Changeset - 7d9696a7b5cc
0 7 0
Branko Majic (branko) - 5 years ago 2021-01-14 23:50:11
branko@majic.rs
MAR-151: Added support for Debian 10 Buster to mail_server role:

- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Improve handling of configured IP in tests to avoid hard-coding the
value in the relevant test for Postfix configuration file content.
7 files changed with 99 insertions and 7 deletions:
docs/rolereference.rst
 
@@ -1230,24 +1230,25 @@ Parameters
 
  List of networks from which mail relaying is allowed even without
 
  authentication. Each item in the list is a string defining a network. The
 
  format must be compatible with Postfix ``mynetworks`` setting (for example:
 
  ``192.168.1.0/24``, ``myhost.example.com`` etc).
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 9 (Stretch)
 
- Debian 10 (Buster)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up XMPP server using Prosody:
 

	
 
.. code-block:: yaml
 

	
 
  ---
 

	
 
  mail_ldap_url: ldap://ldap.example.com/
roles/mail_server/meta/main.yml
 
@@ -7,14 +7,14 @@ dependencies:
 
    backup_patterns_filename: "mail_server"
 
    backup_patterns:
 
      - "/var/{{ mail_user }}"
 

	
 
galaxy_info:
 
  author: Branko Majic
 
  description: Sets-up mail server with SMTP and IMAP services, using LDAP as source of allowed destinations (domains, mail addresses)
 
  license: BSD
 
  min_ansible_version: 2.9
 
  platforms:
 
    - name: Debian
 
      versions:
 
        - 8
 
        - 9
 
        - 10
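Review bot: The `platforms` versions list keeps `- 8` beside the new `- 10`, while the role reference hunk in this same changeset documents only Debian 9 (Stretch) and Debian 10 (Buster) as compatible, and no Jessie platform appears in molecule.yml or prepare.yml. Unless Debian 8 is still exercised somewhere outside this diff, drop the `- 8` line so the Galaxy metadata matches the documented and tested support. Galaxy's Debian platform entries are normally codenames rather than bare integers, so `- stretch` / `- buster` may be the form the importer expects; worth checking against the current platform list before relying on the numeric form.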
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -19,27 +19,32 @@ imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_ho
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"
 
local_mail_aliases:
 
  root: "john.doe@domain1"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"
 
imap_folder_separator: "."
 
smtp_rbl:
 
  - bl.spamcop.net
 
  - zen.spamhaus.org
 

	
 
mail_postmaster: "webmaster@parameters-optional"
 
smtp_allow_relay_from:
 
  - "10.31.127.22"
 
  - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 
mail_message_size_limit: 20480001
 

	
 
# Variables dependant on distribution release.
 
release_based_smtp_allow_relay_from:
 
  stretch: "10.31.127.22"
 
  buster: "10.31.127.20"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# backup_client (backup username should end in -s64 for Stretch).
 
enable_backup: true
 
backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release[0] }}64"
 
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 
backup_server: ldap-server
 
backup_server_host_ssh_public_keys:
 
  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
 
  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
roles/mail_server/molecule/default/host_vars/ldap-server.yml
 
@@ -34,19 +34,19 @@ ldap_client_config:
 
    value: dc=local
 
  - comment: URI
 
    option: URI
 
    value: ldapi:///
 

	
 
# backup_server role
 
backup_host_ssh_private_keys:
 
  rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
 
  ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
  ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
backup_clients:
 

	
 
  - server: parameters-optional-j64
 
    ip: 10.31.127.31
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
  - server: parameters-optional-s64
 
    ip: 10.31.127.33
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
  - server: parameters-optional-b64
 
    ip: 10.31.127.31
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
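Review bot: Two `backup_clients` entries share `ip: 10.31.127.31` — `parameters-optional-j64` and the new `parameters-optional-b64` — and because this rendering does not mark removed lines it is not certain whether the j64 entry survives; if it does, it should be dropped or given its own address, since no Jessie platform exists in molecule.yml and `10.31.127.31` is assigned to `parameters-optional-buster64` there. All three entries also reuse the same public key, which is fine for a fixture but deserves a one-line comment above the list, e.g. `# All parameters-optional variants share one test key; each ip must match the platform interface in molecule.yml.` If the backup_server role uses `ip` to restrict the key (for example in an authorized_keys `from=` clause), the duplicate would silently grant the same source address twice, so a distinct address per entry is the safer choice.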
roles/mail_server/molecule/default/molecule.yml
 
@@ -71,24 +71,80 @@ platforms:
 
    groups:
 
      - parameters-optional
 
      - stretch
 
    box: debian/contrib-stretch64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.33
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client1-buster
 
    groups:
 
      - client
 
      - client-relay-allowed
 
      - buster
 
      - smtp-server-requiring-tls
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.20
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client2-buster
 
    groups:
 
      - client
 
      - client-relay-forbidden
 
      - buster
 
      - smtp-server-refusing-tls
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.21
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-buster64
 
    groups:
 
      - parameters-mandatory
 
      - buster
 
    box: debian/contrib-buster64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.30
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-buster64
 
    groups:
 
      - parameters-optional
 
      - buster
 
    box: debian/contrib-buster64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.31
 
        network_name: private_network
 
        type: static
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
 
    cleanup: cleanup.yml
 
  config_options:
 
    defaults:
 
      force_valid_group_names: "ignore"
 
      interpreter_python: "/usr/bin/python3"
 
    ssh_connection:
 
      pipelining: "True"
 
  lint:
 
    name: ansible-lint
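Review bot: The four new Buster platforms hard-code interface addresses (`10.31.127.20`, `.21`, `.30`, `.31`) that prepare.yml's `/etc/hosts` play and the `backup_clients` entries in host_vars/ldap-server.yml must reproduce exactly, yet nothing in this file records that dependency or the allocation scheme next to the Stretch hosts (`.33` in the context above; `.22`, `.23`, `.32` in prepare.yml). A short comment above the first Buster entry, e.g. `# private_network plan: Stretch uses .22/.23 (clients) and .32/.33 (servers), Buster uses .20/.21 and .30/.31; keep in sync with prepare.yml hosts entries and host_vars/ldap-server.yml backup_clients.`, would stop the next release addition from colliding with an existing address. The `platforms:` list begins before this hunk.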
roles/mail_server/molecule/default/prepare.yml
 
@@ -25,24 +25,32 @@
 
          - "{{ item.fqdn[:item.fqdn.rfind('-')] }}"
 
      with_items:
 
        - name: ldap-server_ldap
 
          fqdn: ldap-server
 
        - name: parameters-mandatory-stretch64_imap
 
          fqdn: parameters-mandatory-stretch64
 
        - name: parameters-mandatory-stretch64_smtp
 
          fqdn: parameters-mandatory-stretch64
 
        - name: parameters-optional-stretch64_imap
 
          fqdn: parameters-optional-stretch64
 
        - name: parameters-optional-stretch64_smtp
 
          fqdn: parameters-optional-stretch64
 
        - name: parameters-mandatory-buster64_imap
 
          fqdn: parameters-mandatory-buster64
 
        - name: parameters-mandatory-buster64_smtp
 
          fqdn: parameters-mandatory-buster64
 
        - name: parameters-optional-buster64_imap
 
          fqdn: parameters-optional-buster64
 
        - name: parameters-optional-buster64_smtp
 
          fqdn: parameters-optional-buster64
 

	
 
    - name: Set-up link to generated X.509 material
 
      file:
 
        src: ".gimmecert"
 
        dest: "tests/data/x509"
 
        state: link
 

	
 
- name: Prepare
 
  hosts: all
 
  gather_facts: false
 
  tasks:
 
    - name: Install python for Ansible
 
@@ -77,24 +85,44 @@
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        10.31.127.10: "ldap-server backup-server"
 
        10.31.127.22: "client1 smtp-server-requiring-tls"
 
        10.31.127.23: "client2 smtp-server-refusing-tls"
 
        10.31.127.32: "parameters-mandatory parameters-mandatory-stretch64"
 
        10.31.127.33: "parameters-optional parameters-optional-stretch64"
 

	
 
- hosts: buster
 
  become: true
 
  tasks:
 

	
 
    - name: Set-up the hosts file
 
      lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        10.31.127.10: "ldap-server backup-server"
 
        10.31.127.20: "client1 smtp-server-requiring-tls"
 
        10.31.127.21: "client2 smtp-server-refusing-tls"
 
        10.31.127.30: "parameters-mandatory parameters-mandatory-buster64"
 
        10.31.127.31: "parameters-optional parameters-optional-buster64"
 

	
 
- hosts: client
 
  become: true
 
  tasks:
 

	
 
    - name: Install SWAKS for testing SMTP capability
 
      apt:
 
        name: swaks
 
        state: present
 

	
 
    - name: Install pip
 
      apt:
 
        name: python3-pip
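Review bot: The new `hosts: buster` play sets `mode: 0644` on its lineinfile task as a bare octal literal, which YAML parses as the integer 420 and ansible-lint flags as risky; write it as `mode: "0644"` (the Stretch play above has the same literal, but those are context lines here). The play is otherwise a copy of the Stretch `/etc/hosts` play differing only in the address values, so each further release would add another copy; a single play keyed on `ansible_distribution_release` with one address table per release keeps the entries in one place, next to the addresses they must match in molecule.yml, assuming facts are gathered in that play (neither play sets `gather_facts: false`). The enclosing Stretch play starts before this hunk and the `client` play at the end continues past it.

```yaml
- hosts: stretch:buster
  become: true
  vars:
    release_hosts_entries:
      stretch:
        10.31.127.10: "ldap-server backup-server"
        10.31.127.22: "client1 smtp-server-requiring-tls"
        10.31.127.23: "client2 smtp-server-refusing-tls"
        10.31.127.32: "parameters-mandatory parameters-mandatory-stretch64"
        10.31.127.33: "parameters-optional parameters-optional-stretch64"
      buster:
        10.31.127.10: "ldap-server backup-server"
        10.31.127.20: "client1 smtp-server-requiring-tls"
        10.31.127.21: "client2 smtp-server-refusing-tls"
        10.31.127.30: "parameters-mandatory parameters-mandatory-buster64"
        10.31.127.31: "parameters-optional parameters-optional-buster64"
  tasks:
    - name: Set-up the hosts file
      lineinfile:
        path: /etc/hosts
        regexp: "^{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
        owner: root
        group: root
        mode: "0644"
        state: present
      with_dict: "{{ release_hosts_entries[ansible_distribution_release] }}"
# … unchanged: client play (SWAKS and pip installation) …
```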
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -21,25 +21,27 @@ def test_mailname_file_content(host):
 

	
 
    mailname = host.file('/etc/mailname')
 
    hostname = host.run('hostname').stdout.strip()
 

	
 
    assert mailname.content_string == hostname
 

	
 

	
 
def test_postfix_main_cf_file_content(host):
 
    """
 
    Tests if the Postfix main configuration file content is correct.
 
    """
 

	
 
    allow_relay_from_ip = "10.31.127.22"
 
    host_variables = host.ansible.get_variables()
 

	
 
    allow_relay_from_ip = host_variables["smtp_allow_relay_from"]
 

	
 
    hostname = host.run('hostname').stdout.strip()
 

	
 
    config = host.file('/etc/postfix/main.cf')
 
    config_lines = config.content_string.split("\n")
 

	
 
    assert "myhostname = %s" % hostname in config_lines
 
    assert "mydestination = %s, %s, localhost.localdomain, localhost" % (hostname, hostname) in config_lines
 
    assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % allow_relay_from_ip in config_lines
 
    assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
 
    assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
 
    assert "  reject_rbl_client bl.spamcop.net" in config_lines
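Review bot: `allow_relay_from_ip = host_variables["smtp_allow_relay_from"]` now holds the whole `smtp_allow_relay_from` value, which the group_vars hunk in this changeset defines as a list, yet the `mynetworks` assertion still formats it with a single `%s`; for a list that produces `['10.31.127.22', ...]` rather than the space-separated form the config line would carry, and a Jinja entry such as `{{ release_based_smtp_allow_relay_from[...] }}` would come back unrendered unless `host.ansible.get_variables()` templates host vars in the testinfra version in use (worth confirming). Once the entries are known to be rendered, build the expectation from the list, e.g. `" ".join(host_variables["smtp_allow_relay_from"])`, and rename the variable (`allow_relay_from_networks`) since it is no longer a single address. If the bare `allow_relay_from_ip = "10.31.127.22"` line above survives on the new side it is dead code and should be removed. `test_postfix_main_cf_file_content` continues past the hunk.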