Getting started

User and password configuration is insecure

Before using user authentication in your nullmailer installation, be aware that the nullmailer package in Debian uses the debconf service which can leak the user and password to unprivileged users on your system. If you need to use authenticated user accounts to forward mail on hosts where other users can login, you should either set up an intermediate mail relay on another host you control and use that to forward the messages, or use different MTA, for example Postfix.

No local mail by default

The nullmailer service does not provide support for local mail - all mail is forwarded to the configured SMTP servers for further processing. If you need more advanced SMTP configuration, you should check out the debops.postfix role which can configure the Postfix MTA. This also means that in a new environment, you should perpare at least 1 host as the central mail hub for your network, or use an already existing SMTP server for relaying mail messages.

The debops.nullmailer role is designed to allow automatic switch to a different SMTP server - if it detects a postfix package installed on a host, it will automatically disable configuration of the nullmailer service to not interfere with existing Postfix configuration.

Default SMTP relay

The default upstream SMTP relay is configured in the nullmailer__relayhost default variable. If not configured otherwise, all mail will be forwarded to smtp.{{ ansible_domain }}. However, this might not be the correct destination in your environment. The nullmailer SMTP server does not resolve the MX records for a domain (as far as I can tell), so you need to specify the address to your SMTP server manually.

To set the desired value for all hosts in your environment, set in the inventory:

# ansible/inventory/group_vars/all/nullmailer.yml

nullmailer__relayhost: '<FQDN address of mail server>'

Example inventory

The debops.nullmailer role is included by default in the common DebOps playbook and you don't need to add a host to a custom inventory group to activate it.

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.nullmailer role:

---

- name: Manage nullmailer SMTP server
  hosts: [ 'debops_all_hosts', 'debops_service_nullmailer' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: debops.nullmailer/env
      tags: [ 'role::nullmailer', 'role::ferm', 'role::tcpwrappers' ]

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ nullmailer__ferm__dependent_rules }}'

    - role: debops.tcpwrappers
      tags: [ 'role::tcpwrappers' ]
      tcpwrappers__dependent_allow:
        - '{{ nullmailer__tcpwrappers__dependent_allow }}'

    - role: debops.nullmailer
      tags: [ 'role::nullmailer' ]