Outgoing SMTP proxy.

3 files changed, 104 insertions, 0 deletions

diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
new file mode 100644
index 0000000..21c736a
--- /dev/null
+++ b/roles/out/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart Postgrey
+  service: name=postgrey state=restarted
+
+- name: Restart Postfix
+  service: name=postfix state=restarted
+
+- name: Reload Postfix
+  service: name=postfix state=reloaded
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
new file mode 100644
index 0000000..4bf4363
--- /dev/null
+++ b/roles/out/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Install Postfix
+  apt: pkg=postfix
+
+- name: Configure Postfix
+  template: src=etc/postfix/main.cf.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+            owner=root group=root
+            mode=0644
+  register: r
+  notify:
+    - Restart Postfix
+
+- name: Start Postfix
+  service: name=postfix state=started
+  when: not r.changed
+
+- meta: flush_handlers
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..1a7985f
--- /dev/null
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,78 @@
+########################################################################
+# Outgoing MTA configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
+biff             = no
+readme_directory = no
+mail_owner       = postfix
+
+delay_warning_time     = 1d
+maximal_queue_lifetime = 5d
+
+myorigin            = /etc/mailname
+myhostname          = outgoing{{ outgoingno | default('') }}.$mydomain
+mydomain            = fripost.org
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the
+# outgoing SMTP proxy.
+master_service_disable = !2525.inet inet
+
+queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
+multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# Accept everything coming through IPSec.
+# TODO: this should our virtual private subnetwork
+mynetworks      = 0.0.0.0/0
+inet_interfaces = 172.16.0.1, 127.0.0.1
+
+# No local delivery
+mydestination        =
+local_transport      = error:5.1.1 Mailbox unavailable
+alias_maps           =
+alias_database       =
+local_recipient_maps =
+
+message_size_limit  = 67108864
+recipient_delimiter = +
+
+relay_domains           =
+relay_transport         = error:5.3.2 Relay Transport unavailable
+
+# All header rewriting happens upstream
+local_header_rewrite_clients =
+
+
+smtp_tls_security_level         = may
+smtp_tls_note_starttls_offer    = yes
+smtp_tls_cert_file              = /etc/postfix-out/ssl/smtp.fripost.org.pem
+smtp_tls_key_file               = /etc/postfix-out/ssl/smtp.fripost.org.key
+smtp_tls_CApath                 = /etc/ssl/certs/
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_fingerprint_digest     = sha1
+tls_random_source               = dev:/dev/urandom
+
+
+smtpd_helo_required     = yes
+smtpd_helo_restrictions =
+    reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+    reject_non_fqdn_sender
+    reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+    # RFC requirements
+    reject_non_fqdn_recipient
+    reject_unknown_recipient_domain
+    permit_mynetworks
+    reject_unauth_destination
+
+smtpd_data_restrictions =
+    reject_unauth_pipelining