debops.postconf default variables
Sections
Postfix capabilities
These variables roughly define what functionality will be enabled in Postfix. See Postfix "capabilities" for more details.
- postconf__autodetect_capabilities
List of Postfix capabilities enabled dynamically during role execution.
postconf__autodetect_capabilities: '{{ postconf__env_capabilities }}'
- postconf__default_capabilities
List of Postfix capabilities enabled by default by the role.
postconf__default_capabilities: [ 'overhead' ]
- postconf__capabilities
List of Postfix capabilities which should be enabled on all hosts in the Ansible inventory.
postconf__capabilities: []
- postconf__group_capabilities
List of Postfix capabilities which should be enabled on hosts in specific Ansible inventory group.
postconf__group_capabilities: []
- postconf__host_capabilities
List of Postfix capabilities which should be enabled in specific hosts in the Ansible inventory.
postconf__host_capabilities: []
- postconf__combined_capabilities
List that combines all Postfix capabilities from the other variables and is used in other configuration variables and Ansible tasks.
postconf__combined_capabilities: '{{ postconf__autodetect_capabilities
+ postconf__default_capabilities
+ postconf__capabilities
+ postconf__group_capabilities
+ postconf__host_capabilities }}'
Postfix configuration variables
- postconf__deploy_state
Select the state of the debops.postconf configuration options in Postfix configuration.
postconf__deploy_state: 'present'
- postconf__fqdn
The Fully Qualified Domain Name of this SMTP host.
postconf__fqdn: '{{ ansible_fqdn }}'
- postconf__sasl_auth_method
Select the preferred SASL authentication method for accepting authenticated e-mail messages. Currently supported methods are "cyrus" which will use the saslauthd service, or "dovecot" which will use the Dovecot service. The default preference is to use saslauthd when it is installed to allow for more flexible client authentication methods, authenticated mail relays, and the like.
postconf__sasl_auth_method: '{{ "cyrus"
if (ansible_local | d() and ansible_local.saslauthd | d() and
(ansible_local.saslauthd.installed | d()) | bool and
"smtpd" in ansible_local.saslauthd.instances)
else "dovecot" }}'
- postconf__unauth_sender_domains
List of FQDN domains which are handled by this Postfix instance. Any
unauthenticated mail messages from these domains that are sent from external
hosts will be blocked. This list should be synchronized with the Postfix
$mydestination
, $relay_domains
, $virtual_mailbox_domains
and
$virtual_alias_domains
configuration parameters.
postconf__unauth_sender_domains: [ '{{ postconf__fqdn }}' ]
- postconf__unauth_sender_default_action
The error message which will be sent to the SMTP servers that try to deliver unauthenticated mail messages.
postconf__unauth_sender_default_action: 'REJECT This server requires SMTP authentication'
Postfix lookup tables
These lists define Postfix lookup tables placed in the /etc/postfix/
directory. The configuration format is specified in the debops.postfix
role documentation.
- postconf__default_lookup_tables
List of default lookup tables defined by the role.
postconf__default_lookup_tables:
- name: 'auth_header_checks.pcre'
by_role: 'debops.postconf'
comment: |
Cleanup headers in mail messages sent by authenticated clients through
submission/smtps service.
Documentation: https://askubuntu.com/questions/78163/
default_action: 'IGNORE'
options:
- '/^X-Mailer:/': 'IGNORE'
- '/^User-Agent:/': 'IGNORE'
state: '{{ "present"
if (postconf__deploy_state == "present" and
"authcleanup" in postconf__combined_capabilities)
else ("absent"
if (postconf__deploy_state == "absent")
else "ignore") }}'
- name: 'mx_access.cidr'
by_role: 'debops.postconf'
comment: |
Check if sender MX server is in subnets not accessible from the public
Internet. If so, reject mail delivery from these servers, because any
replies will be non-deliverable.
