1 files changed, 82 insertions, 6 deletions

diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 4302502..57f17f8 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -1,36 +1,41 @@
 - name: Install Postfix
-  apt: pkg={{ item }}
-  with_items:
+  apt: pkg={{ packages }}
+  vars:
+    packages:
     - postfix
     - postfix-pcre
     - postfix-ldap
-    - postfix-cdb
+    - postfix-lmdb
     # The following is for reserved-alias.pl
     - libnet-ldap-perl
     - libauthen-sasl-perl
 
 - name: Configure Postfix
-  template: src=etc/postfix/main.cf.j2
-            dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+  template: src=etc/postfix/{{ item }}.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
             owner=root group=root
             mode=0644
+  with_items:
+    - main.cf
+    - master.cf
+    - access-list.cidr
   notify:
     - Reload Postfix
 
 - name: Create directory /etc/postfix-.../virtual
   file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
         state=directory
         owner=root group=root
         mode=0755
 
 # trivial-rewrite(8) runs in a chroot.  We create an empty
 # /usr/lib/sasl2 to avoid "No such file or directory" warnings.
 # Cf. also #738989.
 - name: Create directory /usr/lib/sasl2
   file: path=/var/spool/postfix-{{ postfix_instance[inst].name }}/{{ item }}
         state=directory
         owner=root group=root
         mode=0755
   with_items:
     - /usr/lib/sasl2
     - /usr/lib/{{ ansible_architecture }}-linux-gnu/sasl2
@@ -41,68 +46,139 @@
   copy: src=etc/postfix/virtual/{{ item }}
         dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
         owner=root group=root
         mode=0644
   with_items:
     - domains.cf
     # no need to reload upon change, as cleanup(8) is short-running
     - reserved_alias.pcre
     - alias.cf
     - mailbox.cf
     - list.cf
     - alias_domains.cf
     - catchall.cf
 
 - name: Copy lookup tables (2)
   template: src=etc/postfix/virtual/transport.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport
             owner=root group=root
             mode=0644
 
+- name: Copy recipient access(5) map
+  copy: src=etc/postfix/reject-unknown-client-hostname.cf
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/reject-unknown-client-hostname.cf
+            owner=root group=root
+            mode=0644
+  notify:
+    - Reload Postfix
+
 - name: Compile the Postfix transport maps
   # trivial-rewrite(8) is a long-running process, so it's safer to reload
   postmap: instance={{ postfix_instance[inst].name }}
-           src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
+           src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=lmdb
            owner=root group=root
            mode=0644
   notify:
     - Reload Postfix
 
 - name: Copy reserved-alias.pl
   copy: src=usr/local/bin/reserved-alias.pl
         dest=/usr/local/bin/reserved-alias.pl
+        owner=root group=staff
+        mode=0755
+
+- name: Create directory /etc/postfix/ssl
+  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
+        state=directory
         owner=root group=root
         mode=0755
+  tags:
+    - genkey
 
 - meta: flush_handlers
 
 - name: Start Postfix
   service: name=postfix state=started
 
+- name: Fetch Postfix's X.509 certificate
+  # Ensure we don't fetch private data
+  become: False
+  # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
+  fetch_cmd: cmd="openssl x509 -noout -pubkey"
+             stdin=/etc/postfix-{{ postfix_instance[inst].name }}/ssl/mx.fripost.org.pem
+             dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pub
+  tags:
+    - genkey
+
 
 - name: Install 'postfix_mailqueue_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
         dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
         owner=root group=root
         state=link force=yes
   tags:
     - munin
     - munin-node
   notify:
     - Restart munin-node
 
 - name: Install 'postfix_stats_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_stats_
         dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
         owner=root group=root
         state=link force=yes
   with_items:
     - postscreen
     - smtpd
     - qmgr
     - smtp
     - pipe
   tags:
     - munin
     - munin-node
   notify:
     - Restart munin-node
+
+# XXX we probaly want SPF verification for domains without DMARC
+# policies
+- name: Install OpenDMARC
+  apt: pkg=opendmarc
+
+- name: Copy OpenDMARC configuration
+  copy: src=etc/opendmarc.conf
+        dest=/etc/opendmarc.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - Stop OpenDMARC
+
+- name: Create directory /etc/systemd/system/opendmarc.service.d
+  file: path=/etc/systemd/system/opendmarc.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Harden OpenDMARC service unit
+  copy: src=etc/systemd/system/opendmarc.service.d/override.conf
+        dest=/etc/systemd/system/opendmarc.service.d/override.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Stop OpenDMARC
+
+- meta: flush_handlers
+
+- name: Copy OpenDMARC socket unit
+  copy: src=etc/systemd/system/opendmarc.socket
+        dest=/etc/systemd/system/opendmarc.socket
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Restart OpenDMARC
+
+- name: Disable OpenDMARC service
+  service: name=opendmarc.service enabled=false
+
+- name: Start OpenDMARC socket
+  service: name=opendmarc.socket state=started enabled=true