Diffstat (limited to 'roles/mail/postfix/submission')
-rw-r--r--roles/mail/postfix/submission/defaults/main.yml21
-rw-r--r--roles/mail/postfix/submission/handlers/main.yml10
-rw-r--r--roles/mail/postfix/submission/tasks/main.yml79
-rw-r--r--roles/mail/postfix/submission/tasks/saslauthd-ldap.yml29
-rw-r--r--roles/mail/postfix/submission/tasks/saslauthd.yml48
5 files changed, 187 insertions, 0 deletions
diff --git a/roles/mail/postfix/submission/defaults/main.yml b/roles/mail/postfix/submission/defaults/main.yml
new file mode 100644
index 00000000..6ea29e91
--- /dev/null
+++ b/roles/mail/postfix/submission/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+# postfix_submission_hostname: mailrelay.example.com
+
+# postfix_submission_tls:
+# certificate_provider: {{ acme_client }}
+
+# postfix_submission_auth_saslauthd:
+# mechanism: ldap
+# ldap_options:
+# auth_method: fastbind
+# servers: ldap://ldap.exmaple.com
+# start_tls: yes
+# tls_check_peer: yes
+# tls_cacert_file: "{{ global_files_dir }}/common/ldapscert.pem"
+# ldap_filter: "uid=%u,dc=example,dc=com"
+
+# postfix_submission_allowed_sender_domains:
+# - example.com
+
+postfix_submission_dkim_signer: "none"
+# postfix_submission_dkim_signer: "opendkim"
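Review bot: The example LDAP URI `servers: ldap://ldap.exmaple.com` has a typo (`exmaple`) that will be copied into real inventories as-is; it should read `servers: ldap://ldap.example.com`. The example also writes `start_tls: yes` and `tls_check_peer: yes`, which YAML loads as booleans and Jinja then renders as `True` in saslauthd.conf, whereas saslauthd documents these switches as `yes`/`no`; quoting them (`start_tls: 'yes'`) keeps the rendered value in the documented form. A comment such as `# tls_check_peer + tls_cacert_file are what make start_tls actually verify the directory; with fastbind the user's password is sent to whatever answers at this URI` would make clear why the TLS options are not optional.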
diff --git a/roles/mail/postfix/submission/handlers/main.yml b/roles/mail/postfix/submission/handlers/main.yml
new file mode 100644
index 00000000..68ad2bf2
--- /dev/null
+++ b/roles/mail/postfix/submission/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart saslauthd
+ service:
+ name: saslauthd
+ state: restarted
+
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
diff --git a/roles/mail/postfix/submission/tasks/main.yml b/roles/mail/postfix/submission/tasks/main.yml
new file mode 100644
index 00000000..981f1511
--- /dev/null
+++ b/roles/mail/postfix/submission/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+- name: install access table for allowed sender domains
+ when: postfix_submission_allowed_sender_domains is defined
+ block:
+ - name: create subdirectory for submission specific config
+ file:
+ path: /etc/postfix/submission
+ state: directory
+
+ - name: install access table for allowed domains
+ copy:
+ content: |
+ {% for domain in postfix_submission_allowed_sender_domains %}
+ /@{{ domain | replace('.', '\.') }}$/ OK
+ {% endfor %}
+ /@/ REJECT
+ dest: /etc/postfix/submission/allowed-sender-domains
+ register: allowed_sender_domains_status
+
+ - name: generate access table for allowed domains
+ when: allowed_sender_domains_status is changed
+ command: postmap /etc/postfix/submission/allowed-sender-domains
+
+- name: install and configure saslauthd
+ when: postfix_submission_auth_saslauthd is defined
+ include_tasks: saslauthd.yml
+
+- name: generate/install/fetch TLS certificate
+ when: postfix_submission_tls is defined
+ vars:
+ x509_certificate_name: "postfix-{{ postfix_submission_hostname }}"
+ x509_certificate_config: "{{ postfix_submission_tls.certificate_config | default({}) }}"
+ x509_certificate_hostnames:
+ - "{{ postfix_submission_hostname }}"
+ x509_certificate_reload_services:
+ - postfix
+ include_role:
+ name: "x509/{{ postfix_submission_tls.certificate_provider }}/cert"
+
+- name: add postfix user to opendkim group
+ when: postfix_submission_dkim_signer == "opendkim"
+ user:
+ name: postfix
+ groups: opendkim
+ append: yes
+ notify: restart postfix
+
+- name: configure postfix submission daemon
+ blockinfile:
+ marker: "# {mark} ansible postfix/submission"
+ block: |
+ submission inet n - y - - smtpd
+ -o myhostname={{ postfix_submission_hostname }}
+ {% if postfix_submission_tls is defined %}
+ -o smtpd_tls_key_file={{ x509_certificate_path_key }}
+ -o smtpd_tls_cert_file={{ x509_certificate_path_fullchain }}
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+ -o smtpd_tls_mandatory_ciphers=medium
+ -o tls_medium_cipherlist=ECDHE+CHACHA20:ECDHE+AESGCM:DHE+CHACHA20:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!SHA
+ -o tls_preempt_cipherlist=no
+ {% endif %}
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_path=submission
+ -o smtpd_sasl_security_options=noanonymous
+ {% if postfix_submission_allowed_sender_domains is defined %}
+ -o { smtpd_sender_restrictions=reject_non_fqdn_sender,check_sender_access regexp:/etc/postfix/submission/allowed-sender-domains,permit_sasl_authenticated,reject }
+ {% else %}
+ -o smtpd_sender_restrictions=reject_non_fqdn_sender,permit_sasl_authenticated,reject
+ {% endif %}
+ -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain
+ {% if postfix_submission_dkim_signer == 'opendkim' %}
+ -o milter_protocol=6
+ -o milter_default_action=accept
+ -o smtpd_milters=unix:opendkim/opendkim.sock
+ -o non_smtpd_milters=unix:opendkim/opendkim.sock
+ {% endif %}
+ dest: /etc/postfix/master.cf
+ notify: restart postfix
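Review bot: The `OK` result in the generated access table (`/@{{ domain | replace('.', '\.') }}$/ OK`) is evaluated before `permit_sasl_authenticated` in the restriction list on the `{ smtpd_sender_restrictions=... }` line, and in Postfix an `OK` from `check_sender_access` terminates the sender stage, so an unauthenticated client whose MAIL FROM is in an allowed domain passes sender restrictions without credentials; after that only main.cf's `smtpd_relay_restrictions`, which this service does not override, stands between it and relaying. Changing the table entry to `/@{{ domain | replace('.', '\.') }}$/ DUNNO` keeps the domain whitelist but lets allowed senders fall through to `permit_sasl_authenticated,reject`, which is what the list appears to intend. Separately, nothing ties the SASL login to the envelope sender, so any authenticated account may send as any address in the allowed domains; that may be acceptable for a relay, but it deserves a comment, or `reject_sender_login_mismatch` with `smtpd_sender_login_maps`. Finally, when `postfix_submission_tls` is undefined the service still advertises SASL with `noanonymous` only, and the matching `mech_list: plain login` then sends passwords in cleartext; either assert the variable or add `noplaintext` in that branch so the service fails closed.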
diff --git a/roles/mail/postfix/submission/tasks/saslauthd-ldap.yml b/roles/mail/postfix/submission/tasks/saslauthd-ldap.yml
new file mode 100644
index 00000000..55f1ece9
--- /dev/null
+++ b/roles/mail/postfix/submission/tasks/saslauthd-ldap.yml
@@ -0,0 +1,29 @@
+---
+- name: prepare ldap options for salsauthd
+ set_fact:
+ saslauthd_ldap_options: "{{ postfix_submission_auth_saslauthd.ldap_options }}"
+
+- name: install and configure ldap server certificate
+ when: "'tls_cacert_file' in postfix_submission_auth_saslauthd.ldap_options or 'tls_cacert_content' in postfix_submission_auth_saslauthd.ldap_options"
+ block:
+ - name: install ldap server certificate
+ copy:
+ src: "{{ postfix_submission_auth_saslauthd.ldap_options.tls_cacert_file | default(omit) }}"
+ content: "{{ postfix_submission_auth_saslauthd.ldap_options.tls_cacert_content | default(omit) }}"
+ dest: /etc/saslauthd-ldapscert.pem
+ notify: restart saslauthd
+
+ - name: update ca certificate file path in ldap options
+ set_fact:
+ saslauthd_ldap_options: "{{ saslauthd_ldap_options | combine({'tls_cacert_file': '/etc/saslauthd-ldapscert.pem'}) }}"
+
+- name: generate salsuathd config for ldap
+ copy:
+ content: |
+ {% for option,value in saslauthd_ldap_options.items() %}
+ {% if option != 'tls_cacert_content' %}
+ ldap_{{ option }}: {{ value }}
+ {% endif %}
+ {% endfor %}
+ dest: /etc/saslauthd.conf
+ notify: restart saslauthd
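Review bot: The `copy` that writes `/etc/saslauthd.conf` sets no `mode`/`owner`, so the file gets the default (typically world-readable) permissions, yet it is fed the whole `ldap_options` mapping verbatim and will contain `ldap_bind_pw` whenever a bind-style `auth_method` is used instead of the fastbind example; add `mode: "0600"` and `owner: root` to that task (the same applies to the CA copy only as a matter of consistency, since that content is public). Boolean options such as `start_tls`/`tls_check_peer` are rendered with a bare `{{ value }}`, so a YAML `yes` arrives as `True`; saslauthd documents these as `yes`/`no`, and if its switch parser only accepts the lowercase spellings the TLS checks would be silently off, so render them explicitly, e.g. `ldap_{{ option }}: {{ 'yes' if value is sameas true else ('no' if value is sameas false else value) }}`. The file is also written without any validation of the option names, which is fine for an internal role but worth a comment like `# options are passed through to saslauthd.conf unvalidated; see saslauthd's LDAP_SASLAUTHD for the accepted keys`.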
diff --git a/roles/mail/postfix/submission/tasks/saslauthd.yml b/roles/mail/postfix/submission/tasks/saslauthd.yml
new file mode 100644
index 00000000..065fb255
--- /dev/null
+++ b/roles/mail/postfix/submission/tasks/saslauthd.yml
@@ -0,0 +1,48 @@
+---
+- name: install saslauthd and sasl-modules
+ apt:
+ name:
+ - sasl2-bin
+ - libsasl2-modules
+ state: present
+
+- name: basic saslauthd options
+ vars:
+ saslauthd_options:
+ START: "yes"
+ MECHANISMS: "{{ postfix_submission_auth_saslauthd.mechanism }}"
+ OPTIONS: "-c -m /var/spool/postfix/saslauthd"
+ loop: "{{ saslauthd_options | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ lineinfile:
+ regexp: '^#?\s*{{ item.key }}\s*='
+ line: '{{ item.key }}="{{ item.value }}"'
+ dest: /etc/default/saslauthd
+ notify: restart saslauthd
+
+- name: configure saslauthd mechanism
+ include_tasks: "saslauthd-{{ postfix_submission_auth_saslauthd.mechanism }}.yml"
+
+- name: configure postfix sasl via saslauthd
+ copy:
+ content: |
+ pwcheck_method: saslauthd
+ saslauthd_path: /saslauthd/mux
+ mech_list: plain login
+ dest: /etc/postfix/sasl/submission.conf
+ notify: restart postfix
+
+- name: add postfix user to sasl group
+ user:
+ name: postfix
+ groups: sasl
+ append: yes
+ notify: restart postfix
+
+- name: make sure saslauthd service is enabled and started
+ systemd:
+ daemon_reload: yes
+ name: saslauthd.service
+ enabled: yes
+ state: started
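Review bot: `OPTIONS: "-c -m /var/spool/postfix/saslauthd"` enables saslauthd's credential cache, so a password changed or an account disabled in LDAP keeps authenticating until the cached entry expires (the manpage's default timeout is several hours, if memory serves); either drop `-c` or pair it with a short `-t <seconds>` and say so in a comment next to the option. `saslauthd_path: /saslauthd/mux` is only correct because the submission service runs chrooted and `-m` points into `/var/spool/postfix`, which nothing in this file states; a comment such as `# path is relative to the smtpd chroot (/var/spool/postfix), must match -m above` would prevent a later edit from breaking one side. `mech_list: plain login` is likewise safe only while the master.cf entry enforces `smtpd_tls_security_level=encrypt`, which is also worth recording here.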