Manage the transport and virtual_domains maps.

2020-01-24 13:03:07 +01:00 · 2020-01-24 13:03:07 +01:00 · d53b569189
parent c036b0bf8b
commit d53b569189
7 changed files with 130 additions and 37 deletions
--- a/library/roles/postfix/defaults/main.yml
+++ b/library/roles/postfix/defaults/main.yml
@ -62,6 +62,9 @@ postfix_milter_action: tempfail
 # SMTP server that not accept authenticated clients. 
 #############################################################################
 postfix_smtpd_server: False
+# SMTP server that routes emails coming from outside
+#############################################################################
+postfix_mx_server: False
 #############################################################################
 # SMTP submission server: accepts authenticated clients
 #############################################################################
@ -106,12 +109,25 @@ postfix_sasl_ldap_referrals: no
 #

 postfix_use_domain_name: False
-postfix_inet_lmtp_enabled: False
-postfix_inet_lmtp_host: '127.0.0.1'
-postfix_inet_lmtp_port: 24
+postfix_virtual_transport_enabled: False
+postfix_virtual_transport_protocol: 'lmtp'
+postfix_lmtp_protocol: 'inet'
+postfix_lmtp_host: '127.0.0.1'
+postfix_lmtp_port: 24
 postfix_delivery_soft_bounce: False
 postfix_recipient_delimiter: '+'
 postfix_local_recipients: False
+postfix_transport_map_enabled: False
+postfix_transport_maps:
+  - 'hash:/etc/postfix/transport'
+
+postfix_transport_data: []
+#
+# Example:
+# postfix_transport_data:
+#   - { domain: 'example.com', action: 'smtp:[dest.smtp.example.com]:25' }
+postfix_rbl_enabled: True
+postfix_rbl_list: 'zen.spamhaus.org'

 postfix_mynetworks: hash:/etc/postfix/network_table
 postfix_mynetworks_data:
@ -125,9 +141,23 @@ postfix_alias_databases: '{{ postfix_alias_maps }}'

 postfix_virtual_addresses: False
 postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains'
+postfix_virtual_mailbox_domains_data: []
+#
+# Example. The 'action' part is optional:
+# postfix_virtual_mailbox_domains_data:
+#   - { domain: 'example.com', action: 'OK' }
+
 postfix_virtual_mailbox_maps:
  - 'hash:/etc/postfix/vmailbox_maps'

+postfix_virtual_domains: False
+postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains'
+postfix_virtual_alias_domains_data: []
+#
+# Example. The 'action' part is optional:
+# postfix_virtual_alias_domains_data:
+#   - { domain: 'example.com', action: 'OK' }
+
 postfix_virtual_alias_maps:
  - 'hash:/etc/postfix/virtual'

--- a/library/roles/postfix/tasks/main.yml
+++ b/library/roles/postfix/tasks/main.yml
@ -1,5 +1,6 @@
 ---
 - import_tasks: smtp-common-packages.yml
+- import_tasks: smtp-configuration.yml
 - import_tasks: postfix_firewalld.yml
  when: ansible_distribution_file_variety == "RedHat"
 - import_tasks: smtp-sasl-auth.yml
--- a/library/roles/postfix/tasks/smtp-common-packages.yml
+++ b/library/roles/postfix/tasks/smtp-common-packages.yml
@ -26,38 +26,9 @@
      when: postfix_tls_encryption_level != "old"
      notify: Reload postfix

-    - name: Write the postfix main configuration file
-      template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
-      register: postfix_main_restart_needed
-
-    - name: The postfix master.cf file adapts to the service role
-      template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
-      register: postfix_master_restart_needed
-
-    - name: Write the postfix network_table map
-      template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
-      register: postfix_network_table_status
-
  when: postfix_install_packages | bool
  tags: [ 'postfix', 'postfix_conf' ]

- block:
-    - name: Ensure that postfix is started and enabled
-      service: name=postfix state=started enabled=yes
-
-    - name: Update the network hash table
-      shell: postmap hash:/etc/postfix/network_table
-      when: postfix_network_table_status is changed
-    
-    - name: Restart postfix
-      service: name=postfix state=restarted
-      when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed )
-
-  when:
-    - postfix_install_packages | bool
-    - postfix_enabled | bool
-  tags: [ 'postfix', 'postfix_conf' ]
-
 - block:
    - name: Ensure that postfix is stopped and disabled
      service: name=postfix state=stopped enabled=no
@ -67,7 +38,6 @@
    - not postfix_enabled | bool
  tags: postfix

