129 lines
4.4 KiB
YAML
129 lines
4.4 KiB
YAML
---
|
|
# configurar postscreen en master.cf
|
|
# habilito smtpd pass ... smtpd para postscreen (paso 2)
|
|
- name: "postscreen: enable smtpd/pass service"
|
|
postconf:
|
|
service: smtpd
|
|
type: pass
|
|
chroot: 'y'
|
|
command: smtpd
|
|
notify: reload postfix
|
|
|
|
# habilito smtp inet ... postscreen para postscreen (pasos 1,3)
|
|
- name: "postscreen: configure smtp/inet service"
|
|
postconf:
|
|
service: smtp
|
|
type: inet
|
|
private: 'n'
|
|
chroot: 'y'
|
|
process_limit: 1
|
|
command: postscreen
|
|
notify: reload postfix
|
|
|
|
# habilito tlsproxy para soporte TLS en postscreen (paso 4)
|
|
- name: "postscreen: enable tlsproxy/unix service"
|
|
postconf:
|
|
service: tlsproxy
|
|
type: unix
|
|
chroot: 'y'
|
|
process_limit: 0
|
|
command: tlsproxy
|
|
notify: reload postfix
|
|
|
|
# habilito dnsblog para que loguee bloqueos DNSBL en postscreen (paso 5)
|
|
- name: "postscreen: enable dnsblog/unix service"
|
|
postconf:
|
|
service: dnsblog
|
|
type: unix
|
|
chroot: 'y'
|
|
process_limit: 0
|
|
command: dnsblog
|
|
notify: reload postfix
|
|
|
|
# compilar tabla CIDR con las listas blancas
|
|
- name: "postscreen: template access list"
|
|
copy:
|
|
content: |
|
|
# Ansible-generated postscreen CIDR access table. You can change this
|
|
# file by setting the host variable `postfix_postscreen_access_list`
|
|
{% for entry in postfix_postscreen_access_list -%}
|
|
{{ entry.address }} {{ entry.action }}
|
|
{% endfor %}
|
|
dest: "/etc/postfix/rules/postscreen_access_list.cidr"
|
|
|
|
- name: "postscreen: set postscreen_access_list parameter"
|
|
postconf:
|
|
parameter: postscreen_access_list
|
|
value: "cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
|
|
notify: reload postfix
|
|
|
|
- name: "postscreen: enable/disable after-220 SMTP greeting tests"
|
|
postconf:
|
|
parameter:
|
|
postscreen_bare_newline_enable:
|
|
"{{ 'yes' if postfix_postscreen_bare_newline_enable else 'no' }}"
|
|
postscreen_non_smtp_command_enable:
|
|
"{{ 'yes' if postfix_postscreen_non_smtp_command_enable else 'no' }}"
|
|
postscreen_pipelining_enable:
|
|
"{{ 'yes' if postfix_postscreen_pipelining_enable else 'no' }}"
|
|
notify: reload postfix
|
|
|
|
- name: "postscreen: configure dnsbl sites"
|
|
postconf:
|
|
parameter: postscreen_dnsbl_sites
|
|
value: "\
|
|
{% for entry in postfix_postscreen_dnsbl_sites -%}\
|
|
{% if entry is string -%}{{ entry }}{% elif entry is mapping -%}\
|
|
{{ entry.site }}{{ '*' if entry.score is defined else '' }}\
|
|
{{ entry.score | default('') }}{% endif %}\
|
|
{{ '' if loop.last else ', ' }}{% endfor %}"
|
|
notify: reload postfix
|
|
|
|
- name: "postscreen: template masking table for dnsbl sites"
|
|
copy:
|
|
content: |
|
|
# postscreen reply map, matching entries will be replaced
|
|
# with the resulting text when telling the source of DNS
|
|
# blacklisting to the remote client.
|
|
# used to mask passwords contained in dnsbl names
|
|
# edit this file by setting the "mask" option for items
|
|
# in the host variable postfix_postscreen_dnsbl_sites
|
|
{% for entry in postfix_postscreen_dnsbl_sites -%}
|
|
{% if entry is mapping -%}{% if entry.mask is defined -%}
|
|
{% if entry.mask is string and entry.mask != "" -%}
|
|
/^{{ entry.site }}$/ {{ entry.mask }}
|
|
{% else %}
|
|
/^{{ entry.site }}$/ dnsbl blacklist
|
|
{% endif %}{% endif %}{% endif %}{% endfor %}
|
|
dest: /etc/postfix/rules/postscreen_dnsbl_mask.pcre
|
|
notify: reload postfix
|
|
|
|
- name: "postscreen: configure masking table parameter"
|
|
postconf:
|
|
parameter: postscreen_dnsbl_reply_map
|
|
value: "pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
|
|
notify: reload postfix
|
|
|
|
- name: "postscreen: set misc. parameters"
|
|
postconf:
|
|
parameter:
|
|
postscreen_blacklist_action:
|
|
"{{ postfix_postscreen_blacklist_action }}"
|
|
postscreen_bare_newline_action:
|
|
"{{ postfix_postscreen_bare_newline_action }}"
|
|
postscreen_dnsbl_action:
|
|
"{{ postfix_postscreen_dnsbl_action }}"
|
|
postscreen_dnsbl_threshold:
|
|
"{{ postfix_postscreen_dnsbl_threshold }}"
|
|
postscreen_dnsbl_whitelist_threshold:
|
|
"{{ postfix_postscreen_dnsbl_whitelist_threshold }}"
|
|
postscreen_greet_action:
|
|
"{{ postfix_postscreen_greet_action }}"
|
|
postscreen_greet_wait:
|
|
"{{ postfix_postscreen_greet_wait }}"
|
|
postscreen_non_smtp_command_action:
|
|
"{{ postfix_postscreen_non_smtp_command_action }}"
|
|
postscreen_pipelining_action:
|
|
"{{ postfix_postscreen_pipelining_action }}"
|
|
notify: reload postfix
|