From bc775dc3fba9ecf5ad44c1d15070c80c385e0014 Mon Sep 17 00:00:00 2001 
From: Someone
Date: Fri, 4 Oct 2024 13:42:40 +0200
Subject: [PATCH] [roles/server/mail/postfix] setup postfix mail server
---
 .../files/default/header_checks_in.regexp | 26 +++
 .../files/default/header_checks_out.regexp | 12 +
 .../server/mail/postfix/files/default/main.cf | 178 +++++++++++++++
 .../mail/postfix/files/default/master.cf | 95 ++++++++
 .../postfix/files/default/postfix@.service | 30 +++
 .../files/default/rcpt_recipient.regexp | 15 ++
 .../postfix/files/default/rcpt_sender.regexp | 18 ++
 .../files/default/rel_recipient.regexp | 9 +
 .../postfix/files/default/rel_sender.regexp | 9 +
 .../postfix/files/default/sasl.smtpd.conf | 10 +
 .../mail/postfix/files/default/transport.map | 8 +
 .../mail/postfix/files/default/virtual.map | 16 ++
 roles/server/mail/postfix/handlers/main.yml | 26 +++
 roles/server/mail/postfix/meta/main.yml | 10 +
 roles/server/mail/postfix/tasks/main.yml | 209 ++++++++++++++++++
 15 files changed, 671 insertions(+)
 create mode 100644 roles/server/mail/postfix/files/default/header_checks_in.regexp
 create mode 100644 roles/server/mail/postfix/files/default/header_checks_out.regexp
 create mode 100644 roles/server/mail/postfix/files/default/main.cf
 create mode 100644 roles/server/mail/postfix/files/default/master.cf
 create mode 100644 roles/server/mail/postfix/files/default/postfix@.service
 create mode 100644 roles/server/mail/postfix/files/default/rcpt_recipient.regexp
 create mode 100644 roles/server/mail/postfix/files/default/rcpt_sender.regexp
 create mode 100644 roles/server/mail/postfix/files/default/rel_recipient.regexp
 create mode 100644 roles/server/mail/postfix/files/default/rel_sender.regexp
 create mode 100644 roles/server/mail/postfix/files/default/sasl.smtpd.conf
 create mode 100644 roles/server/mail/postfix/files/default/transport.map
 create mode 100644 roles/server/mail/postfix/files/default/virtual.map
 create mode 100644 roles/server/mail/postfix/handlers/main.yml
 create mode 100644 roles/server/mail/postfix/meta/main.yml
 create mode 100644 roles/server/mail/postfix/tasks/main.yml
diff --git a/roles/server/mail/postfix/files/default/header_checks_in.regexp b/roles/server/mail/postfix/files/default/header_checks_in.regexp
new file mode 100644
index 0000000..7ca2da7
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/header_checks_in.regexp
@@ -0,0 +1,26 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# Remove our own internal headers again.
+/^Received: by mail.somenet.org/ IGNORE
+/^Received: from.*10\..+\..+\..+by mail.somenet.org/ IGNORE
+/^Received: from localhost.+by mail.somenet.org/ IGNORE
+
+# ignored by spamassassin AND removed by postfix.
+/^X-Spam-Checker-Version/ IGNORE
+/^X-Spam$/ IGNORE
+/^X-Spamd-.*/ IGNORE
+/^X-Rspamd-.*/ IGNORE
+/^X-Virus-Scanned/ IGNORE
+/^X-Greylist/ IGNORE
+
+#/^.*GNU Terry Pratchett$/ REJECT spammy header: GNU Terry Pratchett
+/^.*GNU Terry Pratchett$/ IGNORE
+
+# Debugging your mail setup? use this.
+#/^Subject:/ WARN
diff --git a/roles/server/mail/postfix/files/default/header_checks_out.regexp b/roles/server/mail/postfix/files/default/header_checks_out.regexp
new file mode 100644
index 0000000..99fa2a4
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/header_checks_out.regexp
@@ -0,0 +1,12 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# User-privacy: remove some headers before sending their mail.
+
+/^Received: .+/ IGNORE
+/^User-Agent: .+/ IGNORE
diff --git a/roles/server/mail/postfix/files/default/main.cf b/roles/server/mail/postfix/files/default/main.cf
new file mode 100644
index 0000000..b3dd88e
--- /dev/null
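Review bot: `/^X-Spam$/ IGNORE` in header_checks_in.regexp cannot match anything, because header_checks patterns see the complete header line including the field name and colon, so a header consisting of just `X-Spam` never occurs; if the intent is to strip the whole family an upstream scanner may have added (X-Spam-Status, X-Spam-Level, X-Spam-Flag), `/^X-Spam-/ IGNORE` does it, otherwise the line should go. The third Received rule, `/^Received: from.*10\..+\..+\..+by mail.somenet.org/`, is also wider than the 10.0.0.0/8 range it appears to target: `.*10\.` matches `110.` or `192.10.` anywhere in the line, including a HELO name the remote client chose, so Received lines documenting an external hop can be removed and the trace that abuse handling relies on is lost. Anchoring on the bracketed client address, `/^Received: from .*\[10\.[0-9]+\.[0-9]+\.[0-9]+\].*by mail\.somenet\.org/ IGNORE`, keeps it to internal relays (Postfix regexp tables are POSIX, so `[0-9]` rather than `\d`).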
+++ b/roles/server/mail/postfix/files/default/main.cf 
@@ -0,0 +1,178 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# Last time we extensively looked at our configuration.
+compatibility_level=3.6
+
+
+myhostname = mail.somenet.org
+myorigin = mail.l
+mydestination = mail.l, l, localhost, localhost.localdomain
+mynetworks = 10.0.0.0/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+
+
+# incoming mail
+smtpd_tls_chain_files =
+ /etc/ssl/letsencrypt/mail.somenet.org/privkey.pem,
+ /etc/ssl/letsencrypt/mail.somenet.org/fullchain.pem,
+ /etc/ssl/letsencrypt-rsa/mail.somenet.org/privkey.pem,
+ /etc/ssl/letsencrypt-rsa/mail.somenet.org/fullchain.pem
+smtpd_tls_security_level = may
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_auth_only = yes
+# we override this for the "submission" service.
+smtpd_sasl_auth_enable = no
+smtpd_sasl_path = smtpd
+smtpd_banner = $myhostname ESMTP $mail_name
+smtpd_helo_required = yes
+# fuck sec consult and their business "ethics".
+smtpd_forbid_bare_newline = yes +smtpd_forbid_unauth_pipelining = yes +smtpd_discard_ehlo_keywords = chunking, silent-discard + + +# header cleanup + transport mapping +header_checks = regexp:/etc/postfix/header_checks_in.regexp +nested_header_checks = +transport_maps = hash:/etc/postfix/transport.map +#, hash:/var/lib/sympa/transport.map + + +# outgoing mail +smtp_tls_security_level = may +smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_ciphers = high +smtp_tls_mandatory_ciphers = high +smtp_tls_loglevel = 1 +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp + + +# hosted domains +virtual_alias_domains = somenet.org +virtual_alias_maps = hash:/etc/postfix/virtual.map + + +# local delivery +mailbox_transport = lmtp:unix:/var/lib/cyrus/socket/lmtp +mailbox_size_limit = 209715200 + + +#sympa +# todo: flip vmailbox und valias domains? +#virtual_mailbox_domains = lists.somenet.org +#virtual_mailbox_maps = hash:/etc/postfix/virtual.map, hash:/etc/postfix/transport.map, hash:/var/lib/sympa/transport.map + + +# random settings +tls_preempt_cipherlist = yes +biff = no +connection_cache_status_update_time = 3600 +inet_protocols=ipv4 +message_size_limit = $mailbox_size_limit +recipient_delimiter = + + + +# take it easy. +default_destination_concurrency_limit = 2 + +# disable smtputf8 because of cyrus +smtputf8_enable = no + + +######################################### +# DONT BE AN OPEN RELAY. RESTRICT STUFF # +######################################### +smtpd_restriction_classes = HOLD_OK +HOLD_OK = check_client_access static:hold, permit + + +# 1. check every incomming connecting. 
+# we use master.cf to overridden this for the "submission" service to always require authentication:
+# smtpd_client_restrictions = permit_sasl_authenticated, reject
+# we merge that into recipient and relay restrictions - no need to check everything multiple times.
+#smtpd_client_restrictions =
+# permit_mynetworks,
+# permit_sasl_authenticated,
+# reject_unknown_client_hostname,
+# permit
+
+
+# 2. check the helo of the incomming connection.
+# we merge that into recipient and relay restrictions - no need to check everything multiple times.
+# smtpd_helo_restrictions =
+# permit_mynetworks,
+# permit_sasl_authenticated,
+# reject_invalid_helo_hostname,
+# reject_unknown_helo_hostname,
+# permit
+
+
+# 3. checks run after a connection issues "MAIL FROM"
+# we merge that into recipient and relay restrictions - no need to check everything multiple times.
+# smtpd_sender_restrictions =
+# check_sender_access regexp:/etc/postfix/sender_restrictions.regexp,
+# permit_mynetworks,
+# permit_sasl_authenticated,
+# reject_non_fqdn_sender,
+# reject_unknown_sender_domain,
+# permit
+
+
+# 4a. checks run after a connection issues "RCPT TO"
+smtpd_recipient_restrictions =
+ check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
+ check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_helo_hostname,
+ reject_unauth_pipelining,
+ reject_unauth_destination,
+ reject_non_fqdn_sender,
+ reject_non_fqdn_recipient,
+ reject_unknown_client_hostname,
+ reject_unknown_helo_hostname,
+ reject_unknown_sender_domain,
+ reject_unknown_recipient_domain,
+ permit
+
+
+# 4b. same as smtpd_recipient_restrictions but diffrent.
+smtpd_relay_restrictions =
+ check_sender_access regexp:/etc/postfix/rel_sender.regexp,
+ check_recipient_access regexp:/etc/postfix/rel_recipient.regexp,
+ check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
+ check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_helo_hostname,
+ reject_unauth_pipelining,
+ reject_unauth_destination,
+ reject_non_fqdn_sender,
+ reject_non_fqdn_recipient,
+ reject_unknown_client_hostname,
+ reject_unknown_helo_hostname,
+ reject_unknown_sender_domain,
+ reject_unknown_recipient_domain,
+ permit
+
+
+# 5. checks run after a connection issues "RCPT TO"
+# we merge that into recipient and relay restrictions - no need to check everything multiple times.
+# smtpd_data_restrictions =
+# permit_mynetworks,
+# permit_sasl_authenticated,
+# reject_unauth_pipelining,
+# permit
diff --git a/roles/server/mail/postfix/files/default/master.cf b/roles/server/mail/postfix/files/default/master.cf
new file mode 100644
index 0000000..9b3720c
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/master.cf
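Review bot: In `smtpd_relay_restrictions` the four `check_sender_access`/`check_recipient_access` lookups run before `reject_unauth_destination`, and the `HOLD_OK` class ends in `permit`, so any `OK` or `HOLD_OK` result keyed on the client-chosen MAIL FROM substitutes for relay control: an unauthenticated remote client using that sender gets mail for arbitrary external recipients accepted (held, and relayed once an operator releases it). The shipped rcpt_sender.regexp only has its `HOLD_OK` example commented out, so nothing is open today, but this layout turns a later one-line table edit into an open relay. I would drop the two `rcpt_*` lookups from `smtpd_relay_restrictions` (they are evaluated again in `smtpd_recipient_restrictions`, which Postfix runs afterwards) and state in the rel_sender.regexp header that only REJECT-style actions belong there. Separately, `smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp` applies to every message the smtp and relay clients deliver, not only to submitted mail, so inbound mail forwarded through virtual.map to an outside mailbox loses its `Received:` trail; the submission path already gets those checks through `cleanupsubmission` in master.cf, so the global setting can probably be removed.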
@@ -0,0 +1,95 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+ -o content_filter=spamassassin
+ -o smtpd_milters=unix:/run/pyspf-milter/pyspf-milter.sock,unix:/run/opendkim/opendkim.sock,unix:/run/opendmarc/opendmarc.sock
+ -o non_smtpd_milters=unix:/run/pyspf-milter/pyspf-milter.sock,unix:/run/opendkim/opendkim.sock,unix:/run/opendmarc/opendmarc.sock
+submission inet n - n - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+ -o smtpd_milters=unix:/run/opendkim/opendkim.sock
+ -o non_smtpd_milters=unix:/run/opendkim/opendkim.sock
+ -o cleanup_service_name=cleanupsubmission
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+cleanupsubmission unix n - y - 0 cleanup
+ -o header_checks=regexp:/etc/postfix/header_checks_out.regexp
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+
+spamassassin unix - n n - - pipe
+ user=debian-spamd argv=/usr/bin/spamc -x -X -d 127.0.0.1 -s 10000000 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
+
+#sympa unix - n n - - pipe
+# flags=hqRu null_sender= user=sympa argv=/usr/lib/sympa/bin/queue ${nexthop}
+#sympabounce unix - n n - - pipe
+# flags=hqRu null_sender= user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${nexthop}
diff --git a/roles/server/mail/postfix/files/default/postfix@.service b/roles/server/mail/postfix/files/default/postfix@.service
new file mode 100644
index 0000000..262da7e
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/postfix@.service
@@ -0,0 +1,30 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Postfix Mail Transport Agent (instance %i)
+Documentation=man:postfix(1)
+PartOf=postfix.service
+Before=postfix.service
+ReloadPropagatedFrom=postfix.service
+After=network-online.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+GuessMainPID=no
+ExecStartPre=/usr/lib/postfix/configure-instance.sh %i
+ExecStart=/usr/sbin/postmulti -i %i -p start
+ExecStop=/usr/sbin/postmulti -i %i -p stop
+ExecReload=/usr/sbin/postmulti -i %i -p reload
+TimeoutStartSec=600
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/server/mail/postfix/files/default/rcpt_recipient.regexp b/roles/server/mail/postfix/files/default/rcpt_recipient.regexp
new file mode 100644
index 0000000..64a8034
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/rcpt_recipient.regexp
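Review bot: The `submission` stanza ties the connection to a SASL login (`smtpd_client_restrictions=permit_sasl_authenticated,reject`) but nothing ties that login to the envelope sender, so any account can submit with any MAIL FROM, including a colleague's or a role address, and the message then passes the opendkim milter attached to this service and, depending on its signing table, may leave DKIM-signed. If the site has a login-to-address mapping, `-o smtpd_sender_login_maps=<map of address -> sasl login>` plus `-o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,permit` on the submission stanza closes this; if it does not, a comment on the stanza recording that authenticated users may use arbitrary senders keeps the decision visible. The `smtp inet` and `submission` entries also run smtpd with the chroot column set to `n`, where the Debian-packaged master.cf ships `y`; fine if deliberate, but worth a comment since most other services in this table keep `y`.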
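Review bot: postfix@.service is installed under /etc/systemd/system/ by the tasks file, which replaces the packaged unit wholesale; the lines that look locally motivated are `TimeoutStartSec=600`, `Restart=always` and `RestartSec=10`, and everything else is a copy that will silently shadow any later packaged change, including sandboxing directives the distribution may add. A drop-in at `/etc/systemd/system/postfix@.service.d/override.conf` holding just `[Service]` and those three keys keeps the packaged unit authoritative and still gets the restart behaviour. If the full copy is intentional, a header comment naming the packaged version it was taken from lets the next maintainer diff it.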
@@ -0,0 +1,15 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# This file is consulted for every incoming and outgoing mail.
+#
+
+# Allow all mails to.
+# /^internalhoneypod@example\.com$/ OK
+
+# Deny all mail to.
+# /^.*@untrusted.example.com$/ REJECT
diff --git a/roles/server/mail/postfix/files/default/rcpt_sender.regexp b/roles/server/mail/postfix/files/default/rcpt_sender.regexp
new file mode 100644
index 0000000..27c3303
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/rcpt_sender.regexp
@@ -0,0 +1,18 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# This file is consulted for every incoming and outgoing mail.
+#
+
+# Deny mail from.
+# /^.*reject@example\.com$/ REJECT
+
+# Discard mail from.
+# /^discard@example\.com$/ DISCARD
+
+# Hold mail from, even if they would not have passed other checks.
+# /^hold@example\.com$/ HOLD_OK
diff --git a/roles/server/mail/postfix/files/default/rel_recipient.regexp b/roles/server/mail/postfix/files/default/rel_recipient.regexp
new file mode 100644
index 0000000..6c26ee4
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/rel_recipient.regexp
@@ -0,0 +1,9 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# This file is consulted only when relaying mails. (relay maps, or outgoing)
+#
diff --git a/roles/server/mail/postfix/files/default/rel_sender.regexp b/roles/server/mail/postfix/files/default/rel_sender.regexp
new file mode 100644
index 0000000..6c26ee4
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/rel_sender.regexp
@@ -0,0 +1,9 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# This file is consulted only when relaying mails. (relay maps, or outgoing)
+#
diff --git a/roles/server/mail/postfix/files/default/sasl.smtpd.conf b/roles/server/mail/postfix/files/default/sasl.smtpd.conf
new file mode 100644
index 0000000..3d98671
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/sasl.smtpd.conf
@@ -0,0 +1,10 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+pwcheck_method: saslauthd
+mech_list: PLAIN LOGIN
diff --git a/roles/server/mail/postfix/files/default/transport.map b/roles/server/mail/postfix/files/default/transport.map
new file mode 100644
index 0000000..a73bb65
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/transport.map
@@ -0,0 +1,8 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
diff --git a/roles/server/mail/postfix/files/default/virtual.map b/roles/server/mail/postfix/files/default/virtual.map
new file mode 100644
index 0000000..051a82c
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/virtual.map
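Review bot: `mech_list: PLAIN LOGIN` in sasl.smtpd.conf offers only mechanisms that transmit the password in the clear, which is acceptable here solely because main.cf sets `smtpd_tls_auth_only = yes` and the submission service in master.cf forces `smtpd_tls_security_level=encrypt`; that dependency is invisible from this file. A comment such as `# PLAIN/LOGIN send the password in the clear; main.cf keeps them TLS-only via smtpd_tls_auth_only = yes` would stop either side being relaxed on its own. With `pwcheck_method: saslauthd` the accepted credentials are whatever the server/mail/saslauthd role wires up, so that role, not this file, defines who can authenticate.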
@@ -0,0 +1,16 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+
+## example.com
+mailer-daemon@example.com root
+hostmaster@example.com root
+postmaster@example.com root
+abuse@example.com root
+security@example.com root
+root@example.com root
diff --git a/roles/server/mail/postfix/handlers/main.yml b/roles/server/mail/postfix/handlers/main.yml
new file mode 100644
index 0000000..724cde7
--- /dev/null
+++ b/roles/server/mail/postfix/handlers/main.yml
@@ -0,0 +1,26 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: restart postfix.service
+ systemd:
+ name: postfix.service
+ daemon_reload: yes
+ state: restarted
+ ignore_errors: yes
+
+
+- name: reload postfix.service
+ systemd:
+ name: postfix.service
+ daemon_reload: yes
+ state: restarted
+ ignore_errors: yes
+
+
+- name: rehash postfix maps
+ shell: postmap /etc/postfix/*.map
+ ignore_errors: yes
diff --git a/roles/server/mail/postfix/meta/main.yml b/roles/server/mail/postfix/meta/main.yml
new file mode 100644
index 0000000..07149b5
--- /dev/null
+++ b/roles/server/mail/postfix/meta/main.yml
@@ -0,0 +1,10 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+dependencies:
+ - { role: server/mail/saslauthd }
+ - { role: util/letsencrypt-cert, letsencrypt_cert_domain: "{{mail_primary_domain}}" }
diff --git a/roles/server/mail/postfix/tasks/main.yml b/roles/server/mail/postfix/tasks/main.yml
new file mode 100644
index 0000000..8d5d347
--- /dev/null
+++ b/roles/server/mail/postfix/tasks/main.yml
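Review bot: The `reload postfix.service` handler sets `state: restarted`, so it is just a second copy of the restart handler and every regexp change triggers a full restart that drops in-flight SMTP sessions; `state: reloaded` is what the name promises and what the regexp tasks need. All three handlers also carry `ignore_errors: yes`, so a postfix that refuses to come back after a broken main.cf, or a `postmap` that fails on a malformed map, leaves the play green with the MTA down or serving stale tables; dropping `ignore_errors` on at least the restart and reload handlers makes that visible. Minor: `yes` should be `true` in all three places (yamllint truthy).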
@@ -0,0 +1,209 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: install postfix
+ apt:
+ pkg:
+ - postfix
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: add postfix user to groups mail,sasl,ssl-cert,letsencrypt,opendkim,opendmarc
+ user:
+ name: "postfix"
+ groups: "mail,sasl,ssl-cert,letsencrypt,opendkim,opendmarc,pyspf-milter"
+ append: yes
+ createhome: no
+ state: present
+
+
+- name: copy main.cf
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/main.cf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/main.cf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/main.cf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/main.cf"
+ - "default/main.cf"
+ notify: restart postfix.service
+
+
+- name: copy master.cf
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/master.cf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/master.cf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/master.cf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/master.cf"
+ - "default/master.cf"
+ notify: restart postfix.service
+
+
+- name: copy saslauthd smtpd.conf
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/sasl/smtpd.conf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sasl.smtpd.conf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sasl.smtpd.conf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sasl.smtpd.conf"
+ - "default/sasl.smtpd.conf"
+ notify: restart postfix.service
+
+
+- name: copy header_checks_in.regexp
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/header_checks_in.regexp"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/header_checks_in.regexp"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/header_checks_in.regexp"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/header_checks_in.regexp"
+ - "default/header_checks_in.regexp"
+ notify: reload postfix.service
+
+
+- name: copy header_checks_out.regexp
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/header_checks_out.regexp"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/header_checks_out.regexp"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/header_checks_out.regexp"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/header_checks_out.regexp"
+ - "default/header_checks_out.regexp"
+ notify: reload postfix.service
+
+
+- name: copy rcpt_recipient.regexp
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/rcpt_recipient.regexp"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/rcpt_recipient.regexp"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/rcpt_recipient.regexp"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/rcpt_recipient.regexp"
+ - "default/rcpt_recipient.regexp"
+ notify: reload postfix.service
+
+
+- name: copy rcpt_sender.regexp
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/rcpt_sender.regexp"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/rcpt_sender.regexp"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/rcpt_sender.regexp"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/rcpt_sender.regexp"
+ - "default/rcpt_sender.regexp"
+ notify: reload postfix.service
+
+
+- name: copy rel_recipient.regexp
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/rel_recipient.regexp"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/rel_recipient.regexp"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/rel_recipient.regexp"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/rel_recipient.regexp"
+ - "default/rel_recipient.regexp"
+ notify: reload postfix.service
+
+
+- name: copy rel_sender.regexp
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/rel_sender.regexp"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/rel_sender.regexp"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/rel_sender.regexp"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/rel_sender.regexp"
+ - "default/rel_sender.regexp"
+ notify: reload postfix.service
+
+
+- name: copy transport.map
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/transport.map"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/transport.map"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/transport.map"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/transport.map"
+ - "default/transport.map"
+ notify: rehash postfix maps
+
+
+- name: copy virtual.map
+ copy:
+ src: "{{item}}"
+ dest: "/etc/postfix/virtual.map"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/virtual.map"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/virtual.map"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/virtual.map"
+ - "default/virtual.map"
+ notify: rehash postfix maps
+
+
+- name: copy postfix@.service to /etc/systemd/system/
+ copy:
+ src: "{{item}}"
+ dest: "/etc/systemd/system/postfix@.service"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/postfix@.service"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/postfix@.service"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/postfix@.service"
+ - "default/postfix@.service"
+
+
+- name: enable and start postfix.service
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: postfix.service
-- 
2.43.0