Merge branch 'master' of adellam/ansible-roles into master

This commit is contained in:
Andrea Dell'Amico 2019-12-17 19:55:34 +01:00 committed by Gitea
commit 07a855d487
9 changed files with 199 additions and 65 deletions

View File

@ -21,6 +21,9 @@ postfix_biff: "no"
postfix_append_dot_mydomain: "no" postfix_append_dot_mydomain: "no"
postfix_use_letsencrypt: False postfix_use_letsencrypt: False
postfix_tls_encryption_level: 'intermediate'
postfix_tls_dhparam_size: 2048
postfix_tls_dhparam_file: /etc/postfix/dhparam.pem
# Accepted values: none, may, encrypt # Accepted values: none, may, encrypt
postfix_smtpd_tls_security_level: encrypt postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only # Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
@ -40,11 +43,21 @@ postfix_relay_port: 587
postfix_smtp_relay_user: '{{ ansible_fqdn }}' postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file # This one has to be set inside a vault file
#postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file' #postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
postfix_smtpd_reject_unknown_helo_hostname: False
############################################################################# #############################################################################
# Relay server: accept authenticated clients # Relay server: accept authenticated clients
############################################################################# #############################################################################
postfix_relay_server: False postfix_relay_server: False
#
postfix_use_milter: False
postfix_spamassassin_milter: False
postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock'
postfix_clamav_milter: False
# inet:[127.0.0.1]:7357
postfix_clamav_milter_socket: 'unix:/run/clamav-milter/clamav-milter.socket'
# Specify accept, reject, tempfail, quarantine
postfix_milter_action: tempfail
############################################################################# #############################################################################
# SMTP server that not accept authenticated clients. # SMTP server that not accept authenticated clients.
############################################################################# #############################################################################
@ -68,6 +81,26 @@ postfix_sasl_deb_packages:
postfix_sasl_rh_packages: postfix_sasl_rh_packages:
- cyrus-sasl - cyrus-sasl
postfix_saslauthd_mech: 'pam'
postfix_saslauthd_flags: ''
postfix_saslauthd_conf_file: '/etc/saslauthd.conf'
#
postfix_sasl_ldap_servers: ldap://localhost
postfix_sasl_ldap_bind_dn: cn=saslauthd,ou=dsa,dc=example,dc=com
# postfix_sasl_ldap_bind_pw: set inside a vault file
postfix_sasl_ldap_timeout: 10
postfix_sasl_ldap_time_limit: 10
postfix_sasl_ldap_scope: sub
postfix_sasl_ldap_search_base: ou=people,dc=example,dc=com
postfix_sasl_ldap_auth_method: bind
postfix_sasl_ldap_filter: (&(uid=%u)(mail=*))
postfix_sasl_ldap_debug: 0
postfix_sasl_ldap_verbose: off
postfix_sasl_ldap_ssl: no
postfix_sasl_ldap_starttls: yes
postfix_sasl_ldap_referrals: no
#
postfix_use_domain_name: False postfix_use_domain_name: False
postfix_inet_lmtp_enabled: False postfix_inet_lmtp_enabled: False
postfix_inet_lmtp_host: '127.0.0.1' postfix_inet_lmtp_host: '127.0.0.1'

View File

@ -0,0 +1,4 @@
---
dependencies:
- { role: '../../library/roles/clamav', when: postfix_clamav_milter | bool }
#- { role: '../../library/roles/spamassassin', when: postfix_spamassassin_milter | bool }

View File

@ -7,7 +7,7 @@
- postfix_use_sasl_auth | bool - postfix_use_sasl_auth | bool
- postfix_relay_client | bool - postfix_relay_client | bool
- import_tasks: postfix-relay-server.yml - import_tasks: postfix-relay-server.yml
when: postfix_relay_server | bool when: postfix_smtpd_server | bool
- import_tasks: postfix-letsencrypt-hook.yml - import_tasks: postfix-letsencrypt-hook.yml
when: postfix_use_letsencrypt | bool when: postfix_use_letsencrypt | bool

