- hosts: [forward] become: true vars: hostname: forward.example.com virtual_alias_domains: - example.co - example.com - example.info # docs recommend against whitelist tls_protocols: ['!SSLv2', '!SSLv3', '!TLSv1', '!TLSv1.1'] tasks: - docker_network: name: mail - docker_volume: volume_name: postfix_config register: config_volume - docker_volume: volume_name: postfix_queue register: queue_volume - stat: path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}' register: config_volume_stat - name: create virtual alias map copy: # http://www.postfix.org/virtual.5.html content: | alice@example.co alice@gmail.com office@example.info alice@gmail.com bob@example.co bob@gmail.com bob@example.com bob@gmail.com dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual' mode: u=r,g=,o= # workaround if userns remapping enabled # postmap: fatal: open /etc/postfix/virtual.db: Permission denied owner: '{{ config_volume_stat.stat.uid }}' register: virtual_alias_map - openssl_privatekey: path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem' type: RSA size: 4096 owner: '{{ config_volume_stat.stat.uid }}' mode: o=r,g=,o= - openssl_csr: path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem' privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem' common_name: '{{ hostname }}' subject_alt_name: ['DNS:{{ hostname }}'] country_name: AT basic_constraints: ['CA:FALSE'] basic_constraints_critical: yes digest: sha256 mode: a=r - openssl_certificate: backup: yes path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem' csr_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem' privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem' provider: selfsigned mode: a=r register: smtpd_cert - name: postsrsd secrets volume docker_volume: volume_name: postsrsd_secrets register: postsrsd_secrets_volume - name: postsrsd secrets dir file: path: '{{ postsrsd_secrets_volume.ansible_facts.docker_volume.Mountpoint }}/secrets' state: directory # arbitrary user, see https://github.com/fphammerle/docker-postsrsd/blob/docker/0.1.1-postsrsd1.6-amd64/Dockerfile mode: a=rwx,+t - name: postsrsd docker_container: name: postsrsd # docker/0.1.1-postsrsd1.6-amd64 image: fphammerle/postsrsd@sha256:486d79d63ce716994b7baca55172334aca525557e6609ee5864924040b6ad2d3 networks: [name: mail] purge_networks: yes env: SRS_DOMAIN: '{{ hostname }}' volumes: - '{{ postsrsd_secrets_volume.ansible_facts.docker_volume.Mountpoint }}/secrets:/etc/postsrsd/secrets:rw' restart_policy: always - name: create config copy: content: | smtpd_tls_security_level = may smtpd_tls_cert_file=/smtpd-cert.pem smtpd_tls_key_file=/smtpd-key.pem smtpd_tls_protocols = {{ tls_protocols | join(', ') }} smtpd_tls_ciphers = high smtpd_tls_session_cache_database = btree:${data_directory}/smtpd-tls-session-cache # $myhostname prefix is a RFC requirement smtpd_banner = $myhostname ESMTP $mail_name quid agis? # http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination mydestination = # http://www.postfix.org/VIRTUAL_README.html#virtual_alias virtual_alias_domains = {{ virtual_alias_domains | join(', ') }} virtual_alias_maps = hash:/etc/postfix/virtual # include TLS protocol & cipher in 'Received' header smtpd_tls_received_header = yes # bytes message_size_limit = {{ 32 * 1024 * 1024 }} delay_warning_time = 1h sender_canonical_maps = tcp:postsrsd:10001 sender_canonical_classes = envelope_sender recipient_canonical_maps = tcp:postsrsd:10002 recipient_canonical_classes= envelope_recipient,header_recipient smtp_tls_security_level = encrypt smtp_tls_mandatory_protocols = {{ tls_protocols | join(', ') }} smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache # http://www.postfix.org/MAILLOG_README.html maillog_file = /dev/stdout # http://www.postfix.org/COMPATIBILITY_README.html compatibility_level = 2 dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf' # postfix: warning: not owned by root owner: '{{ config_volume_stat.stat.uid }}' mode: u=r,g=,o= register: config - name: postfix docker_container: name: postfix # 1.0.1-postfix3.4.5r0-amd64 image: fphammerle/postfix@sha256:b2d214d66f1760bdcbfa3156efa7cb08cef5d80e5f6607e181f79fdde409b82d hostname: '{{ hostname }}' volumes: - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro' - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual:/etc/postfix/virtual:ro' - '{{ queue_volume.ansible_facts.docker_volume.Mountpoint }}:/var/spool/postfix:rw' - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem:/smtpd-key.pem:ro' - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem:/smtpd-cert.pem:ro' env: POSTMAP_PATHS: | /etc/postfix/virtual networks: [name: mail] purge_networks: yes published_ports: ['25:25'] restart_policy: unless-stopped restart: '{{ config.changed or virtual_alias_map.changed or smtpd_cert.changed }}' - name: send test mail command: docker exec postfix sendmail check@ssl-tools.net - name: ssl-tools test url debug: msg: 'https://ssl-tools.net/mailservers/{{ hostname }}'