diff --git a/library/roles/postfix/defaults/main.yml b/library/roles/postfix/defaults/main.yml index cd19e647..fdf25b7d 100644 --- a/library/roles/postfix/defaults/main.yml +++ b/library/roles/postfix/defaults/main.yml @@ -44,9 +44,9 @@ postfix_smtp_relay_user: '{{ ansible_fqdn }}' # This one has to be set inside a vault file #postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file' postfix_smtpd_reject_unknown_helo_hostname: False - +postfix_reject_unknown_sender_domain: True ############################################################################# -# Relay server: accept authenticated clients +# Relay server: accepts authenticated clients ############################################################################# postfix_relay_server: False # @@ -62,6 +62,10 @@ postfix_milter_action: tempfail # SMTP server that not accept authenticated clients. ############################################################################# postfix_smtpd_server: False +############################################################################# +# SMTP submission server: accepts authenticated clients +############################################################################# +postfix_submission_server: False ########################################################################################### # The following options are used when acting as a relay or as a general purpose SMTP server ########################################################################################### diff --git a/library/roles/postfix/tasks/smtp-common-packages.yml b/library/roles/postfix/tasks/smtp-common-packages.yml index d36d22e1..5db5e324 100644 --- a/library/roles/postfix/tasks/smtp-common-packages.yml +++ b/library/roles/postfix/tasks/smtp-common-packages.yml @@ -39,7 +39,7 @@ register: postfix_network_table_status when: postfix_install_packages | bool - tags: postfix + tags: [ 'postfix', 'postfix_conf' ] - block: - name: Ensure that postfix is started and enabled @@ -56,7 +56,7 @@ when: - postfix_install_packages | bool - postfix_enabled | bool - tags: postfix + tags: [ 'postfix', 'postfix_conf' ] - block: - name: Ensure that postfix is stopped and disabled diff --git a/library/roles/postfix/templates/main.cf.j2 b/library/roles/postfix/templates/main.cf.j2 index 4501ebb1..38ad03fa 100644 --- a/library/roles/postfix/templates/main.cf.j2 +++ b/library/roles/postfix/templates/main.cf.j2 @@ -486,6 +486,8 @@ virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }} virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %} virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %} + +virtual_mailbox_limit = {{ postfix_message_size_limit }} {% endif %} # The luser_relay parameter specifies an optional destination address @@ -536,6 +538,7 @@ smtpd_delay_reject = yes smtpd_helo_required = yes mailbox_size_limit = {{ postfix_message_size_limit }} +message_size_limit = {{ postfix_message_size_limit }} {% if postfix_use_milter %} # @@ -563,27 +566,37 @@ smtpd_milters = smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces +{% if postfix_submission_server %} + permit_sasl_authenticated +{% endif %} + reject +{% if postfix_submission_server %} smtpd_sasl_path = smtpd smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }} smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }} smtpd_sasl_authenticated_header = yes broken_sasl_auth_clients = yes -smtpd_helo_required = yes +# Block clients that speak too early. +smtpd_data_restrictions = reject_unauth_pipelining +{% endif %} {% if postfix_smtpd_reject_unknown_helo_hostname %} # Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups smtpd_helo_restrictions = reject_unknown_helo_hostname {% endif %} -# Block clients that speak too early. -smtpd_data_restrictions = reject_unauth_pipelining -# Our internal servers talk to the submission port so they are treated as clients -smtpd_client_restrictions = permit_inet_interfaces, permit_sasl_authenticated, reject +{% if postfix_reject_unknown_sender_domain %} # Don't accept mail from domains that don't exist. smtpd_sender_restrictions = reject_unknown_sender_domain +{% endif %} +{% if postfix_submission_server %} # Relay control: local clients and # authenticated clients may specify any destination domain. smtpd_relay_restrictions = permit_sasl_authenticated, reject {% endif %} +{% if postfix_behind_haproxy %} +smtpd_upstream_proxy_protocol=haproxy +{% endif %} +{% endif %} # FAST ETRN SERVICE # diff --git a/library/roles/postfix/templates/master.cf.j2 b/library/roles/postfix/templates/master.cf.j2 index 12b71d16..303253d4 100644 --- a/library/roles/postfix/templates/master.cf.j2 +++ b/library/roles/postfix/templates/master.cf.j2 @@ -8,12 +8,14 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== +{% if postfix_smtpd_server %} smtp inet n - n - - smtpd +{% endif %} #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd #dnsblog unix - - n - 0 dnsblog #tlsproxy unix - - n - 0 tlsproxy -{% if postfix_smtpd_server %} +{% if postfix_submission_server %} submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}