Commit 7ab9b9d9 authored by Lars Beckers's avatar Lars Beckers

postfix: refactor role

parent ec24ccc5
---
postfix_domains:
- "{{ domain }}"
postfix_virtual_domains: []
postfix_tls_cert: /etc/ssl/private/fullchain.pem
postfix_tls_key: /etc/ssl/private/privkey.pem
postfix_tls_ciphers: "{{ tls_ciphers }}"
postfix_tls_protocols: "!SSLv2 !SSLv3"
postfix_login_suffix: '@extmind.de'
postfix_prefer_lmtp: no
postfix_enable_memcached: no
postfix_login_suffix: ''
postfix_dnsbl_sites:
- name: zen.spamhaus.org
- name: bl.spamcop.net
- name: b.barracudacentral.org
- name: '#swl.spamhaus.org'
modifier: 2
- name: list.dnswl.org
modifier: -5
postfix_network_access:
- cidr: 134.130.5.32/27 # rwth
action: permit
postfix_content_filter: no # or: spamassassin
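Review bot: `postfix_tls_protocols: "!SSLv2 !SSLv3"` feeds `smtpd_tls_mandatory_protocols` and `smtpd_tls_protocols` in main.cf.j2, where the hard-coded values being replaced were `!TLSv1 !SSLv2 !SSLv3`, so the refactor re-enables TLSv1 by default; keep the previous posture with `postfix_tls_protocols: "!SSLv2 !SSLv3 !TLSv1"` (or stricter). `postfix_prefer_lmtp: no`, `postfix_enable_memcached: no` and `postfix_content_filter: no` use YAML 1.1 truthy spellings — write `false` — and `postfix_content_filter` doubles as boolean-false and as a string, which deserves a comment such as `# false, or the name of a master.cf content-filter service (spamassassin)`. If both `postfix_login_suffix` lines (`'@extmind.de'` and `''`) are on the new side, the later key silently overrides the earlier one; keep a single entry. The `'#swl.spamhaus.org'` entry only works because Postfix skips a continuation line whose first non-blank character is `#`; an explicit `enabled: false` field that the template skips would state the intent rather than rely on that quirk.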
test@wolfscloud.de test@wolfscloud.de
---
- name: ensure all required postfix packages are installed
apt: name={{ item }} state=present
apt:
name: "{{ item }}"
state: present
with_items:
- postfix
- postfix-pcre
- postfix-cdb
- memcached
tags:
- postfix
- mail
- name: ensure not templated config is present
copy: src=files/{{ item }} dest=/etc/postfix/
with_items:
- login_maps.pcre
- sender_login_map.hash
- postscreen_whitelist
notify:
- restart postfix
- name: ensure additional packages are installed if required
apt:
name: memcached
state: present
when: postfix_enable_memcached
tags:
- postfix
- mail
- name: ensure templated config is present
template: src=templates/{{ item }}.j2 dest=/etc/postfix/{{ item }}
- name: ensure config is present
template:
src: "{{ item }}.j2"
dest: "/etc/postfix/{{ item }}"
with_items:
- login_maps.pcre
- master.cf
- main.cf
- postscreen_cache
- postscreen_access.cidr
notify:
- restart postfix
tags:
......@@ -36,7 +37,21 @@
- mail
- name: ensure memcached config is present
template: src=templates/memcached.conf.j2 dest=/etc/memcached.conf
template:
src: memcached.conf.j2
dest: /etc/memcached.conf
when: postfix_enable_memcached
notify:
- restart memcached
tags:
- postfix
- mail
- name: ensure postscreen memcached integration is present
template:
src: postscreen_cache.j2
dest: /etc/postfix/postscreen_cache
when: postfix_enable_memcached
notify:
- restart memcached
tags:
......@@ -44,7 +59,9 @@
- mail
- name: ensure system alias database is present
template: src=templates/aliases.j2 dest=/etc/aliases
template:
src: aliases.j2
dest: /etc/aliases
notify:
- postmap system
tags:
......@@ -52,15 +69,21 @@
- mail
- name: ensure virtual alias database is present
template: src=templates/v_aliases.j2 dest=/etc/postfix/virtual
template:
src: virtual.j2
dest: /etc/postfix/virtual
notify:
- postmap virtual
tags:
- postfix
- mail
- meta: flush_handlers
- name: ensure mailname is properly configured
template:
src: mailname.j2
dest: /etc/mailname
notify:
- restart postfix
tags:
- postfix
- mail
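Review bot: `postscreen_cache` appears to be rendered twice on the new side — in the unconditional `ensure config is present` list and again in `ensure postscreen memcached integration is present` — and the second task notifies `restart memcached` although the file is a Postfix memcache table read by postscreen, not memcached's own configuration; drop the conditional task or remove `postscreen_cache` from the first list, and notify `- restart postfix`. If the `ensure not templated config is present` copy task survives on the new side, `login_maps.pcre` is both copied from `files/` and rendered from `login_maps.pcre.j2` into the same destination, so whichever task runs last wins. None of the template or copy tasks set `owner`, `group` or `mode`; an explicit `mode: "0644"` keeps the resulting permissions independent of the remote umask.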
{% for alias in system_aliases %}
{{ alias.src }}:{{ alias.dest }}
{{ alias.src }}: {{ alias.dest }}
{% endfor %}
/^(.*){{ postfix_login_suffix }}$/ ${1}
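Review bot: `{{ postfix_login_suffix }}` is interpolated into the PCRE pattern unescaped, so the `.` in a suffix such as `@extmind.de` matches any character and the map accepts more sender addresses than intended; use `/^(.*){{ postfix_login_suffix | regex_escape }}$/ ${1}`. With the default empty suffix the pattern degenerates to `/^(.*)$/ ${1}`, mapping every sender to itself, which is worth a `{# ... #}` comment because this table backs `reject_sender_login_mismatch` on the submission service.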
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
inet_interfaces = all
inet_protocols = all
myhostname = {{ ansible_fqdn }}
myorigin = /etc/mailname
mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
{% if postfix_domains|count > 0 %}
{% if postfix_prefer_lmtp %}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
{% else %}
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
{% endif %}
{% endif %}
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
biff = no
compatibility_level = 2
#delay_warning_time = 4h
disable_vrfy_command = yes
#enable_long_queue_ids = yes
mailbox_size_limit = 0
#message_size_limit = 41943040
readme_directory = no
recipient_delimiter = +
#strict_rfc821_envelopes = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_use_tls = yes
smtpd_tls_cert_file=/var/lib/acme/live/wolfscloud.de/fullchain
smtpd_tls_key_file=/var/lib/acme/live/wolfscloud.de/privkey
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#ciphers supported downto android 2.3
smtpd_tls_mandatory_protocols = !TLSv1 !SSLv2, !SSLv3
smtpd_tls_protocols = !TLSv1 !SSLv2 !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist = {{ tls_ciphers }}
smtpd_tls_eecdh_grade=ultra
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
......@@ -47,82 +36,56 @@ smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
myhostname = {{ ansible_fqdn }}
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_tls_cert }}
smtpd_tls_key_file = {{ postfix_tls_key }}
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_high_cipherlist = {{ postfix_tls_ciphers }}
alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = cdb:/etc/postfix/virtual
virtual_mailbox_domains = {{ virtual_domains | join(", ") }}
{% if postfix_virtual_domains|count > 0 %}
virtual_mailbox_domains = {{ postfix_virtual_domains | join(", ") }}
virtual_mailbox_base = /var/vmail/
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_gid_maps = static:5000
virtual_alias_maps = cdb:/etc/postfix/virtual
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
{% endif %}
################################################################################
## POSTSCREEN - ERSTE STUFE DER SPAM/UCE/VIREN-ABWEHRMECHANISMEN
#
# Django : 2014-10-29 - PERMANENT WHITE/BLACKLIST TEST
# default: postscreen_access_list = permit_mynetworks
postscreen_access_list = permit_mynetworks
cidr:/etc/postfix/postscreen_whitelist
#
# default: postscreen_blacklist_action = ignore
cidr:/etc/postfix/postscreen_access.cidr
{% if postfix_enable_memcached %}
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
{% else %}
postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
{% endif %}
postscreen_blacklist_action = drop
# Django : 2014-10-29 - MAIL EXCHANGER POLICY TESTS
# default: postscreen_whitelist_interfaces = static:all
# Django : 2014-10-29 - PRE 220 GREETING TESTS
#
# default: postscreen_greet_banner = $smtpd_banner
#
# default: postscreen_greet_action = ignore
postscreen_greet_action = enforce
# default: postscreen_dnsbl_threshold = 1
postscreen_dnsbl_threshold = 2
#
# default: postscreen_dnsbl_sites =
postscreen_dnsbl_sites = zen.spamhaus.org*1
bl.spamcop.net*1
b.barracudacentral.org*1
#swl.spamhaus.org*2
list.dnswl.org*-5
#
# default: postscreen_dnsbl_action = ignore
postscreen_dnsbl_action = enforce
# Django : 2014-10-29 - POST 220 GREETING TESTS
#
# default: postscreen_dnsbl_whitelist_threshold = 0
postscreen_dnsbl_whitelist_threshold = -1
#
# default: postscreen_pipelining_enable = no
# postscreen_whitelist_interfaces = static:all
# postscreen_greet_banner = $smtpd_banner
postscreen_pipelining_enable = yes
#
# default: postscreen_pipelining_action = enforce
#
# default: postscreen_non_smtp_command_enable = no
# postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
# default: postscreen_non_smtp_command_action = drop
#
# default: postscreen_bare_newline_enable = no
# postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
#
# default: postscreen_bare_newline_action = ignore
postscreen_bare_newline_action = drop
#
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_sites =
{% for site in postfix_dnsbl_sites %}
{{ site.name }}*{{ site.modifier|default(1) }}
{% endfor %}
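Review bot: The new side sets `smtp_tls_session_cache_database` but never `smtp_tls_security_level`, so outbound SMTP stays plaintext unless that parameter lives in a part of the template outside this excerpt; add `smtp_tls_security_level = may` beside the `smtpd_tls_*` block. `smtpd_use_tls = yes` is the form postconf(5) lists as obsolete since Postfix 2.3; `smtpd_tls_security_level = may` (keeping `smtpd_tls_auth_only = yes`) expresses the same intent in the documented form. If both `biff = no` lines and both `compatibility_level = 2` lines are on the new side, the later value silently wins — keep one of each. The `#swl.spamhaus.org*2` continuation line produced from `postfix_dnsbl_sites` is ignored only because Postfix skips lines whose first non-blank character is `#` even inside a continued value; a `{# ... #}` comment above the loop saying so spares the next reader a postconf(5) lookup.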
dovecot unix - n n - - pipe
flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
{% if content_filter is defined %}
-o content_filter={{ content_filter }}
{% if postfix_content_filter %}
-o content_filter={{ postfix_content_filter }}
{% endif %}
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
# -o smtpd_tls_security_level=encrypt
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
{% if content_filter is defined %}
-o content_filter={{ content_filter }}
{% endif %}
-o syslog_name=postfix/submission
# -o syslog_name=postfix/submission
{% if postfix_content_filter %}
-o content_filter={{ postfix_content_filter }}
{% endif %}
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
......@@ -51,7 +47,7 @@ submission inet n - y - - smtpd
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
......@@ -77,7 +73,7 @@ virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
......@@ -86,57 +82,28 @@ scache unix - - y - 1 scache
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
{% if content_filter is defined %}
{{ content_filter }} {{ content_filter_arguments }}
{{ content_filter_command }}
dovecot unix - n n - - pipe
flags=DRhu user=5001:5000 argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
{% if postfix_content_filter == 'spamassassin' %}
spamassassin unix - n n - - pipe
user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
{% endif %}
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
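Review bot: `# -o smtpd_tls_security_level=encrypt` stays commented out on the submission service in the new layout; `smtpd_tls_auth_only = yes` in main.cf already refuses AUTH before STARTTLS, but port 587 is meant to be TLS-only, so enable `-o smtpd_tls_security_level=encrypt`. If `# -o syslog_name=postfix/submission` is the new-side line (with the uncommented one being history), submission traffic is logged under the generic smtpd name, losing the distinction that log-based detection and rate-limiting filters key on — keep `-o syslog_name=postfix/submission` active. The `{% if postfix_content_filter %}` guards accept any truthy string while only `spamassassin` gets a matching pipe service; a comment noting that any other value needs its own master.cf entry would help.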
# Django : 2014-10-29
# access-Tabelle: Wer wird von postscreen ausgenommen und wer nicht?
# Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer
# IP-Adressen. In der rechten Tabellenspalte können die AKtionen
# Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer
# IP-Adressen. In der rechten Tabellenspalte können die Aktionen
# "permit", "reject" und "dunno" gesetzt werden.
# Nach dem Ändern und/oder Erweitern der Tabelle, muß ein
# laufender Postfix über die Änderungen mit einem reload informiert
# werden:
# laufender Postfix über die Änderungen mit einem reload informiert
# werden:
# $ systemctl reload postfix.service
#
# Es muss hier keine Datenbank mit postmap erzeugt werden, da
# Es muss hier keine Datenbank mit postmap erzeugt werden, da
# Postfix die ASCII-Konfigurationsdatei direkt auswertet!
#
# roughly the RWTH network for the e-mail servers
134.130.5.32/27 permit
{% for net in postfix_network_access %}
{{ net.cidr }} {{ net.action|default('dunno') }}
{% endfor %}
# Django : 2014-11-07 postscreen-cache Konfigurationsdatei
# #
#
{% for partner in groups['mail'] %}
{% if partner != ansible_hostname %}
memcache = inet:{{hostvars[partner]["tinc_vpnip"]}}:11211
memcache = inet:{{ hostvars[partner]['tinc_vpnip'] }}:11211
{% endif %}
{% endfor %}
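Review bot: The loop emits one `memcache = inet:...:11211` line per other member of `groups['mail']`, but memcache_table(5) documents a single server for the `memcache` parameter, so with three or more hosts only the last line takes effect and the rest are silently ignored; select one peer explicitly, e.g. `{{ groups['mail'] | reject('equalto', ansible_hostname) | first }}`, or document that the group is expected to have exactly two members. With a single-member group no `memcache` line is produced and Postfix falls back to its `inet:localhost:11211` default, which deserves a `{# ... #}` comment since `memcached` is only installed when `postfix_enable_memcached` is set.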
......@@ -5,6 +5,11 @@ abuse@{{ domain }} {{ adminaddr }}
{% endfor %}
{% for alias in virtual_aliases %}
{% if alias.src is string %}
{{ alias.src }} {{ alias.dest }}
{% else %}
{% for src in alias.src %}
{{ src }}@{{ alias.domain }} {{ alias.dest }}
{% endfor %}
{% endif %}
{% endfor %}
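Review bot: The two branches accept different shapes for `alias.src` — a string is written verbatim as a full address, while a list is treated as local parts joined with `alias.domain` — and nothing in the template records that; add `{# alias.src: a full address string, or a list of local parts combined with alias.domain #}` above the loop. `alias.domain` is only read in the list branch, so a string-shaped entry that also carries `domain` is silently ignored rather than flagged.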