-rw-r--r--chaos-at-home/ch-testvm-prometheus.yml1
-rw-r--r--inventory/host_vars/ch-testvm-prometheus.yml7
-rw-r--r--roles/mail/postfix/mx/defaults/main.yml23
-rw-r--r--roles/mail/postfix/mx/handlers/main.yml5
-rw-r--r--roles/mail/postfix/mx/tasks/main.yml42
-rw-r--r--roles/mail/rspamd/tasks/main.yml4
6 files changed, 82 insertions, 0 deletions
diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml
index edd278ea..85febb03 100644
--- a/chaos-at-home/ch-testvm-prometheus.yml
+++ b/chaos-at-home/ch-testvm-prometheus.yml
@@ -18,3 +18,4 @@
- role: mail/rspamd
- role: mail/postfix/base
- role: mail/postfix/submission
+ - role: mail/postfix/mx
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index 98c128b5..e1d0afd1 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -79,6 +79,10 @@ rspamd_modules_local_config:
rbl: |
enabled = false;
+rspamd_modules_override_config:
+ redis: |
+ servers = "127.0.0.1";
+ password = "{{ redis_server_legacy_auth_password }}"
postfix_base_mynetworks:
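Review bot: The `password = "{{ redis_server_legacy_auth_password }}"` line drops the Redis password verbatim into a UCL double-quoted string, so a value containing `"` or a backslash would break /etc/rspamd/override.d/redis.conf (and the `;` terminator used on `enabled = false;` just above is missing). Presumably the variable comes from a vault; if its generator cannot guarantee UCL-safe characters, escape it in the template, e.g. `password = "{{ redis_server_legacy_auth_password | replace('\\', '\\\\') | replace('"', '\\"') }}";`. Note that override.d replaces every redis setting, so any `local.d/redis.conf` on this host is now ignored.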
@@ -122,3 +126,6 @@ postfix_submission_allowed_sender_domains:
- chaox.org
postfix_submission_dkim_signer: "opendkim"
+
+
+postfix_mx_spam_filter: "rspamd"
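Review bot: This host now runs the new mx role but defines neither `postfix_mx_hostname` nor `postfix_mx_tls`, which the role's defaults document as its TLS inputs, so the role's `configure TLS` block is skipped here and inbound port-25 TLS depends entirely on whatever mail/postfix/base sets up (not visible in this diff). If the test VM is meant to exercise the MX role end to end, add `postfix_mx_hostname: "<fqdn>"` and a `postfix_mx_tls:` mapping with `certificate_provider`; otherwise a one-line comment saying TLS is intentionally left to the base role would stop the next reader from wondering.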
diff --git a/roles/mail/postfix/mx/defaults/main.yml b/roles/mail/postfix/mx/defaults/main.yml
new file mode 100644
index 00000000..31c9d3f6
--- /dev/null
+++ b/roles/mail/postfix/mx/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+# postfix_mx_hostname: mx.example.com
+# postfix_mx_tls:
+# certificate_provider: {{ acme_client }}
+
+postfix_mx_spam_filter: "none"
+# postfix_mx_spam_filter: "rspamd"
+
+# postfix_mx_recipient_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
+
+# postfix_mx_helo_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
+
+# postfix_mx_sender_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
+
+# postfix_mx_relay_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
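Review bot: The four commented `postfix_mx_*_restrictions` lists are advertised as role inputs, but nothing in the new tasks/main.yml reads them, so a user who sets `postfix_mx_relay_restrictions` to lock down relaying gets no change in main.cf and no error; I would add `# TODO: not yet applied by tasks/main.yml` above them until they are wired up. The examples also consist only of `permit_*` entries — if they are ever applied verbatim as `smtpd_relay_restrictions` without a `reject_unauth_destination` terminator, the MX becomes an open relay, so the example should end with `- "reject_unauth_destination"`. Minor: the commented `certificate_provider: {{ acme_client }}` would be parsed as a flow mapping if uncommented; write it as `certificate_provider: "{{ acme_client }}"`.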
diff --git a/roles/mail/postfix/mx/handlers/main.yml b/roles/mail/postfix/mx/handlers/main.yml
new file mode 100644
index 00000000..bea754c9
--- /dev/null
+++ b/roles/mail/postfix/mx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
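Review bot: The handler does a full restart for what are only main.cf parameter changes, which drops in-flight SMTP sessions; Postfix picks up main.cf changes on reload, and the x509 role invoked by this same role reloads rather than restarts postfix (`x509_certificate_reload_services`), so the two paths are inconsistent. If the postfix unit on the target supports it, `state: reloaded` is the safer default here. Keep `restarted` only if there is a reason that needs it, and say so in a comment.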
diff --git a/roles/mail/postfix/mx/tasks/main.yml b/roles/mail/postfix/mx/tasks/main.yml
new file mode 100644
index 00000000..5ef5ff42
--- /dev/null
+++ b/roles/mail/postfix/mx/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: configure TLS
+ when: postfix_mx_tls is defined
+ block:
+ - name: generate/install/fetch TLS certificate
+ vars:
+ x509_certificate_name: "postfix-{{ postfix_mx_hostname }}"
+ x509_certificate_config: "{{ postfix_mx_tls.certificate_config | default({}) }}"
+ x509_certificate_hostnames:
+ - "{{ postfix_mx_hostname }}"
+ x509_certificate_reload_services:
+ - postfix
+ include_role:
+ name: "x509/{{ postfix_mx_tls.certificate_provider }}/cert"
+
+## TODO: configure virtual and relay domains and maps
+
+- name: configure spam filtering using rspamd
+ when: postfix_mx_spam_filter == "rspamd"
+ block:
+ - name: add postfix user to rspamd group
+ user:
+ name: postfix
+ groups: _rspamd
+ append: yes
+ notify: restart postfix
+
+ - name: configure postfix milter config for rspamd
+ vars:
+ postfix_options:
+ milter_protocol: "6"
+ milter_default_action: "accept"
+ smtpd_milters: "unix:rspamd/rspamd-proxy.sock"
+ non_smtpd_milters: "unix:rspamd/rspamd-proxy.sock"
+ loop: "{{ postfix_options | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ lineinfile:
+ regexp: "^#?\\s*{{ item.key }}\\s*="
+ line: "{{ item.key }} = {{ item.value }}"
+ dest: /etc/postfix/main.cf
+ notify: restart postfix
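Review bot: The `add postfix user to rspamd group` task is unlikely to grant the milter access it is meant to: Postfix daemons drop supplementary groups when they switch to the postfix uid (set_ugid() calls setgroups() with only the primary gid), so membership in `_rspamd` does not reach smtpd or cleanup. Combined with `milter_default_action: "accept"`, a permission failure on `rspamd/rspamd-proxy.sock` would not be visible as bounced mail — messages would simply pass unfiltered, so this deserves a comment such as `# fail-open: if rspamd-proxy is unreachable, mail is accepted unscanned; alert on "milter" errors in the mail log`. Either point the milter at the proxy's TCP listener (`smtpd_milters: "inet:127.0.0.1:11332"`) or have the rspamd role create the socket with group `postfix` and mode `0660`. Note also that the `unix:rspamd/...` path is relative to Postfix's queue_directory (the chroot), so the rspamd proxy must bind under /var/spool/postfix/rspamd/ — nothing in this diff shows that being configured.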
diff --git a/roles/mail/rspamd/tasks/main.yml b/roles/mail/rspamd/tasks/main.yml
index 503c3669..1397e35d 100644
--- a/roles/mail/rspamd/tasks/main.yml
+++ b/roles/mail/rspamd/tasks/main.yml
@@ -78,6 +78,8 @@
# ansible generated
{{ item.value }}
dest: /etc/rspamd/local.d/{{ item.key }}.conf
+ mode: 0400
+ owner: _rspamd
notify: reload rspamd
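Review bot: `mode: 0400` is an unquoted octal literal, which YAML 1.1 parsers turn into the integer 256; Ansible's file modules sometimes cope with that, but the Ansible docs ask for quoted octal strings precisely because the integer form fails in loops like this one. Write `mode: "0400"` so the module receives a string and does its own conversion. The surrounding copy/template task starts before this hunk; tightening the mode is the right move given the override files now carry the Redis password.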
- name: generate override config files
@@ -89,4 +91,6 @@
# ansible generated
{{ item.value }}
dest: /etc/rspamd/override.d/{{ item.key }}.conf
+ mode: 0400
+ owner: _rspamd
notify: reload rspamd
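Review bot: `mode: 0400` should be quoted as `mode: "0400"`: unquoted, YAML 1.1 reads it as the octal integer 256, and Ansible's documentation warns that integer modes are unreliable inside `loop:` tasks such as this one. Since override.d now receives the Redis password from host_vars, the file must be readable only by `_rspamd`, so the intent is right — just make the mode a string so it applies consistently.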