majic-ansible-roles Changeset

Changeset - a822861bea4e

Parent rev.

Child rev.

[Not reviewed]

0 8 0

Branko Majic (branko) - 20 days ago 2024-08-30 15:00:34
branko@majic.rs

MAR-239: Dropped support for Debian 11 Bullseye from the mail_server role.

8 files changed with 0 insertions and 202 deletions:

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

roles/mail_server/molecule/default/host_vars/ldap-server.yml

roles/mail_server/molecule/default/molecule.yml

roles/mail_server/molecule/default/prepare.yml

roles/mail_server/molecule/default/tests/test_default.py

roles/mail_server/molecule/default/tests/test_mandatory.py

roles/mail_server/molecule/default/tests/test_optional.py

roles/mail_server/templates/main.cf.j2

0 comments (0 inline, 0 general)

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

@@ @@ -25,25 +25,24 @@ smtp_rbl: @@
   - zen.spamhaus.org
 mail_postmaster: "webmaster@parameters-optional"
 smtp_allow_relay_from:
   - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 mail_message_size_limit: 20480001
 mail_server_smtp_additional_configuration: |
   mail_name = MySMTP
   smtp_skip_5xx_greeting = no
 # Variables dependant on distribution release.
 release_based_smtp_allow_relay_from:
   bullseye: "192.168.56.41"
   bookworm: "192.168.56.21"
 # common
 ca_certificates:
   testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 # backup_client
 enable_backup: true
 backup_client_username: "bak-param-optional-{{ ansible_distribution_release }}"
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 backup_server: ldap-server
 backup_server_host_ssh_public_keys:

roles/mail_server/molecule/default/host_vars/ldap-server.yml

➞

Show inline comments

@@ @@ -34,19 +34,15 @@ ldap_client_config: @@
     value: dc=local
   - comment: URI
     option: URI
     value: ldapi:///
 # backup_server role
 backup_host_ssh_private_keys:
   rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
   ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
   ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 backup_clients:
   - server: param-optional-bullseye
     ip: 192.168.56.52
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
   - server: param-optional-bookworm
     ip: 192.168.56.32
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

roles/mail_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -41,92 +41,24 @@ platforms: @@
     box: debian/bookworm64
     memory: 384
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.12
         network_name: private_network
         type: static
   # Debian 11 Bullseye
   # ================
   - name: client1-bullseye
     groups:
       - client
       - client-relay-allowed
       - bullseye
       - smtp-server-requiring-tls
     box: debian/bullseye64
     memory: 256
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.41
         network_name: private_network
         type: static
   - name: client2-bullseye
     groups:
       - client
       - client-relay-forbidden
       - bullseye
       - smtp-server-refusing-tls
     box: debian/bullseye64
     memory: 256
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.42
         network_name: private_network
         type: static
   - name: parameters-mandatory-bullseye
     groups:
       - parameters-mandatory
       - bullseye
     box: debian/bullseye64
     memory: 2048
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.51
         network_name: private_network
         type: static
   - name: parameters-optional-bullseye
     groups:
       - parameters-optional
       - bullseye
     box: debian/bullseye64
     memory: 2048
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.52
         network_name: private_network
         type: static
   # Debian 11 Bookworm
   # ==================
   - name: client1-bookworm
     groups:
       - client
       - client-relay-allowed
       - bookworm
       - smtp-server-requiring-tls
     box: debian/bookworm64
     memory: 256
     cpus: 1

roles/mail_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -20,33 +20,24 @@ @@
         argv:
           - "gimmecert"
           - "server"
           - "{{ item.name }}"
           - "{{ item.fqdn }}"
           - "{{ item.fqdn[:item.fqdn.rfind('-')] }}"
       with_items:
         - name: clamav-database_https
           fqdn: database.clamav.net
         - name: ldap-server_ldap
           fqdn: ldap-server
         - name: parameters-mandatory-bullseye_imap
           fqdn: parameters-mandatory-bullseye
         - name: parameters-mandatory-bullseye_smtp
           fqdn: parameters-mandatory-bullseye
         - name: parameters-optional-bullseye_imap
           fqdn: parameters-optional-bullseye
         - name: parameters-optional-bullseye_smtp
           fqdn: parameters-optional-bullseye
         - name: parameters-mandatory-bookworm_imap
           fqdn: parameters-mandatory-bookworm
         - name: parameters-mandatory-bookworm_smtp
           fqdn: parameters-mandatory-bookworm
         - name: parameters-optional-bookworm_imap
           fqdn: parameters-optional-bookworm
         - name: parameters-optional-bookworm_smtp
           fqdn: parameters-optional-bookworm
     - name: Set-up link to generated X.509 material
       file:
         src: ".gimmecert"
@@ @@ -173,46 +164,24 @@ @@
         group: root
         mode: 0644
       notify:
         - Restart nginx
   handlers:
     - name: Restart nginx
       service:
         name: nginx
         state: restarted
 - hosts: bullseye
   become: true
   tasks:
     - name: Set-up the hosts file
       lineinfile:
         path: /etc/hosts
         regexp: "^{{ item.key }}"
         line: "{{ item.key }} {{ item.value }}"
         owner: root
         group: root
         mode: 0644
         state: present
       with_dict:
         # Force mail servers to use local ClamAV database mirror.
 .168.56.11: "db.local.clamav.net database.clamav.net"
 .168.56.12: "ldap-server backup-server"
 .168.56.41: "client1 smtp-server-requiring-tls"
 .168.56.42: "client2 smtp-server-refusing-tls"
 .168.56.51: "parameters-mandatory parameters-mandatory-bullseye"
 .168.56.52: "parameters-optional parameters-optional-bullseye"
 - hosts: bookworm
   become: true
   tasks:
     - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
       blockinfile:
         path: "/etc/ssl/openssl.cnf"
         block: |
           [openssl_init]
           ssl_conf = ssl_sect
           [ssl_sect]

