ansible-role-mail/tasks/postfix.yml

---
# vim: set et sw=2 ts=2 sts=2:

- name: postfix-configs
  copy:
    src: "{{item}}"
    dest: /etc/postfix
    owner: root
    group: root
    mode: 0444
  with_fileglob:
  - "postfix/*"

  - name: 'postfix: main.cf'
    lineinfile:
      path: /etc/postfix/main.cf
      insertafter: "^#{{item.key}} *= *"
      regexp: "^{{item.key}} *= *"
      line: "{{item.key}} = {{item.value}}"
    with_dict:
      compatibility_level: "2"
      html_directory: /usr/share/doc/postfix/html
      default_database_type: lmdb

      # Verbindungssicherheit / Verschluesselung:
      smtpd_tls_cert_file: "/etc/postfix/tls/{{mail_server_fqdn}}.crt"
      smtpd_tls_key_file: "/etc/postfix/tls/{{mail_server_fqdn}}.key"
      smtpd_use_tls: 'yes'
      smtpd_tls_session_cache_database: 'lmdb:${data_directory}/smtpd_scache'
      smtp_tls_session_cache_database: 'lmdb:${data_directory}/smtp_scache'
      smtpd_tls_loglevel: "1"
      smtp_tls_loglevel: "1"
      smtpd_tls_security_level: may
      smtp_tls_security_level: may
      smtpd_tls_auth_only: 'yes'
      tls_ssl_options: NO_COMPRESSION
      # Some servers are crapy.  If we provide only TLSv1.2, he would try it unencrypted again.
      smtpd_tls_mandatory_protocols: '>=TLSv1.2'
      smtpd_tls_protocols: '>=TLSv1.2'
      # Same for sending mails: :/
      smtp_tls_mandatory_protocols: '>=TLSv1.2'
      smtp_tls_protocols: '>=TLSv1.2'
      # Internal/Clients must support better crypto:
      lmtp_tls_mandatory_protocols: '>=TLSv1.2'
      lmtp_tls_protocols: '>=TLSv1.2'
      submission_tls_mandatory_protocols: '>=TLSv1.2'
      submission_tls_protocols: '>=TLSv1.2'
      smtpd_tls_mandatory_ciphers: high
      #tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
      smtpd_tls_exclude_ciphers: MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL
      smtpd_tls_eecdh_grade: strong
      myhostname: '{{mail_postfix_domain}}'
      myorigin: '{{mail_postfix_myorigin}}'
      mydestination: ''
      relayhost: ''
      mynetworks: '{{mynetworks}}'
      recipient_delimiter: '+'
      inet_interfaces: 'all'
      #inet_protocols: 'ipv4'

      alias_maps: 'cdb:/etc/aliases'
      alias_database: 'cdb:/etc/aliases'
      smtp_generic_maps: cdb:/etc/postfix/generic_map
      smtpd_sasl_type: dovecot
      smtpd_sasl_path: private/auth
      smtpd_sasl_local_domain: '{{domain}}'
      smtpd_sasl_security_options: noanonymous
      smtpd_sasl_auth_enable: 'no'
      strict_rfc821_envelopes: 'yes'
      smtpd_reject_unlisted_sender: 'yes'
      smtp_tls_policy_maps: 'cdb:/etc/postfix/tls_policy'

      #### Zustellung und Ueberpruefung, ob Server fuer die Domain zustaendig ist und die Adresse existiert:
      # domain ist virtuell und nicht lokal!
      # zustellung via lmtp and dovecot:
      virtual_transport: "lmtp:unix:private/dovecot-lmtp"
      # ebenso.  eigentlich nicht in verwendung.
      local_transport: "lmtp:unix:private/dovecot-lmtp"
      # welche domains sind moeglich?
      virtual_mailbox_domains: "cdb:/etc/postfix/virtual_endpoint_map"
      # aliases fuer virtuelle adressen.
      virtual_alias_maps: "cdb:/etc/postfix/virtual_aliases, cdb:/etc/postfix/mailinglists"
      sender_canonical_maps: "cdb:/etc/postfix/sender_canonical"
      # virtual_mailbox_maps wird nicht gesezt, da virtual_transport die ueberpruefung vornimmt.
      smtpd_relay_restrictions: 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'

      address_verify_map: 'lmdb:$data_directory/verify_cache'
      unknown_address_reject_code: 550

      smtpd_recipient_restrictions: 'reject_unknown_reverse_client_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, permit_mynetworks, reject_unauth_destination, reject_unverified_recipient, check_policy_service unix:private/policy-spf'

