debops.postconf default variables

Postfix capabilities

These variables roughly define what functionality will be enabled in Postfix. See Postfix "capabilities" for more details.

postconf__autodetect_capabilities

List of Postfix capabilities enabled dynamically during role execution.

postconf__autodetect_capabilities: '{{ postconf__env_capabilities }}'
postconf__default_capabilities

List of Postfix capabilities enabled by default by the role.

postconf__default_capabilities: [ 'overhead' ]
postconf__capabilities

List of Postfix capabilities which should be enabled on all hosts in the Ansible inventory.

postconf__capabilities: []
postconf__group_capabilities

List of Postfix capabilities which should be enabled on hosts in a specific Ansible inventory group.

postconf__group_capabilities: []
postconf__host_capabilities

List of Postfix capabilities which should be enabled on specific hosts in the Ansible inventory.

postconf__host_capabilities: []
postconf__combined_capabilities

List that combines all Postfix capabilities from the other variables and is used in other configuration variables and Ansible tasks.

postconf__combined_capabilities: '{{ postconf__autodetect_capabilities
                                     + postconf__default_capabilities
                                     + postconf__capabilities
                                     + postconf__group_capabilities
                                     + postconf__host_capabilities }}'

Postfix configuration variables

postconf__deploy_state

Select the state of the configuration options which debops.postconf manages in the Postfix configuration.

postconf__deploy_state: 'present'
postconf__fqdn

The Fully Qualified Domain Name of this SMTP host.

postconf__fqdn: '{{ ansible_fqdn }}'
postconf__sasl_auth_method

Select the preferred SASL authentication method for accepting authenticated e-mail messages. Currently supported methods are "cyrus", which uses the saslauthd service, and "dovecot", which uses the Dovecot service. The default preference is to use saslauthd when it is installed, to allow for more flexible client authentication methods, authenticated mail relays, and the like.

postconf__sasl_auth_method: '{{ "cyrus"
                                if (ansible_local | d() and ansible_local.saslauthd | d() and
                                    (ansible_local.saslauthd.installed | d()) | bool and
                                    "smtpd" in ansible_local.saslauthd.instances)
                                else "dovecot" }}'
postconf__unauth_sender_domains

List of FQDN domains which are handled by this Postfix instance. Any unauthenticated mail messages from these domains that are sent from external hosts will be blocked. This list should be synchronized with the Postfix $mydestination, $relay_domains, $virtual_mailbox_domains and $virtual_alias_domains configuration parameters.

postconf__unauth_sender_domains: [ '{{ postconf__fqdn }}' ]
postconf__unauth_sender_default_action

The default action, including the error message, which will be returned to SMTP servers that try to deliver unauthenticated mail messages from the domains listed above.

postconf__unauth_sender_default_action: 'REJECT This server requires SMTP authentication'

Postfix lookup tables

These lists define Postfix lookup tables placed in the /etc/postfix/ directory. The configuration format is specified in the debops.postfix role documentation.

postconf__default_lookup_tables

List of default lookup tables defined by the role.

postconf__default_lookup_tables:

  - name: 'auth_header_checks.pcre'
    by_role: 'debops.postconf'
    comment: |
      Cleanup headers in mail messages sent by authenticated clients through
      submission/smtps service.

      Documentation: https://askubuntu.com/questions/78163/
    default_action: 'IGNORE'
    options:
      - '/^X-Mailer:/':   'IGNORE'
      - '/^User-Agent:/': 'IGNORE'
    state: '{{ "present"
               if (postconf__deploy_state == "present" and
                   "authcleanup" in postconf__combined_capabilities)
               else ("absent"
                     if (postconf__deploy_state == "absent")
                     else "ignore") }}'

