Import the old role.
This commit is contained in:
parent
47189292cd
commit
7ed13f52e8
59
README.md
59
README.md
|
@ -1,31 +1,54 @@
|
|||
Role Name
|
||||
=========
|
||||
|
||||
A brief description of the role goes here.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
||||
A role that installs and configures an instance of postfix that listens on localhost and routes messages to a relay server.
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
||||
The most important variables are listed below:
|
||||
|
||||
``` yaml
|
||||
postfix_relay_client: False
|
||||
postfix_relay_client_do_not_stop_submission: False
|
||||
postfix_biff: "no"
|
||||
postfix_append_dot_mydomain: "no"
|
||||
postfix_use_relay_host: True
|
||||
|
||||
postfix_use_letsencrypt: False
|
||||
# Accepted values: none, may, encrypt
|
||||
postfix_smtpd_tls_security_level: encrypt
|
||||
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
|
||||
postfix_smtp_tls_security_level: encrypt
|
||||
postfix_use_sasl_auth: True
|
||||
postfix_smtp_sasl_auth_enable: "yes"
|
||||
postfix_smtp_create_relay_user: True
|
||||
# Options: noanonymous, noplaintext
|
||||
postfix_smtp_sasl_security_options: noanonymous
|
||||
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
|
||||
postfix_smtp_sasl_mechanism_filter: plain, login
|
||||
|
||||
# Set it in the local rules
|
||||
#postfix_relay_host: smtp-relay.example.com
|
||||
postfix_relay_port: 587
|
||||
postfix_default_destination_concurrency_limit: 20
|
||||
#postfix_smtp_relay_user: smtp-user
|
||||
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
|
||||
# This one has to be set inside a vault file
|
||||
#postfix_smtp_relay_pwd: set_you_password_here_in_a_vault_encrypted_file
|
||||
|
||||
# The following options are used only whe postfix_relay_server is set to True
|
||||
postfix_relay_server: False
|
||||
postfix_mynetworks: hash:/etc/postfix/network_table
|
||||
postfix_interfaces: all
|
||||
postfix_inet_protocols: all
|
||||
postfix_message_size_limit: 10240000
|
||||
```
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
||||
|
||||
- hosts: servers
|
||||
roles:
|
||||
- { role: username.rolename, x: 42 }
|
||||
None
|
||||
|
||||
License
|
||||
-------
|
||||
|
@ -35,4 +58,4 @@ EUPL-1.2
|
|||
Author Information
|
||||
------------------
|
||||
|
||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
||||
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>
|
||||
|
|
|
@ -1,2 +1,49 @@
|
|||
---
|
||||
# defaults file for ansible-role-template
|
||||
postfix_enabled: True
|
||||
postfix_install_packages: True
|
||||
|
||||
# Set it to true when you want configure your machine to send email to a relay
|
||||
postfix_relay_client: False
|
||||
postfix_relay_client_do_not_stop_submission: False
|
||||
postfix_biff: "no"
|
||||
postfix_append_dot_mydomain: "no"
|
||||
postfix_use_relay_host: True
|
||||
|
||||
postfix_use_letsencrypt: False
|
||||
# Accepted values: none, may, encrypt
|
||||
postfix_smtpd_tls_security_level: encrypt
|
||||
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
|
||||
postfix_smtp_tls_security_level: encrypt
|
||||
postfix_use_sasl_auth: True
|
||||
postfix_smtp_sasl_auth_enable: "yes"
|
||||
postfix_smtp_create_relay_user: True
|
||||
# Options: noanonymous, noplaintext
|
||||
postfix_smtp_sasl_security_options: noanonymous
|
||||
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
|
||||
postfix_smtp_sasl_mechanism_filter: plain, login
|
||||
|
||||
# Set it in the local rules
|
||||
#postfix_relay_host: smtp-relay.example.com
|
||||
postfix_relay_port: 587
|
||||
postfix_default_destination_concurrency_limit: 20
|
||||
#postfix_smtp_relay_user: smtp-user
|
||||
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
|
||||
# This one has to be set inside a vault file
|
||||
#postfix_smtp_relay_pwd: set_you_password_here_in_a_vault_encrypted_file
|
||||
|
||||
# The following options are used only whe postfix_relay_server is set to True
|
||||
postfix_relay_server: False
|
||||
postfix_mynetworks: hash:/etc/postfix/network_table
|
||||
postfix_interfaces: all
|
||||
postfix_inet_protocols: all
|
||||
postfix_message_size_limit: 10240000
|
||||
|
||||
postfix_nagios_check: False
|
||||
postfix_nagios_checks:
|
||||
- check_postfix_mailqueue
|
||||
- check_postfix_processed
|
||||
|
||||
nagios_postfix_mailq_w: 20
|
||||
nagios_postfix_mailq_c: 50
|
||||
nagios_postfix_processed_w: 50
|
||||
nagios_postfix_processed_c: 150
|
||||
|
|
|
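Review bot: The defaults combine `postfix_smtp_tls_security_level: encrypt` with cleartext SASL mechanisms for the relay (`postfix_smtp_sasl_mechanism_filter: plain, login`), and `encrypt` only forces TLS without verifying the relay's certificate (the main.cf template sets no `smtp_tls_CAfile`), so anyone who can answer for `postfix_relay_host` on the path collects the relay password. For a credentialed relay the safer default is `postfix_smtp_tls_security_level: secure` (or `verify`) together with a CA-file variable the template can emit; at minimum the comment above that line should say `# encrypt does not authenticate the relay; use verify/secure with smtp_tls_CAfile when sending credentials`. The booleans here are written `True`/`False` while Ansible's own convention is lowercase `true`/`false`, and the comments carry two typos: `whe` should read `when` and `set_you_password` should read `set_your_password`.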
@ -0,0 +1,181 @@
|
|||
#!/bin/bash
|
||||
###################################################################
|
||||
# check_postfix_mailqueue is developped with GPL Licence 2.0
|
||||
#
|
||||
# GPL License: http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||
#
|
||||
# First version developped by : Bjoern Bongermino
|
||||
#
|
||||
###################################################################
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
####################################################################
|
||||
|
||||
#
|
||||
# original https://gist.github.com/alexlehm/8084195
|
||||
#
|
||||
|
||||
# created by McArt <hello@mcart.ru> http://www.mcart.ru/
|
||||
|
||||
# Uncomment to enable debugging
|
||||
# set -x
|
||||
|
||||
PROGNAME=`basename $0`
|
||||
VERSION="Version 2.0"
|
||||
AUTHOR="McArt (http://www.mcart.ru)"
|
||||
|
||||
STATE_OK=0
|
||||
STATE_WARNING=1
|
||||
STATE_CRITICAL=2
|
||||
STATE_UNKNOWN=3
|
||||
|
||||
warning=unknown
|
||||
critical=unknown
|
||||
|
||||
print_version() {
|
||||
echo "$PROGNAME $VERSION $AUTHOR"
|
||||
}
|
||||
|
||||
print_help() {
|
||||
print_version $PROGNAME $VERSION
|
||||
echo ""
|
||||
echo "$PROGNAME - Checks postfix mailqueue statistic"
|
||||
echo ""
|
||||
echo "$PROGNAME is a Nagios plugin which generates statistics"
|
||||
echo "for the postfix mailqueue and checks for corrupt messages."
|
||||
echo "The following values will be checked:"
|
||||
echo "active: Mails being delivered (should be small)"
|
||||
echo "deferred: Stuck mails (that will be retried later)"
|
||||
echo "corrupt: Messages found to not be in correct format (should be 0)"
|
||||
echo "hold: Recent addition, messages put on hold indefinitly - delete of free"
|
||||
echo "bounced: Bounced mails"
|
||||
echo ""
|
||||
echo "Usage: $PROGNAME -w WARN-Level -c CRIT-Level"
|
||||
echo ""
|
||||
echo "Options:"
|
||||
echo " -w)"
|
||||
echo " Warning level for active mails"
|
||||
echo " -c)"
|
||||
echo " Critical level for active mail"
|
||||
echo " -h)"
|
||||
echo " This help"
|
||||
echo " -v)"
|
||||
echo " Version"
|
||||
exit $STATE_OK
|
||||
}
|
||||
|
||||
# Check for parameters
|
||||
while test -n "$1"; do
|
||||
case "$1" in
|
||||
-h)
|
||||
print_help
|
||||
exit $STATE_OK;;
|
||||
-v)
|
||||
print_version
|
||||
exit $STATE_OK;;
|
||||
-w)
|
||||
warning=$2
|
||||
shift
|
||||
;;
|
||||
-c)
|
||||
critical=$2
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
echo "Usage: ./check_postfix_mailqueue2.sh -w <Warning level for active mails> -c <Critical level for active mail>"
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if [ $warning == "unknown" ] || [ $critical == "unknown" ]; then
|
||||
echo "You need to specify warning and critical for active mails"
|
||||
echo "Usage: ./check_postfix_mailqueue2.sh -w <warn> -c <crit>"
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
|
||||
# make sure CRIT is larger than WARN
|
||||
if [ $warning -ge $critical ];then
|
||||
echo "UNKNOWN: WARN value may not be greater than or equal the CRIT value"
|
||||
exit $OK
|
||||
fi
|
||||
|
||||
check_postfix_mailqueue() {
|
||||
# Can be set via environment, but default is fetched by postconf (if available,
|
||||
# else /var/spool/postfix)
|
||||
if which postconf > /dev/null ; then
|
||||
SPOOLDIR=${spooldir:-`postconf -h queue_directory`}
|
||||
else
|
||||
SPOOLDIR=${spooldir:-/var/spool/postfix}
|
||||
fi
|
||||
|
||||
cd $SPOOLDIR >/dev/null 2>/dev/null || {
|
||||
echo -n "Cannot cd to $SPOOLDIR"
|
||||
exit $STATE_CRITICAL
|
||||
}
|
||||
|
||||
for d in deferred active corrupt hold
|
||||
do
|
||||
if [ ! -r $d ]
|
||||
then
|
||||
echo -n "queue dir '$d' is not readable"
|
||||
exit $STATE_CRITICAL
|
||||
fi
|
||||
done
|
||||
|
||||
# Get values
|
||||
deferred=`(test -d deferred && find deferred -type f ) | wc -l`
|
||||
active=`(test -d active && find active -type f ) | wc -l`
|
||||
corrupt=`(test -d corrupt && find corrupt -type f ) | wc -l`
|
||||
hold=`( test -d hold && find hold -type f ) | wc -l`
|
||||
bounced=`cat /var/log/mail.log | grep bounced | wc -l`
|
||||
}
|
||||
|
||||
check_postfix_mailqueue
|
||||
values="Deferred mails=$deferred Active deliveries=$active Corrupt mails=$corrupt Mails on hold=$hold Bounced mails=$bounced"
|
||||
perfdata="deferred=$deferred;; active=$active;; corrupt=$corrupt;; hold=$hold;; bounced=$bounced;;"
|
||||
|
||||
if [ $corrupt -gt 0 ]; then
|
||||
echo -n "Postfix Mailqueue WARNING - $corrupt corrupt messages found! | $perfdata"
|
||||
exit $STATE_WARNING
|
||||
fi
|
||||
|
||||
if [ $hold -gt 0 ]; then
|
||||
echo -n "Postfix Mailqueue WARNING - $hold hold messages found! | $perfdata"
|
||||
exit $STATE_WARNING
|
||||
fi
|
||||
|
||||
if [ $deferred -gt 0 ]; then
|
||||
echo -n "Postfix Mailqueue WARNING - $deferred deferred messages found! | $perfdata"
|
||||
exit $STATE_WARNING
|
||||
fi
|
||||
|
||||
if [ $bounced -gt 0 ]; then
|
||||
echo -n "Postfix Mailqueue WARNING - $bounced bounced messages found! | $perfdata"
|
||||
exit $STATE_WARNING
|
||||
fi
|
||||
|
||||
|
||||
if [ $active -gt $critical ]; then
|
||||
MES_TO_EXIT="Postfix Mailqueue CRITICAL - $values | $perfdata"
|
||||
STATE_TO_EXIT=$STATE_CRITICAL
|
||||
elif [ $active -gt $warning ]; then
|
||||
MES_TO_EXIT="Postfix Mailqueue WARNING - $values | $perfdata"
|
||||
STATE_TO_EXIT=$STATE_WARNING
|
||||
else
|
||||
MES_TO_EXIT="Postfix Mailqueue OK - $values | $perfdata"
|
||||
STATE_TO_EXIT=$STATE_OK
|
||||
fi
|
||||
|
||||
|
||||
echo -n $MES_TO_EXIT
|
||||
echo -e "\n"
|
||||
exit $STATE_TO_EXIT
|
|
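Review bot: The threshold sanity check ends with `exit $OK`, a variable that is never defined, so the script exits 0 after printing an UNKNOWN message and Nagios treats a misconfigured `-w`/`-c` pair as a healthy queue; it should be `exit $STATE_UNKNOWN`. The tests `[ $warning == "unknown" ]` and `[ $warning -ge $critical ]` run on unquoted, unvalidated option values, so an empty or non-numeric argument yields a bash test error instead of a clean UNKNOWN; quoting both and checking `[[ $warning =~ ^[0-9]+$ && $critical =~ ^[0-9]+$ ]]` first closes that, and the `*)` branch of the option loop prints usage but keeps going, so a mistyped flag is silently ignored. Note also that the queue directories under `postconf -h queue_directory` are normally readable only by the postfix user, so when this is installed for NRPE (root:nagios, 0555, per tasks/smtp-common-packages.yml) it will exit CRITICAL with "queue dir ... is not readable" unless the nagios user is granted access, which the plugin header or the role README should state.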
@ -0,0 +1,104 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
## This program is free software: you can redistribute it and/or modify
|
||||
## it under the terms of the GNU General Public License as published by
|
||||
## the Free Software Foundation, either version 3 of the License, or
|
||||
## (at your option) any later version.
|
||||
##
|
||||
## This program is distributed in the hope that it will be useful,
|
||||
## but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
## GNU General Public License for more details.
|
||||
##
|
||||
|
||||
# ===============
|
||||
# check_postfixprocessed - plugin to check the number of mail processed by parsing logfiles
|
||||
# ===============
|
||||
# * mail processor written by Cecil Westerhof & Modifications for nagios by Frank IJskes
|
||||
# * Christian Nutz identified the IF as slow on large logfiles, by only checking from the bottom up performance went back to normal
|
||||
|
||||
# version 2 uses AWK to improve processing / lower cpu load
|
||||
# plugin return codes:
|
||||
# 0 OK
|
||||
# 1 Warning
|
||||
# 2 Critical
|
||||
# 3 Unknown
|
||||
|
||||
NO_OF_SECONDS=300
|
||||
POSTFIX_LOG="/var/log/mail.log"
|
||||
|
||||
while getopts "hvw:c:" opt
|
||||
do
|
||||
case $opt in
|
||||
h)
|
||||
showhelp=1
|
||||
break
|
||||
;;
|
||||
w)
|
||||
warning="$OPTARG"
|
||||
;;
|
||||
c)
|
||||
critical="$OPTARG"
|
||||
;;
|
||||
v)
|
||||
verbose=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
printUsage() {
|
||||
echo "Usage: $0 [-h] [-v] -w <warning> -c <critical>"
|
||||
echo ""
|
||||
echo "Example: $0 -w 50 -c 100"
|
||||
}
|
||||
|
||||
printHelp() {
|
||||
printUsage
|
||||
echo ""
|
||||
echo "This plugin checks the number of messages processed by Postfix in the last 5 minutes."
|
||||
echo ""
|
||||
echo "For more details, see inside the script ;)"
|
||||
echo ""
|
||||
exit 3
|
||||
}
|
||||
|
||||
if [ "$showhelp" = "1" ]; then
|
||||
printHelp
|
||||
exit 3
|
||||
fi
|
||||
|
||||
if [ ! "$warning" ] || [ ! "$critical" ]; then
|
||||
printUsage
|
||||
exit 3
|
||||
fi
|
||||
|
||||
if [ $warning -ge $critical ]; then
|
||||
echo "<warning> has to be smaller than <critical>!"
|
||||
exit 3
|
||||
fi
|
||||
|
||||
if [ ! "$POSTFIX_LOG" ]; then
|
||||
echo "Could not find postfix log!"
|
||||
exit 3
|
||||
fi
|
||||
|
||||
countSentMessages () {
|
||||
NOW=`date +%s`
|
||||
|
||||
DATE_FROM=`awk -v now=$NOW -v seconds=$NO_OF_SECONDS 'BEGIN{print strftime("%b %d %T", now-seconds)}'`
|
||||
DATE_TO=`awk -v now=$NOW 'BEGIN{print strftime("%b %d %T", now)}'`
|
||||
|
||||
echo `awk '$0>=from && $0<=to' from="$DATE_FROM" to="$DATE_TO" ${POSTFIX_LOG} | grep ' postfix/smtp\[.*, status=sent ' | wc -l`
|
||||
}
|
||||
|
||||
sentMessagesCount=`countSentMessages`
|
||||
|
||||
echo "Messages processed in the last $NO_OF_SECONDS seconds: $sentMessagesCount | mailsprocessed=$sentMessagesCount"
|
||||
|
||||
if [ "$sentMessagesCount" -ge "$critical" ]; then
|
||||
exit 2
|
||||
elif [ "$sentMessagesCount" -ge "$warning" ]; then
|
||||
exit 1
|
||||
else
|
||||
exit 0
|
||||
fi
|
|
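Review bot: The guard `if [ ! "$POSTFIX_LOG" ]` only tests that the variable is non-empty, which is always true because it is hard-coded a few lines above, so a missing or unreadable /var/log/mail.log is never reported and falls through to awk, which prints an error and reports 0 messages as OK; it should be `if [ ! -r "$POSTFIX_LOG" ]; then`. The window is selected by comparing log lines lexically against `strftime("%b %d %T", ...)`; `%d` zero-pads the day ("Jan 05") while the classic syslog timestamp space-pads it ("Jan  5"), so on such systems lines for the first nine days of each month sort below `from` and are never counted, and because month abbreviations do not sort chronologically the comparison can also return nothing or too much around a month boundary — using `%e` for the day and, better, comparing epoch seconds derived from the timestamp would fix both. `[ $warning -ge $critical ]` should quote its operands as the later `"$sentMessagesCount" -ge "$critical"` already does.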
@ -0,0 +1,3 @@
|
|||
pwcheck_method: saslauthd
|
||||
mech_list: PLAIN LOGIN
|
||||
|
|
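Review bot: `mech_list: PLAIN LOGIN` offers only cleartext-password mechanisms, which is acceptable solely because main.cf.j2 sets `smtpd_tls_auth_only = yes` for the relay server so AUTH is never advertised before STARTTLS; that dependency is not stated anywhere in this file. A comment such as `# PLAIN/LOGIN send the password in the clear; safe only behind smtpd_tls_auth_only = yes (see main.cf)` would keep the next editor from relaxing TLS without noticing.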
@ -1,2 +1,21 @@
|
|||
---
|
||||
# handlers file for ansible-role-template
|
||||
- name: Update SASL hash
|
||||
shell: postmap hash:/etc/postfix/sasl_passwd
|
||||
|
||||
- name: Reload postfix
|
||||
service: name=postfix state=reloaded
|
||||
when: postfix_enabled
|
||||
|
||||
- name: Restart postfix
|
||||
service: name=postfix state=restarted
|
||||
when: postfix_enabled
|
||||
|
||||
- name: Update the network hash table
|
||||
shell: postmap hash:/etc/postfix/network_table
|
||||
|
||||
- name: start saslauth daemon
|
||||
service: name=saslauthd state=started enabled=yes
|
||||
when: postfix_enabled
|
||||
|
||||
- name: restart saslauth daemon
|
||||
service: name=saslauthd state=restarted
|
||||
when: postfix_enabled
|
||||
|
|
|
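Review bot: `shell: postmap hash:/etc/postfix/sasl_passwd` (and the network_table handler) runs a fixed command that needs no shell features, so `command: postmap hash:/etc/postfix/sasl_passwd` is the right module: it removes the interpolation surface and the ansible-lint warning. The generated /etc/postfix/sasl_passwd.db holds the relay password in cleartext; the source file is written 0400 in tasks/smtp-sasl-auth.yml, but nothing here controls the mode of the .db postmap produces, so verify on a target host that it is not group/world-readable and, if it is, add `file: path=/etc/postfix/sasl_passwd.db owner=root group=root mode=0600` after the postmap. No task in this commit notifies `Update SASL hash` — tasks/smtp-sasl-auth.yml runs postmap inline instead — so one of the two copies is dead code; using `notify: Update SASL hash` on the template task keeps a single code path.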
@ -1,61 +1,27 @@
|
|||
galaxy_info:
|
||||
author: your name
|
||||
description: your description
|
||||
author: Andrea Dell'Amico
|
||||
description: Systems Architect
|
||||
company: ISTI-CNR
|
||||
|
||||
# If the issue tracker for your role is not on github, uncomment the
|
||||
# next line and provide a value
|
||||
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
|
||||
|
||||
# Some suggested licenses:
|
||||
# - BSD (default)
|
||||
# - MIT
|
||||
# - GPLv2
|
||||
# - GPLv3
|
||||
# - Apache
|
||||
# - CC-BY
|
||||
license: EUPL-1.2
|
||||
license: EUPL 1.2+
|
||||
|
||||
min_ansible_version: 2.8
|
||||
|
||||
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||
# min_ansible_container_version:
|
||||
|
||||
# Optionally specify the branch Galaxy will use when accessing the GitHub
|
||||
# repo for this role. During role install, if no tags are available,
|
||||
# Galaxy will use this branch. During import Galaxy will access files on
|
||||
# this branch. If Travis integration is configured, only notifications for this
|
||||
# branch will be accepted. Otherwise, in all cases, the repo's default branch
|
||||
# (usually master) will be used.
|
||||
#github_branch:
|
||||
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
# platforms:
|
||||
# - name: Fedora
|
||||
# versions:
|
||||
# - all
|
||||
# - 25
|
||||
# - name: SomePlatform
|
||||
# versions:
|
||||
# - all
|
||||
# - 1.0
|
||||
# - 7
|
||||
# - 99.99
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- trusty
|
||||
- bionic
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
|
||||
galaxy_tags: []
|
||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||
# remove the '[]' above, if you add tags to this list.
|
||||
#
|
||||
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||
# Maximum 20 tags per role.
|
||||
galaxy_tags:
|
||||
- users
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
|
||||
|
|
|
@ -1,2 +1,11 @@
|
|||
---
|
||||
# tasks file for ansible-role-template
|
||||
- import_tasks: smtp-common-packages.yml
|
||||
- import_tasks: smtp-sasl-auth.yml
|
||||
when:
|
||||
- postfix_use_sasl_auth
|
||||
- postfix_relay_client
|
||||
- import_tasks: postfix-relay-server.yml
|
||||
when: postfix_relay_server
|
||||
- import_tasks: postfix-letsencrypt-hook.yml
|
||||
when: postfix_use_letsencrypt
|
||||
|
||||
|
|
|
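Review bot: With the shipped defaults (`postfix_use_sasl_auth: True`, `postfix_relay_client: False`) smtp-sasl-auth.yml is skipped, yet templates/main.cf.j2 emits `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd` whenever `postfix_use_sasl_auth` is true, so a default install points Postfix at a map that was never written and outbound deliveries are likely deferred with an "open database /etc/postfix/sasl_passwd.db" error. Either gate the SASL block in the template on the same two conditions, or drop `- postfix_relay_client` from this `when` so the map is always produced when SASL is enabled. The conditions here are bare (`- postfix_use_sasl_auth`) while smtp-common-packages.yml uses `| bool`; a value supplied as the string `"False"` from inventory or `-e` is truthy in the bare form, so `- postfix_use_sasl_auth | bool` is both safer and consistent with the sibling file.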
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: Create the acme hooks directory if it does not exist
|
||||
file: dest=/usr/lib/acme/hooks state=directory
|
||||
tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ]
|
||||
|
||||
- name: Install a hook for letsencrypt
|
||||
template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555
|
||||
tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ]
|
|
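Review bot: `mode=4555` sets the setuid bit on a root-owned shell script; the kernel ignores setuid on interpreted scripts, so it grants nothing, but it is a permission every hardening scanner flags and the role does not need it since the ACME client already runs the hook as root. Use `mode=0755` (or `0555` for read-only), and give the hook directory explicit ownership on the preceding task, `file: dest=/usr/lib/acme/hooks state=directory owner=root group=root mode=0755`, so the directory a root-run hook lives in is not left to the umask.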
@ -0,0 +1,45 @@
|
|||
---
|
||||
- name: Create the /etc/mailname file if it's not present
|
||||
template: src=mailname.j2 dest=/etc/mailname owner=root group=root mode=0644
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Write the network hash file
|
||||
template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
|
||||
notify: Update the network hash table
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Install the sasl2 authentication infrastructure
|
||||
apt: pkg={{ item }} state=present
|
||||
with_items: '{{ postfix_sasl_packages }}'
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Create the sasl directory inside /etc/postfix
|
||||
file: dest=/etc/postfix/sasl state=directory owner=root group=root mode=0555
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Create the sasl run directory inside /var/spool/postfix, for chroot
|
||||
file: dest=/var/spool/postfix/var/run/saslauthd state=directory owner=root group=root mode=0555
|
||||
notify: start saslauth daemon
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Install the smtpd.conf file inside inside /etc/postfix/sasl
|
||||
copy: src=sasl_smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root group=root mode=0444
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Change the socket path because postfix on debian runs inside a chroot jail
|
||||
action: configfile path=/etc/default/saslauthd key=OPTIONS value='"-c -m /var/spool/postfix/var/run/saslauthd"' syntax=shell
|
||||
notify: restart saslauth daemon
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Enable the saslauth daemon
|
||||
action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket
|
||||
user: name=postfix groups='sasl'
|
||||
notify: Restart postfix
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Ensure that the saslauthd daemon is started and enabled
|
||||
service: name=saslauthd state=restarted enabled=yes
|
||||
tags: postfix-relay
|
|
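Review bot: `user: name=postfix groups='sasl'` without `append=yes` replaces the postfix user's entire supplementary-group list with `sasl`, silently dropping any group the distribution or another role already gave it; it should be `user: name=postfix groups=sasl append=yes`. The final task uses `state=restarted`, which restarts saslauthd on every run and makes the role non-idempotent; `service: name=saslauthd state=started enabled=yes` is enough because the two `configfile` tasks already notify `restart saslauth daemon` when something changed. `with_items: '{{ postfix_sasl_packages }}'` references a variable that defaults/main.yml in this commit does not define, so unless it lives in vars/main.yml the task fails on first run; `apt` also accepts the list directly (`apt: pkg={{ postfix_sasl_packages }}`), which avoids the loop. `configfile` is not a core Ansible module, so the role should state where it comes from in the README or meta dependencies.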
@ -0,0 +1,68 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install postfix and libsas to do mail relay on deb systems
|
||||
apt: pkg={{ postfix_relay_deb_pkgs }} state=present update_cache=yes cache_valid_time=1800
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
|
||||
- name: Install postfix and libsas to do mail relay on RH systems
|
||||
yum: pkg={{ postfix_relay_rh_pkgs }} state=present
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: Remove the ssmtp package on RH systems
|
||||
yum: pkg=ssmtp state=absent
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: Write the postfix main configuration file
|
||||
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
|
||||
register: postfix_main_restart_needed
|
||||
|
||||
- name: Activate the submission port on the postfix master file
|
||||
template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
|
||||
register: postfix_master_restart_needed
|
||||
|
||||
when: postfix_install_packages | bool
|
||||
tags: postfix-relay
|
||||
|
||||
- block:
|
||||
- name: Ensure that postfix is started and enabled
|
||||
service: name=postfix state=started enabled=yes
|
||||
when: postfix_enabled | bool
|
||||
|
||||
- name: Ensure that postfix is stopped and disabled
|
||||
service: name=postfix state=stopped enabled=no
|
||||
when: not postfix_enabled | bool
|
||||
|
||||
- name: Restart postfix
|
||||
service: name=postfix state=restarted
|
||||
when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed )
|
||||
|
||||
when:
|
||||
- postfix_install_packages | bool
|
||||
- postfix_enabled | bool
|
||||
tags: postfix-relay
|
||||
|
||||
- block:
|
||||
- name: Install the postfix NRPE nagios check
|
||||
copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555
|
||||
with_items: '{{ postfix_nagios_checks }}'
|
||||
|
||||
- name: Install the postfix NRPE command configuration
|
||||
template: src=postfix-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/postfix-nrpe.cfg owner=root group=root mode=0444
|
||||
notify: Reload NRPE server
|
||||
|
||||
when:
|
||||
- postfix_install_packages | bool
|
||||
- postfix_nagios_check | bool
|
||||
tags: [ 'postfix-relay', 'nagios', 'nrpe' ]
|
||||
|
||||
- block:
|
||||
- name: Remove postfix and libsas on deb systems
|
||||
action: apt pkg={{ postfix_relay_deb_pkgs }} state=absent
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
|
||||
- name: Remove postfix and libsas to do mail relay on RH systems
|
||||
yum: pkg={{ postfix_relay_rh_pkgs }} state=absent
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
when: not postfix_install_packages | bool
|
||||
tags: postfix-relay
|
|
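Review bot: `notify: Reload NRPE server` names a handler that handlers/main.yml in this commit does not define, so with `postfix_nagios_check` true the play aborts with a "handler not found" error unless an NRPE role in the same play provides it; either add the handler here or declare that role in meta/main.yml `dependencies` and say so in the README. The `register: postfix_main_restart_needed` / `is changed` pattern duplicates what the existing `Restart postfix` handler does; `notify: Restart postfix` on the two template tasks is the idiomatic form and keeps a single restart path. `ansible_distribution_file_variety == "RedHat"` paired with `yum:` will not cover dnf-only hosts; `package:` with `state=present` covers both package managers with the same variable.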
@ -0,0 +1,11 @@
|
|||
---
|
||||
- name: Write sasl hash file
|
||||
template: src=sasl_passwd.j2 dest=/etc/postfix/sasl_passwd owner=root group=root mode=0400
|
||||
when: postfix_use_sasl_auth
|
||||
register: update_sasl_hash
|
||||
tags: postfix-relay
|
||||
|
||||
- name: Update SASL hash
|
||||
shell: postmap hash:/etc/postfix/sasl_passwd
|
||||
when: update_sasl_hash is changed
|
||||
tags: postfix-relay
|
|
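Review bot: The `template:` task renders `postfix_smtp_relay_pwd` into /etc/postfix/sasl_passwd, and a run with `--diff` (or verbose output on failure) prints the rendered file, so the vaulted secret ends up in the controller's terminal and CI logs; add `no_log: true` (or at least `diff: false`) to that task. The `when: postfix_use_sasl_auth` here is redundant with the gate in tasks/main.yml, and the inline `shell: postmap ...` task duplicates the `Update SASL hash` handler in handlers/main.yml — `notify: Update SASL hash` on the template task plus deleting the second task keeps one code path, and if it stays, `command:` is preferable to `shell:` for a fixed argument list.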
@ -0,0 +1,6 @@
|
|||
{% if hostname is defined %}
|
||||
{{ hostname }}
|
||||
{% else %}
|
||||
{{ ansible_fqdn }}
|
||||
{% endif %}
|
||||
|
|
@ -0,0 +1,101 @@
|
|||
smtpd_banner = $myhostname ESMTP $mail_name
|
||||
biff = {{ postfix_biff }}
|
||||
|
||||
# appending .domain is the MUA's job.
|
||||
append_dot_mydomain = {{ postfix_append_dot_mydomain }}
|
||||
|
||||
# Uncomment the next line to generate "delayed mail" warnings
|
||||
#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
|
||||
# TLS parameters
|
||||
# Server
|
||||
{% if letsencrypt_acme_install is defined %}
|
||||
{% if postfix_use_letsencrypt %}
|
||||
smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
|
||||
smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey
|
||||
{% else %}
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if letsencrypt_acme_install is not defined %}
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
{% endif %}
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
{% if postfix_relay_server %}
|
||||
smtpd_tls_security_level = encrypt
|
||||
smtpd_tls_auth_only = yes
|
||||
{% endif %}
|
||||
smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
|
||||
# Client
|
||||
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
||||
# information on enabling SSL in the smtp client.
|
||||
|
||||
myhostname = {{ ansible_fqdn }}
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
{% if domain_name is defined %}
|
||||
myorigin = {{ domain_name }}
|
||||
{% else %}
|
||||
myorigin = {{ ansible_fqdn }}
|
||||
{% endif %}
|
||||
mydestination = {{ ansible_fqdn }}, localhost
|
||||
{% if postfix_use_relay_host %}
|
||||
relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}
|
||||
{% endif %}
|
||||
{% if not postfix_relay_server %}
|
||||
mynetworks = 127.0.0.1
|
||||
inet_interfaces = localhost
|
||||
inet_protocols = ipv4
|
||||
{% endif %}
|
||||
mailbox_size_limit = 0
|
||||
message_size_limit = {{ postfix_message_size_limit }}
|
||||
recipient_delimiter = +
|
||||
default_destination_concurrency_limit = {{ postfix_default_destination_concurrency_limit }}
|
||||
{% if postfix_use_sasl_auth %}
|
||||
smtp_sasl_auth_enable= {{ postfix_smtp_sasl_auth_enable }}
|
||||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
|
||||
smtp_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
|
||||
smtp_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
|
||||
smtp_sasl_mechanism_filter = {{ postfix_smtp_sasl_mechanism_filter }}
|
||||
{% if ansible_distribution_file_variety == "Debian" %}
|
||||
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
|
||||
smtpd_relay_restrictions = permit_mynetworks, defer_unauth_destination
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if postfix_relay_server %}
|
||||
smtpd_sasl_path = smtpd
|
||||
smtpd_sasl_auth_enable = yes
|
||||
smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
|
||||
smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
|
||||
smtpd_helo_required = yes
|
||||
mynetworks = {{ postfix_mynetworks }}
|
||||
inet_interfaces = {{ postfix_interfaces }}
|
||||
|
||||
# Don't talk to mail systems that don't know their own hostname.
|
||||
smtpd_helo_restrictions = reject_unknown_helo_hostname
|
||||
# Block clients that speak too early.
|
||||
smtpd_data_restrictions = reject_unauth_pipelining
|
||||
|
||||
# Our internal servers talk to the submission port so they are treated as clients
|
||||
smtpd_client_restrictions = permit_sasl_authenticated, reject
|
||||
|
||||
# Don't accept mail from domains that don't exist.
|
||||
smtpd_sender_restrictions = reject_unknown_sender_domain
|
||||
|
||||
# Relay control: local clients and
|
||||
# authenticated clients may specify any destination domain.
|
||||
smtpd_relay_restrictions = permit_sasl_authenticated, reject
|
||||
{% endif %}
|
||||
{% if ansible_distribution_file_variety == "Debian" %}
|
||||
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
|
||||
compatibility_level=2
|
||||
{% endif %}
|
||||
{% endif %}
|
|
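Review bot: When `postfix_relay_server` is true the template emits `smtpd_tls_security_level = encrypt` and, a few lines later, unconditionally `smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}`; Postfix takes the last occurrence, so the hard-coded `encrypt` is dead and an operator who sets the variable to `may` or `none` downgrades the relay's TLS while `smtpd_tls_auth_only = yes` then stops authentication altogether — keep one line, e.g. wrap the generic one in `{% if not postfix_relay_server %}`. On the client side `smtp_tls_security_level = encrypt` is emitted with no `smtp_tls_CAfile`/`smtp_tls_CApath`, so the relay's certificate is never verified and the PLAIN/LOGIN credentials from `smtp_sasl_password_maps` go to whoever answers on `relayhost`; for a credentialed relay add a CA-file line (e.g. `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt`, path per distribution) and document `verify`/`secure` as the intended values. The `ansible_distribution_file_variety == "Debian"` plus `version_compare('18.04', '>=')` pair appears to match only Ubuntu, since Debian proper reports versions like 9/10, so `compatibility_level` and the generic `smtpd_relay_restrictions` are skipped on Debian; `ansible_distribution == "Ubuntu"` states the real intent. The snakeoil fallback `/etc/ssl/certs/ssl-cert-snakeoil.pem` only exists where Debian's ssl-cert package is installed, so with `postfix_smtpd_tls_security_level: encrypt` an EL host will refuse submission until a certificate is supplied — worth an assertion or a documented requirement.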
@ -0,0 +1,4 @@
|
|||
127.0.0.0/8 OK
|
||||
127.0.0.1 OK
|
||||
127.0.1.1 OK
|
||||
[::1] OK
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
|
||||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
DATE=$( date )
|
||||
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_DIR/postfix.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/postfix.log
|
||||
fi
|
||||
|
||||
echo "Reload the postfix service" >> $LE_LOG_DIR/postfix.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
systemctl reload postfix >> $LE_LOG_DIR/postfix.log 2>&1
|
||||
else
|
||||
service postfix reload >> $LE_LOG_DIR/postfix.log 2>&1
|
||||
fi
|
||||
|
||||
echo "Done." >> $LE_LOG_DIR/postfix.log
|
||||
|
||||
exit 0
|
|
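Review bot: The hook always ends with `exit 0`, so a failed `systemctl reload postfix` is visible only in /var/log/letsencrypt/postfix.log and the ACME client believes the renewal was deployed while Postfix keeps serving the old certificate until it expires; capture the status, `systemctl reload postfix >> "$LE_LOG_DIR/postfix.log" 2>&1; rc=$?`, and finish with `exit $rc`. The script runs as root and sources `/etc/default/letsencrypt` as shell code without checking who owns it, which is acceptable only if that file is root-owned and not group/world-writable, and nothing visible in this script uses a value from it, so the source line is droppable unless a later revision needs it. `mkdir $LE_LOG_DIR` creates the log directory with the caller's umask and every path variable is unquoted; `mkdir -p -m 0750 "$LE_LOG_DIR"` and quoting `"$LE_LOG_DIR/postfix.log"` throughout are cheap hardening.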
@ -0,0 +1,123 @@
|
|||
#
|
||||
# Postfix master process configuration file. For details on the format
|
||||
# of the file, see the master(5) manual page (command: "man 5 master" or
|
||||
# on-line: http://www.postfix.org/master.5.html).
|
||||
#
|
||||
# Do not forget to execute "postfix reload" after editing this file.
|
||||
#
|
||||
# ==========================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (yes) (never) (100)
|
||||
# ==========================================================================
|
||||
smtp inet n - - - - smtpd
|
||||
#smtp inet n - - - 1 postscreen
|
||||
#smtpd pass - - - - - smtpd
|
||||
#dnsblog unix - - - - 0 dnsblog
|
||||
#tlsproxy unix - - - - 0 tlsproxy
|
||||
submission inet n - - - - smtpd
|
||||
-o syslog_name=postfix/submission
|
||||
-o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||
# -o smtpd_recipient_restrictions=
|
||||
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||
# -o milter_macro_daemon_name=ORIGINATING
|
||||
#smtps inet n - - - - smtpd
|
||||
# -o syslog_name=postfix/smtps
|
||||
# -o smtpd_tls_wrappermode=yes
|
||||
# -o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||
# -o smtpd_recipient_restrictions=
|
||||
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||
# -o milter_macro_daemon_name=ORIGINATING
|
||||
#628 inet n - - - - qmqpd
|
||||
pickup unix n - - 60 1 pickup
|
||||
cleanup unix n - - - 0 cleanup
|
||||
qmgr unix n - n 300 1 qmgr
|
||||
#qmgr unix n - n 300 1 oqmgr
|
||||
tlsmgr unix - - - 1000? 1 tlsmgr
|
||||
rewrite unix - - - - - trivial-rewrite
|
||||
bounce unix - - - - 0 bounce
|
||||
defer unix - - - - 0 bounce
|
||||
trace unix - - - - 0 bounce
|
||||
verify unix - - - - 1 verify
|
||||
flush unix n - - 1000? 0 flush
|
||||
proxymap unix - - n - - proxymap
|
||||
proxywrite unix - - n - 1 proxymap
|
||||
smtp unix - - - - - smtp
|
||||
relay unix - - - - - smtp
|
||||
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||
showq unix n - - - - showq
|
||||
error unix - - - - - error
|
||||
retry unix - - - - - error
|
||||
discard unix - - - - - discard
|
||||
local unix - n n - - local
|
||||
virtual unix - n n - - virtual
|
||||
lmtp unix - - - - - lmtp
|
||||
anvil unix - - - - 1 anvil
|
||||
scache unix - - - - 1 scache
|
||||
#
|
||||
# ====================================================================
|
||||
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||
# pages of the non-Postfix software to find out what options it wants.
|
||||
#
|
||||
# Many of the following services use the Postfix pipe(8) delivery
|
||||
# agent. See the pipe(8) man page for information about ${recipient}
|
||||
# and other message envelope options.
|
||||
# ====================================================================
|
||||
#
|
||||
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||
#
|
||||
maildrop unix - n n - - pipe
|
||||
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||
#
|
||||
# Specify in cyrus.conf:
|
||||
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||
#
|
||||
# Specify in main.cf one or more of the following:
|
||||
# mailbox_transport = lmtp:inet:localhost
|
||||
# virtual_transport = lmtp:inet:localhost
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Cyrus 2.1.5 (Amos Gouaux)
|
||||
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||
#
|
||||
#cyrus unix - n n - - pipe
|
||||
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
# Old example of delivery via Cyrus.
|
||||
#
|
||||
#old-cyrus unix - n n - - pipe
|
||||
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# See the Postfix UUCP_README file for configuration details.
|
||||
#
|
||||
#uucp unix - n n - - pipe
|
||||
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||
#
|
||||
# Other external delivery methods.
|
||||
#
|
||||
#ifmail unix - n n - - pipe
|
||||
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||
#bsmtp unix - n n - - pipe
|
||||
# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||
#scalemail-backend unix - n n - 2 pipe
|
||||
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||
#mailman unix - n n - - pipe
|
||||
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
# ${nexthop} ${user}
|
|
@ -0,0 +1,4 @@
|
|||
# Postfix mailq
|
||||
command[postfix_check_mailqueue]=/usr/bin/sudo {{ nagios_plugins_dir }}/check_postfix_mailqueue -w {{ nagios_postfix_mailq_w }} -c {{ nagios_postfix_mailq_c }}
|
||||
# Postfix processed
|
||||
command[postfix_check_processed]=/usr/bin/sudo {{ nagios_plugins_dir }}/check_postfix_processed -w {{ nagios_postfix_processed_w }} -c {{ nagios_postfix_processed_c }}
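Review bot: Both NRPE commands are run through `/usr/bin/sudo`, which means the check user needs a sudoers entry that is not part of this hunk; nothing here records what that entry should grant. A comment above the first command, `# needs a NOPASSWD sudoers rule for the nrpe user scoped to these two plugin paths only`, would tell the next maintainer not to reach for a blanket rule. The `-w`/`-c` thresholds are interpolated unquoted, so an undefined or empty `nagios_postfix_mailq_w` renders as a bare `-w -c ...` and the check fails at runtime rather than at template time; if the defaults file does not already set all four threshold variables, that is where they should be declared.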
|
|
@ -0,0 +1 @@
|
|||
{{ postfix_relay_host }}:{{ postfix_relay_port }} {{ postfix_smtp_relay_user }}:{{ postfix_smtp_relay_pwd }}
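Review bot: The lookup key rendered here is `host:port` without brackets, and Postfix matches sasl_passwd entries textually against the `relayhost` value, so if main.cf renders `relayhost = [{{ postfix_relay_host }}]:{{ postfix_relay_port }}` (the bracketed form that skips MX lookup) this entry is never consulted and authentication is silently skipped; main.cf is outside this hunk, so the two templates should be checked against each other and the key written in the same form. The rendered file holds the relay password, so the task that installs it should set owner root and mode `0600` and run `postmap` afterwards, with the resulting `.db` inheriting the same mode; a one-line header comment on this template, `{# rendered to sasl_passwd; key must match relayhost in main.cf exactly; install 0600 and postmap #}`, would pin both requirements next to the value they concern.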
|
|
@ -1,2 +1,13 @@
|
|||
---
|
||||
# vars file for ansible-role-template
|
||||
postfix_relay_rh_pkgs:
|
||||
- postfix
|
||||
- cyrus-sasl-lib
|
||||
- cyrus-sasl-plain
|
||||
- cyrus-sasl-md5
|
||||
|
||||
postfix_relay_deb_pkgs:
|
||||
- postfix
|
||||
- libsasl2-2
|
||||
|
||||
postfix_sasl_packages:
|
||||
- sasl2-bin
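Review bot: The header comment `# vars file for ansible-role-template` is left over from the skeleton and no longer describes this file; `# Package lists for the postfix relay role` fits the content. Package lists placed in `vars/main.yml` take precedence over inventory and play variables, so a consumer who needs a different SASL module (for example a distro that ships the plain mechanism under another name) cannot override them without editing the role; moving these three lists to `defaults/main.yml` keeps the same values and makes them overridable. `postfix_sasl_packages` is also the only list without a distribution suffix even though `sasl2-bin` appears to be a Debian package name, so the sibling naming (`postfix_relay_deb_pkgs`, `postfix_relay_rh_pkgs`) suggests `postfix_sasl_deb_pkgs`, or a comment stating which family it is installed on.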
|
||||
|
|