diff --git a/library/roles/postfix/defaults/main.yml b/library/roles/postfix/defaults/main.yml index fdf25b7d..1070768c 100644 --- a/library/roles/postfix/defaults/main.yml +++ b/library/roles/postfix/defaults/main.yml @@ -62,6 +62,9 @@ postfix_milter_action: tempfail # SMTP server that not accept authenticated clients. ############################################################################# postfix_smtpd_server: False +# SMTP server that routes emails coming from outside +############################################################################# +postfix_mx_server: False ############################################################################# # SMTP submission server: accepts authenticated clients ############################################################################# @@ -106,12 +109,25 @@ postfix_sasl_ldap_referrals: no # postfix_use_domain_name: False -postfix_inet_lmtp_enabled: False -postfix_inet_lmtp_host: '127.0.0.1' -postfix_inet_lmtp_port: 24 +postfix_virtual_transport_enabled: False +postfix_virtual_transport_protocol: 'lmtp' +postfix_lmtp_protocol: 'inet' +postfix_lmtp_host: '127.0.0.1' +postfix_lmtp_port: 24 postfix_delivery_soft_bounce: False postfix_recipient_delimiter: '+' postfix_local_recipients: False +postfix_transport_map_enabled: False +postfix_transport_maps: + - 'hash:/etc/postfix/transport' + +postfix_transport_data: [] +# +# Example: +# postfix_transport_data: +# - { domain: 'example.com', action: 'smtp:[dest.smtp.example.com]:25' } +postfix_rbl_enabled: True +postfix_rbl_list: 'zen.spamhaus.org' postfix_mynetworks: hash:/etc/postfix/network_table postfix_mynetworks_data: 
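Review bot: The comment on the new `postfix_mx_server` default only says the server "routes emails coming from outside"; it does not say how this flag relates to `postfix_smtpd_server` and `postfix_submission_server` declared next to it, and nothing in the hunk makes the three mutually exclusive, so an operator cannot tell whether an inbound MX may also be a submission server. I would replace the comment with `# Inbound MX: accepts mail from the Internet for the domains this host is final destination for; relaying is still refused. Can be combined with postfix_submission_server (see main.cf.j2).` and adjust the last clause if the template treats the combination differently than I read it. The `False` spelling matches the rest of this file, so keep it for consistency even though `false` is the yamllint-preferred form.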
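Review bot: `postfix_rbl_enabled: True` with a bare `zen.spamhaus.org` turns DNSBL rejection on by default, and Spamhaus answers queries that arrive via public resolvers or exceed the free-usage limit with 127.255.255.x codes; a plain `reject_rbl_client` treats any A record as a listing, so such a host would refuse all inbound mail instead of failing open. Scope the default to the listing range, `postfix_rbl_list: 'zen.spamhaus.org=127.0.0.[2..11]'` (list the codes individually on Postfix versions without range syntax), and say why in a comment above it: `# Response filter: only 127.0.0.2-11 are listings; 127.255.255.x means the query itself was refused`. The rename of `postfix_inet_lmtp_enabled/host/port` to `postfix_virtual_transport_enabled` and `postfix_lmtp_*` silently drops the old names, so an existing inventory that set them now ends up with `virtual_transport` unset; a deprecation note or a compatibility alias in defaults would avoid that surprise.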
@@ -125,9 +141,23 @@ postfix_alias_databases: '{{ postfix_alias_maps }}' postfix_virtual_addresses: False postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains' +postfix_virtual_mailbox_domains_data: [] +# +# Example. The 'action' part is optional: +# postfix_virtual_mailbox_domains_data: +# - { domain: 'example.com', action: 'OK' } + postfix_virtual_mailbox_maps: - 'hash:/etc/postfix/vmailbox_maps' +postfix_virtual_domains: False +postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains' +postfix_virtual_alias_domains_data: [] +# +# Example. The 'action' part is optional: +# postfix_virtual_alias_domains_data: +# - { domain: 'example.com', action: 'OK' } + postfix_virtual_alias_maps: - 'hash:/etc/postfix/virtual' diff --git a/library/roles/postfix/tasks/main.yml b/library/roles/postfix/tasks/main.yml index 87cdd912..4bb6b7d4 100644 --- a/library/roles/postfix/tasks/main.yml +++ b/library/roles/postfix/tasks/main.yml @@ -1,5 +1,6 @@ --- - import_tasks: smtp-common-packages.yml +- import_tasks: smtp-configuration.yml - import_tasks: postfix_firewalld.yml when: ansible_distribution_file_variety == "RedHat" - import_tasks: smtp-sasl-auth.yml diff --git a/library/roles/postfix/tasks/smtp-common-packages.yml b/library/roles/postfix/tasks/smtp-common-packages.yml index 5db5e324..618488a0 100644 --- a/library/roles/postfix/tasks/smtp-common-packages.yml +++ b/library/roles/postfix/tasks/smtp-common-packages.yml 
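Review bot: Both examples document an optional `action` key, but the `virtual_domains.j2` template added in this commit writes `OK` for every entry and never reads `dom.action`, so the documentation promises a knob that does nothing; either drop `action` from the examples or make the template honour it. `postfix_virtual_alias_domains` and `postfix_virtual_mailbox_domains` also both default to `hash:/etc/postfix/virtual_domains`, the single file that template produces, so enabling `postfix_virtual_domains` together with `postfix_virtual_addresses` lists the same domains as both alias and mailbox domains, which Postfix explicitly warns against. I would state the constraint above the defaults, `# A domain belongs to exactly one class (alias OR mailbox). Both maps point at the same file, so enable only one of postfix_virtual_domains / postfix_virtual_addresses`, or give the alias class its own default file.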
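Review bot: `smtp-configuration.yml` is imported before `postfix_firewalld.yml` and `smtp-sasl-auth.yml`, and it both renders `main.cf` and restarts postfix in the same step; on a submission server `main.cf.j2` sets `smtpd_sasl_auth_enable = yes`, so on a first run the daemon is restarted with SASL required before the SASL task file has run (I cannot see that file, so this is inferred from the import order alone). If the SASL setup only has to exist before the restart, moving the import below `smtp-sasl-auth.yml`, or turning the restart into a handler that fires at the end of the role, closes that window. The import is also unconditional, whereas the tasks it replaces were gated on `postfix_install_packages`, so that guard now has to be carried inside the new file.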
@@ -26,38 +26,9 @@ when: postfix_tls_encryption_level != "old" notify: Reload postfix - - name: Write the postfix main configuration file - template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444 - register: postfix_main_restart_needed - - - name: The postfix master.cf file adapts to the service role - template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 - register: postfix_master_restart_needed - - - name: Write the postfix network_table map - template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444 - register: postfix_network_table_status - when: postfix_install_packages | bool tags: [ 'postfix', 'postfix_conf' ] -- block: - - name: Ensure that postfix is started and enabled - service: name=postfix state=started enabled=yes - - - name: Update the network hash table - shell: postmap hash:/etc/postfix/network_table - when: postfix_network_table_status is changed - - - name: Restart postfix - service: name=postfix state=restarted - when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed ) - - when: - - postfix_install_packages | bool - - postfix_enabled | bool - tags: [ 'postfix', 'postfix_conf' ] - - block: - name: Ensure that postfix is stopped and disabled service: name=postfix state=stopped enabled=no @@ -67,7 +38,6 @@ - not postfix_enabled | bool tags: postfix - - block: - name: Install the postfix NRPE nagios check copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555 diff --git a/library/roles/postfix/tasks/smtp-configuration.yml b/library/roles/postfix/tasks/smtp-configuration.yml new file mode 100644 index 00000000..f6ebdb8e --- /dev/null +++ b/library/roles/postfix/tasks/smtp-configuration.yml 
@@ -0,0 +1,54 @@ +--- +- name: Postfix main configuration + block: + - name: Write the postfix main configuration file + template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444 + register: postfix_main_restart_needed + + - name: The postfix master.cf file adapts to the service role + template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 + register: postfix_master_restart_needed + + when: postfix_enabled | bool + tags: [ 'postfix', 'postfix_conf' ] + +- name: Postfix maps installation + block: + - name: Write the postfix network_table map + template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444 + register: postfix_network_table_status + + - name: Write the postfix virtual_domains map + template: src=virtual_domains.j2 dest=/etc/postfix/virtual_domains owner=root group=root mode=0444 + register: postfix_virtual_domains_status + + - name: Write the postfix transport map + template: src=transport.j2 dest=/etc/postfix/transport owner=root group=root mode=0444 + register: postfix_transport_table_status + when: postfix_transport_map_enabled | bool + + - name: Update the network hash table + shell: postmap hash:/etc/postfix/network_table + when: postfix_network_table_status is changed + + - name: Update the virtual_domains + shell: postmap hash:/etc/postfix/virtual_domains + when: postfix_virtual_domains_status is changed + + - name: Update the transport hash table + shell: postmap hash:/etc/postfix/transport + when: postfix_transport_table_status is changed + + when: postfix_enabled | bool + tags: [ 'postfix', 'postfix_conf', 'postfix_maps' ] + +- block: + - name: Ensure that postfix is started and enabled + service: name=postfix state=started enabled=yes + + - name: Restart postfix + service: name=postfix state=restarted + when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed ) + + when: postfix_enabled | bool + tags: [ 'postfix', 
'postfix_conf' ] diff --git a/library/roles/postfix/templates/main.cf.j2 b/library/roles/postfix/templates/main.cf.j2 index d72c3177..d4db78f6 100644 --- a/library/roles/postfix/templates/main.cf.j2 +++ b/library/roles/postfix/templates/main.cf.j2 @@ -343,6 +343,9 @@ relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }} # TRANSPORT MAP # # See the discussion in the ADDRESS_REWRITING_README document. +{% if postfix_transport_map_enabled %} +transport_maps = {% for tmap in postfix_transport_maps %}{{ tmap }}{% if not loop.last %}, {% endif %}{% endfor %} +{% endif %} # ALIAS DATABASE # @@ -478,14 +481,18 @@ recipient_delimiter = {{ postfix_recipient_delimiter }} # #fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp #fallback_transport = -{% if postfix_inet_lmtp_enabled %} -virtual_transport = lmtp:inet:{{ postfix_inet_lmtp_host }}:{{ postfix_inet_lmtp_port }} -{% endif %} +{% if postfix_virtual_transport_enabled %} +virtual_transport = {{ postfix_virtual_transport_protocol }}:{{ postfix_lmtp_protocol }}:{{ postfix_lmtp_host }}:{{ postfix_lmtp_port }} -{% if postfix_virtual_addresses %} virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }} virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %} +{% endif %} + +{% if postfix_virtual_domains %} +virtual_alias_domains = = {{ postfix_virtual_alias_domains }} +{% endif %} +{% if postfix_virtual_addresses %} virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %} virtual_mailbox_limit = {{ postfix_message_size_limit }} 
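Review bot: All three blocks are gated only on `postfix_enabled | bool`, while the tasks they replace in `smtp-common-packages.yml` were wrapped in `when: postfix_install_packages | bool` (the start/restart block on both), so a host with `postfix_install_packages: False` now gets `main.cf`/`master.cf` overwritten and postfix started and enabled; add `- postfix_install_packages | bool` to each block's `when` unless dropping that guard is intended. The `postmap` calls need no shell features, so `command: postmap hash:/etc/postfix/network_table` is the safer module (no `/bin/sh`, no interpolation) and works unchanged with the existing `is changed` conditions. The role's other new tasks use the `key=value` argument form; native YAML module arguments (`template:` with `src:`/`dest:`/`mode: "0444"`) are the Ansible convention and avoid the octal-mode retyping trap, but that is a style point, not a defect.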
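Review bot: The hand-rolled `{% for %}...{% if not loop.last %}, {% endif %}` loop is a join; `transport_maps = {{ postfix_transport_maps | join(', ') }}` is shorter and cannot mis-place the separator. A comment is also warranted because this changes routing: `# Domains listed in transport_maps bypass relayhost and are delivered directly through the given transport`, so an operator who expects all outbound mail to leave through `postfix_relay_host` (set just above this hunk) knows these entries are the exception.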
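Review bot: `virtual_alias_domains = = {{ postfix_virtual_alias_domains }}` has a doubled `=`; Postfix takes everything after the first `=` as the value, so the parameter becomes `= hash:/etc/postfix/virtual_domains`, and how a leading bare `=` is interpreted (literal domain entry or parse error) varies by version but is never what was intended — the line should read `virtual_alias_domains = {{ postfix_virtual_alias_domains }}`. Note also that `virtual_mailbox_domains`/`virtual_mailbox_maps` used to be emitted under `postfix_virtual_addresses` and are now only emitted under `postfix_virtual_transport_enabled`, while `virtual_alias_maps` stays under `postfix_virtual_addresses`, so a host with `postfix_virtual_addresses: True` and the transport flag at its default loses its mailbox maps. Finally, the generic `postfix_virtual_transport_protocol` is rendered as `<proto>:{{ postfix_lmtp_protocol }}:host:port`, which is the `lmtp:inet:host:port` form; `smtp` would need `smtp:[host]:port`, so either document that only lmtp is supported or branch on the protocol.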
@@ -570,7 +577,24 @@ smtpd_client_restrictions = {% if postfix_submission_server %} permit_sasl_authenticated {% endif %} +{% if postfix_mx_server %} + reject_unknown_sender_domain + reject_non_fqdn_sender + reject_non_fqdn_recipient + reject_invalid_hostname +# reject_non_fqdn_hostname + reject_unauth_destination + reject_unknown_recipient_domain + reject_unlisted_recipient +{% if postfix_rbl_enabled %} + reject_rbl_client {{ postfix_rbl_list }} +{% endif %} +{% endif %} +{% if postfix_mx_server %} + permit +{% else %} reject +{% endif %} {% if postfix_submission_server %} smtpd_sasl_path = smtpd smtpd_sasl_auth_enable = yes diff --git a/library/roles/postfix/templates/transport.j2 b/library/roles/postfix/templates/transport.j2 new file mode 100644 index 00000000..c84f3bf3 --- /dev/null +++ b/library/roles/postfix/templates/transport.j2 @@ -0,0 +1,3 @@ +{% for map in postfix_transport_data %} +{{ map.domain }} {{ map.action }} +{% endfor %} diff --git a/library/roles/postfix/templates/virtual_domains.j2 b/library/roles/postfix/templates/virtual_domains.j2 new file mode 100644 index 00000000..bbb82600 --- /dev/null +++ b/library/roles/postfix/templates/virtual_domains.j2 @@ -0,0 +1,11 @@ +{% if postfix_virtual_domains | bool %} +{% for dom in postfix_virtual_alias_domains_data %} +{{ dom.domain }} OK +{% endfor %} +{% elif postfix_virtual_addresses | bool %} +{% for dom in postfix_virtual_mailbox_domains_data %} +{{ dom.domain }} OK +{% endfor %} +{% else %} +localdomain OK +{% endif %}
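Review bot: The recipient-dependent checks (`reject_unauth_destination`, `reject_unlisted_recipient`, `reject_unknown_recipient_domain`, `reject_non_fqdn_recipient`) are placed in `smtpd_client_restrictions` (the assignment begins above this hunk) and the MX branch ends with `permit` instead of `reject`; this is only safe because Postfix's default `smtpd_delay_reject = yes` postpones the client list until RCPT TO, and because relay control on Postfix 2.10+ also sits in `smtpd_relay_restrictions`, neither of which is visible in this template. Moving these checks into `smtpd_recipient_restrictions` (or at least adding `# relies on smtpd_delay_reject=yes; do not set it to no` above the list) makes the dependency explicit. Within the list, `reject_unauth_destination` should precede the sender, HELO and DNSBL checks so relay probes are rejected without DNS or RBL lookups, and `reject_rbl_client {{ postfix_rbl_list }}` needs a return-code filter in the variable (`zen.spamhaus.org=127.0.0.[2..11]`), because Spamhaus answers refused or public-resolver queries with 127.255.255.x, which an unfiltered `reject_rbl_client` treats as a listing and would bounce all inbound mail.

```jinja
{% if postfix_mx_server %}
    reject_unauth_destination
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_invalid_hostname
# reject_non_fqdn_hostname
    reject_unknown_recipient_domain
    reject_unlisted_recipient
{% if postfix_rbl_enabled %}
    reject_rbl_client {{ postfix_rbl_list }}
{% endif %}
{% endif %}
{# … unchanged: trailing permit/reject selection and submission SASL settings … #}
```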
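Review bot: The generated map has no header, so someone reading `/etc/postfix/transport` on the host gets no hint that hand edits are overwritten on the next run; add `# Managed by Ansible (postfix role) from postfix_transport_data -- do not edit` as the first template line, which Postfix map files accept as a comment. The key is rendered verbatim from `domain`, yet Postfix transport keys may also be `.domain` (subdomain matches, subject to `parent_domain_matches_subdomains`) or full addresses, so the variable's comment in defaults should say which forms are expected rather than implying bare domains only.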
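Review bot: Every entry is written as `{{ dom.domain }} OK`, while the defaults added in this commit document an optional `action` per entry; render it as `{{ dom.domain }} {{ dom.action | default('OK') }}` in both loops so the documented key has an effect, or drop it from the examples. The `if`/`elif` chain means that when `postfix_virtual_domains` and `postfix_virtual_addresses` are both true only the alias-domain list is written, although `main.cf.j2` points `virtual_mailbox_domains` at this same file, so the mailbox domains silently vanish; a comment stating that the two flags are exclusive, or rendering both lists, is needed. The `else` branch's `localdomain OK` placeholder becomes a real virtual domain whenever `main.cf` references this file without either flag (for example `virtual_mailbox_domains` with only `postfix_virtual_transport_enabled` set), so an empty file is safer than a made-up domain.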