author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-01 17:08:53 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:00 +0200 |
commit | 4895573883df830a82b65b8ecf96abde18370147 (patch) | |
tree | 171d5847392e60dc11b130d54626215def2de1ff /roles | |
parent | 1387b69c898cb93fd0343603f92670b40b88eb04 (diff) |
Share master.cf accross all Postfix instances.
And use main.cf's 'master_service_disable' setting to deactivate each
service that is useless for a given instance. (This solves, for instance, the
conflict that arises when two instances try to listen on the same port.)
Diffstat (limited to 'roles')
-rw-r--r-- | roles/common/files/etc/postfix/generic.pcre | 2 | ||||
-rw-r--r-- | roles/common/tasks/mail.yml | 15 | ||||
-rw-r--r-- | roles/common/templates/etc/postfix/main.cf.j2 | 20 |
3 files changed, 21 insertions, 16 deletions
diff --git a/roles/common/files/etc/postfix/generic.pcre b/roles/common/files/etc/postfix/generic.pcre
index c46f4b5..1181a22 100644
--- a/roles/common/files/etc/postfix/generic.pcre
+++ b/roles/common/files/etc/postfix/generic.pcre
@@ -1 +1,3 @@
+# Rewrite the whole enveloppe (From: & To: included) to somthing
+# routable on the internet.
 /^(.+)@([^@.]+)\.[^@]+$/ admin+${1}=${2}@fripost.org
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index 9de0eaa..c562c42 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
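Review bot: The comment added at the top of generic.pcre misspells "envelope" and "something", and it is also imprecise: this map is consulted through `smtp_generic_maps` (see main.cf.j2 in the same commit), which rewrites both envelope and header addresses in the SMTP client, so From:/To: are header addresses rather than part of the envelope. Suggested wording: `# Rewrite envelope and header addresses (From: & To: included) to something` / `# routable on the internet.`.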
@@ -1,44 +1,47 @@
 - name: Install Postfix
 apt: pkg={{ item }}
 with_items:
 # That one is nicer than GNU mailutils' mailx(1)
 - heirloom-mailx
 - postfix
 - postfix-cdb
 - postfix-pcre
 - name: Create Postfix instances
 postmulti: instance={{ postfix_instance[item].name }}
 group={{ postfix_instance[item].group | default('') }}
 register: r1
 with_items: postfix_instance.keys() | intersect(group_names) | list
 notify:
 - Restart Postfix
-- name: Define dynamic maps for children instances
- # main.cf and master.cf are configured in dedicated roles, though
- file: src=../postfix/dynamicmaps.cf
- dest=/etc/postfix-{{ postfix_instance[item].name }}/dynamicmaps.cf
- owner=root group=root state=link
+- name: Link the dynamic maps & master.cf of each children to the master's
+ # main.cf is specialized to each dedicated role, though
+ file: src=../postfix/{{ item.1 }}
+ dest=/etc/postfix-{{ postfix_instance[item.0].name }}/{{ item.1 }}
+ owner=root group=root
+ state=link force=yes
 register: r2
- with_items: postfix_instance.keys() | intersect(group_names) | list
+ with_nested:
+ - postfix_instance.keys() | intersect(group_names) | list
+ - [ 'dynamicmaps.cf', 'master.cf' ]
 notify:
 - Restart Postfix
 - name: Configure Postfix (1)
 copy: src=etc/postfix/{{ item }}
 dest=/etc/postfix/{{ item }}
 owner=root group=root mode=0644
 register: r3
 with_items:
 - master.cf
 - generic.pcre
 notify:
 - Reload Postfix
 - name: Configure Postfix (2)
 template: src=etc/postfix/main.cf.j2
 dest=/etc/postfix/main.cf
 owner=root group=root mode=0644
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 0922b49..59bf0ba 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
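Review bot: `state=link force=yes` on the new "Link the dynamic maps & master.cf" task replaces whatever already exists at `/etc/postfix-<instance>/master.cf`, including an instance-specific regular file left behind by the dedicated roles that the removed comment says used to manage it, so the first run on an existing host silently discards that configuration; checking with the `stat` module for a pre-existing regular file (or backing it up) before forcing the link would make the migration visible. Because master.cf is now shared, a change to `etc/postfix/master.cf` in 'Configure Postfix (1)' also affects every child instance, yet that task only notifies `Reload Postfix`; unless that handler (defined outside this file) reloads all instances, children keep running the old service table. The shared file is only safe if each child's main.cf carries a `master_service_disable` list for the listeners it must not bind, which this role cannot verify, so a comment on the link task stating that dependency would help, e.g. `# NOTE: each instance's main.cf must set master_service_disable for the services it must not bind`.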
@@ -1,61 +1,61 @@
 ########################################################################
 # Nullmailer configuration
 smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
 biff = no
 readme_directory = no
 myorigin = /etc/mailname
 myhostname = {{ ansible_fqdn }}
 mydomain = {{ ansible_domain }}
 append_dot_mydomain = no
 # This server is for internal use only
-mynetworks_style = host
-inet_interfaces = loopback-only
-inet_protocols = ipv4
-# Tunnel everything through IPSec
-smtp_bind_address = 172.16.0.1
+mynetworks_style = host
+inet_interfaces = loopback-only
+inet_protocols = ipv4
 # No local delivery
 mydestination =
 local_transport = error:5.1.1 Mailbox unavailable
 alias_maps =
 local_recipient_maps =
 # All aliases are virtual
 default_database_type = cdb
 virtual_alias_maps = cdb:/etc/aliases
 alias_database = $virtual_alias_maps
 # Transform local FQDN addresses to addresses routable on the internet
 smtp_generic_maps = pcre:$config_directory/generic.pcre
 # Forward everything to our internal mailhub
 {% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:2525
+# TODO: use a UNIX socket instead
+relay_transport = lmtp:unix:private/mta-out
 {% else %}
-relayhost = [outgoing.fripost.org]:2525
+relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
 {% endif %}
+relay_domains =
-# This server is for internal use only; external connections are
-# protected by IPSec already
-smtpd_tls_security_level = none
+# Tunnel everything through IPSec
 smtp_tls_security_level = none
+smtp_bind_address = 172.16.0.1
+smtpd_tls_security_level = none
 # Turn off all TCP/IP listener ports except that dedicated to
 # samhain(8), which sadly cannot use pickup through the sendmail binary.
 master_service_disable = !16132.inet inet
 {% set multi_instance = False %}
 {%- for g in postfix_instance.keys() | sort -%}
 {%- if g in group_names -%}
 {%- if not multi_instance -%}
 {%- set multi_instance = True -%}
 ## Other postfix instances
 multi_instance_wrapper = $command_directory/postmulti -p --
 multi_instance_enable = yes
 multi_instance_directories =
 {%- endif %}
 /etc/postfix-{{ postfix_instance[g].name }}
 {%- endif %}
 {% endfor %} |
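Review bot: In the `'MTA-out' in group_names` branch, `relay_transport = lmtp:unix:private/mta-out` only applies to destinations matched by `relay_domains`, and the same hunk sets `relay_domains =` to empty, so on those hosts mail for remote domains falls through to `default_transport` (smtp) with no `relayhost` left in that branch and is delivered directly from `smtp_bind_address = 172.16.0.1` instead of through the mailhub; unless `default_transport` is set further down the template (the hunk ends at line 61), that branch should set `default_transport = lmtp:unix:private/mta-out` instead. In the other branch, `relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}` is used with `smtp_tls_security_level = none`, so confidentiality and peer authentication of the relay hop rest entirely on the IPsec policy covering that address and port, which this file cannot enforce; the comment `# Tunnel everything through IPSec` should state the assumption, e.g. `# Deliberately no SMTP-layer TLS: the hop to MTA_out.IPv4 relies on the IPsec tunnel; re-check the policy whenever MTA_out.* changes`. `smtp_bind_address = 172.16.0.1` is also now set unconditionally, including on MTA-out hosts where the relay is meant to go over a UNIX socket, which looks harmless but deserves a one-line comment.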