You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

82 lines
2.7 KiB

---
- name: install letsencrypt certificate if needed
hosts: 'postfix-host'
roles:
- role: firewall
vars:
firewall_server: "{{ inventory_hostname }}"
firewall_clients: [ 0.0.0.0/0 ]
firewall_protocols: [ tcp ]
firewall_ports: [ 80, 443 ]
firewall_rule_state: present
delegate_to: localhost
become: false
- role: certbot-postfix
become: true
- role: firewall
vars:
firewall_server: "{{ inventory_hostname }}"
firewall_clients: [ 0.0.0.0/0 ]
firewall_protocols: [ tcp ]
firewall_ports: [ 80, 443 ]
firewall_rule_state: absent
delegate_to: localhost
become: false
- name: install and configure postfix relay
hosts: 'postfix-host'
become: true
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: debops.postfix/env
- role: debops.secret
secret__directories:
- '{{ postfix__secret__directories | d([])}}'
- role: debops.postfix
postfix__mailname: '{{ domain }}'
postfix__fqdn: '{{ inventory_hostname }}.{{ domain }}'
postfix__mastercf:
- name: 'smtps'
state: 'present'
options:
- smtpd_sasl_auth_enable: False
- name: 'smtpd_relay_restrictions'
state: 'comment'
base__maincf:
- name: 'smtpd_relay_restrictions'
value: "{% if letsencrypt_staging | default(false) %}check_recipient_access inline:{{'{'}}dachary.org=OK{{'}'}} defer{% endif %}"
state: "{% if letsencrypt_staging | default(false) %}present{% else %}absent{% endif %}"
- name: 'mynetworks'
value:
- name: '0.0.0.0/0'
TLS__maincf:
- name: 'smtpd_tls_security_level'
value: 'encrypt'
comment: |
This enforce TLS usage.
According to RFC 2487 this MUST NOT be applied in case
of a publicly-referenced Postfix SMTP server.
section: 'smtpd-tls'
- name: 'smtpd_tls_cert_file'
value: '/etc/letsencrypt/live/postfix-host.{{ domain }}/cert.pem'
section: 'smtpd-tls'
- name: 'smtpd_tls_key_file'
value: '/etc/letsencrypt/live/postfix-host.{{ domain }}/privkey.pem'
section: 'smtpd-tls'
- name: 'smtpd_tls_CAfile'
value: '/etc/letsencrypt/live/postfix-host.{{ domain }}/chain.pem'
section: 'smtpd-tls'
postfix__maincf: "{{ base__maincf + TLS__maincf }}"
postfix__restrictions_maincf: [ ]
- role: install_dns_mail_records
- role: postfix_relay_monitoring