| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 |
- - hosts: [forward]
- become: true
- vars:
- hostname: forward.example.com
- virtual_alias_domains:
- - example.co
- - example.com
- - example.info
- # docs recommend against whitelist
- tls_protocols: ['!SSLv2', '!SSLv3', '!TLSv1', '!TLSv1.1']
- tasks:
- - docker_network:
- name: mail
- - docker_volume:
- volume_name: postfix_config
- register: config_volume
- - docker_volume:
- volume_name: postfix_queue
- register: queue_volume
- - stat:
- path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}'
- register: config_volume_stat
- - name: create virtual alias map
- copy:
- # http://www.postfix.org/virtual.5.html
- content: |
- /^alice/ alice@gmail.com
- /^bob/ bob@gmail.com
- /^postmaster\@/ alice@gmail.com
- dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual'
- mode: u=r,g=,o=
- # workaround if userns remapping enabled
- # postmap: fatal: open /etc/postfix/virtual.db: Permission denied
- owner: '{{ config_volume_stat.stat.uid }}'
- register: virtual_alias_map
- - openssl_privatekey:
- path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
- type: RSA
- size: 4096
- owner: '{{ config_volume_stat.stat.uid }}'
- mode: o=r,g=,o=
- - openssl_csr:
- path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem'
- privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
- common_name: '{{ hostname }}'
- subject_alt_name: ['DNS:{{ hostname }}']
- country_name: AT
- basic_constraints: ['CA:FALSE']
- basic_constraints_critical: yes
- digest: sha256
- mode: a=r
- - openssl_certificate:
- backup: yes
- path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem'
- csr_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem'
- privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
- provider: selfsigned
- mode: a=r
- register: smtpd_cert
- - name: postsrsd secrets volume
- docker_volume:
- volume_name: postsrsd_secrets
- register: postsrsd_secrets_volume
- - name: postsrsd secrets dir
- file:
- path: '{{ postsrsd_secrets_volume.ansible_facts.docker_volume.Mountpoint }}/secrets'
- state: directory
- # arbitrary user, see https://github.com/fphammerle/docker-postsrsd/blob/docker/0.1.1-postsrsd1.6-amd64/Dockerfile
- mode: a=rwx,+t
- - name: postsrsd
- docker_container:
- name: postsrsd
- # docker/0.1.1-postsrsd1.6-amd64
- image: fphammerle/postsrsd@sha256:486d79d63ce716994b7baca55172334aca525557e6609ee5864924040b6ad2d3
- networks: [name: mail]
- purge_networks: yes
- env:
- SRS_DOMAIN: '{{ hostname }}'
- volumes:
- - '{{ postsrsd_secrets_volume.ansible_facts.docker_volume.Mountpoint }}/secrets:/etc/postsrsd/secrets:rw'
- restart_policy: always
- - name: create config
- copy:
- content: |
- smtpd_tls_security_level = may
- smtpd_tls_cert_file=/smtpd-cert.pem
- smtpd_tls_key_file=/smtpd-key.pem
- smtpd_tls_protocols = {{ tls_protocols | join(', ') }}
- smtpd_tls_ciphers = high
- smtpd_tls_session_cache_database = btree:${data_directory}/smtpd-tls-session-cache
- # $myhostname prefix is a RFC requirement
- smtpd_banner = $myhostname ESMTP $mail_name quid agis?
- # http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
- smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination
- mydestination =
- # http://www.postfix.org/VIRTUAL_README.html#virtual_alias
- virtual_alias_domains = {{ virtual_alias_domains | join(', ') }}
- virtual_alias_maps = regexp:/etc/postfix/virtual
- # include TLS protocol & cipher in 'Received' header
- smtpd_tls_received_header = yes
- # bytes
- message_size_limit = {{ 32 * 1024 * 1024 }}
- delay_warning_time = 1h
- sender_canonical_maps = tcp:postsrsd:10001
- sender_canonical_classes = envelope_sender
- recipient_canonical_maps = tcp:postsrsd:10002
- recipient_canonical_classes= envelope_recipient,header_recipient
- smtp_tls_security_level = encrypt
- smtp_tls_mandatory_protocols = {{ tls_protocols | join(', ') }}
- smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
- # http://www.postfix.org/MAILLOG_README.html
- maillog_file = /dev/stdout
- # http://www.postfix.org/COMPATIBILITY_README.html
- compatibility_level = 2
- dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf'
- # postfix: warning: not owned by root
- owner: '{{ config_volume_stat.stat.uid }}'
- mode: u=r,g=,o=
- register: config
- - name: postfix
- docker_container:
- name: postfix
- # 1.0.1-postfix3.4.5r0-amd64
- image: fphammerle/postfix@sha256:b2d214d66f1760bdcbfa3156efa7cb08cef5d80e5f6607e181f79fdde409b82d
- hostname: '{{ hostname }}'
- volumes:
- - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro'
- - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual:/etc/postfix/virtual:ro'
- - '{{ queue_volume.ansible_facts.docker_volume.Mountpoint }}:/var/spool/postfix:rw'
- - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem:/smtpd-key.pem:ro'
- - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem:/smtpd-cert.pem:ro'
- networks: [name: mail]
- purge_networks: yes
- published_ports: ['25:25']
- restart_policy: unless-stopped
- restart: '{{ config.changed or virtual_alias_map.changed or smtpd_cert.changed }}'
- - name: send test mail
- command: docker exec postfix sendmail check@ssl-tools.net
- - name: ssl-tools test url
- debug:
- msg: 'https://ssl-tools.net/mailservers/{{ hostname }}'
|
