From 180e0b6d7927e1f74af22a7c939fe1ae84867660 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 4 Jan 2024 14:14:38 +0100
Subject: Install postfix and configure it as a nullmailer.

---
 files/etc/postfix/tls_policy | 3 +++
 handlers/main.yml | 12 ++++++++++
 setup.yml | 1 +
 tasks/mail.yml | 38 ++++++++++++++++++++++++++++++++
 templates/etc/postfix/main.cf.j2 | 47 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 101 insertions(+)
 create mode 100644 files/etc/postfix/tls_policy
 create mode 100644 tasks/mail.yml
 create mode 100644 templates/etc/postfix/main.cf.j2

diff --git a/files/etc/postfix/tls_policy b/files/etc/postfix/tls_policy
new file mode 100644
index 0000000..2af19c5
--- /dev/null
+++ b/files/etc/postfix/tls_policy
@@ -0,0 +1,3 @@
+# WARN: smtp_tls_fingerprint_digest MUST be sha256!
+[smtp.guilhem.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2
+ match=B2:37:09:EC:B9:54:DC:51:FA:77:A1:31:0D:30:06:84:7E:10:81:5B:9B:30:B0:31:6E:9A:7B:53:13:C8:37:62
diff --git a/handlers/main.yml b/handlers/main.yml
index d3d7755..9a4521f 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -26,5 +26,17 @@
 - name: Restart OpenSSH
 service: name=ssh.service state=restarted
 
+- name: Restart Postfix
+ service: name=postfix.service state=restarted
+
+- name: Reload Postfix
+ service: name=postfix.service state=reloaded
+
+- name: Run newaliases
+ command: /usr/bin/newaliases
+
+- name: Compile /etc/postfix/tls_policy
+ command: /usr/sbin/postmap /etc/postfix/tls_policy
+
 - name: Update initramfs
 command: /usr/sbin/update-initramfs -u
diff --git a/setup.yml b/setup.yml
index cf51ece..b84c73a 100644
--- a/setup.yml
+++ b/setup.yml
@@ -11,5 +11,6 @@
 - import_tasks: ./tasks/apt.yml
 - import_tasks: ./tasks/ssh.yml
 - import_tasks: ./tasks/base.yml
+ - import_tasks: ./tasks/mail.yml
 handlers:
 - import_tasks: ./handlers/main.yml
diff --git a/tasks/mail.yml b/tasks/mail.yml
new file mode 100644
index 0000000..89d8530
--- /dev/null
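Review bot: The `match=` value on the policy line is a bare digest with no record of whether it was taken from the relay's certificate or from its public key, or how to regenerate it, and that decides how often it breaks: at the `fingerprint` level Postfix compares the match list against both the server certificate digest and the public-key digest, so a public-key pin survives certificate renewals on smtp.guilhem.org for as long as the relay keeps its key, whereas a certificate pin defers all outgoing mail at every renewal until this file is updated. A mismatch fails closed (the session is refused and mail stays queued rather than going out without TLS), which is the right default, so the fix is documentation plus an operational reminder: extend the comment to say what was pinned and the exact command that produced it, e.g. `# sha256 of smtp.guilhem.org's public key; regenerate with: openssl x509 -in <relay-cert> -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, and watch the local queue for deferrals after the relay renews. The `protocols=` list leaves only TLS 1.3 negotiable, which is fine as long as the relay offers it; state that assumption in the same comment.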
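Review bot: The two map-building handlers, `Run newaliases` and `Compile /etc/postfix/tls_policy`, are defined after `Restart Postfix` and `Reload Postfix`, and Ansible runs notified handlers in definition order rather than notification order, so on a first run the reload fires before `/etc/aliases.db` and `tls_policy.db` exist even though main.cf already points at both `hash:` tables. Anything submitted in that window hits an unopenable table and, as far as I can tell, is held in the queue rather than lost; the window is short because the play flushes the handlers back to back, but the order is still inverted. Moving the `newaliases` and `postmap` entries above the restart/reload entries makes every reload see complete maps. `Restart Postfix` is also not notified by any task in this commit; if it is reserved for future master.cf changes, a one-line comment saying so would stop it being removed as dead.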
+++ b/tasks/mail.yml
@@ -0,0 +1,38 @@
+- name: Install Postfix
+ apt: pkg=postfix
+
+- name: Add some common aliases
+ lineinfile: dest=/etc/aliases create=yes
+ regexp='^{{ item.src }}{{':'}} '
+ line='{{ item.src }}{{':'}} {{ item.dst }}'
+ with_items:
+ - { src: mailer-daemon, dst: 'postmaster' }
+ - { src: postmaster, dst: 'root' }
+ - { src: nobody, dst: 'root' }
+ - { src: root, dst: 'hostmaster@{{ ansible_domain }}' }
+ notify:
+ - Run newaliases
+
+- name: Configure Postfix
+ template: src=etc/postfix/main.cf.j2
+ dest=/etc/postfix/main.cf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
+
+- name: Start Postfix
+ service: name=postfix.service enabled=true state=started
+
+- name: Copy /etc/postfix/tls_policy
+ copy: src=etc/postfix/tls_policy
+ dest=/etc/postfix/tls_policy
+ owner=root group=root
+ mode=0644
+ notify:
+ - Compile /etc/postfix/tls_policy
+
+- meta: flush_handlers
+
+- name: Install s-nail
+ apt: pkg=s-nail
diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..9557cc4
--- /dev/null
+++ b/templates/etc/postfix/main.cf.j2
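Review bot: The `root` entry in `Add some common aliases` expands to `hostmaster@{{ ansible_domain }}`, and `ansible_domain` is an empty string on a host whose hostname is not fully qualified, which would write `root: hostmaster@` into /etc/aliases and, through `mydomain = {{ ansible_domain }}` in templates/etc/postfix/main.cf.j2, an empty `mydomain` as well; neither fails loudly, root mail simply stops arriving. A guard before `Install Postfix`, `- assert: { that: ansible_domain | length > 0, fail_msg: 'host needs a fully qualified hostname' }`, turns that into a play failure instead. `Start Postfix` also runs before `Copy /etc/postfix/tls_policy` and before any handler, so the first start uses whichever main.cf the package shipped; that is harmless because `Configure Postfix` notifies a reload, but a short comment on the task would save the next reader from checking.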
@@ -0,0 +1,47 @@
+########################################################################
+# Nullmailer configuration
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+
+compatibility_level = 3.6
+smtputf8_enable = no
+
+myorigin = /etc/mailname
+myhostname = {{ ansible_fqdn }}
+mydomain = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# This server is for internal use only
+mynetworks_style = host
+inet_interfaces = loopback-only
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+local_recipient_maps =
+
+# All aliases are virtual
+virtual_alias_maps = hash:/etc/aliases
+alias_database = $virtual_alias_maps
+mailbox_size_limit = 0
+
+# Forward everything to our internal outgoing proxy
+# TODO: User relay-smtps on 465/tcp once Hetzner opens it
+relay_domains =
+relayhost = [smtp.guilhem.org]:587
+default_transport = relay
+
+smtpd_tls_security_level = none
+smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtp_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps = hash:$config_directory/tls_policy
+smtp_tls_fingerprint_digest = sha256
+smtp_tls_loglevel = 1
-- 
cgit v1.2.3
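Review bot: `myorigin = /etc/mailname` makes Postfix read a file that nothing in tasks/mail.yml writes, so the envelope sender domain depends on whether the package's debconf step created /etc/mailname on this host, which as far as I can tell is not the case under every configuration choice; a `copy` task writing `{{ ansible_fqdn }}` to /etc/mailname ahead of `Configure Postfix` removes that dependency. `smtp_tls_fingerprint_digest = sha256` is load-bearing for files/etc/postfix/tls_policy and deserves the same warning the policy file carries, e.g. `# must stay sha256: the match= digests in $config_directory/tls_policy are sha256` placed on the line above it, since changing the digest here makes every pinned session fail. With `default_transport = relay` every message goes through the pinned relayhost, so the global `smtp_tls_security_level = may` is only a fallback; a comment saying that the policy map, not this line, sets the real level for outgoing mail would keep a future reader from loosening the wrong knob.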