From 0c0c509f074bf5a319d1bb9867c4d62af8dd970e Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Sun, 8 Nov 2020 00:02:54 +0100
Subject: [PATCH] postfix-vars, dkim-selector
---
 README.adoc | 4 ++++
 defaults/main.yml | 3 +++
 tasks/main.yml | 35 ++++++++++++-----------------------
 tasks/postfix.yml | 6 +++---
 4 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/README.adoc b/README.adoc
index 711c65a..ba3acb6 100644
--- a/README.adoc
+++ b/README.adoc
@@ -74,6 +74,10 @@
 Full qualified domain name of your mail server.
 It is not possible to choose different for SMTP/Submission/IMAP/Sieve.
 But you can use CNAMEs/X509-Alt-names to define different.
+mail_dkim_selector::
+For DKIM you need a selector, which will be used in DNS.
+E.g. pick the current year.
+
 mail_ldap_basedn::
 LDAP-BaseDN. `cn=example,cn=net` (default: value of ldap_basedn)
diff --git a/defaults/main.yml b/defaults/main.yml
index dae517a..9462d81 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -9,6 +9,9 @@
 mail_ldap_field_password: userPassword
 mail_ldap_filter: '(&(objectClass=simpleSecurityObject)({{mail_ldap_field_user}}=%u))'
 postfix_tls_policy: {}
+postfix_myhostname: '{{mail_server_fqdn}}'
+postfix_myorigin: '{{mail_server_fqdn}}'
+postfix_mynetworks: '::1, 127.0.0.1'
 dovecot_ldap_uris: "{{mail_ldap_uris}}"
 dovecot_ldap_ldaprc_path: /etc/ldap/ldap.conf
diff --git a/tasks/main.yml b/tasks/main.yml
index 7806a7e..a23d4d5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -60,7 +60,7 @@
 - name: vmail-user for Mailboxes
 user:
 name: vmail
- uid: 999
+ uid: '{{postfix_vmail_uid}}'
 comment: Mailboxes
 group: vmail
 shell: /bin/false
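Review bot: `postfix_mynetworks: '::1, 127.0.0.1'` in the defaults hunk writes an unbracketed IPv6 entry into mynetworks, and postconf(5) requires IPv6 address information in mynetworks to be given inside square brackets, so the v6 loopback entry is unlikely to be recognised as intended. Because mynetworks is the set of clients Postfix relays for (via permit_mynetworks), this default should use the documented form and get a README entry next to the new mail_dkim_selector text: `postfix_mynetworks: '127.0.0.0/8, [::1]/128'`. Widening it beyond loopback is the operator's call, so the default should stay as narrow as it is here.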
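Review bot: `uid: '{{postfix_vmail_uid}}'` introduces a variable that the defaults/main.yml hunk of this patch does not define (it only adds the three postfix_* settings), so unless postfix_vmail_uid is set elsewhere in the role or inventory the vmail-user task now fails with an undefined variable where it previously used the fixed 999. Add `postfix_vmail_uid: 999` to defaults/main.yml so the old behaviour remains the default, and consider a matching gid variable for the vmail group so the two stay aligned. The task definition is complete within the hunk.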
@@ -89,20 +89,12 @@
 mode: 03700
 - name: '/var/mail domains'
 file:
- dest: '/var/mail/{{item.key}}'
+ dest: '/var/mail/{{item}}'
 group: vmail
 owner: vmail
 state: directory
 mode: 03700
- with_dict: '{{mail_domains}}'
-
-- name: opendkim.conf copy: src: opendkim.conf dest: /etc owner: root group: root mode: 0644
+ with_items: '{{mail_domains}}'
 - name: /etc/mailname
 copy:
@@ -123,17 +115,17 @@
 insertafter: '^#{{item.key}}[ \t]'
 line: '{{item.key}} {{item.value}}'
 with_dict:
- Domain: '{{mail_domain}}'
- KeyFile: '/etc/dkimkeys/{{dkim_selector}}.key'
+ Domain: '{{mail_server_fqdn}}'
+ KeyFile: '/etc/dkimkeys/{{mail_dkim_selector}}.key'
 Socket: local:/var/spool/postfix/milter/opendkim
- Selector: '{{dkim_selector}}'
+ Selector: '{{mail_dkim_selector}}'
 - name: 'DKIM-key'
 shell: |
 set -e
 f={{item|quote}}
 ulimit 0400
- opendkim-genkey --bits 2048 --domain {{mail_domain|quote}} --restrict --selector "$f"
+ opendkim-genkey --bits 2048 --domain {{mail_server_fqdn|quote}} --restrict --selector "$f"
 chown opendkim:root "$f.private" "$f.txt"
 mv "$f.private" "$f.key"
 mv "$f.txt" "$f.zone"
@@ -169,20 +161,17 @@
 mode: 0444
 with_fileglob: "systemd/default/*"
-- include_tasks:
- name: postfix
-- include_tasks:
- name: dovecot
-- include_tasks:
- name: tls
+- include_tasks: postfix.yml
+- include_tasks: dovecot.yml
+- include_tasks: tls.yml
 - name: enabled services
 systemd:
 name: '{{item}}'
 daemon-reload: true
 enabled: true
- with-items: [dovecot, postfix, opendkim, opendmarc, postsrsd]
+ with_items: [dovecot, postfix, opendkim, opendmarc, postsrsd]
 - name: reload/restart services
 shell: 'systemctl reload-or-restart {{item|quote}}'
- with-items: [dovecot, postfix, opendkim, opendmarc, postsrsd]
+ with_items: [dovecot, postfix, opendkim, opendmarc, postsrsd]
diff --git a/tasks/postfix.yml b/tasks/postfix.yml
index 80f434e..21dc397 100644
--- a/tasks/postfix.yml
+++ b/tasks/postfix.yml
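Review bot: Switching the `/var/mail domains` task from `with_dict` over `item.key` to `with_items` over `item` changes the expected type of mail_domains from a mapping to a list, and the README hunk in this patch says nothing about it; an inventory that still supplies a mapping would now produce one odd directory named after the dict's text under /var/mail instead of one directory per domain. Add a README entry describing the new shape, e.g. `mail_domains:: List of mail domains; one mailbox directory is created under /var/mail per entry.`, and mention the change in the commit message or changelog. Since this task now uses the plain list form, `loop: '{{mail_domains}}'` is the current idiom and would read the same.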
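Review bot: `Domain: '{{mail_server_fqdn}}'` tells OpenDKIM to sign only mail whose From: domain is the server's host name, because the Domain option lists the domains the filter signs for; if mail_server_fqdn is a host name such as mx.example.net rather than the domain users send from, mail from the domains in mail_domains is left unsigned, and where it does match the resulting d= will not align with From: for DMARC. The value should be derived from the mail domains, e.g. `Domain: '{{mail_domains|join(",")}}'`, and the `--domain` argument of opendkim-genkey on the new line should follow suit (it only labels the generated zone snippet, so it is not the signing boundary). Separately, the unchanged `ulimit 0400` in the shell block looks like it was meant to be a umask; `--restrict` already creates the key 0600, so it is harmless for the key but worth checking. The task that owns the insertafter/line arguments and its with_dict loop begin before this hunk.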
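Review bot: The `enabled services` task this hunk corrects from `with-items` to `with_items` still passes `daemon-reload: true` to the systemd module, whose parameter is spelled `daemon_reload`; if the hyphenated key is rejected as an unsupported parameter the task fails in the same way the with-items typo did, so it should be fixed in the same pass: `daemon_reload: true`. The following `reload/restart services` shell task restarts all five daemons on every run and reports changed each time; moving it into a handler notified by the configuration tasks, or at least adding `changed_when: false`, would avoid restarting mail services on no-op runs.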
@@ -49,11 +49,11 @@
 #tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
 smtpd_tls_exclude_ciphers: MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL
 smtpd_tls_eecdh_grade: strong
- myhostname: '{{mail_postfix_domain}}'
- myorigin: '{{mail_postfix_myorigin}}'
+ myhostname: '{{postfix_myhostname}}'
+ myorigin: '{{postfix_myorigin}}'
 mydestination: ''
 relayhost: ''
- mynetworks: '{{mynetworks}}'
+ mynetworks: '{{postfix_mynetworks}}'
 recipient_delimiter: '+'
 inet_interfaces: 'all'
 #inet_protocols: 'ipv4'
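Review bot: The new `myhostname`, `myorigin` and `mynetworks` values read freshly named `postfix_*` variables, so an inventory that still sets the old `mail_postfix_domain`, `mail_postfix_myorigin` or bare `mynetworks` is silently ignored after this change and Postfix gets the new defaults instead; for mynetworks that means the trusted relay set quietly shrinks to loopback, which is fail-closed but will break relaying for anyone who relied on the old variable. Document the renames in README.adoc (the README hunk in this patch only covers mail_dkim_selector), or bridge them for one release in defaults, e.g. `postfix_mynetworks: "{{ mynetworks | default('127.0.0.0/8, [::1]/128') }}"`. The mapping these keys belong to begins before the hunk.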