Split the postfix role into a role for mail.a.o and the clients

The role for the clients is named postfix_null (per [1]) and it's much simpler and cleaner than the postfix role. I hope can cleanup the postfix role at a later date. [1] http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

Split the postfix role into a role for mail.a.o and the clients
2304dc5c · Kristian Klausen · 526ae415 · 2304dc5c · 2304dc5c · 2304dc5c
Commit 2304dc5c authored 3 years ago by Kristian Klausen
--- a/docs/email.md
+++ b/docs/email.md
@@ -31,14 +31,14 @@ to the server. This gives us several benefits:

 When a new host is provisioned:

- The *postfix* role has a task delegated to 'mail.archlinux.org' to create a local user
+- The *postfix_null* role has a task delegated to 'mail.archlinux.org' to create a local user
  on 'mail.archlinux.org' that is used for the new server to authenticate against. The user
  name is the shortname of the new servers hostname (ie, "foobar.archlinux.org"
  will authenticate with the username "foobar")
 - You will need to run the *postfwd* role against mail.archlinux.org to update the
  rate-limiting it performs (servers are given higher rate-limits than normal
  users - see `/etc/postfwd/postfwd.cf` for exact limits). This *should*
-  happen automatically as the *postfwd* role is a dependency of the *postfix*
+  happen automatically as the *postfwd* role is a dependency of the *postfix_null*
  role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target
  host that the postfix role is being run on)


--- a/playbooks/archlinux.org.yml
+++ b/playbooks/archlinux.org.yml
@@ -27,7 +27,7 @@
    - { role: borg_client, tags: ["borg"] }
    - { role: certbot }
    - { role: nginx }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - role: postgres
      postgres_listen_addresses: "*"
      postgres_ssl: 'on'

--- a/playbooks/aur-dev.archlinux.org.yml
+++ b/playbooks/aur-dev.archlinux.org.yml
@@ -16,7 +16,7 @@
    - { role: memcached }
    - { role: uwsgi }
    - { role: borg_client, tags: ["borg"] }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: fail2ban }
    - { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' }
    - { role: prometheus_exporters }

--- a/playbooks/aur.archlinux.org.yml
+++ b/playbooks/aur.archlinux.org.yml
@@ -18,7 +18,7 @@
    - { role: memcached }
    - { role: uwsgi }
    - { role: borg_client, tags: ["borg"] }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: fail2ban }
    - { role: aurweb }
    - { role: wireguard }
--- a/playbooks/bbs.archlinux.org.yml
+++ b/playbooks/bbs.archlinux.org.yml
@@ -15,7 +15,7 @@
    - { role: php_fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'] }
    - { role: fluxbb }
    - { role: borg_client, tags: ["borg"] }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: fail2ban }
    - { role: prometheus_exporters }
    - { role: promtail }

--- a/playbooks/bugs.archlinux.org.yml
+++ b/playbooks/bugs.archlinux.org.yml
@@ -15,7 +15,7 @@
    - { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
    - { role: flyspray }
    - { role: borg_client, tags: ["borg"] }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: fail2ban }
    - { role: prometheus_exporters }
    - { role: promtail }

--- a/playbooks/gemini.archlinux.org.yml
+++ b/playbooks/gemini.archlinux.org.yml
@@ -24,7 +24,7 @@
    - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
    - { role: archive }
    - { role: archive_web }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: fail2ban }
    - { role: prometheus_exporters }
    - { role: promtail }
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -10,7 +10,7 @@
    - { role: certbot }
    - { role: nginx }
    - { role: mta_sts }
-    - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
+    - { role: postfix, tags: ['mail'] }
    - { role: dovecot }
    - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
    - { role: unbound, unbound_port: 5353, tags: ["mail"] }

--- a/playbooks/matrix.archlinux.org.yml
+++ b/playbooks/matrix.archlinux.org.yml
@@ -19,8 +19,7 @@
      postgres_maintenance_work_mem: 256MB
      postgres_effective_cache_size: 4GB
      postgres_jit: 'off'
-    - role: postfix
-      postfix_relayhost: "mail.archlinux.org"
+    - { role: postfix_null }
    - { role: matrix }
    - { role: fail2ban }
    - { role: prometheus_exporters }

--- a/playbooks/security.archlinux.org.yml
+++ b/playbooks/security.archlinux.org.yml
@@ -11,7 +11,7 @@
    - { role: borg_client, tags: ["borg"] }
    - { role: certbot }
    - { role: nginx }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: sudo }
    - { role: uwsgi }
    - role: security_tracker

--- a/playbooks/wiki.archlinux.org.yml
+++ b/playbooks/wiki.archlinux.org.yml
@@ -13,7 +13,7 @@
    - { role: borg_client, tags: ["borg"] }
    - { role: certbot }
    - { role: nginx }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true }
    - { role: sudo }
    - { role: php7_fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'sockets', 'zip'], zend_extensions: ['opcache'] }

