idiv-biodiversity/ansible-role-postfix
Ansible Role: Postfix

An Ansible role that installs Postfix and configures it.

Requirements

  • Ansible 2.9

Role Variables

This role does not cover the full range of Postfix options. If you need something specific, feel free to contribute!

The content field is optional for all dictionary variables that potentially refer to configuration tables, e.g. postfix_transport.

Basic Variables

Variables with defaults:

postfix_inet_interfaces:
  - localhost

postfix_inet_protocols: all

postfix_destinations:
  - $myhostname
  - localhost.$mydomain
  - localhost

These variables are empty by default, but Postfix has its own defaults for them; run postconf -d | grep ^my to see them.

postfix_hostname: host.example.org
postfix_domain: example.org
postfix_origin: example.org

Note: Consult man 5 postconf for more information.

Masquerading

Masquerading can strip off subdomain structure, e.g. to rewrite [email protected] to [email protected]:

postfix_masquerade_domains:
  - example.org

Addresses that will be changed by masquerading:

postfix_masquerade_classes:
  - envelope_sender
  - envelope_recipient
  - header_sender
  - header_recipient

Users who are exceptions to masquerading:

postfix_masquerade_exceptions:
  - root

Note: The masquerading address mapping mechanism is able to rewrite both header and envelope addresses. For headers to be rewritten, see the section about Automatic Header Rewriting.
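As an added illustration (not part of the role), the following pure-Python function mirrors the documented Postfix rules for masquerade_domains and masquerade_exceptions using the values shown above; which address classes are actually rewritten on a real system is still governed by postfix_masquerade_classes, which this model does not cover.

```python
MASQUERADE_DOMAINS = ["example.org"]   # mirrors postfix_masquerade_domains
MASQUERADE_EXCEPTIONS = {"root"}       # mirrors postfix_masquerade_exceptions


def masquerade(address, domains=MASQUERADE_DOMAINS,
               exceptions=MASQUERADE_EXCEPTIONS):
    """Strip subdomain structure from one address as Postfix masquerading does.

    The domain list is processed left to right and the first match wins, so
    a more specific domain must be listed before its parent. Users in the
    exceptions set are left untouched regardless of their domain.
    """
    if "@" not in address:
        return address                 # no domain part, nothing to strip
    user, _, domain = address.rpartition("@")
    if user in exceptions:
        return address
    domain_l = domain.lower()
    for masq in domains:
        masq_l = masq.lower()
        if domain_l == masq_l:
            return address             # already at the masquerade domain
        if domain_l.endswith("." + masq_l):
            return f"{user}@{masq}"    # drop everything below masq
    return address                     # domain not covered, unchanged


if __name__ == "__main__":
    for addr in ("user@host.example.org", "root@host.example.org",
                 "user@example.org", "user@other.net"):
        print(f"{addr:24} -> {masquerade(addr)}")
```

Note that root@host.example.org is left as-is because of the exception, so mail from system accounts still reveals the originating host.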

Aliases

The variable postfix_aliases configures /etc/aliases, e.g.:

postfix_aliases:
  - user: icinga
    alias: root
  - user: root
    alias: [email protected]

Relay and Transport

Delivery targets, i.e. relays:

postfix_relayhost: relay1.domain.org
postfix_smtp_fallback_relay: relay2.domain.org

Additionally, there is more fine-grained control with the transport table:

postfix_transport:
  - type: hash
    dest: /etc/postfix/transport
    content: |
      foo.org         smtp:[imap1.example.org]
      .foo.org        smtp:[imap1.example.org]
      bar.org         smtp:[imap2.example.org]
      .bar.org        smtp:[imap2.example.org]

Note: Consult man 5 transport for more information.

Canonical Address Mapping

Rewrite recipient and sender:

postfix_canonical:
  - type: hash
    dest: /etc/postfix/canonical
    content: |
      [email protected] [email protected]
  - type: ldap
    dest: /etc/postfix/ldap-canonical.cf
    content: |
      server_host = ldap.example.org
      search_base = dc=example, dc=org
      query_filter = uid=%s
      result_attribute = mail

Rewrite recipient:

postfix_recipient_canonical:
  - type: hash
    dest: /etc/postfix/recipient_canonical
    content: |
      [email protected]   [email protected]
      [email protected] [email protected]

Rewrite sender:

postfix_sender_canonical:
  - type: hash
    dest: /etc/postfix/sender_canonical
    content: |
      [email protected]   [email protected]
      [email protected] [email protected]

Note: The canonical address mapping mechanism is able to rewrite both header and envelope addresses. For headers to be rewritten, see the section about Automatic Header Rewriting.

Note: Consult man 5 canonical for more information.

SMTP Generic Table

Defines address mappings when mail is delivered via SMTP. This is useful to transform local mail addresses into valid mail addresses. The following example rewrites the sender icinga@internal to [email protected] and everything else @internal to [email protected]:

postfix_smtp_generic:
  type: hash
  dest: /etc/postfix/smtp_generic
  content: |
    icinga@internal [email protected]
    @internal       [email protected]

Note: This affects both message header addresses (e.g. the From: field) and the envelope addresses used by SMTP.

Note: Consult man 5 generic for more information.

Header Checks

This lets you rewrite or reject message headers:

postfix_header_checks:
  - type: regexp
    dest: /etc/postfix/header_checks
    content: |
      /^From: root@[^ ]+\.example.org .*/ REPLACE From: [email protected]

Note: Consult man 5 header_checks for more information.

SMTP

postfix_smtp:
  tls_CApath: '/etc/pki/tls/certs'
  tls_security_level: 'may'
  tls_cert_file: '/etc/pki/cert.pem'
  tls_key_file: '/etc/pki/key.pem'
  tls_note_starttls_offer: 'yes'

postfix_smtpd:
  tls_CApath: '/etc/pki/tls/certs'
  tls_security_level: 'may'
  tls_cert_file: '/etc/pki/cert.pem'
  tls_key_file: '/etc/pki/key.pem'
  tls_auth_only: 'no'
  tls_loglevel: '1'
  tls_received_header: 'yes'
  tls_session_cache_timeout: '3600s'

postfix_tls_random_source: 'dev:/dev/urandom'

Note: At the moment, PEM files need to be copied manually.
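As an added example (not code from the role), here is a small lint over the postfix_smtp and postfix_smtpd dictionaries above; it assumes, which the README does not state, that each key is rendered into main.cf with the smtp_ or smtpd_ prefix (tls_security_level becomes smtp_tls_security_level, and so on), and it flags the settings a reviewer would question in the example values.

```python
PAGE_SMTP = {  # copy of the postfix_smtp example above
    "tls_CApath": "/etc/pki/tls/certs",
    "tls_security_level": "may",
    "tls_cert_file": "/etc/pki/cert.pem",
    "tls_key_file": "/etc/pki/key.pem",
    "tls_note_starttls_offer": "yes",
}
PAGE_SMTPD = {  # copy of the postfix_smtpd example above
    "tls_CApath": "/etc/pki/tls/certs",
    "tls_security_level": "may",
    "tls_cert_file": "/etc/pki/cert.pem",
    "tls_key_file": "/etc/pki/key.pem",
    "tls_auth_only": "no",
    "tls_loglevel": "1",
    "tls_received_header": "yes",
    "tls_session_cache_timeout": "3600s",
}


def lint_tls(smtp, smtpd):
    """Return (parameter, message) findings; an empty list means clean."""
    findings = []
    # Outbound client side: 'may' is opportunistic, so a peer that does not
    # offer STARTTLS gets the message in cleartext.
    if smtp.get("tls_security_level", "none") in ("none", "may"):
        findings.append(("smtp_tls_security_level",
                         "outbound TLS is optional; use 'encrypt' (or 'dane') "
                         "for fixed relayhosts"))
    # Inbound server side: 'none' means STARTTLS is never offered.
    if smtpd.get("tls_security_level", "none") == "none":
        findings.append(("smtpd_tls_security_level",
                         "STARTTLS is not offered to connecting clients"))
    # smtpd_tls_auth_only defaults to 'no': SASL AUTH is then accepted on
    # unencrypted sessions and credentials cross the wire in cleartext.
    if smtpd.get("tls_auth_only", "no") != "yes":
        findings.append(("smtpd_tls_auth_only",
                         "AUTH is accepted before STARTTLS"))
    # A cert without its key (or vice versa) leaves TLS unusable.
    for prefix, conf in (("smtp", smtp), ("smtpd", smtpd)):
        if ("tls_cert_file" in conf) != ("tls_key_file" in conf):
            findings.append((f"{prefix}_tls_cert_file",
                             "cert and key file must be set together"))
    return findings


def hardened(smtp, smtpd):
    """Copies of the dictionaries with the weak settings replaced."""
    return (dict(smtp, tls_security_level="encrypt"),
            dict(smtpd, tls_auth_only="yes"))
```

smtpd_tls_security_level 'may' is deliberately not flagged: opportunistic TLS is the normal inbound setting, since remote MTAs cannot be forced to encrypt.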

Automatic Header Rewriting

Starting with Postfix 2.2, automatic message header rewriting is disabled by default; only envelope addresses are rewritten. This applies to the address rewriting facilities described above. Check man 5 postconf to see whether it applies to your configuration entries.

To restore the behavior from before Postfix 2.2, add this variable:

postfix_local_header_rewrite_clients:
  - type: static
    dest: all

Dependencies

---

# requirements.yml

roles:

  - name: idiv_biodiversity.postfix
    src: https://github.com/idiv-biodiversity/ansible-role-postfix
    version: vX.Y.Z

...

Example Playbook

Top-Level Playbook

Write a top-level playbook:

---

- name: head server
  hosts: head

  roles:
    - role: idiv_biodiversity.postfix
      tags:
        - mail
        - mta
        - postfix

...

Role Dependency

Define the role dependency in meta/main.yml:

---

dependencies:

  - role: idiv_biodiversity.postfix
    tags:
      - mail
      - mta
      - postfix

...

License

MIT

Author Information

This role was created in 2017 by Christian Krause aka wookietreiber at GitHub, HPC cluster systems administrator at the German Centre for Integrative Biodiversity Research (iDiv), based on a draft by Ben Langenberg aka bencarsten at GitHub.