current

defaults/main.yml

@@ -1,6 +1,9 @@
 mailname: "{{inventory_hostname}}"
 
-postfix_method: none
+postfix_method: false
+
+postfix_smtp_service: true
+postfix_submission_service: false
 
 postfix_postfixadmin_mysql_database: postfixadmin
 postfix_postfixadmin_mysql_username: postfix
@@ -10,3 +13,9 @@ postfix_check_spamhaus: false
 
 postfix_with_opendkim: false
 postfix_with_opendmarc: false
+
+postfix_virtual_transport: virtual # lmtp:unix:private/dovecot-lmtp
+
+postfix_submission_service_smtpd_sasl_path: private/auth
+
+postfix_smtps_service: false

handlers/main.yml

@@ -1,5 +1,17 @@
 ---
 
+- name: postmap virtual_alias_domains
+  command: postmap /etc/postfix/virtual_alias_domains
+
+- name: postmap virtual_alias_maps
+  command: postmap /etc/postfix/virtual_alias_maps
+
+- name: postmap virtual_mailbox_domains
+  command: postmap /etc/postfix/virtual_mailbox_domains
+
+- name: postmap virtual_mailbox_maps
+  command: postmap /etc/postfix/virtual_mailbox_maps
+
 - name: restart postfix
   service:
     name: postfix

tasks/main.yml

@@ -5,6 +5,12 @@
     pkg:
       - postfix
 
+- name: mailname
+  copy:
+    content: "{{mailname}}"
+    dest: /etc/mailname
+  notify: reload postfix
+
 - name: master configuration
   template:
     src: master.cf.j2
@@ -17,11 +23,29 @@
     dest: /etc/postfix/main.cf
   notify: reload postfix
 
-- name: mailname
-  copy:
-    content: "{{mailname}}"
-    dest: /etc/mailname
-  notify: reload postfix
+- name: postfix virtual_alias_domains
+  template:
+    src: virtual_alias_domains.j2
+    dest: /etc/postfix/virtual_alias_domains
+  notify: postmap virtual_alias_domains
+
+- name: postfix virtual_alias_maps
+  template:
+    src: virtual_alias_maps.j2
+    dest: /etc/postfix/virtual_alias_maps
+  notify: postmap virtual_alias_maps
+
+- name: postfix virtual_mailbox_domains
+  template:
+    src: virtual_mailbox_domains.j2
+    dest: /etc/postfix/virtual_mailbox_domains
+  notify: postmap virtual_mailbox_domains
+
+- name: postfix virtual_mailbox_maps
+  template:
+    src: virtual_mailbox_maps.j2
+    dest: /etc/postfix/virtual_mailbox_maps
+  notify: postmap virtual_mailbox_maps
 
 - import_tasks: spf.yaml
   when: postfix_check_spf
@@ -38,16 +62,3 @@
 - name: check postfix configuration
   command: postfix check
   changed_when: false
-
-- name: configuration pull directory
-  local_action: file
-  args:
-    path: ~/host_files/{{inventory_hostname}}/etc
-    state: directory
-
-- name: pull configuration
-  synchronize:
-    src: /etc/postfix
-    dest: ~/host_files/{{inventory_hostname}}/etc/
-    mode: pull
-    recursive: true

tasks/opendkim.yaml

@@ -2,6 +2,16 @@
 
 - import_role:
     name: opendkim
+  vars:
+    opendkim_socket: local:/var/spool/postfix/run/opendkim/opendkim.sock
+
+- name: opendkim run directory in postfix spool
+  file:
+    path: /var/spool/postfix/run/opendkim
+    state: directory
+    owner: opendkim
+    group: opendkim
+    mode: 0755
 
 - name: ensure postfix user is in opendkim group
   user:

tasks/opendmarc.yaml

@@ -2,6 +2,16 @@
 
 - import_role:
     name: opendmarc
+  vars:
+    opendmarc_socket: local:/var/spool/postfix/run/opendmarc/opendmarc.sock
+
+- name: opendmarc run directory in postfix spool
+  file:
+    path: /var/spool/postfix/run/opendmarc
+    state: directory
+    owner: opendmarc
+    group: opendmarc
+    mode: 0755
 
 - name: ensure postfix user is in opendmarc group
   user:

templates/main.cf.j2

@@ -54,6 +54,9 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 # Allow connections from trusted networks only.
 #smtpd_client_restrictions = permit_mynetworks, reject
 
+# Require that a remote SMTP client introduces itself
+#smtpd_helo_required = yes
+
 # Don't talk to mail systems that don't know their own hostname.
 #smtpd_helo_restrictions = reject_unknown_helo_hostname
 
@@ -79,9 +82,6 @@ smtpd_recipient_restrictions =
 # may specify any destination domain.
 smtpd_relay_restrictions =
   permit_mynetworks,
-{% if postfix_method == "postfixadmin" %}
-  permit_sasl_authenticated,
-{% endif %}
   reject_unauth_destination
 
