Diffstat (limited to 'ansible/roles/postfix')
-rw-r--r-- | ansible/roles/postfix/files/postfix/master.cf | 113 | ||||
-rwxr-xr-x | ansible/roles/postfix/files/postfix/remap.sh | 9 | ||||
-rw-r--r-- | ansible/roles/postfix/handlers/main.yml | 13 | ||||
-rw-r--r-- | ansible/roles/postfix/tasks/main.yml | 50 | ||||
-rw-r--r-- | ansible/roles/postfix/templates/postfix/main.cf.j2 | 194 |
5 files changed, 379 insertions, 0 deletions
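--- /dev/null
+++ b/ansible/roles/postfix/files/postfix/master.cf
@@ -0,0 +1,113 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+  -o smtpd_sasl_auth_enable=no
+# for verbose connection debugging, append -v to the above args
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+submission inet n - n - - smtpd
+  -o smtpd_tls_security_level=encrypt
+  -o tls_preempt_cipherlist=yes
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+  -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================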
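Review bot: The live `submission` service (lines 19–21) carries only two overrides, so clients on port 587 are evaluated against the same main.cf relay policy as port 25, their log lines are indistinguishable from port-25 `smtpd` traffic, and authenticated submissions reach the milter without the ORIGINATING marker that some milters use to tell outbound from inbound mail. The commented template directly below it (lines 22–33) already lists the usual overrides; I would add at least `-o syslog_name=postfix/submission`, `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` and `-o milter_macro_daemon_name=ORIGINATING` to the live entry. The chroot column also differs between the two `smtpd` listeners (`y` on 25, `n` on 587); if that is deliberate, a one-line comment saying why would save the next reader from "fixing" it.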
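--- /dev/null
+++ b/ansible/roles/postfix/files/postfix/remap.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+here=$(dirname $0)
+
+MAPS="virtual"
+
+for map in $MAPS; do
+    postmap $here/$map
+done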
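Review bot: `here=$(dirname $0)` (line 3) and `postmap $here/$map` (line 8) are unquoted, and the script has no failure handling, so if `postmap` fails the Ansible handler that runs it still reports success and Postfix keeps serving whatever stale `virtual.db` was there before. Add `set -euo pipefail` after the shebang and quote the expansions: `here=$(dirname "$0")` and `postmap "$here/$map"`. A one-line header comment such as `# Rebuild the hash: lookup tables in this directory; invoked by the "rehash postfix aliases" handler` would also make the script self-explanatory when found under /etc/postfix.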
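--- /dev/null
+++ b/ansible/roles/postfix/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded
+
+- name: rehash postfix aliases
+  command: /etc/postfix/remap.sh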
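Review bot: The handler name `rehash postfix aliases` (line 12) does not describe what `/etc/postfix/remap.sh` does — its `MAPS` variable only lists `virtual`, so the alias database is never rebuilt and a reader would wrongly assume local aliases are maintained here. Rename it to something like `rebuild postfix lookup tables` (and the matching `notify:` entry in tasks/main.yml), or add a `newaliases` step if aliases really are meant to be covered. The `command:` handler also lacks `changed_when`, so it reports a change on every notification; `changed_when: false` keeps the play summary honest since the script's effect is already implied by the notifying task.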
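--- /dev/null
+++ b/ansible/roles/postfix/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# postfix install and configuration
+# note: this postfix config requires open ports: 25 and 587
+- name: install postfix
+  apt:
+    state: latest
+    pkg:
+      - postfix
+      - postfix-doc
+      - postfix-pcre
+
+- name: give postfix user permission to read private keys
+  user:
+    name: postfix
+    groups: ssl-cert
+    append: yes
+
+- name: copy postfix config
+  copy:
+    src: postfix/
+    dest: /etc/postfix/
+    mode: preserve
+  notify:
+    - restart postfix # NB this could be a reload instead
+    - rehash postfix aliases
+
+- name: instantiate postfix main.cf template
+  template:
+    src: postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
+  notify:
+    - reload postfix
+
+
+# verify everything is running
+- name: verify services are running in dependency order
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  loop:
+    - postfix
+
+- name: reload if certs newish
+  include_role:
+    name: certreload
+  vars:
+    certreload:
+      notifiers:
+        - reload postfix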
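Review bot: `apt: state: latest` (line 6) upgrades the three packages on every run, so any unrelated playbook run can roll a new Postfix build onto a public-facing listener without review; `state: present` (with a separate, explicit upgrade task when an upgrade is intended) keeps changes deliberate and reproducible. The `ssl-cert` group membership added in lines 12–16 deserves a second look: as far as I recall, `smtpd(8)` opens `smtpd_tls_key_file` during its pre-jail initialisation while still running as root, so the unprivileged `postfix` account would not need the group at all, and granting it makes every group-readable key under /etc/ssl/private accessible to that account — worth confirming on a test host (remove the membership, reload, check that TLS still starts) before keeping it. If the membership turns out to be required, a comment naming which component reads the key as `postfix` would spare the next maintainer the same investigation.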
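--- /dev/null
+++ b/ansible/roles/postfix/templates/postfix/main.cf.j2
@@ -0,0 +1,194 @@
+# Modified from https://www.c0ffee.net/blog/mail-server-guide
+
+smtpd_banner = $myhostname ESMTP dx Independence
+
+# "2" is current for postfix 3.2 configs
+compatibility_level = 2
+
+# disable "new mail" notifications for local unix users
+biff = no
+
+# directory to store mail for local unix users
+mail_spool_directory = /var/mail/local
+
+# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
+# sure this resolves to the same IP as your reverse DNS hostname.
+myhostname = {{ network.hostname.public }}
+
+# Domains for which postfix will deliver local mail. Does not apply to
+# virtual domains, which are configured below. Make sure to specify the FQDN
+# of your sever, as well as localhost.
+# Note: NEVER specify any virtual domains here!!! Those come later.
+mydestination = localhost
+
+# Domain appended to mail sent locally from this machine - such as mail sent
+# via the `sendmail` command.
+myorigin = $myhostname
+
+# prevent spammers from searching for valid users
+disable_vrfy_command = yes
+
+# require properly formatted email addresses - prevents a lot of spam
+strict_rfc821_envelopes = yes
+
+# don't give any helpful info when a mailbox doesn't exist
+show_user_unknown_table_name = no
+
+# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
+# the message size for the mail to be accepted, but has no meaning after
+# that since we are using Dovecot for delivery.
+message_size_limit = 268435456
+mailbox_size_limit = 0
+
+# require addresses of the form "[email protected]"
+allow_percent_hack = no
+swap_bangpath = no
+
+# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
+recipient_delimiter = +
+
+# path to the SSL certificate for the mail server
+smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
+smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
+
+# You can also specify an EC cert to try first if the clients support it.
+smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
+smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
+
+# Path to your trusted certificates file. Usually provided by a
+# ca-certificates package or similar.
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+
+# These two lines define how postfix will connect to other mail servers.
+# "may" allows opportunistic TLS and "enabled" allows hostname lookups
+# http://www.postfix.org/TLS_README.html
+smtp_tls_security_level = may
+smtp_dns_support_level = enabled
+
+# IP address used by postfix to send outgoing mail. You only need this if
+# your machine has multiple IP addresses - set it to your MX address to
+# satisfy your SPF record.
+smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
+smtp_bind_address6 =
+inet_interfaces = 127.0.0.1,$smtp_bind_address
+inet_protocols = ipv4
+
+# Here we define the options for "mandatory" TLS. In our setup, TLS is only
+# "mandatory" for authenticating users. I got these settings from Mozilla's
+# SSL reccomentations page.
+#
+# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
+# connections. Do not attempt to change the default cipherlist for non-
+# mandatory connections either. There are still a lot of mail servers out
+# there that do not use TLS, and many that do only support old ciphers.
+# Forcing TLS for everyone *will* cause you to lose mail.
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
+smtpd_tls_mandatory_ciphers = high
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+
+# allow other mail servers to connect using TLS, but don't require it
+smtpd_tls_security_level = may
+
+# tickets and compression have known vulnerabilities
+tls_ssl_options = no_ticket, no_compression
+
+# yes, using 2048 with "dh1024" is the right thing to do
+smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
+
+# cache incoming and outgoing TLS sessions
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
+
+# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
+# runtime directory that we will use for authentication.
+# TODO: can also replace this with a network inet connection if dovecot opens it
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = private/auth
+smtpd_sasl_type = dovecot
+
+# only allow authentication over TLS
+smtpd_tls_auth_only = yes
+
+# don't allow plaintext auth methods on unencrypted connections
+smtpd_sasl_security_options = noanonymous, noplaintext
+# but plaintext auth is fine when using TLS
+smtpd_sasl_tls_security_options = noanonymous
+
+# add a message header when email was recieved over TLS
+smtpd_tls_received_header = yes
+
+# require that connecting mail servers identify themselves - this greatly
+# reduces spam
+smtpd_helo_required = yes
+
+# The following block specifies some security restrictions for incoming
+# mail. The gist of it is, authenticated users and connections from
+# localhost can do anything they want. Random people connecting over the
+# internet are treated with more suspicion: they must have a reverse DNS
+# entry and present a valid, FQDN HELO hostname. In addition, they can only
+# send mail to valid mailboxes on the server, and the sender's domain must
+# actually exist.
+smtpd_client_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    #reject_unknown_reverse_client_hostname,
+    # you might want to consider:
+    # reject_unknown_client_hostname,
+    # here. This will reject all incoming connections without a reverse DNS
+    # entry that resolves back to the client's IP address. This is a very
+    # restrictive check and may reject legitimate mail.
+    reject_unauth_pipelining
+smtpd_helo_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_invalid_helo_hostname,
+    reject_non_fqdn_helo_hostname,
+    # you might want to consider:
+    # reject_unknown_helo_hostname,
+    # here. This will reject all incoming mail without a HELO hostname that
+    # properly resolves in DNS. This is a somewhat restrictive check and may
+    # reject legitimate mail.
+    reject_unauth_pipelining
+smtpd_sender_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_non_fqdn_sender,
+    # reject_unknown_sender_domain,
+    reject_unauth_pipelining
+smtpd_relay_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
+    reject_unauth_destination
+    # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
+#smtpd_recipient_restrictions =
+# permit_mynetworks,
+# permit_sasl_authenticated,
+# reject_non_fqdn_recipient,
+# reject_unknown_recipient_domain,
+# reject_unauth_pipelining,
+smtpd_data_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_multi_recipient_bounce,
+    reject_unauth_pipelining
+
+smtpd_recipient_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination
+
+# deliver mail for virtual users to Dovecot's LMTP socket
+# TODO: convert this to network with dovecot opening a local inet port
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = /etc/postfix/domains
+
+virtual_alias_maps = hash:/etc/postfix/virtual
+#virtual_alias_domains = /etc/postfix/domains
+
+# We'll uncomment these when we set up rspamd later:
+milter_protocol = 6
+milter_default_action = accept
+#smtpd_milters = unix:/var/run/rspamd/milter.sock
+smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}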
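Review bot: The comment on line 189 says the rspamd settings are still commented out, but `smtpd_milters = inet:localhost:11332` on line 193 is live, and combined with `milter_default_action = accept` (line 191) any period in which rspamd is down or not yet installed means mail is accepted unfiltered with nothing but a warning in the mail log. Fix the comment now, and once rspamd is actually deployed consider `milter_default_action = tempfail` so a missing filter is noticed rather than silently bypassed; `non_smtpd_milters` is also unset, so mail submitted locally via `sendmail`/`pickup` never reaches the milter, which may or may not be intended. Separately, `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2` (line 85) mixes an inclusion with exclusions; if I read Postfix's protocol-mask handling correctly, the presence of an inclusion makes the list mean "TLSv1.2 only", which would keep TLSv1.3 off the submission port on builds that support it, so dropping the trailing `TLSv1.2` and relying on the exclusions alone is the safer form.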