add relayhost option to postfix role

when deploying the postfix role, specify postfix_relayhost variable with the
hostname of the smtp smarthost to use for delivery. all outbound smtp mail
will be delivered via the specified host.

group_vars/all/postfix.yml

 # This is overridden for the actual mail server which uses mail.archlinux.org.
 mail_domain: "{{inventory_hostname}}"
+
+# password used by postfix for relaying to a central smtp server
+postfix_relay_password: "{{vault_postfix_relay_password}}"

group_vars/all/vault_postfix.yml

+$ANSIBLE_VAULT;1.1;AES256
+63396436643333343730376365326536393737643739653232333436386637346231356437663861
+6238313664386163356537363964363637663935653032340a316165346230643565616235396265
+30626135323865626161333563346135623762363637616137636161353361303034313933666361
+3132303564653335610a336331643733646662333263333838383362383535643736633834303266
+31333731353834366463316263643764343932623136313365393939383036356538326338623763
+64376138643462643137303433623439623337333261646439373162653233623031653066373835
+383166653263323430646333393430646236

playbooks/bbs.archlinux.org.yml

@@ -16,3 +16,4 @@
     - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
     - { role: fluxbb }
     - { role: borg-client, tags: ["borg"] }
+    - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" }

roles/postfix/defaults/main.yml

@@ -8,6 +8,8 @@ postfix_patchwork_mail_handler: "/usr/local/bin/patchwork-parsemail-wrapper.sh"
 
 mail_domain: "mail.archlinux.org"
 
+postfix_relayhost: ""
+
 postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl"
 postfix_wiki_bounce_user: "wiki_bouncehandler"
 postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf"

roles/postfix/handlers/main.yml

@@ -6,3 +6,5 @@
 - name: reload postfix
   command: postfix reload
 
+- name: postmap relay_passwords
+  command: postmap /etc/postfix/relay_passwords

roles/postfix/tasks/main.yml

@@ -85,6 +85,35 @@
     - compat_maps
     - compat_maps.db
 
+- name: install extra packages for relaying via smarthost
+  when: postfix_relayhost != ""
+  package:
+    name: cyrus-sasl
+    state: present
+
+- name: install relay_passwords file
+  when: postfix_relayhost != ""
+  template:
+    src: relay_passwords.j2
+    dest: /etc/postfix/relay_passwords
+    mode: 0640
+    owner: root
+    group: postfix
+  notify:
+    - postmap relay_passwords
+
+- name: create user account on orion to relay with
+  delegate_to: orion.archlinux.org
+  when: postfix_relayhost != ""
+  user:
+    name: "{{inventory_hostname_short}}"
+    comment: "SMTP Relay Account for {{inventory_hostname}}"
+    group: nobody
+    password: ""
+    shell: /sbin/nologin
+    update_password: on_create
+    create_home: no
+
 - name: open firewall holes
   firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:

roles/postfix/templates/main.cf.j2

@@ -10,6 +10,9 @@ append_dot_mydomain = no
 {% if postfix_smtpd_public %}
 smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
 smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
+{% else %}
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{inventory_hostname}}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{inventory_hostname}}/privkey.pem
 {% endif %}
 
 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
@@ -70,13 +73,6 @@ debug_peer_list =
 
 smtp_connection_cache_on_demand = yes
 
-smtpd_milters=unix:/var/spool/opendkim/opendkim
-non_smtpd_milters=unix:/var/spool/opendkim/opendkim
-
-# Pass internal mails through filters so they get signed by opendkim
-# XXX: Be careful not to have filters that may reject mails!
-internal_mail_filter_classes = bounce
-
 # custom restriction classes
 policy_check =
 # postfwd
@@ -84,12 +80,6 @@ policy_check =
   check_policy_service inet:127.0.0.1:10040
 {% endif %}
 
-submission_recipient_restrictions=
-# allow postmaster
-  check_recipient_access ${indexed}/access_recipient,
-  permit_sasl_authenticated,
-  reject
-
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 
 smtpd_recipient_restrictions =
@@ -141,6 +131,17 @@ unknown_address_reject_code = 550
 
 smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
 
+{% if postfix_relayhost %}
+# relay all outbound mail via {{postfix_relayhost}}
+# the square brackets prevents postfix from trying to lookup mx records
+relayhost = [{{postfix_relayhost}}]:587
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = ${indexed}/relay_passwords
+# allow plaintext authentication only over tls secured connections
+smtp_sasl_security_options = noanonymous, noplaintext
+smtp_sasl_tls_security_options = noanonymous
+{% endif %}
+
 {% if postfix_server %}
 smtpd_sasl_auth_enable = yes
 smtpd_tls_auth_only = yes
@@ -152,6 +153,19 @@ smtpd_sasl_path = /var/run/dovecot/auth-client
 smtpd_tls_received_header = yes
 # needed for SA
 smtpd_sasl_authenticated_header = yes
+
+submission_recipient_restrictions=
+# allow postmaster
+  check_recipient_access ${indexed}/access_recipient,
+  permit_sasl_authenticated,
+  reject
+
+smtpd_milters=unix:/var/spool/opendkim/opendkim
+non_smtpd_milters=unix:/var/spool/opendkim/opendkim
+
+# Pass internal mails through filters so they get signed by opendkim
+# XXX: Be careful not to have filters that may reject mails!
+internal_mail_filter_classes = bounce
 {% endif %}
 
 {% if postfix_server %}

roles/postfix/templates/relay_passwords.j2

+#
+# {{ansible_managed}}
+#
+{{postfix_relayhost}} {{inventory_hostname_short}}:{{postfix_relay_password}}

roles/postfix/templates/transport.j2

 #lists.archlinux.org mailman:
+{% if not postfix_relayhost %}
 gmail.com smtp-ipv4:
+{% endif %}
 {% if postfix_patchwork_enabled %}
 patchwork@archlinux.org patchwork:
 {% endif %}