diff --git a/defaults/main.yml b/defaults/main.yml index 9446d73..b462711 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,12 @@ mailname: "{{inventory_hostname}}" +postfix_method: none + postfix_postfixadmin_mysql_database: postfixadmin postfix_postfixadmin_mysql_username: postfix + +postfix_check_spf: false +postfix_check_spamhaus: false + +postfix_with_opendkim: false +postfix_with_opendmarc: false diff --git a/handlers/main.yml b/handlers/main.yml index 81e6b13..c413b8b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,3 +1,10 @@ +--- + +- name: restart postfix + service: + name: postfix + state: restarted + - name: reload postfix service: name: postfix diff --git a/tasks/main.yml b/tasks/main.yml index e701d1a..541e024 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,10 +2,14 @@ - name: install packages apt: - pkg: "{{item}}" - with_items: - - postfix - - postfix-mysql + pkg: + - postfix + +- name: master configuration + template: + src: master.cf.j2 + dest: /etc/postfix/master.cf + notify: restart postfix - name: main configuration template: @@ -19,7 +23,21 @@ dest: /etc/mailname notify: reload postfix -- include: postfixadmin.yml +- import_tasks: spf.yaml + when: postfix_check_spf + +- import_tasks: opendkim.yaml + when: postfix_with_opendkim + +- import_tasks: opendmarc.yaml + when: postfix_with_opendmarc + +- import_tasks: postfixadmin.yml + when: postfix_method == "postfixadmin" + +- name: check postfix configuration + command: postfix check + changed_when: false - name: configuration pull directory local_action: file diff --git a/tasks/opendkim.yaml b/tasks/opendkim.yaml new file mode 100644 index 0000000..1a1c3ad --- /dev/null +++ b/tasks/opendkim.yaml @@ -0,0 +1,11 @@ +--- + +- import_role: + name: opendkim + +- name: ensure postfix user is in opendkim group + user: + name: postfix + groups: opendkim + append: true + notify: restart postfix diff --git a/tasks/opendmarc.yaml b/tasks/opendmarc.yaml new file mode 100644 index 0000000..ef7701a --- /dev/null +++ b/tasks/opendmarc.yaml @@ -0,0 +1,12 @@ +--- + +- name: opendmarc debian packages + apt: + pkg: opendmarc + +- name: ensure postfix user is in opendmarc group + user: + name: postfix + groups: opendmarc + append: true + notify: restart postfix diff --git a/tasks/postfixadmin.yml b/tasks/postfixadmin.yml index 8bd4bc9..17f5bd5 100644 --- a/tasks/postfixadmin.yml +++ b/tasks/postfixadmin.yml @@ -1,5 +1,11 @@ --- +- name: postfix debian packages for postfixadmin + apt: + pkg: + - postfix + - postfix-mysql + - name: postfix sql map directory file: path: /etc/postfix/sql/ @@ -9,8 +15,8 @@ - name: postfixadmin sql map configuration template: - src: sql/{{item}}.j2 - dest: /etc/postfix/sql/{{item}} + src: postfixadmin/sql/{{item}}.j2 + dest: /etc/postfix/postfixadmin-sql/{{item}} mode: u=rwx,g=rx,o= group: postfix with_items: diff --git a/tasks/spf.yaml b/tasks/spf.yaml new file mode 100644 index 0000000..03c3e16 --- /dev/null +++ b/tasks/spf.yaml @@ -0,0 +1,5 @@ +--- + +- name: postfix debian packages for SPF + apt: + pkg: postfix-policyd-spf-python diff --git a/templates/main.cf.j2 b/templates/main.cf.j2 index 01254ba..8ca63f6 100644 --- a/templates/main.cf.j2 +++ b/templates/main.cf.j2 @@ -1,3 +1,5 @@ +{{ansible_managed|comment}} + # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first @@ -33,7 +35,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache myhostname = {{mailname}} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases -mydestination = $myhostname, tg-infra-dev-mail-1, localhost.localdomain, , localhost +mydestination = $myhostname, {{inventory_hostname}}, localhost.localdomain, localhost relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 @@ -42,36 +44,97 @@ inet_interfaces = all inet_protocols = all # some rules from http://www.postfix.org/SMTPD_ACCESS_README.html + +# Allow connections from trusted networks only. #smtpd_client_restrictions = permit_mynetworks, reject + +# Don't talk to mail systems that don't know their own hostname. #smtpd_helo_restrictions = reject_unknown_helo_hostname + +# Don't accept mail from domains that don't exist. #smtpd_sender_restrictions = reject_unknown_sender_domain -smtpd_data_restrictions = reject_unauth_pipelining +# Spam control: exclude local clients and authenticated clients +# from DNSBL and SPF lookups. