Import the old role.

This commit is contained in:
Andrea Dell'Amico 2020-07-18 18:46:58 +02:00
parent 47189292cd
commit 7ed13f52e8
20 changed files with 829 additions and 70 deletions


@ -1,31 +1,54 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs and configures an instance of postfix that listens on localhost and routes messages to a relay server.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
postfix_relay_client: False
postfix_relay_client_do_not_stop_submission: False
postfix_biff: "no"
postfix_append_dot_mydomain: "no"
postfix_use_relay_host: True
postfix_use_letsencrypt: False
# Accepted values: none, may, encrypt
postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
postfix_smtp_tls_security_level: encrypt
postfix_use_sasl_auth: True
postfix_smtp_sasl_auth_enable: "yes"
postfix_smtp_create_relay_user: True
# Options: noanonymous, noplaintext
postfix_smtp_sasl_security_options: noanonymous
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
postfix_smtp_sasl_mechanism_filter: plain, login
# Set it in the local rules
#postfix_relay_host: smtp-relay.example.com
postfix_relay_port: 587
postfix_default_destination_concurrency_limit: 20
#postfix_smtp_relay_user: smtp-user
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file
#postfix_smtp_relay_pwd: set_you_password_here_in_a_vault_encrypted_file
# The following options are used only whe postfix_relay_server is set to True
postfix_relay_server: False
postfix_mynetworks: hash:/etc/postfix/network_table
postfix_interfaces: all
postfix_inet_protocols: all
postfix_message_size_limit: 10240000
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
None
License
-------
@ -35,4 +58,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>


@ -1,2 +1,49 @@
---
# defaults file for ansible-role-template
postfix_enabled: True
postfix_install_packages: True
# Set it to true when you want configure your machine to send email to a relay
postfix_relay_client: False
postfix_relay_client_do_not_stop_submission: False
postfix_biff: "no"
postfix_append_dot_mydomain: "no"
postfix_use_relay_host: True
postfix_use_letsencrypt: False
# Accepted values: none, may, encrypt
postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
postfix_smtp_tls_security_level: encrypt
postfix_use_sasl_auth: True
postfix_smtp_sasl_auth_enable: "yes"
postfix_smtp_create_relay_user: True
# Options: noanonymous, noplaintext
postfix_smtp_sasl_security_options: noanonymous
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
postfix_smtp_sasl_mechanism_filter: plain, login
# Set it in the local rules
#postfix_relay_host: smtp-relay.example.com
postfix_relay_port: 587
postfix_default_destination_concurrency_limit: 20
#postfix_smtp_relay_user: smtp-user
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file
#postfix_smtp_relay_pwd: set_you_password_here_in_a_vault_encrypted_file
# The following options are used only whe postfix_relay_server is set to True
postfix_relay_server: False
postfix_mynetworks: hash:/etc/postfix/network_table
postfix_interfaces: all
postfix_inet_protocols: all
postfix_message_size_limit: 10240000
postfix_nagios_check: False
postfix_nagios_checks:
- check_postfix_mailqueue
- check_postfix_processed
nagios_postfix_mailq_w: 20
nagios_postfix_mailq_c: 50
nagios_postfix_processed_w: 50
nagios_postfix_processed_c: 150
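Review bot: `postfix_smtp_tls_security_level: encrypt` makes TLS to the relay mandatory but does not verify the relay's certificate, and no `smtp_tls_CAfile`/`smtp_tls_CApath` variable exists anywhere in this role, so the PLAIN/LOGIN credentials selected by `postfix_smtp_sasl_mechanism_filter` are handed to whatever endpoint terminates TLS at `postfix_relay_host`. Because the relay host is fixed per deployment, `verify` or `secure` plus a CA file is the practical choice; at minimum the comment on the accepted values should warn: `# encrypt does not check the relay certificate; use verify/secure and set smtp_tls_CAfile when the relay has a valid cert`. `postfix_relay_client_do_not_stop_submission` and `postfix_inet_protocols` are declared here but nothing in this commit's tasks or templates reads them, so either wire them in or drop them before someone relies on them. The comment `used only whe postfix_relay_server` should read `when`.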


@ -0,0 +1,181 @@
#!/bin/bash
###################################################################
# check_postfix_mailqueue is developped with GPL Licence 2.0
#
# GPL License: http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
#
# First version developped by : Bjoern Bongermino
#
###################################################################
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
####################################################################
#
# original https://gist.github.com/alexlehm/8084195
#
# created by McArt <hello@mcart.ru> http://www.mcart.ru/
# Uncomment to enable debugging
# set -x
PROGNAME=`basename $0`
VERSION="Version 2.0"
AUTHOR="McArt (http://www.mcart.ru)"
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
warning=unknown
critical=unknown
print_version() {
echo "$PROGNAME $VERSION $AUTHOR"
}
print_help() {
print_version $PROGNAME $VERSION
echo ""
echo "$PROGNAME - Checks postfix mailqueue statistic"
echo ""
echo "$PROGNAME is a Nagios plugin which generates statistics"
echo "for the postfix mailqueue and checks for corrupt messages."
echo "The following values will be checked:"
echo "active: Mails being delivered (should be small)"
echo "deferred: Stuck mails (that will be retried later)"
echo "corrupt: Messages found to not be in correct format (should be 0)"
echo "hold: Recent addition, messages put on hold indefinitly - delete of free"
echo "bounced: Bounced mails"
echo ""
echo "Usage: $PROGNAME -w WARN-Level -c CRIT-Level"
echo ""
echo "Options:"
echo " -w)"
echo " Warning level for active mails"
echo " -c)"
echo " Critical level for active mail"
echo " -h)"
echo " This help"
echo " -v)"
echo " Version"
exit $STATE_OK
}
# Check for parameters
while test -n "$1"; do
case "$1" in
-h)
print_help
exit $STATE_OK;;
-v)
print_version
exit $STATE_OK;;
-w)
warning=$2
shift
;;
-c)
critical=$2
shift
;;
*)
echo "Usage: ./check_postfix_mailqueue2.sh -w <Warning level for active mails> -c <Critical level for active mail>"
;;
esac
shift
done
if [ $warning == "unknown" ] || [ $critical == "unknown" ]; then
echo "You need to specify warning and critical for active mails"
echo "Usage: ./check_postfix_mailqueue2.sh -w <warn> -c <crit>"
exit $STATE_UNKNOWN
fi
# make sure CRIT is larger than WARN
if [ $warning -ge $critical ];then
echo "UNKNOWN: WARN value may not be greater than or equal the CRIT value"
exit $OK
fi
check_postfix_mailqueue() {
# Can be set via environment, but default is fetched by postconf (if available,
# else /var/spool/postfix)
if which postconf > /dev/null ; then
SPOOLDIR=${spooldir:-`postconf -h queue_directory`}
else
SPOOLDIR=${spooldir:-/var/spool/postfix}
fi
cd $SPOOLDIR >/dev/null 2>/dev/null || {
echo -n "Cannot cd to $SPOOLDIR"
exit $STATE_CRITICAL
}
for d in deferred active corrupt hold
do
if [ ! -r $d ]
then
echo -n "queue dir '$d' is not readable"
exit $STATE_CRITICAL
fi
done
# Get values
deferred=`(test -d deferred && find deferred -type f ) | wc -l`
active=`(test -d active && find active -type f ) | wc -l`
corrupt=`(test -d corrupt && find corrupt -type f ) | wc -l`
hold=`( test -d hold && find hold -type f ) | wc -l`
bounced=`cat /var/log/mail.log | grep bounced | wc -l`
}
check_postfix_mailqueue
values="Deferred mails=$deferred Active deliveries=$active Corrupt mails=$corrupt Mails on hold=$hold Bounced mails=$bounced"
perfdata="deferred=$deferred;; active=$active;; corrupt=$corrupt;; hold=$hold;; bounced=$bounced;;"
if [ $corrupt -gt 0 ]; then
echo -n "Postfix Mailqueue WARNING - $corrupt corrupt messages found! | $perfdata"
exit $STATE_WARNING
fi
if [ $hold -gt 0 ]; then
echo -n "Postfix Mailqueue WARNING - $hold hold messages found! | $perfdata"
exit $STATE_WARNING
fi
if [ $deferred -gt 0 ]; then
echo -n "Postfix Mailqueue WARNING - $deferred deferred messages found! | $perfdata"
exit $STATE_WARNING
fi
if [ $bounced -gt 0 ]; then
echo -n "Postfix Mailqueue WARNING - $bounced bounced messages found! | $perfdata"
exit $STATE_WARNING
fi
if [ $active -gt $critical ]; then
MES_TO_EXIT="Postfix Mailqueue CRITICAL - $values | $perfdata"
STATE_TO_EXIT=$STATE_CRITICAL
elif [ $active -gt $warning ]; then
MES_TO_EXIT="Postfix Mailqueue WARNING - $values | $perfdata"
STATE_TO_EXIT=$STATE_WARNING
else
MES_TO_EXIT="Postfix Mailqueue OK - $values | $perfdata"
STATE_TO_EXIT=$STATE_OK
fi
echo -n $MES_TO_EXIT
echo -e "\n"
exit $STATE_TO_EXIT
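Review bot: The threshold sanity check at L219–L222 ends in `exit $OK`, but `$OK` is never defined (the constants are `STATE_*`), so `exit` runs with no argument and returns the status of the preceding `echo`, i.e. 0, and a misconfigured `-w`/`-c` pair is reported as OK; it should be `exit $STATE_UNKNOWN`. The thresholds are also never validated as integers before the `-ge`/`-gt` comparisons, so a non-numeric value makes `test` print an error and the plugin's result becomes whatever that left behind; a guard such as `case "$warning$critical" in *[!0-9]*) echo "thresholds must be integers"; exit $STATE_UNKNOWN;; esac` after the option loop covers it. `bounced` at L248 counts every `bounced` line in the whole of `/var/log/mail.log` rather than a time window, so after a single bounce the check stays WARNING until the log rotates; if that is intended it belongs in the help text, otherwise restrict it to a window the way check_postfix_processed does. Since the NRPE config runs this script through sudo, the unquoted `cd $SPOOLDIR` and `-r $d` tests are at least worth quoting.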

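--- /dev/null
+++ b/files/check_postfix_processed
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+## This program is free software: you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation, either version 3 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+# ===============
+# check_postfixprocessed - plugin to check the number of mail processed by parsing logfiles
+# ===============
+# * mail processor written by Cecil Westerhof & Modifications for nagios by Frank IJskes
+# * Christian Nutz identified the IF as slow on large logfiles, by only checking from the bottom up performance went back to normal
+# version 2 uses AWK to improve processing / lower cpu load
+# plugin return codes:
+# 0 OK
+# 1 Warning
+# 2 Critical
+# 3 Unknown
+NO_OF_SECONDS=300
+POSTFIX_LOG="/var/log/mail.log"
+while getopts "hvw:c:" opt
+do
+case $opt in
+h)
+showhelp=1
+break
+;;
+w)
+warning="$OPTARG"
+;;
+c)
+critical="$OPTARG"
+;;
+v)
+verbose=1
+;;
+esac
+done
+printUsage() {
+echo "Usage: $0 [-h] [-v] -w <warning> -c <critical>"
+echo ""
+echo "Example: $0 -w 50 -c 100"
+}
+printHelp() {
+printUsage
+echo ""
+echo "This plugin checks the number of messages processed by Postfix in the last 5 minutes."
+echo ""
+echo "For more details, see inside the script ;)"
+echo ""
+exit 3
+}
+if [ "$showhelp" = "1" ]; then
+printHelp
+exit 3
+fi
+if [ ! "$warning" ] || [ ! "$critical" ]; then
+printUsage
+exit 3
+fi
+if [ $warning -ge $critical ]; then
+echo "<warning> has to be smaller than <critical>!"
+exit 3
+fi
+if [ ! "$POSTFIX_LOG" ]; then
+echo "Could not find postfix log!"
+exit 3
+fi
+countSentMessages () {
+NOW=`date +%s`
+DATE_FROM=`awk -v now=$NOW -v seconds=$NO_OF_SECONDS 'BEGIN{print strftime("%b %d %T", now-seconds)}'`
+DATE_TO=`awk -v now=$NOW 'BEGIN{print strftime("%b %d %T", now)}'`
+echo `awk '$0>=from && $0<=to' from="$DATE_FROM" to="$DATE_TO" ${POSTFIX_LOG} | grep ' postfix/smtp\[.*, status=sent ' | wc -l`
+}
+sentMessagesCount=`countSentMessages`
+echo "Messages processed in the last $NO_OF_SECONDS seconds: $sentMessagesCount | mailsprocessed=$sentMessagesCount"
+if [ "$sentMessagesCount" -ge "$critical" ]; then
+exit 2
+elif [ "$sentMessagesCount" -ge "$warning" ]; then
+exit 1
+else
+exit 0
+fi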
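Review bot: The guard at L356, `if [ ! "$POSTFIX_LOG" ]`, only tests that the variable is non-empty, which is always true for the hard-coded path, so a missing or unreadable `/var/log/mail.log` is not caught and `awk` later fails with a stray error instead of a clean UNKNOWN; it should be `if [ ! -r "$POSTFIX_LOG" ]; then`. As in the mailqueue plugin, `-w`/`-c` are never checked to be integers before `[ $warning -ge $critical ]`, so a typo in the threshold produces a `test` error rather than exit 3. The window at L362–L364 compares `%b %d %T` strings lexically, which only works while both timestamps fall in the same month (`Aug` sorts before `Jul`), and assumes the traditional syslog timestamp format; a comment noting that counts may be wrong for a few minutes around month boundaries and on hosts whose rsyslog emits ISO timestamps would save the next reader some debugging.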

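--- /dev/null
+++ b/files/sasl_smtpd.conf
@@ -0,0 +1,3 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN LOGIN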
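Review bot: `mech_list: PLAIN LOGIN` sends the password in the clear at the SASL layer, so this file is only safe while AUTH is refused before STARTTLS. That guarantee currently comes from `smtpd_tls_auth_only = yes` in main.cf.j2, which is emitted only inside the `postfix_relay_server` branch, and the submission service in postfix-master.cf.j2 does not set it on its own. A comment here, `# PLAIN/LOGIN only: keep smtpd_tls_auth_only=yes in main.cf (relay-server branch) or on the submission service`, records the dependency for whoever edits either template.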


@ -1,2 +1,21 @@
---
# handlers file for ansible-role-template
- name: Update SASL hash
shell: postmap hash:/etc/postfix/sasl_passwd
- name: Reload postfix
service: name=postfix state=reloaded
when: postfix_enabled
- name: Restart postfix
service: name=postfix state=restarted
when: postfix_enabled
- name: Update the network hash table
shell: postmap hash:/etc/postfix/network_table
- name: start saslauth daemon
service: name=saslauthd state=started enabled=yes
when: postfix_enabled
- name: restart saslauth daemon
service: name=saslauthd state=restarted
when: postfix_enabled
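Review bot: `shell: postmap hash:/etc/postfix/sasl_passwd` and `shell: postmap hash:/etc/postfix/network_table` run a fixed argv with no shell syntax, so `command:` is the idiomatic module and drops an unnecessary shell layer that ansible-lint will flag. The two `postmap` handlers are not gated on `postfix_enabled` the way the service handlers are, which is probably fine because postmap does not need a running daemon, but a one-line comment saying so avoids the question. `start saslauth daemon` is notified from the directory task in postfix-relay-server.yml while that same file ends with an unconditional `state=restarted` task, so one of the two looks redundant.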


@ -1,61 +1,27 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: Ubuntu
versions:
- trusty
- bionic
- name: EL
versions:
- 7
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- users
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
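Review bot: `galaxy_tags: [users]` does not describe a postfix relay role, and `license: EUPL 1.2+` differs from the `EUPL-1.2` used in the README's License section; tags such as `postfix`, `smtp`, `mail` and one consistent license string keep the Galaxy metadata in line with the docs. `trusty` in `platforms` is end-of-life and the templates key Debian-family behaviour on `ansible_distribution_version >= 18.04`, so listing it advertises a target the role no longer exercises.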


@ -1,2 +1,11 @@
---
# tasks file for ansible-role-template
- import_tasks: smtp-common-packages.yml
- import_tasks: smtp-sasl-auth.yml
when:
- postfix_use_sasl_auth
- postfix_relay_client
- import_tasks: postfix-relay-server.yml
when: postfix_relay_server
- import_tasks: postfix-letsencrypt-hook.yml
when: postfix_use_letsencrypt
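Review bot: `smtp-sasl-auth.yml` is imported only when both `postfix_use_sasl_auth` and `postfix_relay_client` are true, but main.cf.j2 emits `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd` on `postfix_use_sasl_auth` alone; with the shipped defaults (`postfix_use_sasl_auth: True`, `postfix_relay_client: False`) a host gets a main.cf that references a map that was never generated. Either the template should use the same compound condition, or this import should drop the `postfix_relay_client` clause so the two agree. The bare conditions here (`when: postfix_relay_server`, `when: postfix_use_letsencrypt`) should be `| bool` as in smtp-common-packages.yml so a string value from an inventory is not silently truthy.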


@ -0,0 +1,8 @@
---
- name: Create the acme hooks directory if it does not exist
file: dest=/usr/lib/acme/hooks state=directory
tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ]
- name: Install a hook for letsencrypt
template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555
tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ]
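Review bot: The hook is installed with `mode=4555`, i.e. setuid root on a shell script. Linux ignores the setuid bit on interpreted scripts, so the bit buys nothing, and a setuid-root file under `/usr/lib/acme/hooks` will trip every file-integrity and hardening scan; the hook is executed by the ACME client, presumably already as root, so `mode=0755` (or `0555`) is what is meant. The directory task should also pin `owner=root group=root mode=0755` so that whoever happens to create it first does not decide who may drop hooks there.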


@ -0,0 +1,45 @@
---
- name: Create the /etc/mailname file if it's not present
template: src=mailname.j2 dest=/etc/mailname owner=root group=root mode=0644
tags: postfix-relay
- name: Write the network hash file
template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
notify: Update the network hash table
tags: postfix-relay
- name: Install the sasl2 authentication infrastructure
apt: pkg={{ item }} state=present
with_items: '{{ postfix_sasl_packages }}'
tags: postfix-relay
- name: Create the sasl directory inside /etc/postfix
file: dest=/etc/postfix/sasl state=directory owner=root group=root mode=0555
tags: postfix-relay
- name: Create the sasl run directory inside /var/spool/postfix, for chroot
file: dest=/var/spool/postfix/var/run/saslauthd state=directory owner=root group=root mode=0555
notify: start saslauth daemon
tags: postfix-relay
- name: Install the smtpd.conf file inside inside /etc/postfix/sasl
copy: src=sasl_smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root group=root mode=0444
tags: postfix-relay
- name: Change the socket path because postfix on debian runs inside a chroot jail
action: configfile path=/etc/default/saslauthd key=OPTIONS value='"-c -m /var/spool/postfix/var/run/saslauthd"' syntax=shell
notify: restart saslauth daemon
tags: postfix-relay
- name: Enable the saslauth daemon
action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell
tags: postfix-relay
- name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket
user: name=postfix groups='sasl'
notify: Restart postfix
tags: postfix-relay
- name: Ensure that the saslauthd daemon is started and enabled
service: name=saslauthd state=restarted enabled=yes
tags: postfix-relay
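Review bot: `user: name=postfix groups='sasl'` replaces the postfix user's supplementary groups with exactly `sasl`, because the `user` module defaults to `append: no`; any group the distribution or another role granted to postfix is silently removed. It should be `user: name=postfix groups=sasl append=yes`. The final task uses `state=restarted`, which restarts saslauthd on every play run whether or not anything changed; `state=started enabled=yes` plus the existing `restart saslauth daemon` handler on the `/etc/default/saslauthd` edits gives the same result idempotently. `apt:` is used unconditionally here while smtp-common-packages.yml branches on `ansible_distribution_file_variety`, so the relay-server path appears to be Debian-only — an `assert` on the distribution at the top of the file, or a comment, would make that explicit.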


@ -0,0 +1,68 @@
---
- block:
- name: Install postfix and libsas to do mail relay on deb systems
apt: pkg={{ postfix_relay_deb_pkgs }} state=present update_cache=yes cache_valid_time=1800
when: ansible_distribution_file_variety == "Debian"
- name: Install postfix and libsas to do mail relay on RH systems
yum: pkg={{ postfix_relay_rh_pkgs }} state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Remove the ssmtp package on RH systems
yum: pkg=ssmtp state=absent
when: ansible_distribution_file_variety == "RedHat"
- name: Write the postfix main configuration file
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
register: postfix_main_restart_needed
- name: Activate the submission port on the postfix master file
template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
register: postfix_master_restart_needed
when: postfix_install_packages | bool
tags: postfix-relay
- block:
- name: Ensure that postfix is started and enabled
service: name=postfix state=started enabled=yes
when: postfix_enabled | bool
- name: Ensure that postfix is stopped and disabled
service: name=postfix state=stopped enabled=no
when: not postfix_enabled | bool
- name: Restart postfix
service: name=postfix state=restarted
when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed )
when:
- postfix_install_packages | bool
- postfix_enabled | bool
tags: postfix-relay
- block:
- name: Install the postfix NRPE nagios check
copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555
with_items: '{{ postfix_nagios_checks }}'
- name: Install the postfix NRPE command configuration
template: src=postfix-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/postfix-nrpe.cfg owner=root group=root mode=0444
notify: Reload NRPE server
when:
- postfix_install_packages | bool
- postfix_nagios_check | bool
tags: [ 'postfix-relay', 'nagios', 'nrpe' ]
- block:
- name: Remove postfix and libsas on deb systems
action: apt pkg={{ postfix_relay_deb_pkgs }} state=absent
when: ansible_distribution_file_variety == "Debian"
- name: Remove postfix and libsas to do mail relay on RH systems
yum: pkg={{ postfix_relay_rh_pkgs }} state=absent
when: ansible_distribution_file_variety == "RedHat"
when: not postfix_install_packages | bool
tags: postfix-relay
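Review bot: The NRPE block notifies `Reload NRPE server` and reads `nagios_plugins_dir` / `nrpe_include_dir`, none of which this role defines — handlers/main.yml in this commit has no such handler and defaults/main.yml has no such variables — so enabling `postfix_nagios_check` fails unless another role is applied first; declare that in meta `dependencies` or the README, or guard the block with `when: nrpe_include_dir is defined`. The inline `Restart postfix` on register change duplicates the `Restart postfix` handler in handlers/main.yml; `notify: Restart postfix` on the two template tasks removes the duplicated logic and the two `register` variables. The uninstall block removes the MTA for `not postfix_install_packages` even when `postfix_enabled` is still true, which is consistent with the variable's meaning but deserves a one-line comment so nobody reads it as a mistake.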

tasks/smtp-sasl-auth.yml Normal file

@ -0,0 +1,11 @@
---
- name: Write sasl hash file
template: src=sasl_passwd.j2 dest=/etc/postfix/sasl_passwd owner=root group=root mode=0400
when: postfix_use_sasl_auth
register: update_sasl_hash
tags: postfix-relay
- name: Update SASL hash
shell: postmap hash:/etc/postfix/sasl_passwd
when: update_sasl_hash is changed
tags: postfix-relay
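Review bot: The `template` task writes the relay password into `/etc/postfix/sasl_passwd`, and a run with `--diff` (or `-vvv`) prints that content to the controller output and any CI log capture; add `no_log: true` to this task so the secret stays in the vault. Nothing manages the `/etc/postfix/sasl_passwd.db` that `postmap` produces — recent postmap versions carry the source file's mode over, but the play does not assert it — so a `file: path=/etc/postfix/sasl_passwd.db owner=root group=root mode=0400` task after the postmap step makes the permission explicit. `shell:` can be `command:` since the argv has no shell syntax, and the inline postmap duplicates the `Update SASL hash` handler in handlers/main.yml; keep one of them.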

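--- /dev/null
+++ b/templates/mailname.j2
@@ -0,0 +1,6 @@
+{% if hostname is defined %}
+{{ hostname }}
+{% else %}
+{{ ansible_fqdn }}
+{% endif %}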

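--- /dev/null
+++ b/templates/main.cf.j2
@@ -0,0 +1,101 @@
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = {{ postfix_biff }}
+# appending .domain is the MUA's job.
+append_dot_mydomain = {{ postfix_append_dot_mydomain }}
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+# TLS parameters
+# Server
+{% if letsencrypt_acme_install is defined %}
+{% if postfix_use_letsencrypt %}
+smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
+smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey
+{% else %}
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+{% endif %}
+{% endif %}
+{% if letsencrypt_acme_install is not defined %}
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+{% endif %}
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+{% if postfix_relay_server %}
+smtpd_tls_security_level = encrypt
+smtpd_tls_auth_only = yes
+{% endif %}
+smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
+# Client
+smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+{% if domain_name is defined %}
+myorigin = {{ domain_name }}
+{% else %}
+myorigin = {{ ansible_fqdn }}
+{% endif %}
+mydestination = {{ ansible_fqdn }}, localhost
+{% if postfix_use_relay_host %}
+relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}
+{% endif %}
+{% if not postfix_relay_server %}
+mynetworks = 127.0.0.1
+inet_interfaces = localhost
+inet_protocols = ipv4
+{% endif %}
+mailbox_size_limit = 0
+message_size_limit = {{ postfix_message_size_limit }}
+recipient_delimiter = +
+default_destination_concurrency_limit = {{ postfix_default_destination_concurrency_limit }}
+{% if postfix_use_sasl_auth %}
+smtp_sasl_auth_enable= {{ postfix_smtp_sasl_auth_enable }}
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
+smtp_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
+smtp_sasl_mechanism_filter = {{ postfix_smtp_sasl_mechanism_filter }}
+{% if ansible_distribution_file_variety == "Debian" %}
+{% if ansible_distribution_version is version_compare('18.04', '>=') %}
+smtpd_relay_restrictions = permit_mynetworks, defer_unauth_destination
+{% endif %}
+{% endif %}
+{% endif %}
+{% if postfix_relay_server %}
+smtpd_sasl_path = smtpd
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
+smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
+smtpd_helo_required = yes
+mynetworks = {{ postfix_mynetworks }}
+inet_interfaces = {{ postfix_interfaces }}
+# Don't talk to mail systems that don't know their own hostname.
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+# Block clients that speak too early.
+smtpd_data_restrictions = reject_unauth_pipelining
+# Our internal servers talk to the submission port so they are treated as clients
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+# Don't accept mail from domains that don't exist.
+smtpd_sender_restrictions = reject_unknown_sender_domain
+# Relay control: local clients and
+# authenticated clients may specify any destination domain.
+smtpd_relay_restrictions = permit_sasl_authenticated, reject
+{% endif %}
+{% if ansible_distribution_file_variety == "Debian" %}
+{% if ansible_distribution_version is version_compare('18.04', '>=') %}
+compatibility_level=2
+{% endif %}
+{% endif %}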
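Review bot: Under `postfix_relay_server` the template writes `smtpd_tls_security_level = encrypt` (L654) and then, unconditionally, `smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}` (L657); Postfix keeps the last definition of a parameter, so the hard-coded `encrypt` is dead and the variable wins — drop L654, or emit the variable-driven line only in the non-relay-server case if the relay server is meant to be pinned. `relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}` is emitted whenever `postfix_use_relay_host` (default True) while `postfix_relay_host` has no default, so templating fails on an undefined variable for any host that did not set it; `{% if postfix_use_relay_host and postfix_relay_host is defined %}` or an explicit `assert` task gives a clearer failure. On the client side `smtp_tls_security_level = encrypt` is paired with no `smtp_tls_CAfile`/`smtp_tls_CApath`, so the relay's certificate is never checked and the PLAIN/LOGIN credentials from `sasl_passwd` go to whoever terminates TLS at `relayhost`; a `smtp_tls_CAfile` line driven by a role variable makes `verify`/`secure` usable. The snakeoil fallback deserves a comment that it is a self-signed certificate that no verifying client will accept.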


@ -0,0 +1,4 @@
127.0.0.0/8 OK
127.0.0.1 OK
127.0.1.1 OK
[::1] OK
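Review bot: This table only lists loopback addresses, and in the relay-server branch of main.cf.j2 neither `smtpd_client_restrictions` nor `smtpd_relay_restrictions` includes `permit_mynetworks` (both are `permit_sasl_authenticated, reject`), so `mynetworks = hash:/etc/postfix/network_table` grants these entries nothing at the SMTP access-control level. If the intent is that the relay host itself may submit over SMTP without SASL, `permit_mynetworks` has to be added to those restrictions; otherwise a comment such as `# loopback only; not consulted by the smtpd restrictions unless permit_mynetworks is used` stops the next person from adding subnets here and expecting them to relay.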


@ -0,0 +1,25 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/postfix.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/postfix.log
fi
echo "Reload the postfix service" >> $LE_LOG_DIR/postfix.log
if [ -x /bin/systemctl ] ; then
systemctl reload postfix >> $LE_LOG_DIR/postfix.log 2>&1
else
service postfix reload >> $LE_LOG_DIR/postfix.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/postfix.log
exit 0
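Review bot: `. /etc/default/letsencrypt` at L740 sources — i.e. executes — that file in the hook's own shell, which runs as whoever invokes the ACME hooks (normally root), yet nothing after it reads any variable from it, so the line adds an arbitrary-code-execution surface keyed on a file's presence for no benefit; drop it, or replace it with a comment naming the setting that was expected from there. The script always ends with `exit 0`, so a failed `systemctl reload postfix` is logged but reported to the ACME client as success and the renewed certificate stays unloaded until the next renewal; capture the status with `systemctl reload postfix >> "$LE_LOG_DIR/postfix.log" 2>&1; rc=$?` and finish with `exit $rc`. `mkdir $LE_LOG_DIR` should be `mkdir -p -m 0750 "$LE_LOG_DIR"` so the log directory's mode does not depend on the caller's umask, and `LE_SERVICES_SCRIPT_DIR` is assigned but never used.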


@ -0,0 +1,123 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
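Review bot: The `submission` service at L772–L775 enables SASL (`-o smtpd_sasl_auth_enable=yes`) and takes its TLS level from `postfix_smtpd_tls_security_level`, but sets neither `-o smtpd_tls_auth_only=yes` nor `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` (the latter is left commented at L781), so the listener's safety rests on main.cf lines that are emitted only inside the `postfix_relay_server` branch; add `-o smtpd_tls_auth_only=yes` and uncomment the relay-restrictions override so the submission port is safe on its own regardless of how main.cf is generated. Port 25 (`smtp inet`) likewise inherits `smtpd_sasl_auth_enable = yes` from main.cf in relay-server mode; if AUTH is only meant for submission, an explicit `-o smtpd_sasl_auth_enable=no` on the `smtp` line keeps port 25 from advertising it. The file also carries the `{{ }}`-free stock Debian entries verbatim, so a header comment stating which lines this role deliberately manages would help reviewers of future edits.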


@ -0,0 +1,4 @@
# Postfix mailq
command[postfix_check_mailqueue]=/usr/bin/sudo {{ nagios_plugins_dir }}/check_postfix_mailqueue -w {{ nagios_postfix_mailq_w }} -c {{ nagios_postfix_mailq_c }}
# Postfix processed
command[postfix_check_processed]=/usr/bin/sudo {{ nagios_plugins_dir }}/check_postfix_processed -w {{ nagios_postfix_processed_w }} -c {{ nagios_postfix_processed_c }}
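Review bot: Both commands are wrapped in `/usr/bin/sudo`, but none of the 20 files in this commit adds a sudoers rule for the NRPE user, so the checks fail until one exists; if that rule lives in another role, a comment naming it belongs here, and it should be limited to exactly these two plugin paths rather than a blanket NOPASSWD. `check_postfix_processed` only reads `/var/log/mail.log`, which on Debian is readable by group `adm`, so adding the NRPE user to `adm` would remove the need for root on that check entirely. The thresholds are interpolated unquoted, which is fine for the integer defaults but will split the command line if a value with spaces is ever supplied.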

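--- /dev/null
+++ b/templates/sasl_passwd.j2
@@ -0,0 +1 @@
+{{ postfix_relay_host }}:{{ postfix_relay_port }} {{ postfix_smtp_relay_user }}:{{ postfix_smtp_relay_pwd }}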


@ -1,2 +1,13 @@
---
# vars file for ansible-role-template
postfix_relay_rh_pkgs:
- postfix
- cyrus-sasl-lib
- cyrus-sasl-plain
- cyrus-sasl-md5
postfix_relay_deb_pkgs:
- postfix
- libsasl2-2
postfix_sasl_packages:
- sasl2-bin
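Review bot: `postfix_relay_deb_pkgs` lists only `libsasl2-2`; on Debian/Ubuntu the PLAIN and LOGIN client plugins that `smtp_sasl_mechanism_filter = plain, login` relies on ship in `libsasl2-modules`, which is only a Recommends of the library, so a host provisioned with `APT::Install-Recommends "false"` logs `SASL authentication failure: No worthy mechs found` — add `libsasl2-modules` here explicitly. `postfix_sasl_packages: [sasl2-bin]` is Debian-specific and is installed with `apt` in postfix-relay-server.yml, while the RH list carries no `cyrus-sasl` (saslauthd) package, so relay-server mode is effectively Debian-only; either add the RH equivalent and branch that task, or say so in the README.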