current development state

defaults/main.yml

@@ -1,4 +1,12 @@
 mailname: "{{inventory_hostname}}"
 
+postfix_method: none
+
 postfix_postfixadmin_mysql_database: postfixadmin
 postfix_postfixadmin_mysql_username: postfix
+
+postfix_check_spf: false
+postfix_check_spamhaus: false
+
+postfix_with_opendkim: false
+postfix_with_opendmarc: false

handlers/main.yml

@@ -1,3 +1,10 @@
+---
+
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
 - name: reload postfix
   service:
     name: postfix

tasks/main.yml

@@ -2,10 +2,14 @@
 
 - name: install packages
   apt:
-    pkg: "{{item}}"
-  with_items:
-    - postfix
-    - postfix-mysql
+    pkg:
+      - postfix
+
+- name: master configuration
+  template:
+    src: master.cf.j2
+    dest: /etc/postfix/master.cf
+  notify: restart postfix
 
 - name: main configuration
   template:
@@ -19,7 +23,21 @@
     dest: /etc/mailname
   notify: reload postfix
 
-- include: postfixadmin.yml
+- import_tasks: spf.yaml
+  when: postfix_check_spf
+
+- import_tasks: opendkim.yaml
+  when: postfix_with_opendkim
+
+- import_tasks: opendmarc.yaml
+  when: postfix_with_opendmarc
+
+- import_tasks: postfixadmin.yml
+  when: postfix_method == "postfixadmin"
+
+- name: check postfix configuration
+  command: postfix check
+  changed_when: false
 
 - name: configuration pull directory
   local_action: file

tasks/opendkim.yaml

@@ -0,0 +1,11 @@
+---
+
+- import_role:
+    name: opendkim
+
+- name: ensure postfix user is in opendkim group
+  user:
+    name: postfix
+    groups: opendkim
+    append: true
+  notify: restart postfix

tasks/opendmarc.yaml

@@ -0,0 +1,12 @@
+---
+
+- name: opendmarc debian packages
+  apt:
+    pkg: opendmarc
+
+- name: ensure postfix user is in opendmarc group
+  user:
+    name: postfix
+    groups: opendmarc
+    append: true
+  notify: restart postfix

tasks/postfixadmin.yml

@@ -1,5 +1,11 @@
 ---
 
+- name: postfix debian packages for postfixadmin
+  apt:
+    pkg:
+      - postfix
+      - postfix-mysql
+
 - name: postfix sql map directory
   file:
     path: /etc/postfix/sql/
@@ -9,8 +15,8 @@
 
 - name: postfixadmin sql map configuration
   template:
-    src: sql/{{item}}.j2
-    dest: /etc/postfix/sql/{{item}}
+    src: postfixadmin/sql/{{item}}.j2
+    dest: /etc/postfix/postfixadmin-sql/{{item}}
     mode: u=rwx,g=rx,o=
     group: postfix
   with_items:

tasks/spf.yaml

@@ -0,0 +1,5 @@
+---
+
+- name: postfix debian packages for SPF
+  apt:
+    pkg: postfix-policyd-spf-python

templates/main.cf.j2

@@ -1,3 +1,5 @@
+{{ansible_managed|comment}}
+
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
 
 # Debian specific:  Specifying a file name will cause the first
@@ -33,7 +35,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 myhostname = {{mailname}}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-mydestination = $myhostname, tg-infra-dev-mail-1, localhost.localdomain, , localhost
+mydestination = $myhostname, {{inventory_hostname}}, localhost.localdomain, localhost
 relayhost =
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
@@ -42,36 +44,97 @@ inet_interfaces = all
 inet_protocols = all
 
 # some rules from http://www.postfix.org/SMTPD_ACCESS_README.html
+
+# Allow connections from trusted networks only.
 #smtpd_client_restrictions = permit_mynetworks, reject
+
+# Don't talk to mail systems that don't know their own hostname.
 #smtpd_helo_restrictions = reject_unknown_helo_hostname
+
+# Don't accept mail from domains that don't exist.
 #smtpd_sender_restrictions = reject_unknown_sender_domain
-smtpd_data_restrictions = reject_unauth_pipelining
 
+# Spam control: exclude local clients and authenticated clients
+# from DNSBL and SPF lookups.
 smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
+{% if postfix_check_spf %}
+  check_policy_service unix:private/policyd-spf,
+{% endif %}
+{% if postfix_check_spamhaus %}
   reject_rbl_client zen.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org
+{% endif %}
 
+# Relay control: local clients and authenticated clients
+# may specify any destination domain.
 smtpd_relay_restrictions =
   permit_mynetworks,
+{% if postfix_method == "postfixadmin" %}
   permit_sasl_authenticated,
-  defer_unauth_destination
+{% endif %}
+  reject_unauth_destination
 
-virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
-virtual_alias_maps =
-   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
-   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
-   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
-virtual_mailbox_maps =
-   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
-   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
+# Block clients that speak too early.
+smtpd_data_restrictions = reject_unauth_pipelining
 
-# use dovecot lmtp for mail transport
-virtual_transport = lmtp:unix:private/dovecot-lmtp
+{% if postfix_check_spf %}
+# SPF
+policy-spf_time_limit = 3600
+{% endif %}
 
+{#
+# Enforce mail volume quota via policy service callouts.
+smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
+#}
+
+# SASL
+{% if postfix_method == "postfixadmin" %}
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
+{% endif %}
+
+# DKIM and DMARC
+non_smtpd_milters =
+{% if postfix_with_opendkim %}
+  unix:/run/opendkim/opendkim.sock,
+{% endif %}
+{% if postfix_with_opendmarc %}
+  unix:/run/opendmarc/opendmarc.sock
+{% endif %}
+smtpd_milters =
+{% if postfix_with_opendkim %}
+  unix:/run/opendkim/opendkim.sock,
+{% endif %}
+{% if postfix_with_opendmarc %}
+  unix:/run/opendmarc/opendmarc.sock
+{% endif %}
+
+# Relay
+
+# Virtual Domain Hosting
+virtual_mailbox_domains =
+{% if postfix_method == "postfixadmin" %}
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_domains_maps.cf
+{% endif %}
+virtual_alias_maps =
+{% if postfix_method == "postfixadmin" %}
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_maps.cf,
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_maps.cf,
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_catchall_maps.cf
+{% endif %}
+virtual_mailbox_maps =
+{% if postfix_method == "postfixadmin" %}
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_mailbox_maps.cf,
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_mailbox_maps.cf
+{% endif %}
+
+virtual_transport =
+{% if postfix_method == "postfixadmin" %}
+  # use dovecot lmtp for mail transport
+  lmtp:unix:private/dovecot-lmtp
+{% endif %}

templates/master.cf.j2

@@ -0,0 +1,131 @@
+{{ansible_managed|comment}}
+
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+
+{% if postfix_check_spf %}
+# spf
+policyd-spf  unix  -       n       n       -       0       spawn
+        user=policyd-spf argv=/usr/bin/policyd-spf
+{% endif %}

vars/main.yaml

@@ -0,0 +1,3 @@
+postfix_smtpd_recipient_restrictions:
+  - permit_mynetworks
+  - permit_sasl_authenticated