postfix: refactor role

postfix/defaults/main.yml

+---
+
+postfix_domains:
+  - "{{ domain }}"
+postfix_virtual_domains: []
+
+postfix_tls_cert: /etc/ssl/private/fullchain.pem
+postfix_tls_key: /etc/ssl/private/privkey.pem
+postfix_tls_ciphers: "{{ tls_ciphers }}"
+postfix_tls_protocols: "!SSLv2 !SSLv3"
+
+postfix_login_suffix: '@extmind.de'
+postfix_prefer_lmtp: no
+postfix_enable_memcached: no
+postfix_login_suffix: ''
+postfix_dnsbl_sites:
+  - name: zen.spamhaus.org
+  - name: bl.spamcop.net
+  - name: b.barracudacentral.org
+  - name: '#swl.spamhaus.org'
+    modifier: 2
+  - name: list.dnswl.org
+    modifier: -5
+postfix_network_access:
+  - cidr: 134.130.5.32/27 # rwth
+    action: permit
+postfix_content_filter: no # or: spamassassin

postfix/files/login_maps.pcre

-/^(.*)$/   ${1}

postfix/files/sender_login_map.hash

-test@wolfscloud.de test@wolfscloud.de

postfix/tasks/main.yml

 ---
 
 - name: ensure all required postfix packages are installed
-  apt: name={{ item }} state=present
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items: 
     - postfix
     - postfix-pcre
     - postfix-cdb
-    - memcached
   tags: 
     - postfix
     - mail
 
-- name: ensure not templated config is present
-  copy: src=files/{{ item }} dest=/etc/postfix/
-  with_items:
-    - login_maps.pcre
-    - sender_login_map.hash
-    - postscreen_whitelist
-  notify: 
-    - restart postfix
+- name: ensure additional packages are installed if required
+  apt:
+    name: memcached
+    state: present
+  when: postfix_enable_memcached
   tags:
     - postfix
     - mail
 
-- name: ensure templated config is present
-  template: src=templates/{{ item }}.j2 dest=/etc/postfix/{{ item }}
+- name: ensure config is present
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/{{ item }}"
   with_items:
+    - login_maps.pcre
     - master.cf
     - main.cf
-    - postscreen_cache
+    - postscreen_access.cidr
   notify: 
     - restart postfix
   tags:
@@ -36,7 +37,21 @@
     - mail
 
 - name: ensure memcached config is present
-  template: src=templates/memcached.conf.j2 dest=/etc/memcached.conf
+  template:
+    src: memcached.conf.j2
+    dest: /etc/memcached.conf
+  when: postfix_enable_memcached
+  notify:
+    - restart memcached
+  tags:
+    - postfix
+    - mail
+
+- name: ensure postscreen memcached integration is present
+  template:
+    src: postscreen_cache.j2
+    dest: /etc/postfix/postscreen_cache
+  when: postfix_enable_memcached
   notify:
     - restart memcached
   tags:
@@ -44,7 +59,9 @@
     - mail
     
 - name: ensure system alias database is present
-  template: src=templates/aliases.j2 dest=/etc/aliases
+  template:
+    src: aliases.j2
+    dest: /etc/aliases
   notify:
     - postmap system
   tags:
@@ -52,15 +69,21 @@
     - mail
 
 - name: ensure virtual alias database is present
-  template: src=templates/v_aliases.j2 dest=/etc/postfix/virtual
+  template:
+    src: virtual.j2
+    dest: /etc/postfix/virtual
   notify:
     - postmap virtual
   tags:
     - postfix
     - mail
 
