---
- name: Ruby packages installed
  # Interpreter and gems for the two helper scripts installed below
  # (receive-mail and discourse-smtp-fast-rejection).
  # NOTE(review): ruby2.3 is the stretch-era interpreter and is long past
  # upstream end-of-life; track the distribution's current ruby when the
  # target release moves on.
  apt:
    name:
      - ruby2.3
      - ruby-addressable
      - ruby-json
      - ruby-net-http-persistent
      - ruby-syslog-logger
    state: present
    update_cache: true
  tags:
    - email

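- name: Ruby script receive-mail in place
  # Executed by the "discourse" pipe transport (configured further down) as
  # nobody:nogroup. Ownership is pinned to root: when the destination already
  # exists and no owner is given, copy may keep the existing file's owner,
  # which would leave a Postfix-executed script writable by that account.
  copy:
    src: files/receive-mail
    dest: /usr/local/bin/receive-mail
    owner: root
    group: root
    mode: "0755"
  tags:
    - email
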
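- name: Ruby script discourse-smtp-fast-rejection in place
  # SMTP access-policy daemon spawned by Postfix as nobody (see the "policy"
  # master.cf entry below). Ownership is pinned to root for the same reason
  # as receive-mail: an existing file must not stay owned/writable by a
  # non-root account.
  copy:
    src: files/discourse-smtp-fast-rejection
    dest: /usr/local/bin/discourse-smtp-fast-rejection
    owner: root
    group: root
    mode: "0755"
  tags:
    - email
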
- name: Old, unneeded files removed
  # Cleanup of an earlier helper, presumably replaced by the
  # discourse-smtp-fast-rejection policy service.
  file:
    state: absent
    path: /usr/local/bin/discourse-smtp-rcpt-acl
  tags:
    - email

- name: debconf-utils installed for Ansible
  # Required on the target by Ansible's debconf module, used to pre-seed
  # the postfix installer in the next two tasks.
  apt:
    state: present
    name: debconf-utils
  tags:
    - email

- name: Debconf Postfix hostname set
  # Pre-seed the installer answers so the postfix package installs
  # non-interactively with the intended mail name.
  debconf:
    name: postfix
    question: postfix/mailname
    vtype: string
    value: "{{ hostname }}"
  tags:
    - email

- name: Debconf Postfix set to be a internet server
  # "Internet Site" makes Debian generate a main.cf for direct SMTP
  # delivery/reception; the postconf tasks below then override the
  # settings that matter.
  debconf:
    name: postfix
    question: postfix/main_mailer_type
    vtype: string
    value: Internet Site
  tags:
    - email

- name: Postfix and related email packages installed
  # Postfix plus OpenDKIM for signing, and a few diagnostic/admin tools
  # (dnsutils, mailutils, mutt, pwgen, whois).
  apt:
    state: present
    name:
      - ca-certificates
      - curl
      - debian-archive-keyring
      - dnsutils
      - mailutils
      - mutt
      - opendkim
      - opendkim-tools
      - postfix
      - pwgen
      - whois
  tags:
    - email

- name: Postfix smtpd_relay_restrictions set
  # Relay control: only clients in mynetworks (loopback + the app container)
  # or SASL-authenticated clients may relay to non-local destinations.
  # permit_sasl_authenticated is inert here because nothing in this file
  # enables smtpd_sasl_auth_enable.
  command:
    argv:
      - postconf
      - "-e"
      - "smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
  changed_when: false
  tags:
    - email

- name: Postfix set not to use /etc/aliases
  # Empty alias_maps: no alias expansion via /etc/aliases. Mail for root is
  # redirected by the /root/.forward installed at the end of this file.
  command:
    argv:
      - postconf
      - "-e"
      - "alias_maps = "
  changed_when: false
  tags:
    - email

- name: Postfix mydestination set to localhost
  # Only localhost is delivered locally; mail for the public mail hostname is
  # accepted via relay_domains and routed by transport_maps (set below).
  command:
    argv:
      - postconf
      - "-e"
      - "mydestination = localhost"
  changed_when: false
  tags:
    - email

- name: python-docker installed
  # Python Docker SDK needed by the docker_container_info task that follows.
  apt:
    state: present
    name: python3-docker
  tags:
    - email

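- name: Fetch app container information
  docker_container_info:
    name: app
  register: containerinfo
  tags:
    - email

- name: Get the app container IP address
  # NOTE(review): NetworkSettings.IPAddress is only populated for containers
  # on Docker's default bridge; on a user-defined network it is empty and the
  # address lives under NetworkSettings.Networks.<name>.IPAddress. Confirm
  # which applies to this deployment.
  set_fact:
    app_ip_address: "{{ containerinfo.container.NetworkSettings.IPAddress }}"
  tags:
    - email

- name: Ensure the app container IP address was found
  # Guard added: an empty address would otherwise be written silently as
  # "mynetworks = 127.0.0.0/8," and the container could no longer send mail.
  assert:
    that:
      - app_ip_address is defined
      - app_ip_address | length > 0
    fail_msg: "Could not determine the IP address of the 'app' container"
  tags:
    - email

- name: Postfix my networks set to include {{ app_ip_address }}
  # Every address in mynetworks may relay without authentication (see
  # smtpd_relay_restrictions), so keep this to loopback plus the single
  # container address. Docker can assign a different address when the
  # container is recreated; re-run this role afterwards so the grant does
  # not drift to whatever container inherits the old address.
  command:
    argv:
      - postconf
      - "-e"
      - "mynetworks = 127.0.0.0/8,{{ app_ip_address }}"
  changed_when: false
  tags:
    - email
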
- name: Postfix relay domains set to {{ hostname }}
  # Accept mail addressed to the mail hostname for relaying rather than local
  # delivery; transport_maps (below) then hands it to the discourse pipe.
  command:
    argv:
      - postconf
      - "-e"
      - "relay_domains = {{ hostname }}"
  changed_when: false
  tags:
    - email

- name: Postfix smtpd_recipient_restrictions set
  # Recipient validation only: loopback and the app container skip the
  # check; all other clients are vetted by the "policy" service
  # (discourse-smtp-fast-rejection) defined below. Relay protection is NOT
  # provided here -- it relies on the smtpd_relay_restrictions task above
  # (Postfix >= 2.10); do not remove that task.
  command:
    argv:
      - postconf
      - "-e"
      - "smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/policy"
  changed_when: false
  tags:
    - email

- name: Postfix opportunistic TLS enabled
  # Outbound (SMTP client) side only: use STARTTLS when the remote offers it,
  # without certificate verification. The inbound smtpd TLS level is not set
  # by this task.
  command:
    argv:
      - postconf
      - "-e"
      - "smtp_tls_security_level = may"
  changed_when: false
  tags:
    - email

- name: Postfix set to use sub-addresing
  # Enables user+tag@domain addressing; the full address including the tag
  # is what the pipe transport passes to receive-mail as ${recipient}.
  command:
    argv:
      - postconf
      - "-e"
      - "recipient_delimiter = +"
  changed_when: false
  tags:
    - email

- name: Postfix disable UTF-8 SMTP input
  # Do not advertise/accept SMTPUTF8 (RFC 6531); addresses stay ASCII,
  # presumably for the benefit of the Ruby helpers.
  command:
    argv:
      - postconf
      - "-e"
      - "smtputf8_enable=no"
  changed_when: false
  tags:
    - email

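- name: Postfix Time Zone and Lang set
  # Fixed: the previous form passed export_environment='TZ LANG' to postconf.
  # The command module does not run a shell, so the inner single quotes were
  # written literally into main.cf (postconf(5) values are not de-quoted),
  # leaving Postfix exporting variables named 'TZ and LANG' -- i.e. neither.
  command:
    argv:
      - postconf
      - "-e"
      - "export_environment = TZ LANG"
  changed_when: false
  tags:
    - email
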
- name: Postfix set for ipv4 only
  # Listen and deliver over IPv4 only.
  command:
    argv:
      - postconf
      - "-e"
      - "inet_protocols = ipv4"
  changed_when: false
  tags:
    - email

- name: Postfix set to use /usr/local/bin/receive-mail
  # master.cf entry for the "discourse" transport. pipe(8) executes argv
  # directly without a shell, so ${recipient} is delivered as one argument
  # and cannot inject commands; the script runs unprivileged as
  # nobody:nogroup.
  command:
    argv:
      - postconf
      - "-M"
      - "-e"
      - "discourse/unix=discourse unix - n n - - pipe user=nobody:nogroup argv=/usr/local/bin/receive-mail ${recipient}"
  changed_when: false
  tags:
    - email

- name: Postfix transport in place
  # Maps the mail hostname to the "discourse" pipe transport.
  template:
    src: templates/transport.j2
    dest: /etc/postfix/transport
    mode: "0644"
  tags:
    - email

- name: Postfix Transport Maps file set
  command:
    argv:
      - postconf
      - "-e"
      - "transport_maps=hash:/etc/postfix/transport"
  changed_when: false
  tags:
    - email

- name: Postmap run with Transport Maps file
  # Always rebuild transport.db so it can never lag behind the text file.
  command:
    argv:
      - postmap
      - /etc/postfix/transport
  changed_when: false
  tags:
    - email

- name: Postfix set to reject incorrect email addresses
  # master.cf entry for the "policy" service referenced from
  # smtpd_recipient_restrictions; spawn(8) runs the Ruby policy daemon as
  # nobody.
  command:
    argv:
      - postconf
      - "-M"
      - "-e"
      - "policy/unix=policy unix - n n - - spawn user=nobody argv=/usr/local/bin/discourse-smtp-fast-rejection"
  changed_when: false
  tags:
    - email

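- name: Stat "/var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.cer"
  # Reuse the certificate Discourse's container already obtained, if present;
  # otherwise Postfix keeps the distribution default certificate.
  stat:
    path: "/var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.cer"
  check_mode: false
  register: le_cert
  tags:
    - email

- block:
    - name: Postfix configured to use Let's Encrypt RSA cert for incoming email
      # NOTE(review): in an acme.sh store, <domain>.cer is the bare leaf
      # certificate and fullchain.cer is leaf plus intermediates. Postfix
      # expects the intermediates in smtpd_tls_cert_file; confirm which file
      # this path holds, otherwise verifying senders see a broken chain.
      command:
        argv:
          - postconf
          - "-e"
          - "smtpd_tls_cert_file = /var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.cer"
      changed_when: false
      tags:
        - email

    - name: Postfix configured to use Let's Encrypt RSA key for incoming email
      # The key is read by the root-owned master process, so it need not be
      # readable by the postfix user.
      command:
        argv:
          - postconf
          - "-e"
          - "smtpd_tls_key_file = /var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.key"
      changed_when: false
      tags:
        - email

    - name: Postfix offers STARTTLS to inbound clients
      # Added: a cert/key pair alone does nothing unless the smtpd TLS level
      # is set. Debian's generated main.cf usually enables it, but this file
      # should not depend on that default.
      command:
        argv:
          - postconf
          - "-e"
          - "smtpd_tls_security_level = may"
      changed_when: false
      tags:
        - email
  when: le_cert.stat.exists
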
- name: Directories for opendkim keys and configuration present
  # Private signing keys live under /etc/opendkim/keys: root owns the tree,
  # only the opendkim group may traverse it, no world access (0750).
  file:
    state: directory
    path: "{{ dir.name }}"
    owner: "{{ dir.owner }}"
    group: "{{ dir.group }}"
    mode: "{{ dir.mode }}"
  loop:
    - { name: /etc/opendkim, owner: root, group: opendkim, mode: "0750" }
    - { name: /etc/opendkim/keys, owner: root, group: opendkim, mode: "0750" }
  loop_control:
    loop_var: dir
  tags:
    - email

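- name: Set a fact for the dkim_domains array if it is not defined
  # Task name corrected: the fact being set is dkim_domains (consumed by the
  # include loop below), not postfix_dkim_domains. Defaults to signing for
  # the mail host itself when the caller supplies no (or an empty) list.
  set_fact:
    dkim_domains:
      - "{{ hostname | default(inventory_hostname) }}"
  when: ( dkim_domains is not defined ) or ( dkim_domains == [] )
  tags:
    - email
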
- name: Generate new KeyTable and SigningTable files
  # Rendered to *.new first; a later task copies them over the live files
  # only when the content differs, so opendkim never sees a half-written
  # table.
  template:
    src: "{{ dkim_table }}.j2"
    dest: "/etc/opendkim/{{ dkim_table }}.new"
  loop: [KeyTable, SigningTable]
  loop_control:
    loop_var: dkim_table
  tags:
    - email

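- name: Loop through the dkim_domains array including DKIM tasks
  # Tags on an include_tasks apply to the include statement only; `apply`
  # propagates them so a `--tags email` run also executes the per-domain
  # tasks in dkim_domain.yml. The loop variable name `domain` is part of
  # that file's interface and must not change.
  include_tasks:
    file: dkim_domain.yml
    apply:
      tags:
        - email
  loop: "{{ dkim_domains }}"
  loop_control:
    loop_var: domain
  tags:
    - email
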
- name: Copy the new KeyTable and SigningTable files into place if changed
  # Promote the rendered *.new tables; copy compares content, so this is a
  # no-op when nothing changed.
  copy:
    remote_src: true
    src: "{{ table_path }}.new"
    dest: "{{ table_path }}"
  loop:
    - /etc/opendkim/KeyTable
    - /etc/opendkim/SigningTable
  loop_control:
    loop_var: table_path
  tags:
    - email

- name: Check if the KeyTable has more than one line
  # A one-line table is presumably just the template header with no domain
  # entries; the enable/disable blocks below key off these counts.
  command: wc -l /etc/opendkim/KeyTable
  check_mode: false
  changed_when: false
  register: opendkim_keytable_check
  tags:
    - email

- name: Check if the SigningTable has more than one line
  command: wc -l /etc/opendkim/SigningTable
  check_mode: false
  changed_when: false
  register: opendkim_signingtable_check
  tags:
    - email

- name: Set fact for KeyTable and SigningTable file lengths
  # `wc -l FILE` prints "<count> <path>"; the first field is the line count.
  set_fact:
    opendkim_keytable_length: "{{ opendkim_keytable_check.stdout.split()[0] | int }}"
    opendkim_signingtable_length: "{{ opendkim_signingtable_check.stdout.split()[0] | int }}"
  tags:
    - email

- name: Enable OpenDKIM
  # Runs only when both tables contain at least one domain entry.
  block:
    - name: Configure TrustedHosts
      template:
        src: templates/TrustedHosts.j2
        dest: /etc/opendkim/TrustedHosts
        owner: root
        group: root
        mode: "0644"
      tags:
        - email

    - name: OpenDKIM configuration in place
      template:
        src: templates/opendkim.conf.j2
        dest: /etc/opendkim.conf
      tags:
        - email

    - name: Run postconf to add DKIM configuration to main.cf
      # milter_default_action=accept fails open: if opendkim is unreachable
      # mail still flows, just unsigned. That trades DKIM coverage for
      # availability -- intentional here, but worth knowing when debugging
      # missing signatures.
      command:
        argv:
          - postconf
          - "-e"
          - "{{ edit }}"
      loop:
        - "milter_default_action = accept"
        - "milter_protocol = 6"
        - "smtpd_milters = inet:localhost:{{ postfix_opendkim_port }}"
        - "non_smtpd_milters = inet:localhost:{{ postfix_opendkim_port }}"
      loop_control:
        loop_var: edit
      tags:
        - email

    - name: OpenDKIM enabled and restarted
      # Restarted on every run so new keys/tables are always picked up.
      service:
        name: opendkim
        enabled: true
        state: restarted
      tags:
        - email
  when: ( opendkim_keytable_length | int > 1 ) and ( opendkim_signingtable_length | int > 1 )

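- name: Disable OpenDKIM
  # Exact complement of the enable block above (which needs both tables to
  # have more than one line). The condition was changed from == 1 to <= 1 so
  # a table that rendered empty (0 lines) also disables signing instead of
  # leaving the previous milter configuration in place.
  block:
    - name: Run postconf to remove DKIM configuration from main.cf
      command:
        argv:
          - postconf
          - "-X"
          - "{{ remove }}"
      loop:
        - milter_default_action
        - milter_protocol
        - smtpd_milters
        - non_smtpd_milters
      loop_control:
        loop_var: remove
      changed_when: false
      tags:
        - email

    - name: OpenDKIM disabled and stopped
      # Left running when the operator has declared the DNS records as
      # configured, so an existing deployment is not switched off by a
      # transient empty table.
      service:
        name: opendkim
        enabled: false
        state: stopped
      when: ( postfix_dkim_dns_configured is not defined ) or ( not postfix_dkim_dns_configured )
      tags:
        - email
  when: ( opendkim_keytable_length | int <= 1 ) or ( opendkim_signingtable_length | int <= 1 )
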
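- name: mail-receiver-environment in place
  # Read by /usr/local/bin/receive-mail, which the discourse pipe transport
  # runs as nobody:nogroup; root:nogroup 0640 is therefore sufficient and
  # keeps the file away from every other local account. NOTE(review): this
  # file is likely to hold the credentials receive-mail uses to talk to
  # Discourse -- confirm against the template and that nothing else needs
  # to read it. Tag added so `--tags email` runs also refresh it.
  template:
    src: templates/mail-receiver-environment.json.j2
    dest: /etc/postfix/mail-receiver-environment.json
    owner: root
    group: nogroup
    mode: "0640"
  tags:
    - email
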
- name: Postfix restarted
  # Unconditional restart on every run so all main.cf/master.cf edits above
  # take effect. NOTE(review): `reloaded` would suffice for most of them and
  # avoid dropping in-flight SMTP sessions; a full restart is only needed
  # for listener-level changes such as inet_protocols.
  service:
    state: restarted
    name: postfix
  tags:
    - email

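- name: Root .forward in place
  # Where root's mail goes, since alias_maps is empty. local(8) applies owner
  # and permission checks before honoring a .forward, so ownership and mode
  # are set explicitly instead of being inherited from the umask.
  template:
    src: templates/forward.j2
    dest: /root/.forward
    owner: root
    group: root
    mode: "0644"
  tags:
    - email
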
...