View File

@ -3,7 +3,6 @@
block: block:
- name: Install the sasl2 authentication infrastructure - name: Install the sasl2 authentication infrastructure
apt: pkg={{ postfix_sasl_deb_packages }} state=present cache_valid_time=1800 apt: pkg={{ postfix_sasl_deb_packages }} state=present cache_valid_time=1800
when: ansible_distribution_file_variety == "Debian"
- name: Create the sasl run directory inside /var/spool/postfix, for chroot - name: Create the sasl run directory inside /var/spool/postfix, for chroot
file: dest=/var/spool/postfix/var/run/saslauthd state=directory owner=root group=root mode=0555 file: dest=/var/spool/postfix/var/run/saslauthd state=directory owner=root group=root mode=0555
@ -16,14 +15,24 @@
- name: Enable the saslauth daemon - name: Enable the saslauth daemon
action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell
when: ansible_distribution_file_variety == "Debian"
tags: [ 'postfix_relay', 'postfix-relay' ] tags: [ 'postfix_relay', 'postfix-relay' ]
- name: Postfix relay, rh specific - name: Postfix relay, rh specific
block: block:
- name: Install the sasl2 authentication infrastructure - name: Install the sasl2 authentication infrastructure
yum: pkg={{ postfix_sasl_rh_packages }} state=present yum: pkg={{ postfix_sasl_rh_packages }} state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Install the SASL configuration
template: src=saslauthd.sysconfig.j2 dest=/etc/sysconfig/saslauthd owner=root group=root mode=0644
notify: restart saslauth daemon
- name: Install the ldap configuration for saslauthd
template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf owner=root group=root mode=0400
when: postfix_saslauthd_mech == 'ldap'
notify: restart saslauth daemon
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'postfix_relay', 'postfix-relay' ] tags: [ 'postfix_relay', 'postfix-relay' ]
@ -38,6 +47,7 @@
- name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket - name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket
user: name=postfix groups='sasl' user: name=postfix groups='sasl'
notify: Restart postfix notify: Restart postfix
when: ansible_distribution_file_variety == "Debian"
- name: Ensure that the saslauthd daemon is started and enabled - name: Ensure that the saslauthd daemon is started and enabled
service: name=saslauthd state=restarted enabled=yes service: name=saslauthd state=restarted enabled=yes

View File

@ -12,6 +12,20 @@
yum: pkg=ssmtp state=absent yum: pkg=ssmtp state=absent
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: Create a DHPARAM file used by TLS
shell: openssl dhparam -out {{ postfix_tls_dhparam_file }} {{ postfix_tls_dhparam_size }}
args:
creates: '{{ postfix_tls_dhparam_file }}'
when: postfix_tls_encryption_level == "old"
notify: Reload postfix
- name: Download a DHPARAM file from the mozilla ssl configurator site
get_url: url='https://ssl-config.mozilla.org/ffdhe2048.txt' dest={{ postfix_tls_dhparam_file }}
args:
creates: '{{ postfix_tls_dhparam_file }}'
when: postfix_tls_encryption_level != "old"
notify: Reload postfix
- name: Write the postfix main configuration file - name: Write the postfix main configuration file
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444 template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
register: postfix_main_restart_needed register: postfix_main_restart_needed

View File

@ -73,7 +73,7 @@ myorigin = {{ ansible_fqdn }}
# Note: you need to stop/start Postfix when this parameter changes. # Note: you need to stop/start Postfix when this parameter changes.
# #
{% if not postfix_use_inet_interfaces %} {% if not postfix_use_inet_interfaces %}
{% if not postfix_relay_server %} {% if not postfix_smtpd_server %}
inet_interfaces = localhost inet_interfaces = localhost
inet_protocols = ipv4 inet_protocols = ipv4
{% else %} {% else %}
@ -535,10 +535,54 @@ disable_vrfy_command = yes
smtpd_delay_reject = yes smtpd_delay_reject = yes
smtpd_helo_required = yes smtpd_helo_required = yes
mailbox_size_limit = {{ postfix_message_size_limit }}
{% if postfix_use_milter %}
#
# MILTER CONFIGURATION
#
# clamav, milter-greylist, spamassassin
#
#milter_connect_timeout = 30s
#milter_command_timeout = 30s
#milter_content_timeout = 300s
#milter_protocol = 2
# What to do in case of errors? Specify accept, reject, tempfail,
# or quarantine (Postfix 2.6 or later).
milter_default_action = {{ postfix_milter_action }}
smtpd_milters =
{% if postfix_spamassassin_milter %}
{{ postfix_spamassassin_milter_socket }}
{% endif %}
{% if postfix_clamav_milter %}
{{ postfix_clamav_milter_socket }}
{% endif %}
{% endif %}
{% if postfix_smtpd_server %} {% if postfix_smtpd_server %}
smtpd_client_restrictions = smtpd_client_restrictions =
permit_mynetworks permit_mynetworks
permit_inet_interfaces permit_inet_interfaces
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
{% if postfix_smtpd_reject_unknown_helo_hostname %}
# Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups
smtpd_helo_restrictions = reject_unknown_helo_hostname
{% endif %}
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
# Our internal servers talk to the submission port so they are treated as clients
smtpd_client_restrictions = permit_inet_interfaces, permit_sasl_authenticated, reject
# Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain
# Relay control: local clients and
# authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_sasl_authenticated, reject
{% endif %} {% endif %}
# FAST ETRN SERVICE # FAST ETRN SERVICE
@ -668,43 +712,6 @@ manpage_directory = /usr/share/man
readme_directory = no readme_directory = no
# TLS parameters # TLS parameters
# 2019-12-11, https://ssl-config.mozilla.org/#server=postfix&server-version=2.10.1&config=intermediate&openssl-version=1.0.2k
# smtpd_use_tls = yes
# smtpd_tls_security_level = may
# smtpd_tls_auth_only = yes
# smtpd_tls_cert_file = /path/to/signed_cert_plus_intermediates
# smtpd_tls_key_file = /path/to/private_key
# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# smtpd_tls_mandatory_ciphers = medium
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
# not actually 1024 bits, this applies to all DHE >= 1024 bits
# smtpd_tls_dh1024_param_file = /path/to/dhparam.pem
# tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# tls_preempt_cipherlist = no
# 2019-12-11, https://ssl-config.mozilla.org/#server=postfix&server-version=2.10.1&config=old&openssl-version=1.0.2k
# smtpd_use_tls = yes
# smtpd_tls_security_level = may
# smtpd_tls_auth_only = yes
# smtpd_tls_cert_file = /path/to/signed_cert_plus_intermediates
# smtpd_tls_key_file = /path/to/private_key
# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# smtpd_tls_protocols = !SSLv2, !SSLv3
# smtpd_tls_mandatory_ciphers = medium
# openssl dhparam 1024 > /path/to/dhparam.pem
# not actually 1024 bits, this applies to all DHE >= 1024 bits
# smtpd_tls_dh1024_param_file = /path/to/dhparam.pem
# tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
# tls_preempt_cipherlist = yes
# Server
{% if letsencrypt_acme_install is defined %} {% if letsencrypt_acme_install is defined %}
{% if postfix_use_letsencrypt %} {% if postfix_use_letsencrypt %}
smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
@ -718,20 +725,45 @@ smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
{% endif %} {% endif %}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache {% if postfix_tls_encryption_level == 'intermediate' %}
{% if postfix_smtpd_server %} # 2019-12-11, https://ssl-config.mozilla.org/#server=postfix&server-version=2.10.1&config=intermediate&openssl-version=1.0.2k
smtpd_use_tls = yes
smtpd_tls_security_level = {{ postfix_smtpd_tls_security_level }} smtpd_tls_security_level = {{ postfix_smtpd_tls_security_level }}
{% if postfix_smtpd_server %}
smtpd_tls_auth_only = yes smtpd_tls_auth_only = yes
{% endif %} {% endif %}
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
# not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = {{ postfix_tls_dhparam_file }}
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
{% elif postfix_tls_encryption_level == 'old' %}
# 2019-12-11, https://ssl-config.mozilla.org/#server=postfix&server-version=2.10.1&config=old&openssl-version=1.0.2k
smtpd_use_tls = yes
smtpd_tls_security_level = {{ postfix_smtpd_tls_security_level }} smtpd_tls_security_level = {{ postfix_smtpd_tls_security_level }}
{% if postfix_smtpd_server %}
smtpd_tls_auth_only = yes
{% endif %}
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
# openssl dhparam 1024 > /path/to/dhparam.pem
# not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = {{ postfix_tls_dhparam_file }}
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
{% endif %}
# Server
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Client # Client
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }} smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#
# HAPROXY
#
{% if postfix_behind_haproxy %}
smtpd_upstream_proxy_protocol = haproxy
{% endif %}

