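# Task to install and configure postfix
#
# Variables expected from inventory/group_vars: domain, mail_domain, relay_domain.
# Handlers referenced by notify: "new virtual aliases", "reload postfix",
# "new aliases", "post alias", "restart postfix service".
---
- name: Add mail archive user
  # Local account that receives the always_bcc copy of every message (see below);
  # no login shell, it only exists to own a mailbox.
  user:
    name: mailarchive
    shell: /bin/false

- name: Install postfix
  apt:
    name: "{{ item }}"
    # Keep locally modified config files and fall back to the package default
    # only when no local version exists.
    dpkg_options: 'force-confdef,force-confnew'
    update_cache: true
  with_items:
    - postfix
    - postfix-doc
    - postfix-policyd-spf-python
    - postfix-pcre
    - postfix-policyd-spf-perl

- name: Configure Postfix
  # postconf -e rewrites main.cf in place. Items are applied in order, so a key
  # that appears twice keeps only the LAST value; duplicates were removed below
  # and the previously shadowed values are noted in comments.
  shell: postconf -e "{{ item }}"
  with_items:
    # Set up domain
    - "myorigin = {{ domain }}"
    - "myhostname = {{ mail_domain }}"
    - "relay_domains = {{ relay_domain }}, {{ domain }}"
    # Set up alias maps
    - alias_maps = hash:/etc/aliases
    # Use Maildir mail boxes (single files, not one huge file)
    - home_mailbox = Maildir/
    - mailbox_command =
    # AO
    - smtpd_milters = inet:localhost:12301, inet:localhost:54321
    # non_smtpd_milters is set once, further down ("DKIM only for internal
    # messages"). An earlier value "unix:private/opendkim unix:private/opendmarc"
    # was silently overwritten by it and has been dropped here.
    - smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
    # NOTE(review): cbl.abuseat.org has been folded into the Spamhaus XBL and
    # dnsbl.sorbs.net may no longer be operated - verify both zones still answer.
    # A DNSBL that stops resolving silently contributes nothing; one that answers
    # every query rejects all mail.
    # smtpd_helo_restrictions is set once, further down; an earlier value
    # "reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
    # reject_unknown_helo_hostname" was overwritten by it and has been dropped.
    - smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
    - mynetworks = 127.0.0.0/8
    # TLS parameters
    # Incoming e-mails
    - smtpd_tls_CApath = /etc/ssl/certs
    - "smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
    - "smtpd_tls_key_file = /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
    # Opportunistic TLS: plaintext is still accepted from peers that do not offer STARTTLS.
    - smtpd_tls_security_level = may
    - smtpd_tls_ask_ccert = yes
    - smtpd_tls_eecdh_grade = strong
    # NOTE(review): only SSLv2/SSLv3 are excluded, so TLS 1.0 and 1.1 remain
    # enabled; "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" would restrict to TLS 1.2+.
    - smtpd_tls_protocols = !SSLv2, !SSLv3
    - smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    - smtpd_tls_mandatory_ciphers = high
    - tls_preempt_cipherlist = yes
    #disable following ciphers for smtpd_tls_security_level=encrypt
    - smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    #disable following ciphers for smtpd_tls_security_level=may
    - smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    - smtpd_tls_loglevel = 1
    # Legacy switch; superseded by smtpd_tls_security_level on current Postfix.
    - smtpd_use_tls = yes
    - smtp_tls_note_starttls_offer = yes
    - smtpd_tls_received_header = yes
    # Outgoing e-mails
    - smtp_tls_CApath = /etc/ssl/certs
    - smtp_tls_security_level = may
    - smtp_tls_loglevel = 1
    # Legacy switch; superseded by smtp_tls_security_level on current Postfix.
    - smtp_use_tls = yes
    - smtp_tls_mandatory_ciphers = high
    - smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    - inet_interfaces = all
    - inet_protocols = ipv4
    # 50 MiB
    - message_size_limit = 52428800
    # Do not let clients probe which addresses exist.
    - disable_vrfy_command = yes
    - smtpd_helo_required = yes
    # Maybe: permit_sasl_authenticated, reject_unknown_hostname
    - smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    - smtpd_delay_reject = yes
    # bcc all mail to the mailarchive user
    - always_bcc = mailarchive
    # DKIM enabled protocol
    - milter_protocol = 2
    # Mail is still accepted when a milter is unreachable (availability over filtering).
    - milter_default_action = accept
    # DKIM only for internal messages
    - non_smtpd_milters = inet:localhost:12301
    - allow_mail_to_commands = alias,forward,include
    # mydestination at is also alt domains
    - "mydestination = localhost, localhost.localdomain, {{ domain }}"
    # From certbot
    # https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
    - smtpd_sasl_type = dovecot
    - smtpd_sasl_path = private/auth
    - smtpd_sasl_local_domain =
    - smtpd_sasl_security_options = noanonymous
    - broken_sasl_auth_clients = yes
    - smtpd_sasl_auth_enable = yes
    - virtual_alias_domains = $mydomain
    - virtual_alias_maps = hash:/etc/postfix/virtual

- name: Adding to virtual
  # Appends the virtual alias entries; the last line is a catch-all, so every
  # otherwise-unmatched address at the domain is delivered to the "jebba" mailbox.
  blockinfile:
    path: /etc/postfix/virtual
    insertafter: EOF
    state: present
    block: |
      postmaster@{{ domain }} root
      webmaster@{{ domain }} root
      @{{ domain }} jebba
    create: true
  tags:
    - pfvirtual

- name: Copy master.cf file to remote host
  copy:
    src: master.cf
    dest: /etc/postfix/master.cf
  notify:
    - new virtual aliases
    - reload postfix

- name: Create Auth Header Checks file
  copy:
    src: auth_header_checks.pcre
    dest: /etc/postfix/auth_header_checks.pcre

- name: Copy aliases
  template:
    src: aliases.j2
    dest: /etc/aliases
  notify:
    - new aliases
    - post alias
    - restart postfix service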