authorGuilhem Moulin <guilhem@fripost.org>2024-01-04 14:14:38 +0100
committerGuilhem Moulin <guilhem@fripost.org>2024-01-04 14:32:30 +0100
commit180e0b6d7927e1f74af22a7c939fe1ae84867660 (patch)
tree496d8b8288940c115e63d3eef7e0e49544ef6417
parent6691410f945719e62601c3d69d9b2ff9c4cfb4fb (diff)
Install postfix and configure it as a nullmailer.
-rw-r--r--files/etc/postfix/tls_policy3
-rw-r--r--handlers/main.yml12
-rw-r--r--setup.yml1
-rw-r--r--tasks/mail.yml38
-rw-r--r--templates/etc/postfix/main.cf.j247
5 files changed, 101 insertions, 0 deletions
diff --git a/files/etc/postfix/tls_policy b/files/etc/postfix/tls_policy
new file mode 100644
index 0000000..2af19c5
--- /dev/null
+++ b/files/etc/postfix/tls_policy
@@ -0,0 +1,3 @@
+# WARN: smtp_tls_fingerprint_digest MUST be sha256!
+[smtp.guilhem.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2
+ match=B2:37:09:EC:B9:54:DC:51:FA:77:A1:31:0D:30:06:84:7E:10:81:5B:9B:30:B0:31:6E:9A:7B:53:13:C8:37:62
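Review bot: The `match=` digest is the only thing that authenticates the relay hop, yet the file does not record what it is a digest of or how to regenerate it; Postfix fingerprint matching accepts either the certificate fingerprint or the public-key fingerprint, so the header comment should state which one was pinned and the procedure to recompute it, e.g. `# sha256 fingerprint of smtp.guilhem.org's certificate (openssl x509 -noout -fingerprint -sha256); update this line and re-run postmap when the relay's certificate rotates`. A single pinned value means any certificate rotation on the relay makes every delivery fail closed (deferred) until this table is updated and recompiled, which is the desired behaviour but worth stating next to the existing "MUST be sha256" warning. The `protocols=` exclusion list leaves only TLSv1.3; since the accompanying main.cf sets `compatibility_level = 3.6`, the `protocols=>=TLSv1.3` form accepted from Postfix 3.6 on would say the same thing more readably, if the target release is known to be at least that.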
diff --git a/handlers/main.yml b/handlers/main.yml
index d3d7755..9a4521f 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -26,5 +26,17 @@
- name: Restart OpenSSH
service: name=ssh.service state=restarted
+- name: Restart Postfix
+ service: name=postfix.service state=restarted
+
+- name: Reload Postfix
+ service: name=postfix.service state=reloaded
+
+- name: Run newaliases
+ command: /usr/bin/newaliases
+
+- name: Compile /etc/postfix/tls_policy
+ command: /usr/sbin/postmap /etc/postfix/tls_policy
+
- name: Update initramfs
command: /usr/sbin/update-initramfs -u
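Review bot: The new handlers are listed with "Reload Postfix" before "Run newaliases" and "Compile /etc/postfix/tls_policy", and Ansible runs notified handlers in the order they are defined, so when a play touches main.cf and the maps in the same run the reload fires before the tables are rebuilt. Postfix opens `hash:` tables per process, so this is presumably harmless in practice, but moving the two map-building handlers above "Reload Postfix" makes the intent explicit and removes the dependency on that detail. As a point of style, the module arguments use `key=value` strings (`service: name=postfix.service state=reloaded`); native block YAML, with `service:` followed by nested `name:` and `state:` keys, is the form Ansible's own docs and yamllint favour and avoids the quoting tricks the same commit needs in tasks/mail.yml. The file continues outside this hunk, so the surrounding handler order is only partly visible here.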
diff --git a/setup.yml b/setup.yml
index cf51ece..b84c73a 100644
--- a/setup.yml
+++ b/setup.yml
@@ -11,5 +11,6 @@
- import_tasks: ./tasks/apt.yml
- import_tasks: ./tasks/ssh.yml
- import_tasks: ./tasks/base.yml
+ - import_tasks: ./tasks/mail.yml
handlers:
- import_tasks: ./handlers/main.yml
diff --git a/tasks/mail.yml b/tasks/mail.yml
new file mode 100644
index 0000000..89d8530
--- /dev/null
+++ b/tasks/mail.yml
@@ -0,0 +1,38 @@
+- name: Install Postfix
+ apt: pkg=postfix
+
+- name: Add some common aliases
+ lineinfile: dest=/etc/aliases create=yes
+ regexp='^{{ item.src }}{{':'}} '
+ line='{{ item.src }}{{':'}} {{ item.dst }}'
+ with_items:
+ - { src: mailer-daemon, dst: 'postmaster' }
+ - { src: postmaster, dst: 'root' }
+ - { src: nobody, dst: 'root' }
+ - { src: root, dst: 'hostmaster@{{ ansible_domain }}' }
+ notify:
+ - Run newaliases
+
+- name: Configure Postfix
+ template: src=etc/postfix/main.cf.j2
+ dest=/etc/postfix/main.cf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
+
+- name: Start Postfix
+ service: name=postfix.service enabled=true state=started
+
+- name: Copy /etc/postfix/tls_policy
+ copy: src=etc/postfix/tls_policy
+ dest=/etc/postfix/tls_policy
+ owner=root group=root
+ mode=0644
+ notify:
+ - Compile /etc/postfix/tls_policy
+
+- meta: flush_handlers
+
+- name: Install s-nail
+ apt: pkg=s-nail
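Review bot: "Start Postfix" runs before "Copy /etc/postfix/tls_policy" and before the notified postmap handler, so between that task and the final `meta: flush_handlers` Postfix is running with a main.cf whose `smtp_tls_policy_maps` points at a `tls_policy.db` that does not yet exist. A lookup on a missing table makes smtp(8) defer rather than deliver without the pin, so this fails closed, but moving the two `Start Postfix` lines below `- meta: flush_handlers` removes the window and guarantees the first (re)start sees both compiled maps and the rendered main.cf. The `{{':'}}` construct in the `regexp`/`line` arguments of "Add some common aliases" exists only to survive `key=value` argument parsing; writing the module arguments as block YAML (`lineinfile:` with nested `dest:`, `regexp:`, `line:` keys) lets the colon be written literally and keeps `mode: "0644"` an explicit string.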
diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..9557cc4
--- /dev/null
+++ b/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,47 @@
+########################################################################
+# Nullmailer configuration
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+
+compatibility_level = 3.6
+smtputf8_enable = no
+
+myorigin = /etc/mailname
+myhostname = {{ ansible_fqdn }}
+mydomain = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# This server is for internal use only
+mynetworks_style = host
+inet_interfaces = loopback-only
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+local_recipient_maps =
+
+# All aliases are virtual
+virtual_alias_maps = hash:/etc/aliases
+alias_database = $virtual_alias_maps
+mailbox_size_limit = 0
+
+# Forward everything to our internal outgoing proxy
+# TODO: User relay-smtps on 465/tcp once Hetzner opens it
+relay_domains =
+relayhost = [smtp.guilhem.org]:587
+default_transport = relay
+
+smtpd_tls_security_level = none
+smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtp_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps = hash:$config_directory/tls_policy
+smtp_tls_fingerprint_digest = sha256
+smtp_tls_loglevel = 1
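Review bot: The `relayhost = [smtp.guilhem.org]:587` line carries no hint that its protection lives elsewhere: the global `smtp_tls_security_level = may` is only opportunistic, and it is the `[smtp.guilhem.org]:587` entry in `$config_directory/tls_policy` (fingerprint level) that actually authenticates the relay, so the two must stay in lockstep. A comment above `relayhost` such as `# TLS for this next-hop is pinned (fingerprint, TLSv1.3-only) in $config_directory/tls_policy; the key there must match this value exactly` would make that coupling visible to the next editor. The client cert/key lines point at the snakeoil pair, and no SASL settings appear in this template; if the relay authorizes this host by that client certificate, a note saying so would explain why the snakeoil files are referenced at all, and if it does not, those two lines look unused and could be dropped.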