diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml
index b93cd6ef7c5df587a65fb765e6450885e7e98d1c..912c2641734e8b62bf721c9db44548bf6cfaa5e5 100644
--- a/roles/mail_forwarder/tasks/main.yml
+++ b/roles/mail_forwarder/tasks/main.yml
@@ -70,6 +70,38 @@
     state: started
     enabled: true
+- name: Retrieve IPv4 addresses of SMTP relay host
+  shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u" # noqa 306
+  # [306] Shells that use pipes should set the pipefail option
+  # The getent ahostsv4 command has non-zero exit code if the
+  # supplies name cannot be resolved. However, that is a valid
+  # use-case for extracting this information. It effectively means
+  # that no IPv4 firewall rules will be deployed for allowing
+  # incoming connections from the SMTP relay host.
+  changed_when: false
+  register: smtp_relay_host_ipv4
+- name: Retrieve IPv6 addresses of SMTP relay host
+  shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u" # noqa 306
+  # [306] Shells that use pipes should set the pipefail option
+  # The getent ahostsv6 command has non-zero exit code if the
+  # supplies name cannot be resolved. However, that is a valid
+  # use-case for extracting this information. It effectively means
+  # that no IPv6 firewall rules will be deployed for allowing
+  # incoming connections from the SMTP relay host.
+  changed_when: false
+  register: smtp_relay_host_ipv6
+- name: Normalise the SMTP relay host IPv4 addresses variable
+  set_fact:
+    smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}"
+  when: "smtp_relay_host | length != 0"
+- name: Normalise the SMTP relay host IPv6 addresses variable
+  set_fact:
+    smtp_relay_host_ipv6: "{{ smtp_relay_host_ipv6.stdout_lines | reject('equalto', '') | list }}"
+  when: "smtp_relay_host | length != 0"
 - name: Deploy firewall configuration for mail forwader
   template:
     src: "ferm_mail.conf.j2"
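Review bot: `smtp_relay_host` is spliced into the `shell:` command of both lookup tasks inside hand-written single quotes, so a value containing `'` would break out of the quoting and be run by the shell; Ansible's quote filter handles this correctly, `shell: "getent ahostsv4 {{ smtp_relay_host | quote }} | awk '{ print $1 }' | sort -u"` (same form on the IPv6 task). The `when: "smtp_relay_host | length != 0"` guard sits only on the two set_fact tasks, so with an empty `smtp_relay_host` the lookups still run against an empty name and `smtp_relay_host_ipv4` / `smtp_relay_host_ipv6` are left as the raw registered result instead of a list — whether the firewall template consuming them tolerates that is not visible here, but putting the same `when:` on the shell tasks and defaulting the facts to `[]` would keep the variable shape stable either way. Both explanatory comments read "supplies name" where "supplied name" is meant. A one-line comment on each lookup task would also help operators: the relay's addresses are resolved once at deploy time and baked into the firewall rules, so a later change of the relay host's DNS records silently leaves stale allow rules until the role is re-run. The `Deploy firewall configuration` task at the end of the hunk continues outside it.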