  - name: 'mx_access.cidr'
    by_role: 'debops.postconf'
    comment: |
      Check if sender MX server is in subnets not accessible from the public
      Internet. If so, reject mail delivery from these servers, because any
      replies will be non-deliverable.
    options:
      - '0.0.0.0/8':       'REJECT Domain MX in broadcast network'
      - '10.0.0.0/8':      'REJECT Domain MX in RFC 1918 private network'
      - '127.0.0.0/8':     'REJECT Domain MX in loopback network'
      - '169.254.0.0/16':  'REJECT Domain MX in link local network'
      - '172.16.0.0/12':   'REJECT Domain MX in RFC 1918 private network'
      - '192.0.2.0/24':    'REJECT Domain MX in TEST-NET-1 network'
      - '192.168.0.0/16':  'REJECT Domain MX in RFC 1918 private network'
      - '198.51.100.0/24': 'REJECT Domain MX in TEST-NET-2 network'
      - '203.0.113.0/24':  'REJECT Domain MX in TEST-NET-3 network'
      - '224.0.0.0/4':     'REJECT Domain MX in class D multicast network'
      - '240.0.0.0/5':     'REJECT Domain MX in class E reserved network'
      - '248.0.0.0/5':     'REJECT Domain MX in reserved network'

      - '::1/128':         'REJECT Domain MX is Loopback address'
      - '::/128':          'REJECT Domain MX is Unspecified address'
      - '::/96':           'REJECT Domain MX in IPv4-Compatible IPv6'
      - '::ffff:0:0/96':   'REJECT Domain MX in IPv4-Mapped IPv6'
      - 'ff00::/8':        'REJECT Domain MX in Multicast network'
      - 'fe80::/10':       'REJECT Domain MX in Link-local unicast network'
      - 'fec0::/10':       'REJECT Domain MX in Site-local unicast network'
    state: '{{ "present"
               if (postconf__deploy_state == "present" and
                   "public-mx-required" in postconf__combined_capabilities)
               else ("absent"
                     if (postconf__deploy_state == "absent")
                     else "ignore") }}'

  - name: 'unauth_sender_access.in'
    by_role: 'debops.postconf'
    comment: |
      Block any unauthenticated external mail that uses our domain names. Users
      that send this mail need to enable SMTP authentication and use the
      'submission' service.

      Documentation: https://serverfault.com/a/51122
    default_action: '{{ postconf__unauth_sender_default_action }}'
    content: '{{ postconf__unauth_sender_domains }}'
    state: '{{ "present"
               if (postconf__deploy_state == "present" and
                   "auth" in postconf__combined_capabilities and
                   "unauth-sender" in postconf__combined_capabilities)
               else ("absent"
                     if (postconf__deploy_state == "absent")
                     else "ignore") }}'

  - name: 'overhead_checks.pcre'
    by_role: 'debops.postconf'
    comment: |
      "A man is not dead while his name is still spoken."
                - Going Postal, Chapter 4 prologue

      Ref: http://www.gnuterrypratchett.com/
    options:
      - '/^X-Clacks-Overhead:/': 'IGNORE'
      - '/^To:/': 'PREPEND X-Clacks-Overhead: GNU Terry Pratchett'
    state: '{{ "present"
               if (postconf__deploy_state == "present" and
                   "overhead" in postconf__combined_capabilities)
               else ("absent"
                     if (postconf__deploy_state == "absent")
                     else "ignore") }}'
postconf__lookup_tables

List of lookup tables that are managed on all hosts in the Ansible inventory.

postconf__lookup_tables: []
postconf__group_lookup_tables

List of lookup tables that are managed on hosts in a specific Ansible inventory group.

postconf__group_lookup_tables: []
postconf__host_lookup_tables

List of lookup tables that are managed on specific hosts in the Ansible inventory.

postconf__host_lookup_tables: []
postconf__combined_lookup_tables

Variable that combines the other lookup table lists together for ease of use.

postconf__combined_lookup_tables: '{{ postconf__default_lookup_tables
                                      + postconf__lookup_tables
                                      + postconf__group_lookup_tables
                                      + postconf__host_lookup_tables }}'

Configuration for other Ansible roles

postconf__postfix__dependent_packages

List of APT packages to install, passed to the debops.postfix Ansible role.

postconf__postfix__dependent_packages:
  - '{{ "libsasl2-modules"
        if ("auth" in postconf__combined_capabilities)
        else [] }}'
postconf__postfix__dependent_lookup_tables

Lookup table configuration passed to the debops.postfix Ansible role.

