- hosts: [localhost] become: true tasks: - docker_network: name: mail - docker_volume: volume_name: postfix_config register: config_volume - name: copy trusted CA certs copy: src: ../smtp-tls-trusted-ca.pem dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/smtp-tls-trusted-ca.pem' register: smtp_trusted_ca_certs - name: create config copy: content: | # $myhostname prefix is a RFC requirement smtpd_banner = $myhostname ESMTP $mail_name quid agis? # RCPT TO matches $relay_domains => !reject_unauth_destination # http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination mydestination = relay_domains = example.com # include TLS protocol & cipher in 'Received' header smtpd_tls_received_header = yes # + sasl username smtpd_sasl_authenticated_header = yes relayhost = relay.example.com:submission smtp_tls_security_level = secure smtp_tls_secure_cert_match = nexthop smtp_tls_CAfile = /etc/postfix/smtp-tls-trusted-ca.pem # docs recommend against whitelist smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache # http://www.postfix.org/MAILLOG_README.html maillog_file = /dev/stdout # http://www.postfix.org/COMPATIBILITY_README.html compatibility_level = 2 dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf' mode: a=r register: config - docker_container: name: postfix # 1.0.0-postfix3.4.5r0-amd64 image: fphammerle/postfix@sha256:33c2dfc8d292b8399f7c61b206922b81c870ce5ae2c7e233fd1a38d420417154 hostname: postfix-test volumes: - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro' - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/smtp-tls-trusted-ca.pem:/etc/postfix/smtp-tls-trusted-ca.pem:ro' networks: [name: mail] purge_networks: yes published_ports: ['localhost:25:25'] restart_policy: unless-stopped restart: '{{ config.changed or smtp_trusted_ca_certs.changed }}'