From 0999c78f7efa79e7936a11288d5930dca5698dbb Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 29 Jul 2024 16:19:31 +0200
Subject: iniital role postfix/mx - still work in progress!
---
 chaos-at-home/ch-testvm-prometheus.yml | 1 +
 inventory/host_vars/ch-testvm-prometheus.yml | 7 +++++
 roles/mail/postfix/mx/defaults/main.yml | 23 +++++++++++++++
 roles/mail/postfix/mx/handlers/main.yml | 5 ++++
 roles/mail/postfix/mx/tasks/main.yml | 42 ++++++++++++++++++++++++++++
 roles/mail/rspamd/tasks/main.yml | 4 +++
 6 files changed, 82 insertions(+)
 create mode 100644 roles/mail/postfix/mx/defaults/main.yml
 create mode 100644 roles/mail/postfix/mx/handlers/main.yml
 create mode 100644 roles/mail/postfix/mx/tasks/main.yml
diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml
index edd278ea..85febb03 100644
--- a/chaos-at-home/ch-testvm-prometheus.yml
+++ b/chaos-at-home/ch-testvm-prometheus.yml
@@ -18,3 +18,4 @@
 - role: mail/rspamd
 - role: mail/postfix/base
 - role: mail/postfix/submission
+ - role: mail/postfix/mx
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index 98c128b5..e1d0afd1 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -79,6 +79,10 @@ rspamd_modules_local_config:
 rbl: |
 enabled = false;
+rspamd_modules_override_config:
+ redis: |
+ servers = "127.0.0.1";
+ password = "{{ redis_server_legacy_auth_password }}"
 postfix_base_mynetworks:
@@ -122,3 +126,6 @@ postfix_submission_allowed_sender_domains:
 - chaox.org
 postfix_submission_dkim_signer: "opendkim"
+
+
+postfix_mx_spam_filter: "rspamd"
diff --git a/roles/mail/postfix/mx/defaults/main.yml b/roles/mail/postfix/mx/defaults/main.yml
new file mode 100644
index 00000000..31c9d3f6
--- /dev/null
+++ b/roles/mail/postfix/mx/defaults/main.yml
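Review bot: The two UCL statements in the new `rspamd_modules_override_config.redis` block are terminated inconsistently: `servers = "127.0.0.1";` carries a semicolon while the `password = ...` line does not. rspamd's UCL parser appears to accept newline-terminated statements, so this is probably harmless, but for consistency with the line above I would write `password = "{{ redis_server_legacy_auth_password }}";`. Since this renders the Redis password into /etc/rspamd/override.d/redis.conf, it depends on the `mode`/`owner` tightening this same commit makes in roles/mail/rspamd/tasks/main.yml; a short comment above the block naming that expectation would help the next reader. `redis_server_legacy_auth_password` is referenced but not defined in this hunk, presumably it comes from a vault or another vars file.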
@@ -0,0 +1,23 @@
+---
+# postfix_mx_hostname: mx.example.com
+# postfix_mx_tls:
+# certificate_provider: {{ acme_client }}
+
+postfix_mx_spam_filter: "none"
+# postfix_mx_spam_filter: "rspamd"
+
+# postfix_mx_recipient_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
+
+# postfix_mx_helo_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
+
+# postfix_mx_sender_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
+
+# postfix_mx_relay_restrictions:
+# - "permit_mynetworks"
+# - "permit_sasl_authenticated"
diff --git a/roles/mail/postfix/mx/handlers/main.yml b/roles/mail/postfix/mx/handlers/main.yml
new file mode 100644
index 00000000..bea754c9
--- /dev/null
+++ b/roles/mail/postfix/mx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
diff --git a/roles/mail/postfix/mx/tasks/main.yml b/roles/mail/postfix/mx/tasks/main.yml
new file mode 100644
index 00000000..5ef5ff42
--- /dev/null
+++ b/roles/mail/postfix/mx/tasks/main.yml
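Review bot: The commented example lists for `postfix_mx_recipient_restrictions`, `postfix_mx_helo_restrictions`, `postfix_mx_sender_restrictions` and `postfix_mx_relay_restrictions` contain only `permit_*` entries, and nothing in the file says that a list copied from here must still end in a rejecting rule. An MX that applied such a recipient or relay list verbatim would relay for anyone, so I would add a comment above the examples along the lines of `# NOTE: illustrative only; the relay (or recipient) restrictions must still end with reject_unauth_destination` — Postfix refuses to start without such an entry as far as I recall, but that is a backstop rather than documentation. `permit_sasl_authenticated` on an inbound MX also deserves a comment on whether SASL is expected on this listener at all, since SASL appears to be handled by the submission role in this tree. None of these variables are consumed by the tasks in this commit yet (the TODO in tasks/main.yml), which is worth stating in the defaults file while the role is work in progress.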
@@ -0,0 +1,42 @@
+---
+- name: configure TLS
+ when: postfix_mx_tls is defined
+ block:
+ - name: generate/install/fetch TLS certificate
+ vars:
+ x509_certificate_name: "postfix-{{ postfix_mx_hostname }}"
+ x509_certificate_config: "{{ postfix_mx_tls.certificate_config | default({}) }}"
+ x509_certificate_hostnames:
+ - "{{ postfix_mx_hostname }}"
+ x509_certificate_reload_services:
+ - postfix
+ include_role:
+ name: "x509/{{ postfix_mx_tls.certificate_provider }}/cert"
+
+## TODO: configure virtual and relay domains and maps
+
+- name: configure spam filtering using rspamd
+ when: postfix_mx_spam_filter == "rspamd"
+ block:
+ - name: add postfix user to rspamd group
+ user:
+ name: postfix
+ groups: _rspamd
+ append: yes
+ notify: restart postfix
+
+ - name: configure postfix milter config for rspamd
+ vars:
+ postfix_options:
+ milter_protocol: "6"
+ milter_default_action: "accept"
+ smtpd_milters: "unix:rspamd/rspamd-proxy.sock"
+ non_smtpd_milters: "unix:rspamd/rspamd-proxy.sock"
+ loop: "{{ postfix_options | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ lineinfile:
+ regexp: "^#?\\s*{{ item.key }}\\s*="
+ line: "{{ item.key }} = {{ item.value }}"
+ dest: /etc/postfix/main.cf
+ notify: restart postfix
diff --git a/roles/mail/rspamd/tasks/main.yml b/roles/mail/rspamd/tasks/main.yml
index 503c3669..1397e35d 100644
--- a/roles/mail/rspamd/tasks/main.yml
+++ b/roles/mail/rspamd/tasks/main.yml
@@ -78,6 +78,8 @@
 # ansible generated
 {{ item.value }}
 dest: /etc/rspamd/local.d/{{ item.key }}.conf
+ mode: 0400
+ owner: _rspamd
 notify: reload rspamd
 - name: generate override config files
@@ -89,4 +91,6 @@
 # ansible generated
 {{ item.value }}
 dest: /etc/rspamd/override.d/{{ item.key }}.conf
+ mode: 0400
+ owner: _rspamd
 notify: reload rspamd
-- cgit v1.2.3
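Review bot: `milter_default_action: "accept"` in the rspamd block makes the filter fail open: if the rspamd proxy socket is unavailable, Postfix accepts and delivers mail with no spam check and nothing but a log line to show for it. If that trade-off is deliberate it deserves a comment on the line; otherwise `milter_default_action: "tempfail"` keeps mail on the sender's queue until the filter is back. Separately, `append: yes` in the user task is a YAML 1.1 truthy spelling; `append: true` is the canonical form and what yamllint expects. The socket path `unix:rspamd/rspamd-proxy.sock` is resolved relative to the Postfix queue directory, so this task presumably relies on the rspamd role placing the proxy socket inside it — a comment naming that cross-role dependency would save the next person a debugging session.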
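Review bot: `mode: 0400` is an unquoted octal literal in both added hunks (local.d and override.d); a YAML 1.1 loader reads it as the integer 256, and Ansible's file-module documentation explicitly recommends quoting modes because a leading-zero integer "can fail in loops and some other circumstances" — and the `{{ item.key }}` in `dest` shows these tasks are looped. Write `mode: "0400"` in both places. The tightening itself is the right move now that override.d/redis.conf carries the Redis password, and `owner: _rspamd` matches the group the postfix user is added to in the new mx role.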