--- a/roles/postfix/defaults/main.yml
+++ b/roles/postfix/defaults/main.yml
 ---

-postfix_smtpd_public: false
-postfix_server: false
 postfix_patchwork_enabled: false
 postfix_patchwork_user: "patchwork"
 postfix_patchwork_mail_handler: "/usr/local/bin/patchwork-parsemail-wrapper.sh"

 mail_domain: "mail.archlinux.org"

-postfix_relayhost: ""
-
 postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl"
 postfix_wiki_bounce_user: "wiki_bouncehandler"
 postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf"
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -23,6 +23,3 @@

 - name: update aliases db
  command: postalias /etc/postfix/aliases
-
- name: postmap relay_passwords
-  command: postmap /etc/postfix/relay_passwords
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -43,26 +43,21 @@
    name: certificate
  vars:
    domains: ["{{ mail_domain }}"]
-  when: postfix_smtpd_public

 - name: install postfix cert renewal hook
  template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postfix owner=root group=root mode=0755
-  when: postfix_smtpd_public

 - name: install bouncehandler config
  template: src=wiki-bouncehandler.conf.j2 dest={{ postfix_wiki_bounce_config }} owner={{ postfix_wiki_bounce_user }} group=root mode=0600
-  when: postfix_server

 - name: install packages for bounce handler
  pacman: name=perl-mediawiki-api,perl-config-simple state=present
-  when: postfix_server

 - name: install bouncehandler script
  copy: src=bouncehandler.pl dest={{ postfix_wiki_bounce_mail_handler }} owner=root group=root mode=0755
-  when: postfix_server

 - name: make bouncehandler user
-  user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state={{ "present" if postfix_server else "absent" }}
+  user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state=present

 - name: start and enable postfix
  service: name=postfix enabled=yes state=started
@@ -73,41 +68,11 @@
    - compat_maps
    - compat_maps.db

- name: install extra packages for relaying via smarthost
-  when: postfix_relayhost | length > 0
-  package:
-    name: cyrus-sasl
-    state: present
-
- name: install relay_passwords file
-  when: postfix_relayhost | length > 0
-  template:
-    src: relay_passwords.j2
-    dest: /etc/postfix/relay_passwords
-    mode: 0640
-    owner: root
-    group: postfix
-  notify:
-    - postmap relay_passwords
-
- name: create user account on mail to relay with
-  delegate_to: mail.archlinux.org
-  when: postfix_relayhost | length > 0
-  user:
-    name: "{{ inventory_hostname_short }}"
-    comment: "SMTP Relay Account for {{ inventory_hostname }}"
-    group: nobody
-    password: "{{ postfix_relay_password | password_hash('sha512') }}"
-    shell: /sbin/nologin
-    update_password: always
-    home: /home/"{{ inventory_hostname }}"  # Set home directory so shadow.service does not fail
-    create_home: true
-
 - name: open firewall holes
  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
  with_items:
    - smtp
    - smtps
-  when: postfix_smtpd_public and configure_firewall
+  when: configure_firewall
  tags:
    - firewall
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -11,13 +11,8 @@ smtputf8_enable = no

 append_dot_mydomain = no

-{% if postfix_smtpd_public %}
 smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
 smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
-{% else %}
-smtpd_tls_cert_file = /etc/letsencrypt/live/{{inventory_hostname}}/fullchain.pem
-smtpd_tls_key_file = /etc/letsencrypt/live/{{inventory_hostname}}/privkey.pem
-{% endif %}

 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
 smtpd_tls_eecdh_grade = ultra
@@ -34,11 +29,7 @@ smtpd_tls_mandatory_ciphers=high
 tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHAA

 smtp_tls_loglevel = 1
-{% if postfix_relayhost %}
-smtp_tls_security_level = encrypt
-{% else %}
 smtp_tls_security_level = may
-{% endif %}

 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
@@ -51,11 +42,7 @@ daemon_directory = /usr/lib/postfix/bin
 mydomain = {{inventory_hostname}}
 myhostname = {{inventory_hostname}}
 myorigin = archlinux.org
-{% if postfix_server %}
 mydestination = archlinux.org
-{% else %}
-mydestination =
-{% endif %}

 default_database_type=btree
 indexed = ${default_database_type}:${config_directory}
@@ -82,7 +69,6 @@ smtp_connection_cache_on_demand = yes

 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

-{% if postfix_smtpd_public %}
 # custom restriction classes
 policy_check =
 # postfwd (rate-limiting)
@@ -121,7 +107,6 @@ smtpd_recipient_restrictions =
 # some rate limiting rules only work after data so check it again
 smtpd_end_of_data_restrictions =
  $policy_check
-{% endif %}

 address_verify_map = ${default_database_type}:/var/lib/postfix/verify_cache

@@ -132,19 +117,6 @@ unknown_address_reject_code = 550

 smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).