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, +{% if postfix_check_spf %} + check_policy_service unix:private/policyd-spf, +{% endif %} +{% if postfix_check_spamhaus %} reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org +{% endif %} +# Relay control: local clients and authenticated clients +# may specify any destination domain. smtpd_relay_restrictions = permit_mynetworks, +{% if postfix_method == "postfixadmin" %} permit_sasl_authenticated, - defer_unauth_destination +{% endif %} + reject_unauth_destination -virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf -virtual_alias_maps = - proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, - proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, - proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf -virtual_mailbox_maps = - proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, - proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf +# Block clients that speak too early. +smtpd_data_restrictions = reject_unauth_pipelining -# use dovecot lmtp for mail transport -virtual_transport = lmtp:unix:private/dovecot-lmtp +{% if postfix_check_spf %} +# SPF +policy-spf_time_limit = 3600 +{% endif %} +{# +# Enforce mail volume quota via policy service callouts. +smtpd_end_of_data_restrictions = check_policy_service unix:private/policy +#} + +# SASL +{% if postfix_method == "postfixadmin" %} smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes +{% endif %} + +# DKIM and DMARC +non_smtpd_milters = +{% if postfix_with_opendkim %} + unix:/run/opendkim/opendkim.sock, +{% endif %} +{% if postfix_with_opendmarc %} + unix:/run/opendmarc/opendmarc.sock +{% endif %} +smtpd_milters = +{% if postfix_with_opendkim %} + unix:/run/opendkim/opendkim.sock, +{% endif %} +{% if postfix_with_opendmarc %} + unix:/run/opendmarc/opendmarc.sock +{% endif %} + +# Relay + +# Virtual Domain Hosting +virtual_mailbox_domains = +{% if postfix_method == "postfixadmin" %} + proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_domains_maps.cf +{% endif %} +virtual_alias_maps = +{% if postfix_method == "postfixadmin" %} + proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_maps.cf, + proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_maps.cf, + proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_catchall_maps.cf +{% endif %} +virtual_mailbox_maps = +{% if postfix_method == "postfixadmin" %} + proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_mailbox_maps.cf, + proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_mailbox_maps.cf +{% endif %} + +virtual_transport = +{% if postfix_method == "postfixadmin" %} + # use dovecot lmtp for mail transport + lmtp:unix:private/dovecot-lmtp +{% endif %} diff --git a/templates/master.cf.j2 b/templates/master.cf.j2 new file mode 100644 index 0000000..d600f19 --- /dev/null +++ b/templates/master.cf.j2 @@ -0,0 +1,131 @@ +{{ansible_managed|comment}} + +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - y - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + +{% if postfix_check_spf %} +# spf +policyd-spf unix - n n - 0 spawn + user=policyd-spf argv=/usr/bin/policyd-spf +{% endif %} diff --git a/templates/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2 diff --git a/templates/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2 diff --git a/templates/sql/mysql_virtual_alias_domain_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_alias_domain_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_alias_domain_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_alias_domain_maps.cf.j2 diff --git a/templates/sql/mysql_virtual_alias_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_alias_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_alias_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_alias_maps.cf.j2 diff --git a/templates/sql/mysql_virtual_domains_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_domains_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_domains_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_domains_maps.cf.j2 diff --git a/templates/sql/mysql_virtual_mailbox_limit_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_mailbox_limit_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_mailbox_limit_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_mailbox_limit_maps.cf.j2 diff --git a/templates/sql/mysql_virtual_mailbox_maps.cf.j2 b/templates/postfixadmin/sql/mysql_virtual_mailbox_maps.cf.j2 similarity index 100% rename from templates/sql/mysql_virtual_mailbox_maps.cf.j2 rename to templates/postfixadmin/sql/mysql_virtual_mailbox_maps.cf.j2 diff --git a/vars/main.yaml b/vars/main.yaml new file mode 100644 index 0000000..7afad49 --- /dev/null +++ b/vars/main.yaml @@ -0,0 +1,3 @@ +postfix_smtpd_recipient_restrictions: + - permit_mynetworks + - permit_sasl_authenticated