author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-03 03:18:56 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-03 03:43:41 +0100 |
commit | dcdb8cd6b1b525fc8eacd509586da3396c068251 (patch) | |
tree | 0ea6c49af37faf4b8b33b366506aedbf374a5968 | |
parent | 78a300a2430cb2652c7839cd35400cc22122c798 (diff) |
Postfix: replace cdb & btree tables with lmdb ones.
Cf. lmdb_table(5).
-rw-r--r-- | lib/modules/postmap | 4 | ||||
-rw-r--r-- | roles/IMAP/tasks/mda.yml | 2 | ||||
-rw-r--r-- | roles/IMAP/templates/etc/postfix/main.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MSA/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 2 | ||||
-rw-r--r-- | roles/MX/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 5 | ||||
-rw-r--r-- | roles/amavis/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/common/files/etc/logcheck/ignore.d.server/postfix-local | 2 | ||||
-rw-r--r-- | roles/common/tasks/clamav.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/mail.yml | 6 | ||||
-rw-r--r-- | roles/common/templates/etc/postfix/main.cf.j2 | 4 | ||||
-rw-r--r-- | roles/lists/tasks/mail.yml | 2 | ||||
-rw-r--r-- | roles/lists/templates/etc/postfix/main.cf.j2 | 2 | ||||
-rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 2 |
15 files changed, 22 insertions, 21 deletions
diff --git a/lib/modules/postmap b/lib/modules/postmap index 7080b25..8c9d54c 100644 --- a/lib/modules/postmap +++ b/lib/modules/postmap @@ -25,63 +25,63 @@ except ImportError: # Look up for the file suffix corresponding to 'db'. If 'db' is unset, # pick the default_detabase_type of the given instance instead. def file_suffix(instance, db): if not db: if instance: cmd = [ os.path.join(os.sep, 'usr', 'sbin', 'postmulti') , '-x' , '-i', instance , '--' ] else: cmd = [] cmd.extend([ os.path.join(os.sep, 'usr', 'sbin', 'postconf') , '-h', 'default_database_type' ]) null = open (os.devnull, 'wb') db = subprocess.check_output(cmd, stderr=null).rstrip() null.closed # See postmap(1) and postalias(1) - suffixes = { 'btree': 'db', 'cdb': 'cdb', 'hash': 'db' } + suffixes = { 'btree': 'db', 'cdb': 'cdb', 'hash': 'db', 'lmdb': 'lmdb' } return suffixes[db] # Compile the given (alias/lookup) table def compile(cmd, instance, db, src): cmd = [ os.path.join(os.sep, 'usr', 'sbin', cmd) ] if instance: config = os.path.join(os.sep, 'etc', 'postfix-%s' % instance) cmd.extend([ '-c', config ]) if db: src = "%s:%s" % (db,src) cmd.append(src) subprocess.check_output(cmd, stderr=subprocess.STDOUT) def main(): module = AnsibleModule( argument_spec = dict( src = dict( required=True ), - db = dict( choices=['btree','cdb','hash'] ), + db = dict( choices=['btree','cdb','hash','lmdb'] ), cmd = dict( choices=['postmap','postalias'], default='postmap' ), instance = dict( required=False ) ), add_file_common_args=True, supports_check_mode=True ) params = module.params src = params['src'] db = params['db'] cmd = params['cmd'] instance = params['instance'] if os.path.isabs(src): src = src else: module.fail_json(msg="absolute paths are required") if not os.path.exists(src): module.fail_json(src=src, msg="no such file") diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml index ced15cc..1510103 100644 --- a/roles/IMAP/tasks/mda.yml +++ b/roles/IMAP/tasks/mda.yml 
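Review bot: In file_suffix, the statement following subprocess.check_output reads the attribute `null.closed` rather than calling `close()`, so the os.devnull handle opened two lines earlier is never released; since this hunk touches the function anyway, the two lines could become `with open(os.devnull, 'wb') as null:` / `db = subprocess.check_output(cmd, stderr=null).rstrip()` with the `null.closed` line dropped. Separately, `suffixes[db]` raises a bare KeyError when postconf reports a default_database_type other than the four listed keys (and, should the module ever run under Python 3, check_output returns bytes that never match the str keys), so a guarded lookup that raises with an explicit message would fail more clearly for the Ansible caller. file_suffix and compile are complete within the hunk; main() continues past it.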
@@ -10,41 +10,41 @@ owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix - name: Copy the transport and recipient canonical maps copy: src=etc/postfix/{{ item }} dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: # no need to reload upon change, as cleanup(8) is short-running - recipient_canonical.pcre - transport - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=lmdb owner=root group=root mode=0644 notify: - Reload Postfix - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: - munin - munin-node notify: diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index a879d28..3d548ce 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 
@@ -34,41 +34,41 @@ multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 0 recipient_delimiter = + # No relay: this server is inbound-only relay_transport = error:5.1.1 Relay unavailable default_transport = error:5.1.1 Transport unavailable # Virtual transport (the alias resolution and address validation is # performed on the MX:es only) virtual_transport = lmtp:unix:private/dovecot-lmtpd lmtp_bind_address = 127.0.0.1 virtual_mailbox_domains = static:all virtual_mailbox_maps = static:all -#transport_maps = cdb:$config_directory/transport +#transport_maps = lmdb:$config_directory/transport # Restore the original envelope recipient relay_domains = recipient_canonical_classes = envelope_recipient recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre # Don't rewrite remote headers local_header_rewrite_clients = smtp_tls_security_level = none smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks # We are the only ones using this proxy, but if things go wrong we # want to know why diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml index 00c205d..4f32df3 100644 --- a/roles/MSA/tasks/main.yml +++ b/roles/MSA/tasks/main.yml 
@@ -35,41 +35,41 @@ - main.cf - master.cf notify: - Reload Postfix - name: Copy the Regex to anonymize senders # no need to reload upon change, as cleanup(8) is short-running copy: src=etc/postfix/anonymize_sender.pcre dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre owner=root group=root mode=0644 - name: Copy the check_sender_access map copy: src=etc/postfix/check_sender_access dest=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access owner=root group=root mode=0644 - name: Compile the check_sender_access map # no need to reload upon change, as cleanup(8) is short-running - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access db=cdb + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access db=lmdb owner=root group=root mode=0644 notify: - Reload Postfix - name: Create directory /etc/postfix/ssl file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl state=directory owner=root group=root mode=0755 tags: - genkey - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 79808d5..7d7cb6d 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 
@@ -86,34 +86,34 @@ disable_vrfy_command = yes address_verify_sender = $double_bounce_sender@noreply.$mydomain address_verify_poll_count = 3 address_verify_relayhost = address_verify_sender_ttl = 8069m address_verify_negative_refresh_time = 5m unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_sasl_authenticated reject smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_login_maps = socketmap:unix:private/sender-login:sender_login smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain - check_sender_access cdb:$config_directory/check_sender_access + check_sender_access lmdb:$config_directory/check_sender_access reject_known_sender_login_mismatch smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unverified_recipient permit_sasl_authenticated reject smtpd_data_restrictions = reject_unauth_pipelining # vim: set filetype=pfmain : diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index 78362ca..6092301 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml @@ -1,27 +1,27 @@ - name: Install Postfix apt: pkg={{ item }} with_items: - postfix - postfix-pcre - postfix-ldap - - postfix-cdb + - postfix-lmdb # The following is for reserved-alias.pl - libnet-ldap-perl - libauthen-sasl-perl - name: Configure Postfix template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf - access-list.cidr notify: - Reload Postfix - name: Create directory /etc/postfix-.../virtual file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual state=directory owner=root group=root 
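Review bot: The MSA template keeps relying on the built-in default for address_verify_map, which on Postfix 2.7 and later is a btree table (`btree:$data_directory/verify_cache`), so after this commit reject_unverified_recipient on the new side still writes to a btree database — unless the parameter is set in a part of the template outside the hunk. For consistency with the postscreen_cache_map line the MX template gains in this same commit, adding `address_verify_map = lmdb:$data_directory/verify_cache` next to the other address_verify_* settings would finish the btree replacement the commit message describes. The smtpd_sender_restrictions block is complete within the hunk.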
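Review bot: The apt task in the roles/MX/tasks/main.yml hunk swaps postfix-cdb for postfix-lmdb, but nothing removes the cdb plugin, so hosts provisioned before this change keep both map plugins installed while freshly provisioned ones get only lmdb; the install task in roles/common/tasks/mail.yml has the same gap. If the cdb plugin is no longer wanted, a follow-up task such as `- name: Remove the cdb plugin` / `apt: pkg=postfix-cdb state=absent` placed after the install task would make the package set identical on old and new hosts. The with_items list is complete within the hunk.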
@@ -56,41 +56,41 @@ - alias_domains.cf - catchall.cf - name: Copy lookup tables (2) template: src=etc/postfix/virtual/transport.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport owner=root group=root mode=0644 - name: Copy recipient access(5) map copy: src=etc/postfix/reject-unknown-client-hostname.cf dest=/etc/postfix-{{ postfix_instance[inst].name }}/reject-unknown-client-hostname.cf owner=root group=root mode=0644 notify: - Reload Postfix - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload postmap: instance={{ postfix_instance[inst].name }} - src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb + src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=lmdb owner=root group=root mode=0644 notify: - Reload Postfix - name: Copy reserved-alias.pl copy: src=usr/local/bin/reserved-alias.pl dest=/usr/local/bin/reserved-alias.pl owner=root group=staff mode=0755 - name: Create directory /etc/postfix/ssl file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl state=directory owner=root group=root mode=0755 tags: - genkey - meta: flush_handlers diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index e5792c4..8362d57 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 
@@ -28,51 +28,51 @@ multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + # Forward everything to our internal outgoing proxy relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = # Virtual transport # We use a dedicated "virtual" domain to decongestion potential # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in # tranport_maps. virtual_transport = error:5.1.1 Virtual transport unavailable -virtual_alias_domains = !cdb:$config_directory/virtual/transport +virtual_alias_domains = !lmdb:$config_directory/virtual/transport ldap:$config_directory/virtual/domains.cf virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre # unless there is a matching user/alias/list... ldap:$config_directory/virtual/mailbox.cf ldap:$config_directory/virtual/alias.cf ldap:$config_directory/virtual/list.cf # ...we resolve alias domains and catch alls ldap:$config_directory/virtual/alias_domains.cf ldap:$config_directory/virtual/catchall.cf -transport_maps = cdb:$config_directory/virtual/transport +transport_maps = lmdb:$config_directory/virtual/transport # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter smtp_send_xforward_command = yes # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 reserved-alias_destination_recipient_limit = 1 # Tolerate occasional high latency smtp_data_done_timeout = 1200s smtp_tls_security_level = none smtpd_tls_security_level = may smtpd_tls_ciphers = medium smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_cert_file = $config_directory/ssl/mx.fripost.org.pem smtpd_tls_key_file = $config_directory/ssl/mx.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem 
@@ -85,40 +85,41 @@ smtpd_tls_received_header = yes # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 unknown_local_recipient_reject_code = 554 unknown_relay_recipient_reject_code = 554 unknown_virtual_alias_reject_code = 554 unknown_virtual_mailbox_reject_code = 554 postscreen_access_list = permit_mynetworks cidr:$config_directory/access-list.cidr postscreen_dnsbl_whitelist_threshold = -1 +postscreen_cache_map = lmdb:$data_directory/postscreen_cache postscreen_blacklist_action = drop postscreen_dnsbl_threshold = 8 postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 #swl.spamhaus.org*-4 b.barracudacentral.org=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10..12]*4 wl.mailspike.net=127.0.0.[18..20]*-2 bl.spameatingmonkey.net=127.0.0.2*4 bl.spamcop.net=127.0.0.2*2 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 diff --git a/roles/amavis/tasks/main.yml b/roles/amavis/tasks/main.yml index d4298b8..ce43c9c 100644 --- a/roles/amavis/tasks/main.yml +++ b/roles/amavis/tasks/main.yml 
@@ -19,41 +19,41 @@ - zoo - ripole - cabextract - unar - tnef notify: - Restart Amavis - name: Add 'clamav' to the group 'amavis' user: name=clamav groups=amavis append=yes notify: - Restart ClamAV - Restart Amavis - name: Add an 'amavis' alias lineinfile: dest=/etc/aliases create=yes regexp="^amavis{{':'}} " line="amavis{{':'}} root" - name: Compile the static local Postfix database - postmap: cmd=postalias src=/etc/aliases db=cdb + postmap: cmd=postalias src=/etc/aliases db=lmdb owner=root group=root mode=0644 - name: Create directory /var/lib/dkim file: path=/var/lib/dkim state=directory owner=root group=root mode=0755 when: "'out' in group_names" tags: - genkey - name: Generate a private key for DKIM signing command: genkeypair.sh dkim --privkey=/var/lib/dkim/20140703.fripost.org.key -t rsa -b 1024 register: dkim changed_when: dkim.rc == 0 failed_when: dkim.rc > 1 when: "'out' in group_names" notify: - Restart Amavis diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local index df5e158..7df68c4 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local 
@@ -77,34 +77,34 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/smtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address [[:xdigit:].:]{3,39}: (No address associated with hostname|Temporary failure in name resolution)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: (numeric hostname: [[:xdigit:].:]{3,39}|valid_hostname: misplaced delimiter: \S)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|lists)/pipe\[[[:digit:]]+\]: [[:xdigit:]]+: to=<[^>]+>,( orig_to=<[^>]+>,)* relay=([-_.[:alnum:]]+), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via \3 service\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/discard\[[[:digit:]]+\]: [[:xdigit:]]+: to=<[^>]+>,( orig_to=<[^>]+>,)* relay=none, delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(discard\.fripost\.org\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/smtpd\[[[:digit:]]+\]: warning: Illegal address syntax from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] in (MAIL|RCPT) command:\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: (PASS (OLD|NEW)|WHITELISTED) \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: CONNECT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ to \[[[:xdigit:].:]{3,39}\]:25$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: DISCONNECT \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: PREGREET [[:digit:]]+ after [.[:digit:]]+ from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+:\s ^\w{3} [ :[:digit:]]{11} 
[._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: HANGUP after [.[:digit:]]+ from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ in tests (before|after) SMTP handshake$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: BARE NEWLINE from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+( after\s.*)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: NON-SMTP COMMAND from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: COMMAND PIPELINING from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+ after\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: DNSBL rank [[:digit:]]+ for \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from (\[[[:xdigit:].:]{3,39}\]):[[:digit:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? (Service unavailable; client \1 blocked using [._[:alnum:]-]+|Protocol error|Service currently unavailable);( .+;)? 
(from=<[^>]*>, to=<[^>]+>, )?proto=E?SMTP(, helo=<[^[:space:]]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: NOQUEUE: reject: CONNECT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+: too many connections$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: COMMAND (COUNT|TIME) LIMIT from \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+( after [[:upper:]]+)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: cache [a-z]+:\S+ full cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: warning: getpeername: Transport endpoint is not connected -- dropping this connection$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: warning: psc_cache_update: btree:/var/lib/postfix-mx/postscreen_cache update average delay is [[:digit:]]+ ms$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: warning: psc_cache_update: lmdb:/var/lib/postfix-mx/postscreen_cache update average delay is [[:digit:]]+ ms$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/postscreen\[[[:digit:]]+\]: warning: dnsblog reply timeout [[:digit:]]+s for [._[:alnum:]-]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/dnsblog\[[[:digit:]]+\]: addr [[:xdigit:].:]{3,39} listed by domain [._[:alnum:]-]+ as [[:xdigit:].:]{3,39}$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/dnsblog\[[[:digit:]]+\]: warning: dnsblog_query: lookup error for DNS query ([._[:alnum:]-]+): Host or domain name not found. Name service error for name=\1 type=A(AAA)?: Host not found, try again$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:xdigit:]]+: to=<[^>]+>, relay=none, delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=5(\.[[:digit:]]+){2})?, status=(undeliverable|bounced) \(Host or domain name not found. 
Name service error for name=[^[:space:]]+ type=A(AAA)?: Host not found\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: (CONNECT from|DISCONNECT) \[[[:xdigit:].:]{3,39}\]:[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Postfix sender login socketmap\.(\.\.)?$ # # Amavis ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM|UNCHECKED(-[A-Z]+)?|BAD-HEADER-[28]) {Relayed(Tagged)?(Internal|Inbound|Outbound)}, (INCOMING|OUTGOING)( LOCAL)? \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?( \[[[:xdigit:].:]{3,39}\])? <[^>]*> -> (<[^>]*>,)+( Queue-ID: [[:xdigit:]]+,)?( Message-ID: <[^>]+>,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [_-+[:alnum:]]+, Hits: -?[[:digit:].]*, size: [[:digit:]]+, queued_as: [[:xdigit:]]+(, dkim_(new|sd)?=[-_.,:[:alnum:]]+)?, [[:digit:]]+ ms$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM|UNCHECKED(-[A-Z]+)?|BAD-HEADER-[28]) {Relayed(Tagged)?(Internal|Inbound|Outbound)}, (INCOMING|OUTGOING)( LOCAL)? \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?( \[[[:xdigit:].:]{3,39}\])? <[^>]*> -> (<[^>]*>,)*(<[^>]*)?\.\.\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) \.\.\.([^>]*>)?(,<[^>]*>)*,( Queue-ID: [[:xdigit:]]+,)?( Message-ID: <[^>]+>,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [_-+[:alnum:]]+, Hits: -?[[:digit:].]*, size: [[:digit:]]+, queued_as: [[:xdigit:]]+(, dkim_(new|sd)?=[-_.,:[:alnum:]]+)?, [[:digit:]]+ ms$ # SMTP client connection caching was introduced in 2.6.0; the SMTP session is held for the next task, and is terminated by Postfix if the next mail comes soon enough ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtpd\[[[:digit:]]+\]: timeout after END-OF-MESSAGE from [._[:alnum:]-]+\[(127.0.0.1|::1)\]$ diff --git a/roles/common/tasks/clamav.yml b/roles/common/tasks/clamav.yml index 1c68598..28a8460 100644 
--- a/roles/common/tasks/clamav.yml +++ b/roles/common/tasks/clamav.yml @@ -9,23 +9,23 @@ template: src=etc/clamav/freshclam.conf.j2 dest=/etc/clamav/freshclam.conf owner=clamav group=adm mode=0444 tags: freshclam notify: - Restart freshclam - name: Start ClamAV service: name={{ item }} state=started with_items: - clamav-daemon - clamav-freshclam - name: Add a 'clamav' alias lineinfile: dest=/etc/aliases create=yes regexp="^clamav{{':'}} " line="clamav{{':'}} root" - name: Compile the static local Postfix database - postmap: cmd=postalias src=/etc/aliases db=cdb + postmap: cmd=postalias src=/etc/aliases db=lmdb owner=root group=root mode=0644 diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index 7692c28..49815f5 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml @@ -1,27 +1,27 @@ - name: Install Postfix apt: pkg={{ item }} with_items: # That one is nicer than GNU mailutils' mailx(1) - s-nail - postfix - - postfix-cdb + - postfix-lmdb - name: Create Postfix instances postmulti: instance={{ postfix_instance[item].name }} group={{ postfix_instance[item].group | default('') }} register: r1 with_items: "{{ postfix_instance.keys() | intersect(group_names) | list }}" notify: - Restart Postfix - name: Link the dynamic maps of each children to the master's # main.cf and master.cf are specialized to each dedicated role, though file: src=../postfix/dynamicmaps.cf dest=/etc/postfix-{{ postfix_instance[item].name }}/dynamicmaps.cf owner=root group=root state=link force=yes register: r2 with_items: "{{ postfix_instance.keys() | intersect(group_names) | list }}" notify: - Restart Postfix 
@@ -30,33 +30,33 @@ dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix - name: Add some common aliases lineinfile: dest=/etc/aliases create=yes regexp='^{{ item.src }}{{':'}} ' line='{{ item.src }}{{':'}} {{ item.dst }}' with_items: - { src: mailer-daemon, dst: 'postmaster' } - { src: postmaster, dst: 'root' } - { src: nobody, dst: 'root' } - { src: root, dst: 'root@fripost.org' } - name: Compile the static local Postfix database - postmap: cmd=postalias src=/etc/aliases db=cdb + postmap: cmd=postalias src=/etc/aliases db=lmdb owner=root group=root mode=0644 -# We're using CDB +# We're using LMDB - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent - name: Start Postfix service: name=postfix state=started when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 55361ee..92a3340 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 
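Review bot: The cleanup task under the renamed `# We're using LMDB` comment still only deletes /etc/aliases.db, whereas on already-provisioned hosts the stale artifact is now the cdb-compiled /etc/aliases.cdb, which the new `db=lmdb` postalias call no longer overwrites. Changing the task to `file: path=/etc/aliases.{{ item }} state=absent` with `with_items: [db, cdb]` covers the alias map; the per-instance `.cdb` maps under /etc/postfix-*/ and the btree `smtp_tls_session_cache.db` the out template stops using would need a similar task in their roles. Nothing reads these files once the lmdb: maps are in place, so this is hygiene rather than a functional break, but it leaves outdated copies of lookup tables on disk.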
@@ -9,40 +9,40 @@ biff = no readme_directory = no mail_owner = postfix compatibility_level = 2 myorigin = /etc/mailname myhostname = {{ ansible_fqdn }} mydomain = {{ ansible_domain }} append_dot_mydomain = no # This server is for internal use only mynetworks_style = host inet_interfaces = loopback-only # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = local_recipient_maps = # All aliases are virtual -default_database_type = cdb -virtual_alias_maps = cdb:/etc/aliases +default_database_type = lmdb +virtual_alias_maps = lmdb:/etc/aliases alias_database = $virtual_alias_maps # Forward everything to our internal outgoing proxy relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = smtp_tls_security_level = none smtpd_tls_security_level = none {% set instances = postfix_instance.keys() | intersect(group_names) | list %} {%- if instances | length > 0 -%} ## Other postfix instances multi_instance_wrapper = $command_directory/postmulti -p -- multi_instance_enable = yes multi_instance_directories ={% for i in instances | sort %} /etc/postfix-{{ postfix_instance[i].name }}{% endfor %} {% endif %} # vim: set filetype=pfmain : diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml index 409a74b..8705f91 100644 --- a/roles/lists/tasks/mail.yml +++ b/roles/lists/tasks/mail.yml 
@@ -7,41 +7,41 @@ - name: Configure Postfix template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix - name: Copy the transport maps copy: src=etc/postfix/transport dest=/etc/postfix-{{ postfix_instance[inst].name }}/transport owner=root group=root mode=0644 # no need to reload upon change, as cleanup(8) is short-running - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=lmdb owner=root group=root mode=0644 notify: - Reload Postfix - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Copy the 'sympa-queue' wrapper copy: src=usr/local/bin/sympa-queue dest=/usr/local/bin/sympa-queue owner=root group=staff mode=0755 - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2 index 07b27a6..667ceb9 100644 --- a/roles/lists/templates/etc/postfix/main.cf.j2 +++ b/roles/lists/templates/etc/postfix/main.cf.j2 
@@ -30,41 +30,41 @@ multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 0 recipient_delimiter = + # No relay: this server is inbound-only relay_transport = error:5.1.1 Relay unavailable default_transport = error:5.1.1 Transport unavailable relay_domains = sympa.$mydomain -transport_maps = cdb:$config_directory/transport +transport_maps = lmdb:$config_directory/transport sympa_destination_recipient_limit = 1 # Don't rewrite remote headers local_header_rewrite_clients = smtp_tls_security_level = none smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 7167b14..fa314cc 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 
@@ -32,41 +32,41 @@ multi_instance_enable = yes mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 0 recipient_delimiter = + relay_domains = relay_transport = error:5.3.2 Relay Transport unavailable # All header rewriting happens upstream local_header_rewrite_clients = smtp_tls_security_level = may smtp_tls_ciphers = medium smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_note_starttls_offer = yes -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache +smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender |