Merge branch 'master' into issue-21

.ansible-lint

+parseable: true
+quiet: true
+use_default_rules: true
+skip_list:
+  - '204'  # line length is checked by yamllint
+  - '401'  # git checkout must contain explicit version
+  - '701'  # 7xx is about ansible galaxy guidelines
+  - '702'
+  - '703'

.gitlab-ci.yml

+---
+
+image: registry.git.fsmpi.rwth-aachen.de/infra/ci-containers/fsmpi-ansible:buster
+
+variables:
+  GIT_SUBMODULE_STRATEGY: recursive
+
+before_script:
+  - export LANG=en_US.UTF-8
+  - chmod o-w .
+  - apt-get -qq update && apt-get -qq install -y ansible-lint ripgrep
+  - ansible --version
+  - ansible-lint --version
+  - yamllint --version
+
+stages:
+  - test
+
+test:
+  stage: test
+  script:
+    - yamllint .
+    - ansible-lint ./*/
+    # yamllint disable-line rule:line-length
+    - "! rg --fixed-strings 'passwordstore' ./*/templates"

.yamllint

@@ -14,6 +14,10 @@ rules:
     forbid-in-block-mappings: true
   line-length:
     level: warning
+    allow-non-breakable-inline-mappings: true
   octal-values:
     forbid-implicit-octal: true
-    level: warning
+    level: error
+  # quoted-strings: enable
+  truthy:
+    level: error

dovecot/defaults/main.yml

@@ -30,4 +30,4 @@ dovecot_dsync_host_attribute: ansible_host
 
 dovecot_content_filter: false
 dovecot_spam_folder: Spam
-dovecot_spam_user: "${1}" # debian-spamd
+dovecot_spam_user: "${1}"  # debian-spamd

dovecot/tasks/main.yml

@@ -89,6 +89,7 @@
 
 - meta: flush_handlers
 
+# yamllint disable-line rule:line-length
 - name: ensure the global spam filter and learning sieve script have correct permissions
   file:
     state: file

dovecot/templates/conf.d/10-ssl.conf.j2

@@ -81,4 +81,4 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
 
 # SSL extra options. Currently supported options are:
 #   no_compression - Disable compression.
-#ssl_options =
+ssl_options = no_compression

dovecot/vars/tls-intermediate.yml

@@ -3,6 +3,6 @@
 dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'
 dovecot_tls_min_protocol: 'TLSv1.2'
 dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
-dovecot_tls_dh_length: 4096 # 2048
-dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
+dovecot_tls_dh_length: 4096  # 2048
+dovecot_tls_dh_file: ffdhe4096.txt  # ffdhe2048.txt
 dovecot_tls_prefer_server_ciphers: false

dovecot/vars/tls-old.yml

@@ -3,6 +3,6 @@
 dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
 dovecot_tls_min_protocol: 'TLSv1'
 dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
-dovecot_tls_dh_length: 2048 # 1024
-dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
+dovecot_tls_dh_length: 2048  # 1024
+dovecot_tls_dh_file: ffdhe2048.txt  # openssl dhparam 1024 > ffdhe1024.txt
 dovecot_tls_prefer_server_ciphers: true

dovecot/vars/tls-previous.yml

@@ -4,5 +4,5 @@ dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
 dovecot_tls_min_protocol: 'TLSv1.1'
 dovecot_tls_ciphers: "{{ tls_ciphers }}"
 dovecot_tls_dh_length: 4096
-dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
+dovecot_tls_dh_file: ffdhe4096.txt  # ffdhe2048.txt
 dovecot_tls_prefer_server_ciphers: true

postfix/defaults/main.yml

@@ -12,6 +12,8 @@ postfix_tls_key: /etc/ssl/private/privkey.pem
 postfix_tls_configuration: 'previous'
 
 postfix_prefer_lmtp: false
+
+postfix_enable_postscreen: true
 postfix_enable_memcached: false
 postfix_login_suffix: ''
 postfix_dnsbl_sites:
@@ -26,3 +28,35 @@ postfix_network_access:
   - cidr: 134.130.5.32/27  # rwth
     action: permit
 postfix_content_filter: false  # or: spamassassin
+postfix_message_size_limit: 10240000  # 10M
+
+postfix_aliases_rt: []
+#  - queue: IT
+#    url: https://rt.example.com
+#    address: it
+
+postfix_relay_host: ""
+postfix_transport_maps: []
+#  - domain: foo.example.com
+#    server: mail.bar.example.com
+#    port: 2025
+#    protocol: smtp
+#    use_mx: true
+
+# Note: This requires at least buster-backports or newer.
+postfix_enable_mta_sts: false
+
+postfix_my_networks: []
+postfix_notify_classes: []
+postfix_satellite_only: false
+
+## sane defaults for postfix satellites
+#
+# postfix_satellite_only: true
+# postfix_enable_postscreen: false
+# postfix_domains: []
+# postfix_notify_classes:
+#   - 2bounce
+# postfix_relay_host: relay.example.com
+# postfix_tls_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+# postfix_tls_key: "/etc/ssl/private/ssl-cert-snakeoil.key"

postfix/files/mta-sts-daemon.yml

+---
+path: "/var/spool/postfix/mta-sts/mta-sts.sock"
+# yamllint disable-line rule:octal-values
+mode: 0666
+# host: 127.0.0.1
+# port: 8461
+reuse_port: true
+cache_grace: 60
+shutdown_timeout: 5
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"
+default_zone:
+  strict_testing: false
+  timeout: 4
+# zones:
+#   myzone:
+#     strict_testing: false
+#     timeout: 4

postfix/files/mta-sts-override.conf

+[Service]
+ReadWritePaths=/var/spool/postfix/mta-sts

postfix/files/mta-sts-tmpfiles.conf

+d /var/spool/postfix/mta-sts 0770 postfix _mta-sts - -

postfix/handlers/main.yml

 ---
 
+- name: create tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd service files
+  systemd: daemon_reload=true
+
 - name: restart postfix
   service: name=postfix state=restarted
 
 - name: restart memcached
   service: name=memcached state=restarted
 
+- name: restart mta-sts resolver
+  service: name=postfix-mta-sts-resolver state=restarted
+
 - name: postmap system
   command: postalias cdb:/etc/aliases
 
 - name: postmap virtual
   command: postmap cdb:/etc/postfix/virtual
+
+- name: postmap transport
+  command: postmap cdb:/etc/postfix/transport

postfix/tasks/main.yml

@@ -78,6 +78,17 @@
     - postfix
     - mail
 
+- import_tasks: mta-sts.yml
+
+- name: install rt-mailgate if needed
+  apt:
+    name: rt4-clients
+    state: present
+  when: postfix_aliases_rt|bool
+  tags:
+    - postfix
+    - mail
+
 - name: ensure system alias database is present
   template:
     src: aliases.j2
@@ -107,3 +118,14 @@
   tags:
     - postfix
     - mail
+
+- name: ensure transport_maps are configured
+  template:
+    src: transport.j2
+    dest: /etc/postfix/transport
+  notify:
+    - postmap transport
+  when: postfix_transport_maps|bool
+  tags:
+    - postfix
+    - mail

postfix/tasks/mta-sts.yml

+---
+
+- name: ensure we got the MTA-STS resolver software installed
+  apt:
+    state: "{{ 'present' if postfix_enable_mta_sts else 'absent' }}"
+    name: postfix-mta-sts-resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (tmpfiles)
+  copy:
+    src: mta-sts-tmpfiles.conf
+    dest: /etc/tmpfiles.d/mta-sts.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - create tmpfiles
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (overrideable)
+  file:
+    state: directory
+    path: /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    owner: root
+    group: root
+    mode: '0755'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (service)
+  copy:
+    src: mta-sts-override.conf
+    dest: /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+- name: ensure MTA-STS resolver overrides are deconfigured when disabled
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    - /etc/tmpfiles.d/mta-sts.conf
+  when: not postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+
+- name: ensure the MTA-STS resolver is configured
+  copy:
+    src: mta-sts-daemon.yml
+    dest: /etc/mta-sts-daemon.yml
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - restart mta-sts resolver
+
+- name: ensure the MTA-STS resolver is up and running
+  service:
+    name: postfix-mta-sts-resolver
+    enabled: "{{ postfix_enable_mta_sts|string }}"
+    state: "{{ 'started' if postfix_enable_mta_sts else 'stopped' }}"

postfix/templates/aliases.j2

 {% for alias in system_aliases %}
 {{ alias.src }}: {{ alias.dest }}
 {% endfor %}
+{% for alias in postfix_aliases_rt|default([]) %}
+{{ alias.address|default(alias.queue|lower) }}: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action correspond --url {{ alias.url }}"
+{{ alias.address|default(alias.queue|lower) }}-comment: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action comment --url {{ alias.url }}"
+{% endfor %}

postfix/templates/main.cf.j2

 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
 
-inet_interfaces = all
+inet_interfaces = {{ "loopback-only" if postfix_satellite_only else "all" }}
 inet_protocols = all
 myhostname = {{ ansible_fqdn }}
 myorigin = /etc/mailname
 mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }}
+relayhost = {{ postfix_relay_host }}
+{% if postfix_transport_maps|bool %}
+transport_maps = cdb:/etc/postfix/transport
+{% endif %}
+
+{% if not postfix_satellite_only %}
+
 {% if postfix_domains|count > 0 %}
 {% if postfix_prefer_lmtp %}
 mailbox_transport = lmtp:unix:private/dovecot-lmtp
@@ -15,6 +21,13 @@ mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
 {% endif %}
 {% endif %}
 
+smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+
+{% endif %}
+
 append_dot_mydomain = no
 biff = no
 compatibility_level = 2
@@ -22,28 +35,30 @@ compatibility_level = 2
 disable_vrfy_command = yes
 #enable_long_queue_ids = yes
 mailbox_size_limit = 0
-#message_size_limit = 41943040
+message_size_limit = {{ postfix_message_size_limit }}
 readme_directory = no
 recipient_delimiter = +
 #strict_rfc821_envelopes = no
 
 smtpd_banner = $myhostname ESMTP $mail_name
-smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-smtpd_sasl_auth_enable = yes
-smtpd_relay_restrictions = 
+smtpd_relay_restrictions =
 	permit_mynetworks
 	permit_sasl_authenticated
 	defer_unauth_destination
 
 smtpd_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = {{ postfix_tls_cert }}
 smtpd_tls_key_file = {{ postfix_tls_key }}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+{% if postfix_enable_mta_sts %}
+smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
+{% endif %}
+{% if not postfix_satellite_only %}
 smtpd_tls_protocols = {{ postfix_tls_protocols }}
 smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
 {% if postfix_tls_mandatory_ciphers %}
@@ -64,6 +79,8 @@ tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
 {% if postfix_tls_dh_file %}
 smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
 {% endif %}
+tls_ssl_options = NO_COMPRESSION
+{% endif %}
 
 alias_maps = cdb:/etc/aliases
 alias_database = cdb:/etc/aliases
@@ -78,11 +95,15 @@ virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_gid_maps = static:5000
 {% endif %}
 
+{% set _x = postfix_notify_classes.extend(["resource", "software"]) %}
+notify_classes = {{ postfix_notify_classes|unique|join(", ") }}
+
+{% if postfix_enable_postscreen and not postfix_satellite_only %}
 postscreen_access_list = permit_mynetworks
                          cidr:/etc/postfix/postscreen_access.cidr
 {% if postfix_enable_memcached %}
 postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
-proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache 
+proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
 {% else %}
 postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
 {% endif %}
@@ -97,7 +118,7 @@ postscreen_non_smtp_command_enable = yes
 # postscreen_non_smtp_command_action = drop
 postscreen_bare_newline_enable = yes
 postscreen_bare_newline_action = drop
- 
+
 postscreen_dnsbl_action = enforce
 postscreen_dnsbl_threshold = 2
 postscreen_dnsbl_whitelist_threshold = -1
@@ -105,3 +126,4 @@ postscreen_dnsbl_sites =
 {% for site in postfix_dnsbl_sites %}
 	{{ site.name }}*{{ site.modifier|default(1) }}
 {% endfor %}
+{% endif %}

postfix/templates/master.cf.j2

@@ -9,15 +9,19 @@
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
 
-#smtp     inet  n       -       y       -       -       smtpd
+{% if postfix_enable_postscreen and not postfix_satellite_only %}
 smtp      inet  n       -       y       -       1       postscreen
+{% else %}
+smtp     inet  n       -       y       -       -       smtpd
+{% endif %}
+{% if not postfix_satellite_only %}
 smtpd     pass  -       -       y       -       -       smtpd
 {% if postfix_content_filter %}
   -o content_filter={{ postfix_content_filter }}
 {% endif %}
 dnsblog   unix  -       -       y       -       0       dnsblog
 tlsproxy  unix  -       -       y       -       0       tlsproxy
-submission inet n       -       y       -       -       smtpd 
+submission inet n       -       y       -       -       smtpd
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_sasl_local_domain=$myhostname
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
@@ -48,6 +52,7 @@ submission inet n       -       y       -       -       smtpd
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #628	  inet  n       -       y       -       -       qmqpd
+{% endif %}
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
@@ -73,6 +78,9 @@ virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
+{% if ansible_distribution_major_version|int >= 10 %}
+postlog   unix-dgram n  -       n       -       1       postlogd
+{% endif %}
 
 # ====================================================================
 # Interfaces to non-Postfix software. Be sure to examine the manual
@@ -86,6 +94,7 @@ scache    unix  -       -       y       -       1       scache
 # maildrop. See the Postfix MAILDROP_README file for details.
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 
+{% if not postfix_satellite_only %}
 dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
 
@@ -93,6 +102,7 @@ dovecot   unix  -       n       n       -       -       pipe
 spamassassin	unix -     n       n       -       -       pipe
   user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
 {% endif %}
+{% endif %}
 
 #maildrop  unix  -       n       n       -       -       pipe
 #  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}