-- meta: flush_handlers
-
-
-
-
+- name: ensure mailname is properly configured
+  template:
+    src: mailname.j2
+    dest: /etc/mailname
+  notify:
+    - restart postfix
+  tags:
+    - postfix
+    - mail

postfix/templates/aliases.j2

 {% for alias in system_aliases %}
-{{ alias.src }}:{{ alias.dest }}
+{{ alias.src }}: {{ alias.dest }}
 {% endfor %}
-

postfix/templates/login_maps.pcre.j2

+/^(.*){{ postfix_login_suffix }}$/   ${1}

postfix/templates/mailname.j2

+{{ domain }}

postfix/templates/main.cf.j2

 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
 
+inet_interfaces = all
+inet_protocols = all
+myhostname = {{ ansible_fqdn }}
+myorigin = /etc/mailname
+mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+relayhost =
+{% if postfix_domains|count > 0 %}
+{% if postfix_prefer_lmtp %}
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+{% else %}
+mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
+{% endif %}
+{% endif %}
 
-# Debian specific:  Specifying a file name will cause the first
-# line of that file to be used as the name.  The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
-
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job.
 append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
+biff = no
+compatibility_level = 2
 #delay_warning_time = 4h
-
+disable_vrfy_command = yes
+#enable_long_queue_ids = yes
+mailbox_size_limit = 0
+#message_size_limit = 41943040
 readme_directory = no
+recipient_delimiter = +
+#strict_rfc821_envelopes = no
 
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
-
-# TLS parameters
-smtpd_use_tls = yes
-smtpd_tls_cert_file=/var/lib/acme/live/wolfscloud.de/fullchain
-smtpd_tls_key_file=/var/lib/acme/live/wolfscloud.de/privkey
-smtpd_tls_auth_only=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-
-#ciphers supported downto android 2.3
-smtpd_tls_mandatory_protocols = !TLSv1 !SSLv2, !SSLv3
-smtpd_tls_protocols = !TLSv1 !SSLv2 !SSLv3
-smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist = {{ tls_ciphers }}
-smtpd_tls_eecdh_grade=ultra
-
-
-
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
+smtpd_banner = $myhostname ESMTP $mail_name
+smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
@@ -47,82 +36,56 @@ smtpd_relay_restrictions =
 	permit_mynetworks
 	permit_sasl_authenticated
 	defer_unauth_destination
-myhostname = {{ ansible_fqdn }}
+
+smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_cert_file = {{ postfix_tls_cert }}
+smtpd_tls_key_file = {{ postfix_tls_key }}
+smtpd_tls_eecdh_grade = ultra
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
+smtpd_tls_protocols = {{ postfix_tls_protocols }}
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+tls_high_cipherlist = {{ postfix_tls_ciphers }}
+
 alias_maps = cdb:/etc/aliases
 alias_database = cdb:/etc/aliases
-myorigin = /etc/mailname
-mydestination = $myhostname, localhost
-relayhost = 
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
+virtual_alias_maps = cdb:/etc/postfix/virtual
 
-virtual_mailbox_domains = {{ virtual_domains | join(", ") }}
+{% if postfix_virtual_domains|count > 0 %}
+virtual_mailbox_domains = {{ postfix_virtual_domains | join(", ") }}
 virtual_mailbox_base = /var/vmail/
 virtual_mailbox_limit = 512000000
 virtual_minimum_uid = 5000
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_gid_maps = static:5000
-virtual_alias_maps = cdb:/etc/postfix/virtual
-smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
+{% endif %}
 
