summaryrefslogtreecommitdiffstats
path: root/roles/MX/tasks/main.yml
blob: 300dbfb100dc59518a5815e04b83328a96810a2d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
- name: Install Postfix
  apt: pkg={{ packages }}
  vars:
    packages:
    - postfix
    - postfix-pcre
    - postfix-ldap
    - postfix-lmdb
    # The following is for reserved-alias.pl
    - libnet-ldap-perl
    - libauthen-sasl-perl

- name: Configure Postfix
  template: src=etc/postfix/{{ item }}.j2
            dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
            owner=root group=root
            mode=0644
  with_items:
    - main.cf
    - master.cf
    - access-list.cidr
  notify:
    - Reload Postfix

- name: Create directory /etc/postfix-.../virtual
  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
        state=directory
        owner=root group=root
        mode=0755

# trivial-rewrite(8) runs in a chroot.  We create an empty
# /usr/lib/sasl2 to avoid "No such file or directory" warnings.
# Cf. also #738989.
- name: Create directory /usr/lib/sasl2
  file: path=/var/spool/postfix-{{ postfix_instance[inst].name }}/{{ item }}
        state=directory
        owner=root group=root
        mode=0755
  with_items:
    - /usr/lib/sasl2
    - /usr/lib/{{ ansible_architecture }}-linux-gnu/sasl2
  notify:
    - Reload Postfix

- name: Copy lookup tables (1)
  copy: src=etc/postfix/virtual/{{ item }}
        dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
        owner=root group=root
        mode=0644
  with_items:
    - domains.cf
    # no need to reload upon change, as cleanup(8) is short-running
    - reserved_alias.pcre
    - alias.cf
    - mailbox.cf
    - list.cf
    - alias_domains.cf
    - catchall.cf

- name: Copy lookup tables (2)
  template: src=etc/postfix/virtual/transport.j2
            dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport
            owner=root group=root
            mode=0644

- name: Copy recipient access(5) map
  copy: src=etc/postfix/reject-unknown-client-hostname.cf
            dest=/etc/postfix-{{ postfix_instance[inst].name }}/reject-unknown-client-hostname.cf
            owner=root group=root
            mode=0644
  notify:
    - Reload Postfix

- name: Compile the Postfix transport maps
  # trivial-rewrite(8) is a long-running process, so it's safer to reload
  postmap: instance={{ postfix_instance[inst].name }}
           src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=lmdb
           owner=root group=root
           mode=0644
  notify:
    - Reload Postfix

- name: Copy reserved-alias.pl
  copy: src=usr/local/bin/reserved-alias.pl
        dest=/usr/local/bin/reserved-alias.pl
        owner=root group=staff
        mode=0755

- name: Create directory /etc/postfix/ssl
  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
        state=directory
        owner=root group=root
        mode=0755
  tags:
    - genkey

- meta: flush_handlers

- name: Start Postfix
  service: name=postfix state=started

- name: Fetch Postfix's X.509 certificate
  # Ensure we don't fetch private data
  become: False
  # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
  fetch_cmd: cmd="openssl x509 -noout -pubkey"
             stdin=/etc/postfix-{{ postfix_instance[inst].name }}/ssl/mx.fripost.org.pem
             dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pub
  tags:
    - genkey


- name: Install 'postfix_mailqueue_' Munin wildcard plugin
  file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
        dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
        owner=root group=root
        state=link force=yes
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

- name: Install 'postfix_stats_' Munin wildcard plugin
  file: src=/usr/local/share/munin/plugins/postfix_stats_
        dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
        owner=root group=root
        state=link force=yes
  with_items:
    - postscreen
    - smtpd
    - qmgr
    - smtp
    - pipe
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

# XXX we probaly want SPF verification for domains without DMARC
# policies
- name: Install OpenDMARC
  apt: pkg=opendmarc

- name: Copy OpenDMARC configuration
  copy: src=etc/opendmarc.conf
        dest=/etc/opendmarc.conf
        owner=root group=root
        mode=0644
  notify:
    - Stop OpenDMARC

- name: Create directory /etc/systemd/system/opendmarc.service.d
  file: path=/etc/systemd/system/opendmarc.service.d
        state=directory
        owner=root group=root
        mode=0755

- name: Harden OpenDMARC service unit
  copy: src=etc/systemd/system/opendmarc.service.d/override.conf
        dest=/etc/systemd/system/opendmarc.service.d/override.conf
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Stop OpenDMARC

- meta: flush_handlers

- name: Copy OpenDMARC socket unit
  copy: src=etc/systemd/system/opendmarc.socket
        dest=/etc/systemd/system/opendmarc.socket
        owner=root group=root
        mode=0644
  register: r
  notify:
    - systemctl daemon-reload
    - Restart OpenDMARC

- name: Disable OpenDMARC service
  service: name=opendmarc.service enabled=false

- name: Start OpenDMARC socket
  service: name=opendmarc.socket state=started enabled=true