postconf__postfix__dependent_lookup_tables:
  - '{{ postconf__combined_lookup_tables }}'
postconf__postfix__dependent_maincf

The main.cf configuration passed to the debops.postfix Ansible role.

postconf__postfix__dependent_maincf:

  - name: 'smtpd_sasl_auth_enable'
    value: True
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sasl_authenticated_header'
    value: True
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'broken_sasl_auth_clients'
    value: True
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sasl_security_options'
    value: [ 'noanonymous', 'noplaintext' ]
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sasl_tls_security_options'
    value: [ 'noanonymous' ]
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sasl_type'
    value: '{{ "cyrus"
               if (postconf__sasl_auth_method == "cyrus")
               else "dovecot" }}'
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sasl_path'
    value: '{{ "smtpd"
               if (postconf__sasl_auth_method == "cyrus")
               else "private/auth" }}'
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sender_restrictions'
    value:
      - name: 'check_sender_mx_access cidr:${config_directory}/mx_access.cidr'
        weight: 50
    state: '{{ "present"
               if ("public-mx-required" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_sender_restrictions'
    value:

      - name: 'permit_mynetworks'

      - name: 'reject_authenticated_sender_login_mismatch'
        copy_id_from: 'permit_mynetworks'
        weight: 10

      - name: 'permit_sasl_authenticated'
        copy_id_from: 'reject_authenticated_sender_login_mismatch'
        weight: 10

      - name: 'check_sender_access hash:${config_directory}/unauth_sender_access'
        copy_id_from: 'permit_sasl_authenticated'
        weight: 10

    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities and
                   "unauth-sender" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtpd_relay_restrictions'
    value:

      - name: 'reject_authenticated_sender_login_mismatch'
        copy_id_from: 'permit_mynetworks'
        weight: 10

    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities and
                   "unauth-sender" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtp_header_checks'
    value: [ 'pcre:${config_directory}/overhead_checks.pcre' ]
    state: '{{ "present"
               if ("overhead" in postconf__combined_capabilities)
               else "ignore" }}'
postconf__postfix__dependent_mastercf

The master.cf configuration passed to the debops.postfix Ansible role.

postconf__postfix__dependent_mastercf:

  - name: 'submission'
    options:

      - name: 'smtpd_helo_restrictions'
        value: ''
        state: '{{ "present"
                   if ("public-mx-required" in postconf__combined_capabilities)
                   else "ignore" }}'

      - name: 'smtpd_sender_restrictions'
        value: 'reject_authenticated_sender_login_mismatch'
        state: '{{ "present"
                   if ("unauth-sender" in postconf__combined_capabilities)
                   else "ignore" }}'

      - name: 'cleanup_service_name'
        value: 'authcleanup'
        state: '{{ "present"
                   if ("authcleanup" in postconf__combined_capabilities)
                   else "ignore" }}'
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'smtps'
    options:

      - name: 'smtpd_helo_restrictions'
        value: ''
        state: '{{ "present"
                   if ("public-mx-required" in postconf__combined_capabilities)
                   else "ignore" }}'

      - name: 'smtpd_sender_restrictions'
        value: 'reject_authenticated_sender_login_mismatch'
        state: '{{ "present"
                   if ("unauth-sender" in postconf__combined_capabilities)
                   else "ignore" }}'

      - name: 'cleanup_service_name'
        value: 'authcleanup'
        state: '{{ "present"
                   if ("authcleanup" in postconf__combined_capabilities)
                   else "ignore" }}'
    state: '{{ "present"
               if ("auth" in postconf__combined_capabilities)
               else "ignore" }}'

  - name: 'authcleanup'
    type: 'unix'
    private: False
    maxproc: 0
    command: 'cleanup'
    options:
      - name: 'syslog_name'
        value: 'postfix/authcleanup'
      - name: 'header_checks'
        value: [ 'regexp:/etc/postfix/auth_header_checks.pcre' ]
    state: '{{ "present"
               if ("authcleanup" in postconf__combined_capabilities)
               else "ignore" }}'
    copy_id_from: 'cleanup'
    weight: 10