* Parameter ``maintenance_allowed_hosts`` has been dropped and

    replaced with parameter ``maintenance_allowed_sources``. The new

    parameter expects a list of IPv4 and IPv6 addresses (or

    subnets). Resolvable names can no longer be specified.

* ``wsgi_website`` role

  * Dropped support for Python 2.7. Only Python 3 is supported now.

    The ``python_version`` role parameter has been dropped. The

    ``python_interpreter`` parameter is still available, but it

  Maximum size of message in bytes that the SMTP server should accept

  for incoming mails. If the mail message size exceeds the listed

  value, it will be rejected by the server. The size is also

  advertised as part of SMTP server capabilities (in response to the

  ``ehlo`` SMTP command).

**mail_server_smtp_additional_configuration** (string, optional, ``""``))

  Additional configuration directives to include in SMTP server main

  configuration file. Directives must be specifically compatible with

  Postfix, and are treated verbatim (multi-line string will suffice).

**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)

  TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This

  should be an OpenSSL-compatible cipher specification. Value should be

  compatible with Postfix configuration option ``tls_high_cipherlist`` and

  Dovecot configuration option ``ssl_cipher_list``. Default value allows only

  TLSv1.2 and strong PFS ciphers.

imap_folder_separator: "/"

smtp_rbl: []

mail_postmaster: "postmaster@{{ ansible_domain }}"

smtp_allow_relay_from: []

local_mail_aliases: {}

imap_max_user_connections_per_ip: 10

mail_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

!aNULL:!MD5:!EXPORT"

mail_message_size_limit: 10240000

mail_server_smtp_additional_configuration: ""

mail_ldap_base_dn: dc=local

mail_ldap_url: ldap://ldap-server/

mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"

mail_ldap_postfix_password: postfixpassword

mail_ldap_dovecot_password: dovecotpassword

mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"

mail_user: virtmail

mail_user_uid: 5000

mail_user_gid: 5000

    tls_versions.sort()

    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions

    assert tls_ciphers == expected_tls_ciphers[distribution_release]

}

# TLS configuration.

ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem

ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key

ssl_dh=</etc/ssl/private/{{ inventory_hostname }}_imap.dh.pem

ssl_cipher_list = {{ mail_server_tls_ciphers }}

ssl = required

# Mail delivery.

protocol lda {

  mail_plugins = $mail_plugins sieve

  -o syslog_name=postfix/submission

  -o smtpd_tls_security_level=encrypt

  -o smtpd_sasl_auth_enable=yes

  -o smtpd_tls_auth_only=yes

  -o smtpd_recipient_restrictions=

  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

  -o smtpd_tls_mandatory_ciphers=high

  -o tls_high_cipherlist={{ mail_server_tls_ciphers }}

  - xmpp.{{ testsite_domain }}

  - web.{{ testsite_domain }}

  - ws01.{{ testsite_domain }}

imap_max_user_connections_per_ip: 50

mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA:!aNULL:!MD5:!EXPORT"