Merge branch 'master' of adellam/ansible-roles into master

2020-01-08 00:24:47 +01:00 · 2020-01-08 00:24:47 +01:00 · 29f3c56424
parent 9b45d9beb6 ad4ed35212
commit 29f3c56424
4 changed files with 29 additions and 10 deletions
--- a/library/roles/postfix/defaults/main.yml
+++ b/library/roles/postfix/defaults/main.yml
@ -44,9 +44,9 @@ postfix_smtp_relay_user: '{{ ansible_fqdn }}'
 # This one has to be set inside a vault file
 #postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
 postfix_smtpd_reject_unknown_helo_hostname: False
-
+postfix_reject_unknown_sender_domain: True
 #############################################################################
-# Relay server: accept authenticated clients
+# Relay server: accepts authenticated clients
 #############################################################################
 postfix_relay_server: False
 #
@ -62,6 +62,10 @@ postfix_milter_action: tempfail
 # SMTP server that not accept authenticated clients. 
 #############################################################################
 postfix_smtpd_server: False
+#############################################################################
+# SMTP submission server: accepts authenticated clients
+#############################################################################
+postfix_submission_server: False
 ###########################################################################################
 # The following options are used when acting as a relay or as a general purpose SMTP server
 ###########################################################################################
--- a/library/roles/postfix/tasks/smtp-common-packages.yml
+++ b/library/roles/postfix/tasks/smtp-common-packages.yml
@ -39,7 +39,7 @@
      register: postfix_network_table_status

  when: postfix_install_packages | bool
-  tags: postfix
+  tags: [ 'postfix', 'postfix_conf' ]

 - block:
    - name: Ensure that postfix is started and enabled
@ -56,7 +56,7 @@
  when:
    - postfix_install_packages | bool
    - postfix_enabled | bool
-  tags: postfix
+  tags: [ 'postfix', 'postfix_conf' ]

 - block:
    - name: Ensure that postfix is stopped and disabled
--- a/library/roles/postfix/templates/main.cf.j2
+++ b/library/roles/postfix/templates/main.cf.j2
@ -486,6 +486,8 @@ virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }}
 virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %}

 virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %}
+
+virtual_mailbox_limit = {{ postfix_message_size_limit }}
 {% endif %}

 # The luser_relay parameter specifies an optional destination address
@ -536,6 +538,7 @@ smtpd_delay_reject = yes
 smtpd_helo_required = yes

 mailbox_size_limit = {{ postfix_message_size_limit }}
+message_size_limit = {{ postfix_message_size_limit }}

 {% if postfix_use_milter %}
 #
@ -563,27 +566,37 @@ smtpd_milters =
 smtpd_client_restrictions =
   permit_mynetworks
   permit_inet_interfaces
+{% if postfix_submission_server %}
+   permit_sasl_authenticated
+{% endif %}
+   reject
+{% if postfix_submission_server %}
 smtpd_sasl_path = smtpd
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
 smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
 smtpd_sasl_authenticated_header = yes
 broken_sasl_auth_clients = yes
-smtpd_helo_required = yes
+# Block clients that speak too early.
+smtpd_data_restrictions = reject_unauth_pipelining
+{% endif %}
 {% if postfix_smtpd_reject_unknown_helo_hostname %}
 # Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups
 smtpd_helo_restrictions = reject_unknown_helo_hostname
 {% endif %}
-# Block clients that speak too early.
-smtpd_data_restrictions = reject_unauth_pipelining
-# Our internal servers talk to the submission port so they are treated as clients
-smtpd_client_restrictions = permit_inet_interfaces, permit_sasl_authenticated, reject
+{% if postfix_reject_unknown_sender_domain %}
 # Don't accept mail from domains that don't exist.
 smtpd_sender_restrictions = reject_unknown_sender_domain
+{% endif %}
+{% if postfix_submission_server %}
 # Relay control: local clients and
 # authenticated clients may specify any destination domain.
 smtpd_relay_restrictions = permit_sasl_authenticated, reject
 {% endif %}
+{% if postfix_behind_haproxy %}
+smtpd_upstream_proxy_protocol=haproxy
+{% endif %}
+{% endif %}

 # FAST ETRN SERVICE
 #
--- a/library/roles/postfix/templates/master.cf.j2
+++ b/library/roles/postfix/templates/master.cf.j2
@ -8,12 +8,14 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
+{% if postfix_smtpd_server %}
 smtp      inet  n       -       n       -       -       smtpd
+{% endif %}
 #smtp      inet  n       -       n       -       1       postscreen
 #smtpd     pass  -       -       n       -       -       smtpd
 #dnsblog   unix  -       -       n       -       0       dnsblog
 #tlsproxy  unix  -       -       n       -       0       tlsproxy
-{% if postfix_smtpd_server %}
+{% if postfix_submission_server %}
 submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}