-################################################################################
-## POSTSCREEN - ERSTE STUFE DER SPAM/UCE/VIREN-ABWEHRMECHANISMEN
-#
-# Django : 2014-10-29 - PERMANENT WHITE/BLACKLIST TEST
-# default: postscreen_access_list = permit_mynetworks
 postscreen_access_list = permit_mynetworks
-                         cidr:/etc/postfix/postscreen_whitelist
-#
-# default: postscreen_blacklist_action = ignore
+                         cidr:/etc/postfix/postscreen_access.cidr
+{% if postfix_enable_memcached %}
+postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
+proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache 
+{% else %}
+postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
+{% endif %}
+
 postscreen_blacklist_action = drop
- 
- 
-# Django : 2014-10-29 - MAIL EXCHANGER POLICY TESTS
-# default: postscreen_whitelist_interfaces = static:all
- 
-# Django : 2014-10-29 - PRE 220 GREETING TESTS
-#
-# default: postscreen_greet_banner = $smtpd_banner
-#
-# default: postscreen_greet_action = ignore
 postscreen_greet_action = enforce
- 
-# default: postscreen_dnsbl_threshold = 1
-postscreen_dnsbl_threshold = 2
-#
-# default: postscreen_dnsbl_sites =
-postscreen_dnsbl_sites = zen.spamhaus.org*1
-                         bl.spamcop.net*1
-                         b.barracudacentral.org*1
-                         #swl.spamhaus.org*2
-			 list.dnswl.org*-5
-#                        
-# default: postscreen_dnsbl_action = ignore
-postscreen_dnsbl_action = enforce
- 
- 
-# Django : 2014-10-29 - POST 220 GREETING TESTS
-#
-# default: postscreen_dnsbl_whitelist_threshold = 0
-postscreen_dnsbl_whitelist_threshold = -1
-#
-# default: postscreen_pipelining_enable = no
+# postscreen_whitelist_interfaces = static:all
+# postscreen_greet_banner = $smtpd_banner
 postscreen_pipelining_enable = yes
-#
-# default: postscreen_pipelining_action = enforce
-#
-# default: postscreen_non_smtp_command_enable = no
+# postscreen_pipelining_action = enforce
 postscreen_non_smtp_command_enable = yes
-# default: postscreen_non_smtp_command_action = drop
-#
-# default: postscreen_bare_newline_enable = no
+# postscreen_non_smtp_command_action = drop
 postscreen_bare_newline_enable = yes
-#
-# default: postscreen_bare_newline_action = ignore
 postscreen_bare_newline_action = drop
-#
-postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
-proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache 
+ 
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_threshold = 2
+postscreen_dnsbl_whitelist_threshold = -1
+postscreen_dnsbl_sites =
+{% for site in postfix_dnsbl_sites %}
+	{{ site.name }}*{{ site.modifier|default(1) }}
+{% endfor %}

postfix/templates/master.cf.j2

-dovecot   unix  -       n       n       -       -       pipe
-  flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
-#
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master" or
 # on-line: http://www.postfix.org/master.5.html).
 #
 # Do not forget to execute "postfix reload" after editing this file.
-#
+
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
-#smtp      inet  n       -       y       -       -       smtpd
+
+#smtp     inet  n       -       y       -       -       smtpd
 smtp      inet  n       -       y       -       1       postscreen
 smtpd     pass  -       -       y       -       -       smtpd
-{% if content_filter is defined %}
-  -o content_filter={{ content_filter }}
+{% if postfix_content_filter %}
+  -o content_filter={{ postfix_content_filter }}
 {% endif %}
 dnsblog   unix  -       -       y       -       0       dnsblog
 tlsproxy  unix  -       -       y       -       0       tlsproxy
 submission inet n       -       y       -       -       smtpd 
-#  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_sasl_local_domain=$myhostname
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_sender_restrictions=reject_sender_login_mismatch
   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
-{% if content_filter is defined %}
-  -o content_filter={{ content_filter }}
-{% endif %}
   -o syslog_name=postfix/submission
-#  -o syslog_name=postfix/submission
+{% if postfix_content_filter %}
+  -o content_filter={{ postfix_content_filter }}
+{% endif %}
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_reject_unlisted_recipient=no
@@ -51,7 +47,7 @@ submission inet n       -       y       -       -       smtpd
 #  -o smtpd_recipient_restrictions=
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
-#628       inet  n       -       y       -       -       qmqpd
+#628	  inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
@@ -77,7 +73,7 @@ virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
-#
+
 # ====================================================================
 # Interfaces to non-Postfix software. Be sure to examine the manual
 # pages of the non-Postfix software to find out what options it wants.
@@ -86,57 +82,28 @@ scache    unix  -       -       y       -       1       scache
 # agent.  See the pipe(8) man page for information about ${recipient}
 # and other message envelope options.
 # ====================================================================
-#
+
 # maildrop. See the Postfix MAILDROP_README file for details.
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
-#
-maildrop  unix  -       n       n       -       -       pipe
-  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
-#
-# ====================================================================
-#
-# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
-#
-# Specify in cyrus.conf:
-#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
-#
-# Specify in main.cf one or more of the following:
-#  mailbox_transport = lmtp:inet:localhost
-#  virtual_transport = lmtp:inet:localhost
-#
-# ====================================================================
-#
-# Cyrus 2.1.5 (Amos Gouaux)
-# Also specify in main.cf: cyrus_destination_recipient_limit=1
-#
-#cyrus     unix  -       n       n       -       -       pipe
-#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
-#
-# ====================================================================
-# Old example of delivery via Cyrus.
-#
-#old-cyrus unix  -       n       n       -       -       pipe
-#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
-#
-# ====================================================================
-#
-# See the Postfix UUCP_README file for configuration details.
-#
-uucp      unix  -       n       n       -       -       pipe
-  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
-#
-# Other external delivery methods.
-#
-ifmail    unix  -       n       n       -       -       pipe
-  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-bsmtp     unix  -       n       n       -       -       pipe
-  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
-scalemail-backend unix	-	n	n	-	2	pipe
-  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
-mailman   unix  -       n       n       -       -       pipe
-  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
-  ${nexthop} ${user}
-{% if content_filter is defined %}
-{{ content_filter }} {{ content_filter_arguments }}
-{{ content_filter_command }}
+
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
+
+{% if postfix_content_filter == 'spamassassin' %}
+spamassassin	unix -     n       n       -       -       pipe
+  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
 {% endif %}
+
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+#scalemail-backend unix	-	n	n	-	2	pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}

