feat(mail): Add postfix configuration

host_vars/mx.test.infra.auro.re.yml

@@ -1,7 +1,4 @@
 ---
-systemd_link__links:
-  ext0: ae:ae:ae:1d:c8:b2
-
 ifupdown2__interfaces:
   ext0:
     addresses:
@@ -9,4 +6,25 @@ ifupdown2__interfaces:
       - 10.211.1.5/16
       - 45.66.111.205/30
     gateways: "{{ ifupdown2__gateways.ext }}"
+
+postfix__hostname: mx.test.auro.re
+
+postfix__sasl_local_domain: test.auro.re
+
+postfix__virtual_aliases:
+  postmaster@test.auro.re: root@test.auro.re
+  dmarc@test.auro.re: root@test.auro.re
+
+postfix__virtual_mailbox_domains:
+ - infra.test.auro.re
+ - test.auro.re
+
+postfix__virtual_mailboxes:
+  jeltz@test.auro.re: jeltz@test.auro.re
+  root@test.auro.re: root@test.auro.re
+  toto@test.auro.re: toto@test.auro.re
+  vincent.lafeychine@test.auro.re: lafeych@test.auro.re
+
+systemd_link__links:
+  ext0: ae:ae:ae:1d:c8:b2
 ...

playbooks/mail.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - vm_test
+  roles:
+    - postfix
+...

roles/postfix/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+postfix__destination_concurrency_limit: 50
+postfix__destination_rate_delay: 3s
+postfix__destination_recipient_limit: 50
+postfix__recipient_delimiter: +
+postfix__virtual_aliases: {}
+postfix__virtual_mailbox_domains: []
+postfix__virtual_mailboxes: {}
+...

roles/postfix/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Reload postfix
+  systemd:
+    name: postfix.service
+    state: reloaded
+...

roles/postfix/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Install postfix
+  apt:
+    name: postfix
+
+- name: Configure postfix
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+  loop:
+    - src: main.cf.j2
+      dest: /etc/postfix/main.cf
+    - src: master.cf.j2
+      dest: /etc/postfix/master.cf
+    - src: virtual.j2
+      dest: /etc/postfix/virtual
+    - src: vmailbox.j2
+      dest: /etc/postfix/vmailbox
+  notify:
+    - Reload postfix
+
+- name: Enable and start postfix
+  systemd:
+    name: postfix.service
+    state: started
+    enabled: true
+...

roles/postfix/templates/main.cf.j2

@@ -0,0 +1,73 @@
+{{ ansible_managed | comment }}
+
+myhostname = {{ postfix__hostname }}
+smtpd_banner = $myhostname ESMTP
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+#delay_warning_time = 4h
+
+compatibility_level = 3.6
+
+virtual_alias_maps = texthash:/etc/postfix/virtual
+virtual_mailbox_domains = {{ postfix__virtual_mailbox_domains | join(" ") }}
+virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+smtpd_sender_login_maps = $virtual_mailbox_maps, $virtual_alias_maps
+
+#smtpd_sasl_type = dovecot
+#smtpd_sasl_path = private/auth
+
+alias_maps =
+
+# TODO peut-être
+#smtpd_helo_required = yes
+#strict_rfc821_envelopes = yes
+
+# TLS parameters
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level = may
+
+# M2M
+smtpd_client_restrictions = permit
+smtpd_helo_restrictions = permit
+smtpd_recipient_restrictions =
+    reject_unverified_recipient,
+    permit
+smtpd_relay_restrictions =
+    reject_unauth_destination,
+    permit
+smtpd_sender_restrictions = permit
+
+# MUA
+mua_client_restrictions =
+    permit_sasl_authenticated,
+    reject
+mua_helo_restrictions = permit
+# TODO match envelope
+mua_recipient_restrictions =
+    reject_authenticated_sender_login_mismatch,
+    permit_sasl_authenticated,
+    reject
+mua_reject_unlisted_sender = yes
+mua_reject_unlisted_recipient = no
+mua_relay_restrictions = permit
+mua_sasl_local_domain = {{ postfix__sasl_local_domain }}
+mua_sender_restrictions = permit
+# TODO mails depuis *@infra.auro.re + localhost
+
+#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+#mailbox_size_limit = 0
+recipient_delimiter = {{ postfix__recipient_delimiter }}
+inet_interfaces = all
+inet_protocols = all
+
+default_destination_rate_delay = {{ postfix__destination_rate_delay }}
+smtp_destination_concurrency_limit = {{ postfix__destination_concurrency_limit }}
+smtp_destination_recipient_limit = {{ postfix__destination_recipient_limit }}

