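---
# Configure postscreen in master.cf and main.cf.
# The "step N" references follow the order of the postscreen setup
# sequence these tasks were written against (Postfix POSTSCREEN_README).
#
# master.cf values y/n are kept as quoted strings on purpose: unquoted
# y/n are read as booleans by YAML 1.1 loaders, while Postfix needs the
# literal characters.

# Enable "smtpd pass ... smtpd", the real SMTP server that postscreen
# hands accepted clients to (step 2)
- name: "postscreen: enable smtpd/pass service"
  postconf:
    service: smtpd
    type: pass
    chroot: 'y'
    command: smtpd
  notify: reload postfix

# Enable "smtp inet ... postscreen" so postscreen answers port 25 instead
# of smtpd (steps 1, 3). postscreen runs as a single process, hence the
# process limit of 1.
- name: "postscreen: configure smtp/inet service"
  postconf:
    service: smtp
    type: inet
    private: 'n'
    chroot: 'y'
    process_limit: 1
    command: postscreen
  notify: reload postfix

# Enable tlsproxy for TLS support in postscreen (step 4);
# process_limit 0 means no limit
- name: "postscreen: enable tlsproxy/unix service"
  postconf:
    service: tlsproxy
    type: unix
    chroot: 'y'
    process_limit: 0
    command: tlsproxy
  notify: reload postfix

# Enable dnsblog so postscreen DNSBL blocks are logged (step 5)
- name: "postscreen: enable dnsblog/unix service"
  postconf:
    service: dnsblog
    type: unix
    chroot: 'y'
    process_limit: 0
    command: dnsblog
  notify: reload postfix

# Build the CIDR table holding the postscreen access-list entries.
# Each entry of postfix_postscreen_access_list needs `address` and
# `action`. The file is only read when postscreen starts, so the
# handler is notified here as it is for the other generated files.
- name: "postscreen: template access list"
  copy:
    content: |
      # Ansible-generated postscreen CIDR access table. You can change this
      # file by setting the host variable `postfix_postscreen_access_list`
      {% for entry in postfix_postscreen_access_list -%}
      {{ entry.address }} {{ entry.action }}
      {% endfor %}
    dest: /etc/postfix/rules/postscreen_access_list.cidr
  notify: reload postfix

- name: "postscreen: set postscreen_access_list parameter"
  postconf:
    parameter: postscreen_access_list
    value: "cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
  notify: reload postfix

# Postfix wants yes/no here, so the role's booleans are mapped to the
# literal strings instead of being passed through.
- name: "postscreen: enable/disable after-220 SMTP greeting tests"
  postconf:
    parameter:
      postscreen_bare_newline_enable: "{{ 'yes' if postfix_postscreen_bare_newline_enable else 'no' }}"
      postscreen_non_smtp_command_enable: "{{ 'yes' if postfix_postscreen_non_smtp_command_enable else 'no' }}"
      postscreen_pipelining_enable: "{{ 'yes' if postfix_postscreen_pipelining_enable else 'no' }}"
  notify: reload postfix

# Render postfix_postscreen_dnsbl_sites into a comma-separated list.
# An item is either a plain string (used verbatim) or a mapping with
# `site` and an optional `score`, rendered as "site*score".
# Folded block scalar: line breaks become spaces, and the Jinja
# whitespace-control markers (-%} / {%-) swallow them again so the
# rendered value contains no separators other than ", ".
- name: "postscreen: configure dnsbl sites"
  postconf:
    parameter: postscreen_dnsbl_sites
    value: >-
      {% for entry in postfix_postscreen_dnsbl_sites -%}
      {% if entry is string -%}
      {{ entry }}
      {%- elif entry is mapping -%}
      {{ entry.site }}{{ '*' if entry.score is defined else '' }}{{ entry.score | default('') }}
      {%- endif -%}
      {{ '' if loop.last else ', ' }}
      {%- endfor %}
  notify: reload postfix

# Reply map that rewrites the DNSBL name postscreen reports to the
# remote client, so that credentials embedded in a site name are not
# disclosed. Only mapping items with a `mask` key get a rule; an empty
# or non-string mask falls back to the generic "dnsbl blacklist" text.
# NOTE: `site` is inserted into the PCRE pattern unescaped, so "." in a
# site name matches any character — harmless for masking, but keep in
# mind when reading the generated file.
- name: "postscreen: template masking table for dnsbl sites"
  copy:
    content: |
      # postscreen reply map, matching entries will be replaced
      # with the resulting text when telling the source of DNS
      # blacklisting to the remote client.
      # used to mask passwords contained in dnsbl names
      # edit this file by setting the "mask" option for items
      # in the host variable postfix_postscreen_dnsbl_sites
      {% for entry in postfix_postscreen_dnsbl_sites -%}
      {% if entry is mapping -%}{% if entry.mask is defined -%}
      {% if entry.mask is string and entry.mask != "" -%}
      /^{{ entry.site }}$/ {{ entry.mask }}
      {% else %}
      /^{{ entry.site }}$/ dnsbl blacklist
      {% endif %}{% endif %}{% endif %}{% endfor %}
    dest: /etc/postfix/rules/postscreen_dnsbl_mask.pcre
  notify: reload postfix

- name: "postscreen: configure masking table parameter"
  postconf:
    parameter: postscreen_dnsbl_reply_map
    value: "pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
  notify: reload postfix

# Remaining postscreen tunables, passed through from the role variables
# of the same name (postfix_ prefix) without transformation.
- name: "postscreen: set misc. parameters"
  postconf:
    parameter:
      postscreen_blacklist_action: "{{ postfix_postscreen_blacklist_action }}"
      postscreen_bare_newline_action: "{{ postfix_postscreen_bare_newline_action }}"
      postscreen_dnsbl_action: "{{ postfix_postscreen_dnsbl_action }}"
      postscreen_dnsbl_threshold: "{{ postfix_postscreen_dnsbl_threshold }}"
      postscreen_dnsbl_whitelist_threshold: "{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
      postscreen_greet_action: "{{ postfix_postscreen_greet_action }}"
      postscreen_greet_wait: "{{ postfix_postscreen_greet_wait }}"
      postscreen_non_smtp_command_action: "{{ postfix_postscreen_non_smtp_command_action }}"
      postscreen_pipelining_action: "{{ postfix_postscreen_pipelining_action }}"
  notify: reload postfix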