From 7de9fe08df920f2858e679efa158401fdda69d6b Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Sun, 25 Apr 2021 23:37:44 +0200 Subject: [PATCH 01/17] postfix: cleanup smtpd configuration options --- postfix/templates/master.cf.j2 | 36 +++++++++++++--------------------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/postfix/templates/master.cf.j2 b/postfix/templates/master.cf.j2 index 7d27464..a59b7b5 100644 --- a/postfix/templates/master.cf.j2 +++ b/postfix/templates/master.cf.j2 
@@ -9,48 +9,40 @@ # (yes) (yes) (no) (never) (100) # ========================================================================== -{% if postfix_enable_postscreen and not postfix_satellite_only %} -smtp inet n - y - 1 postscreen -{% else %} +{% if postfix_satellite_only %} smtp inet n - y - - smtpd {% endif %} {% if not postfix_satellite_only %} +{% if postfix_enable_postscreen %} +smtp inet n - y - 1 postscreen smtpd pass - - y - - smtpd {% if postfix_content_filter %} -o content_filter={{ postfix_content_filter }} {% endif %} dnsblog unix - - y - 0 dnsblog tlsproxy unix - - y - 0 tlsproxy +{% else %} +smtp inet n - y - - smtpd +{% endif %} {% if postfix_enable_submission %} submission inet n - y - - smtpd - -o smtpd_sasl_security_options=noanonymous - -o smtpd_sasl_local_domain=$myhostname - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o smtpd_sender_restrictions=reject_sender_login_mismatch - -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject -o syslog_name=postfix/submission + -o milter_macro_daemon_name=ORIGINATING + -o smtpd_tls_security_level=encrypt + -o smtpd_client_restrictions=permit_sasl_authenticated,reject {% if postfix_content_filter %} -o content_filter={{ postfix_content_filter }} {% endif %} -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no -# -o smtpd_client_restrictions=$mua_client_restrictions -# -o smtpd_helo_restrictions=$mua_helo_restrictions -# -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING {% endif %} {% if postfix_enable_smtps %} smtps inet n - y - - smtpd -o syslog_name=postfix/smtps - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes - -o smtpd_reject_unlisted_recipient=no - -o smtpd_recipient_restrictions= - -o 
smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING + -o smtpd_tls_wrappermode=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject +{% if postfix_content_filter %} + -o content_filter={{ postfix_content_filter }} +{% endif %} {% endif %} #628 inet n - y - - qmqpd {% endif %} -- GitLab From 6050b72ca340e5fe6c3f229dea19f72a15c39289 Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Sun, 25 Apr 2021 23:41:50 +0200 Subject: [PATCH 02/17] postfix: add fsmpi-specific daemon setup --- postfix/templates/master.cf.j2 | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/postfix/templates/master.cf.j2 b/postfix/templates/master.cf.j2 index a59b7b5..b4bd1bf 100644 --- a/postfix/templates/master.cf.j2 +++ b/postfix/templates/master.cf.j2 @@ -45,6 +45,18 @@ smtps inet n - y - - smtpd {% endif %} {% endif %} #628 inet n - y - - qmqpd +{% if postfix_fsmpi|default(false) and ansible_hostname == "mail" %} +2525 inet n - y - - smtpd + -o syslog_name=postfix/smtps-internal + -o milter_macro_daemon_name=ORIGINATING + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=no + -o smtpd_sender_login_maps= + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_recipient_restrictions=$2525_smtpd_recipient_restrictions + -o virtual_alias_domains=fsmpi.rwth-aachen.de + -o virtual_alias_maps=cdb:/etc/postfix/nullmailer_alias +{% endif %} {% endif %} pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup @@ -61,7 +73,11 @@ proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +{% if postfix_fsmpi|default(false) and ansible_hostname == "mail" %} + -o smtp_fallback_relay= +{% else %} +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +{% endif %} showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error 
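Review bot: The submission service drops its `-o smtpd_sender_restrictions=reject_sender_login_mismatch` override in this hunk and the smtps service never had one, so envelope-sender enforcement on the authenticated ports now depends entirely on what main.cf sets; the main.cf hunks visible later in this series show no `smtpd_sender_restrictions` line until patch 08, and even there it is only emitted in the dovecot branch. Until that lands, an authenticated user can presumably submit with any envelope sender through either port. Either keep the override on both services, ` -o smtpd_sender_restrictions=reject_sender_login_mismatch`, or add a comment in master.cf.j2 stating that the setting is inherited from main.cf. The smtps `smtpd_relay_restrictions` override is removed as well and falls back to the Postfix default; a comment making that reliance explicit would help the next reader.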
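Review bot: The new 2525 listener sets `-o smtpd_recipient_restrictions=$2525_smtpd_recipient_restrictions`, but nothing in this commit defines that main.cf parameter (it only appears in patch 09 of this series, under the same gate); applied on its own, Postfix presumably logs an undefined-parameter warning and expands it to an empty restriction list, leaving only `smtpd_client_restrictions=permit_mynetworks,reject` and the default relay restrictions protecting a network-facing port. Either move the main.cf definition into this commit or note the dependency next to the `{% if postfix_fsmpi ... %}` line. The gate `ansible_hostname == "mail"` and the literal `virtual_alias_domains=fsmpi.rwth-aachen.de` hard-code host and domain names into a reusable role; a role variable (e.g. a per-host flag and a domain variable) would keep the site-specific values in inventory.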
@@ -94,13 +110,17 @@ policy-spf unix - n n - 0 spawn {% if not postfix_satellite_only and postfix_enable_dovecot %} dovecot unix - n n - - pipe +{% if postfix_fsmpi|default(false) %} + flags=DRhu argv=/usr/lib/dovecot/deliver -d ${recipient} +{% else %} flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop} +{% endif %} +{% endif %} {% if postfix_content_filter == 'spamassassin' %} spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient} {% endif %} -{% endif %} #maildrop unix - n n - - pipe # flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} @@ -115,3 +135,8 @@ spamassassin unix - n n - - pipe #mailman unix - n n - - pipe # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user} +{% if postfix_fsmpi|default(false) and ansible_hostname == "lists" %} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} +{% endif %} -- GitLab From 1232de77278d78f96ae603581b67a56cf146e1cc Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Sun, 25 Apr 2021 23:43:30 +0200 Subject: [PATCH 03/17] postfix: remove unneeded examples from config --- postfix/templates/master.cf.j2 | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/postfix/templates/master.cf.j2 b/postfix/templates/master.cf.j2 index b4bd1bf..87d6bb4 100644 --- a/postfix/templates/master.cf.j2 +++ b/postfix/templates/master.cf.j2 @@ -100,9 +100,6 @@ postlog unix-dgram n - n - 1 postlogd # and other message envelope options. # ==================================================================== -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 - {% if postfix_verify_spf %} policy-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/policyd-spf 
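Review bot: The fsmpi branch of the dovecot transport, `flags=DRhu argv=/usr/lib/dovecot/deliver -d ${recipient}`, carries no `user=` attribute, which pipe(8) documents as required; as far as I can tell this is not caught by `postfix check` but fails when the first message is routed to the transport, so delivery on those hosts would be deferred or bounced. Add the account the LDA should run as, e.g. `flags=DRhu user=<lda-user> argv=/usr/lib/dovecot/deliver -d ${recipient}`, mirroring the `user=5001:5000` in the other branch. The moved `{% endif %}` also means the spamassassin transport is now defined even when `postfix_enable_dovecot` is false; that looks intentional since the content filter does not depend on dovecot, but a short comment above the spamassassin block would confirm it.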
@@ -122,19 +119,6 @@ spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient} {% endif %} -#maildrop unix - n n - - pipe -# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} -#uucp unix - n n - - pipe -# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -#ifmail unix - n n - - pipe -# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -#bsmtp unix - n n - - pipe -# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient -#scalemail-backend unix - n n - 2 pipe -# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} -#mailman unix - n n - - pipe -# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py -# ${nexthop} ${user} {% if postfix_fsmpi|default(false) and ansible_hostname == "lists" %} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py -- GitLab From cbd89e003f00a6e03d05a146338c456f26bdce6e Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Sun, 25 Apr 2021 23:47:04 +0200 Subject: [PATCH 04/17] postfix: ease configuration of multiple similar aliases --- postfix/defaults/main.yml | 1 + postfix/templates/aliases.j2 | 13 ++++++++++--- postfix/templates/virtual.j2 | 2 +- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 3c1adc3..1f89644 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -34,6 +34,7 @@ postfix_network_access: postfix_content_filter: false # or: spamassassin postfix_message_size_limit: 10240000 # 10M +postfix_aliases_rt_url: '' postfix_aliases_rt: [] # - queue: IT # url: https://rt.example.com diff --git a/postfix/templates/aliases.j2 b/postfix/templates/aliases.j2 index 1604e7c..b52c679 100644 --- a/postfix/templates/aliases.j2 +++ b/postfix/templates/aliases.j2 
@@ -1,7 +1,14 @@ {% for alias in system_aliases %} -{{ alias.src }}: {{ alias.dest }} +{% if alias.src is string %} +{{ alias.src }}: {{ alias.dest if alias.dest is string else alias.dest|join(', ') }} +{% else %} +{% for src in alias.src %} +{{ src }}: {{ alias.dest if alias.dest is string else alias.dest|join(', ') }} {% endfor %} +{% endif %} +{% endfor %} + {% for alias in postfix_aliases_rt|default([]) %} -{{ alias.address|default(alias.queue|lower) }}: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action correspond --url {{ alias.url }}" -{{ alias.address|default(alias.queue|lower) }}-comment: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action comment --url {{ alias.url }}" +{{ alias.address|default(alias.queue|lower) }}: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action correspond --url {{ alias.url|default(postfix_aliases_rt_url) }}" +{{ alias.address|default(alias.queue|lower) }}-comment: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action comment --url {{ alias.url|default(postfix_aliases_rt_url) }}" {% endfor %} diff --git a/postfix/templates/virtual.j2 b/postfix/templates/virtual.j2 index ac13c8d..5f6230e 100644 --- a/postfix/templates/virtual.j2 +++ b/postfix/templates/virtual.j2 @@ -6,7 +6,7 @@ abuse@{{ domain }} {{ adminaddr }} {% for alias in virtual_aliases %} {% if alias.src is string %} -{{ alias.src }} {{ alias.dest }} +{{ alias.src }} {{ alias.dest if alias.dest is string else alias.dest|join(', ') }} {% else %} {% for src in alias.src %} {{ src }}@{{ alias.domain }} {{ alias.dest if alias.dest is string else alias.dest|join(', ') }} -- GitLab From 1643279372d6ddf42d25eb69687f46c00095ff2f Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Sun, 25 Apr 2021 23:48:37 +0200 Subject: [PATCH 05/17] postfix: add missing conditions on templated configs --- postfix/tasks/main.yml | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) 
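Review bot: `alias.url|default(postfix_aliases_rt_url)` only substitutes when `url` is undefined, and the new role default for `postfix_aliases_rt_url` is `''`, so an alias without `url` on a host that leaves the global empty renders `--url ` with nothing behind it; that alias then fails at delivery time instead of at deploy time. A guard task would catch it early, e.g. an `assert` over `postfix_aliases_rt` with `that: item.url is defined or postfix_aliases_rt_url != ''`. Since `alias.queue`, `alias.address` and the url are interpolated into a double-quoted command in /etc/aliases, the same assert could reject values containing quotes or whitespace so a typo in inventory cannot silently change the command line.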
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 9af4803..481ad35 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -32,10 +32,35 @@ src: "{{ item }}.j2" dest: "/etc/postfix/{{ item }}" with_items: - - login_maps.pcre - master.cf - main.cf - - postscreen_access.cidr + notify: + - restart postfix + tags: + - postfix + - mail + +- name: ensure login maps list is present + template: + src: "login_maps.pcre.j2" + dest: "/etc/postfix/login_maps.pcre" + when: + - not postfix_satellite_only + - postfix_enable_dovecot + - not postfix_fsmpi|default(false) + notify: + - restart postfix + tags: + - postfix + - mail + +- name: ensure postscreen access list is present + template: + src: "postscreen_access.cidr.j2" + dest: "/etc/postfix/postscreen_access.cidr" + when: + - not postfix_satellite_only + - postfix_enable_postscreen notify: - restart postfix tags: -- GitLab From 6dbc92200e6381d607b99e2b24f073ac31b5ce3f Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Sun, 25 Apr 2021 23:54:23 +0200 Subject: [PATCH 06/17] postfix: allow to override mailname --- postfix/defaults/main.yml | 1 + postfix/templates/mailname.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 1f89644..b07efb5 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -3,6 +3,7 @@ postfix_domains: - "{{ domain }}" postfix_virtual_domains: [] +postfix_mailname: "{{ domain }}" postfix_tls_cert: /etc/ssl/private/fullchain.pem postfix_tls_key: /etc/ssl/private/privkey.pem diff --git a/postfix/templates/mailname.j2 b/postfix/templates/mailname.j2 index 81008ba..422f887 100644 --- a/postfix/templates/mailname.j2 +++ b/postfix/templates/mailname.j2 @@ -1 +1 @@ -{{ domain }} +{{ postfix_mailname }} -- GitLab From 1fb7cd00b40f720c6d2dde55328401c623b593d3 Mon Sep 17 00:00:00 2001 
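Review bot: The new `when` on the login-maps task stops rendering `/etc/postfix/login_maps.pcre` on fsmpi hosts, but main.cf.j2 at this commit still emits `smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre` whenever dovecot is enabled (the line is visible on the removed side of patch 08), so a fresh fsmpi host with dovecot references a map that never exists; a missing pcre table typically makes the lookup fail and smtpd answers with a temporary lookup failure. Patch 08 later turns the map list into `postfix_sender_login_maps` but keeps the same default, so fsmpi inventories must override it; a comment next to the `not postfix_fsmpi|default(false)` condition should say so. None of these tasks remove a previously rendered file when its condition turns false, so `login_maps.pcre` and `postscreen_access.cidr` linger on hosts that used to match; a `file: state=absent` counterpart under the negated condition would make the conditions authoritative.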
From: Lars Beckers Date: Mon, 26 Apr 2021 00:10:22 +0200 Subject: [PATCH 07/17] postfix: don't differentiate between undefined and empty alias lists --- postfix/tasks/main.yml | 2 +- postfix/templates/aliases.j2 | 2 +- postfix/templates/main.cf.j2 | 2 +- postfix/templates/virtual.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 481ad35..53527ce 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -130,7 +130,7 @@ template: src: virtual.j2 dest: /etc/postfix/virtual - when: virtual_aliases is defined or postfix_virtual_domains|count > 0 + when: virtual_aliases|default([])|count > 0 or postfix_virtual_domains|count > 0 notify: - postmap virtual tags: diff --git a/postfix/templates/aliases.j2 b/postfix/templates/aliases.j2 index b52c679..ea3de67 100644 --- a/postfix/templates/aliases.j2 +++ b/postfix/templates/aliases.j2 @@ -1,4 +1,4 @@ -{% for alias in system_aliases %} +{% for alias in system_aliases|default([]) %} {% if alias.src is string %} {{ alias.src }}: {{ alias.dest if alias.dest is string else alias.dest|join(', ') }} {% else %} diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2 index 988b60a..e07ad80 100644 --- a/postfix/templates/main.cf.j2 +++ b/postfix/templates/main.cf.j2 @@ -98,7 +98,7 @@ tls_ssl_options = NO_COMPRESSION alias_maps = cdb:/etc/aliases alias_database = cdb:/etc/aliases -{% if virtual_aliases is defined or postfix_virtual_domains|count > 0 %} +{% if virtual_aliases|default([])|count > 0 or postfix_virtual_domains|count > 0 %} virtual_alias_maps = cdb:/etc/postfix/virtual {% endif %} diff --git a/postfix/templates/virtual.j2 b/postfix/templates/virtual.j2 index 5f6230e..99d4e92 100644 --- a/postfix/templates/virtual.j2 +++ b/postfix/templates/virtual.j2 
@@ -4,7 +4,7 @@ hostmaster@{{ domain }} {{ adminaddr }} abuse@{{ domain }} {{ adminaddr }} {% endfor %} -{% for alias in virtual_aliases %} +{% for alias in virtual_aliases|default([]) %} {% if alias.src is string %} {{ alias.src }} {{ alias.dest if alias.dest is string else alias.dest|join(', ') }} {% else %} -- GitLab From 1e505a7e95a489614cabdc9f830637ebdf236bd9 Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Mon, 26 Apr 2021 00:13:28 +0200 Subject: [PATCH 08/17] postfix: add several options to increase flexibility --- postfix/defaults/main.yml | 18 ++++++++++++++++ postfix/templates/main.cf.j2 | 42 ++++++++++++++++++++---------------- 2 files changed, 41 insertions(+), 19 deletions(-) diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index b07efb5..90d9f63 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -17,6 +17,24 @@ postfix_enable_dovecot: true postfix_enable_submission: true postfix_enable_smtps: false +postfix_sasl_auth_header: false +postfix_enable_long_queue_ids: false +postfix_tls_received_header: false + +# These variables were introduced for compatibility to a certain setup. +# They may disappear without prior notice and/or may not work as expected. +postfix_smtpd_recipient_limit: 1000 +postfix_minimal_backoff_time: 300s +postfix_maximal_backoff_time: 4000s +postfix_mailbox_command: '/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"' +postfix_relay_domains: [] +postfix_alias_maps: + - cdb:/etc/aliases +postfix_virtual_alias_maps: + - cdb:/etc/postfix/virtual +postfix_sender_login_maps: + - proxy:pcre:/etc/postfix/login_maps.pcre + postfix_enable_postscreen: true postfix_enable_memcached: false postfix_login_suffix: '' diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2 index e07ad80..34c2d46 100644 --- a/postfix/templates/main.cf.j2 +++ b/postfix/templates/main.cf.j2 
@@ -6,6 +6,8 @@ myhostname = {{ ansible_fqdn }} myorigin = /etc/mailname mydestination = $myhostname localhost {{ postfix_domains | join(" ") }} mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }} + +relay_domains = {{ postfix_relay_domains|join(" ") }} relayhost = {{ postfix_relay_host }} {% if postfix_transport_maps|count > 0 %} transport_maps = cdb:/etc/postfix/transport 
@@ -16,37 +18,38 @@ local_recipient_maps = {% endif %} {% if not postfix_satellite_only and postfix_enable_dovecot %} -{% if postfix_domains|count > 0 %} -{% if postfix_prefer_lmtp %} +{% if postfix_domains|count > 0 and postfix_prefer_lmtp %} mailbox_transport = lmtp:unix:private/dovecot-lmtp -{% else %} -mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" -{% endif %} +{% elif postfix_domains|count > 0 and not postfix_prefer_lmtp %} +mailbox_command = {{ postfix_mailbox_command }} {% endif %} -smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre +smtpd_sender_login_maps = {{ postfix_sender_login_maps|join(" ") }} +smtpd_sender_restrictions = reject_sender_login_mismatch + smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes +smtpd_sasl_security_options = noanonymous +smtpd_sasl_authenticated_header = {{ 'yes' if postfix_sasl_auth_header else 'no' }} +smtpd_sasl_local_domain = $myhostname {% endif %} -append_dot_mydomain = no biff = no -compatibility_level = 2 -#delay_warning_time = 4h +append_dot_mydomain = no +readme_directory = no disable_vrfy_command = yes -#enable_long_queue_ids = yes -mailbox_size_limit = 0 +compatibility_level = 2 + +enable_long_queue_ids = {{ 'yes' if postfix_enable_long_queue_ids else 'no' }} +minimal_backoff_time = {{ postfix_minimal_backoff_time }} +maximal_backoff_time = {{ postfix_maximal_backoff_time }} message_size_limit = {{ postfix_message_size_limit }} -readme_directory = no +mailbox_size_limit = 0 recipient_delimiter = + -#strict_rfc821_envelopes = no smtpd_banner = $myhostname ESMTP $mail_name -smtpd_relay_restrictions = - permit_mynetworks - permit_sasl_authenticated - defer_unauth_destination +smtpd_recipient_limit = {{ postfix_smtpd_recipient_limit }} {% if postfix_verify_spf %} smtpd_recipient_restrictions= permit_mynetworks 
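Review bot: This hunk deletes the explicit `smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination` and replaces it with nothing, so anti-relay protection now rests on Postfix's compiled-in default. On current Postfix the default is the same three-entry list, so behaviour should be unchanged, but this is the one setting that keeps the host from becoming an open relay, and the `smtpd_recipient_restrictions` block that follows (continuing outside the hunk) is the kind of place where later edits interact with it. Keep it explicit, `smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination`, with a one-line comment that the list must end in a reject/defer. The new `relay_domains = {{ postfix_relay_domains|join(" ") }}` in the hunk on the previous line renders empty for the default list, which is fine, but defaults/main.yml should state that mail for every domain listed there is accepted from unauthenticated clients.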
@@ -65,6 +68,7 @@ smtp_tls_security_level = may smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_security_level = may smtpd_tls_auth_only = yes +smtpd_tls_received_header = {{ 'yes' if postfix_tls_received_header else 'no' }} smtpd_tls_cert_file = {{ postfix_tls_cert }} smtpd_tls_key_file = {{ postfix_tls_key }} smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache @@ -96,10 +100,10 @@ smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem tls_ssl_options = NO_COMPRESSION {% endif %} -alias_maps = cdb:/etc/aliases +alias_maps = {{ postfix_alias_maps|join(" ") }} alias_database = cdb:/etc/aliases {% if virtual_aliases|default([])|count > 0 or postfix_virtual_domains|count > 0 %} -virtual_alias_maps = cdb:/etc/postfix/virtual +virtual_alias_maps = {{ postfix_virtual_alias_maps|join(" ") }} {% endif %} {% if postfix_virtual_domains|count > 0 and postfix_enable_dovecot %} -- GitLab From 92cef3dd298fb496e62f143776bd9893745ebfeb Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Mon, 26 Apr 2021 00:14:20 +0200 Subject: [PATCH 09/17] postfix: add some hardcoded, but gated fsmpi-specific options --- postfix/templates/main.cf.j2 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2 index 34c2d46..6acc3c9 100644 --- a/postfix/templates/main.cf.j2 +++ b/postfix/templates/main.cf.j2 @@ -11,6 +11,8 @@ relay_domains = {{ postfix_relay_domains|join(" ") }} relayhost = {{ postfix_relay_host }} {% if postfix_transport_maps|count > 0 %} transport_maps = cdb:/etc/postfix/transport +{% elif postfix_fsmpi|default(false) and ansible_hostname == "mail" %} +transport_maps = pgsql:/etc/postfix/pgsql-transport.cf {% endif %} {% if postfix_luser_relay != "" %} luser_relay = {{ postfix_luser_relay }} 
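Review bot: `transport_maps = pgsql:/etc/postfix/pgsql-transport.cf` points at a file that has to contain database credentials, and nothing in this series creates it or sets its permissions; the same applies to `nullmailer_class.pcre`, `known_mailaddresses` and `nullmailer_recipient_filters.pcre` referenced in the next hunk. If that file is world-readable the DB password is exposed to every local account, so it should be owned root:postfix with mode 0640, and since the lookup is done by unprivileged daemons the `proxy:pgsql:/etc/postfix/pgsql-transport.cf` form is, as far as I recall, the documented way to let only proxymap open the table. At minimum add a comment above the `{% elif postfix_fsmpi ... %}` branch naming the externally managed files and their expected ownership so the dependency is visible.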
@@ -118,6 +120,18 @@ virtual_gid_maps = static:5000 {% set _x = postfix_notify_classes.extend(["resource", "software"]) %} notify_classes = {{ postfix_notify_classes|unique|join(", ") }} +{% if postfix_fsmpi|default(false) and ansible_hostname == "lists" %} +mailman_destination_recipient_limit = 1 +{% elif postfix_fsmpi|default(false) and ansible_hostname == "mail" %} +local_header_rewrite_clients = permit_mynetworks +2525_smtpd_recipient_restrictions = check_sender_access + pcre:/etc/postfix/nullmailer_class.pcre +smtpd_restriction_classes = nullmailer +nullmailer = + check_recipient_access cdb:/etc/postfix/known_mailaddresses + check_recipient_access pcre:/etc/postfix/nullmailer_recipient_filters.pcre +{% endif %} + {% if postfix_enable_postscreen and not postfix_satellite_only %} postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr -- GitLab From 6bb7d9db1dc91aaa5270642dba16679b127dc27c Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Mon, 26 Apr 2021 00:15:28 +0200 Subject: [PATCH 10/17] dovecot: add additional config file templates --- dovecot/defaults/main.yml | 2 + dovecot/tasks/main.yml | 5 +- dovecot/templates/conf.d/10-director.conf.j2 | 57 ++++++++++++ dovecot/templates/conf.d/15-mailboxes.conf.j2 | 90 +++++++++++++++++++ .../templates/conf.d/auth-system.conf.ext.j2 | 74 +++++++++++++++ 5 files changed, 227 insertions(+), 1 deletion(-) create mode 100644 dovecot/templates/conf.d/10-director.conf.j2 create mode 100644 dovecot/templates/conf.d/15-mailboxes.conf.j2 create mode 100644 dovecot/templates/conf.d/auth-system.conf.ext.j2 diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 31ce02c..9d03d8a 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml 
@@ -31,3 +31,5 @@ dovecot_dsync_host_attribute: ansible_host dovecot_content_filter: false dovecot_spam_folder: Spam dovecot_spam_user: "${1}" # debian-spamd +dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve' +dovecot_special_mailbox_auto_subscribe: false diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index f629400..c9af587 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -28,15 +28,18 @@ - dovecot.conf - deny-users - conf.d/10-auth.conf + - conf.d/10-director.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-lda.conf - - conf.d/20-managesieve.conf + - conf.d/15-mailboxes.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf + - conf.d/20-managesieve.conf - conf.d/90-sieve.conf - conf.d/auth-passwdfile.conf.ext + - conf.d/auth-system.conf.ext notify: - restart dovecot tags: diff --git a/dovecot/templates/conf.d/10-director.conf.j2 b/dovecot/templates/conf.d/10-director.conf.j2 new file mode 100644 index 0000000..1429e2c --- /dev/null +++ b/dovecot/templates/conf.d/10-director.conf.j2 
@@ -0,0 +1,57 @@ +## +## Director-specific settings. +## + +# Director can be used by Dovecot proxy to keep a temporary user -> mail server +# mapping. As long as user has simultaneous connections, the user is always +# redirected to the same server. Each proxy server is running its own director +# process, and the directors are communicating the state to each others. +# Directors are mainly useful with NFS-like setups. + +# List of IPs or hostnames to all director servers, including ourself. +# Ports can be specified as ip:port. The default port is the same as +# what director service's inet_listener is using. +#director_servers = + +# List of IPs or hostnames to all backend mail servers. Ranges are allowed +# too, like 10.0.0.10-10.0.0.30. +#director_mail_servers = + +# How long to redirect users to a specific server after it no longer has +# any connections. +#director_user_expire = 15 min + +# How the username is translated before being hashed. Useful values include +# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared +# within domain. +#director_username_hash = %Lu + +# To enable director service, uncomment the modes and assign a port. +service director { + unix_listener login/director { + #mode = 0666 + } + fifo_listener login/proxy-notify { + #mode = 0666 + } + unix_listener director-userdb { + #mode = 0600 + } + inet_listener { + #port = + } +} + +# Enable director for the wanted login services by telling them to +# connect to director socket instead of the default login socket: +service imap-login { + #executable = imap-login director +} +#service submission-login { +# #executable = submission-login director +#} + +# Enable director for LMTP proxying: +protocol lmtp { + #auth_socket_path = director-userdb +} diff --git a/dovecot/templates/conf.d/15-mailboxes.conf.j2 b/dovecot/templates/conf.d/15-mailboxes.conf.j2 new file mode 100644 index 0000000..0833558 --- /dev/null +++ b/dovecot/templates/conf.d/15-mailboxes.conf.j2 
@@ -0,0 +1,90 @@ +## +## Mailbox definitions +## + +# Each mailbox is specified in a separate mailbox section. The section name +# specifies the mailbox name. If it has spaces, you can put the name +# "in quotes". These sections can contain the following mailbox settings: +# +# auto: +# Indicates whether the mailbox with this name is automatically created +# implicitly when it is first accessed. The user can also be automatically +# subscribed to the mailbox after creation. The following values are +# defined for this setting: +# +# no - Never created automatically. +# create - Automatically created, but no automatic subscription. +# subscribe - Automatically created and subscribed. +# +# special_use: +# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the +# mailbox. There are no validity checks, so you could specify anything +# you want in here, but it's not a good idea to use flags other than the +# standard ones specified in the RFC: +# +# \All - This (virtual) mailbox presents all messages in the +# user's message store. +# \Archive - This mailbox is used to archive messages. +# \Drafts - This mailbox is used to hold draft messages. +# \Flagged - This (virtual) mailbox presents all messages in the +# user's message store marked with the IMAP \Flagged flag. +# \Junk - This mailbox is where messages deemed to be junk mail +# are held. +# \Sent - This mailbox is used to hold copies of messages that +# have been sent. +# \Trash - This mailbox is used to hold messages that have been +# deleted. +# +# comment: +# Defines a default comment or note associated with the mailbox. This +# value is accessible through the IMAP METADATA mailbox entries +# "/shared/comment" and "/private/comment". Users with sufficient +# privileges can override the default value for entries with a custom +# value. + +# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. 
+namespace inbox { + # These mailboxes are widely used and could perhaps be created automatically: + mailbox Drafts { + special_use = \Drafts +{% if dovecot_special_mailbox_auto_subscribe %} + auto = subscribe +{% endif %} + } + mailbox {{ dovecot_spam_folder }} { + special_use = \Junk +{% if dovecot_special_mailbox_auto_subscribe %} + auto = subscribe +{% endif %} + } + mailbox Trash { + special_use = \Trash +{% if dovecot_special_mailbox_auto_subscribe %} + auto = subscribe +{% endif %} + } + + # For \Sent mailboxes there are two widely used names. We'll mark both of + # them as \Sent. User typically deletes one of them if duplicates are created. + mailbox Sent { + special_use = \Sent +{% if dovecot_special_mailbox_auto_subscribe %} + auto = subscribe +{% endif %} + } + mailbox "Sent Messages" { + special_use = \Sent + } + + # If you have a virtual "All messages" mailbox: + #mailbox virtual/All { + # special_use = \All + # comment = All my messages + #} + + # If you have a virtual "Flagged" mailbox: + #mailbox virtual/Flagged { + # special_use = \Flagged + # comment = All my flagged messages + #} +} diff --git a/dovecot/templates/conf.d/auth-system.conf.ext.j2 b/dovecot/templates/conf.d/auth-system.conf.ext.j2 new file mode 100644 index 0000000..dadb9f7 --- /dev/null +++ b/dovecot/templates/conf.d/auth-system.conf.ext.j2 
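Review bot: `mailbox {{ dovecot_spam_folder }} {` renders the folder name unquoted, while the stock `mailbox "Sent Messages" {` a few lines below shows that names containing spaces must be quoted; a `dovecot_spam_folder` such as `Junk E-mail` would therefore produce a config parse error. Render it as `mailbox "{{ dovecot_spam_folder }}" {`, which is also valid for the default `Spam`. The `auto = subscribe` toggle is applied to Drafts, the spam folder, Trash and Sent but not to "Sent Messages"; that asymmetry is probably intended (only one \Sent box should be auto-created) and deserves a one-line comment.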
@@ -0,0 +1,74 @@ +# Authentication for system users. Included from 10-auth.conf. +# +# +# + +# PAM authentication. Preferred nowadays by most systems. +# PAM is typically used with either userdb passwd or userdb static. +# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM +# authentication to actually work. +passdb { + driver = pam + # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=] + # [cache_key=] [] + #args = dovecot +} + +# System users (NSS, /etc/passwd, or similar). +# In many systems nowadays this uses Name Service Switch, which is +# configured in /etc/nsswitch.conf. +#passdb { + #driver = passwd + # [blocking=no] + #args = +#} + +# Shadow passwords for system users (NSS, /etc/shadow or similar). +# Deprecated by PAM nowadays. +# +#passdb { + #driver = shadow + # [blocking=no] + #args = +#} + +# PAM-like authentication for OpenBSD. +# +#passdb { + #driver = bsdauth + # [blocking=no] [cache_key=] + #args = +#} + +## +## User databases +## + +# System users (NSS, /etc/passwd, or similar). In many systems nowadays this +# uses Name Service Switch, which is configured in /etc/nsswitch.conf. +userdb { + # + driver = passwd + # [blocking=no] + #args = + + # Override fields from passwd + #override_fields = home=/home/virtual/%u +} + +# Static settings generated from template +#userdb { + #driver = static + # Can return anything a userdb could normally return. For example: + # + # args = uid=500 gid=500 home=/var/mail/%u + # + # LDA and LMTP needs to look up users only from the userdb. This of course + # doesn't work with static userdb because there is no list of users. + # Normally static userdb handles this by doing a passdb lookup. This works + # with most passdbs, with PAM being the most notable exception. If you do + # the user verification another way, you can add allow_all_users=yes to + # the args in which case the passdb lookup is skipped. + # + #args = +#} -- GitLab 
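Review bot: This template installs an active `passdb { driver = pam }` and `userdb { driver = passwd }`, but whether they take effect depends on 10-auth.conf including `auth-system.conf.ext`, which is outside this diff. If it is included, every local account that PAM accepts becomes a valid IMAP/LMTP login, including service accounts that happen to have passwords, and the stock comment's requirement for an `/etc/pam.d/dovecot` file is not satisfied by anything visible in this role. Add a header comment stating which hosts are expected to include this file and how the PAM service file is provided (distro package or a task in this role).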
From 497c0e8f2b26f8ea818cba6d7b58983ca60dbc41 Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Mon, 26 Apr 2021 00:16:29 +0200 Subject: [PATCH 11/17] dovecot: allow to override sieve script locations --- dovecot/templates/conf.d/90-sieve.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot/templates/conf.d/90-sieve.conf.j2 b/dovecot/templates/conf.d/90-sieve.conf.j2 index e5adf68..deba2ba 100644 --- a/dovecot/templates/conf.d/90-sieve.conf.j2 +++ b/dovecot/templates/conf.d/90-sieve.conf.j2 @@ -36,7 +36,7 @@ plugin { # active script symlink is located. # For other types: use the ';name=' parameter to specify the name of the # default/active script. - sieve = file:~/sieve;active=~/.dovecot.sieve + sieve = {{ dovecot_sieve }} # The default Sieve script when the user has none. This is the location of a # global sieve script file, which gets executed ONLY if user's personal Sieve -- GitLab From f57bcbe5c40f0ce0bae678d741de185d664778cd Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Mon, 26 Apr 2021 00:21:46 +0200 Subject: [PATCH 12/17] dovecot: allow configuration of authentication mechanisms --- dovecot/defaults/main.yml | 8 ++++++++ dovecot/templates/conf.d/10-auth.conf.j2 | 8 ++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 9d03d8a..dcf1bde 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -32,4 +32,12 @@ dovecot_content_filter: false dovecot_spam_folder: Spam dovecot_spam_user: "${1}" # debian-spamd dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve' + +# These variables were introduced for compatibility to a certain setup. +# They may disappear without prior notice and/or may not work as expected. +dovecot_auth_realms: [] +dovecot_auth_default_realm: '' +dovecot_auth_krb5_keytab: '' +dovecot_auth_mechanisms: + - plain dovecot_special_mailbox_auto_subscribe: false 
diff --git a/dovecot/templates/conf.d/10-auth.conf.j2 b/dovecot/templates/conf.d/10-auth.conf.j2 index 5daa65e..7c8a79a 100644 --- a/dovecot/templates/conf.d/10-auth.conf.j2 +++ b/dovecot/templates/conf.d/10-auth.conf.j2 @@ -26,11 +26,11 @@ disable_plaintext_auth = yes # them. You can leave it empty if you don't want to support multiple realms. # Many clients simply use the first one listed here, so keep the default realm # first. -#auth_realms = +auth_realms = {{ dovecot_auth_realms|join(" ") }} # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. -#auth_default_realm = +auth_default_realm = {{ dovecot_auth_default_realm }} # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just @@ -77,7 +77,7 @@ auth_username_format = %Ln # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. -#auth_krb5_keytab = +auth_krb5_keytab = {{ dovecot_auth_krb5_keytab }} # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. @@ -101,7 +101,7 @@ auth_username_format = %Ln # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. -auth_mechanisms = plain +auth_mechanisms = {{ dovecot_auth_mechanisms|join(" ") }} ## ## Password and user databases -- GitLab From c2093e46c3170cacaaad3da4b4b84085946e2b22 Mon Sep 17 00:00:00 2001 From: Lars Beckers Date: Mon, 26 Apr 2021 00:23:01 +0200 Subject: [PATCH 13/17] dovecot: add custom mail namespaces for shared folders --- dovecot/defaults/main.yml | 1 + dovecot/templates/conf.d/10-mail.conf.j2 | 8 ++++++++ 2 files changed, 9 insertions(+) 
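Review bot: `auth_mechanisms = {{ dovecot_auth_mechanisms|join(" ") }}` renders the list without validation; mechanisms such as `cram-md5` or `digest-md5` only work when the passdb stores passwords in a scheme compatible with them, and `anonymous` would admit logins without credentials, so defaults/main.yml should say which values the role's passdb setup actually supports. `auth_realms = `, `auth_default_realm = ` and `auth_krb5_keytab = ` are now always emitted, with empty values under the role defaults; I believe Dovecot treats an empty string like the unset default here, but wrapping each in `{% if dovecot_auth_... %}` would reproduce the original commented-out state exactly and avoid relying on that.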
diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index dcf1bde..f656071 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -40,4 +40,5 @@ dovecot_auth_default_realm: ''
 dovecot_auth_krb5_keytab: ''
 dovecot_auth_mechanisms:
 - plain
+dovecot_mail_namespaces: []
 dovecot_special_mailbox_auto_subscribe: false
diff --git a/dovecot/templates/conf.d/10-mail.conf.j2 b/dovecot/templates/conf.d/10-mail.conf.j2
index 52df2b7..f74f8b7 100644
--- a/dovecot/templates/conf.d/10-mail.conf.j2
+++ b/dovecot/templates/conf.d/10-mail.conf.j2
@@ -79,6 +79,14 @@ namespace inbox {
 # See 15-mailboxes.conf for definitions of special mailboxes.
 }
+{% for namespace in dovecot_mail_namespaces %}
+namespace {
+ {% for key, value in namespace.items() %}
+ {{ key }} = {{ value }}
+ {% endfor %}
+}
+{% endfor %}
+
 # Example shared namespace configuration
 #namespace {
 #type = shared
--
GitLab
From 1488eeab9085214c9b430f64f27a5ed91f2132c3 Mon Sep 17 00:00:00 2001
From: Lars Beckers
Date: Mon, 26 Apr 2021 00:23:50 +0200
Subject: [PATCH 14/17] dovecot: add lda autocreate/autosubscribe options
---
 dovecot/defaults/main.yml | 2 ++
 dovecot/templates/conf.d/15-lda.conf.j2 | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index f656071..b253b5b 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -35,6 +35,8 @@ dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
 # These variables were introduced for compatibility to a certain setup.
 # They may disappear without prior notice and/or may not work as expected.
+dovecot_lda_mailbox_autocreate: false
+dovecot_lda_mailbox_autosubscribe: false
 dovecot_auth_realms: []
 dovecot_auth_default_realm: ''
 dovecot_auth_krb5_keytab: ''
diff --git a/dovecot/templates/conf.d/15-lda.conf.j2 b/dovecot/templates/conf.d/15-lda.conf.j2
index 47e83de..cdce6e3 100644
--- a/dovecot/templates/conf.d/15-lda.conf.j2
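Review bot: The `{% for key, value in namespace.items() %}` loop in the 10-mail.conf.j2 hunk writes every key and value verbatim into a `namespace { ... }` block with no statement of what an entry must contain, so nothing tells the operator which keys are expected or that a typo (`prefx`) will only surface as a Dovecot config error at reload. A template comment just above the outer loop would fix that: `{# dovecot_mail_namespaces: list of dicts of raw Dovecot namespace settings (e.g. type, prefix, location, list, subscriptions); keys and values are emitted unchanged and not validated #}`, and the same sentence belongs next to `dovecot_mail_namespaces: []` in defaults. The commit title speaks of shared folders, yet nothing in the hunk enables the ACL/shared-mailbox plumbing a `type = shared` namespace usually relies on — if that is handled elsewhere in the role, a pointer to it in the comment would be enough.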
+++ b/dovecot/templates/conf.d/15-lda.conf.j2
@@ -37,10 +37,10 @@
 #lda_original_recipient_header =
 # Should saving a mail to a nonexistent mailbox automatically create it?
-#lda_mailbox_autocreate = no
+lda_mailbox_autocreate = {{ 'yes' if dovecot_lda_mailbox_autocreate else 'no' }}
 # Should automatically created mailboxes be also automatically subscribed?
-#lda_mailbox_autosubscribe = no
+lda_mailbox_autosubscribe = {{ 'yes' if dovecot_lda_mailbox_autosubscribe else 'no' }}
 protocol lda {
 # Space separated list of plugins to load (default is global mail_plugins).
--
GitLab
From 6b97c4231ddca63dc85a1ff1d289cb125bae858a Mon Sep 17 00:00:00 2001
From: Lars Beckers
Date: Mon, 26 Apr 2021 00:24:59 +0200
Subject: [PATCH 15/17] dovecot: add options to finetune imap resource usage
---
 dovecot/defaults/main.yml | 4 ++++
 dovecot/templates/conf.d/10-master.conf.j2 | 12 ++++++++++--
 dovecot/templates/conf.d/20-imap.conf.j2 | 8 +++-----
 3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index b253b5b..24ac6b0 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -35,6 +35,10 @@ dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
 # These variables were introduced for compatibility to a certain setup.
 # They may disappear without prior notice and/or may not work as expected.
+dovecot_process_limit: 100
+dovecot_client_limit: 1000
+dovecot_imap_idle_interval: '29 mins'
+dovecot_imap_max_userip_connections: 40
 dovecot_lda_mailbox_autocreate: false
 dovecot_lda_mailbox_autosubscribe: false
 dovecot_auth_realms: []
diff --git a/dovecot/templates/conf.d/10-master.conf.j2 b/dovecot/templates/conf.d/10-master.conf.j2
index 3aabeeb..957da6b 100644
--- a/dovecot/templates/conf.d/10-master.conf.j2
+++ b/dovecot/templates/conf.d/10-master.conf.j2
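Review bot: `{{ 'yes' if dovecot_lda_mailbox_autocreate else 'no' }}` relies on Jinja truthiness, so a value that reaches the template as the string `"false"` (extra-vars, INI inventories, some lookups) renders `yes`; coerce first, `lda_mailbox_autocreate = {{ 'yes' if dovecot_lda_mailbox_autocreate | bool else 'no' }}`, and the same on the `lda_mailbox_autosubscribe` line. The identical pattern appears in patch 16's 10-master.conf.j2 hunks, `{% if not dovecot_disable_imap_starttls %}` and `{% if dovecot_postfix_public_private_partnership %}`, where a stringly-false value would silently drop the port-143 listener or keep the 0666 socket mode, so `| bool` belongs there too. The `diff --git`/`---` header of this file is on the previous line; the hunk itself is complete here.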
@@ -1,5 +1,5 @@
-#default_process_limit = 100
-#default_client_limit = 1000
+default_process_limit = {{ dovecot_process_limit }}
+default_client_limit = {{ dovecot_client_limit }}
 # Default VSZ (virtual memory size) limit for service processes. This is mainly
 # intended to catch and kill processes that leak memory before they eat up
@@ -99,7 +99,15 @@ service auth {
 # user = $default_internal_user
 user = dovecot
 group = dovecot
+{% if dovecot_client_limit != 1000 %}
+ client_limit = {{ dovecot_client_limit * 2 }}
+{% endif %}
 }
+{% if dovecot_client_limit != 1000 %}
+service anvil {
+ client_limit = {{ dovecot_client_limit + 500 }}
+}
+{% endif %}
 service auth-worker {
 # Auth worker process is run as root by default, so that it can access
diff --git a/dovecot/templates/conf.d/20-imap.conf.j2 b/dovecot/templates/conf.d/20-imap.conf.j2
index a3ddfe4..77cf9b4 100644
--- a/dovecot/templates/conf.d/20-imap.conf.j2
+++ b/dovecot/templates/conf.d/20-imap.conf.j2
@@ -39,8 +39,7 @@
 # How long to wait between "OK Still here" notifications when client is
 # IDLEing.
-#imap_idle_notify_interval = 2 mins
-imap_idle_notify_interval = 29 mins
+imap_idle_notify_interval = {{ dovecot_imap_idle_interval }}
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
@@ -92,12 +91,11 @@ imap_idle_notify_interval = 29 mins
 protocol imap {
 # Space separated list of plugins to load (default is global mail_plugins).
- #mail_plugins = $mail_plugins
+ mail_plugins = $mail_plugins
 # Maximum number of IMAP connections allowed for a user from each IP address.
 # NOTE: The username is compared case-sensitively.
- #mail_max_userip_connections = 10
- mail_max_userip_connections = 40
+ mail_max_userip_connections = {{ dovecot_imap_max_userip_connections }}
 }
 {% if dovecot_content_filter %}
--
GitLab
From 9b9fddb8c5f14304689fc74a190ab4d9792855d6 Mon Sep 17 00:00:00 2001
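Review bot: `{% if dovecot_client_limit != 1000 %}` in the `@@ -99` hunk of 10-master.conf.j2 hard-codes the role default as a literal, and `{{ dovecot_client_limit * 2 }}` / `{{ dovecot_client_limit + 500 }}` turn into string repetition and a template error respectively when the value arrives as a string from the inventory; write `{% if dovecot_client_limit | int != 1000 %}`, `client_limit = {{ dovecot_client_limit | int * 2 }}` and `client_limit = {{ dovecot_client_limit | int + 500 }}`. Why `service auth` gets twice the default client limit and `service anvil` 500 more is stated nowhere in the patch; a one-line comment above each override naming the connection count it is sized for (presumably the sum of the login-process client limits, but that is my inference) would make the numbers reviewable. That hunk sits inside `service auth { ... }`, whose opening line is outside it.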
From: Lars Beckers
Date: Mon, 26 Apr 2021 00:26:46 +0200
Subject: [PATCH 16/17] dovecot: add options to finetune security concerns
---
 dovecot/defaults/main.yml | 2 ++
 dovecot/templates/conf.d/10-master.conf.j2 | 20 +++++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 24ac6b0..144b53f 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -37,6 +37,8 @@ dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
 # They may disappear without prior notice and/or may not work as expected.
 dovecot_process_limit: 100
 dovecot_client_limit: 1000
+dovecot_disable_imap_starttls: false
+dovecot_postfix_public_private_partnership: true
 dovecot_imap_idle_interval: '29 mins'
 dovecot_imap_max_userip_connections: 40
 dovecot_lda_mailbox_autocreate: false
diff --git a/dovecot/templates/conf.d/10-master.conf.j2 b/dovecot/templates/conf.d/10-master.conf.j2
index 957da6b..14440ad 100644
--- a/dovecot/templates/conf.d/10-master.conf.j2
+++ b/dovecot/templates/conf.d/10-master.conf.j2
@@ -15,9 +15,11 @@ default_client_limit = {{ dovecot_client_limit }}
 #default_internal_user = dovecot
 service imap-login {
+{% if not dovecot_disable_imap_starttls %}
 inet_listener imap {
 port = 143
 }
+{% endif %}
 inet_listener imaps {
 port = 993
 ssl = yes
@@ -42,10 +44,10 @@ service imap-login {
 #}
 service lmtp {
- unix_listener /var/spool/postfix/private/dovecot-lmtp {
- group = postfix
- mode = 0600
- user = postfix
+ unix_listener /var/spool/postfix/private/dovecot-lmtp {
+ mode = 0600
+ user = postfix
+ group = postfix
 }
 # Create inet listener only if you can't use the above UNIX socket
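Review bot: `{% if not dovecot_disable_imap_starttls %}` around `inet_listener imap { port = 143 }` removes the whole port-143 listener, which drops STARTTLS together with cleartext IMAP and leaves only implicit TLS on 993, so the variable name promises something narrower than what the template does; either rename it (e.g. `dovecot_disable_imap_port_143`) or document it next to the default: `# true removes the port-143 listener entirely (no STARTTLS, no cleartext IMAP); only IMAPS on 993 remains`. `dovecot_postfix_public_private_partnership: true` in the defaults hunk is equally opaque — nothing in the name says it chooses the `0666` mode of the Postfix auth socket (the template hunk using it follows on the next line), and a comment stating that belongs beside it. The lmtp hunk only reorders `mode`/`user`/`group` inside the unix_listener and needs nothing.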
@@ -92,13 +94,17 @@ service auth {
 # Postfix smtp-auth
 unix_listener /var/spool/postfix/private/auth {
+{% if dovecot_postfix_public_private_partnership %}
 mode = 0666
+{% else %}
+ mode = 0660
+{% endif %}
+ user = postfix
+ group = postfix
 }
 # Auth process is run as this user.
-# user = $default_internal_user
- user = dovecot
- group = dovecot
+ #user = $default_internal_user
 {% if dovecot_client_limit != 1000 %}
 client_limit = {{ dovecot_client_limit * 2 }}
 {% endif %}
--
GitLab
From 7a107269d47214e9d8b52accfd309f7ab722e5e8 Mon Sep 17 00:00:00 2001
From: Lars Beckers
Date: Tue, 4 May 2021 13:55:00 +0200
Subject: [PATCH 17/17] postfix: fix fsmpi special caseing
---
 postfix/templates/main.cf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index 6acc3c9..5d9800c 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -1,7 +1,7 @@
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
 inet_interfaces = {{ "loopback-only" if postfix_satellite_only else "all" }}
-inet_protocols = all
+inet_protocols = {{ "all" if not postfix_fsmpi|default(false) else "ipv4" }}
 myhostname = {{ ansible_fqdn }}
 myorigin = /etc/mailname
 mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
@@ -104,7 +104,7 @@ tls_ssl_options = NO_COMPRESSION
 alias_maps = {{ postfix_alias_maps|join(" ") }}
 alias_database = cdb:/etc/aliases
-{% if virtual_aliases|default([])|count > 0 or postfix_virtual_domains|count > 0 %}
+{% if virtual_aliases|default([])|count > 0 or postfix_virtual_alias_maps != ['cdb:/etc/postfix/virtual'] %}
 virtual_alias_maps = {{ postfix_virtual_alias_maps|join(" ") }}
 {% endif %}
--
GitLab
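Review bot: `dovecot_postfix_public_private_partnership` gives no hint that it switches the Postfix auth socket between `mode = 0666` and `mode = 0660`; a defaults comment such as `# true: auth socket mode 0666 (Dovecot's stock value; reachability is bounded by Postfix's private/ directory permissions), false: 0660 for the postfix user/group only` or a name like `dovecot_postfix_auth_socket_world_accessible` would make the choice reviewable. `user = postfix` / `group = postfix` are placed after `{% endif %}` and so apply in both branches, which is harmless but only matters in the 0660 case and deserves a one-line comment saying so. Replacing `user = dovecot` / `group = dovecot` with the commented `#user = $default_internal_user` means the auth service now runs as whatever `default_internal_user` resolves to (not set in this patch), and a custom `auth_krb5_keytab` from the 10-auth.conf.j2 change must be readable by that account — the stock comment kept in that hunk already warns about this. The `service auth {` line enclosing this hunk is outside it.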
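Review bot: `postfix_virtual_alias_maps != ['cdb:/etc/postfix/virtual']` in the second main.cf.j2 hunk restates the role default as a literal, so the two drift apart the moment `defaults/main.yml` changes and the `virtual_alias_maps` line silently appears or disappears; compare against a named default declared next to the variable instead, e.g. `{% if virtual_aliases|default([])|count > 0 or postfix_virtual_alias_maps != postfix_virtual_alias_maps_default %}`. `postfix_fsmpi|default(false)` in the first hunk bakes a site-specific switch into a generic template with no explanation of why that site must lose IPv6 delivery; a comment on the line, `# fsmpi: IPv6 deliberately off, see <REASON/TICKET>`, keeps it from being removed as dead code later. Both hunks are complete within this line.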