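---
# Build the per-domain configuration fact `dc` from role defaults. One entry
# per mail domain, holding the user/alias/group lookup settings and the
# no-reply alias list. "Override config for domains" (next task) merges
# `postfix_domain_config` on top, so everything set here is a default.
#
# NOTE(review): group_lookup.result_format is the literal '%s@{{d}}' while
# every other per-domain value is built from `item`; it presumably relies on
# a `d` variable being defined wherever that .cf file is rendered — confirm,
# or build it as '%s@' + item like the rest.
- name: "Load default config for domains"
  set_fact:
    dc: >-
      {{ dc | default({}) | combine({ item: {
          'user_lookup': {
            'provider': 'file',
            'file': vmail_home + '/' + item + '_users',
            'domain': item,
            'server_host': postfix_ldap_server,
            'server_port': postfix_ldap_port,
            'version': postfix_ldap_version,
            'scope': postfix_ldap_scope,
            'bind': postfix_ldap_bind,
            'bind_dn': postfix_ldap_bind_dn,
            'bind_pw': postfix_ldap_bind_pw,
            'start_tls': postfix_ldap_start_tls,
            'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
            'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
            'search_base':
              'ou=People,' + item.split('.') | map('regex_replace', '^', 'dc=') | join(','),
            'query_filter': '(&(objectClass=inetOrgPerson)(uid=%u))',
            'result_attribute': 'uid',
            'result_format': vmail_home + '/mail/' + item + '/%s/',
            'dbpath': vmail_home + '/' + item + '_users.sqlite',
            'query': postfix_sqlite_user_query
          },
          'users': [],
          'alias_lookup': {
            'provider': 'file',
            'file': vmail_home + '/' + item + '_aliases',
            'domain': item,
            'server_host': postfix_ldap_server,
            'server_port': postfix_ldap_port,
            'version': postfix_ldap_version,
            'scope': postfix_ldap_scope,
            'bind': postfix_ldap_bind,
            'bind_dn': postfix_ldap_bind_dn,
            'bind_pw': postfix_ldap_bind_pw,
            'start_tls': postfix_ldap_start_tls,
            'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
            'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
            'search_base':
              'ou=Alias,' + item.split('.') | map('regex_replace', '^', 'dc=') | join(','),
            'query_filter': '(&(objectClass=nisMailAlias)(cn=%u))',
            'result_attribute': 'rfc822MailMember',
            'result_format': '%s',
            'dbpath': vmail_home + '/' + item + '_aliases.sqlite',
            'query': postfix_sqlite_alias_query
          },
          'aliases': [],
          'use_group_as_alias': postfix_ldap_use_group_alias,
          'group_lookup': {
            'provider': 'ldap',
            'domain': item,
            'server_host': postfix_ldap_server,
            'server_port': postfix_ldap_port,
            'version': postfix_ldap_version,
            'scope': postfix_ldap_scope,
            'bind': postfix_ldap_bind,
            'bind_dn': postfix_ldap_bind_dn,
            'bind_pw': postfix_ldap_bind_pw,
            'start_tls': postfix_ldap_start_tls,
            'tls_ca_cert_file': postfix_ldap_tls_ca_cert_file,
            'tls_ca_cert_dir': postfix_ldap_tls_ca_cert_dir,
            'search_base':
              'ou=Group,' + item.split('.') | map('regex_replace', '^', 'dc=') | join(','),
            'query_filter': '(&(objectClass=posixGroup)(cn=%u))',
            'result_attribute': 'memberUid',
            'result_format': '%s@{{d}}',
          },
          'noreply_aliases': ['noreply'],
          'noreply_file': vmail_home + '/' + item + '_noreply',
      } }, recursive=True) }}
  with_items: "{{ postfix_mail_domains | belist }}"
  # The fact embeds postfix_ldap_bind_pw (three times per domain); keep the
  # per-item result out of the task output and logs.
  no_log: true
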
|
# Deep-merge operator-supplied per-domain settings (`postfix_domain_config`)
# over the defaults built in the previous task. Keys present in the override
# win; keys absent from it keep their default.
- name: "Override config for domains"
  set_fact:
    dc: "{{ dc | combine(postfix_domain_config, recursive=True) }}"

|
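# Base MTA package. Block-form module arguments and a real boolean instead of
# the key=value string form.
- name: "Install postfix"
  apt:
    name: postfix
    update_cache: true
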
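# PCRE table support, used by the regex-based access lists below.
- name: "Install postfix PCRE table support"
  apt:
    name: postfix-pcre
  notify: restart postfix
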
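# LDAP table support, only when at least one domain resolves users or aliases
# via LDAP. The json_query filter needs the `jmespath` Python package on the
# controller; see http://jmespath.org/ for the query syntax.
- name: "Install postfix LDAP table support"
  apt:
    name: postfix-ldap
  when: '"ldap" in dc | json_query("*.[ alias_lookup, user_lookup ][].provider")'
  notify: restart postfix
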
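# SQLite table support, only when at least one domain resolves users or
# aliases via SQLite. Same jmespath requirement as the LDAP task above; see
# http://jmespath.org/
- name: "Install postfix SQLite table support"
  apt:
    name: postfix-sqlite
  when: '"sqlite" in dc | json_query("*.[ alias_lookup, user_lookup ][].provider")'
  notify: restart postfix
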
# Dovecot side of the Postfix integration: the LMTP delivery and SASL auth
# sockets that main.cf's virtual_transport / smtpd_sasl_path point at.
- name: "Template Dovecot delivery/auth service config for Postfix"
  template:
    src: "11-postfix.conf.j2"
    dest: "/etc/dovecot/conf.d/11-postfix.conf"
  notify: restart dovecot

# Render the per-domain lookup tables (user/alias/group .cf files, hash and
# sqlite sources) once per mail domain; the included file sees the current
# domain as `domain` rather than `item`.
- name: "Configure lookup tables"
  include_tasks: lookup_tables.yml
  with_items: "{{ postfix_mail_domains | belist }}"
  loop_control:
    loop_var: "domain"

# Managed stanza in the system aliases file. `_dev_null` is a local alias that
# discards mail; presumably the target the no-reply aliases point at — confirm
# against the noreply_aliases table rendered elsewhere.
- name: "Configure no-reply local mail alias"
  blockinfile:
    path: "/etc/aliases"
    marker: "# {mark} ANSIBLE-MANAGED ALIASES"
    block: |
      _dev_null: /dev/null
  notify: newaliases

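# Directory holding the client/helo/recipient/sender access lists. `path` is
# the canonical name of the file module's target (the original used its `name`
# alias).
- name: "Create rules directory for access lists"
  file:
    path: "{{ postfix_rules_dir }}"
    state: directory
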
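# Client access list: one `<regex> <action>` line per entry of
# `postfix_client_access_list`.
# NOTE(review): unlike the helo/recipient/sender lists below this task has no
# `notify: postmap access lists`. That is consistent with the entries being
# regexes (regexp:/pcre: tables are read directly and need no postmap), but
# confirm the table type in main.cf before relying on it.
- name: "Template client access list"
  blockinfile:
    path: "{{ postfix_rules_dir }}/client_access_list"
    create: true
    block: |
      # Edit host variable `postfix_client_access_list` to change these values
      {% for entry in postfix_client_access_list -%}
      {{ entry.regex }} {{ entry.action }}
      {% endfor %}
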
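# HELO access list: one `<host> <action>` line per entry of
# `postfix_helo_access_list`. A hash table, so the .db must be rebuilt after
# changes (handler).
- name: "Template helo access list"
  blockinfile:
    path: "{{ postfix_rules_dir }}/helo_access_list"
    create: true
    block: |
      # Edit host variable `postfix_helo_access_list` to change these values
      {% for entry in postfix_helo_access_list -%}
      {{ entry.host }} {{ entry.action }}
      {% endfor %}
  notify: postmap access lists
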
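# Recipient access list: one `<rcpt> <action>` line per entry of
# `postfix_recipient_access_list`; rebuilt with postmap by the handler.
- name: "Template recipient access list"
  blockinfile:
    path: "{{ postfix_rules_dir }}/recipient_access_list"
    create: true
    block: |
      # Edit host variable `postfix_recipient_access_list` to change these values
      {% for entry in postfix_recipient_access_list -%}
      {{ entry.rcpt }} {{ entry.action }}
      {% endfor %}
  notify: postmap access lists
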
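# Sender access list: one `<sender> <action>` line per entry of
# `postfix_sender_access_list`; rebuilt with postmap by the handler.
- name: "Template sender access list"
  blockinfile:
    path: "{{ postfix_rules_dir }}/sender_access_list"
    create: true
    block: |
      # Edit host variable `postfix_sender_access_list` to change these values
      {% for entry in postfix_sender_access_list -%}
      {{ entry.sender }} {{ entry.action }}
      {% endfor %}
  notify: postmap access lists
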
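# main.cf. The virtual_*_maps lists are generated per domain from the `dc`
# fact (one map per domain, type chosen by that domain's lookup provider);
# everything else is taken from role variables.
- name: "Set main.cf parameters"
  postconf:
    parameter:
      # Local delivery domains: configured unix domains plus the host's own
      # names, minus anything that is served as a virtual mail domain.
      mydestination: >-
        {{ postfix_unix_domains | belist |
        union([ansible_fqdn, 'localhost.localdomain', 'localhost']) |
        difference(postfix_mail_domains | belist) }}
      myhostname: "{{ postfix_server_name }}"
      mydomain: "{{ postfix_server_domain }}"
      # Loopback (v4, v4-mapped v6, v6) is always trusted; operator networks
      # are appended.
      mynetworks: >-
        {{ ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] |
        union(postfix_local_networks) }}
      # One alias map per domain (ldap/sqlite/hash by provider, plus the LDAP
      # group map when use_group_as_alias is set), then the shared no-reply map.
      virtual_alias_maps: >-
        {% for d in postfix_mail_domains | belist %}
        {% set p = dc[d]['alias_lookup']['provider'] %}
        {% if p == "ldap" %}
        ldap:{{ postfix_config_dir }}/{{ d }}_ldap_alias.cf
        {% if dc[d]['use_group_as_alias'] %},
        ldap:{{ postfix_config_dir }}/{{ d }}_ldap_group.cf
        {% endif %}
        {% elif p == "sqlite" %}
        sqlite:{{ postfix_config_dir }}/{{ d }}_sqlite_alias.cf
        {% elif p == "file" %}
        hash:{{ vmail_home }}/{{ d }}_aliases
        {% endif %}{{ '' if loop.last else ',' }}{% endfor %},
        hash:{{ postfix_config_dir }}/noreply_aliases
      # One mailbox map per domain, type chosen by the user_lookup provider.
      virtual_mailbox_maps: >-
        {% for d in postfix_mail_domains | belist %}
        {% set p = dc[d]['user_lookup']['provider'] %}
        {% if p == "ldap" %}
        ldap:{{ postfix_config_dir }}/{{ d }}_ldap_user.cf
        {% elif p == "sqlite" %}
        sqlite:{{ postfix_config_dir }}/{{ d }}_sqlite_user.cf
        {% elif p == "file" %}
        hash:{{ vmail_home }}/{{ d }}_users
        {% endif %}{{ '' if loop.last else ',' }}{% endfor %},
      # Delivery and SASL go through the Dovecot sockets configured in
      # 11-postfix.conf.
      virtual_transport: "lmtp:unix:private/dovecot-lmtp"
      # NOTE(review): every other use of postfix_mail_domains in this file
      # applies `| belist`; confirm the bare value is what postconf expects.
      virtual_mailbox_domains: "{{ postfix_mail_domains }}"
      smtpd_sasl_path: private/auth
      smtpd_sasl_type: dovecot
      smtpd_sasl_auth_enable: "{{ 'yes' if postfix_enable_smtpd_auth else 'no' }}"
      smtpd_tls_cert_file: "{{ postfix_tls_certificate }}"
      smtpd_tls_key_file: "{{ postfix_tls_private_key }}"
      # NOTE(review): smtp_* is the outgoing (client) side and smtpd_* the
      # incoming (server) side of Postfix, yet the variables are mapped
      # incoming->smtp_ and outgoing->smtpd_. Left as is because the role's
      # documented meaning of the two variables is not visible here — confirm.
      smtp_tls_security_level: "{{ postfix_incoming_tls_security }}"
      smtpd_tls_security_level: "{{ postfix_outgoing_tls_security }}"
      # smtpd_tls_auth_only = yes refuses SASL AUTH on unencrypted connections,
      # so it must be 'yes' exactly when insecure auth is NOT allowed. The
      # previous mapping was inverted and emitted 'no' for the secure setting.
      smtpd_tls_auth_only: "{{ 'no' if postfix_allow_insecure_auth else 'yes' }}"
      smtpd_tls_session_cache_database: "{{ 'btree:${data_directory}/smtpd_scache' if postfix_tls_session_cache else '' }}"
      smtpd_client_restrictions: "{{ postfix_client_restrictions }}"
      smtpd_data_restrictions: "{{ postfix_data_restrictions }}"
      smtpd_helo_restrictions: "{{ postfix_helo_restrictions }}"
      smtpd_relay_restrictions: "{{ postfix_relay_restrictions }}"
      smtpd_recipient_restrictions: "{{ postfix_recipient_restrictions }}"
      message_size_limit: "{{ postfix_message_size_limit }}"
      smtpd_helo_required: "{{ 'yes' if postfix_helo_required else 'no' }}"
      biff: "{{ 'yes' if postfix_biff else 'no' }}"
  notify: reload postfix
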
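# master.cf submission (port 587) service: TLS mandatory, authenticated
# clients only. `| bool` instead of `== True` so a string value such as
# "true" passed via -e/inventory still enables the service rather than
# silently skipping both the enable and the disable task.
- name: "Enable submission service"
  postconf:
    service: submission
    type: inet
    private: 'n'
    command: smtpd
    parameter:
      milter_macro_daemon_name: ORIGINATING
      smtpd_client_restrictions:
        - permit_sasl_authenticated
        - reject
      smtpd_sasl_auth_enable: 'yes'
      smtpd_tls_security_level: encrypt
      syslog_name: postfix/submission
  notify: reload postfix
  when: postfix_submission_enable | bool
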
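# Remove the submission service from master.cf when disabled. `not ... | bool`
# instead of `== False` so string-typed values are handled (see the enable
# task above).
- name: "Disable submission service"
  postconf:
    service: submission
    type: inet
    state: absent
  notify: reload postfix
  when: not (postfix_submission_enable | bool)
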
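# Postscreen (pre-SMTP client screening); `| bool` so string-typed values
# toggle the feature instead of matching neither branch.
- name: "Enable postscreen"
  include_tasks: postscreen.yml
  when: postfix_postscreen_enable | bool
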
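# Counterpart of "Enable postscreen"; same `| bool` handling of the toggle.
- name: "Disable postscreen"
  include_tasks: postscreen_disable.yml
  when: not (postfix_postscreen_enable | bool)
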
# TODO: mensajes (messages)

# TODO: milter_header_checks