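# Task to install and configure postfix
#
# postconf -e rewrites main.cf in place, so when the same key appears twice
# in the list below the LAST value wins.  Two keys (non_smtpd_milters and
# smtpd_helo_restrictions) were listed twice in an earlier revision; the
# overridden first entries have been removed and are recorded in
# NOTE(review) comments next to the surviving value.
---
- name: Add mail archive user
  # Local account that receives a copy of every message via always_bcc
  # (set further down).  It only holds mail, hence no login shell.
  user:
    name: mailarchive
    shell: /bin/false

- name: Install postfix
  # force-confdef,force-confnew: on upgrade dpkg takes the package's version
  # of every conffile without prompting.  The master.cf / aliases tasks
  # below re-apply the local copies afterwards, so run the whole task file
  # after a package upgrade, not just this task.
  apt:
    name:
      - postfix
      - postfix-doc
      - postfix-policyd-spf-python
      - postfix-pcre
      - postfix-policyd-spf-perl
    dpkg_options: 'force-confdef,force-confnew'
    update_cache: yes

- name: Configure Postfix
  # `command` instead of `shell`: no pipes or redirection are needed, and
  # the item reaches postconf as one argument without shell expansion.
  # Under `shell` the "$mydomain" in virtual_alias_domains below was
  # expanded by /bin/sh (to an empty string) before postconf saw it.
  # postconf -e does not report whether anything changed, so this task is
  # always "changed" and always triggers the reload.
  command: postconf -e "{{ item }}"
  notify:
    - reload postfix
  with_items:
    # Set up domain
    - "myorigin = {{ domain }}"
    - "myhostname = {{ mail_domain }}"
    - "relay_domains = {{ relay_domain }}, {{ domain }}"
    # Set up alias maps
    - alias_maps = hash:/etc/aliases
    # Use Maildir mail boxes (single files, not one huge file)
    - home_mailbox = Maildir/
    - mailbox_command =
    # AO
    # Milters for mail arriving over SMTP, both on localhost inet sockets.
    # Nothing here ties a port to a particular milter; keep the numbers in
    # sync with the opendkim/opendmarc configuration managed elsewhere.
    - smtpd_milters = inet:localhost:12301, inet:localhost:54321
    # NOTE(review): an earlier entry here set
    #   non_smtpd_milters = unix:private/opendkim unix:private/opendmarc
    # but it was overridden by the non_smtpd_milters entry in the DKIM
    # section below, so it is dropped here.  If the unix-socket milters
    # were the intent, change the entry below rather than re-adding it.
    # Recipient-time policy: SASL-authenticated and mynetworks clients may
    # relay; everyone else only to our own domains
    # (reject_unauth_destination), after sender/HELO sanity checks and two
    # DNS blocklists.
    # NOTE(review): DNSBL zones get retired; confirm sbl.spamhaus.org and
    # cbl.abuseat.org are still in service and that lookups go through a
    # resolver the operator accepts, otherwise the checks silently do
    # nothing (or, as some retired zones have done, match everything).
    - smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
    # NOTE(review): same caveat for dnsbl.sorbs.net — verify it still answers.
    - smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
    # Only loopback is trusted for permit_mynetworks; ::1 is not listed,
    # which is consistent with inet_protocols = ipv4 below.
    - mynetworks = 127.0.0.0/8
    # TLS parameters
    # Incoming e-mails
    - smtpd_tls_CApath = /etc/ssl/certs
    - "smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
    - "smtpd_tls_key_file = /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
    # "may" = opportunistic STARTTLS; cleartext sessions are still accepted.
    # With SASL enabled below, consider smtpd_tls_auth_only = yes so AUTH
    # is only offered inside TLS.
    - smtpd_tls_security_level = may
    - smtpd_tls_ask_ccert = yes
    - smtpd_tls_eecdh_grade = strong
    # Only SSLv2/SSLv3 are excluded; TLS 1.0 and 1.1 remain enabled.
    - smtpd_tls_protocols = !SSLv2, !SSLv3
    - smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    - smtpd_tls_mandatory_ciphers = high
    - tls_preempt_cipherlist = yes
    #disable following ciphers for smtpd_tls_security_level=encrypt
    # NOTE(review): "PSD" does not look like an OpenSSL cipher alias (PSK
    # is); OpenSSL skips names it does not know, so PSK suites are
    # probably not excluded by these two lists — verify on the host.
    - smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    #disable following ciphers for smtpd_tls_security_level=may
    - smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    - smtpd_tls_loglevel = 1
    # smtpd_use_tls / smtp_use_tls are the older on/off switches; the
    # *_tls_security_level settings take precedence over them.
    - smtpd_use_tls = yes
    - smtp_tls_note_starttls_offer = yes
    - smtpd_tls_received_header = yes
    # Outgoing e-mails
    - smtp_tls_CApath = /etc/ssl/certs
    # Opportunistic TLS to remote MTAs: encrypts when offered but does not
    # authenticate the peer, so it does not defend against an active
    # interceptor.
    - smtp_tls_security_level = may
    - smtp_tls_loglevel = 1
    - smtp_use_tls = yes
    - smtp_tls_mandatory_ciphers=high
    - smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    - inet_interfaces = all
    - inet_protocols = ipv4
    # 50 MiB
    - message_size_limit = 52428800
    # VRFY would let anyone enumerate which local addresses exist.
    - disable_vrfy_command = yes
    - smtpd_helo_required = yes
    # Maybe: permit_sasl_authenticated, reject_unknown_hostname
    # NOTE(review): an earlier entry set
    #   smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
    # which this entry overrode; it has been dropped.  reject_non_fqdn_hostname
    # and reject_invalid_hostname appear to be the older spellings of the
    # _helo_ forms listed right after them — confirm on the installed version.
    - smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    - smtpd_delay_reject = yes
    # bcc all mail to the mailarchive user
    # Every message Postfix receives is copied to that local mailbox; treat
    # it as sensitive data and give it a retention plan.
    - always_bcc = mailarchive
    # DKIM enabled protocol
    - milter_protocol = 2
    # When a milter is unreachable, mail is accepted unsigned/unchecked
    # instead of being deferred.
    - milter_default_action = accept
    # DKIM only for internal messages
    - non_smtpd_milters = inet:localhost:12301
    - allow_mail_to_commands = alias,forward,include
    # mydestination at is also alt domains
    - "mydestination = localhost, localhost.localdomain, {{ domain }}"
    # From certbot
    # https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
    # SASL through dovecot's auth socket.  This turns AUTH on for every
    # smtpd instance, including port 25, unless master.cf overrides it —
    # confirm against the master.cf copied below.
    - smtpd_sasl_type = dovecot
    - smtpd_sasl_path = private/auth
    - smtpd_sasl_local_domain =
    - smtpd_sasl_security_options = noanonymous
    - broken_sasl_auth_clients = yes
    - smtpd_sasl_auth_enable = yes
    - virtual_alias_domains = $mydomain
    - virtual_alias_maps = hash:/etc/postfix/virtual

- name: Adding to virtual
  # The last line is a catch-all: any local part at the domain not matched
  # earlier is delivered to the "jebba" account, so every address on the
  # domain is accepted (expect more unsolicited mail in that mailbox).
  # The hash: map has to be rebuilt when this file changes, hence the
  # notify (previously only the master.cf task triggered it).
  blockinfile:
    path: /etc/postfix/virtual
    insertafter: EOF
    state: present
    block: |
      postmaster@{{ domain }} root
      webmaster@{{ domain }} root
      @{{ domain }} jebba
    create: yes
  notify:
    - new virtual aliases
  tags:
    - pfvirtual

- name: Copy master.cf file to remote host
  copy:
    src: master.cf
    dest: /etc/postfix/master.cf
  notify:
    - new virtual aliases
    - reload postfix

- name: Create Auth Header Checks file
  # pcre: tables are read when the daemon starts, so a reload is needed
  # for a changed file to take effect.
  copy:
    src: auth_header_checks.pcre
    dest: /etc/postfix/auth_header_checks.pcre
  notify:
    - reload postfix

- name: Copy aliases
  template:
    src: aliases.j2
    dest: /etc/aliases
  notify:
    - new aliases
    - post alias
    - restart postfix service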