Changeset - a22f3d46ff21
0 5 0
Branko Majic (branko) - 10 months ago 2025-02-02 19:09:02
branko@majic.rs
MAR-243: Fixed incorrect usage of inventory naming in mail_server role.
5 files changed with 18 insertions and 13 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -67,24 +67,29 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * TLSv1.3 is now enabled by default (with RFC-defined mandatory
 
    ciphers), in addition to TLSv1.2, for client-to-server
 
    communications.
 

	
 
**Bug fixes:**
 

	
 
* ``common`` role
 

	
 
  * Fixed permission errors with Python cache directories in the pip
 
    requirements upgrade checks virtual environment that can happen if
 
    the initial virtual environment set-up fails.
 

	
 
* ``mail_server`` role
 

	
 
  * Fixed incorrect use of inventory name instead of FQDN and hostname
 
    for deployed files and configuration files.
 

	
 

	
 
8.0.0
 
-----
 

	
 
Dropped support for Python 2.7 and Debian 10 Buster. Added support for
 
Debian 12 Bookworm. Numerous minor improvements and fixes.
 

	
 
**Breaking changes:**
 

	
 
* All roles
 

	
 
  * Dropped support for Debian 10 (Buster).
roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml
 
---
 

	
 
mail_ldap_base_dn: dc=local
 
mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 

	
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_imap.key.pem') }}"
 

	
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_smtp.key.pem') }}"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 
# Tests can run in quick succession, increase limits to avoid false negatives.
 
incoming_connection_limit: 10/second
 
incoming_connection_limit_burst: 60
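Review bot: The rewritten imap_tls_* and smtp_tls_* values nest a `{{ ansible_fqdn }}` moustache inside a string that is already being evaluated inside `{{ ... }}`; Ansible resolves this, but linters flag nested delimiters and plain Jinja concatenation says the same thing without the double templating, e.g. `imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/' ~ ansible_fqdn ~ '_imap.cert.pem') }}"`. The same construct is used on the corresponding lines of roles/mail_server/molecule/default/group_vars/parameters-optional.yml. Because `lookup('file', ...)` reads on the controller, these group_vars can now only be evaluated after facts have been gathered for the instance, and the fixtures under tests/data/x509/server/ must be named after the FQDN the molecule instance actually reports rather than its inventory name — presumably the converge/prepare playbook arranges that, but it is worth confirming. No `@@` header survives for this section, so the hunk likely starts at the top of the file.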
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -10,30 +10,30 @@ mail_server_minimum_tls_protocol: TLSv1.3
 
# ensure TLSv1.3 gets initialised. TLSv1.3 ciphers (TLS_*) are not
 
# configurable and listed for documentation/reference purposes.
 
mail_server_tls_ciphers: "\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
TLS_AES_128_GCM_SHA256:\
 
TLS_AES_256_GCM_SHA384:\
 
TLS_CHACHA20_POLY1305_SHA256:\
 
!aNULL:!MD5:!EXPORT"
 
mail_user: virtmail
 
mail_user_uid: 5000
 
mail_user_gid: 5000
 
imap_max_user_connections_per_ip: 2
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_imap.key.pem') }}"
 
local_mail_aliases:
 
  root: "john.doe@domain1"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_smtp.key.pem') }}"
 
imap_folder_separator: "."
 
smtp_rbl:
 
  - bl.spamcop.net
 
  - zen.spamhaus.org
 

	
 
mail_postmaster: "webmaster@parameters-optional"
 
smtp_allow_relay_from: "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 
mail_message_size_limit: 20480001
 
mail_server_smtp_additional_configuration: |
 
  mail_name = MySMTP
 
  smtp_skip_5xx_greeting = no
 

	
roles/mail_server/tasks/main.yml
 
@@ -162,25 +162,25 @@
 
- name: Deploy the LDAP TLS truststore in Postfix chroot
 
  ansible.builtin.copy:
 
    content: "{{ mail_ldap_tls_truststore }}"
 
    dest: "/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Configure visible mail name of the system
 
  ansible.builtin.copy:
 
    content: "{{ inventory_hostname }}"
 
    content: "{{ ansible_fqdn }}"
 
    dest: "/etc/mailname"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Deploy Postfix configurations files for LDAP look-ups
 
  ansible.builtin.template:
 
    src: "{{ item }}.cf.j2"
 
    dest: "/etc/postfix/{{ item }}.cf"
 
    owner: root
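Review bot: The new `content: "{{ ansible_fqdn }}"` for /etc/mailname is written without checking that the fact is defined and fully qualified; if fact gathering is disabled, the task fails with an undefined variable, and if the host only resolves a short name, the file silently carries it, which matters because roles/mail_server/templates/main.cf.j2 reads this file as `myorigin` and also puts the same fact into `myhostname` and `mydestination`. A guard task ahead of this one makes the precondition explicit and fails early with a clear message instead of producing a mail server that identifies itself by an unqualified name. The task list continues outside this hunk on both sides.
```yaml
- name: Ensure the target reports a fully-qualified hostname
  ansible.builtin.assert:
    that:
      - ansible_fqdn is defined
      - "'.' in ansible_fqdn"
    fail_msg: "mail_server requires ansible_fqdn to be a fully-qualified domain name"

# … unchanged: Configure visible mail name of the system …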
roles/mail_server/templates/main.cf.j2
 
# See /usr/share/postfix/main.cf.dist for a commented, more complete
 
# version.
 

	
 

	
 
# General settings
 
# ================
 

	
 
# Internet hostname of this mail system.
 
myhostname = {{ inventory_hostname }}
 
myhostname = {{ ansible_fqdn }}
 

	
 
# Under Debian, when a file name is specified, the first line of the
 
# file be used as the SMTP server name.
 
myorigin = /etc/mailname
 

	
 
# Text shown to connecting clients as part of SMTP greeting.
 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
 

	
 
# Listen on all network interfaces and all protocols.
 
inet_interfaces = all
 
inet_protocols = all
 

	
 
@@ -40,25 +40,25 @@ readme_directory = no
 
# entries.
 
respectful_logging = no
 

	
 
# Compatibility level for default values. For more details, see:
 
#     https://www.postfix.org/COMPATIBILITY_README.html
 
compatibility_level = 3.6
 

	
 

	
 
# Local mailbox delivery
 
# ======================
 

	
 
# List of domains for local transport deliveries.
 
mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost
 
mydestination = {{ ansible_fqdn }}, {{ ansible_hostname }}, localhost.localdomain, localhost
 

	
 
# Alias maps for local deliveries (to system accounts).
 
alias_maps = hash:/etc/aliases
 

	
 
# Alias database that gets updated when invoking "newaliases" command.
 
alias_database = hash:/etc/aliases
 

	
 
# Disable size limits for local user mailboxes.
 
mailbox_size_limit = 0
 

	
 
# Disable use of biff service for new mail notifications to local
 
# users (improves performance).
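Review bot: The new `mydestination` line repeats the FQDN literal even though the same value was just assigned to `myhostname` earlier in this template; Postfix expands `$name` references in main.cf, so `mydestination = $myhostname, {{ ansible_hostname }}, localhost.localdomain, localhost` keeps the two settings from drifting apart if one is edited later. The same applies to the `smtpd_tls_dh*_param_file` paths in the third hunk of this file, which could be written against `$myhostname` as well. If `ansible_fqdn` and `ansible_hostname` happen to be identical on a host without a configured domain, the list ends up with a duplicate entry — presumably harmless to Postfix, but a hint that the fact values are not what the role expects.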
 
@@ -102,26 +102,26 @@ relayhost =
 
# Allow connecting SMTP clients to use TLS when connecting to the
 
# host, but do not enforce it.
 
smtpd_tls_security_level = may
 

	
 
# Allow SMTP authentication to proceed only over TLS.
 
smtpd_tls_auth_only = yes
 

	
 
# TLS private key and certificate to use for SMTP server.
 
smtpd_tls_cert_file = /etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem
 
smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key
 

	
 
# Use custom, generated DH parameters for increased security.
 
smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
 
smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
 
smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem
 
smtpd_tls_dh512_param_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem
 

	
 
# Use TLS when available with Postfix SMTP client.
 
smtp_tls_security_level = may
 

	
 
# Enable TLS session cache database for SMTP client. Helps with
 
# performance and bandwidth usage.
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 

	
 

	
 
# Authentication and authorisation
 
# ================================
 

	