Diffstat (limited to 'ansible/roles/postfix')
-rw-r--r--ansible/roles/postfix/files/postfix/master.cf113
-rwxr-xr-xansible/roles/postfix/files/postfix/remap.sh9
-rw-r--r--ansible/roles/postfix/handlers/main.yml13
-rw-r--r--ansible/roles/postfix/tasks/main.yml50
-rw-r--r--ansible/roles/postfix/templates/postfix/main.cf.j2194
5 files changed, 379 insertions, 0 deletions
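--- /dev/null
+++ b/ansible/roles/postfix/files/postfix/master.cf
@@ -0,0 +1,113 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+ -o smtpd_sasl_auth_enable=no
+# for verbose connection debugging, append -v to the above args
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+submission inet n - n - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o tls_preempt_cipherlist=yes
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================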
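Review bot: The active `submission` entry (file lines 19–21) inherits the global SASL and restriction settings from main.cf but does not override `syslog_name`, so port-25 and port-587 sessions both log under the same `postfix/smtpd` tag and cannot be separated when auditing authentication attempts; the commented template directly below it already shows the usual overrides. Consider adding `-o syslog_name=postfix/submission` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` so the submission listener serves authenticated clients only. The `maildrop` entry (file lines 85–86) is left uncommented with `user=vmail` while main.cf routes virtual mail to Dovecot LMTP and the role installs no maildrop package, so it appears to be dead configuration; if so, commenting it out keeps an unused pipe(8) transport out of the running master.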
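--- /dev/null
+++ b/ansible/roles/postfix/files/postfix/remap.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+here=$(dirname $0)
+
+MAPS="virtual"
+
+for map in $MAPS; do
+ postmap $here/$map
+done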
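Review bot: `here=$(dirname $0)` and `postmap $here/$map` are unquoted, and the script has no error handling, so a failing `postmap` (for example when the `virtual` source file is not present in /etc/postfix, which this diff does not add) exits 0 and the Ansible handler reports success with a stale or absent `virtual.db`. Suggest `set -euo pipefail` after the shebang, `here=$(dirname "$0")`, and `postmap "$here/$map"`. The handler in handlers/main.yml that invokes this script is named `rehash postfix aliases`, but the script only rebuilds the `virtual` map and never runs `postalias`; renaming the handler (and its notify entry in tasks/main.yml) to something like `rebuild postfix maps` would avoid the mismatch.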
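--- /dev/null
+++ b/ansible/roles/postfix/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+
+- name: reload postfix
+ service:
+ name: postfix
+ state: reloaded
+
+- name: rehash postfix aliases
+ command: /etc/postfix/remap.sh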
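Review bot: Ansible runs handlers in the order they are defined in this file, not in the order they are notified, so when the copy task notifies both `restart postfix` and `rehash postfix aliases` the service is restarted before `/etc/postfix/remap.sh` rebuilds `virtual.db`; moving the `rehash postfix aliases` handler above the `restart postfix` and `reload postfix` handlers makes the map current before Postfix re-reads its configuration. A short comment at the top, `# order matters: handlers run in definition order, map rebuild must precede restart/reload`, would keep a later edit from undoing that.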
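--- /dev/null
+++ b/ansible/roles/postfix/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# postfix install and configuration
+# note: this postfix config requires open ports: 25 and 587
+- name: install postfix
+ apt:
+ state: latest
+ pkg:
+ - postfix
+ - postfix-doc
+ - postfix-pcre
+
+- name: give postfix user permission to read private keys
+ user:
+ name: postfix
+ groups: ssl-cert
+ append: yes
+
+- name: copy postfix config
+ copy:
+ src: postfix/
+ dest: /etc/postfix/
+ mode: preserve
+ notify:
+ - restart postfix # NB this could be a reload instead
+ - rehash postfix aliases
+
+- name: instantiate postfix main.cf template
+ template:
+ src: postfix/main.cf.j2
+ dest: /etc/postfix/main.cf
+ notify:
+ - reload postfix
+
+
+# verify everything is running
+- name: verify services are running in dependency order
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ loop:
+ - postfix
+
+- name: reload if certs newish
+ include_role:
+ name: certreload
+ vars:
+ certreload:
+ notifiers:
+ - reload postfix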
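Review bot: The `give postfix user permission to read private keys` task adds the `postfix` account to `ssl-cert`, which grants it read access to every key that group can read, not just the two referenced in main.cf.j2; Postfix's smtpd and smtp processes load `smtpd_tls_key_file`/`smtp_tls_key_file` during their pre-jail initialisation while still running as root, so this membership is probably unnecessary — verify on a target host that TLS works without it and drop the task if so, leaving the keys root-only. `apt: state: latest` upgrades all three packages on every run, so a routine play can change the MTA version outside a deliberate change; `state: present` keeps the role idempotent. The copy task notifies `restart postfix` while the template task notifies `reload postfix`, so a run that touches both triggers a restart followed by a reload; the inline comment already notes that a reload would suffice for the copied files.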
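--- /dev/null
+++ b/ansible/roles/postfix/templates/postfix/main.cf.j2
@@ -0,0 +1,194 @@
+# Modified from https://www.c0ffee.net/blog/mail-server-guide
+
+smtpd_banner = $myhostname ESMTP dx Independence
+
+# "2" is current for postfix 3.2 configs
+compatibility_level = 2
+
+# disable "new mail" notifications for local unix users
+biff = no
+
+# directory to store mail for local unix users
+mail_spool_directory = /var/mail/local
+
+# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
+# sure this resolves to the same IP as your reverse DNS hostname.
+myhostname = {{ network.hostname.public }}
+
+# Domains for which postfix will deliver local mail. Does not apply to
+# virtual domains, which are configured below. Make sure to specify the FQDN
+# of your sever, as well as localhost.
+# Note: NEVER specify any virtual domains here!!! Those come later.
+mydestination = localhost
+
+# Domain appended to mail sent locally from this machine - such as mail sent
+# via the `sendmail` command.
+myorigin = $myhostname
+
+# prevent spammers from searching for valid users
+disable_vrfy_command = yes
+
+# require properly formatted email addresses - prevents a lot of spam
+strict_rfc821_envelopes = yes
+
+# don't give any helpful info when a mailbox doesn't exist
+show_user_unknown_table_name = no
+
+# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
+# the message size for the mail to be accepted, but has no meaning after
+# that since we are using Dovecot for delivery.
+message_size_limit = 268435456
+mailbox_size_limit = 0
+
+# require addresses of the form "[email protected]"
+allow_percent_hack = no
+swap_bangpath = no
+
+# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
+recipient_delimiter = +
+
+# path to the SSL certificate for the mail server
+smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
+smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
+
+# You can also specify an EC cert to try first if the clients support it.
+smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
+smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
+
+# Path to your trusted certificates file. Usually provided by a
+# ca-certificates package or similar.
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+
+# These two lines define how postfix will connect to other mail servers.
+# "may" allows opportunistic TLS and "enabled" allows hostname lookups
+# http://www.postfix.org/TLS_README.html
+smtp_tls_security_level = may
+smtp_dns_support_level = enabled
+
+# IP address used by postfix to send outgoing mail. You only need this if
+# your machine has multiple IP addresses - set it to your MX address to
+# satisfy your SPF record.
+smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
+smtp_bind_address6 =
+inet_interfaces = 127.0.0.1,$smtp_bind_address
+inet_protocols = ipv4
+
+# Here we define the options for "mandatory" TLS. In our setup, TLS is only
+# "mandatory" for authenticating users. I got these settings from Mozilla's
+# SSL reccomentations page.
+#
+# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
+# connections. Do not attempt to change the default cipherlist for non-
+# mandatory connections either. There are still a lot of mail servers out
+# there that do not use TLS, and many that do only support old ciphers.
+# Forcing TLS for everyone *will* cause you to lose mail.
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
+smtpd_tls_mandatory_ciphers = high
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+
+# allow other mail servers to connect using TLS, but don't require it
+smtpd_tls_security_level = may
+
+# tickets and compression have known vulnerabilities
+tls_ssl_options = no_ticket, no_compression
+
+# yes, using 2048 with "dh1024" is the right thing to do
+smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
+
+# cache incoming and outgoing TLS sessions
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
+
+# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
+# runtime directory that we will use for authentication.
+# TODO: can also replace this with a network inet connection if dovecot opens it
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = private/auth
+smtpd_sasl_type = dovecot
+
+# only allow authentication over TLS
+smtpd_tls_auth_only = yes
+
+# don't allow plaintext auth methods on unencrypted connections
+smtpd_sasl_security_options = noanonymous, noplaintext
+# but plaintext auth is fine when using TLS
+smtpd_sasl_tls_security_options = noanonymous
+
+# add a message header when email was recieved over TLS
+smtpd_tls_received_header = yes
+
+# require that connecting mail servers identify themselves - this greatly
+# reduces spam
+smtpd_helo_required = yes
+
+# The following block specifies some security restrictions for incoming
+# mail. The gist of it is, authenticated users and connections from
+# localhost can do anything they want. Random people connecting over the
+# internet are treated with more suspicion: they must have a reverse DNS
+# entry and present a valid, FQDN HELO hostname. In addition, they can only
+# send mail to valid mailboxes on the server, and the sender's domain must
+# actually exist.
+smtpd_client_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ #reject_unknown_reverse_client_hostname,
+ # you might want to consider:
+ # reject_unknown_client_hostname,
+ # here. This will reject all incoming connections without a reverse DNS
+ # entry that resolves back to the client's IP address. This is a very
+ # restrictive check and may reject legitimate mail.
+ reject_unauth_pipelining
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname,
+ # you might want to consider:
+ # reject_unknown_helo_hostname,
+ # here. This will reject all incoming mail without a HELO hostname that
+ # properly resolves in DNS. This is a somewhat restrictive check and may
+ # reject legitimate mail.
+ reject_unauth_pipelining
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_non_fqdn_sender,
+# reject_unknown_sender_domain,
+ reject_unauth_pipelining
+smtpd_relay_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
+ reject_unauth_destination
+ # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
+#smtpd_recipient_restrictions =
+# permit_mynetworks,
+# permit_sasl_authenticated,
+# reject_non_fqdn_recipient,
+# reject_unknown_recipient_domain,
+# reject_unauth_pipelining,
+smtpd_data_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_multi_recipient_bounce,
+ reject_unauth_pipelining
+
+smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+
+# deliver mail for virtual users to Dovecot's LMTP socket
+# TODO: convert this to network with dovecot opening a local inet port
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = /etc/postfix/domains
+
+virtual_alias_maps = hash:/etc/postfix/virtual
+#virtual_alias_domains = /etc/postfix/domains
+
+# We'll uncomment these when we set up rspamd later:
+milter_protocol = 6
+milter_default_action = accept
+#smtpd_milters = unix:/var/run/rspamd/milter.sock
+smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}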
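Review bot: `smtpd_milters = inet:localhost:11332` (file line 193) is already active although the comment at line 189 says it will be uncommented later, and with `milter_default_action = accept` a stopped or unreachable rspamd means inbound mail is accepted unfiltered with only a warning in the log — a fail-open that the stale comment does not acknowledge. Replace the comment with one that states the intent, e.g. `# rspamd milter; "accept" fails open when rspamd is down, use "tempfail" to fail closed`, and make sure the milter connection is covered by monitoring. `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2` names TLSv1.2 explicitly; on Postfix 3.4 or later built against OpenSSL 1.1.1 an explicit inclusion list disables TLSv1.3, so the exclusion-only form `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` is safer as the packages are upgraded. `smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem` references a file this role does not create; if another role provides it, a comment naming that role would save the next reader a search.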