roles/postfix/templates/master.cf.j2

@@ -0,0 +1,60 @@
+{{ ansible_managed | comment }}
+
+# service    type        private  unpriv  chroot   wakeup  maxproc  command + args
+#            (yes)       (yes)    (no)    (never)  (100)
+
+smtp         inet        n        -       y        -       -        smtpd
+    -o syslog_name=postfix/smtp
+    -o smtpd_sasl_auth_enable=no
+    -o smtpd_tls_security_level=may
+
+submissions  inet        n        -       y        -       -        smtpd
+    -o syslog_name=postfix/submissions
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=private/auth
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_sasl_local_domain=$mua_sasl_local_domain
+    -o smtpd_reject_unlisted_sender=$mua_reject_unlisted_sender
+    -o smtpd_reject_unlisted_recipient=$mua_reject_unlisted_recipient
+    -o smtpd_client_restrictions=$mua_client_restrictions
+    -o smtpd_helo_restrictions=$mua_helo_restrictions
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o smtpd_relay_restrictions=$mua_relay_restrictions
+    -o smtpd_recipient_restrictions=$mua_recipient_restrictions
+#     -o milter_macro_daemon_name=ORIGINATING
+
+pickup       unix        n        -       y        60      1        pickup
+cleanup      unix        n        -       y        -       0        cleanup
+qmgr         unix        n        -       n        300     1        qmgr
+tlsmgr       unix        -        -       y        1000?   1        tlsmgr
+rewrite      unix        -        -       y        -       -        trivial-rewrite
+bounce       unix        -        -       y        -       0        bounce
+defer        unix        -        -       y        -       0        bounce
+trace        unix        -        -       y        -       0        bounce
+verify       unix        -        -       y        -       1        verify
+flush        unix        n        -       y        1000?   0        flush
+proxymap     unix        -        -       n        -       -        proxymap
+proxywrite   unix        -        -       n        -       1        proxymap
+smtp         unix        -        -       y        -       -        smtp
+
+# TODO
+# relay        unix        -        -       y        -       -        smtp
+#     -o syslog_name=postfix/$service_name
+#     -o smtp_helo_timeout=5
+#     -o smtp_connect_timeout=5
+
+showq        unix        n        -       y        -       -        showq
+error        unix        -        -       y        -       -        error
+retry        unix        -        -       y        -       -        error
+discard      unix        -        -       y        -       -        discard
+local        unix        -        n       n        -       -        local
+virtual      unix        -        n       n        -       -        virtual
+lmtp         unix        -        -       y        -       -        lmtp
+anvil        unix        -        -       y        -       1        anvil
+scache       unix        -        -       y        -       1        scache
+postlog      unix-dgram  n        -       n        -       1        postlogd
+relay        unix        -        -       n        -       -        smtp
+    -o smtp_fallback_relay=
+#     -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

roles/postfix/templates/virtual.j2

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for src, dest in postfix__virtual_aliases.items() %}
+{{ src }} {{ dest }}
+{% endfor %}

roles/postfix/templates/vmailbox.j2

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for src, dest in postfix__virtual_mailboxes.items() %}
+{{ src }} {{ dest }}
+{% endfor %}