

2 commits

Author SHA1 Message Date
9b131e6cac First proposal for TLS ciphers 2024-09-17 16:53:39 +00:00
6c41934194 Lint postfix role 2024-09-17 16:50:09 +00:00
3 changed files with 40 additions and 32 deletions


@ -1,20 +1,20 @@
--- ---
- name: Reload s6-rc - name: Reload s6-rc
service: ansible.builtin.service:
name: s6-rc name: s6-rc
state: reloaded state: reloaded
- name: Restart Postfix - name: Restart Postfix
command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix
- name: Restart Postfix log - name: Restart Postfix log
command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log
- name: Reload Postfix - name: Reload Postfix
command: s6-svc -h {{ s6_scan_dir }}/postfix ansible.builtin.command: s6-svc -h {{ s6_scan_dir }}/postfix
- name: Rebuild Postfix maps - name: Rebuild Postfix maps
command: 'postmap {{ item.type }}:{{ item.name }}' ansible.builtin.command: 'postmap {{ item.type }}:{{ item.name }}'
args: args:
chdir: /usr/local/etc/postfix chdir: /usr/local/etc/postfix
when: item.type in postfix_rebuild_types when: item.type in postfix_rebuild_types


@ -1,27 +1,27 @@
--- ---
- name: Install Postfix - name: Install Postfix
package: ansible.builtin.package:
name: postfix name: postfix
state: present state: present
notify: notify:
- Restart Postfix - Restart Postfix
- name: Create /usr/local/etc/mail - name: Create /usr/local/etc/mail
file: ansible.builtin.file:
path: /usr/local/etc/mail path: /usr/local/etc/mail
state: directory state: directory
owner: root owner: root
group: wheel group: wheel
mode: 0755 mode: '0755'
- name: Install Postfix mailer.conf - name: Install Postfix mailer.conf
copy: ansible.builtin.copy:
dest: /usr/local/etc/mail/mailer.conf dest: /usr/local/etc/mail/mailer.conf
src: /usr/local/share/postfix/mailer.conf.postfix src: /usr/local/share/postfix/mailer.conf.postfix
remote_src: yes remote_src: true
owner: root owner: root
group: wheel group: wheel
mode: 0644 mode: '0644'
- name: Disable sendmail - name: Disable sendmail
sysrc: sysrc:
@ -29,22 +29,22 @@
value: NONE value: NONE
- name: Make sure sendmail is stopped - name: Make sure sendmail is stopped
service: ansible.builtin.service:
name: sendmail name: sendmail
state: stopped state: stopped
- name: Disable sendmail periodic tasks - ansible.core.name: Disable sendmail periodic tasks
lineinfile: ansible.builtin.lineinfile:
path: /etc/periodic.conf path: /etc/periodic.conf
owner: root owner: root
group: wheel group: wheel
mode: 0444 mode: '0444'
regexp: '^{{ item }}=' regexp: '^{{ item }}='
line: '{{ item }}="NO"' line: '{{ item }}="NO"'
with_items: '{{ sendmail_periodic }}' with_items: '{{ sendmail_periodic }}'
- name: Add /var/log/postfix to fstab - name: Add /var/log/postfix to fstab
mount: ansible.builtin.mount:
path: /var/log/postfix path: /var/log/postfix
src: tmpfs src: tmpfs
fstype: tmpfs fstype: tmpfs
@ -52,19 +52,19 @@
state: mounted state: mounted
- name: Create Postfix service directories - name: Create Postfix service directories
file: ansible.builtin.file:
path: '{{ s6_etc_dir }}/service/{{ item }}' path: '{{ s6_etc_dir }}/service/{{ item }}'
state: directory state: directory
owner: root owner: root
group: wheel group: wheel
mode: 0755 mode: '0755'
with_items: '{{ postfix_service_dirs }}' with_items: '{{ postfix_service_dirs }}'
- name: Generate Postfix service scripts - name: Generate Postfix service scripts
template: ansible.builtin.template:
dest: '{{ s6_etc_dir }}/service/{{ item }}' dest: '{{ s6_etc_dir }}/service/{{ item }}'
src: '{{ item }}.j2' src: '{{ item }}.j2'
mode: 0555 mode: '0555'
owner: root owner: root
group: wheel group: wheel
with_items: '{{ postfix_service_scripts }}' with_items: '{{ postfix_service_scripts }}'
@ -73,24 +73,24 @@
- Restart Postfix - Restart Postfix
- name: Generate Postfix service configuration - name: Generate Postfix service configuration
copy: ansible.builtin.copy:
dest: '{{ s6_etc_dir }}/service/{{ item.name }}' dest: '{{ s6_etc_dir }}/service/{{ item.name }}'
content: '{{ item.content }}' content: '{{ item.content }}'
mode: 0444 mode: '0444'
owner: root owner: root
group: wheel group: wheel
loop_control: loop_control:
label: '{{ item.name }} = {{ item.content }}' label: '{{ item.name }} = {{ item.content }}'
notify: notify:
- Reload s6-rc - Reload s6-rc
- Restart Postfix - Restart Postfix
with_items: '{{ postfix_service_config }}' with_items: '{{ postfix_service_config }}'
- name: Generate Postfix maps - name: Generate Postfix maps
template: ansible.builtin.template:
dest: '/usr/local/etc/postfix/{{ item.name }}' dest: '/usr/local/etc/postfix/{{ item.name }}'
src: '{{ item.name }}.j2' src: '{{ item.name }}.j2'
mode: 0444 mode: '0444'
owner: root owner: root
group: wheel group: wheel
with_items: '{{ postfix_maps }}' with_items: '{{ postfix_maps }}'
@ -99,7 +99,7 @@
- Reload Postfix - Reload Postfix
- name: Configure Postfix - name: Configure Postfix
postconf: ansible.corepostconf:
name: '{{ item.name }}' name: '{{ item.name }}'
value: '{{ item.value | default(omit) }}' value: '{{ item.value | default(omit) }}'
state: '{{ item.state | default(omit) }}' state: '{{ item.state | default(omit) }}'
@ -108,7 +108,7 @@
- Reload Postfix - Reload Postfix
- name: Configure Postfix services - name: Configure Postfix services
lineinfile: ansible.builtin.lineinfile:
path: /usr/local/etc/postfix/master.cf path: /usr/local/etc/postfix/master.cf
regexp: '^{{ item.name }} +{{ item.type }}' regexp: '^{{ item.name }} +{{ item.type }}'
value: '{{ item.value }}' value: '{{ item.value }}'
@ -126,15 +126,15 @@
- Restart Postfix - Restart Postfix
- name: Flush handlers - name: Flush handlers
meta: flush_handlers ansible.builtin.meta: flush_handlers
- name: Start Postfix - name: Start Postfix
command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix ansible.builtin.command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix
register: change register: change
changed_when: change.stdout | length > 0 changed_when: change.stdout | length > 0
- name: Enable Postfix - name: Enable Postfix
lineinfile: ansible.builtin.lineinfile:
path: '{{ s6_etc_dir }}/service/enabled/contents' path: '{{ s6_etc_dir }}/service/enabled/contents'
regexp: "^postfix$" regexp: "^postfix$"
line: "postfix" line: "postfix"
@ -142,4 +142,4 @@
- Reload s6-rc - Reload s6-rc
- name: Flush handlers (again) - name: Flush handlers (again)
meta: flush_handlers ansible.builtin.meta: flush_handlers
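Review bot: `- ansible.core.name: Disable sendmail periodic tasks` in the "Disable sendmail periodic tasks" task is not a task keyword, so Ansible will either fail to resolve it as an action or reject the task for carrying two actions next to `ansible.builtin.lineinfile`; it should stay `- name: Disable sendmail periodic tasks`. The same over-broad rename hits the "Configure Postfix" task, where `ansible.corepostconf:` lacks the namespace separator and, as far as this page shows, `postconf` is not an `ansible.builtin` module at all — keep `postconf:` if it is a role-local module, or use the FQCN of the collection that actually provides it. These are the only two places the lint pass changed a key rather than prefixing an existing module name, and a plain syntax check of the role would have caught both. The task list continues outside the hunks shown here.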


@ -353,6 +353,14 @@ postfix_config:
value: 'aNULL' value: 'aNULL'
state: present state: present
- name: smtpd_tls_mandatory_protocols
value: 'TLSv1.2 TLSv1.3'
state: present
- name: smtpd_tls_protocols
value: 'TLSv1.2 TLSv1.3'
state: present
- name: smtpd_tls_received_header - name: smtpd_tls_received_header
value: 'yes' value: 'yes'
state: present state: present
@ -370,7 +378,7 @@ postfix_config:
state: present state: present
- name: tls_high_cipherlist - name: tls_high_cipherlist
value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA' value: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
state: present state: present
- name: tls_ssl_options - name: tls_ssl_options
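Review bot: The new `tls_high_cipherlist` value governs only TLS 1.2 and earlier; TLS 1.3 cipher suites are chosen by OpenSSL independently of this list, so it does not constrain the TLSv1.3 sessions that the new `smtpd_tls_protocols` entry now admits, and it is consulted only when the relevant `*_tls_ciphers` / `*_tls_mandatory_ciphers` grade is `high`, which this hunk does not show. The `smtpd_tls_mandatory_protocols` / `smtpd_tls_protocols` additions cover the inbound (smtpd) side only; unless `smtp_tls_protocols` / `smtp_tls_mandatory_protocols` are set elsewhere in this file, outbound client connections keep the Postfix default. The inclusion form `'TLSv1.2 TLSv1.3'` also silently excludes any future protocol version, which is why the Postfix documentation favours an exclusion list (`!SSLv2, !SSLv3, !TLSv1, !TLSv1.1`) on older releases or `>=TLSv1.2` on 3.6 and later. A comment above the two protocol entries should record the choice, e.g. `# inclusion list on purpose; switch to '>=TLSv1.2' once the fleet runs Postfix >= 3.6`.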