author | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-04-06 19:53:25 +0100 |
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-04-06 19:53:25 +0100 |
commit | a5105a330af202e5880c004d7c997882cdb96681 (patch) | |
tree | 70fb2bc74668470b90b10816836b4b3d72380993 | |
parent | 8cce1ff3e54c89dbfb80851cf51dfbb7232f2d76 (diff) | |
Add postfix role
-rw-r--r-- | roles/postfix/files/body_checks | 6 | ||||
-rw-r--r-- | roles/postfix/files/main.cf | 337 | ||||
-rw-r--r-- | roles/postfix/files/postfix.sh | 3 | ||||
-rw-r--r-- | roles/postfix/files/sender_access | 6 | ||||
-rw-r--r-- | roles/postfix/files/virtual | 18 | ||||
-rw-r--r-- | roles/postfix/handlers/main.yml | 12 | ||||
-rw-r--r-- | roles/postfix/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/postfix/tasks/main.yml | 57 |
8 files changed, 443 insertions, 0 deletions
diff --git a/roles/postfix/files/body_checks b/roles/postfix/files/body_checks
new file mode 100644
index 0000000..9aafaac
--- /dev/null
+++ b/roles/postfix/files/body_checks
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+39333137373439626266366132623033656133333661633661663939353230363764363737373439
+3566663537353463363233643061363131353232616336610a366262626565353565303138643834
+36313863666331376632313430336435633732393464386664353630623438313231383364303730
+3934353161393738630a616431343966666565636134343330343337313861386634626137336538
+66663536326663613231663861663361303635646231626231343935396564633637
diff --git a/roles/postfix/files/main.cf b/roles/postfix/files/main.cf
new file mode 100644
index 0000000..1292a8d
--- /dev/null
+++ b/roles/postfix/files/main.cf
@@ -0,0 +1,337 @@
+# COMPATIBILITY
+#
+# The compatibility_level determines what default settings Postfix
+# will use for main.cf and master.cf settings. These defaults will
+# change over time.
+#
+# To avoid breaking things, Postfix will use backwards-compatible
+# default settings and log where it uses those old backwards-compatible
+# default settings, until the system administrator has determined
+# if any backwards-compatible default settings need to be made
+# permanent in main.cf or master.cf.
+#
+# When this review is complete, update the compatibility_level setting
+# below as recommended in the RELEASE_NOTES file.
+#
+# The level below is what should be used with new (not upgrade) installs.
+#
+compatibility_level = 3.8
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+queue_directory = /var/spool/postfix
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+command_directory = /usr/bin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+daemon_directory = /usr/lib/postfix/bin
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+data_directory = /var/lib/postfix
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes. Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+mail_owner = postfix
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+
+# TRUST AND RELAY CONTROL
+#
+# The SASL plug-in type that the Postfix SMTP server should use for
+# authentication. The available types are listed with the "postconf -a"
+# command.
+#
+# The default setting is cyrus.
+smtpd_sasl_type = dovecot
+
+# Implementation-specific information that the Postfix SMTP server
+# passes through to the SASL plug-in implementation that is selected
+# with smtpd_sasl_type. Typically this specifies the name of a
+# configuration file or rendezvous point.
+#
+# The default setting is smtpd.
+smtpd_sasl_path = private/auth
+
+# Enable SASL authentication in the Postfix SMTP server. By default, the
+# Postfix SMTP server does not use authentication.
+#
+# The default setting is no.
+smtpd_sasl_auth_enable = yes
+
+# Enable interoperability with remote SMTP clients that implement an
+# obsolete version of the AUTH command (RFC 4954). Examples of such
+# clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange
+# version 5.0.
+#
+# The default setting is no.
+broken_sasl_auth_clients = yes
+
+# Report the SASL authenticated user name in the smtpd(8) Received
+# message header.
+#
+# The default setting is no.
+smtpd_sasl_authenticated_header = yes
+
+# Optional restrictions that the Postfix SMTP server applies in the
+# context of a client RCPT TO command, after smtpd_relay_restrictions.
+# See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
+# restriction lists" for a discussion of evaluation context and time.
+#
+# For defualts see `postconf -d` output.
+smtpd_recipient_restrictions = permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_invalid_hostname,
+    reject_non_fqdn_hostname,
+    reject_non_fqdn_sender,
+    reject_non_fqdn_recipient,
+    reject_unknown_sender_domain,
+    reject_unknown_recipient_domain,
+    reject_unauth_destination,
+    reject_rbl_client sbl.spamhaus.org,
+    reject_rbl_client cbl.abuseat.org,
+    reject_rbl_client dul.dnsbl.sorbs.net,
+    reject_rbl_client bl.spamcop.net,
+    check_sender_access pcre:/etc/postfix/sender_access
+
+# Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
+# but do not require that clients use TLS encryption.
+# The default setting is no.
+smtpd_use_tls = yes
+
+# File with the Postfix SMTP server RSA certificate in PEM format. This
+# file may also contain the Postfix SMTP server private RSA key.
+#
+# The default setting is empty.
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ilvokhin.com/fullchain.pem
+
+# File with the Postfix SMTP server RSA private key in PEM format.
+#
+# The default setting is $smtpd_tls_cert_file.
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.ilvokhin.com/privkey.pem
+
+# The default SMTP TLS security level for the Postfix SMTP client.
+#
+# The default setting is empty.
+smtp_tls_security_level = may
+
+# The lookup tables that the proxymap(8) server is allowed to access for
+# the read-only service.
+#
+# For defualts see `postconf -d` output.
+proxy_read_maps = $local_recipient_maps
+    $mydestination
+    $virtual_alias_maps
+    $virtual_alias_domains
+    $virtual_mailbox_maps
+    $virtual_mailbox_domains
+    $relay_recipient_maps
+    $relay_domains
+    $canonical_maps
+    $sender_canonical_maps
+    $recipient_canonical_maps
+    $relocated_maps
+    $transport_maps
+    $mynetworks
+
+# Milter settings are here fro DKIM support.
+#
+# A list of Milter (mail filter) applications for new mail that arrives
+# via the Postfix smtpd(8) server. Specify space or comma as separator.
+# See the MILTER_README document for details.
+#
+# The default setting is empty.
+smtpd_milters = inet:localhost:8891
+
+# A list of Milter (mail filter) applications for new mail that does not
+# arrive via the Postfix smtpd(8) server.
+#
+# The default setting is empty.
+non_smtpd_milters = $smtpd_milters
+
+# The default action when a Milter (mail filter) response is unavailable
+# (for example, bad Postfix configuration or Milter failure).
+#
+# The default value is tempfail.
+milter_default_action = accept
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+#
+# Postfix is the final destination for the specified list of domains;
+# mail is delivered via the $virtual_transport mail delivery transport.
+#
+# The default setting is $virtual_mailbox_maps.
+virtual_mailbox_domains = ilvokhin.com
+
+# A prefix that the virtual(8) delivery agent prepends to all pathname
+# results from $virtual_mailbox_maps table lookups.
+#
+# The default setting is empty.
+virtual_mailbox_base = /var/mail
+
+# Optional lookup tables with aliases that apply to all recipients:
+# local(8), virtual, and remote; this is unlike alias_maps that apply
+# only to local(8) recipients.
+#
+# The default setting is $virtual_maps.
+virtual_alias_maps = hash:/etc/postfix/virtual
+
+# The default mail delivery transport and next-hop destination for final
+# delivery to domains listed with $virtual_mailbox_domains. This
+# information can be overruled with the transport(5) table.
+#
+# The default setting is virtual.
+virtual_transport = dovecot
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+#
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible. Use
+# "postfix reload" to eliminate the delay.
+
+# Optional lookup tables with aliases that apply only to local(8) recipients
+#
+# For defualts see `postconf -d` output.
+alias_maps = hash:/etc/postfix/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi". This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+# For defualts see `postconf -d` output.
+alias_database = $alias_maps
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+recipient_delimiter = +
+
+# JUNK MAIL CONTROLS
+#
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+body_checks = pcre:/etc/postfix/body_checks
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+    ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/bin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# mailq_path: The full pathname of the Postfix mailq command. This
+# is the Sendmail-compatible mail queue listing command.
+#
+mailq_path = /usr/bin/mailq
+
+# setgid_group: The group for mail submission and queue management
+# commands. This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /etc/postfix
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix
+inet_protocols = ipv4
+shlib_directory = /usr/lib/postfix
+meta_directory = /etc/postfix
diff --git a/roles/postfix/files/postfix.sh b/roles/postfix/files/postfix.sh
new file mode 100644
index 0000000..4a9a37e
--- /dev/null
+++ b/roles/postfix/files/postfix.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+systemctl reload postfix
diff --git a/roles/postfix/files/sender_access b/roles/postfix/files/sender_access
new file mode 100644
index 0000000..17976c5
--- /dev/null
+++ b/roles/postfix/files/sender_access
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+32373637623231396238363731306131383963396633396337373366373166306265616163356537
+6266653964306537316165306430386564343362383665630a326636373265633737326664643263
+61626365613665326233313961356263363931336166313162313439353137663861656334616130
+6430356536336538660a656439346666343237326266356463656231663266356233666133663634
+3763
diff --git a/roles/postfix/files/virtual b/roles/postfix/files/virtual
new file mode 100644
index 0000000..c35fd66
--- /dev/null
+++ b/roles/postfix/files/virtual
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+37613838336530373762663864656334356239303133336235303936616364643266383532613865
+3637636132653166633837623732663435373761306665620a373539343865363035666331366436
+30326439316236623037376464333162303237646662653063633465613036346237383463643434
+6164366130343539620a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
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..62be72c
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
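Review bot: SASL is switched on with `smtpd_sasl_auth_enable = yes` while TLS is only opportunistic through the obsolete `smtpd_use_tls = yes`, and nothing stops a client from sending AUTH on a plaintext session, so credentials can cross the wire in the clear on every smtpd instance that inherits this main.cf (master.cf is not part of the change, so a per-service override cannot be confirmed). Use the current parameter and require encryption before authentication: `smtpd_tls_security_level = may` followed by `smtpd_tls_auth_only = yes`. `milter_default_action = accept` fails open — if the OpenDKIM milter on localhost:8891 is unavailable, mail is accepted and delivered unsigned and unverified instead of being tempfailed; if that trade-off is intended, say so in the comment above it, otherwise leave the default. `reject_invalid_hostname` and `reject_non_fqdn_hostname` are the legacy spellings of `reject_invalid_helo_hostname` and `reject_non_fqdn_helo_hostname`; the comment typo `defualts` appears three times in this hunk.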
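Review bot: The deploy hook reloads Postfix for every lineage certbot renews, not only the mail certificate, and the reload's exit status is not checked. Certbot exports `RENEWED_LINEAGE` to deploy hooks, so the reload can be limited to the certificate main.cf actually uses: `case "$RENEWED_LINEAGE" in */mail.ilvokhin.com) exec systemctl reload postfix ;; esac`. A one-line header comment naming where the script is installed and which certificate it serves would help the next reader, since the path only appears in the tasks file.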
@@ -0,0 +1,12 @@
+- name: Reload postfix
+  ansible.builtin.service:
+    name: postfix
+    state: reloaded
+
+- name: Check postfix
+  ansible.builtin.command: postfix check
+
+- name: Update postfix lookup tables
+  ansible.builtin.command: postmap {{ item }}
+  with_items:
+    - /etc/postfix/virtual
diff --git a/roles/postfix/meta/main.yml b/roles/postfix/meta/main.yml
new file mode 100644
index 0000000..d65d517
--- /dev/null
+++ b/roles/postfix/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+  - role: certmail
+  - role: opendkim
+  - role: dovecot
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..63a760d
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,57 @@
+- name: Install postfix
+  ansible.builtin.package:
+    name:
+      - postfix
+      - postfix-pcre
+    state: present
+
+- name: Copy postfix lookup tables
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: /etc/postfix/
+    owner: root
+    group: root
+    mode: u+rw,g+r,o+r
+  loop:
+    - files/virtual
+  notify:
+    - Update postfix lookup tables
+    - Reload postfix
+
+- name: Copy postfix additional restriction files
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: /etc/postfix/
+    owner: root
+    group: root
+    mode: u+rw,g+r,o+r
+  loop:
+    - files/sender_access
+    - files/body_checks
+  notify:
+    - Reload postfix
+
+- name: Configure postfix
+  ansible.builtin.copy:
+    src: files/main.cf
+    dest: /etc/postfix/main.cf
+    owner: root
+    group: root
+    mode: u+rw,g+r,o+r
+  notify:
+    - Check postfix
+    - Reload postfix
+
+- name: Copy postfix certificate renewal hook
+  ansible.builtin.copy:
+    src: files/postfix.sh
+    dest: /etc/letsencrypt/renewal-hooks/deploy/postfix.sh
+    owner: root
+    group: root
+    mode: u+rwx,g+r,o+r
+
+- name: Enable postfix systemd service
+  ansible.builtin.service:
+    name: postfix
+    enabled: yes
+    state: started |
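Review bot: Ansible runs handlers in the order they are defined in this file, not the order they are notified, so `Reload postfix` fires before `Check postfix` and before `Update postfix lookup tables`: a rebuilt virtual.db is only picked up by the following reload, and a faulty main.cf is handed to the running service before `postfix check` gets to report it. Define the handlers as check, then postmap, then reload. Both `command` handlers also report `changed` on every run; `changed_when: false` on `Check postfix` keeps the play output honest, and a comment that `sender_access` and `body_checks` are `pcre:` tables and therefore need no `postmap` would explain why only `/etc/postfix/virtual` is listed.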
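Review bot: The symbolic `mode: u+rw,g+r,o+r` on the four copy tasks only adds bits, so a file that already exists in /etc/postfix with extra permissions (group- or world-writable main.cf, an executable lookup table) keeps them after the role runs; an absolute mode states the intended permissions and clears stray bits, e.g. `mode: '0644'` for the tables and main.cf and `mode: '0755'` for the renewal hook. `virtual`, `sender_access` and `body_checks` are vault-encrypted in the repository but land on the host as world-readable files, which is what Postfix expects for lookup tables; a short comment on the first copy task saying that the vault protects only the repository copy would stop a later reader from assuming they stay confidential on disk.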