Split the postfix role into a role for mail.a.o and the clients

The role for the clients is named postfix_null (per [1]) and it's much
simpler and cleaner than the postfix role. I hope can cleanup the
postfix role at a later date.

[1] http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

roles/postfix_null/tasks/main.yml

+---
+- name: install postfix
+  pacman: name=postfix state=present
+
+- name: install template configs
+  template: src={{ item.file }}.j2 dest=/etc/postfix/{{ item.file }} owner=root group={{ item.group }} mode={{ item.mode }}
+  with_items:
+    - {file: main.cf, group: root, mode: 644}
+    - {file: relay_passwords, group: postfix, mode: 640}
+  notify:
+    - reload postfix
+
+- name: create user account on mail to relay with
+  delegate_to: mail.archlinux.org
+  user:
+    name: "{{ inventory_hostname_short }}"
+    comment: "SMTP Relay Account for {{ inventory_hostname }}"
+    group: nobody
+    password: "{{ postfix_relay_password | password_hash('sha512') }}"
+    shell: /sbin/nologin
+    update_password: always
+    home: /home/"{{ inventory_hostname }}"  # Set home directory so shadow.service does not fail
+    create_home: true
+
+- name: start and enable postfix
+  service: name=postfix enabled=yes state=started

roles/postfix_null/templates/main.cf.j2

+#
+# {{ansible_managed}}
+#
+compatibility_level = 3.6
+
+mydestination =
+inet_interfaces = loopback-only
+# relay all outbound mail via {{ postfix_relayhost }}
+# the square brackets prevents postfix from trying to lookup mx records
+relayhost = [{{ postfix_relayhost }}]:465
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = verify
+smtp_sasl_auth_enable = yes
+smtp_sasl_tls_security_options = noanonymous
+smtp_sasl_password_maps = texthash:/etc/postfix/relay_passwords
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+alias_maps = inline:{root=root@archlinux.org}
+alias_database = $alias_maps