forward.yml 3.0 KB

  1. - hosts: [forward.example.com]
  2. become: true
  3. vars:
  4. virtual_alias_domains:
  5. - example.co
  6. - example.com
  7. - example.info
  8. tasks:
  9. - docker_network:
  10. name: mail
  11. - docker_volume:
  12. volume_name: postfix_config
  13. register: config_volume
  14. - docker_volume:
  15. volume_name: postfix_queue
  16. register: queue_volume
  17. - stat:
  18. path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}'
  19. register: config_volume_stat
  20. - name: create virtual alias map
  21. copy:
  22. # http://www.postfix.org/virtual.5.html
  23. content: |
  24. /^alice/ alice@gmail.com
  25. /^bob/ bob@gmail.com
  26. /^postmaster\@/ alice@gmail.com
  27. dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual'
  28. mode: u=r,g=,o=
  29. # workaround if userns remapping enabled
  30. # postmap: fatal: open /etc/postfix/virtual.db: Permission denied
  31. owner: '{{ config_volume_stat.stat.uid }}'
  32. register: virtual_alias_map
  33. - name: create config
  34. copy:
  35. content: |
  36. # $myhostname prefix is a RFC requirement
  37. smtpd_banner = $myhostname ESMTP $mail_name quid agis?
  38. # http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
  39. smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination
  40. mydestination =
  41. # http://www.postfix.org/VIRTUAL_README.html#virtual_alias
  42. virtual_alias_domains = {{ virtual_alias_domains | join(', ') }}
  43. virtual_alias_maps = regexp:/etc/postfix/virtual
  44. # include TLS protocol & cipher in 'Received' header
  45. smtpd_tls_received_header = yes
  46. # bytes
  47. message_size_limit = {{ 32 * 1024 * 1024 }}
  48. delay_warning_time = 1h
  49. smtp_tls_security_level = encrypt
  50. # docs recommend against whitelist
  51. smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
  52. smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
  53. # http://www.postfix.org/MAILLOG_README.html
  54. maillog_file = /dev/stdout
  55. # http://www.postfix.org/COMPATIBILITY_README.html
  56. compatibility_level = 2
  57. dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf'
  58. # postfix: warning: not owned by root
  59. owner: '{{ config_volume_stat.stat.uid }}'
  60. mode: u=r,g=,o=
  61. register: config
  62. - docker_container:
  63. name: postfix
  64. # 1.0.1-postfix3.4.5r0-amd64
  65. image: fphammerle/postfix@sha256:b2d214d66f1760bdcbfa3156efa7cb08cef5d80e5f6607e181f79fdde409b82d
  66. hostname: forward.example.com
  67. volumes:
  68. - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro'
  69. - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual:/etc/postfix/virtual:ro'
  70. - '{{ queue_volume.ansible_facts.docker_volume.Mountpoint }}:/var/spool/postfix:rw'
  71. networks: [name: mail]
  72. purge_networks: yes
  73. published_ports: ['25:25']
  74. restart_policy: unless-stopped
  75. restart: '{{ config.changed or virtual_alias_map.changed }}'