      # Postscreen
      postscreen_greet_banner: 'Loving the dog most, oh human, you say is a sin.  The dog stayed true to me during the storm, the human not even during the wind.'
      postscreen_cache_map: 'lmdb:$data_directory/postscreen_cache'
      postscreen_access_list: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr'
      postscreen_blacklist_action: 'enforce'
      postscreen_greet_action: 'enforce'
      postscreen_pipelining_enable: 'yes'
      postscreen_dnsbl_threshold: '1'
      postscreen_dnsbl_sites: 'ix.dnsbl.manitu.net b.barracudacentral.org dnsbl.sorbs.net dnsbl-3.uceprotect.net dnsbl-2.uceprotect.net dnsbl-1.uceprotect.net'
      postscreen_dnsbl_action: 'enforce'
      postscreen_dnsbl_ttl: '1h'
      # TODO: greylisting custom message

      # SPF
      policy-spf_time_limit: 3600s

      # DKIM
      milter_default_action: accept
      milter_protocol: "2"
      smtpd_milters: 'unix:milter/opendkim, unix:milter/opendmarc'
      non_smtpd_milters: 'unix:milter/opendkim'

- name: mailinglists-aliases
  template:
    src: mailinglist-aliases.j2
    dest: /etc/postfix/mailinglists
    mode: 0444
    owner: root
    group: root

- name: dummy files if needed
  copy:
    dest: '{{item.key}}'
    content: '{{item.value}}'
    force: no
  with_dict: '{{postfix_default_file_content}}'

- name: force TLS for these
  lineinfile:
    path: /etc/postfix/tls_policy
    regexp: '^{{key}}[ \t]'
    line: '{{key}} {{value}}'
  with_dict: '{{postfix_tls_policy}}'

- name: prepare aliases-lookup-tables
  command: newaliases
- name: prepare lookup-tables
  shell: 'postmap {{item|quote}}'
  args:
    chdir: /etc/postfix
  with_items: '{{postfix_postmap}}'
init 2020-11-07 20:27:01 +01:00			`---`
			`# vim: set et sw=2 ts=2 sts=2:`

			`- name: postfix-configs`
tabs to two spaces 2020-11-07 23:23:20 +01:00			`copy:`
			`src: "{{item}}"`
			`dest: /etc/postfix`
			`owner: root`
			`group: root`
			`mode: 0444`
			`with_fileglob:`
			`- "postfix/*"`
init 2020-11-07 20:27:01 +01:00
			`- name: 'postfix: main.cf'`
			`lineinfile:`
			`path: /etc/postfix/main.cf`
			`insertafter: "^#{{item.key}} = "`
			`regexp: "^{{item.key}} = "`
			`line: "{{item.key}} = {{item.value}}"`
			`with_dict:`
			`compatibility_level: "2"`
			`html_directory: /usr/share/doc/postfix/html`
			`default_database_type: lmdb`

			`# Verbindungssicherheit / Verschluesselung:`
more variables. 2020-11-07 22:36:05 +01:00			`smtpd_tls_cert_file: "/etc/postfix/tls/{{mail_server_fqdn}}.crt"`
			`smtpd_tls_key_file: "/etc/postfix/tls/{{mail_server_fqdn}}.key"`
init 2020-11-07 20:27:01 +01:00			`smtpd_use_tls: 'yes'`
			`smtpd_tls_session_cache_database: 'lmdb:${data_directory}/smtpd_scache'`
			`smtp_tls_session_cache_database: 'lmdb:${data_directory}/smtp_scache'`
			`smtpd_tls_loglevel: "1"`
			`smtp_tls_loglevel: "1"`
			`smtpd_tls_security_level: may`
			`smtp_tls_security_level: may`
			`smtpd_tls_auth_only: 'yes'`
			`tls_ssl_options: NO_COMPRESSION`
			`# Some servers are crapy. If we provide only TLSv1.2, he would try it unencrypted again.`
			`smtpd_tls_mandatory_protocols: '>=TLSv1.2'`
			`smtpd_tls_protocols: '>=TLSv1.2'`
			`# Same for sending mails: :/`
			`smtp_tls_mandatory_protocols: '>=TLSv1.2'`
			`smtp_tls_protocols: '>=TLSv1.2'`
			`# Internal/Clients must support better crypto:`
			`lmtp_tls_mandatory_protocols: '>=TLSv1.2'`
			`lmtp_tls_protocols: '>=TLSv1.2'`
			`submission_tls_mandatory_protocols: '>=TLSv1.2'`
			`submission_tls_protocols: '>=TLSv1.2'`
			`smtpd_tls_mandatory_ciphers: high`
			`#tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'`
			`smtpd_tls_exclude_ciphers: MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL`
			`smtpd_tls_eecdh_grade: strong`
			`myhostname: '{{mail_postfix_domain}}'`
			`myorigin: '{{mail_postfix_myorigin}}'`
			`mydestination: ''`
			`relayhost: ''`
			`mynetworks: '{{mynetworks}}'`
			`recipient_delimiter: '+'`
			`inet_interfaces: 'all'`
			`#inet_protocols: 'ipv4'`

