mauro/ansible-role-postfix-docker
1
0
Fork 0
forked from mauro/ansible-role-postfix
Code Issues Pull Requests Releases Wiki Activity
ansible-role-postfix-docker/tasks/postscreen.yml
Mauro Torrez fe8a1d20ad postscreen rules path
2019-09-07 20:10:49 -03:00

129 lines
4.5 KiB
YAML
Raw Blame History

---
# configurar postscreen en master.cf
# habilito smtpd pass ... smtpd para postscreen (paso 2)
- name: "postscreen: enable smtpd/pass service"
postconf:
service: smtpd
type: pass
chroot: 'y'
command: smtpd
notify: reload postfix
# habilito smtp inet ... postscreen para postscreen (pasos 1,3)
- name: "postscreen: configure smtp/inet service"
postconf:
service: smtp
type: inet
private: 'n'
chroot: 'y'
process_limit: 1
command: postscreen
notify: reload postfix
# habilito tlsproxy para soporte TLS en postscreen (paso 4)
- name: "postscreen: enable tlsproxy/unix service"
postconf:
service: tlsproxy
type: unix
chroot: 'y'
process_limit: 0
command: tlsproxy
notify: reload postfix
# habilito dnsblog para que loguee bloqueos DNSBL en postscreen (paso 5)
- name: "postscreen: enable dnsblog/unix service"
postconf:
service: dnsblog
type: unix
chroot: 'y'
process_limit: 0
command: dnsblog
notify: reload postfix
# compilar tabla CIDR con las listas blancas
- name: "postscreen: template access list"
copy:
content: |
# Ansible-generated postscreen CIDR access table. You can change this
# file by setting the host variable `postfix_postscreen_access_list`
{% for entry in postfix_postscreen_access_list -%}
{{ entry.address }} {{ entry.action }}
{% endfor %}
dest: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/postscreen_access_list.cidr"
- name: "postscreen: set postscreen_access_list parameter"
postconf:
parameter: postscreen_access_list
value: "cidr:/etc/postfix/{{ postfix_rules_dir }}/postscreen_access_list.cidr, permit_mynetworks"
notify: reload postfix
- name: "postscreen: enable/disable after-220 SMTP greeting tests"
postconf:
parameter:
postscreen_bare_newline_enable:
"{{ 'yes' if postfix_postscreen_bare_newline_enable else 'no' }}"
postscreen_non_smtp_command_enable:
"{{ 'yes' if postfix_postscreen_non_smtp_command_enable else 'no' }}"
postscreen_pipelining_enable:
"{{ 'yes' if postfix_postscreen_pipelining_enable else 'no' }}"
notify: reload postfix
- name: "postscreen: configure dnsbl sites"
postconf:
parameter: postscreen_dnsbl_sites
value: "\
{% for entry in postfix_postscreen_dnsbl_sites -%}\
{% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
{{ entry.site }}{{ '*' if entry.score is defined else '' }}\
{{ entry.score | default('') }}{% endif %}\
{{ '' if loop.last else ', ' }}{% endfor %}"
notify: reload postfix
- name: "postscreen: template masking table for dnsbl sites"
copy:
content: |
# postscreen reply map, matching entries will be replaced
# with the resulting text when telling the source of DNS
# blacklisting to the remote client.
# used to mask passwords contained in dnsbl names
# edit this file by setting the "mask" option for items
# in the host variable postfix_postscreen_dnsbl_sites
{% for entry in postfix_postscreen_dnsbl_sites -%}
{% if entry is mapping -%}{% if entry.mask is defined -%}
{% if entry.mask is string and entry.mask != "" -%}
/^{{ entry.site }}$/ {{ entry.mask }}
{% else %}
/^{{ entry.site }}$/ dnsbl blacklist
{% endif %}{% endif %}{% endif %}{% endfor %}
dest: "{{ postfix_mountpoint }}/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
notify: reload postfix
- name: "postscreen: configure masking table parameter"
postconf:
parameter: postscreen_dnsbl_reply_map
value: "pcre:/etc/postfix/{{ postfix_rules_dir }}/postscreen_dnsbl_mask.pcre"
notify: reload postfix
- name: "postscreen: set misc. parameters"
postconf:
parameter:
postscreen_blacklist_action:
"{{ postfix_postscreen_blacklist_action }}"
postscreen_bare_newline_action:
"{{ postfix_postscreen_bare_newline_action }}"
postscreen_dnsbl_action:
"{{ postfix_postscreen_dnsbl_action }}"
postscreen_dnsbl_threshold:
"{{ postfix_postscreen_dnsbl_threshold }}"
postscreen_dnsbl_whitelist_threshold:
"{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
postscreen_greet_action:
"{{ postfix_postscreen_greet_action }}"
postscreen_greet_wait:
"{{ postfix_postscreen_greet_wait }}"
postscreen_non_smtp_command_action:
"{{ postfix_postscreen_non_smtp_command_action }}"
postscreen_pipelining_action:
"{{ postfix_postscreen_pipelining_action }}"
notify: reload postfix
Reference in New Issue View Git Blame Copy Permalink