# Build the effective postfix configuration: role defaults first, then the
# caller-supplied overrides on top. `recursive=true` deep-merges nested
# mappings, so a caller can change one nested option without restating the
# whole section. Both inputs default to an empty dict when undefined.
- name: set postfix_cfg
  set_fact:
    postfix_cfg: '{{ postfix_default_config | d({}) | combine(postfix_config | d({}), recursive=true) }}'
# Install postfix through the shared package helper. The extra packages are
# the pieces the later tasks rely on: postfix-openrc presumably supplies the
# service script used by the final `service` task, postfix-pgsql backs the
# SQL map snippets and postfix-pcre backs the .pcre filter maps.
- name: install postfix
  vars:
    package:
      - postfix
      - postfix-openrc
      - postfix-pgsql
      - postfix-pcre
  include_tasks: tasks/install_packages.yml
# Dedicated service account for postfix, created through the shared helper so
# uid/gid handling stays consistent with the other roles.
- name: create user and group
  vars:
    user:
      name: '{{ postfix_user }}'
      group: '{{ postfix_group }}'
  include_tasks: tasks/create_user.yml
# The queue root must stay root-owned: postfix's own permission check expects
# /var/spool/postfix to belong to root, not to the unprivileged service user.
# No mode is set here, so an existing directory keeps its current permissions
# and only ownership is enforced.
- name: ensure postfix spool directory is owned by root
  file:
    path: /var/spool/postfix
    owner: root
    group: root
    state: directory
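# Private config/SQL/TLS directories, readable by the owner only.
# The mode is quoted on purpose: an unquoted 0700 is parsed as an octal
# integer by YAML 1.1 loaders but as decimal 700 by a YAML 1.2 loader, which
# would silently yield a different permission set. No owner/group is given,
# so ownership follows the account Ansible runs as (presumably root).
- name: create postfix directory structure
  file:
    path: '{{ item }}'
    state: directory
    mode: '0700'
  loop:
    - '{{ postfix_conf_dir }}'
    - '{{ postfix_sql_dir }}'
    - '{{ postfix_tls_dir }}'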
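# 2048-bit DH parameters for postfix's TLS server side, produced by the ca
# role. `remote_gen` presumably means the parameters are generated on the
# target host rather than copied from the controller — confirm against the
# ca role. Booleans are written as `true` rather than `yes` so a YAML 1.2
# loader reads the same value.
- name: generate dh params
  include_role:
    name: ca
  vars:
    function: dhparams
    dh_params:
      path: '{{ postfix_tls_dh2048 }}'
      mode: '0400'
      remote_gen: true
  notify: restart postfix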
# Drop the distribution's sample lookup tables and the .proto files so only
# the templated configuration below remains in the config directory. The
# loop items are fixed literals, so the joined path cannot escape
# postfix_conf_dir.
- name: remove unneeded postfix files
  file:
    path: '{{ postfix_conf_dir }}/{{ item }}'
    state: absent
  loop:
    - access
    - aliases
    - canonical
    - generic
    - header_checks
    - main.cf.proto
    - master.cf.proto
    - relocated
    - transport
    - virtual
  notify: restart postfix
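# Render the postfix configuration from templates. A plain string item
# `<name>` is rendered from `<name>.j2` into `<name>.cf`; a mapping item
# names the template and destination explicitly (the filter maps, which keep
# their .cidr/.pcre/.hash suffixes). `force: true` overwrites edits made on
# the host, so the templates are the source of truth. Files are 0400 because
# main.cf and the maps may carry sensitive settings.
# NOTE(review): smtpd_checks_relaxed.hash is a hash: map source; nothing in
# this file runs postmap on it, so unless the restart handler or the template
# takes care of the .db, the compiled map may be stale — confirm.
- name: template postfix configuration
  template:
    src: '{{ item if item is string else item.src }}.j2'
    dest: "{{ postfix_conf_dir ~ '/' ~ ((item ~ '.cf') if item is string else item.dest) }}"
    force: true
    mode: '0400'
    lstrip_blocks: true
  loop:
    - { src: postscreen_connect, dest: filter_postscreen_connect.cidr }
    - { src: smtpd_helo, dest: filter_smtpd_helo.pcre }
    - { src: submission_header, dest: filter_submission_header.pcre }
    - main
    - master
    - { src: smtpd_checks_relaxed, dest: smtpd_checks_relaxed.hash }
  notify: restart postfix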
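# One `<name>.cf` per entry of postfix_sql_queries, all rendered from the
# same sql.j2 with `query` set per item. The snippets presumably embed the
# database connection settings including the password, hence 0400 (quoted so
# the octal mode survives any YAML loader) and `force: true` to keep host
# edits from diverging from the templates.
- name: template postfix sql snippets
  template:
    src: sql.j2
    dest: '{{ postfix_sql_dir }}/{{ item }}.cf'
    force: true
    mode: '0400'
  vars:
    query: '{{ postfix_sql_queries[item] }}'
  loop:
    - aliases
    - domains
    - forwards
    - no_reply
    - self_users
    - shared_users
    - tls_policies
    - users
  notify: restart postfix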
# MTA-STS resolver from the mta-sts role — presumably the policy daemon
# postfix consults for outbound TLS policy; see that role for what `port`
# binds to. The port is passed as a templated string; confirm the role
# accepts that rather than requiring an int.
- name: install mta resolver
  vars:
    mta_sts_log_verbosity: info
    mta_sts_config:
      port: '{{ mail_server.mta_sts_port }}'
  include_role:
    name: mta-sts
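# Publish a CNAME for the hostname the MTA actually presents, pointing at
# this host's FQDN, via the internal ns role. Only the explicit record is
# added (`ns_add_default_record: false`, written as a canonical boolean).
# NOTE(review): the `when` guard is local to this task; the external_ns and
# certs tasks further down use mail_server.mta_actual_hostname without it,
# so in practice the variable has to be defined for this file to succeed.
- name: add extra cname record
  include_role:
    name: ns
  vars:
    function: add_records
    ns_add_default_record: false
    ns_records:
      - name: '{{ mail_server.mta_actual_hostname }}'
        type: CNAME
        value: '{{ host_fqdn }}'
  when: mail_server.mta_actual_hostname is defined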
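# Public DNS records for the mail domain at the external provider. Written
# in block style so each record can be annotated; the values are unchanged.
# `nse_instant: true` (canonical boolean instead of `yes`).
- name: add records to external ns
  include_role:
    name: external_ns
  vars:
    nse_function: add_records
    nse_instant: true
    nse_items:
      # The MTA hostname, relative to the apex, and the MX pointing at it.
      - name: '{{ mail_server.mta_actual_hostname }}'
        type: 'CNAME'
        value: '@'
      - name: '@'
        type: 'MX'
        value: '0 {{ mail_server.mta_actual_hostname ~ "." ~ mail_server.tld ~ "." }}'
      # SPF with `~all` (softfail): receivers mark rather than reject mail
      # from hosts outside allowed_spf. Moving to `-all` is a policy choice
      # that only makes sense once allowed_spf is known to be complete.
      - name: '@'
        type: 'TXT'
        value: 'v=spf1 ip4:{{ mail_server.allowed_spf | join(" ip4:") }} ~all'
      # ADSP (RFC 5617) is Historic and ignored by most receivers; harmless,
      # but the DMARC record below is what actually enforces alignment.
      - name: '_adsp._domainkey'
        type: 'TXT'
        value: 'dkim=all'
      # DMARC: reject on failure for the domain and its subdomains, with
      # aggregate reports to the rua mailbox on the same domain.
      - name: '_dmarc'
        type: 'TXT'
        value: 'v=DMARC1;p=reject;sp=reject;rua=mailto:dmarc-report@{{ mail_server.tld }}'
      # DKIM failure-reporting address (RFC 6651).
      - name: '_report._domainkey'
        type: 'TXT'
        value: 'ra=dkim-report rr=o:s:u:v'
      # SMTP TLS reporting (RFC 8460) and the MTA-STS policy id (RFC 8461).
      # The id must change whenever the published policy changes, otherwise
      # senders keep their cached copy until it expires.
      - name: '_smtp._tls'
        type: 'TXT'
        value: 'v=TLSRPTv1;rua=mailto:smtp-tls-report@{{ mail_server.tld }}'
      - name: '_mta-sts'
        type: 'TXT'
        value: 'v=STSv1; id={{ mail_server.mta_sts_id | d("sts2022") }}'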
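# Certificates postfix serves, deployed by the certs role: an external
# (public, under mail_server.tld) and an internal pair, each in an ECC
# (named for P-384) and an RSA (2048) variant. Settings under `common`
# presumably apply to every entry and the per-cert keys (`ecc`, `tld`)
# override them — confirm against the certs role. Booleans use `true`/`false`
# instead of `yes`/`no`.
# NOTE(review): the source layout lost its indentation; `notify` is placed
# under `common` here because it sits between the other common settings,
# whereas every other task in this file puts a task-level `notify` last. If
# it was meant as the task-level handler trigger, move it out of `common`.
- name: deploy certs
  include_role:
    name: certs
  vars:
    common:
      owner: root
      group: root
      # Both restart postfix: post_hook presumably fires inside the certs
      # role on (re)issue, notify queues the play handler.
      post_hook: service postfix restart
      notify: restart postfix
      ecc: false
      hostname: '{{ mail_server.mta_actual_hostname }}'
    certs:
      - id: postfix-ecc-ext
        cert: '{{ postfix_tls_ext_ecc384_cert }}'
        key: '{{ postfix_tls_ext_ecc384_key }}'
        ecc: true
        tld: '{{ mail_server.tld }}'
      - id: postfix-ecc-int
        cert: '{{ postfix_tls_int_ecc384_cert }}'
        key: '{{ postfix_tls_int_ecc384_key }}'
        ecc: true
      - id: postfix-rsa-ext
        cert: '{{ postfix_tls_ext_rsa2048_cert }}'
        key: '{{ postfix_tls_ext_rsa2048_key }}'
        tld: '{{ mail_server.tld }}'
      - id: postfix-rsa-int
        cert: '{{ postfix_tls_int_rsa2048_cert }}'
        key: '{{ postfix_tls_int_rsa2048_key }}'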
# Run any queued `restart postfix` handlers now rather than at the end of the
# play, so the service is already running on the new configuration and
# certificates before the remaining tasks execute.
- name: flush handlers
  meta: flush_handlers
# Register the config, SQL and TLS directories with the backup role. These
# hold credentials and private keys (mode 0400/0700 above), so the backup
# target needs equivalent access controls.
- name: add directories to backup plan
  vars:
    function: add
    backup_items:
      - '{{ postfix_conf_dir }}'
      - '{{ postfix_sql_dir }}'
      - '{{ postfix_tls_dir }}'
  include_role:
    name: backup
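# Enable postfix at boot and make sure it is running. `enabled: true` is the
# canonical boolean (was `yes`); if the handlers flushed above already
# restarted the service this is a no-op for `state`.
- name: enable and start postfix
  service:
    name: postfix
    enabled: true
    state: started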