			`alias_maps: 'cdb:/etc/aliases'`
			`alias_database: 'cdb:/etc/aliases'`
			`smtp_generic_maps: cdb:/etc/postfix/generic_map`
			`smtpd_sasl_type: dovecot`
			`smtpd_sasl_path: private/auth`
			`smtpd_sasl_local_domain: '{{domain}}'`
			`smtpd_sasl_security_options: noanonymous`
			`smtpd_sasl_auth_enable: 'no'`
			`strict_rfc821_envelopes: 'yes'`
			`smtpd_reject_unlisted_sender: 'yes'`
			`smtp_tls_policy_maps: 'cdb:/etc/postfix/tls_policy'`

			`#### Zustellung und Ueberpruefung, ob Server fuer die Domain zustaendig ist und die Adresse existiert:`
			`# domain ist virtuell und nicht lokal!`
			`# zustellung via lmtp and dovecot:`
			`virtual_transport: "lmtp:unix:private/dovecot-lmtp"`
			`# ebenso. eigentlich nicht in verwendung.`
			`local_transport: "lmtp:unix:private/dovecot-lmtp"`
			`# welche domains sind moeglich?`
			`virtual_mailbox_domains: "cdb:/etc/postfix/virtual_endpoint_map"`
			`# aliases fuer virtuelle adressen.`
			`virtual_alias_maps: "cdb:/etc/postfix/virtual_aliases, cdb:/etc/postfix/mailinglists"`
			`sender_canonical_maps: "cdb:/etc/postfix/sender_canonical"`
			`# virtual_mailbox_maps wird nicht gesezt, da virtual_transport die ueberpruefung vornimmt.`
			`smtpd_relay_restrictions: 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'`

			`address_verify_map: 'lmdb:$data_directory/verify_cache'`
			`unknown_address_reject_code: 550`

			`smtpd_recipient_restrictions: 'reject_unknown_reverse_client_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, permit_mynetworks, reject_unauth_destination, reject_unverified_recipient, check_policy_service unix:private/policy-spf'`

			`# Postscreen`
			`postscreen_greet_banner: 'Loving the dog most, oh human, you say is a sin. The dog stayed true to me during the storm, the human not even during the wind.'`
			`postscreen_cache_map: 'lmdb:$data_directory/postscreen_cache'`
			`postscreen_access_list: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr'`
			`postscreen_blacklist_action: 'enforce'`
			`postscreen_greet_action: 'enforce'`
			`postscreen_pipelining_enable: 'yes'`
			`postscreen_dnsbl_threshold: '1'`
			`postscreen_dnsbl_sites: 'ix.dnsbl.manitu.net b.barracudacentral.org dnsbl.sorbs.net dnsbl-3.uceprotect.net dnsbl-2.uceprotect.net dnsbl-1.uceprotect.net'`
			`postscreen_dnsbl_action: 'enforce'`
			`postscreen_dnsbl_ttl: '1h'`
			`# TODO: greylisting custom message`

			`# SPF`
			`policy-spf_time_limit: 3600s`

			`# DKIM`
			`milter_default_action: accept`
			`milter_protocol: "2"`
			`smtpd_milters: 'unix:milter/opendkim, unix:milter/opendmarc'`
			`non_smtpd_milters: 'unix:milter/opendkim'`

			`- name: mailinglists-aliases`
tabs to two spaces 2020-11-07 23:23:20 +01:00			`template:`
			`src: mailinglist-aliases.j2`
			`dest: /etc/postfix/mailinglists`
			`mode: 0444`
			`owner: root`
			`group: root`
init 2020-11-07 20:27:01 +01:00
			`- name: dummy files if needed`
tabs to two spaces 2020-11-07 23:23:20 +01:00			`copy:`
			`dest: '{{item.key}}'`
			`content: '{{item.value}}'`
			`force: no`
			`with_dict: '{{postfix_default_file_content}}'`
init 2020-11-07 20:27:01 +01:00
			`- name: force TLS for these`
tabs to two spaces 2020-11-07 23:23:20 +01:00			`lineinfile:`
			`path: /etc/postfix/tls_policy`
			`regexp: '^{{key}}[ \t]'`
			`line: '{{key}} {{value}}'`
			`with_dict: '{{postfix_tls_policy}}'`
init 2020-11-07 20:27:01 +01:00
			`- name: prepare aliases-lookup-tables`
tabs to two spaces 2020-11-07 23:23:20 +01:00			`command: newaliases`
init 2020-11-07 20:27:01 +01:00			`- name: prepare lookup-tables`
tabs to two spaces 2020-11-07 23:23:20 +01:00			`shell: 'postmap {{item\|quote}}'`
			`args:`
			`chdir: /etc/postfix`
			`with_items: '{{postfix_postmap}}'`