Commit e1a2ad7e authored by Lars Beckers's avatar Lars Beckers

Merge branch 'master' into issue-21

parents 12923c95 65abfe75
parseable: true
quiet: true
use_default_rules: true
skip_list:
- '204' # line length is checked by yamllint
- '401' # git checkout must contain explicit version
- '701' # 7xx is about ansible galaxy guidelines
- '702'
- '703'
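Review bot: The comments beside the skipped rule ids describe what each rule checks, not why this project opts out, which matters most for `'401'` — pinning git checkouts to an explicit version is a supply-chain control, so the reason for waiving it should be recorded here. I would reword it as `- '401'  # unpinned git checkouts allowed because: <reason — TODO fill in>` and give `'702'`/`'703'` a comment of their own instead of relying on the `'701'` line above them. This may not be the top of the file, so a header comment could already exist outside the view.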
---
image: registry.git.fsmpi.rwth-aachen.de/infra/ci-containers/fsmpi-ansible:buster
variables:
GIT_SUBMODULE_STRATEGY: recursive
before_script:
- export LANG=en_US.UTF-8
- chmod o-w .
- apt-get -qq update && apt-get -qq install -y ansible-lint ripgrep
- ansible --version
- ansible-lint --version
- yamllint --version
stages:
- test
test:
stage: test
script:
- yamllint .
- ansible-lint ./*/
# yamllint disable-line rule:line-length
- "! rg --fixed-strings 'passwordstore' ./*/templates"
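Review bot: The `! rg --fixed-strings 'passwordstore' ./*/templates` guard passes on any non-zero exit, and ripgrep exits 2 rather than 1 when it fails (for example when `./*/templates` matches no directory), so a broken invocation is indistinguishable from "no secret reference found". Testing for the no-match status explicitly keeps the check honest: `- "if rg --fixed-strings 'passwordstore' ./*/templates; then exit 1; else test $? -eq 1; fi"`. The glob also only covers `templates/`; if `files/` or `vars/` can carry the same reference, the paths should be widened.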
......@@ -14,6 +14,10 @@ rules:
forbid-in-block-mappings: true
line-length:
level: warning
allow-non-breakable-inline-mappings: true
octal-values:
forbid-implicit-octal: true
level: warning
level: error
# quoted-strings: enable
truthy:
level: error
......@@ -30,4 +30,4 @@ dovecot_dsync_host_attribute: ansible_host
dovecot_content_filter: false
dovecot_spam_folder: Spam
dovecot_spam_user: "${1}" # debian-spamd
dovecot_spam_user: "${1}" # debian-spamd
......@@ -89,6 +89,7 @@
- meta: flush_handlers
# yamllint disable-line rule:line-length
- name: ensure the global spam filter and learning sieve script have correct permissions
file:
state: file
......
......@@ -81,4 +81,4 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
# SSL extra options. Currently supported options are:
# no_compression - Disable compression.
#ssl_options =
ssl_options = no_compression
......@@ -3,6 +3,6 @@
dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'
dovecot_tls_min_protocol: 'TLSv1.2'
dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
dovecot_tls_dh_length: 4096 # 2048
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_dh_length: 4096 # 2048
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_prefer_server_ciphers: false
......@@ -3,6 +3,6 @@
dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
dovecot_tls_min_protocol: 'TLSv1'
dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
dovecot_tls_dh_length: 2048 # 1024
dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
dovecot_tls_dh_length: 2048 # 1024
dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
dovecot_tls_prefer_server_ciphers: true
......@@ -4,5 +4,5 @@ dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
dovecot_tls_min_protocol: 'TLSv1.1'
dovecot_tls_ciphers: "{{ tls_ciphers }}"
dovecot_tls_dh_length: 4096
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_prefer_server_ciphers: true
......@@ -12,6 +12,8 @@ postfix_tls_key: /etc/ssl/private/privkey.pem
postfix_tls_configuration: 'previous'
postfix_prefer_lmtp: false
postfix_enable_postscreen: true
postfix_enable_memcached: false
postfix_login_suffix: ''
postfix_dnsbl_sites:
......@@ -26,3 +28,35 @@ postfix_network_access:
- cidr: 134.130.5.32/27 # rwth
action: permit
postfix_content_filter: false # or: spamassassin
postfix_message_size_limit: 10240000 # 10M
postfix_aliases_rt: []
# - queue: IT
# url: https://rt.example.com
# address: it
postfix_relay_host: ""
postfix_transport_maps: []
# - domain: foo.example.com
# server: mail.bar.example.com
# port: 2025
# protocol: smtp
# use_mx: true
# Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts: false
postfix_my_networks: []
postfix_notify_classes: []
postfix_satellite_only: false
## sane defaults for postfix satellites
#
# postfix_satellite_only: true
# postfix_enable_postscreen: false
# postfix_domains: []
# postfix_notify_classes:
# - 2bounce
# postfix_relay_host: relay.example.com
# postfix_tls_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
# postfix_tls_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
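Review bot: `postfix_my_networks: []` carries no hint that every entry is appended to `mynetworks` in main.cf.j2, where `permit_mynetworks` sits first in `smtpd_relay_restrictions` — each CIDR listed here is granted relaying without SASL authentication. A comment on the default would stop an operator treating it as a harmless allow-list, e.g. `postfix_my_networks: []  # appended to mynetworks: hosts listed here may relay without SASL auth`. `postfix_relay_host: ""` similarly deserves `# when set, all outbound mail is routed via this host (relayhost in main.cf.j2)`.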
---
path: "/var/spool/postfix/mta-sts/mta-sts.sock"
# yamllint disable-line rule:octal-values
mode: 0666
# host: 127.0.0.1
# port: 8461
reuse_port: true
cache_grace: 60
shutdown_timeout: 5
cache:
type: sqlite
options:
filename: "/var/lib/mta-sts/cache.db"
default_zone:
strict_testing: false
timeout: 4
# zones:
# myzone:
# strict_testing: false
# timeout: 4
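Review bot: `mode: 0666` is the only permission on the resolver socket, and the `# yamllint disable-line rule:octal-values` suppresses the lint warning without recording why a world-writable socket is acceptable; the tmpfiles entry on this page creates the socket directory as `0770 postfix _mta-sts`, which is what actually bounds access, and that dependency should be stated next to the mode. I would add `# socket is 0666 so the postfix smtp client can connect; access is bounded by the 0770 postfix:_mta-sts directory from mta-sts-tmpfiles.conf` above it. Note also that an unquoted `0666` is read as octal by a YAML 1.1 loader but as decimal 666 by a 1.2 loader, so the effective value depends on which parser the daemon uses — worth confirming against the resolver's documentation.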
[Service]
ReadWritePaths=/var/spool/postfix/mta-sts
d /var/spool/postfix/mta-sts 0770 postfix _mta-sts - -
---
- name: create tmpfiles
command: systemd-tmpfiles --create
- name: reload systemd service files
systemd: daemon_reload=true
- name: restart postfix
service: name=postfix state=restarted
- name: restart memcached
service: name=memcached state=restarted
- name: restart mta-sts resolver
service: name=postfix-mta-sts-resolver state=restarted
- name: postmap system
command: postalias cdb:/etc/aliases
- name: postmap virtual
command: postmap cdb:/etc/postfix/virtual
- name: postmap transport
command: postmap cdb:/etc/postfix/transport
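Review bot: The handlers use the free-form `key=value` argument style (`systemd: daemon_reload=true`, `service: name=postfix state=restarted`), while the tasks in this commit pass module arguments as block YAML (`apt:` / `name:` / `state:`); mixing the two styles in one role is what newer ansible-lint versions flag, and block form avoids the values being re-split as key=value pairs by Ansible. I would rewrite each handler as block YAML, e.g. `service:` / `  name: postfix` / `  state: restarted`, and give the `command:` handlers the same treatment via the `cmd:` parameter. This appears to be the complete handlers file, so the change is self-contained.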
......@@ -78,6 +78,17 @@
- postfix
- mail
- import_tasks: mta-sts.yml
- name: install rt-mailgate if needed
apt:
name: rt4-clients
state: present
when: postfix_aliases_rt|bool
tags:
- postfix
- mail
- name: ensure system alias database is present
template:
src: aliases.j2
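Review bot: `when: postfix_aliases_rt|bool` never becomes true for the documented list value, as far as I can tell: the Ansible `bool` filter recognises only boolean-like scalars (`true`, `yes`, `1`, …) and a non-empty list is not one of them, so `rt4-clients` is never installed even when queues are configured; the same construct guards `postfix_transport_maps|bool` in the next hunk of this file and `{% if postfix_transport_maps|bool %}` in main.cf.j2. Testing the list itself is the fix: `when: postfix_aliases_rt | length > 0`. Separately, the new `- import_tasks: mta-sts.yml` carries no `tags:` while every neighbouring task is tagged `postfix`/`mail`, so a run restricted with `--tags postfix` skips the whole MTA-STS setup; adding `tags: [postfix, mail]` to the import propagates them to the imported tasks. The alias-database task at the bottom continues outside the hunk.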
......@@ -107,3 +118,14 @@
tags:
- postfix
- mail
- name: ensure transport_maps are configured
template:
src: transport.j2
dest: /etc/postfix/transport
notify:
- postmap transport
when: postfix_transport_maps|bool
tags:
- postfix
- mail
---
- name: ensure we got the MTA-STS resolver software installed
apt:
state: "{{ 'present' if postfix_enable_mta_sts else 'absent' }}"
name: postfix-mta-sts-resolver
# yamllint disable-line rule:line-length
- name: ensure the MTA-STS resolver can put its socket somewhere reachable (tmpfiles)
copy:
src: mta-sts-tmpfiles.conf
dest: /etc/tmpfiles.d/mta-sts.conf
owner: root
group: root
mode: '0644'
when: postfix_enable_mta_sts
notify:
- create tmpfiles
- restart mta-sts resolver
# yamllint disable-line rule:line-length
- name: ensure the MTA-STS resolver can put its socket somewhere reachable (overrideable)
file:
state: directory
path: /etc/systemd/system/postfix-mta-sts-resolver.service.d/
owner: root
group: root
mode: '0755'
when: postfix_enable_mta_sts
notify:
- reload systemd service files
- restart mta-sts resolver
# yamllint disable-line rule:line-length
- name: ensure the MTA-STS resolver can put its socket somewhere reachable (service)
copy:
src: mta-sts-override.conf
dest: /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
owner: root
group: root
mode: '0644'
when: postfix_enable_mta_sts
notify:
- reload systemd service files
- restart mta-sts resolver
- name: ensure MTA-STS resolver overrides are deconfigured when disabled
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
- /etc/systemd/system/postfix-mta-sts-resolver.service.d/
- /etc/tmpfiles.d/mta-sts.conf
when: not postfix_enable_mta_sts
notify:
- reload systemd service files
- name: ensure the MTA-STS resolver is configured
copy:
src: mta-sts-daemon.yml
dest: /etc/mta-sts-daemon.yml
owner: root
group: root
mode: '0644'
when: postfix_enable_mta_sts
notify:
- restart mta-sts resolver
- name: ensure the MTA-STS resolver is up and running
service:
name: postfix-mta-sts-resolver
enabled: "{{ postfix_enable_mta_sts|string }}"
state: "{{ 'started' if postfix_enable_mta_sts else 'stopped' }}"
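Review bot: The task `ensure MTA-STS resolver overrides are deconfigured when disabled` removes `/etc/systemd/system/postfix-mta-sts-resolver.service.d/` as a whole, so any drop-in an operator placed there by hand disappears together with the role's `rw-paths.conf`; deleting only the two files the role created, `with_items:` / `  - /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf` / `  - /etc/tmpfiles.d/mta-sts.conf`, is the safer inverse of the three setup tasks above. Disabling also leaves `/var/spool/postfix/mta-sts` in place (the tmpfiles entry is removed but nothing cleans the directory it created) while the `apt` task removes the package, so a comment stating that the spool directory is intentionally kept would help the next reader. `enabled: "{{ postfix_enable_mta_sts|string }}"` hands the service module the strings `True`/`False`; the `|string` adds nothing and `enabled: "{{ postfix_enable_mta_sts }}"` reads more directly.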
{% for alias in system_aliases %}
{{ alias.src }}: {{ alias.dest }}
{% endfor %}
{% for alias in postfix_aliases_rt|default([]) %}
{{ alias.address|default(alias.queue|lower) }}: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action correspond --url {{ alias.url }}"
{{ alias.address|default(alias.queue|lower) }}-comment: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action comment --url {{ alias.url }}"
{% endfor %}
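Review bot: The RT alias lines interpolate `alias.queue` and `alias.url` verbatim into a double-quoted pipe command (`"|/usr/bin/rt-mailgate --queue {{ alias.queue }} … --url {{ alias.url }}"`), so a queue name or URL containing whitespace, `"` or shell metacharacters changes the command Postfix runs for that alias rather than being passed as one argument. The values come from inventory, but an `assert` in the tasks that each `postfix_aliases_rt` entry matches a conservative pattern (letters, digits, `-`, `_` for the queue; a plain `https://` URL) would make the contract explicit; at minimum a template comment `{# queue/url are interpolated unescaped into a pipe command — keep them free of whitespace and quotes #}` belongs above the loop. Each queue also yields two inbound aliases (`name` and `name-comment`), which is worth stating in the defaults example so operators know both addresses accept mail.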
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
inet_interfaces = all
inet_interfaces = {{ "loopback-only" if postfix_satellite_only else "all" }}
inet_protocols = all
myhostname = {{ ansible_fqdn }}
myorigin = /etc/mailname
mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }}
relayhost = {{ postfix_relay_host }}
{% if postfix_transport_maps|bool %}
transport_maps = cdb:/etc/postfix/transport
{% endif %}
{% if not postfix_satellite_only %}
{% if postfix_domains|count > 0 %}
{% if postfix_prefer_lmtp %}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
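Review bot: `relayhost = {{ postfix_relay_host }}` routes all outbound mail via the relay host, yet this template keeps `smtp_tls_security_level = may` (third hunk of this file), so the satellite-to-relay hop stays at opportunistic TLS and a peer that does not offer STARTTLS is accepted in cleartext without any error. When `postfix_relay_host` is set it is usual to pin that destination with an `smtp_tls_policy_maps` entry at `encrypt` or `secure`; as far as I can tell the MTA-STS socketmap added further down only helps for destinations that publish a policy, so it would not cover an internal relay. This is a hardening gap rather than an error in the hunk; the template continues outside it.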
......@@ -15,6 +21,13 @@ mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
{% endif %}
{% endif %}
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
{% endif %}
append_dot_mydomain = no
biff = no
compatibility_level = 2
......@@ -22,28 +35,30 @@ compatibility_level = 2
disable_vrfy_command = yes
#enable_long_queue_ids = yes
mailbox_size_limit = 0
#message_size_limit = 41943040
message_size_limit = {{ postfix_message_size_limit }}
readme_directory = no
recipient_delimiter = +
#strict_rfc821_envelopes = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_tls_cert }}
smtpd_tls_key_file = {{ postfix_tls_key }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
{% if postfix_enable_mta_sts %}
smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
{% endif %}
{% if not postfix_satellite_only %}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
{% if postfix_tls_mandatory_ciphers %}
......@@ -64,6 +79,8 @@ tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
{% if postfix_tls_dh_file %}
smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
{% endif %}
tls_ssl_options = NO_COMPRESSION
{% endif %}
alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
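Review bot: `tls_ssl_options = NO_COMPRESSION` is a global Postfix TLS option that applies to the smtp client as well as to smtpd, but the new `{% endif %}` directly after it appears to close the `{% if not postfix_satellite_only %}` block opened in the previous hunk, so satellites — which still speak TLS outbound via `relayhost` with `smtp_tls_security_level = may` — do not get it. Swapping the two lines, `{% endif %}` / `tls_ssl_options = NO_COMPRESSION`, applies the hardening in both modes. The enclosing conditional opens outside this hunk.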
......@@ -78,11 +95,15 @@ virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_gid_maps = static:5000
{% endif %}
{% set _x = postfix_notify_classes.extend(["resource", "software"]) %}
notify_classes = {{ postfix_notify_classes|unique|join(", ") }}
{% if postfix_enable_postscreen and not postfix_satellite_only %}
postscreen_access_list = permit_mynetworks
cidr:/etc/postfix/postscreen_access.cidr
{% if postfix_enable_memcached %}
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
{% else %}
postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
{% endif %}
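Review bot: `{% set _x = postfix_notify_classes.extend(["resource", "software"]) %}` mutates the variable in place and discards the `None` that `extend` returns, which is an unusual way to build a list in a template and may leave `postfix_notify_classes` changed for anything rendered afterwards. A pure expression does the same job on one line: `notify_classes = {{ (postfix_notify_classes + ["resource", "software"])|unique|join(", ") }}`. The memcached branch points `postscreen_cache_map` at `memcache:/etc/postfix/postscreen_cache`, and I cannot see a task on this page that manages that file — if it is created elsewhere in the role, a comment naming it would help.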
......@@ -97,7 +118,7 @@ postscreen_non_smtp_command_enable = yes
# postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
......@@ -105,3 +126,4 @@ postscreen_dnsbl_sites =
{% for site in postfix_dnsbl_sites %}
{{ site.name }}*{{ site.modifier|default(1) }}
{% endfor %}
{% endif %}
......@@ -9,15 +9,19 @@
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd
{% if postfix_enable_postscreen and not postfix_satellite_only %}
smtp inet n - y - 1 postscreen
{% else %}
smtp inet n - y - - smtpd
{% endif %}
{% if not postfix_satellite_only %}
smtpd pass - - y - - smtpd
{% if postfix_content_filter %}
-o content_filter={{ postfix_content_filter }}
{% endif %}
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
submission inet n - y - - smtpd
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
......@@ -48,6 +52,7 @@ submission inet n - y - - smtpd
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
{% endif %}
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
......@@ -73,6 +78,9 @@ virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
{% if ansible_distribution_major_version|int >= 10 %}
postlog unix-dgram n - n - 1 postlogd
{% endif %}
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
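Review bot: `{% if ansible_distribution_major_version|int >= 10 %}` keys the `postlog` entry on the major version alone; it is evidently meant as "Debian buster or newer", but on any other distribution the number means something else. Pairing it with the distribution, `{% if ansible_distribution == 'Debian' and ansible_distribution_major_version|int >= 10 %}`, makes the intent explicit, and a comment `{# postlogd needs Postfix 3.4+, which Debian 10 is the first release to ship — confirm #}` records why 10 is the threshold. The surrounding master.cf section continues outside the hunk.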
......@@ -86,6 +94,7 @@ scache unix - - y - 1 scache
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
{% if not postfix_satellite_only %}
dovecot unix - n n - - pipe
flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
......@@ -93,6 +102,7 @@ dovecot unix - n n - - pipe
spamassassin unix - n n - - pipe
user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
{% endif %}
{% endif %}
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
......