robertdebock / ansible-role-postfix
Install and configure postfix on your system.

Home Page: https://robertdebock.nl/

License: Apache License 2.0

ansible postfix installer mailserver package security system molecule tox playbook

ansible-role-postfix's Introduction

Install and configure postfix on your system.


This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: Converge
  hosts: all
  become: yes
  gather_facts: yes

  roles:
    - role: robertdebock.postfix
      # postfix_relayhost: "[relay.example.com]"
      postfix_myhostname: "smtp.example.com"
      postfix_mydomain: "example.com"
      postfix_myorigin: "example.com"
      postfix_mynetworks:
        - 127.0.0.0/8
        - 192.168.0.0/16
      postfix_aliases:
        - name: root
          destination: [email protected]
      # Ziggo settings: ("email-address" and "email-password" are placeholders)
      postfix_relayhost: "[smtp.ziggo.nl]:587"
      postfix_smtp_use_tls: yes
      postfix_smtp_sasl_auth_enable: yes
      postfix_smtp_sasl_password_map: "/etc/postfix/relay_pass"
      postfix_smtp_sasl_security_options: ""
      postfix_smtp_tls_wrappermode: no
      postfix_smtp_tls_security_level: may
      postfix_smtp_sasl_password_map_content: |
        [smtp.ziggo.nl]:587 email-address:email-password

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: yes
  gather_facts: no

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies

Also see a full explanation and example on how to use these roles.

The default values for the variables are set in defaults/main.yml:

---
# defaults file for postfix

# These settings are required in postfix.
postfix_myhostname: "{{ ansible_fqdn }}"
postfix_mydomain: "{{ ansible_domain | default('localdomain', true) }}"
postfix_myorigin: "{{ ansible_domain | default('localdomain', true) }}"

# To "listen" on public interfaces, set inet_interfaces to something like
# "all" or the name of the interface, such as "eth0".
postfix_inet_interfaces: "loopback-only"

# Enable IPv4, and IPv6 if supported - if IPV4 only set to ipv4
postfix_inet_protocols: all

# Set a banner
postfix_banner: "$myhostname ESMTP $mail_name"

# The destination tells Postfix which domains to accept mail for.
postfix_mydestination: $mydomain, $myhostname, localhost.$mydomain, localhost

# To accept email from other machines, set the mynetworks to something like
# "- 192.168.0.0/24".
postfix_mynetworks:
  - 127.0.0.0/8

# These settings change the role of the postfix server to a relay host.
# postfix_relay_domains: "$mydestination"

# If you want to forward emails to another central relay server, set relayhost.
# Use brackets to send to the A-record of the relayhost.
# postfix_relayhost: "[relay.example.com]"

# Set the restrictions for receiving mails.
postfix_smtpd_recipient_restrictions:
  - permit_mynetworks
  - permit_sasl_authenticated
  - reject_unauth_destination
  - reject_invalid_hostname
  - reject_non_fqdn_hostname
  - reject_non_fqdn_sender
  - reject_non_fqdn_recipient
  - reject_unknown_sender_domain
  - reject_unknown_recipient_domain
  - reject_rbl_client sbl.spamhaus.org
  - reject_rbl_client cbl.abuseat.org
  - reject_rbl_client dul.dnsbl.sorbs.net
  - permit

postfix_smtpd_sender_restrictions:
  - reject_unknown_sender_domain

# The default SMTP TLS security level for the Postfix SMTP client
# Valid values are: dane, encrypt, fingerprint, may, none, secure, verify
postfix_smtp_tls_security_level: none

# To enable spamassassin, ensure spamassassin is installed,
# (hint: role: robertdebock.spamassassin) and set these two variables:
# postfix_spamassassin: enabled
# postfix_spamassassin_user: spamd

# To enable clamav, ensure clamav is installed,
# (hint: role: robertdebock.clamav) and set this variable:
# postfix_clamav: enabled

# You can configure aliases here. Typically redirecting `root` is a good plan.
# postfix_aliases:
#   - name: root
#     destination: [email protected]

# You can configure sender access controls here.
# postfix_sender_access:
#   - domain: gooddomain.com
#     action: OK
#   - domain: baddomain.com
#     action: REJECT

# You can configure recipient access controls here.
# postfix_recipient_access:
#   - domain: gooddomain.com
#     action: OK
#   - domain: baddomain.com
#     action: REJECT

# You can disable SSL/TLS versions here.
# postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'

# You can supply a transport_maps Jinja2 template here
# postfix_transport_maps_template: /path/to/transport.j2

# You can supply a header_checks Jinja2 template here
# postfix_header_checks_template: /path/to/header_checks.j2

# Whether or not to use the local biff service.
# postfix_biff: yes

# With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information
# postfix_append_dot_mydomain: no

# The alias databases that are used for local(8) delivery
# postfix_alias_maps: "hash:/etc/aliases"

# A prefix that the virtual(8) delivery agent prepends to all pathname results from $virtual_mailbox_maps table lookups.
# postfix_virtual_mailbox_base: /var/mail

# Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains.
# postfix_virtual_mailbox_maps: mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf

# Postfix is final destination for the specified list of domains; mail is delivered via the $virtual_transport mail delivery transport
# postfix_virtual_mailbox_domains: "$virtual_mailbox_maps"

# Postfix is final destination for the specified list of virtual alias domains, that is, domains for which all addresses are aliased to addresses in other local or remote domains.
# postfix_virtual_alias_domains: "$virtual_alias_maps"

# Optional lookup tables that alias specific mail addresses or domains to other local or remote address.
# postfix_virtual_alias_maps: "$virtual_maps"

# Lookup tables with the per-recipient user ID that the virtual(8) delivery agent uses while writing to the recipient's mailbox.
# postfix_virtual_uid_maps: "static:2000"

# Lookup tables with the per-recipient group ID for virtual(8) mailbox delivery.
# postfix_virtual_gid_maps: "static:2000"

# Enable SASL authentication in the Postfix SMTP server.
# postfix_smtpd_sasl_auth_enable: yes

# The name of the Postfix SMTP server's local SASL authentication realm.
# postfix_smtpd_sasl_local_domain: $myhostname

# Postfix SMTP server SASL security options; as of Postfix 2.3 the list of available features depends on the SASL server implementation that is selected with smtpd_sasl_type.
# postfix_smtpd_sasl_security_options: noanonymous

# Report the SASL authenticated user name in the smtpd(8) Received message header.
# postfix_smtpd_sasl_authenticated_header: yes

# Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954).
# postfix_broken_sasl_auth_clients: no

# A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates.
# postfix_smtpd_tls_CAfile: /etc/letsencrypt/live/smtp.syhosting.ch/chain.pem

# File with the Postfix SMTP server RSA certificate in PEM format.
# postfix_smtpd_tls_cert_file: /etc/letsencrypt/live/smtp.syhosting.ch/cert.pem

# File with the Postfix SMTP server RSA private key in PEM format.
# postfix_smtpd_tls_key_file: /etc/letsencrypt/live/smtp.syhosting.ch/privkey.pem

# Request that the Postfix SMTP server produces Received: message headers that include information about the protocol and cipher used, as well as the remote SMTP client CommonName and client certificate issuer CommonName.
# postfix_smtpd_tls_received_header: yes

# The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
# postfix_smtpd_tls_security_level: may

# Ask a remote SMTP client for a client certificate.
# postfix_smtpd_tls_ask_ccert: yes

# Enable additional Postfix SMTP server logging of TLS activity.
# postfix_smtpd_tls_loglevel: 1

# Name of the file containing the optional Postfix SMTP server TLS session cache.
# postfix_smtpd_tls_session_cache_database: btree:/var/lib/postfix/smtpd_tls_session_cache

# A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates.
# postfix_smtp_tls_CAfile: /etc/letsencrypt/live/smtp.syhosting.ch/chain.pem

# File with the Postfix SMTP client RSA certificate in PEM format.
# postfix_smtp_tls_cert_file: /etc/letsencrypt/live/smtp.syhosting.ch/cert.pem

# File with the Postfix SMTP client RSA private key in PEM format.
# postfix_smtp_tls_key_file: /etc/letsencrypt/live/smtp.syhosting.ch/privkey.pem

# Name of the file containing the optional Postfix SMTP client TLS session cache.
# postfix_smtp_tls_session_cache_database: btree:/var/lib/postfix/smtp_tls_session_cache

# The external entropy source for the in-memory tlsmgr(8) pseudo random number generator (PRNG) pool.
# postfix_tls_random_source: dev:/dev/urandom

# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
# postfix_smtpd_tls_mandatory_protocols: TLSv1

# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
# postfix_smtp_tls_mandatory_protocols: TLSv1

# The default mail delivery transport and next-hop destination for final delivery to domains listed with $virtual_mailbox_domains.
# postfix_virtual_transport: maildrop1

# Optional pathname of a mailbox file relative to a local(8) user's home directory.
# postfix_home_mailbox: Maildir/

# The maximal size in bytes of a message, including envelope information.
# postfix_message_size_limit: 10240000

# Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.
# postfix_smtpd_helo_required: no

# The time unit over which client connection rates and other rates are calculated.
# postfix_anvil_rate_time_unit: 60s

# The maximal number of connection attempts any client is allowed to make to this service per time unit.
# postfix_smtpd_client_connection_rate_limit: 10

# How many simultaneous connections any client is allowed to make to this service.
# postfix_smtpd_client_connection_count_limit: 10

# Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the bounce_queue_lifetime limit.
# postfix_bounce_queue_lifetime: 5d

# The location of Postfix README files that describe how to build, configure or operate a specific Postfix subsystem or feature.
# postfix_readme_directory: /usr/share/doc/postfix

# The location of Postfix HTML files that describe how to build, configure or operate a specific Postfix subsystem or feature.
# postfix_html_directory: /usr/share/doc/postfix/html

# You can change the port that Postfix listens on.
# Postfix uses `/etc/services` to map service names to port numbers.
# So specify either a port number, such as `2525`, or a service name, such as `smtp`.
postfix_smtp_listen_port: smtp

postfix_smtp_use_tls: no
postfix_smtp_sasl_auth_enable: no
postfix_smtp_sasl_password_map: ""
postfix_smtp_sasl_security_options: ""
postfix_smtp_tls_wrappermode: no
postfix_smtp_sasl_password_map_content: ""
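The converge example and the defaults above combine settings whose security depends on each other: relay credentials in a SASL password map are only as safe as the TLS level the client negotiates, and the restriction list is only relay-safe if reject_unauth_destination comes before any unconditional permit. The following audit is an added example, not code from the role; it reads a rendered main.cf (the two samples are constructed, one mirroring the converge example above and one hardened variant) and flags those combinations. Parameter names are Postfix's own; the function names are this example's.

```python
"""Audit a rendered Postfix main.cf for weak combinations of the settings the
role variables above control.  Added example, not code from the role."""
import re

# constructed: roughly what the converge example above renders
WEAK_CF = """\
myhostname = smtp.example.com
inet_interfaces = all
relayhost = [smtp.ziggo.nl]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_tls_mandatory_protocols = TLSv1
"""

# constructed: same relay, credentials only ever sent over mandatory TLS
HARDENED_CF = """\
myhostname = smtp.example.com
inet_interfaces = all
relayhost = [smtp.ziggo.nl]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtp_tls_security_level = encrypt
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_tls_mandatory_protocols = >=TLSv1.2
"""

MANDATORY_TLS = {"encrypt", "verify", "secure", "fingerprint", "dane-only"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues
    the previous value, as in Postfix's own main.cf syntax."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def csv(value):
    """Comma-separated list (restriction entries may contain spaces)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def words(value):
    """Comma- or whitespace-separated list (options, protocol names)."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def protocols_ok(value):
    """True if a *_tls_*protocols value excludes SSLv3 and TLS 1.0/1.1,
    in any of the three notations Postfix accepts."""
    toks = words(value)
    for t in toks:                                  # ">=TLSv1.2" form
        if t.startswith(">="):
            return t[2:] not in WEAK_PROTOCOLS
    if any(t.startswith("!") for t in toks):        # exclusion form
        return WEAK_PROTOCOLS <= {t[1:] for t in toks if t.startswith("!")}
    return not (set(toks) & WEAK_PROTOCOLS)         # inclusion form


def audit(params):
    """Return a list of findings (empty means nothing flagged)."""
    findings = []
    # Relay credentials: with 'may', AUTH goes in clear text whenever the
    # relay does not offer STARTTLS (or it is stripped on the path).
    if params.get("smtp_sasl_auth_enable", "no") == "yes":
        if params.get("smtp_tls_security_level", "none") not in MANDATORY_TLS:
            findings.append("relay auth: smtp_tls_security_level does not mandate TLS")
        if "noplaintext" not in words(params.get("smtp_sasl_security_options", "")):
            findings.append("relay auth: smtp_sasl_security_options lacks noplaintext")
    # Relay protection in the list the role sets (Postfix 2.10+ also has
    # smtpd_relay_restrictions as a safety net; only this list is checked here).
    rr = csv(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rr:
        findings.append("open relay: no reject_unauth_destination in smtpd_recipient_restrictions")
    elif "permit" in rr and rr.index("permit") < rr.index("reject_unauth_destination"):
        findings.append("open relay: unconditional permit precedes reject_unauth_destination")
    # A listener on public interfaces that offers no STARTTLS at all.
    if (params.get("inet_interfaces", "all") != "loopback-only"
            and params.get("smtpd_tls_security_level", "none") == "none"):
        findings.append("public listener: smtpd_tls_security_level=none, STARTTLS not offered")
    # Protocol lists that still allow SSLv3 / TLS 1.0 / TLS 1.1 (an unset value
    # falls back to Postfix's version-dependent default, not audited here).
    for name in ("smtpd_tls_mandatory_protocols", "smtp_tls_mandatory_protocols",
                 "smtpd_tls_protocols", "smtp_tls_protocols"):
        if name in params and not protocols_ok(params[name]):
            findings.append(f"weak TLS: {name} = {params[name]!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(label, audit(parse_main_cf(text)) or ["ok"])
```

Run it against `postconf -n` output from a host the role has configured; the weak sample yields four findings (opportunistic TLS plus empty SASL options on the relay connection, no STARTTLS on the public listener, and a TLSv1-only mandatory protocol list), the hardened one none.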

The following roles are used to prepare a system. You can prepare your system in another way.

Requirements:

  • robertdebock.bootstrap
  • robertdebock.core_dependencies

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles.

This role has been tested on these container images:

container  tags
Amazon     2018.03
EL         all
Debian     all
Fedora     all
Ubuntu     all

The minimum version of Ansible required is 2.12; tests have been done against:

  • The previous version.
  • The current version.
  • The development version.

If you find issues, please register them in GitHub.

Apache-2.0.

robertdebock

Please consider sponsoring me.

ansible-role-postfix's People

Contributors: benformosa, justin-p, obihoernchen, robert-de-bock, robertdebock, stdtom

ansible-role-postfix's Issues

setgid_group variable in main.cf template

Proposed feature

Make the setgid_group value in the postfix configuration a variable, with a default, that can be overridden on those systems where that group does not exist.

setgid_group = postdrop

Rationale

Using this role on an openSUSE system, the Postfix setgid_group is actually 'maildrop' for executables and spools. So it would be useful to be able to override the value this role uses.

Additional context

See: https://build.opensuse.org/package/view_file/openSUSE:Factory/postfix/postfix.spec?expand=1

This should be a list.

To accept email from other machines, set the mynetworks to something like
"192.168.0.0/24".
# TODO: This should be a list.

postfix_mydestination: $mydomain, $myhostname, localhost.$mydomain, localhost

# TODO: This should be a list.
# To accept email from other machines, set the mynetworks to something like
# "192.168.0.0/24".
postfix_mynetworks: "127.0.0.0/8"

9a8a2cebde302d72ad416d70bbf7662f85ea5163

Support Postfix Address Rewriting

Proposed feature

Postfix address rewriting purpose

Address rewriting is at the heart of the Postfix mail system. Postfix rewrites
addresses for many different purposes. Some are merely cosmetic, and some are
necessary to deliver correctly formatted mail to the correct destination.
Examples of address rewriting in Postfix are:

  • Transform an incomplete address into a complete address. For example,
    transform "username" into "[email protected]", or transform
    "username@hostname" into "[email protected]".

  • Replace an address by an equivalent address. For example, replace
    "[email protected]" by "[email protected]" when sending
    mail, and do the reverse transformation when receiving mail.

  • Replace an internal address by an external address. For example, replace
    "[email protected]" by "[email protected]" when sending mail
    from a home computer to the Internet.

  • Replace an address by multiple addresses. For example, replace the address
    of an alias by the addresses listed under that alias.

  • Determine how and where to deliver mail for a specific address. For
    example, deliver mail for "[email protected]" with the smtp(8) delivery
    agent, to the hosts that are listed in the DNS as the mail servers for the
    domain "example.com".
    ( /usr/share/doc/postfix/README_FILES/ADDRESS_REWRITING_README )

Rationale

"To transform a locally valid address into a globally valid address when sending mail across the Internet.
This is needed when the local machine does not have its own Internet domain name, but uses something like localdomain.local instead." ( man 5 postconf | grep -A9 '^smtp_generic_maps' )

Additional context

Implementation should be quite similar to postfix_aliases.

SELinux module?

Hey Robert,

Consciously not following the bug report template here.

I have been looking at the reason behind the custom SELinux module a bit. I cannot find a reason why this is required, I think. On neither RHEL8 nor RHEL7 I can reproduce a dac_override error.

I have built both RHEL7 and RHEL8 VMs to test with, but neither is problematic.

Hence, I don't think the module should be there.

Would you be open to:
a) dropping the module?
b) tagging the SELinux tasks, so they are skippable?
c) making them optional, and controlled by a variable?

Not that it's really relevant, but I've been testing with Ansible 2.9 and 2.10 from a Fedora control host.

Taking away setgid makes sendmail fail

Describe the bug

On all of Debian Buster, Fedora 33 and RHEL8 at least, the "set group owner" task takes away various setgid and sticky bits, which makes sendmail fail with variations of the following error:

 postdrop: warning: mail_queue_enter: create file maildrop/441438.29415: Permission denied

Playbook

The listed bit of playbook sets the octal mode for the listed files to 0755, but from the deb / rpm, the files actually have the permissions listed below:

  - name: set group owner
    file:
      path: "{{ item }}"
      group: "{{ postfix_group }}"
      mode: "0755"
    loop:
      - /usr/sbin/postqueue
      - /usr/sbin/postdrop
      - /var/spool/postfix/public
      - /var/spool/postfix/maildrop

Original permissions

On Debian Buster:
/usr/sbin/postdrop and /usr/sbin/postqueue are setgid (both 2555). /var/spool/postfix/maildrop has the sticky bit set (mode 1730), while /var/spool/postfix/public is setgid (mode 2710)

On Fedora 33 and RHEL8:
Both /usr/sbin/postdrop and /usr/sbin/postqueue are setgid (both 2755). /var/spool/postfix/maildrop and /var/spool/postfix/public are mode 0730 and 0710, respectively.

Output

After running the playbook, setgid is dropped from the postqueue and postdrop binaries, meaning the directories under /var/spool/postfix are no longer writable for postdrop processes. This leads to the aforementioned error.

Environment

RHEL8, Fedora 33 and Debian Buster clients.

I'm most curious about why the permissions are changed in the first place. Is there something I am missing that could easily remedy this problem?
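The report above is a textbook case of a least-privilege mechanism being broken by a blanket mode: postdrop relies on its setgid bit to write into the group-owned maildrop spool, and the task's `mode: "0755"` clears it while also granting world read on directories the package deliberately keeps closed. The following pre-flight check is an added example (not code from the role or the issue author): it takes the packaged modes the issue reports and computes, per file, which special bits `0755` would strip and which permissions it would newly grant to others. Paths and modes come from the issue; the function names are this example's.

```python
"""Pre-flight check for the 'set group owner' task quoted in the issue above.
Added example, not from the role.  Modes are the ones the issue reports for
Debian Buster and for Fedora 33 / RHEL 8; paths are the task's loop items."""
import stat

ROLE_MODE = 0o755   # the mode the quoted task applies to every item

# Packaged permissions as reported in the issue, per distribution family.
PACKAGED_MODES = {
    "debian": {
        "/usr/sbin/postqueue": 0o2555,
        "/usr/sbin/postdrop": 0o2555,
        "/var/spool/postfix/public": 0o2710,
        "/var/spool/postfix/maildrop": 0o1730,
    },
    "fedora": {
        "/usr/sbin/postqueue": 0o2755,
        "/usr/sbin/postdrop": 0o2755,
        "/var/spool/postfix/public": 0o0710,
        "/var/spool/postfix/maildrop": 0o0730,
    },
}

SPECIAL_BITS = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"))


def rwx(bits):
    """Render the low three permission bits in ls style, e.g. 0o5 -> 'r-x'."""
    return "".join(ch if bits & b else "-" for b, ch in ((4, "r"), (2, "w"), (1, "x")))


def impact(current, new=ROLE_MODE):
    """Special bits lost, and permissions newly granted to 'others', when a
    file with mode 'current' is chmod'ed to 'new'."""
    lost = [name for bit, name in SPECIAL_BITS if current & bit and not new & bit]
    granted = (new & 0o007) & ~(current & 0o007)
    return {"lost": lost, "granted_to_others": rwx(granted)}


def audit(modes, new=ROLE_MODE):
    """Per-path impact of applying 'new' to every file in 'modes'."""
    return {path: impact(mode, new) for path, mode in modes.items()}


if __name__ == "__main__":
    for family, modes in PACKAGED_MODES.items():
        print(family)
        for path, result in audit(modes).items():
            print(f"  {path}: loses {result['lost'] or 'nothing'}, "
                  f"grants others {result['granted_to_others']}")
```

On both families the two binaries lose setgid, which is exactly why postdrop can no longer create files in maildrop; on Debian the spool directories additionally lose their sticky/setgid bits and gain world read. A task that only needs to fix the group should leave `mode` unset rather than rewrite it.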

daemon_directory for Debian

Debian's daemon_directory is missing in vars. It's not using /usr/libexec/postfix.
Evidence on Debian 9's mail.log

fatal: daemon_directory = '/usr/libexec/postfix': directory not found: No such file or directory

Complete the list in vars/mail.yml

postfix_daemon_directory:
  default: /usr/libexec/postfix
  Ubuntu: /usr/lib/postfix
  openSUSE Leap: /usr/lib/postfix
  Debian: /usr/lib/postfix/sbin

compatibility_level is not set in Postfix 3.0 and later

Describe the bug

This role does not set the compatibility_level parameter which was introduced with Postfix 3.0.
Therefore, Postfix produces warnings in the log file on every restart (see below).

Output

Jan  5 16:40:56 CentOS-9-64-minimal postfix[5743]: Postfix is running with backwards-compatible default settings
Jan  5 16:40:56 CentOS-9-64-minimal postfix[5743]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Jan  5 16:40:56 CentOS-9-64-minimal postfix[5743]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"

Environment

  • Control node OS: MacOS
  • Control node Ansible version: ansible [core 2.14.1]
  • Managed node OS: centos-stream-9 (as per the output above), ubuntu-22.04, debian-11, fedora-37, rocky-9

Debian builds failing

Describe the bug

Molecule builds on Debian and Ubuntu fail.

https://github.com/robertdebock/ansible-role-postfix/runs/1903058812

It seems that the Molecule action is running on a container which has a hostname constructed from inputs to the GitHub Action.
E.g. postfix-debian-latestpy39-ansible-2.10

Debian's postinstall script attempts to configure postfix, but fails when the hostname contains a dot(.) - it interprets everything after the dot as the domain name, and does not accept a numeric-only hostname.

The hostname appears to be set in molecule/default/molecule.yml

platforms:
  - name: "postfix-${image:-fedora}-${tag:-latest}${TOX_ENVNAME}"

TOX_ENVNAME is set in tox.ini

Solution might be to do some kind of search/replace on TOX_ENVNAME before it gets to Molecule to replace . with another character.

Output

TASK [Wait for instance(s) creation to complete] *******************************
FAILED - RETRYING: Wait for instance(s) creation to complete (300 retries left).
changed: [localhost] => ({
  'started': 1,
  'finished': 0,
  'ansible_job_id': '783246255794.187',
  'results_file': '/root/.ansible_async/783246255794.187',
  'changed': True,
  'failed': False,
  'item': {
    'command': '/sbin/init',
    'image': 'robertdebock/debian:latest',
    'name': 'postfix-debian-latestpy39-ansible-2.9',
    'pre_build_image': True,
    'privileged': True,
    'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:ro']
  },
  'ansible_loop_var': 'item'
})

...

TASK [ansible-role-postfix : install postfix] **********************************
fatal: [postfix-debian-latestpy39-ansible-2.10]: FAILED! => changed=false 
  cache_update_time: 1613391886
  cache_updated: false
  msg: |-
    '/usr/bin/apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"      install 'postfix'' failed: debconf: delaying package configuration, since apt-utils is not installed
    E: Sub-process /usr/bin/dpkg returned an error code (1)
  rc: 100
  stderr: |-
    debconf: delaying package configuration, since apt-utils is not installed
    E: Sub-process /usr/bin/dpkg returned an error code (1)
  stderr_lines: <omitted>
  stdout: |-
    Reading package lists...
...
    setting myhostname: postfix-debian-latestpy39-ansible-2.10
    setting alias maps
    setting alias database
    setting myorigin
    setting destinations: $myhostname, postfix-debian-latestpy39-ansible-2.10, localhost.10, , localhost
    setting relayhost:
    setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    setting mailbox_size_limit: 0
    setting recipient_delimiter: +
    setting inet_interfaces: all
    setting inet_protocols: all
    WARNING: /etc/aliases exists, but does not have a root alias.
  
    Postfix (main.cf) is now set up with a default configuration.  If you need to
    make changes, edit /etc/postfix/main.cf (and others) as needed.  To view
    Postfix configuration values, see postconf(1).
  
    After modifying main.cf, be sure to run 'service postfix reload'.
  
    Running newaliases
    newaliases: warning: valid_hostname: numeric hostname: 10
    newaliases: fatal: file /etc/postfix/main.cf: parameter mydomain: bad parameter value: 10
    dpkg: error processing package postfix (--configure):
     installed postfix package post-installation script subprocess returned error exit status 75
    Processing triggers for systemd (241-7~deb10u5) ...
    Processing triggers for libc-bin (2.28-10) ...
    Errors were encountered while processing:
     postfix

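The failure in the output above comes down to two checks that can be reproduced offline: Debian's postinst takes what follows the first dot of the hostname as mydomain (the "setting destinations" line shows "localhost.10"), and Postfix's valid_hostname() rejects a name containing no letters ("numeric hostname: 10"). The following is an added example, not code from the role, Molecule or Debian; it approximates those two checks and implements the search/replace on TOX_ENVNAME suggested in the report. The platform name pattern is the one quoted from molecule.yml; the function names are this example's.

```python
"""Reproduce why the Debian postinst rejects the Molecule container name, and
sanitise the name pattern.  Added example; approximates Postfix's
valid_hostname() and Debian's mydomain derivation as seen in the issue."""


def valid_hostname(name):
    """Approximation of Postfix valid_hostname(): LDH labels of 1-63 chars,
    no leading/trailing hyphen or dot, at most 255 chars, and not all-numeric."""
    if not name or len(name) > 255 or ".." in name:
        return False
    for label in name.split("."):
        if (not label or len(label) > 63 or label[0] == "-" or label[-1] == "-"
                or not all(c.isascii() and (c.isalnum() or c == "-") for c in label)):
            return False
    return any(c.isalpha() for c in name)   # otherwise "numeric hostname"


def postinst_mydomain(hostname):
    """What Debian's postinst derives as mydomain: the part after the first dot."""
    _, _, domain = hostname.partition(".")
    return domain


def postinst_would_fail(hostname):
    """The newaliases error the issue shows, or None if the name is acceptable."""
    domain = postinst_mydomain(hostname)
    if domain and not valid_hostname(domain):
        return f"parameter mydomain: bad parameter value: {domain}"
    return None


def molecule_platform_name(image="fedora", tag="latest", tox_envname=""):
    """The molecule.yml name pattern, with dots in TOX_ENVNAME replaced by
    hyphens so that a version such as '2.10' cannot be taken for a domain."""
    return f"postfix-{image}-{tag}{tox_envname.replace('.', '-')}"


if __name__ == "__main__":
    raw = "postfix-debian-latest" + "py39-ansible-2.10"     # what the CI produced
    print(raw, "->", postinst_would_fail(raw))
    safe = molecule_platform_name("debian", "latest", "py39-ansible-2.10")
    print(safe, "->", postinst_would_fail(safe))
```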

Validate configuration before restarting

ISSUE TYPE
  • Bug Report
SUMMARY

The template module has a validate option to verify whether the rendered configuration could work. Implementing this validate option would prevent restarts that cause disruption.

EXPECTED RESULTS

An error in the configuration would let the playbook fail, but let the daemon run normally. This is now done with a restart -> really restart pattern. Less standard.

maildrop_destination_recipient_limit is undocumented in Postfix's documentation.

postfix_maildrop_destination_recipient_limit: 1

# TODO: maildrop_destination_recipient_limit is undocumented in Postfix's documentation.

1a27185156329700975757e7839aae6f5761ed7a

Failing to install - did GitHub change something?

Describe the bug

Hi Robert, I am trying to install your postfix role and I am getting this weird output from Github. I suspect it might be something on my side but what?

Output

$ ansible-galaxy role install robertdebock.postfix
Starting galaxy role install process
- downloading role 'postfix', owned by robertdebock
- downloading role from https://github.com/robertdebock/ansible-role-postfix/archive/5.1.1.tar.gz
 [ERROR]: failed to download the file: HTTP Error 401: Unauthorized
[WARNING]: - robertdebock.postfix was NOT installed successfully.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

Update documentation to give better examples.

ISSUE TYPE
  • Documentation Report
SUMMARY

It would be helpful to show a few use cases in the README.md. For example:

  • Plain usage
  • With spamassassin
  • With ClamAV
  • With both spamassassin and ClamAV

This should be a list.

To accept email from other machines, set the mynetworks to something like
"192.168.0.0/24".
# TODO: This should be a list.

postfix_mydestination: $mydomain, $myhostname, localhost.$mydomain, localhost

# TODO: This should be a list.
# To accept email from other machines, set the mynetworks to something like
# "192.168.0.0/24".
postfix_mynetworks: "127.0.0.0/8"

48b507a25ae026440e471d15e5052310b785a178

postmap is used instead of postalias to rebuild alias db

Describe the bug

This role uses the postmap command in the handler to rebuild the alias database:

cmd: postmap "{{ postfix_alias_path }}"

This command produces warnings in the output/log file (see below).
Instead of postmap, postalias should be used to update the alias database.

Output

Jan  5 15:58:31 CentOS-9-64-minimal postfix/postmap[5583]: warning: /etc/aliases, line 11: record is in "key: value" format; is this an alias file?
Jan  5 15:58:31 CentOS-9-64-minimal postfix/postmap[5583]: warning: /etc/aliases, line 12: record is in "key: value" format; is this an alias file?
Jan  5 15:58:31 CentOS-9-64-minimal postfix/postmap[5583]: warning: /etc/aliases, line 15: record is in "key: value" format; is this an alias file?
Jan  5 15:58:31 CentOS-9-64-minimal postfix/postmap[5583]: warning: /etc/aliases, line 16: record is in "key: value" format; is this an alias file?
...

Environment

  • Control node OS: MacOS
  • Control node Ansible version: ansible [core 2.14.1]
  • Managed node OS: centos-stream-9 (as per the output above), ubuntu-22.04, debian-11, fedora-37, rocky-9

Template for master.cf is not correct

When running ansible:

fatal: [server4]: FAILED! => {"changed": true, "cmd": ["postconf", "-d"], "delta": "0:00:01.011576", "end": "2018-01-09 06:39:40.573341", "failed": true, "msg": "non-zero return code", "rc": 1, "start": "2018-01-09 06:39:39.561765", "stderr": "postconf: fatal: file /etc/postfix/master.cf: line 16: bad field count", "stderr_lines": ["postconf: fatal: file /etc/postfix/master.cf: line 16: bad field count"], "stdout": "", "stdout_lines": []}
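The two reports above describe files the role renders: an alias file that the handler rebuilds with the wrong tool, and a master.cf that postconf rejects with "bad field count". The following is an added example, not code from the role or from either issue: a pre-deploy check that picks postalias for "name: value" alias files and postmap for "key value" lookup tables, and a master.cf parser that reproduces postconf's field-count rule so a broken template fails in CI rather than on the mail server. The function names and all sample file contents are constructed for this illustration.

```python
import re

# aliases(5) records are "name: value"; access(5)/transport(5) tables are "key value".
ALIAS_RECORD = re.compile(r"^[^\s#][^\s:]*:\s*\S")
TABLE_RECORD = re.compile(r"^[^\s#]\S*\s+\S")


def data_lines(text):
    """Yield (lineno, line) for records, skipping blank lines, comments and
    continuation lines (both file types mark those with leading whitespace)."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        yield lineno, line.rstrip()


def rebuild_tool(text: str) -> str:
    """Choose the command a handler should run to rebuild the .db file.
    Running postmap on an alias file is what produces the
    '"key: value" format; is this an alias file?' warnings in the issue."""
    alias = table = 0
    for _, line in data_lines(text):
        if ALIAS_RECORD.match(line):
            alias += 1
        elif TABLE_RECORD.match(line):
            table += 1
    return "postalias" if alias and not table else "postmap"


MASTER_FIELDS = ("service", "type", "private", "unpriv", "chroot",
                 "wakeup", "maxproc", "command")
MASTER_TYPES = {"inet", "unix", "fifo", "pass"}


def check_master_cf(text: str):
    """Parse master.cf into entries and return (entries, errors).
    An entry line needs all 8 fields (the last is the command plus its
    arguments); indented lines such as '-o name=value' continue the
    previous entry, which is how a missing command field becomes
    postconf's 'bad field count'."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if entries:
                entries[-1]["command"] += " " + raw.strip()
            else:
                errors.append(f"line {lineno}: continuation before any entry")
            continue
        parts = raw.split(None, 7)
        if len(parts) < 8:
            errors.append(f"line {lineno}: bad field count")
            continue
        entry = dict(zip(MASTER_FIELDS, parts))
        entry["command"] = entry["command"].strip()
        if entry["type"] not in MASTER_TYPES:
            errors.append(f"line {lineno}: unknown service type {entry['type']!r}")
        entries.append(entry)
    return entries, errors


# Constructed samples (not taken from the role).
SAMPLE_ALIASES = """# /etc/aliases as rendered by the role
postmaster: root
root: [email protected]
"""
SAMPLE_TRANSPORT = """example.com   smtp:[relay.example.com]:587
.example.com  smtp:[relay.example.com]:587
"""
SAMPLE_MASTER_OK = """# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
pickup    unix  n       -       n       60      1       pickup
"""
# Same file with the pickup command field lost, as a template rendering an
# empty variable would produce it.
SAMPLE_MASTER_BAD = """# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
pickup    unix  n       -       n       60      1
"""

if __name__ == "__main__":
    print(rebuild_tool(SAMPLE_ALIASES), rebuild_tool(SAMPLE_TRANSPORT))
    print(check_master_cf(SAMPLE_MASTER_BAD)[1])
```

Running this on the constructed inputs selects postalias for the alias file and postmap for the transport table, and reports "line 6: bad field count" for the broken master.cf, the same line-oriented message postconf gives. On a host with Postfix installed, the authoritative check remains postconf itself; this parser is meant for the control node, where Postfix is usually absent.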

relayhost set incorrectly on RHEL 7

Describe the bug

The replace filter inserts a u character into the relayhost on RHEL 7. RHEL 8 is not affected.
I'm guessing that this is a difference in unicode character handling between Python 2 and 3.

Playbook

I'm using a playbook which sets the postfix_relayhost variable:

---
- hosts: localhost
  become: true
  vars:
    postfix_relayhost: [mail.example.com]
  roles:
    - robertdebock.postfix

This generic playbook demonstrates the issue:

---
- hosts: localhost
  vars:
    unbracketed: mail.example.com
    bracketed: [mail.example.com]
  tasks:
    - name: Old method
      debug:
        msg: "[{{ unbracketed }}]"

    - name: Current method
      debug:
        msg: |-
          {{ bracketed|replace("'", "") }}

Output

RHEL 7:

PLAY [localhost] *****************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************
ok: [localhost]

TASK [Old method] ****************************************************************************************************************************
ok: [localhost] => {
    "msg": "[mail.example.com]"
}

TASK [Current method] ************************************************************************************************************************
ok: [localhost] => {
    "msg": "[umail.example.com]"
}

PLAY RECAP ***********************************************************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

RHEL 8:

PLAY [localhost] *******************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [localhost]

TASK [Old method] ******************************************************************************************************************************
ok: [localhost] => {
    "msg": "[mail.example.com]"
}

TASK [Current method] **************************************************************************************************************************
ok: [localhost] => {
    "msg": "[mail.example.com]"
}

PLAY RECAP *************************************************************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Environment

  • Control node OS: RHEL 7.9
  • Control node Ansible version: 2.9.17
  • Managed node OS: RHEL 7.9
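The reporter's explanation of the stray "u" can be modelled in a few lines. An unquoted `[mail.example.com]` in YAML is a one-element list, Jinja2 renders a list with its repr, and on Python 2 a unicode item prints as `u'...'`, so stripping the quotes leaves the "u" behind. The block below is an added example, not code from the role or the issue: it reproduces that rendering and shows a normalisation that accepts the YAML accident as well as bare, bracketed and "host:port" forms without depending on any repr. Function names are mine; IPv6 literals are assumed to be supplied already bracketed.

```python
from typing import List, Union


def render_current_method(value: Union[str, List[str]], python2: bool = False) -> str:
    """Model of {{ value|replace("'", "") }}: stringify as Jinja2 would,
    then drop single quotes. python2=True mimics the u'...' repr that
    Python 2 uses for unicode strings inside a list."""
    if isinstance(value, list):
        quote = "u'" if python2 else "'"
        rendered = "[" + ", ".join(f"{quote}{item}'" for item in value) + "]"
    else:
        rendered = str(value)
    return rendered.replace("'", "")


def normalize_relayhost(value: Union[str, List[str]]) -> str:
    """Accept a bare host, "host:port", an already bracketed "[host]" or
    "[host]:port", or a one-element list (the unquoted-YAML case), and
    return the bracketed form that tells Postfix to skip the MX lookup."""
    if isinstance(value, list):
        if len(value) != 1:
            raise ValueError("relayhost must name exactly one host")
        value = value[0]
    value = str(value).strip()
    if not value:
        return ""                      # empty relayhost means direct delivery
    if value.startswith("["):
        return value                   # already bracketed, with or without :port
    host, _, port = value.partition(":")
    return f"[{host}]:{port}" if port else f"[{host}]"


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's playbook.
    print(render_current_method(["mail.example.com"], python2=True))   # the RHEL 7 symptom
    print(render_current_method(["mail.example.com"]))                 # the RHEL 8 output
    print(normalize_relayhost(["mail.example.com"]))
```

The simplest fix on the playbook side is the one the converge example at the top of this page already uses: quote the value (`postfix_relayhost: "[relay.example.com]"`) so YAML hands the role a string rather than a list.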

Please consider sponsoring me.

maildrop_destination_recipient_limit is undocumented in Postfix's documentation.

postfix_maildrop_destination_recipient_limit: 1

# TODO: maildrop_destination_recipient_limit is undocumented in Postfix's documentation.

# Lookup tables with the per-recipient group ID for virtual(8) mailbox delivery.
# postfix_virtual_gid_maps: "static:2000"

# Enable SASL authentication in the Postfix SMTP server.
# postfix_smtpd_sasl_auth_enable: yes

# The name of the Postfix SMTP server's local SASL authentication realm.
# postfix_smtpd_sasl_local_domain: $myhostname

# Postfix SMTP server SASL security options; as of Postfix 2.3 the list of available features depends on the SASL server implementation that is selected with smtpd_sasl_type.
# postfix_smtpd_sasl_security_options: noanonymous

# Report the SASL authenticated user name in the smtpd(8) Received message header.
# postfix_smtpd_sasl_authenticated_header: yes

# Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954).
# postfix_broken_sasl_auth_clients: no

# A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates.
# postfix_smtpd_tls_CAfile: /etc/letsencrypt/live/smtp.syhosting.ch/chain.pem

# File with the Postfix SMTP server RSA certificate in PEM format.
# postfix_smtpd_tls_cert_file: /etc/letsencrypt/live/smtp.syhosting.ch/cert.pem

# File with the Postfix SMTP server RSA private key in PEM format.
# postfix_smtpd_tls_key_file: /etc/letsencrypt/live/smtp.syhosting.ch/privkey.pem

# Request that the Postfix SMTP server produces Received: message headers that include information about the protocol and cipher used, as well as the remote SMTP client CommonName and client certificate issuer CommonName.
# postfix_smtpd_tls_received_header: yes

# The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
# postfix_smtpd_tls_security_level: may

# Ask a remote SMTP client for a client certificate.
# postfix_smtpd_tls_ask_ccert: yes

# Enable additional Postfix SMTP server logging of TLS activity.
# postfix_smtpd_tls_loglevel: 1

# Name of the file containing the optional Postfix SMTP server TLS session cache.
# postfix_smtpd_tls_session_cache_database: btree:/var/lib/postfix/smtpd_tls_session_cache

# A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates.
# postfix_smtp_tls_CAfile: /etc/letsencrypt/live/smtp.syhosting.ch/chain.pem

# File with the Postfix SMTP client RSA certificate in PEM format.
# postfix_smtp_tls_cert_file: /etc/letsencrypt/live/smtp.syhosting.ch/cert.pem

# File with the Postfix SMTP client RSA private key in PEM format.
# postfix_smtp_tls_key_file: /etc/letsencrypt/live/smtp.syhosting.ch/privkey.pem

# Name of the file containing the optional Postfix SMTP client TLS session cache.
# postfix_smtp_tls_session_cache_database: btree:/var/lib/postfix/smtp_tls_session_cache

# The external entropy source for the in-memory tlsmgr(8) pseudo random number generator (PRNG) pool.
# postfix_tls_random_source: dev:/dev/urandom

# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
# postfix_smtpd_tls_mandatory_protocols: TLSv1

# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
# postfix_smtp_tls_mandatory_protocols: TLSv1

# The default mail delivery transport and next-hop destination for final delivery to domains listed with $virtual_mailbox_domains.
# postfix_virtual_transport: maildrop1

# TODO: maildrop_destination_recipient_limit is undocumented in Postfix's documentation.
# postfix_maildrop_destination_recipient_limit: 1

# Optional pathname of a mailbox file relative to a local(8) user's home directory.
# postfix_home_mailbox: Maildir/

# The maximal size in bytes of a message, including envelope information.
# postfix_message_size_limit: 10240000

# Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.
# postfix_smtpd_helo_required: no

# The time unit over which client connection rates and other rates are calculated.
# postfix_anvil_rate_time_unit: 60s

# The maximal number of connection attempts any client is allowed to make to this service per time unit.
# postfix_smtpd_client_connection_rate_limit: 10

# How many simultaneous connections any client is allowed to make to this service.
# postfix_smtpd_client_connection_count_limit: 10

# Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the bounce_queue_lifetime limit.
# postfix_bounce_queue_lifetime: 5d

# The location of Postfix README files that describe how to build, configure or operate a specific Postfix subsystem or feature.
# postfix_readme_directory: /usr/share/doc/postfix

# The location of Postfix HTML files that describe how to build, configure or operate a specific Postfix subsystem or feature.
# postfix_html_directory: /usr/share/doc/postfix/html
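The commented-out TLS and SASL variables above carry the values a reviewer should look at twice: both `*_tls_mandatory_protocols` examples read `TLSv1`, and enabling `smtpd_sasl_auth_enable` without a TLS security level or `noplaintext` lets AUTH credentials cross the wire unencrypted. The following is an added example, not part of the role: an audit over a dict of these role variables that flags the legacy protocol values and the cleartext or anonymous SASL cases, with the shipped values beside a hardened set. The protocol-list parser is a simplified model of Postfix's syntax (exclusion lists with `!`, inclusion lists, and the `>=TLSv1.2` form of newer releases); the variable names are the role's, the two sample dicts are constructed.

```python
import re

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(spec: str) -> set:
    """Expand a *_tls_mandatory_protocols value to the protocols it enables.
    Simplified model: "!X, !Y" excludes from the full set, a list without
    "!" is an inclusion list, ">=TLSv1.2" enables that version and above."""
    items = [i for i in re.split(r"[,\s]+", spec.strip()) if i]
    if not items:
        return set(PROTOCOLS)          # unset: treat as "anything" for the audit
    if len(items) == 1 and items[0].startswith(">="):
        return set(PROTOCOLS[PROTOCOLS.index(items[0][2:]):])
    excluded = {i[1:] for i in items if i.startswith("!")}
    included = {i for i in items if not i.startswith("!")}
    base = included if included else set(PROTOCOLS)
    return base - excluded


def truthy(value) -> bool:
    return str(value).strip().lower() in {"yes", "true", "on", "1"}


def audit_tls_sasl(cfg: dict) -> list:
    """Return (variable, finding) tuples; an empty list means nothing flagged."""
    findings = []
    for var in ("postfix_smtpd_tls_mandatory_protocols",
                "postfix_smtp_tls_mandatory_protocols"):
        weak = enabled_protocols(str(cfg.get(var, ""))) & LEGACY
        if weak:
            findings.append((var, "legacy protocols enabled: " + ", ".join(sorted(weak))))
    if truthy(cfg.get("postfix_smtpd_sasl_auth_enable", "no")):
        level = str(cfg.get("postfix_smtpd_tls_security_level", "")).strip()
        opts = {o.strip() for o in
                str(cfg.get("postfix_smtpd_sasl_security_options", "")).split(",")
                if o.strip()}
        if level in ("", "none"):
            findings.append(("postfix_smtpd_tls_security_level",
                             "SASL AUTH offered without TLS; credentials can be sent in cleartext"))
        if "noanonymous" not in opts:
            findings.append(("postfix_smtpd_sasl_security_options",
                             "anonymous SASL mechanisms not excluded"))
        if "noplaintext" not in opts and level != "encrypt":
            findings.append(("postfix_smtpd_sasl_security_options",
                             "plaintext mechanisms allowed outside an enforced TLS session"))
    return findings


# Constructed: the commented values from the defaults, with SASL switched on.
AS_SHIPPED = {
    "postfix_smtpd_sasl_auth_enable": "yes",
    "postfix_smtpd_sasl_security_options": "noanonymous",
    "postfix_smtpd_tls_mandatory_protocols": "TLSv1",
    "postfix_smtp_tls_mandatory_protocols": "TLSv1",
}
# Constructed: a hardened set for a submission host that only serves
# authenticated clients (a public MX on port 25 keeps "may" for inbound mail).
HARDENED = {
    "postfix_smtpd_sasl_auth_enable": "yes",
    "postfix_smtpd_sasl_security_options": "noanonymous, noplaintext",
    "postfix_smtpd_tls_security_level": "encrypt",
    "postfix_smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1",
    "postfix_smtp_tls_mandatory_protocols": ">=TLSv1.2",
}

if __name__ == "__main__":
    for var, finding in audit_tls_sasl(AS_SHIPPED):
        print(f"{var}: {finding}")
    print("hardened findings:", audit_tls_sasl(HARDENED))
```

Two caveats when reading the output. The `*_mandatory_protocols` parameters only govern sessions where TLS is enforced; opportunistic sessions are governed by `smtpd_tls_protocols` and `smtp_tls_protocols`, which the defaults above do not list, so a full review covers those as well. And on a host that must keep `smtpd_tls_security_level = may` for port 25, the usual way to allow PLAIN/LOGIN only inside TLS is Postfix's `smtpd_sasl_tls_security_options`, which the role does not expose here either.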
ndex a37e177..c39b868 100644
++ b/tasks/assert.yml

ee7d9bb144fd31353cb71f1ea3496b2425f744b7
