Manage the smtp and submission configurations with different variables.

Andrea Dell'Amico 2020-01-08 00:23:34 +01:00
parent ba319f76a5
commit ad4ed35212
4 changed files with 29 additions and 10 deletions


@ -44,9 +44,9 @@ postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file # This one has to be set inside a vault file
#postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file' #postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
postfix_smtpd_reject_unknown_helo_hostname: False postfix_smtpd_reject_unknown_helo_hostname: False
postfix_reject_unknown_sender_domain: True
############################################################################# #############################################################################
# Relay server: accept authenticated clients # Relay server: accepts authenticated clients
############################################################################# #############################################################################
postfix_relay_server: False postfix_relay_server: False
# #
@ -62,6 +62,10 @@ postfix_milter_action: tempfail
# SMTP server that not accept authenticated clients. # SMTP server that not accept authenticated clients.
############################################################################# #############################################################################
postfix_smtpd_server: False postfix_smtpd_server: False
#############################################################################
# SMTP submission server: accepts authenticated clients
#############################################################################
postfix_submission_server: False
########################################################################################### ###########################################################################################
# The following options are used when acting as a relay or as a general purpose SMTP server # The following options are used when acting as a relay or as a general purpose SMTP server
########################################################################################### ###########################################################################################
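Review bot: The new `postfix_submission_server: False` default in the second hunk is a behaviour change that nothing in the defaults file documents. Elsewhere in this commit the submission entry in master.cf moves from `{% if postfix_smtpd_server %}` to `{% if postfix_submission_server %}`, so a host that sets only `postfix_smtpd_server: True` loses its submission listener after upgrading the role. A comment above the variable would make that visible, for example `# Must be enabled explicitly: postfix_smtpd_server no longer turns on the submission service`. The neighbouring context comment `# SMTP server that not accept authenticated clients.` would also read better as `# SMTP server that does not accept authenticated clients.`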


@ -39,7 +39,7 @@
register: postfix_network_table_status register: postfix_network_table_status
when: postfix_install_packages | bool when: postfix_install_packages | bool
tags: postfix tags: [ 'postfix', 'postfix_conf' ]
- block: - block:
- name: Ensure that postfix is started and enabled - name: Ensure that postfix is started and enabled
@ -56,7 +56,7 @@
when: when:
- postfix_install_packages | bool - postfix_install_packages | bool
- postfix_enabled | bool - postfix_enabled | bool
tags: postfix tags: [ 'postfix', 'postfix_conf' ]
- block: - block:
- name: Ensure that postfix is stopped and disabled - name: Ensure that postfix is stopped and disabled


@ -486,6 +486,8 @@ virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }}
virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %} virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %}
virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %} virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %}
virtual_mailbox_limit = {{ postfix_message_size_limit }}
{% endif %} {% endif %}
# The luser_relay parameter specifies an optional destination address # The luser_relay parameter specifies an optional destination address
@ -536,6 +538,7 @@ smtpd_delay_reject = yes
smtpd_helo_required = yes smtpd_helo_required = yes
mailbox_size_limit = {{ postfix_message_size_limit }} mailbox_size_limit = {{ postfix_message_size_limit }}
message_size_limit = {{ postfix_message_size_limit }}
{% if postfix_use_milter %} {% if postfix_use_milter %}
# #
@ -563,27 +566,37 @@ smtpd_milters =
smtpd_client_restrictions = smtpd_client_restrictions =
permit_mynetworks permit_mynetworks
permit_inet_interfaces permit_inet_interfaces
{% if postfix_submission_server %}
permit_sasl_authenticated
{% endif %}
reject
{% if postfix_submission_server %}
smtpd_sasl_path = smtpd smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }} smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }} smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
smtpd_sasl_authenticated_header = yes smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes broken_sasl_auth_clients = yes
smtpd_helo_required = yes # Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
{% endif %}
{% if postfix_smtpd_reject_unknown_helo_hostname %} {% if postfix_smtpd_reject_unknown_helo_hostname %}
# Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups # Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups
smtpd_helo_restrictions = reject_unknown_helo_hostname smtpd_helo_restrictions = reject_unknown_helo_hostname
{% endif %} {% endif %}
# Block clients that speak too early. {% if postfix_reject_unknown_sender_domain %}
smtpd_data_restrictions = reject_unauth_pipelining
# Our internal servers talk to the submission port so they are treated as clients
smtpd_client_restrictions = permit_inet_interfaces, permit_sasl_authenticated, reject
# Don't accept mail from domains that don't exist. # Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain smtpd_sender_restrictions = reject_unknown_sender_domain
{% endif %}
{% if postfix_submission_server %}
# Relay control: local clients and # Relay control: local clients and
# authenticated clients may specify any destination domain. # authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_sasl_authenticated, reject smtpd_relay_restrictions = permit_sasl_authenticated, reject
{% endif %} {% endif %}
{% if postfix_behind_haproxy %}
smtpd_upstream_proxy_protocol=haproxy
{% endif %}
{% endif %}
# FAST ETRN SERVICE # FAST ETRN SERVICE
# #
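Review bot: `smtpd_data_restrictions = reject_unauth_pipelining` now sits inside the first `{% if postfix_submission_server %}` block of the last hunk, so a host that enables only `postfix_smtpd_server` appears to lose the early-talker check it had on the old side. Keeping the comment and that line outside the conditional, directly after its `{% endif %}`, preserves the check for the port-25 listener. Separately, the `reject` added to `smtpd_client_restrictions` is a main.cf setting and therefore applies to every smtpd listener; if the plain `smtp` service is meant to accept mail from hosts outside `mynetworks`, that restriction belongs on the submission service as a `-o smtpd_client_restrictions=...` override in master.cf instead. The final `{% endif %}` closes a block opened outside the hunk, so the enclosing condition is not visible here.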


@ -8,12 +8,14 @@
# service type private unpriv chroot wakeup maxproc command + args # service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100) # (yes) (yes) (yes) (never) (100)
# ========================================================================== # ==========================================================================
{% if postfix_smtpd_server %}
smtp inet n - n - - smtpd smtp inet n - n - - smtpd
{% endif %}
#smtp inet n - n - 1 postscreen #smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd #smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog #dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy #tlsproxy unix - - n - 0 tlsproxy
{% if postfix_smtpd_server %} {% if postfix_submission_server %}
submission inet n - n - - smtpd submission inet n - n - - smtpd
-o syslog_name=postfix/submission -o syslog_name=postfix/submission
-o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }} -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
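Review bot: The `smtp` listener guarded by `{% if postfix_smtpd_server %}` carries no `-o` overrides, so when both flags are true it inherits the `smtpd_sasl_auth_enable = yes` that the main.cf template sets under `postfix_submission_server`. Port 25 would then offer AUTH as well, and whether credentials are only accepted over TLS there depends on settings not visible on this page. If authentication is meant for the submission port only, scope it per service with `-o smtpd_sasl_auth_enable=yes` under `submission` and leave the main.cf default off. The submission entry's remaining `-o` lines are outside the hunk, so it may already do part of this.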