roles/mail_server/molecule/default/tests/test_default.py

➞

Show inline comments

@@ @@ -623,90 +623,24 @@ def test_certificate_validity_check_configuration(host): @@
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o644
     assert config.content_string == "/etc/ssl/certs/%s_imap.pem" % hostname
 def test_smtp_default_port_tls_version_and_ciphers(host):
     """
     Tests TLS configuration for SMTP default port (needs to be less
     restrictive for interoperability purposes).
     """
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
         expected_tls_ciphers = [
             'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
             'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_DHE_RSA_WITH_AES_128_CCM',
             'TLS_DHE_RSA_WITH_AES_128_CCM_8',
             'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
             'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
             'TLS_DHE_RSA_WITH_AES_256_CCM',
             'TLS_DHE_RSA_WITH_AES_256_CCM_8',
             'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
             'TLS_DH_anon_WITH_AES_128_CBC_SHA',
             'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
             'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
             'TLS_DH_anon_WITH_AES_256_CBC_SHA',
             'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
             'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
             'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_DH_anon_WITH_SEED_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
             'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
             'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
             'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
             'TLS_RSA_WITH_AES_128_CBC_SHA',
             'TLS_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_RSA_WITH_AES_128_CCM',
             'TLS_RSA_WITH_AES_128_CCM_8',
             'TLS_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_RSA_WITH_AES_256_CBC_SHA',
             'TLS_RSA_WITH_AES_256_CBC_SHA256',
             'TLS_RSA_WITH_AES_256_CCM',
             'TLS_RSA_WITH_AES_256_CCM_8',
             'TLS_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_RSA_WITH_SEED_CBC_SHA',
+        ]
     else:
     expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
     expected_tls_ciphers = [
         'TLS_AKE_WITH_AES_128_GCM_SHA256',
         'TLS_AKE_WITH_AES_256_GCM_SHA384',
         'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',
         'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
         'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
         'TLS_DHE_RSA_WITH_AES_128_CCM',
         'TLS_DHE_RSA_WITH_AES_128_CCM_8',
         'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
         'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
         'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',

roles/mail_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

@@ @@ -89,38 +89,24 @@ def test_mail_owner(host): @@
 @pytest.mark.parametrize("port", [
 ,
 ,
 ,
 ])
 def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     IMAP and SMTP submission.
     """
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     else:
     expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
     expected_tls_ciphers = [
         "TLS_AKE_WITH_AES_128_GCM_SHA256",
         "TLS_AKE_WITH_AES_256_GCM_SHA384",
         "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]

roles/mail_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -114,40 +114,24 @@ def test_mail_owner(host): @@
 @pytest.mark.parametrize("port", [
 ,
 ,
 ,
 ])
 def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     IMAP and SMTP submission.
     """
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     else:
     expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
     expected_tls_ciphers = [
         "TLS_AKE_WITH_AES_128_GCM_SHA256",
         "TLS_AKE_WITH_AES_256_GCM_SHA384",
         "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

roles/mail_server/templates/main.cf.j2

➞

Show inline comments

@@ @@ -27,29 +27,27 @@ smtp_host_lookup = dns, native @@
 recipient_delimiter = +
 # Deliver undeliverable bounces to domain's postmaster. Helps with application
 # misconfigurations.
 notify_classes = resource, software, 2bounce
 # Explicitly set maximum allowed mail size that should be accepted.
 message_size_limit = {{ mail_message_size_limit }}
 # Disable output of Postfix README file paths when invoking postconf.
 readme_directory = no
 {% if ansible_distribution_release != 'bullseye' %}
 # Use whitelist/blacklist instead of allowlist/denylist in log
 # entries.
 respectful_logging = no
 {% endif %}
 # Compatibility level for default values. For more details, see:
 #     https://www.postfix.org/COMPATIBILITY_README.html
 compatibility_level = 3.6
 # Local mailbox delivery
 # ======================
 # List of domains for local transport deliveries.
 mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost

0 comments (0 inline, 0 general)