
current development state

master
padre
commit
97ab85cf54
Se han modificado 17 ficheros con 284 adiciones y 20 borrados
  1. +8
    -0
      defaults/main.yml
  2. +7
    -0
      handlers/main.yml
  3. +23
    -5
      tasks/main.yml
  4. +11
    -0
      tasks/opendkim.yaml
  5. +12
    -0
      tasks/opendmarc.yaml
  6. +8
    -2
      tasks/postfixadmin.yml
  7. +5
    -0
      tasks/spf.yaml
  8. +76
    -13
      templates/main.cf.j2
  9. +131
    -0
      templates/master.cf.j2
  10. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2
  11. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2
  12. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_alias_domain_maps.cf.j2
  13. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_alias_maps.cf.j2
  14. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_domains_maps.cf.j2
  15. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_mailbox_limit_maps.cf.j2
  16. +0
    -0
      templates/postfixadmin/sql/mysql_virtual_mailbox_maps.cf.j2
  17. +3
    -0
      vars/main.yaml

+ 8
- 0
defaults/main.yml Ver fichero

@@ -1,4 +1,12 @@
mailname: "{{inventory_hostname}}"

postfix_method: none

postfix_postfixadmin_mysql_database: postfixadmin
postfix_postfixadmin_mysql_username: postfix

postfix_check_spf: false
postfix_check_spamhaus: false

postfix_with_opendkim: false
postfix_with_opendmarc: false

+ 7
- 0
handlers/main.yml Ver fichero

@@ -1,3 +1,10 @@
---

- name: restart postfix
service:
name: postfix
state: restarted

- name: reload postfix
service:
name: postfix
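Review bot: The `reload postfix` handler at the end of the hunk has `service:` with `name: postfix` but no `state:`, and as rendered the hunk (and the +7 count) ends there; Ansible's service module requires at least one of `state` or `enabled`, so the handler would fail the first time `notify: reload postfix` fires, which tasks/main.yml does for /etc/mailname. If the file really ends where the hunk does, add `state: reloaded` under the `name:` line, mirroring the `state: restarted` of the handler above it.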


+ 23
- 5
tasks/main.yml Ver fichero

@@ -2,10 +2,14 @@

- name: install packages
apt:
pkg: "{{item}}"
with_items:
- postfix
- postfix-mysql
pkg:
- postfix

- name: master configuration
template:
src: master.cf.j2
dest: /etc/postfix/master.cf
notify: restart postfix

- name: main configuration
template:
@@ -19,7 +23,21 @@
dest: /etc/mailname
notify: reload postfix

- include: postfixadmin.yml
- import_tasks: spf.yaml
when: postfix_check_spf

- import_tasks: opendkim.yaml
when: postfix_with_opendkim

- import_tasks: opendmarc.yaml
when: postfix_with_opendmarc

- import_tasks: postfixadmin.yml
when: postfix_method == "postfixadmin"

- name: check postfix configuration
command: postfix check
changed_when: false

- name: configuration pull directory
local_action: file
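Review bot: The new `check postfix configuration` task deserves a comment explaining its placement, because its value depends on ordering that is not obvious from the file: handlers run at the end of the play (unless one of the imported task files flushes them earlier, which is outside this hunk), so a failing `postfix check` aborts the play before `restart postfix` runs and the live daemon keeps its previous configuration. Suggested comment above the task: `# Runs after every config template is written but before handlers fire, so a broken template fails the play before postfix is restarted.` It is also worth noting in that comment that `postfix check` validates syntax, ownership and queue directories only; it does not confirm that the milter sockets or SQL maps referenced from main.cf are reachable. The `configuration pull directory` task at the end continues outside the hunk.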


+ 11
- 0
tasks/opendkim.yaml Ver fichero

@@ -0,0 +1,11 @@
---

- import_role:
name: opendkim

- name: ensure postfix user is in opendkim group
user:
name: postfix
groups: opendkim
append: true
notify: restart postfix

+ 12
- 0
tasks/opendmarc.yaml Ver fichero

@@ -0,0 +1,12 @@
---

- name: opendmarc debian packages
apt:
pkg: opendmarc

- name: ensure postfix user is in opendmarc group
user:
name: postfix
groups: opendmarc
append: true
notify: restart postfix
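Review bot: tasks/opendmarc.yaml installs the `opendmarc` package and adds `postfix` to its group, but nothing here ensures the daemon is enabled and running, so the socket that main.cf.j2 references (`unix:/run/opendmarc/opendmarc.sock`) exists only if the Debian package starts the service with that socket path by default — worth confirming against the packaged opendmarc.conf and adding a `service:` task with `name: opendmarc`, `state: started`, `enabled: true`. The group membership only helps if the daemon creates its socket group-accessible, which is configured outside this commit. tasks/opendkim.yaml has the same dependency on the imported opendkim role's socket settings; a one-line comment on each `user:` task naming the socket path it is meant to unlock would make the coupling visible.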

+ 8
- 2
tasks/postfixadmin.yml Ver fichero

@@ -1,5 +1,11 @@
---

- name: postfix debian packages for postfixadmin
apt:
pkg:
- postfix
- postfix-mysql

- name: postfix sql map directory
file:
path: /etc/postfix/sql/
@@ -9,8 +15,8 @@

- name: postfixadmin sql map configuration
template:
src: sql/{{item}}.j2
dest: /etc/postfix/sql/{{item}}
src: postfixadmin/sql/{{item}}.j2
dest: /etc/postfix/postfixadmin-sql/{{item}}
mode: u=rwx,g=rx,o=
group: postfix
with_items:
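Review bot: The second hunk moves the SQL map files to `dest: /etc/postfix/postfixadmin-sql/{{item}}`, but the `postfix sql map directory` task in the first hunk still has `path: /etc/postfix/sql/` (by the +6/-0 count of that hunk this line looks like unchanged context); Ansible's template module does not create missing parent directories, so the map templating will fail unless something outside this commit creates the new directory. Change the `path:` to `/etc/postfix/postfixadmin-sql/` so the directory task and the template destinations agree. Separately, these maps carry the MySQL credentials and `mode: u=rwx,g=rx,o=` grants execute bits a data file never needs; `mode: u=rw,g=r,o=` with `group: postfix` is the usual setting for mysql map files. The `with_items:` list continues outside the hunk.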


+ 5
- 0
tasks/spf.yaml Ver fichero

@@ -0,0 +1,5 @@
---

- name: postfix debian packages for SPF
apt:
pkg: postfix-policyd-spf-python

+ 76
- 13
templates/main.cf.j2 Ver fichero

@@ -1,3 +1,5 @@
{{ansible_managed|comment}}

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
@@ -33,7 +35,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = {{mailname}}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, tg-infra-dev-mail-1, localhost.localdomain, , localhost
mydestination = $myhostname, {{inventory_hostname}}, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
@@ -42,36 +44,97 @@ inet_interfaces = all
inet_protocols = all

# some rules from http://www.postfix.org/SMTPD_ACCESS_README.html

# Allow connections from trusted networks only.
#smtpd_client_restrictions = permit_mynetworks, reject

# Don't talk to mail systems that don't know their own hostname.
#smtpd_helo_restrictions = reject_unknown_helo_hostname

# Don't accept mail from domains that don't exist.
#smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining

# Spam control: exclude local clients and authenticated clients
# from DNSBL and SPF lookups.
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
{% if postfix_check_spf %}
check_policy_service unix:private/policyd-spf,
{% endif %}
{% if postfix_check_spamhaus %}
reject_rbl_client zen.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org
{% endif %}

# Relay control: local clients and authenticated clients
# may specify any destination domain.
smtpd_relay_restrictions =
permit_mynetworks,
{% if postfix_method == "postfixadmin" %}
permit_sasl_authenticated,
defer_unauth_destination
{% endif %}
reject_unauth_destination

virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# use dovecot lmtp for mail transport
virtual_transport = lmtp:unix:private/dovecot-lmtp
{% if postfix_check_spf %}
# SPF
policy-spf_time_limit = 3600
{% endif %}

{#
# Enforce mail volume quota via policy service callouts.
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
#}

# SASL
{% if postfix_method == "postfixadmin" %}
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
{% endif %}

# DKIM and DMARC
non_smtpd_milters =
{% if postfix_with_opendkim %}
unix:/run/opendkim/opendkim.sock,
{% endif %}
{% if postfix_with_opendmarc %}
unix:/run/opendmarc/opendmarc.sock
{% endif %}
smtpd_milters =
{% if postfix_with_opendkim %}
unix:/run/opendkim/opendkim.sock,
{% endif %}
{% if postfix_with_opendmarc %}
unix:/run/opendmarc/opendmarc.sock
{% endif %}

# Relay

# Virtual Domain Hosting
virtual_mailbox_domains =
{% if postfix_method == "postfixadmin" %}
proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_domains_maps.cf
{% endif %}
virtual_alias_maps =
{% if postfix_method == "postfixadmin" %}
proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_catchall_maps.cf
{% endif %}
virtual_mailbox_maps =
{% if postfix_method == "postfixadmin" %}
proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_mailbox_maps.cf
{% endif %}

virtual_transport =
{% if postfix_method == "postfixadmin" %}
# use dovecot lmtp for mail transport
lmtp:unix:private/dovecot-lmtp
{% endif %}
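Review bot: In the new `smtpd_relay_restrictions` for `postfix_method == "postfixadmin"`, `defer_unauth_destination` precedes `reject_unauth_destination`, so the latter is never reached: an unauthorised relay attempt gets a temporary 4xx and the sending host retries for days instead of receiving a permanent rejection. Keep one of the two — `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` is the conventional form, with `defer_unauth_destination` only as a deliberate, commented choice. Related: `smtpd_sasl_auth_enable = yes` is set globally, so AUTH is offered on the port-25 `smtp inet` service of master.cf.j2 while `submission`/`smtps` stay commented out there; unless `smtpd_tls_auth_only = yes` is set in the part of the template outside this hunk, credentials may be sent over an unencrypted session, and the usual layout is to enable SASL on the submission service with `smtpd_tls_security_level=encrypt`. Also `smtpd_data_restrictions = reject_unauth_pipelining` now appears twice in the rendered file (once after the commented sender restrictions, again under "Block clients that speak too early") if both lines are on the new side; Postfix uses the last value and logs a warning about overriding the earlier entry, so one copy should go.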

+ 131
- 0
templates/master.cf.j2 Ver fichero

@@ -0,0 +1,131 @@
{{ansible_managed|comment}}

#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

{% if postfix_check_spf %}
# spf
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
{% endif %}
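Review bot: The `smtp inet n - y - - smtpd` and `cleanup unix n - y - 0 cleanup` entries run chrooted (chroot column `y`), while main.cf.j2 in this commit points `smtpd_milters`/`non_smtpd_milters` at `unix:/run/opendkim/opendkim.sock` and `unix:/run/opendmarc/opendmarc.sock`; a chrooted process resolves that path beneath the Postfix queue directory (/var/spool/postfix/run/...), so the milters are unreachable unless the daemons place their sockets inside the chroot or these services are made non-chrooted here. Because `milter_default_action` defaults to tempfail, the symptom would be all mail being deferred rather than an error from `postfix check`. Add a comment on the `smtp` line, e.g. `# chrooted: milter sockets named in main.cf must live under /var/spool/postfix (or use inet: sockets)`, and confirm the socket paths the opendkim role and the opendmarc package actually use. The SPF policy service is not affected since `private/policyd-spf` is already relative to the queue directory.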

templates/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_alias_domain_catchall_maps.cf.j2 Ver fichero


templates/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_alias_domain_mailbox_maps.cf.j2 Ver fichero


templates/sql/mysql_virtual_alias_domain_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_alias_domain_maps.cf.j2 Ver fichero


templates/sql/mysql_virtual_alias_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_alias_maps.cf.j2 Ver fichero


templates/sql/mysql_virtual_domains_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_domains_maps.cf.j2 Ver fichero


templates/sql/mysql_virtual_mailbox_limit_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_mailbox_limit_maps.cf.j2 Ver fichero


templates/sql/mysql_virtual_mailbox_maps.cf.j2 → templates/postfixadmin/sql/mysql_virtual_mailbox_maps.cf.j2 Ver fichero


+ 3
- 0
vars/main.yaml Ver fichero

@@ -0,0 +1,3 @@
postfix_smtpd_recipient_restrictions:
- permit_mynetworks
- permit_sasl_authenticated
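Review bot: `postfix_smtpd_recipient_restrictions` is defined here but, as far as this commit shows, never referenced: main.cf.j2 lists `permit_mynetworks` and `permit_sasl_authenticated` literally in `smtpd_recipient_restrictions`, so the variable and the template can drift apart silently. Either drop it or render the list in the template with a `for` loop over it. If it is meant to be tunable, it belongs in defaults/main.yml rather than vars/: role vars override inventory and play vars, so operators could not change it without extra vars.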