View File

@ -13,26 +13,42 @@ smtp inet n - n - - smtpd
#smtpd pass - - n - - smtpd #smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog #dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy #tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd {% if postfix_smtpd_server %}
# -o syslog_name=postfix/submission submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt -o syslog_name=postfix/submission
# -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=encrypt
# -o smtpd_reject_unlisted_recipient=no {% if postfix_use_letsencrypt %}
-o smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
-o smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey
{% endif %}
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING {% if postfix_behind_haproxy %}
#smtps inet n - n - - smtpd -o smtpd_upstream_proxy_protocol=haproxy
# -o syslog_name=postfix/smtps {% endif %}
# -o smtpd_tls_wrappermode=yes -o milter_macro_daemon_name=ORIGINATING
# -o smtpd_sasl_auth_enable=yes smtps inet n - n - - smtpd
# -o smtpd_reject_unlisted_recipient=no -o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
{% if postfix_use_letsencrypt %}
-o smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
-o smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey
{% endif %}
{% if postfix_behind_haproxy %}
-o smtpd_upstream_proxy_protocol=haproxy
{% endif %}
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING -o milter_macro_daemon_name=ORIGINATING
{% endif %}
#628 inet n - n - - qmqpd #628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup cleanup unix n - n - 0 cleanup

View File

@ -0,0 +1,14 @@
ldap_servers: {{ postfix_sasl_ldap_servers }}
ldap_bind_dn: {{ postfix_sasl_ldap_bind_dn }}
ldap_bind_pw: {{ postfix_sasl_ldap_bind_pw }}
ldap_timeout: {{ postfix_sasl_ldap_timeout }}
ldap_time_limit: {{ postfix_sasl_ldap_time_limit }}
ldap_scope: {{ postfix_sasl_ldap_scope }}
ldap_search_base: {{ postfix_sasl_ldap_search_base }}
ldap_auth_method: {{ postfix_sasl_ldap_auth_method }}
ldap_filter: {{ postfix_sasl_ldap_filter }}
ldap_debug: {{ postfix_sasl_ldap_debug }}
ldap_verbose: {{ postfix_sasl_ldap_verbose }}
ldap_ssl: {{ postfix_sasl_ldap_ssl }}
ldap_starttls: {{ postfix_sasl_ldap_starttls }}
ldap_referrals: {{ postfix_sasl_ldap_referrals }}

View File

@ -0,0 +1,11 @@
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH="{{ postfix_saslauthd_mech }}"
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS={{ postfix_saslauthd_flags }}