theel0ja / ansible-postfix Goto Github PK

Set up a postfix server in Debian-like systems.

None

• postfix_install [default: [postfix, mailutils, libsasl2-2, sasl2-bin, libsasl2-modules]]: Packages to install
• postfix_hostname [default: {{ ansible_fqdn }}]: Host name, used for myhostname and in mydestination
• postfix_mailname [default: {{ ansible_fqdn }}]: Mail name (in /etc/mailname), used for myorigin
• postfix_aliases [default: []]: Aliases to ensure present in /etc/aliases
• postfix_virtual_aliases [default: []]: Virtual aliases to ensure present in /etc/postfix/virtual
• postfix_sender_canonical_maps [default: []]: Sender address rewriting in /etc/postfix/sender_canonical_maps (see)
• postfix_recipient_canonical_maps [default: []]: Recipient address rewriting in /etc/postfix/recipient_canonical_maps (see)
• postfix_transport_maps [default: []]: Transport mapping based on recipient address /etc/postfix/transport_maps (see)
• postfix_sender_dependent_relayhost_maps [default: []]: Transport mapping based on sender address /etc/postfix/sender_dependent_relayhost_maps (see)
• postfix_header_checks [default: []]: Lookup tables for content inspection of primary non-MIME message headers /etc/postfix/header_checks (see)
• postfix_generic: [default: []]: Generic table address mapping in /etc/postfix/generic (see)
• postfix_mydestination [default: ["{{ postfix_hostname }}", 'localdomain', 'localhost', 'localhost.localdomain']]: Specifies what domains this machine will deliver locally, instead of forwarding to another machine
• postfix_mynetworks [default: ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']]: The list of "trusted" remote SMTP clients that have more privileges than "strangers"
• postfix_inet_interfaces [default: all]: Network interfaces to bind (see)
• postfix_inet_protocols [default: all]: The Internet protocols Postfix will attempt to use when making or accepting connections (see)
• postfix_sasl_auth_enable [default: true]: Enable SASL authentication in the SMTP client
• postfix_relayhost [default: false (no relay host)]: Hostname to relay all email to
• postfix_relayhost_mxlookup [default: false (not using mx lookup)]: Lookup for MX record instead of A record for relayhost
• postfix_relayhost_port [default: 587]: Relay port (on postfix_relayhost, if set)
• postfix_smtpd_relay_restrictions [optional]: List of access restrictions for mail relay control (see)
• postfix_sasl_security_options [default: noanonymous]: SMTP client SASL security options
• postfix_sasl_mechanism_filter [default: '']: SMTP client SASL authentication mechanism filter (see)
• postfix_relaytls [default: false]: Use TLS when sending with a relay host
• postfix_smtp_tls_cafile [optional]: A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates (e.g. /etc/ssl/certs/ca-certificates.crt)
• postfix_sasl_user [default: postmaster@{{ ansible_domain }}]: SASL relay username
• postfix_sasl_password [default: k8+haga4@#pR]: SASL relay password Make sure to change!
• postfix_smtpd_banner [default: $myhostname ESMTP $mail_name (Ubuntu)]: Greeting banner You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
• postfix_disable_vrfy_command [default: false]: Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses
• postfix_message_size_limit [default: 10240000]: The maximal size in bytes of a message, including envelope information
• postifx_header_checks_database_type [default: regexp]: The database type for use in header_checks
• postfix_default_database_type [default: hash]: The default database type for use in newaliases, postalias and postmap commands
• postfix_smtpd_tls_cert_file [default: /etc/ssl/certs/ssl-cert-snakeoil.pem]: Path to certificate file
• postfix_smtpd_tls_key_file [default: /etc/ssl/certs/ssl-cert-snakeoil.key]: Path to key file
• postfix_raw_options [default: []]: List of lines (to pass extra (unsupported) configuration)

• debconf
• debconf-utils

A simple example that doesn't use SASL relaying:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: [email protected]

A simple example with virtual aliases for mail forwarding that doesn't use SASL relaying:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_mydestination:
      - "{{ postfix_hostname }}"
      - '$mydomain'
      - localdomain
      - localhost
      - localhost.localdomain
    postfix_virtual_aliases:
      - virtual: [email protected]
        alias: [email protected]
      - virtual: [email protected]
        alias: [email protected], [email protected]

A simple example that rewrites the sender address:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_sender_canonical_maps:
      - sender: root
        rewrite: [email protected]

Provide the relay host name if you want to enable relaying:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: [email protected]
    postfix_relayhost: mail.yourdomain.org

Provide the relay domain name and use MX records if you want to enable relaying to DNS MX records of a domain:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: [email protected]
    postfix_relayhost: yourdomain.org
    postfix_relayhost_mxlookup: true

Conditional relaying:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_transport_maps:
      - pattern: '[email protected]'
        result: ':'
      - pattern: '*'
        result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"
    postfix_sender_dependent_relayhost_maps:
      - pattern: '[email protected]'
        result: 'DUNNO'
      - pattern: '[email protected]'
        result: 'DUNNO'
      - pattern: '*'
        result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"

For AWS SES support:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: [email protected]
    postfix_relayhost: email-smtp.us-east-1.amazonaws.com
    postfix_relaytls: true
    # AWS IAM SES credentials (not access key):
    postfix_sasl_user: AKIXXXXXXXXXXXXXXXXX
    postfix_sasl_password: ASDFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

For MailHog support:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: [email protected]
    postfix_relayhost: "{{ ansible_lo['ipv4']['address'] }}"
    postfix_relayhost_port: 1025
    postfix_sasl_auth_enable: false

For Gmail support:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: [email protected]
    postfix_relayhost: smtp.gmail.com
    postfix_relaytls: true
    postfix_smtp_tls_cafile: /etc/ssl/certs/ca-certificates.crt
    postfix_sasl_user: 'foo'
    postfix_sasl_password: 'bar'

If you configure your Google account for extra security to use the 2-step verification, then postfix won't send out emails anymore and you might notice error messages in the /var/log/mail.log file

To fix this issue, you need to visit the (Authorizing applications & sites) page under your Google Account settings. On this page enter the name of the application to be authorized (Postfix) and click on Generate button. Set the postfix_sasl_password variable with the password generated by this page.

A simple example that shows how to add some raw config:

---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_raw_options:
      - |
        milter_default_action = accept
        milter_protocol = 6
        smtpd_milters = unix:opendkim/opendkim.sock unix:opendmarc/opendmarc.sock unix:spamass/spamass.sock unix:clamav/clamav-milter.ctl
        milter_connect_macros = "i j {daemon_name} v {if_name} _"
        policyd-spf_time_limit = 3600

MIT

Mischa ter Smitten

Are welcome!