diff --git a/docs/email.md b/docs/email.md index 2a1345d5dc4637c3679185d93b90b839eaa279b7..0333ae0ced84a82b4fddf852d584eebaab75b2eb 100644 --- a/docs/email.md +++ b/docs/email.md @@ -31,14 +31,14 @@ to the server. This gives us several benefits: When a new host is provisioned: -- The *postfix* role has a task delegated to 'mail.archlinux.org' to create a local user +- The *postfix_null* role has a task delegated to 'mail.archlinux.org' to create a local user on 'mail.archlinux.org' that is used for the new server to authenticate against. The user name is the shortname of the new servers hostname (ie, "foobar.archlinux.org" will authenticate with the username "foobar") - You will need to run the *postfwd* role against mail.archlinux.org to update the rate-limiting it performs (servers are given higher rate-limits than normal users - see `/etc/postfwd/postfwd.cf` for exact limits). This *should* - happen automatically as the *postfwd* role is a dependency of the *postfix* + happen automatically as the *postfwd* role is a dependency of the *postfix_null* role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target host that the postfix role is being run on) diff --git a/playbooks/archlinux.org.yml b/playbooks/archlinux.org.yml index 95520c51aa65c6520253ed6ee1d87219aa9e601b..6302c0c473b4ec1f0ff2fcdc407674fe1a029ce1 100644 --- a/playbooks/archlinux.org.yml +++ b/playbooks/archlinux.org.yml @@ -27,7 +27,7 @@ - { role: borg_client, tags: ["borg"] } - { role: certbot } - { role: nginx } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - role: postgres postgres_listen_addresses: "*" postgres_ssl: 'on' diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index 92b106adcae6196f96dc72fb824ccaae19502abc..b8ce7befc4da8cebf1e7c80b254dddfd04d749c5 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml 
@@ -16,7 +16,7 @@ - { role: memcached } - { role: uwsgi } - { role: borg_client, tags: ["borg"] } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: fail2ban } - { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' } - { role: prometheus_exporters } diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml index 528e95d0baf0e8879c452054c4ef930b2caed7c6..bcac512493986714e3d9ecb61fb4a3afce539ebd 100644 --- a/playbooks/aur.archlinux.org.yml +++ b/playbooks/aur.archlinux.org.yml @@ -18,7 +18,7 @@ - { role: memcached } - { role: uwsgi } - { role: borg_client, tags: ["borg"] } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: fail2ban } - { role: aurweb } - { role: wireguard } diff --git a/playbooks/bbs.archlinux.org.yml b/playbooks/bbs.archlinux.org.yml index f2d22821f0b705030c6d4fba3e7aa8d80c090e7d..a33071752bea48a7e3c6ebf9b4a8bd60d5b403c9 100644 --- a/playbooks/bbs.archlinux.org.yml +++ b/playbooks/bbs.archlinux.org.yml @@ -15,7 +15,7 @@ - { role: php_fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'] } - { role: fluxbb } - { role: borg_client, tags: ["borg"] } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: fail2ban } - { role: prometheus_exporters } - { role: promtail } diff --git a/playbooks/bugs.archlinux.org.yml b/playbooks/bugs.archlinux.org.yml index ad359f9cb5c6fa4b228b7f5817275430f6014fb2..fc82b29b75b692c74d4f852d809f6e607bc54d01 100644 --- a/playbooks/bugs.archlinux.org.yml +++ b/playbooks/bugs.archlinux.org.yml @@ -15,7 +15,7 @@ - { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] } - { role: flyspray } - { role: borg_client, tags: ["borg"] } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: fail2ban } - { role: prometheus_exporters } - { role: promtail } 
diff --git a/playbooks/gemini.archlinux.org.yml b/playbooks/gemini.archlinux.org.yml index 51e9574dcdb92a82a0769e4a1793235aa9f2492a..13a94511b9798d5f46a427074573c972080367cc 100644 --- a/playbooks/gemini.archlinux.org.yml +++ b/playbooks/gemini.archlinux.org.yml @@ -24,7 +24,7 @@ - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" } - { role: archive } - { role: archive_web } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: fail2ban } - { role: prometheus_exporters } - { role: promtail } diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml index ee4dbc35f8096fe694eeb0b39bd071e74ece3bad..36cad509c681de29299ec38eb23c86ed08f42cf8 100644 --- a/playbooks/mail.archlinux.org.yml +++ b/playbooks/mail.archlinux.org.yml @@ -10,7 +10,7 @@ - { role: certbot } - { role: nginx } - { role: mta_sts } - - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] } + - { role: postfix, tags: ['mail'] } - { role: dovecot } - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] } - { role: unbound, unbound_port: 5353, tags: ["mail"] } diff --git a/playbooks/matrix.archlinux.org.yml b/playbooks/matrix.archlinux.org.yml index 84cf39189c1fd6442dfa3c7c65acdac442b9b7a0..3c92d9e015a448333d87edfbed479c239511e3e3 100644 --- a/playbooks/matrix.archlinux.org.yml +++ b/playbooks/matrix.archlinux.org.yml @@ -19,8 +19,7 @@ postgres_maintenance_work_mem: 256MB postgres_effective_cache_size: 4GB postgres_jit: 'off' - - role: postfix - postfix_relayhost: "mail.archlinux.org" + - { role: postfix_null } - { role: matrix } - { role: fail2ban } - { role: prometheus_exporters } diff --git a/playbooks/security.archlinux.org.yml b/playbooks/security.archlinux.org.yml index 3a7619d7a76f32e5b9af307f9825a01cd47ba80e..39821cef42bcba37022d148ab5c3fcee08d31981 100644 --- a/playbooks/security.archlinux.org.yml +++ b/playbooks/security.archlinux.org.yml 
@@ -11,7 +11,7 @@ - { role: borg_client, tags: ["borg"] } - { role: certbot } - { role: nginx } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: sudo } - { role: uwsgi } - role: security_tracker diff --git a/playbooks/wiki.archlinux.org.yml b/playbooks/wiki.archlinux.org.yml index 4f062147c6c76820a8b9762d1a7aa56c69903964..00ac565e9d0bafead638779a2a620e4f2541fefd 100644 --- a/playbooks/wiki.archlinux.org.yml +++ b/playbooks/wiki.archlinux.org.yml @@ -13,7 +13,7 @@ - { role: borg_client, tags: ["borg"] } - { role: certbot } - { role: nginx } - - { role: postfix, postfix_relayhost: "mail.archlinux.org" } + - { role: postfix_null } - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true } - { role: sudo } - { role: php7_fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'sockets', 'zip'], zend_extensions: ['opcache'] } diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml index c77f03f7cab42b293f6da0198f5099a0bf8619e5..113f462403b9f097a436529c95f8288a112a5139 100644 --- a/roles/postfix/defaults/main.yml +++ b/roles/postfix/defaults/main.yml @@ -1,15 +1,11 @@ --- -postfix_smtpd_public: false -postfix_server: false postfix_patchwork_enabled: false postfix_patchwork_user: "patchwork" postfix_patchwork_mail_handler: "/usr/local/bin/patchwork-parsemail-wrapper.sh" mail_domain: "mail.archlinux.org" -postfix_relayhost: "" - postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl" postfix_wiki_bounce_user: "wiki_bouncehandler" postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf" diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml index ea8be353a62edc47b4cf227a58ed41239265f4e8..1a5c81e0749c084bbea36a69faabcb895cb68208 100644 --- a/roles/postfix/handlers/main.yml +++ b/roles/postfix/handlers/main.yml 
@@ -23,6 +23,3 @@ - name: update aliases db command: postalias /etc/postfix/aliases - -- name: postmap relay_passwords - command: postmap /etc/postfix/relay_passwords diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 22caa5133b5ef5d9f7706b2591783eae77452d1b..19477610ce208c0a20c23ac0d4f3ffd338587f69 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -43,26 +43,21 @@ name: certificate vars: domains: ["{{ mail_domain }}"] - when: postfix_smtpd_public - name: install postfix cert renewal hook template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postfix owner=root group=root mode=0755 - when: postfix_smtpd_public - name: install bouncehandler config template: src=wiki-bouncehandler.conf.j2 dest={{ postfix_wiki_bounce_config }} owner={{ postfix_wiki_bounce_user }} group=root mode=0600 - when: postfix_server - name: install packages for bounce handler pacman: name=perl-mediawiki-api,perl-config-simple state=present - when: postfix_server - name: install bouncehandler script copy: src=bouncehandler.pl dest={{ postfix_wiki_bounce_mail_handler }} owner=root group=root mode=0755 - when: postfix_server - name: make bouncehandler user - user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state={{ "present" if postfix_server else "absent" }} + user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state=present - name: start and enable postfix service: name=postfix enabled=yes state=started 
@@ -73,41 +68,11 @@ - compat_maps - compat_maps.db -- name: install extra packages for relaying via smarthost - when: postfix_relayhost | length > 0 - package: - name: cyrus-sasl - state: present - -- name: install relay_passwords file - when: postfix_relayhost | length > 0 - template: - src: relay_passwords.j2 - dest: /etc/postfix/relay_passwords - mode: 0640 - owner: root - group: postfix - notify: - - postmap relay_passwords - -- name: create user account on mail to relay with - delegate_to: mail.archlinux.org - when: postfix_relayhost | length > 0 - user: - name: "{{ inventory_hostname_short }}" - comment: "SMTP Relay Account for {{ inventory_hostname }}" - group: nobody - password: "{{ postfix_relay_password | password_hash('sha512') }}" - shell: /sbin/nologin - update_password: always - home: /home/"{{ inventory_hostname }}" # Set home directory so shadow.service does not fail - create_home: true - - name: open firewall holes ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes with_items: - smtp - smtps - when: postfix_smtpd_public and configure_firewall + when: configure_firewall tags: - firewall diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 3a0ed08762abd64f51d8bbd8300a02032193e493..d2c8386b28de95d0eac3aca4f1b76bc7082d0329 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 @@ -11,13 +11,8 @@ smtputf8_enable = no append_dot_mydomain = no -{% if postfix_smtpd_public %} smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem -{% else %} -smtpd_tls_cert_file = /etc/letsencrypt/live/{{inventory_hostname}}/fullchain.pem -smtpd_tls_key_file = /etc/letsencrypt/live/{{inventory_hostname}}/privkey.pem -{% endif %} smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem smtpd_tls_eecdh_grade = ultra 
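Review bot: With the `postfix_smtpd_public` guard gone, the `open firewall holes` task now exposes smtp and smtps on every host that applies this role whenever `configure_firewall` is set, so the role has become implicitly server-only. The playbooks in this commit apply `postfix` only to mail.archlinux.org, but nothing in the role records that constraint, and a future playbook that picks `postfix` instead of `postfix_null` would end up with a publicly reachable smtpd and open ports. Suggest a comment above the task: `# postfix is deployed only on the public mail server (satellite hosts use postfix_null), so smtp/smtps are always exposed when the firewall is managed.`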
@@ -34,11 +29,7 @@ smtpd_tls_mandatory_ciphers=high tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHAA smtp_tls_loglevel = 1 -{% if postfix_relayhost %} -smtp_tls_security_level = encrypt -{% else %} smtp_tls_security_level = may -{% endif %} smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache @@ -51,11 +42,7 @@ daemon_directory = /usr/lib/postfix/bin mydomain = {{inventory_hostname}} myhostname = {{inventory_hostname}} myorigin = archlinux.org -{% if postfix_server %} mydestination = archlinux.org -{% else %} -mydestination = -{% endif %} default_database_type=btree indexed = ${default_database_type}:${config_directory} @@ -82,7 +69,6 @@ smtp_connection_cache_on_demand = yes smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -{% if postfix_smtpd_public %} # custom restriction classes policy_check = # postfwd (rate-limiting) @@ -121,7 +107,6 @@ smtpd_recipient_restrictions = # some rate limiting rules only work after data so check it again smtpd_end_of_data_restrictions = $policy_check -{% endif %} address_verify_map = ${default_database_type}:/var/lib/postfix/verify_cache 
@@ -132,19 +117,6 @@ unknown_address_reject_code = 550 smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name). -{% if postfix_relayhost %} -# relay all outbound mail via {{postfix_relayhost}} -# the square brackets prevents postfix from trying to lookup mx records -relayhost = [{{postfix_relayhost}}]:465 -smtp_tls_wrappermode = yes -smtp_sasl_auth_enable = yes -smtp_sasl_password_maps = ${indexed}/relay_passwords -# allow plaintext authentication only over tls secured connections -smtp_sasl_security_options = noanonymous, noplaintext -smtp_sasl_tls_security_options = noanonymous -{% endif %} - -{% if postfix_server %} smtpd_sasl_auth_enable = yes smtpd_tls_auth_only = yes @@ -168,13 +140,10 @@ non_smtpd_milters=inet:localhost:11332 # Pass internal mails through filters so they get signed by opendkim # XXX: Be careful not to have filters that may reject mails! internal_mail_filter_classes = bounce -{% endif %} -{% if postfix_server %} smtpd_sender_login_maps = ${indexed}/smtp_sender_map, ${indexed}/users -{% endif %} smtpd_helo_required = yes smtpd_client_connection_rate_limit = 400 @@ -185,7 +154,6 @@ alias_maps = ${indexed}/aliases alias_database = ${indexed}/aliases -{% if postfix_server %} virtual_alias_maps = ${indexed}/users pcre:${config_directory}/users.pcre @@ -197,7 +165,6 @@ local_recipient_maps = $alias_maps pcre:${config_directory}/transport.pcre relocated_maps = ${indexed}/relocated -{% endif %} relay_domains = {%if postfix_patchwork_enabled %} @@ -212,9 +179,7 @@ transport_maps = patchwork_destination_recipient_limit = 1 {% endif %} -{% if postfix_server %} wiki_bouncehandler_destination_recipient_limit = 1 -{% endif %} authorized_mailq_users = root 
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2 index b607428951e25708dfa3b5f9f3793d2b94918e35..f0a01d44d1cafafc189034c314dd23aa9aabea6e 100644 --- a/roles/postfix/templates/master.cf.j2 +++ b/roles/postfix/templates/master.cf.j2 @@ -12,16 +12,10 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== -{% if postfix_smtpd_public %} smtp inet n - n - - smtpd -o smtpd_client_connection_count_limit=20 -o smtpd_proxy_options=speed_adjust -{% else %} -localhost:smtp inet n - n - - smtpd - -o smtpd_tls_security_level=none -{% endif %} -{% if postfix_server %} msa_cleanup unix n - n - 0 cleanup -o header_checks=pcre:/etc/postfix/msa_header_checks submissions inet n - n - - smtpd @@ -32,7 +26,6 @@ submissions inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=$submission_recipient_restrictions -o smtpd_client_connection_count_limit=10 -{% endif %} #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd @@ -94,7 +87,5 @@ patchwork unix - n n - - pipe flags=DFRX user={{postfix_patchwork_user}} argv={{postfix_patchwork_mail_handler}} {% endif %} -{% if postfix_server %} wiki_bouncehandler unix - n n - - pipe flags=DFRX user={{postfix_wiki_bounce_user}} argv=/usr/bin/systemd-cat {{postfix_wiki_bounce_mail_handler}} {{postfix_wiki_bounce_config}} -{% endif %} diff --git a/roles/postfix/templates/transport.j2 b/roles/postfix/templates/transport.j2 index def1ec60ed34709fea10af094df8f609cfb98954..8d483786e2c2e6773d04a3056923ea961c4d23ec 100644 --- a/roles/postfix/templates/transport.j2 +++ b/roles/postfix/templates/transport.j2 @@ -3,9 +3,7 @@ # #lists.archlinux.org mailman: -{% if not postfix_relayhost %} gmail.com smtp-ipv4: -{% endif %} {% if postfix_patchwork_enabled %} patchwork@archlinux.org patchwork: {% endif %} 
diff --git a/roles/postfix/templates/transport.pcre.j2 b/roles/postfix/templates/transport.pcre.j2 index 5a6032a03f3a47285a3ecaeb0d7150164bc13d47..76be66a6627a1013daae31b9ea90b14a71bd6f9c 100644 --- a/roles/postfix/templates/transport.pcre.j2 +++ b/roles/postfix/templates/transport.pcre.j2 @@ -1,6 +1,4 @@ # # {{ansible_managed}} # -{% if postfix_server %} /wikibounce-[\w.]+-\w+-\w+-\w...............@archlinux.org/ wiki_bouncehandler: -{% endif %} diff --git a/roles/postfix_null/defaults/main.yml b/roles/postfix_null/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..936bcb7661097c1fea2b8086892e20720b0cc1da --- /dev/null +++ b/roles/postfix_null/defaults/main.yml @@ -0,0 +1,2 @@ +--- +postfix_relayhost: "mail.archlinux.org" diff --git a/roles/postfix_null/handlers/main.yml b/roles/postfix_null/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..b247a9f8367dabbc4eadb4406af9035974acb95c --- /dev/null +++ b/roles/postfix_null/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: reload postfix + service: name=postfix state=reloaded diff --git a/roles/postfix/meta/main.yml b/roles/postfix_null/meta/main.yml similarity index 100% rename from roles/postfix/meta/main.yml rename to roles/postfix_null/meta/main.yml diff --git a/roles/postfix_null/tasks/main.yml b/roles/postfix_null/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..2cfd7f2c634a9e5c0449015a8985b289b07c0697 --- /dev/null +++ b/roles/postfix_null/tasks/main.yml 
@@ -0,0 +1,26 @@ +--- +- name: install postfix + pacman: name=postfix state=present + +- name: install template configs + template: src={{ item.file }}.j2 dest=/etc/postfix/{{ item.file }} owner=root group={{ item.group }} mode={{ item.mode }} + with_items: + - {file: main.cf, group: root, mode: 644} + - {file: relay_passwords, group: postfix, mode: 640} + notify: + - reload postfix + +- name: create user account on mail to relay with + delegate_to: mail.archlinux.org + user: + name: "{{ inventory_hostname_short }}" + comment: "SMTP Relay Account for {{ inventory_hostname }}" + group: nobody + password: "{{ postfix_relay_password | password_hash('sha512') }}" + shell: /sbin/nologin + update_password: always + home: /home/"{{ inventory_hostname }}" # Set home directory so shadow.service does not fail + create_home: true + +- name: start and enable postfix + service: name=postfix enabled=yes state=started diff --git a/roles/postfix_null/templates/main.cf.j2 b/roles/postfix_null/templates/main.cf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..f5ddfdfe231d9d3c96da56125903fe6957530937 --- /dev/null +++ b/roles/postfix_null/templates/main.cf.j2 @@ -0,0 +1,19 @@ +# +# {{ansible_managed}} +# +compatibility_level = 3.6 + +mydestination = +inet_interfaces = loopback-only +# relay all outbound mail via {{ postfix_relayhost }} +# the square brackets prevents postfix from trying to lookup mx records +relayhost = [{{ postfix_relayhost }}]:465 +smtp_tls_wrappermode = yes +smtp_tls_security_level = verify +smtp_sasl_auth_enable = yes +smtp_sasl_tls_security_options = noanonymous +smtp_sasl_password_maps = texthash:/etc/postfix/relay_passwords +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt + +alias_maps = inline:{root=root@archlinux.org} +alias_database = $alias_maps 
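Review bot: `home: /home/"{{ inventory_hostname }}"` is a plain YAML scalar, so the double quotes are part of the value and the relay account's home directory on mail.archlinux.org becomes `/home/"<fqdn>"` with literal quote characters; unless that is intended, write it as `home: "/home/{{ inventory_hostname }}"`. The `mode` values in the `with_items` flow maps are bare integers (`644`, `640`); they happen to reach the template module as strings through the key=value form, but quoting them as `mode: '0644'` and `mode: '0640'` keeps the octal meaning if the task is later converted to block-style arguments, which matters for relay_passwords since it holds the relay credential. `password_hash('sha512')` without a salt argument generates a fresh salt on every run, and combined with `update_password: always` the shadow entry on mail.archlinux.org is rewritten and the task reports changed each time; passing a fixed per-host salt as the second argument to `password_hash` makes the task idempotent.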
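Review bot: `alias_maps = inline:{root=root@archlinux.org}` does not appear to take effect as written, because alias expansion is performed by local(8) and with `mydestination =` empty no address is ever delivered locally; system mail to `root` is instead relayed as `root@<myhostname>`, since `myorigin` is not set in this template (the old shared template had `myorigin = archlinux.org`). Unless mail.archlinux.org is known to accept and rewrite `root@<fqdn>` for every satellite, add `myorigin = archlinux.org` so unqualified local addresses are qualified to `@archlinux.org` before relaying, at which point the inline alias is redundant. The comment `# allow plaintext authentication only over tls secured connections`, which in the old template explained why `smtp_sasl_tls_security_options` omits `noplaintext`, was dropped and is worth restoring above that line.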
diff --git a/roles/postfix/templates/relay_passwords.j2 b/roles/postfix_null/templates/relay_passwords.j2
similarity index 100%
rename from roles/postfix/templates/relay_passwords.j2
rename to roles/postfix_null/templates/relay_passwords.j2