-{% if postfix_relayhost %}
-# relay all outbound mail via {{postfix_relayhost}}
-# the square brackets prevents postfix from trying to lookup mx records
-relayhost = [{{postfix_relayhost}}]:465
-smtp_tls_wrappermode = yes
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = ${indexed}/relay_passwords
-# allow plaintext authentication only over tls secured connections
-smtp_sasl_security_options = noanonymous, noplaintext
-smtp_sasl_tls_security_options = noanonymous
-{% endif %}
-
-{% if postfix_server %}
 smtpd_sasl_auth_enable = yes
 smtpd_tls_auth_only = yes

@@ -168,13 +140,10 @@ non_smtpd_milters=inet:localhost:11332
 # Pass internal mails through filters so they get signed by opendkim
 # XXX: Be careful not to have filters that may reject mails!
 internal_mail_filter_classes = bounce
-{% endif %}

-{% if postfix_server %}
 smtpd_sender_login_maps =
  ${indexed}/smtp_sender_map,
  ${indexed}/users
-{% endif %}
 smtpd_helo_required = yes

 smtpd_client_connection_rate_limit = 400
@@ -185,7 +154,6 @@ alias_maps = ${indexed}/aliases
 alias_database = ${indexed}/aliases


-{% if postfix_server %}
 virtual_alias_maps =
  ${indexed}/users
  pcre:${config_directory}/users.pcre
@@ -197,7 +165,6 @@ local_recipient_maps =
  $alias_maps
  pcre:${config_directory}/transport.pcre
 relocated_maps = ${indexed}/relocated
-{% endif %}

 relay_domains =
 {%if postfix_patchwork_enabled %}
@@ -212,9 +179,7 @@ transport_maps =
 patchwork_destination_recipient_limit = 1
 {% endif %}

-{% if postfix_server %}
 wiki_bouncehandler_destination_recipient_limit = 1
-{% endif %}

 authorized_mailq_users = root


--- a/roles/postfix/templates/master.cf.j2
+++ b/roles/postfix/templates/master.cf.j2
@@ -12,16 +12,10 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
-{% if postfix_smtpd_public %}
 smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_client_connection_count_limit=20
    -o smtpd_proxy_options=speed_adjust
-{% else %}
-localhost:smtp      inet  n       -       n       -       -       smtpd
-    -o smtpd_tls_security_level=none
-{% endif %}

-{% if postfix_server %}
 msa_cleanup unix n      -       n       -       0       cleanup
    -o header_checks=pcre:/etc/postfix/msa_header_checks
 submissions inet n       -       n       -       -       smtpd
@@ -32,7 +26,6 @@ submissions inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_client_connection_count_limit=10
-{% endif %}

 #smtp      inet  n       -       n       -       1       postscreen
 #smtpd     pass  -       -       n       -       -       smtpd
@@ -94,7 +87,5 @@ patchwork   unix  -       n       n       -       -       pipe
  flags=DFRX user={{postfix_patchwork_user}} argv={{postfix_patchwork_mail_handler}}
 {% endif %}

-{% if postfix_server %}
 wiki_bouncehandler unix - n       n       -       -       pipe
  flags=DFRX user={{postfix_wiki_bounce_user}} argv=/usr/bin/systemd-cat {{postfix_wiki_bounce_mail_handler}} {{postfix_wiki_bounce_config}}
-{% endif %}
--- a/roles/postfix/templates/transport.j2
+++ b/roles/postfix/templates/transport.j2
@@ -3,9 +3,7 @@
 #

 #lists.archlinux.org mailman:
-{% if not postfix_relayhost %}
 gmail.com smtp-ipv4:
-{% endif %}
 {% if postfix_patchwork_enabled %}
 patchwork@archlinux.org patchwork:
 {% endif %}
--- a/roles/postfix/templates/transport.pcre.j2
+++ b/roles/postfix/templates/transport.pcre.j2
 #
 # {{ansible_managed}}
 #
-{% if postfix_server %}
 /wikibounce-[\w.]+-\w+-\w+-\w...............@archlinux.org/  wiki_bouncehandler:
-{% endif %}
--- a/roles/postfix_null/defaults/main.yml
+++ b/roles/postfix_null/defaults/main.yml
+---
+postfix_relayhost: "mail.archlinux.org"
--- a/roles/postfix_null/handlers/main.yml
+++ b/roles/postfix_null/handlers/main.yml
+---
+- name: reload postfix
+  service: name=postfix state=reloaded