Changeset - 35fff2909917
[Not reviewed]
0 7 0
Branko Majic (branko) - 4 years ago 2020-05-20 09:51:52
branko@majic.rs
MAR-157: Added parameter to mail_server role for specifying maximum incoming mail size.
7 files changed with 46 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -47,24 +47,30 @@ Breaking changes:
 
Bug fixes:
 

	
 
* ``common`` role
 

	
 
  * Run apticron at least once during initial installation to avoid
 
    accidental locking later on during the same playbook run.
 

	
 
New features/improvements:
 

	
 
* Tests have been updated to work with latest Molecule/Testinfra as
 
  part of the Ansible upgrade process.
 

	
 
* ``mail_server`` role
 

	
 
  * The role now supports specifying the maximum mail message size
 
    limit for the SMTP server to accept via
 
    ``mail_message_size_limit`` role parameter.
 

	
 
Deprecations:
 

	
 
* ``backup_server`` and ``backup_client`` role
 

	
 
  * Officially dropped support for DSA keys (this was mainly remnant
 
    from Debian 8 Jessie support, on Debian 9 Stretch and upwards the
 
    DSA keys were not supported at all).
 

	
 

	
 
4.0.0
 
-----
 

	
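Review bot: the release-note entry for ``mail_message_size_limit`` should state the default (``10240000``, as set in ``roles/mail_server/defaults/main.yml`` in this changeset, which is also Postfix's own built-in default for ``message_size_limit``), so readers can tell that this is a non-breaking addition and that existing deployments keep their current behaviour unless they set the parameter.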
docs/rolereference.rst
 
@@ -1104,24 +1104,31 @@ Parameters
 

	
 
**mail_ldap_tls_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``)
 
  X.509 certificate chain used for issuing certificate for the LDAP service. The
 
  file will be stored in locations ``/etc/ssl/certs/mail_ldap_tls_truststore.pem``
 
  and ``/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem``.
 

	
 
**mail_ldap_postfix_password** (string, mandatory)
 
  Password for authenticating the Postfix LDAP user.
 

	
 
**mail_ldap_dovecot_password** (string, mandatory)
 
  Password for authenticating the Dovecot LDAP user.
 

	
 
**mail_message_size_limit** (integer, optional, ``10240000``)
 
  Maximum size of message in bytes that the SMTP server should accept
 
  for incoming mails. If the mail message size exceeds the listed
 
  value, it will be rejected by the server. The size is also
 
  advertised as part of SMTP server capabilities (in response to the
 
  ``ehlo`` SMTP command).
 

	
 
**mail_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
 
  List of TLS protocols the mail server should support. Each value specified
 
  should be compatible with Postfix configuration option
 
  ``smtpd_tls_mandatory_protocols`` and Dovecot configuration option
 
  ``ssl_protocols``.
 

	
 
**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This
 
  should be an OpenSSL-compatible cipher specification. Value should be
 
  compatible with Postfix configuration option ``tls_high_cipherlist`` and
 
  Dovecot configuration option ``ssl_cipher_list``. Default value allows only
 
  TLSv1.2 and strong PFS ciphers.
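Review bot: the description of ``mail_message_size_limit`` narrows the scope to "incoming mails", but the value is rendered into Postfix ``message_size_limit`` (see the ``main.cf.j2`` hunk), which Postfix applies to every message it queues, including locally submitted and relayed mail; the wording should say so. It would also help to add that the size counts the whole message including headers, and that the server both advertises the value in the ``SIZE`` EHLO extension and enforces it at the end of ``DATA`` regardless of what the client declared, since clients that ignore the advertised limit are rejected at that point rather than at connection time.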
roles/mail_server/defaults/main.yml
 
@@ -9,12 +9,13 @@ smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqd
 
smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_smtp.key') }}"
 
imap_folder_separator: "/"
 
smtp_rbl: []
 
mail_postmaster: "postmaster@{{ ansible_domain }}"
 
smtp_allow_relay_from: []
 
local_mail_aliases: {}
 
imap_max_user_connections_per_ip: 10
 
mail_server_tls_protocols:
 
  - "TLSv1.2"
 
mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT"
 
mail_message_size_limit: 10240000
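Review bot: the new key's name is inconsistent with the neighbouring SMTP settings in this file (``smtp_rbl``, ``smtp_allow_relay_from``, ``smtp_tls_certificate``, ``smtp_tls_key``). Since the value only feeds Postfix ``message_size_limit``, an ``smtp_``-prefixed name such as ``smtp_message_size_limit`` would follow the existing convention; if ``mail_message_size_limit`` is kept deliberately (for example because Dovecot or LMTP may later share the limit), a one-line comment saying so would prevent a later rename. Placing it next to the other ``smtp_*`` keys instead of after the multi-line cipher string would also make it easier to find.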
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -20,24 +20,25 @@ imap_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_imap.key.p
 
local_mail_aliases:
 
  root: "john.doe@domain1"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_smtp.key.pem') }}"
 
imap_folder_separator: "."
 
smtp_rbl:
 
  - bl.spamcop.net
 
  - zen.spamhaus.org
 

	
 
mail_postmaster: "webmaster@parameters-optional"
 
smtp_allow_relay_from:
 
  - "10.31.127.22"
 
mail_message_size_limit: 20480001
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
# backup_client (backup username should end in -s64 for Stretch).
 
enable_backup: true
 
backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release[0] }}64"
 
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 
backup_server: ldap-server
 
backup_server_host_ssh_public_keys:
 
  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
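Review bot: ``mail_message_size_limit: 20480001`` deserves a short comment stating that the odd value is chosen on purpose so ``test_optional.py`` can distinguish it from the role default (``10240000``) and from Postfix's default; without it the trailing ``1`` reads like a typo for ``20480000`` and is likely to be "corrected" by a future edit, which would weaken the test.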
roles/mail_server/molecule/default/tests/test_mandatory.py
 
@@ -259,12 +259,26 @@ def test_postfix_tls_configuration(host):
 
    assert "CONNECTED" in starttls_cipher.stdout
 
    assert "ECDHE-RSA-AES128-SHA" not in starttls_cipher.stdout
 

	
 

	
 
def test_sieve_tls_configuration(host):
 
    """
 
    Tests TLS configuration for SIEVE in Dovecot
 
    """
 

	
 
    # @TODO: Currently not possible to test since openssl s_client does not
 
    # support STARTTLS for Sieve.
 
    pass
 

	
 

	
 
def test_mail_message_size_limit(host):
 
    """
 
    Tests if the mail message size limit advertised by the SMTP server
 
    is correct.
 
    """
 

	
 
    capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
 
    begin = capabilities.stdout.find("250-SIZE")
 
    end = capabilities.stdout.find("\n", begin)
 
    mail_message_size_limit = capabilities.stdout[begin:end]
 

	
 
    assert mail_message_size_limit == "250-SIZE 10240000"
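Review bot: ``test_mail_message_size_limit`` fails unhelpfully when ``250-SIZE`` is absent from the EHLO response: ``find`` returns ``-1``, ``begin:end`` then slices from the end of the string, and the assertion reports a confusing fragment instead of saying the capability is missing. Add ``assert begin != -1`` before slicing, or parse with ``re.search(r"^250-SIZE (\d+)$", capabilities.stdout, re.MULTILINE)`` and assert on the captured group. The ``(echo 'ehlo localhost' && sleep 2) | telnet localhost 25`` pipeline additionally depends on the ``telnet`` client being present in the test image and on a fixed two-second delay; appending ``quit`` after the ``ehlo`` line would end the session cleanly instead of relying on the connection being dropped when the pipe closes.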
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -292,12 +292,26 @@ def test_postfix_tls_configuration(host):
 
    assert starttls_cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA" in starttls_cipher.stdout
 

	
 

	
 
def test_sieve_tls_configuration(host):
 
    """
 
    Tests TLS configuration for SIEVE in Dovecot
 
    """
 

	
 
    # @TODO: Currently not possible to test since openssl s_client does not
 
    # support STARTTLS for Sieve.
 
    pass
 

	
 

	
 
def test_mail_message_size_limit(host):
 
    """
 
    Tests if the mail message size limit advertised by the SMTP server
 
    is correct.
 
    """
 

	
 
    capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
 
    begin = capabilities.stdout.find("250-SIZE")
 
    end = capabilities.stdout.find("\n", begin)
 
    mail_message_size_limit = capabilities.stdout[begin:end]
 

	
 
    assert mail_message_size_limit == "250-SIZE 20480001"
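Review bot: this function duplicates the one added to ``test_mandatory.py`` verbatim apart from the expected value, including the unchecked ``find`` returning ``-1`` and the fixed ``sleep 2`` delay; consider moving the EHLO capability retrieval and ``250-SIZE`` parsing into a shared helper used by both test files, so each test asserts on a parsed integer and only the expected limit (``10240000`` here versus ``20480001``) differs.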
roles/mail_server/templates/main.cf.j2
 
@@ -68,12 +68,15 @@ smtpd_recipient_restrictions = permit_mynetworks
 
  {% endfor -%}
 
  reject_unauth_destination
 
smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
 
non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
 

	
 
# Deliver undeliverable bounces to domain's postmaster. Helps with application
 
# misconfigurations.
 
notify_classes = resource, software, 2bounce
 

	
 
# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup fails. Useful
 
# for local overrides of mail servers.
 
smtp_host_lookup = dns, native
 

	
 
# Explicitly set maximum allowed mail size that should be accepted.
 
message_size_limit = {{ mail_message_size_limit }}
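Review bot: setting ``message_size_limit`` here without touching ``mailbox_size_limit`` leaves a latent failure for large values: Postfix's local(8) delivery agent treats a ``mailbox_size_limit`` (built-in default 51200000) that is smaller than ``message_size_limit`` as a fatal main.cf configuration error, so a ``mail_message_size_limit`` above 51200000 would be accepted by the role but break local delivery at runtime. Either document that upper bound for the parameter in ``rolereference.rst``, or render ``mailbox_size_limit`` from the same value (or ``0`` to disable the mailbox limit) alongside this line so the two settings cannot drift apart.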