idiv-biodiversity/ansible-role-postfix
Ansible Role: Postfix

An Ansible role that installs Postfix and configures it.

Requirements

  • Ansible 2.9

Role Variables

This role does not come close to covering the full set of Postfix options. If you need something specific, feel free to contribute!

The content field is optional for all dictionary variables that may refer to configuration tables, e.g. postfix_transport.

Basic Variables

Variables with defaults:

postfix_inet_interfaces:
  - localhost

postfix_inet_protocols: all

postfix_destinations:
  - $myhostname
  - localhost.$mydomain
  - localhost

These variables are empty by default, so Postfix falls back to its own built-in defaults for them. Run postconf -d | grep ^my to see those defaults.

postfix_hostname: host.example.org
postfix_domain: example.org
postfix_origin: example.org

Note: Consult man 5 postconf for more information.

Masquerading

Masquerading can strip off subdomain structure, e.g. to rewrite user@sub.domain.example.org to user@example.org:

postfix_masquerade_domains:
  - example.org

Addresses that will be changed by masquerading:

postfix_masquerade_classes:
  - envelope_sender
  - envelope_recipient
  - header_sender
  - header_recipient

Users who are exceptions to masquerading:

postfix_masquerade_exceptions:
  - root

Note: The masquerading address mapping mechanism can rewrite both header and envelope addresses. For headers to be rewritten, see the section about Automatic Header Rewriting.
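The following is an added example, not code from the role: a small Python model of what the three masquerading variables above do to a single address, so their effect can be checked without a running Postfix. The domain and exception lists are constructed copies of the README values; postfix_masquerade_classes only decides which of the four address slots the rewrite is applied to, and the "!domain" exclusion form that real Postfix accepts in masquerade_domains is not modelled.

```python
# Added example (not part of the role): model the effect of
# postfix_masquerade_domains and postfix_masquerade_exceptions on an address.

MASQUERADE_DOMAINS = ["example.org"]      # constructed copy of postfix_masquerade_domains
MASQUERADE_EXCEPTIONS = ["root"]          # constructed copy of postfix_masquerade_exceptions


def masquerade(address, domains=MASQUERADE_DOMAINS, exceptions=MASQUERADE_EXCEPTIONS):
    """Return `address` rewritten as masquerade_domains would rewrite it.

    Rules modelled (man 5 postconf, masquerade_domains / masquerade_exceptions):
      * only the subdomain part *below* a listed domain is stripped, so
        user@sub.example.org -> user@example.org, while user@example.org is
        already as short as it gets and is left alone;
      * the first listed domain that matches wins;
      * addresses whose local part is listed in the exceptions are never
        rewritten (root is the classic case, so cron and system mail still
        shows which host it came from).
    Domain comparison is case-insensitive, as domain names are.
    """
    if "@" not in address:
        return address                    # no domain part, nothing to strip
    user, domain = address.rsplit("@", 1)
    if user.lower() in {e.lower() for e in exceptions}:
        return address
    for masq in domains:
        if domain.lower().endswith("." + masq.lower()):
            return f"{user}@{masq}"
    return address


def masquerade_all(addresses, **kwargs):
    """Apply masquerade() to a sequence of addresses, preserving order."""
    return [masquerade(a, **kwargs) for a in addresses]


if __name__ == "__main__":
    for a in ["user@sub.domain.example.org", "root@sub.domain.example.org",
              "user@example.org", "user@example.com"]:
        print(f"{a:30} -> {masquerade(a)}")
```

The root exception is worth keeping in mind when reviewing mail from many hosts: it is the one address class that masquerading deliberately leaves host-specific.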

Aliases

The variable postfix_aliases configures /etc/aliases, e.g.:

postfix_aliases:
  - user: icinga
    alias: root
  - user: root
    alias: admin@example.org

Relay and Transport

Delivery targets, i.e. relays:

postfix_relayhost: relay1.domain.org
postfix_smtp_fallback_relay: relay2.domain.org

Additionally, there is more fine-grained control with the transport table:

postfix_transport:
  - type: hash
    dest: /etc/postfix/transport
    content: |
      foo.org         smtp:[imap1.example.org]
      .foo.org        smtp:[imap1.example.org]
      bar.org         smtp:[imap2.example.org]
      .bar.org        smtp:[imap2.example.org]

Note: Consult man 5 transport for more information.

Canonical Address Mapping

Rewrite recipient and sender:

postfix_canonical:
  - type: hash
    dest: /etc/postfix/canonical
    content: |
      platform@internal.domain platform@example.org
  - type: ldap
    dest: /etc/postfix/ldap-canonical.cf
    content: |
      server_host = ldap.example.org
      search_base = dc=example, dc=org
      query_filter = uid=%s
      result_attribute = mail

Rewrite recipient:

postfix_recipient_canonical:
  - type: hash
    dest: /etc/postfix/recipient_canonical
    content: |
      root@internal.domain   admin@example.org
      icinga@internal.domain admin@example.org

Rewrite sender:

postfix_sender_canonical:
  - type: hash
    dest: /etc/postfix/sender_canonical
    content: |
      root@internal.domain   support@example.org
      icinga@internal.domain support@example.org

Note: The canonical address mapping mechanism is able to rewrite both header and envelope addresses. For headers to be rewritten, see the section about Automatic Header Rewriting.

Note: Consult man 5 canonical for more information.

SMTP Generic Table

Defines address mappings when mail is delivered via SMTP. This is useful to transform local mail addresses into valid mail addresses. The following example rewrites the sender icinga@internal to support@example.org and everything else @internal to no-reply@example.org:

postfix_smtp_generic:
  type: hash
  dest: /etc/postfix/smtp_generic
  content: |
    icinga@internal support@example.org
    @internal       no-reply@example.org

Note: This affects both message header addresses, i.e. the From: field, and the envelope addresses used by SMTP.

Note: Consult man 5 generic for more information.
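Both the canonical tables above and the SMTP generic table use the same "key value" text format and the same lookup order (user@domain, then bare user for local domains, then @domain). The block below is an added example, not code from the role: it parses that text form and applies the documented lookup order, using constructed copies of the postfix_smtp_generic content and of the hash entry from postfix_canonical, plus one extra constructed "@domain @otherdomain" line to show the form that keeps the local part.

```python
# Added example (not part of the role): parse Postfix "key value" lookup
# tables and apply the canonical(5)/generic(5) lookup order to addresses.

# Constructed sample: the same entries as the postfix_smtp_generic example.
SMTP_GENERIC = """\
# local -> public addresses
icinga@internal support@example.org
@internal       no-reply@example.org
"""

# Constructed sample: the postfix_canonical hash entry plus an added
# "@domain @otherdomain" line, which rewrites only the domain part.
CANONICAL = """\
platform@internal.domain platform@example.org
@internal.domain         @example.org
"""


def parse_table(text):
    """Parse the text form of a Postfix lookup table into a dict.

    Blank lines and '#' comments are skipped; key and value are separated by
    whitespace (postmap(1) accepts spaces or tabs). Keys are folded to lower
    case because Postfix address lookups are case-insensitive.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup(address, table, local_domains=()):
    """Rewrite `address` the way canonical(5)/generic(5) consult a table.

    Lookup order, highest precedence first:
      1. user@domain   exact address
      2. user          bare local part, only when the domain is local
                       ($myorigin / $mydestination; passed as `local_domains`)
      3. @domain       any address in the domain
    A result of the form "@otherdomain" keeps the local part and replaces
    the domain; any other result replaces the whole address. An address with
    no match (or with no domain part) is returned unchanged.
    """
    user, sep, domain = address.partition("@")
    if not sep:
        return address
    user_l, domain_l = user.lower(), domain.lower()
    candidates = [f"{user_l}@{domain_l}"]
    if domain_l in {d.lower() for d in local_domains}:
        candidates.append(user_l)
    candidates.append(f"@{domain_l}")
    for key in candidates:
        if key in table:
            result = table[key]
            return f"{user}{result}" if result.startswith("@") else result
    return address


if __name__ == "__main__":
    generic = parse_table(SMTP_GENERIC)
    canonical = parse_table(CANONICAL)
    for a in ["icinga@internal", "root@internal", "root@example.org"]:
        print(f"generic:   {a:24} -> {lookup(a, generic)}")
    for a in ["platform@internal.domain", "alice@internal.domain"]:
        print(f"canonical: {a:24} -> {lookup(a, canonical)}")
```

The @internal catch-all in the generic table is what turns every remaining internal sender into no-reply@example.org; a table with only the user@domain line would leak the internal domain for any user not listed.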

Header Checks

This lets you rewrite or reject message headers:

postfix_header_checks:
  - type: regexp
    dest: /etc/postfix/header_checks
    content: |
      /^From: root@[^ ]+\.example.org .*/ REPLACE From: no-reply@example.org

Note: Consult man 5 header_checks for more information.
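Because header checks are regular expressions applied to every message, it pays to know exactly which headers a rule catches before it goes live. The block below is an added example, not code from the role: a small evaluator for regexp(5) header_checks lines, run against the rule above and a few constructed From: headers. It shows two properties of the rule as written: the unescaped dot in example.org also matches other characters, and the trailing " .*" requires something after the address, so a bare "From: root@host.example.org" is not rewritten. A constructed tighter variant is included for comparison. Only REPLACE, IGNORE, REJECT and DUNNO without $1 back-references are modelled.

```python
# Added example (not part of the role): evaluate regexp(5) header_checks
# rules against sample headers to see what each rule really matches.
import re

# Constructed rule set: the same rule as the postfix_header_checks example.
RULES = r"""
/^From: root@[^ ]+\.example.org .*/ REPLACE From: no-reply@example.org
"""

# Constructed tighter variant: the dot in example.org is escaped and the
# rule also matches when nothing follows the address.
TIGHT_RULES = r"""
/^From: root@[^ ]+\.example\.org( .*)?$/ REPLACE From: no-reply@example.org
"""

# /pattern/flags action [text]; the delimiter is the first character of the line.
RULE_RE = re.compile(r"^(.)(.*?)(?<!\\)\1([!a-z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_rules(text):
    """Parse regexp(5) lines into (compiled_regex, ACTION, text) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        _, pattern, flags, action, text_arg = m.groups()
        # regexp(5): matching is case-insensitive by default; "!i" turns that off.
        re_flags = 0 if "!i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper(), text_arg or ""))
    return rules


def check_header(header, rules):
    """Return (action, header_after) for the first rule that matches.

    REPLACE yields the replacement text, IGNORE drops the header (None),
    other actions (e.g. REJECT) return the header untouched with the action
    name. No match is reported as DUNNO, as Postfix does.
    """
    for regex, action, text_arg in rules:
        if regex.search(header):
            if action == "REPLACE":
                return "REPLACE", text_arg
            if action == "IGNORE":
                return "IGNORE", None
            return action, header
    return "DUNNO", header


if __name__ == "__main__":
    samples = [
        "From: root@host.example.org (Cron Daemon)",
        "From: root@host.example.org",
        "From: root@host.exampleXorg (x)",
        "From: alice@host.example.org",
    ]
    for name, text in (("as written", RULES), ("tightened", TIGHT_RULES)):
        rules = parse_rules(text)
        for h in samples:
            print(f"{name:10} {h:45} -> {check_header(h, rules)}")
```

Running the evaluator on real headers from the mail log is the cheapest way to confirm a REPLACE or REJECT rule is neither too narrow nor too broad before it touches production traffic.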

SMTP

postfix_smtp:
  tls_CApath: '/etc/pki/tls/certs'
  tls_security_level: 'may'
  tls_cert_file: '/etc/pki/cert.pem'
  tls_key_file: '/etc/pki/key.pem'
  tls_note_starttls_offer: 'yes'

postfix_smtpd:
  tls_CApath: '/etc/pki/tls/certs'
  tls_security_level: 'may'
  tls_cert_file: '/etc/pki/cert.pem'
  tls_key_file: '/etc/pki/key.pem'
  tls_auth_only: 'no'
  tls_loglevel: '1'
  tls_received_header: 'yes'
  tls_session_cache_timeout: '3600s'

postfix_tls_random_source: 'dev:/dev/urandom'

Note: At the moment, PEM files need to be copied manually.
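The two TLS dictionaries above are where a security review of this role's output usually focuses, so the block below is an added example, not code from the role: it renders both dictionaries into main.cf lines and flags the values a reviewer would question, next to a hardened inbound variant. It assumes, without checking the role's template, that each key is written as <prefix>_<key> (so tls_security_level under postfix_smtpd becomes smtpd_tls_security_level); the dictionaries are constructed copies of the README values.

```python
# Added example (not part of the role): render the postfix_smtp/postfix_smtpd
# dictionaries as main.cf parameters and audit the TLS-relevant values.
# Assumption: the role writes each key as "<prefix>_<key>".

POSTFIX_SMTP = {                      # constructed copy of the README values
    "tls_CApath": "/etc/pki/tls/certs",
    "tls_security_level": "may",
    "tls_cert_file": "/etc/pki/cert.pem",
    "tls_key_file": "/etc/pki/key.pem",
    "tls_note_starttls_offer": "yes",
}

POSTFIX_SMTPD = {                     # constructed copy of the README values
    "tls_CApath": "/etc/pki/tls/certs",
    "tls_security_level": "may",
    "tls_cert_file": "/etc/pki/cert.pem",
    "tls_key_file": "/etc/pki/key.pem",
    "tls_auth_only": "no",
    "tls_loglevel": "1",
    "tls_received_header": "yes",
    "tls_session_cache_timeout": "3600s",
}

# Hardened inbound variant (constructed): only offer SASL AUTH once TLS is up.
HARDENED_SMTPD = {**POSTFIX_SMTPD, "tls_auth_only": "yes"}


def render_main_cf(prefix, settings):
    """One 'parameter = value' line per key, in dictionary order."""
    return [f"{prefix}_{key} = {value}" for key, value in settings.items()]


def audit_tls(prefix, settings):
    """Return (severity, message) findings for settings that weaken TLS.

    Postfix defaults used for absent keys: an empty security level means
    'none', and smtpd_tls_auth_only defaults to 'no'.
    """
    findings = []
    level = settings.get("tls_security_level") or "none"
    if level == "none":
        findings.append(("high", f"{prefix}_tls_security_level=none: STARTTLS is not used at all"))
    elif level == "may":
        findings.append(("info", f"{prefix}_tls_security_level=may: opportunistic TLS, peer certificates "
                                 "are not verified and a failed STARTTLS falls back to plaintext"))
    if prefix == "smtpd" and level != "none" and not settings.get("tls_cert_file"):
        findings.append(("high", "smtpd_tls_cert_file is unset: the server cannot offer STARTTLS"))
    if prefix == "smtpd" and settings.get("tls_auth_only", "no") == "no":
        findings.append(("medium", "smtpd_tls_auth_only=no: SASL AUTH, if enabled, is offered on unencrypted connections"))
    return findings


if __name__ == "__main__":
    for prefix, settings in (("smtp", POSTFIX_SMTP), ("smtpd", POSTFIX_SMTPD), ("smtpd", HARDENED_SMTPD)):
        print("\n".join(render_main_cf(prefix, settings)))
        for severity, message in audit_tls(prefix, settings):
            print(f"  [{severity}] {message}")
        print()
```

The "may" level is the usual choice for outbound mail to arbitrary internet hosts, where many peers have no verifiable certificate; for a fixed postfix_relayhost, a mandatory level with certificate verification is the stricter option, and the audit's "info" finding is the prompt to decide which case applies.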

Automatic Header Rewriting

Starting with Postfix 2.2, automatic message header rewriting is disabled by default; only envelope addresses get rewritten. This applies to the address rewriting facilities described above (masquerading and canonical mapping). Check man 5 postconf to see whether it applies to your configuration entries.

To get the behavior before Postfix 2.2, add this variable:

postfix_local_header_rewrite_clients:
  - type: static
    dest: all

Dependencies

---

# requirements.yml

roles:

  - name: idiv_biodiversity.postfix
    src: https://github.com/idiv-biodiversity/ansible-role-postfix
    version: vX.Y.Z

...

Example Playbook

Top-Level Playbook

Write a top-level playbook:

---

- name: head server
  hosts: head

  roles:
    - role: idiv_biodiversity.postfix
      tags:
        - mail
        - mta
        - postfix

...

Role Dependency

Define the role dependency in meta/main.yml:

---

dependencies:

  - role: idiv_biodiversity.postfix
    tags:
      - mail
      - mta
      - postfix

...

License

MIT

Author Information

This role was created in 2017 by Christian Krause aka wookietreiber at GitHub, HPC cluster systems administrator at the German Centre for Integrative Biodiversity Research (iDiv), based on a draft by Ben Langenberg aka bencarsten at GitHub.