postfix/files/postscreen_whitelist → postfix/templates/postscreen_access.cidr.j2

-# Django : 2014-10-29
 # access-Tabelle: Wer wird von postscreen ausgenommen und wer nicht?
-# Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer 
-# IP-Adressen. In der rechten Tabellenspalte können die AKtionen 
+# Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer
+# IP-Adressen. In der rechten Tabellenspalte können die Aktionen
 # "permit", "reject" und "dunno" gesetzt werden.
 # Nach dem Ändern und/oder Erweitern der Tabelle, muß ein
-# laufender Postfix über die Änderungen mit einem reload informiert 
-# werden: 
+# laufender Postfix über die Änderungen mit einem reload informiert
+# werden:
 #             $ systemctl reload postfix.service
 #
-# Es muss hier keine Datenbank mit postmap erzeugt werden, da 
+# Es muss hier keine Datenbank mit postmap erzeugt werden, da
 # Postfix die ASCII-Konfigurationsdatei direkt auswertet!
 #
 
-# roughly the RWTH network for the e-mail servers 
-134.130.5.32/27               permit                                                                                                                                                                                                                                   
+{% for net in postfix_network_access %}
+{{ net.cidr }}	{{ net.action|default('dunno') }}
+{% endfor %}

postfix/templates/postscreen_cache.j2

-# Django : 2014-11-07 postscreen-cache Konfigurationsdatei
-# #
-#
-
 {% for partner in groups['mail'] %}
 {% if partner != ansible_hostname %}
-memcache = inet:{{hostvars[partner]["tinc_vpnip"]}}:11211
+memcache = inet:{{ hostvars[partner]['tinc_vpnip'] }}:11211
 {% endif %}
 {% endfor %}
 

postfix/templates/v_aliases.j2 → postfix/templates/virtual.j2

@@ -5,6 +5,11 @@ abuse@{{ domain }} {{ adminaddr }}
 {% endfor %}
 
 {% for alias in virtual_aliases %}
+{% if alias.src is string %}
 {{ alias.src }} {{ alias.dest }}
+{% else %}
+{% for src in alias.src %}
+{{ src }}@{{ alias.domain }} {{ alias.dest }}
+{% endfor %}
+{% endif %}
 {% endfor %}
-