 # Block clients that speak too early.
@@ -97,15 +97,6 @@ smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
 #}
 
 
-### SASL
-
-{% if postfix_method == "postfixadmin" %}
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-smtpd_sasl_auth_enable = yes
-{% endif %}
-
-
 ### DKIM and DMARC
 
 non_smtpd_milters =
@@ -127,26 +118,28 @@ smtpd_milters =
 
 ### Virtual Domain Hosting
 
-virtual_transport =
+virtual_alias_domains =
+  hash:/etc/postfix/virtual_alias_domains,
+
+virtual_alias_maps =
+  hash:/etc/postfix/virtual_alias_maps,
 {% if postfix_method == "postfixadmin" %}
-  # use dovecot lmtp for mail transport
-  lmtp:unix:private/dovecot-lmtp
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_maps.cf,
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_maps.cf,
+  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_catchall_maps.cf
 {% endif %}
 
 virtual_mailbox_domains =
+  hash:/etc/postfix/virtual_mailbox_domains,
 {% if postfix_method == "postfixadmin" %}
   proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_domains_maps.cf
 {% endif %}
 
 virtual_mailbox_maps =
+  hash:/etc/postfix/virtual_mailbox_maps,
 {% if postfix_method == "postfixadmin" %}
   proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_mailbox_maps.cf
 {% endif %}
 
-virtual_alias_maps =
-{% if postfix_method == "postfixadmin" %}
-  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_maps.cf,
-  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_maps.cf,
-  proxy:mysql:/etc/postfix/postfixadmin-sql/mysql_virtual_alias_domain_catchall_maps.cf
-{% endif %}
+virtual_transport = {{postfix_virtual_transport}}

templates/master.cf.j2

@@ -11,25 +11,36 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
+{% if postfix_smtp_service %}
 smtp      inet  n       -       y       -       -       smtpd
+{% endif %}
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
-#submission inet n       -       y       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_reject_unlisted_recipient=no
-#  -o smtpd_client_restrictions=$mua_client_restrictions
-#  -o smtpd_helo_restrictions=$mua_helo_restrictions
-#  -o smtpd_sender_restrictions=$mua_sender_restrictions
-#  -o smtpd_recipient_restrictions=
-#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
-#smtps     inet  n       -       y       -       -       smtpd
-#  -o syslog_name=postfix/smtps
-#  -o smtpd_tls_wrappermode=yes
+{% if postfix_submission_service %}
+submission inet n       -       y       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_sasl_path={{postfix_submission_service_smtpd_sasl_path}}
+  -o smtpd_sasl_security_options=noanonymous
+  -o smtpd_sasl_local_domain=$myhostname
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
+  -o smtpd_sender_restrictions=reject_sender_login_mismatch
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_helo_required=no
+  -o smtpd_helo_restrictions=
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+{% endif %}
+{% if postfix_smtps_service %}
+smtps     inet  n       -       y       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions
@@ -38,6 +49,7 @@ smtp      inet  n       -       y       -       -       smtpd
 #  -o smtpd_recipient_restrictions=
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
+{% endif %}
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup

templates/virtual_alias_domains.j2

@@ -0,0 +1,7 @@
+{{ansible_managed|comment}}
+
+{% if postfix_virtual_alias_domains is defined %}
+{% for domain in postfix_virtual_alias_domains %}
+{{domain}}  OK
+{% endfor %}
+{% endif %}

templates/virtual_alias_maps.j2

@@ -0,0 +1,8 @@
+{{ansible_managed|comment}}
+
+{% if postfix_virtual_alias_maps is defined %}
+{% for from in postfix_virtual_alias_maps %}
+{% set to = postfix_virtual_alias_maps[from] %}
+{{from}}  {{to}}
+{% endfor %}
+{% endif %}

templates/virtual_mailbox_domains.j2

@@ -0,0 +1,7 @@
+{{ansible_managed|comment}}
+
+{% if postfix_virtual_mailbox_domains is defined %}
+{% for domain in postfix_virtual_mailbox_domains %}
+{{domain}}  OK
+{% endfor %}
+{% endif %}

templates/virtual_mailbox_maps.j2

@@ -0,0 +1,8 @@
+{{ansible_managed|comment}}
+
+{% if postfix_virtual_mailbox_maps is defined %}
+{% for from in postfix_virtual_mailbox_maps %}
+{% set to = postfix_virtual_mailbox_maps[from] %}
+{{from}}  {{to}}
+{% endfor %}
+{% endif %}

vars/methods/postfixadmin.yaml

@@ -0,0 +1,3 @@
+postfix_smtpd_sasl_type: dovecot
+postfix_smtpd_sasl_path: private/auth
+postfix_smtpd_sasl_auth_enable: true