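# Tasks for the MSA Postfix instance: packages, the sender-login socketmap
# service, Postfix configuration and lookup maps, policyd-spf, the TLS
# directory, public-certificate export and Munin plugins.
#
# The instance-specific configuration directory is
# /etc/postfix-{{ postfix_instance[inst].name }}; `inst` and
# `postfix_instance` are expected to be defined by the caller.
#
# Module arguments are written as native block YAML (not key=value strings):
# file modes are quoted so they stay strings, and the locked-password marker
# `!` is quoted because a bare `!` starts a YAML tag.

- name: Install Postfix
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - postfix
      - postfix-lmdb
      - postfix-pcre
      - postfix-policyd-spf-python

- name: Install Net::LDAP and Authen::SASL
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - libnet-ldap-perl
      - libauthen-sasl-perl

- name: Copy Postfix sender login socketmap
  copy:
    src: usr/local/bin/postfix-sender-login.pl
    dest: /usr/local/bin/postfix-sender-login.pl
    owner: root
    group: staff
    mode: "0755"

# Dedicated unprivileged system account for the socketmap daemon: no home
# directory, no login shell, and a locked password (`!`).
- name: Create '_postfix-sender-login' user
  user:
    name: _postfix-sender-login
    system: true
    group: nogroup
    createhome: false
    home: /nonexistent
    shell: /usr/sbin/nologin
    password: "!"
    state: present

- name: Copy Postfix sender login socketmap systemd unit files
  copy:
    src: "etc/systemd/system/{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - postfix-sender-login.service
    - postfix-sender-login.socket
  notify:
    - systemctl daemon-reload

# Run the pending daemon-reload now so systemd knows the new units before
# the socket is enabled below.
- meta: flush_handlers

- name: Enable Postfix sender login socketmap
  service:
    name: postfix-sender-login.socket
    state: started
    enabled: true

- name: Configure Postfix
  template:
    src: "etc/postfix/{{ item }}.j2"
    dest: "/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - main.cf
    - master.cf
  notify:
    - Reload Postfix

- name: Copy the Regex to anonymize senders
  # no need to reload upon change, as cleanup(8) is short-running
  copy:
    src: etc/postfix/anonymize_sender.pcre
    dest: "/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre"
    owner: root
    group: root
    mode: "0644"

- name: Copy the check_sender_access map
  copy:
    src: etc/postfix/check_sender_access
    dest: "/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access"
    owner: root
    group: root
    mode: "0644"

- name: Compile the check_sender_access map
  # no need to reload upon change, as cleanup(8) is short-running
  # NOTE(review): the comment above says no reload is needed, yet the task
  # still notifies 'Reload Postfix' — confirm which one is intended.
  postmap:
    cmd: postmap
    src: "/etc/postfix-{{ postfix_instance[inst].name }}/check_sender_access"
    db: lmdb
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload Postfix

- name: Configure policyd-spf
  template:
    src: etc/postfix-policyd-spf-python/policyd-spf.conf.j2
    dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
    owner: root
    group: root
    mode: "0644"
  # Reload Postfix to terminate spawn(8) daemon children
  notify:
    - Reload Postfix

# Despite the task name, the directory lives under the instance-specific
# configuration directory, not /etc/postfix.
- name: Create directory /etc/postfix/ssl
  file:
    path: "/etc/postfix-{{ postfix_instance[inst].name }}/ssl"
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
    - genkey

# Apply any pending 'Reload Postfix' before the service is started.
- meta: flush_handlers

- name: Start Postfix
  service:
    name: postfix
    state: started

- name: Fetch Postfix's X.509 certificate
  # Ensure we don't fetch private data: run without privilege escalation so
  # only what the login user can read is exposed, and extract only the
  # public key from the certificate file.
  become: false
  # `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
  fetch_cmd:
    cmd: openssl x509 -noout -pubkey
    stdin: "/etc/postfix-{{ postfix_instance[inst].name }}/ssl/smtp.fripost.org.pem"
    dest: certs/public/smtp.fripost.org.pub
  tags:
    - genkey

- name: Install 'postfix_mailqueue_' Munin wildcard plugin
  file:
    src: /usr/local/share/munin/plugins/postfix_mailqueue_
    dest: "/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}"
    owner: root
    group: root
    state: link
    force: true
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

- name: Install 'postfix_stats_' Munin wildcard plugin
  file:
    src: /usr/local/share/munin/plugins/postfix_stats_
    dest: "/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}"
    owner: root
    group: root
    state: link
    force: true
  loop:
    - smtpd
    - qmgr
    - smtp
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

- name: Install 'postfix_sasl_' Munin wildcard plugin
  file:
    src: /usr/local/share/munin/plugins/postfix_sasl_
    dest: "/etc/munin/plugins/postfix_sasl_postfix-{{ postfix_instance[inst].name }}"
    owner: root
    group: root
    state: link
    force: true
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node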