Commit 5534a556 authored by Phillip Smith (fukawi2)'s avatar Phillip Smith (fukawi2)

add relayhost option to postfix role

When deploying the postfix role, set the postfix_relayhost variable to the
hostname of the SMTP smarthost to use for delivery. All outbound SMTP mail
will be delivered via the specified host.
parent d2f9eb1c
# This is overridden for the actual mail server which uses mail.archlinux.org.
mail_domain: "{{inventory_hostname}}"
# password used by postfix for relaying to a central smtp server
postfix_relay_password: "{{vault_postfix_relay_password}}"
$ANSIBLE_VAULT;1.1;AES256
63396436643333343730376365326536393737643739653232333436386637346231356437663861
6238313664386163356537363964363637663935653032340a316165346230643565616235396265
30626135323865626161333563346135623762363637616137636161353361303034313933666361
3132303564653335610a336331643733646662333263333838383362383535643736633834303266
31333731353834366463316263643764343932623136313365393939383036356538326338623763
64376138643462643137303433623439623337333261646439373162653233623031653066373835
383166653263323430646333393430646236
......@@ -16,3 +16,4 @@
- { role: php-fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
- { role: fluxbb }
- { role: borg-client, tags: ["borg"] }
- { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" }
......@@ -8,6 +8,8 @@ postfix_patchwork_mail_handler: "/usr/local/bin/patchwork-parsemail-wrapper.sh"
mail_domain: "mail.archlinux.org"
postfix_relayhost: ""
postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl"
postfix_wiki_bounce_user: "wiki_bouncehandler"
postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf"
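Review bot: `postfix_relayhost: ""` is added to the defaults without a comment, and the defaults file is where a reader looks for what a role variable means and how it is switched off; document it as `# Hostname of the SMTP smarthost for all outbound mail; empty string disables relaying` (the tasks test `!= ""` and main.cf.j2 tests truthiness, so the empty default turns both off). The companion `postfix_relay_password` has no default here and is only defined in group_vars from the vault; a second comment stating that it must be defined whenever `postfix_relayhost` is non-empty would make that dependency visible to anyone reusing the role.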
......@@ -6,3 +6,5 @@
- name: reload postfix
command: postfix reload
- name: postmap relay_passwords
command: postmap /etc/postfix/relay_passwords
......@@ -85,6 +85,35 @@
- compat_maps
- compat_maps.db
- name: install extra packages for relaying via smarthost
when: postfix_relayhost != ""
package:
name: cyrus-sasl
state: present
- name: install relay_passwords file
when: postfix_relayhost != ""
template:
src: relay_passwords.j2
dest: /etc/postfix/relay_passwords
mode: 0640
owner: root
group: postfix
notify:
- postmap relay_passwords
- name: create user account on orion to relay with
delegate_to: orion.archlinux.org
when: postfix_relayhost != ""
user:
name: "{{inventory_hostname_short}}"
comment: "SMTP Relay Account for {{inventory_hostname}}"
group: nobody
password: ""
shell: /sbin/nologin
update_password: on_create
create_home: no
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled immediate=yes
with_items:
......
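Review bot: `delegate_to: orion.archlinux.org` in the "create user account" task is hard-coded while the relay host itself is configurable through `postfix_relayhost` (the playbook happens to pass the same name), so pointing `postfix_relayhost` at another host would still provision the account on orion; `delegate_to: "{{ postfix_relayhost }}"` keeps the two in step, assuming the relay is always an inventory host, which the current literal already requires. The account is created with `password: ""`, which on Linux writes an empty shadow field (a login with no password wherever PAM permits empty passwords) rather than a disabled one, and since the relay credential is the vault value shipped in relay_passwords and `update_password: on_create` never revisits the field, `password: "!"` (locked) is the safer default unless something outside this hunk sets the real SASL password on the relay. Also quote the octal mode (`mode: "0640"`) and write `create_home: false`, so that yamllint and non-Ansible YAML 1.2 tooling do not reinterpret these values. The three `when: postfix_relayhost != ""` guards could be collapsed into one `block:` with a single `when:`, which makes the relay-only tasks read as a unit.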
......@@ -10,6 +10,9 @@ append_dot_mydomain = no
{% if postfix_smtpd_public %}
smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
{% else %}
smtpd_tls_cert_file = /etc/letsencrypt/live/{{inventory_hostname}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{inventory_hostname}}/privkey.pem
{% endif %}
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
......@@ -70,13 +73,6 @@ debug_peer_list =
smtp_connection_cache_on_demand = yes
smtpd_milters=unix:/var/spool/opendkim/opendkim
non_smtpd_milters=unix:/var/spool/opendkim/opendkim
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
internal_mail_filter_classes = bounce
# custom restriction classes
policy_check =
# postfwd
......@@ -84,12 +80,6 @@ policy_check =
check_policy_service inet:127.0.0.1:10040
{% endif %}
submission_recipient_restrictions=
# allow postmaster
check_recipient_access ${indexed}/access_recipient,
permit_sasl_authenticated,
reject
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions =
......@@ -141,6 +131,17 @@ unknown_address_reject_code = 550
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
{% if postfix_relayhost %}
# relay all outbound mail via {{postfix_relayhost}}
# the square brackets prevents postfix from trying to lookup mx records
relayhost = [{{postfix_relayhost}}]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = ${indexed}/relay_passwords
# allow plaintext authentication only over tls secured connections
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
{% endif %}
{% if postfix_server %}
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
......@@ -152,6 +153,19 @@ smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_tls_received_header = yes
# needed for SA
smtpd_sasl_authenticated_header = yes
submission_recipient_restrictions=
# allow postmaster
check_recipient_access ${indexed}/access_recipient,
permit_sasl_authenticated,
reject
smtpd_milters=unix:/var/spool/opendkim/opendkim
non_smtpd_milters=unix:/var/spool/opendkim/opendkim
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
internal_mail_filter_classes = bounce
{% endif %}
{% if postfix_server %}
......
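Review bot: The relayhost block (hunk at line 131 of the diff, `{% if postfix_relayhost %}`) enables client SASL with `smtp_sasl_security_options = noanonymous, noplaintext` and a TLS-only override, but none of the added lines sets `smtp_tls_security_level`; unless it is set elsewhere in this template (not visible here), the client is not required to negotiate TLS to the smarthost, and the comment "plaintext authentication only over tls secured connections" holds only because the non-TLS options forbid PLAIN/LOGIN, which typically makes authentication fail rather than forcing encryption. Adding `smtp_tls_security_level = encrypt` (or `secure` together with `smtp_tls_CAfile`) inside the `{% if postfix_relayhost %}` block makes relaying fail closed when TLS cannot be established, which is the expected posture for `[{{postfix_relayhost}}]:587` as a STARTTLS submission port. If a global `smtp_tls_security_level = may` already exists earlier in the file, a per-destination entry via `smtp_tls_policy_maps` reaches the same result without affecting other destinations.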
#
# {{ansible_managed}}
#
{{postfix_relayhost}} {{inventory_hostname_short}}:{{postfix_relay_password}}
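Review bot: The single data line keys the credential by the bare `{{postfix_relayhost}}` hostname while main.cf.j2 sets `relayhost = [{{postfix_relayhost}}]:587`; Postfix looks up the next-hop as written first and then falls back to the server hostname, so this matches today, but the coupling is easy to break if the relayhost form ever changes. A header comment such as `# key must match relayhost in main.cf (hostname, or the exact [host]:port form)` records that. The file also holds the vault password in clear text, and only the `mode: 0640` / `group: postfix` on the template task protects it, so a one-line `# contains the relay credential; keep root:postfix 0640` here helps anyone editing the task later.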
#lists.archlinux.org mailman:
{% if not postfix_relayhost %}
gmail.com smtp-ipv4:
{% endif %}
{% if postfix_patchwork_enabled %}
patchwork@archlinux.org patchwork:
{% endif %}
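Review bot: The new `{% if not postfix_relayhost %}` around the gmail.com entry has no explanation, and the reason is not obvious from the file itself: a transport_maps entry overrides relayhost for that domain, so leaving it in place would route gmail.com mail directly instead of via the smarthost. A Jinja comment such as `{# only when delivering directly: a transport entry would bypass relayhost for gmail.com #}` above the condition records that intent.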