agrego postscreen

tasks/postscreen.yml

@@ -0,0 +1,128 @@
+---
+# configurar postscreen en master.cf
+# habilito smtpd pass ... smtpd para postscreen (paso 2)
+- name: "postscreen: enable smtpd/pass service"
+  postconf:
+    service: smtpd
+    type: pass
+    chroot: 'y'
+    command: smtpd
+  notify: reload postfix
+
+# habilito smtp inet ... postscreen para postscreen (pasos 1,3)
+- name: "postscreen: configure smtp/inet service"
+  postconf:
+    service: smtp
+    type: inet
+    private: 'n'
+    chroot: 'y'
+    process_limit: 1
+    command: postscreen
+  notify: reload postfix
+
+# habilito tlsproxy para soporte TLS en postscreen (paso 4)
+- name: "postscreen: enable tlsproxy/unix service"
+  postconf:
+    service: tlsproxy
+    type: unix
+    chroot: 'y'
+    process_limit: 0
+    command: tlsproxy
+  notify: reload postfix
+
+# habilito dnsblog para que loguee bloqueos DNSBL en postscreen (paso 5)
+- name: "postscreen: enable dnsblog/unix service"
+  postconf:
+    service: dnsblog
+    type: unix
+    chroot: 'y'
+    process_limit: 0
+    command: dnsblog
+  notify: reload postfix
+
+# compilar tabla CIDR con las listas blancas
+- name: "postscreen: template access list"
+  copy:
+    content: |
+      # Ansible-generated postscreen CIDR access table. You can change this
+      # file by setting the host variable `postfix_postscreen_access_list`
+      {% for entry in postfix_postscreen_access_list -%}
+      {{ entry.address }} {{ entry.action }}
+      {% endfor %}
+    dest: "/etc/postfix/rules/postscreen_access_list.cidr"
+
+- name: "postscreen: set postscreen_access_list parameter"
+  postconf:
+    parameter: postscreen_access_list
+    value: "cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
+  notify: reload postfix
+
+- name: "postscreen: enable/disable after-220 SMTP greeting tests"
+  postconf:
+    parameter:
+      postscreen_bare_newline_enable:
+        "{{ 'yes' if postfix_postscreen_bare_newline_enable else 'no' }}"
+      postscreen_non_smtp_command_enable:
+        "{{ 'yes' if postfix_postscreen_non_smtp_command_enable else 'no' }}"
+      postscreen_pipelining_enable:
+        "{{ 'yes' if postfix_postscreen_pipelining_enable else 'no' }}"
+  notify: reload postfix
+
+- name: "postscreen: configure dnsbl sites"
+  postconf:
+    parameter: postscreen_dnsbl_sites
+    value: "\
+      {% for entry in postfix_postscreen_dnsbl_sites|belist -%}\
+      {% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
+      {{ entry.site }}{{ '*' if entry.score is defined else '' }}\
+      {{ entry.score | default('') }}{% endif %}\
+      {{ '' if loop.last else ', ' }}{% endfor %}"
+  notify: reload postfix
+
+- name: "postscreen: template masking table for dnsbl sites"
+  copy:
+    content: |
+      # postscreen reply map, matching entries will be replaced
+      # with the resulting text when telling the source of DNS
+      # blacklisting to the remote client.
+      # used to mask passwords contained in dnsbl names
+      # edit this file by setting the "mask" option for items
+      # in the host variable postfix_postscreen_dnsbl_sites
+      {% for entry in postfix_postscreen_dnsbl_sites -%}
+      {% if entry is mapping -%}{% if entry.mask is defined -%}
+      {% if entry.mask is string and entry.mask != "" -%}
+      /^{{ entry.site }}$/ {{ entry.mask }}
+      {% else %}
+      /^{{ entry.site }}$/ dnsbl blacklist
+      {% endif %}{% endif %}{% endif %}{% endfor %}
+    dest: /etc/postfix/rules/postscreen_dnsbl_mask.pcre
+  notify: reload postfix
+
+- name: "postscreen: configure masking table parameter"
+  postconf:
+    parameter: postscreen_dnsbl_reply_map
+    value: "pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+  notify: reload postfix
+
+- name: "postscreen: set misc. parameters"
+  postconf:
+    parameter:
+      postscreen_blacklist_action:
+        "{{ postfix_postscreen_blacklist_action }}"
+      postscreen_bare_newline_action:
+        "{{ postfix_postscreen_bare_newline_action }}"
+      postscreen_dnsbl_action:
+        "{{ postfix_postscreen_dnsbl_action }}"
+      postscreen_dnsbl_threshold:
+        "{{ postfix_postscreen_dnsbl_threshold }}"
+      postscreen_dnsbl_whitelist_threshold:
+        "{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
+      postscreen_greet_action:
+        "{{ postfix_postscreen_greet_action }}"
+      postscreen_greet_wait:
+        "{{ postfix_postscreen_greet_wait }}"
+      postscreen_non_smtp_command_action:
+        "{{ postfix_postscreen_non_smtp_command_action }}"
+      postscreen_pipelining_action:
+        "{{ postfix_postscreen_pipelining_action }}"
+  notify: reload postfix

tasks/postscreen_disable.yml

@@ -0,0 +1,24 @@
+---
+- name: "postscreen_disable: disable smtpd/pass service"
+  postconf:
+    service: smtpd
+    type: pass
+    state: absent
+  notify: reload postfix
+
+- name: "postscreen_disable: configure smtp/inet service"
+  postconf:
+    service: smtp
+    type: inet
+    private: 'n'
+    chroot: '-'
+    process_limit: '-'
+    command: smtpd
+  notify: reload postfix
+
+- name: "postscreen_disable: disable dnsblog/unix service"
+  postconf:
+    service: dnsblog
+    type: unix
+    state: absent
+  notify: reload postfix