-
 - block:
    - name: Install the postfix NRPE nagios check
      copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }}  owner=root group=nagios mode=0555
--- a/library/roles/postfix/tasks/smtp-configuration.yml
+++ b/library/roles/postfix/tasks/smtp-configuration.yml
@ -0,0 +1,54 @@
+---
+- name: Postfix main configuration
+  block:
+    - name: Write the postfix main configuration file
+      template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
+      register: postfix_main_restart_needed
+
+    - name: The postfix master.cf file adapts to the service role
+      template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
+      register: postfix_master_restart_needed
+
+  when: postfix_enabled | bool
+  tags: [ 'postfix', 'postfix_conf' ]
+
+- name: Postfix maps installation
+  block:
+    - name: Write the postfix network_table map
+      template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
+      register: postfix_network_table_status
+
+    - name: Write the postfix virtual_domains map
+      template: src=virtual_domains.j2 dest=/etc/postfix/virtual_domains owner=root group=root mode=0444
+      register: postfix_virtual_domains_status
+
+    - name: Write the postfix transport map
+      template: src=transport.j2 dest=/etc/postfix/transport owner=root group=root mode=0444
+      register: postfix_transport_table_status
+      when: postfix_transport_map_enabled | bool
+
+    - name: Update the network hash table
+      shell: postmap hash:/etc/postfix/network_table
+      when: postfix_network_table_status is changed
+
+    - name: Update the virtual_domains
+      shell: postmap hash:/etc/postfix/virtual_domains
+      when: postfix_virtual_domains_status is changed
+
+    - name: Update the transport hash table
+      shell: postmap hash:/etc/postfix/transport
+      when: postfix_transport_table_status is changed
+
+  when: postfix_enabled | bool
+  tags: [ 'postfix', 'postfix_conf', 'postfix_maps' ]
+
+- block:
+    - name: Ensure that postfix is started and enabled
+      service: name=postfix state=started enabled=yes
+
+    - name: Restart postfix
+      service: name=postfix state=restarted
+      when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed )
+
+  when: postfix_enabled | bool
+  tags: [ 'postfix', 'postfix_conf' ]
--- a/library/roles/postfix/templates/main.cf.j2
+++ b/library/roles/postfix/templates/main.cf.j2
@ -343,6 +343,9 @@ relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}
 # TRANSPORT MAP
 #
 # See the discussion in the ADDRESS_REWRITING_README document.
+{% if postfix_transport_map_enabled %}
+transport_maps = {% for tmap in postfix_transport_maps %}{{ tmap }}{% if not loop.last %}, {% endif %}{% endfor %}
+{% endif %}

 # ALIAS DATABASE
 #
@ -478,14 +481,18 @@ recipient_delimiter = {{ postfix_recipient_delimiter }}
 #
 #fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
 #fallback_transport =
-{% if postfix_inet_lmtp_enabled %}
-virtual_transport = lmtp:inet:{{ postfix_inet_lmtp_host }}:{{ postfix_inet_lmtp_port }}
-{% endif %}
+{% if postfix_virtual_transport_enabled %}
+virtual_transport = {{ postfix_virtual_transport_protocol }}:{{ postfix_lmtp_protocol }}:{{ postfix_lmtp_host }}:{{ postfix_lmtp_port }}

-{% if postfix_virtual_addresses %}
 virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }}
 virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %}

+{% endif %}
+
+{% if postfix_virtual_domains %}
+virtual_alias_domains = = {{ postfix_virtual_alias_domains }}
+{% endif %}
+{% if postfix_virtual_addresses %}
 virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %}

 virtual_mailbox_limit = {{ postfix_message_size_limit }}
@ -570,7 +577,24 @@ smtpd_client_restrictions =
 {% if postfix_submission_server %}
   permit_sasl_authenticated
 {% endif %}
+{% if postfix_mx_server %}
+   reject_unknown_sender_domain
+   reject_non_fqdn_sender
+   reject_non_fqdn_recipient
+   reject_invalid_hostname
+#   reject_non_fqdn_hostname
+   reject_unauth_destination
+   reject_unknown_recipient_domain
+   reject_unlisted_recipient
+{% if postfix_rbl_enabled %}
+   reject_rbl_client {{ postfix_rbl_list }}
+{% endif %}
+{% endif %}
+{% if postfix_mx_server %}
+   permit
+{% else %}
   reject
+{% endif %}
 {% if postfix_submission_server %}
 smtpd_sasl_path = smtpd
 smtpd_sasl_auth_enable = yes
--- a/library/roles/postfix/templates/transport.j2
+++ b/library/roles/postfix/templates/transport.j2
@ -0,0 +1,3 @@
+{% for map in postfix_transport_data %}
+{{ map.domain }} {{ map.action }}
+{% endfor %}
--- a/library/roles/postfix/templates/virtual_domains.j2
+++ b/library/roles/postfix/templates/virtual_domains.j2
@ -0,0 +1,11 @@
+{% if postfix_virtual_domains | bool %}
+{% for dom in postfix_virtual_alias_domains_data %}
+{{ dom.domain }} OK
+{% endfor %}
+{% elif postfix_virtual_addresses | bool %}
+{% for dom in postfix_virtual_mailbox_domains_data %}
+{{ dom.domain }} OK
+{% endfor %}
+{% else %}
+localdomain OK
+{% endif %}