users, aliases etc.

**mail_ldap_url** (string, mandatory)

  LDAP URL that should be used for connecting to the LDAP server for doing

  domain/user look-ups.

  X.509 certificate chain used for issuing certificate for the LDAP service. The

  file will be stored in locations ``/etc/ssl/certs/mail_ldap_tls_truststore.pem``

  and ``/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem``.

**mail_ldap_postfix_password** (string, mandatory)

  Password for authenticating the Postfix LDAP user.

**imap_max_user_connections_per_ip** (integer, optional, ``10``)

  Maximum number of IMAP connections from a single IP for a single user. Default

  value can be considered rather low, since two devices (computer and phone)

  will easily reach it.

  X.509 certificate used for TLS for IMAP service. The file will be stored in

  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_imap.pem``.

  Private key used for TLS for IMAP service. The file will be stored in

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_imap.key``.

**local_mail_aliases** (dictionary, optional, ``{}``)

  Dictionary defining the local aliases. Aliases defined this way will either be

  appended to default aliases on the server, or replace the existing entries (if

  the alias/recipient is already present). Keys in the dictionary are the local

  recipients/aliases, while the value provided should be a space-separated list

  of mail addresses (or local users) where the mails should be forwarded.

  X.509 certificate used for TLS for SMTP service. The file will be stored in

  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_smtp.pem``.

  Private key used for TLS for SMTP service. The file will be stored in

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_smtp.key``.

**imap_folder_separator** (string, optional, ``/``)

  Character used for separating the IMAP folders when clients are requesting

  listing from the server. Usually either slash(``/``) or dot(``.``).

      # Setting uid/gid is optional, but you might have a policy on how to

      # assign UIDs and GIDs, so it is convenient to be able to change this.

      mail_user_uid: 5000

      mail_user_gid: 5000

3. There are two distinct mail services that need to access the LDAP directory -

   *Postfix* (serving as an SMTP server), and *Dovecot* (serving as an IMAP

   server). These two need their own dedicated LDAP entries on the LDAP server in

   order to log-in. Luckily, it is easy to create such entries through the options

   provided by the LDAP server role. In addition to this, the Postfix and Dovecot

   services will check if users are members of ``mail`` group in LDAP directory

---

enable_backup: false

mail_user: vmail

imap_folder_separator: "/"

smtp_rbl: []

mail_postmaster: "postmaster@{{ ansible_domain }}"

smtp_allow_relay_from: []

local_mail_aliases: {}

imap_max_user_connections_per_ip: 10

---

mail_ldap_base_dn: dc=local

mail_ldap_url: ldap://ldap-server/

mail_ldap_postfix_password: postfixpassword

mail_ldap_dovecot_password: dovecotpassword

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

---

mail_ldap_base_dn: dc=local

mail_ldap_url: ldap://ldap-server/

mail_ldap_postfix_password: postfixpassword

mail_ldap_dovecot_password: dovecotpassword

mail_server_tls_protocols:

  - TLSv1.2

  - TLSv1.1

mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\

        tls_file = host.file('/etc/ssl/private/%s_smtp.key' % hostname)

        assert tls_file.is_file

        assert tls_file.user == 'root'

        assert tls_file.group == 'root'

        assert tls_file.mode == 0o640

        tls_file = host.file('/etc/ssl/certs/%s_smtp.pem' % hostname)

        assert tls_file.is_file

        assert tls_file.user == 'root'

        assert tls_file.group == 'root'

        assert tls_file.mode == 0o644

        tls_file = host.file('/etc/ssl/private/%s_imap.key' % hostname)

        assert tls_file.is_file

        assert tls_file.user == 'root'

        assert tls_file.group == 'root'

        assert tls_file.mode == 0o640

        tls_file = host.file('/etc/ssl/certs/%s_imap.pem' % hostname)

        assert tls_file.is_file

        assert tls_file.user == 'root'

        assert tls_file.group == 'root'

        assert tls_file.mode == 0o644

def test_certificate_validity_check_configuration(host):

    """

    Tests if certificate validity check configuration file has been deployed

    correctly.