tweak email
authorRalf Jung <post@ralfj.de>
Sat, 7 Apr 2018 18:20:47 +0000 (20:20 +0200)
committerRalf Jung <post@ralfj.de>
Sun, 8 Apr 2018 08:20:25 +0000 (10:20 +0200)
email.yml
roles/postfix/tasks/main.yml
roles/postfix/templates/main.cf
roles/postfix/templates/master.cf [new file with mode: 0644]

index a4bb8e8..91f02f9 100644 (file)
--- a/email.yml
+++ b/email.yml
@@ -1,4 +1,8 @@
-- hosts: all
+- hosts: all:!base_only
   roles:
   - postfix
   - journalwatch
+  tasks:
+  # some basic security stuff that relies on working email
+  - name: install apticron, fail2ban
+    apt: name=apticron,fail2ban state=latest
index 69f8317..07c344e 100644 (file)
@@ -1,10 +1,13 @@
 - name: install postfix
   apt: name=postfix,bsd-mailx state=latest
-- name: install postfix main.cf
+- name: install postfix config
   register: config_main
   template:
-    src: templates/main.cf
-    dest: /etc/postfix/main.cf
+    src: templates/{{ item }}
+    dest: /etc/postfix/{{ item }}
+  with_items:
+  - main.cf
+  - master.cf
 - name: reload postfix
   service: name=postfix state=restarted enabled=yes
   when: config_main.changed
index ac40750..4085955 100644 (file)
@@ -1,8 +1,6 @@
 # local delivery: aliases only
 alias_maps = hash:/etc/aliases
 local_recipient_maps = $alias_maps
-# explicitly UNSET relay domains to prevent implicit domains
-relay_domains =
 # only consider ourselves local
 mynetworks_style = host
 {% if postfix.mynetworks is defined %}
@@ -23,10 +21,24 @@ smtpd_tls_mandatory_ciphers = high
 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtp_tls_ciphers = low
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_loglevel = 1
+{% if not(postfix.relay_host is defined) %}
 smtp_tls_security_level = dane
 smtp_dns_support_level = dnssec
-smtp_tls_loglevel = 1
+{% endif %}
+
+{% if postfix.relay_host is defined %}
+# Relay everything
+default_transport = smtp:{{ postfix.relay_host }}
+{% if postfix.relay_client_cert is defined %}
+# Enforce relay encryption
+smtp_tls_cert_file=$config_directory/{{ postfix.relay_client_cert }}.crt
+smtp_tls_key_file=$config_directory/{{ postfix.relay_client_cert }}.key
+smtp_tls_security_level = encrypt
+{% endif %}
+{% endif %}
 
+{% if postfix.postscreen is defined and postfix.postscreen %}
 # postscreen config
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -2
@@ -39,18 +51,20 @@ postscreen_dnsbl_action = enforce
 postscreen_pipelining_enable = yes
 postscreen_non_smtp_command_enable = yes
 postscreen_bare_newline_enable = yes
+{% endif %}
+
 # control relay access
 smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
-       # allow nobody else
-       defer_unauth_destination
+    # allow nobody else
+    defer_unauth_destination
 # spam-protection restrictions
 smtpd_helo_required = yes
 smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
-       # check everybody else
-       reject_unauth_pipelining,
-        reject_invalid_helo_hostname,
-       reject_non_fqdn_recipient,
-       reject_non_fqdn_sender,
+    # check everybody else
+    reject_unauth_pipelining,
+    reject_invalid_helo_hostname,
+    reject_non_fqdn_recipient,
+    reject_non_fqdn_sender,
 
 # misc
 smtpd_delay_reject = yes
diff --git a/roles/postfix/templates/master.cf b/roles/postfix/templates/master.cf
new file mode 100644 (file)
index 0000000..18b8d98
--- /dev/null
@@ -0,0 +1,126 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+{% if postfix.postscreen is defined and postfix.postscreen %}
+smtp      inet  n       -       y       -       1       postscreen
+{% else %}
+smtp      inet  n       -       y       -       -       smtpd
+{% endif %}
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix -       n       n       -       2       pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}