Changeset - 13fd27e4004c
[Not reviewed]
Branko Majic (branko) - 7 years ago 2016-11-26 21:30:28
branko@majic.rs
MAR-79: Update mail_forwarder role to allow incoming connections to SMTP port from SMTP relay (if configured). Don't verify SMTP TLS server certificate if delivering mails directly.
4 files changed with 23 insertions and 1 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1047,13 +1047,16 @@ The role implements the following:
 
* Purges Exim4 configuration (just in case).
 
* Sets-up aliases for the local recipients.
 
* Installs SWAKS (utility for testing SMTP servers).
 
* Configures firewall to accept SMTP connections from SMTP relay (if one has
 
  been configured). This allows for delivery of bounced e-mails.
 

	
 
Postfix is configured as follows:
 

	
 
* Local destinations are set-up.
 
* A relay host is set.
 
* TLS is enforced for relaying mails, with configurable truststore for server
 
  certificate verification.
 
  certificate verification if SMTP relay is used. If SMTP relay is not used
 
  (configured), no certificate verification is done.
 

	
 

	
 
Role dependencies
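Review bot: the new continuation "If SMTP relay is not used (configured), no certificate verification is done" is awkward and leaves the reader unsure whether TLS is still attempted at all when mail is delivered directly; suggest "If no SMTP relay is configured, the certificate of the remote mail server is not verified" and one sentence on what that means for the operator, namely that unverified TLS on direct delivery only protects against passive observation, so the relay configuration is the one to pick where delivery must be authenticated. Also check the final shape of the bullet: the old line "certificate verification." is removed while the preceding line still ends with "configurable truststore for server", so the bullet must read as one sentence once the three new lines are in place.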
roles/mail_forwarder/tasks/main.yml
 
@@ -33,6 +33,12 @@
 
- name: Enable postfix service
 
  service: name=postfix state=started
 

	
 
- name: Deploy firewall configuration for mail forwader
 
  template: src="ferm_mail.conf.j2" dest="/etc/ferm/conf.d/20-mail.conf"
 
            owner=root group=root mode=640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Install SWAKS
 
  apt: name="swaks" state=installed
 

	
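Review bot: typo in the task name, "mail forwader" should be "mail forwarder". Two smaller points on the same task: write the mode as `mode=0640` so the octal intent is visible to the next reader, and `notify: Restart ferm` relies on a handler that is not part of this changeset, so confirm it exists in one of the role dependencies. The template is also deployed unconditionally; with `smtp_relay_host` unset it renders to an empty file under /etc/ferm/conf.d, which ferm accepts but which is easy to mistake for a broken deployment, so consider either a `when: smtp_relay_host` guard with a matching removal task or a short comment in the template explaining why the file may be empty.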
roles/mail_forwarder/templates/ferm_mail.conf.j2
 
new file 100644
 
{% if smtp_relay_host %}
 
# Accept incoming connections on port 25 from SMTP relay host.
 
table filter {
 
    chain INPUT {
 
        # SMTP for server communication.
 
        proto tcp dport 25 {
 
            saddr {{ smtp_relay_host }} ACCEPT;
 
        }
 
    }
 
}
 
{% endif %}
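Review bot: `saddr {{ smtp_relay_host }}` is only correct if the variable is an IP address or a hostname that resolves to the relay's address at the moment the ruleset is loaded; ferm hands a hostname through to iptables, which resolves it once, so a relay whose address changes later is silently locked out of bounce delivery until ferm is reloaded. Document that expectation next to the variable or require an address. Also, ferm defaults to `domain ip`, so an IPv6 relay address needs `domain (ip ip6)` on the table before this rule has any effect, and the comment "# SMTP for server communication." could state what it actually permits, namely bounces and other return mail from the relay host.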
roles/mail_forwarder/templates/main.cf.j2
 
@@ -23,8 +23,10 @@ smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
{% if smtp_relay_host %}
 
smtp_tls_security_level=verify
 
smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem
 
{% endif %}
 

	
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 
# information on enabling SSL in the smtp client.
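Review bot: when `smtp_relay_host` is unset this template sets no `smtp_tls_security_level` at all, so the Postfix client's behaviour for direct delivery is whatever the distribution default happens to be rather than a value the role controls. Add an `{% else %}` branch that sets it explicitly: `smtp_tls_security_level=may` gives the opportunistic, unverified TLS the commit message describes, and `dane` (Postfix 2.11 and later, with a validating resolver) is the option to consider if verified direct delivery is ever wanted. A comment beside `smtp_tls_CAfile` saying which task deploys `/etc/ssl/certs/smtp_relay_truststore.pem` would also help a reader of this template, since the file is not created here.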