*Postfix* (serving as an SMTP server), and *Dovecot* (serving as an IMAP

   server). These two need their own dedicated LDAP entries on the LDAP server in

   order to log-in. Luckily, it is easy to create such entries through the options

   provided by the LDAP server role. In addition to this, the Postfix and Dovecot

   services will check if users are members of ``mail`` group in LDAP directory

   before accepting them as valid mail users. Once again, the LDAP server role

   comes with a simple option for creating groups.

Setting-up mail relaying from web server

------------------------------------------

With the mail server set-up, the next thing to do would be to set-up the SMTP

server on web server to relay mails via the communications server. This way we

can make sure that mail that gets sent via local SMTP to external addresses on

the web server goes through anti-virus scans and such.

1. Update the web server list of roles to include the mail forwarder role.

   :file:`~/mysite/playbooks/web.yml`::

      ---

      - hosts: web

        remote_user: ansible

        sudo: yes

        roles:

          - common

          - mail_forwarder

2. The next thing is to set-up the configuration for the new role. Web server

   configuration has not been touched before, so this will be a new

   configuration file.

   :file:`~/mysite/group_vars/web.yml`::

      ---

      # First, let's make sure any mails directed to localhost root account get

      # forwarded to one of our mail users as well.

      local_mail_aliases:

         root: root john.doe@example.com

      # Now signal the local SMTP to relay any non-local mails via our

      # communications server. Don't forget to specify your own IP address

      # here. Without this option, the SMTP would send out the mails directly.

      smtp_relay_host: comms.example.com

3. Although we have told our web server to use the communications server as

   relay for non-local mail, the communications server is not aware of

   this. This would result in the communications server refusing all relay

   attempts (if not, it would be an open relay, which is bad).

   So, let's fix this a bit - we have a configuration option for the mail server

   for exactly this purpose.

   :file:`~/mysite/group_vars/communications.yml`::

      # We want to allow relaying of mails from our web server here. Beware the

      # IP spoofing, though! Don't forget to change the bellow IP for your

      # server ;)

      smtp_allow_relay_from:

         - 10.32.64.20

4. Let's apply the changes::

     ansible-playbook playbooks/site.yml

5. After this you may want to test out sending mail via web server's local SMTP

   to the root user (to see if the aliasing works), and to some external mail

   address - just run something along the lines of::

     swaks --to root@localhost --server localhost

     swaks --to YOUR_MAIL --server localhost

   If all went well, you should be able to see a new mail in John Doe's mailbox,

   as well as your own mailbox.