options:
- '0.0.0.0/8': 'REJECT Domain MX in broadcast network'
- '10.0.0.0/8': 'REJECT Domain MX in RFC 1918 private network'
- '127.0.0.0/8': 'REJECT Domain MX in loopback network'
- '169.254.0.0/16': 'REJECT Domain MX in link local network'
- '172.16.0.0/12': 'REJECT Domain MX in RFC 1918 private network'
- '192.0.2.0/24': 'REJECT Domain MX in TEST-NET-1 network'
- '192.168.0.0/16': 'REJECT Domain MX in RFC 1918 private network'
- '198.51.100.0/24': 'REJECT Domain MX in TEST-NET-2 network'
- '203.0.113.0/24': 'REJECT Domain MX in TEST-NET-3 network'
- '224.0.0.0/4': 'REJECT Domain MX in class D multicast network'
- '240.0.0.0/5': 'REJECT Domain MX in class E reserved network'
- '248.0.0.0/5': 'REJECT Domain MX in reserved network'
- '::1/128': 'REJECT Domain MX is Loopback address'
- '::/128': 'REJECT Domain MX is Unspecified address'
- '::/96': 'REJECT Domain MX in IPv4-Compatible IPv6'
- '::ffff:0:0/96': 'REJECT Domain MX in IPv4-Mapped IPv6'
- 'ff00::/8': 'REJECT Domain MX in Multicast network'
- 'fe80::/10': 'REJECT Domain MX in Link-local unicast network'
- 'fec0::/10': 'REJECT Domain MX in Site-local unicast network'
state: '{{ "present"
if (postconf__deploy_state == "present" and
"public-mx-required" in postconf__combined_capabilities)
else ("absent"
if (postconf__deploy_state == "absent")
else "ignore") }}'
- name: 'unauth_sender_access.in'
by_role: 'debops.postconf'
comment: |
Block any unauthenticated external mail that uses our domain names. Users
that send this mail need to enable SMTP authentication and use the
'submission' service.
Documentation: https://serverfault.com/a/51122
default_action: '{{ postconf__unauth_sender_default_action }}'
content: '{{ postconf__unauth_sender_domains }}'
state: '{{ "present"
if (postconf__deploy_state == "present" and
"auth" in postconf__combined_capabilities and
"unauth-sender" in postconf__combined_capabilities)
else ("absent"
if (postconf__deploy_state == "absent")
else "ignore") }}'
- name: 'overhead_checks.pcre'
by_role: 'debops.postconf'
comment: |
"A man is not dead while his name is still spoken."
- Going Postal, Chapter 4 prologue
Ref: http://www.gnuterrypratchett.com/
options:
- '/^X-Clacks-Overhead:/': 'IGNORE'
- '/^To:/': 'PREPEND X-Clacks-Overhead: GNU Terry Pratchett'
state: '{{ "present"
if (postconf__deploy_state == "present" and
"overhead" in postconf__combined_capabilities)
else ("absent"
if (postconf__deploy_state == "absent")
else "ignore") }}'
- postconf__lookup_tables
List of lookup tables that are managed on all hosts in the Ansible inventory.
postconf__lookup_tables: []
- postconf__group_lookup_tables
List of lookup tables that are managed on hosts in specific Ansible inventory group.
postconf__group_lookup_tables: []
- postconf__host_lookup_tables
List of lookup tables that are managed on specific hosts in the Ansible inventory.
postconf__host_lookup_tables: []
- postconf__combined_lookup_tables
Variable that combines the other lookup table lists together for eas of use.
postconf__combined_lookup_tables: '{{ postconf__default_lookup_tables
+ postconf__lookup_tables
+ postconf__group_lookup_tables
+ postconf__host_lookup_tables }}'
Configuration for other Ansible roles
- postconf__postfix__dependent_packages
List of APT packages to install passed to the debops.postfix Ansible role.
postconf__postfix__dependent_packages:
- '{{ "libsasl2-modules"
if ("auth" in postconf__combined_capabilities)
else [] }}'
- postconf__postfix__dependent_lookup_tables
Lookup table configuration passed to the debops.postfix Ansible role.
postconf__postfix__dependent_lookup_tables:
- '{{ postconf__combined_lookup_tables }}'
- postconf__postfix__dependent_maincf
The main.cf
configuration passed to the debops.postfix Ansible role.
postconf__postfix__dependent_maincf:
- name: 'smtpd_sasl_auth_enable'
value: True
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sasl_authenticated_header'
value: True
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'broken_sasl_auth_clients'
value: True
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sasl_security_options'
value: [ 'noanonymous', 'noplaintext' ]
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sasl_tls_security_options'
value: [ 'noanonymous' ]
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sasl_type'
value: '{{ "cyrus"
if (postconf__sasl_auth_method == "cyrus")
else "dovecot" }}'
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sasl_path'
value: '{{ "smtpd"
if (postconf__sasl_auth_method == "cyrus")
else "private/auth" }}'
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sender_restrictions'
value:
- name: 'check_sender_mx_access cidr:${config_directory}/mx_access.cidr'
weight: 50
state: '{{ "present"
if ("public-mx-required" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sender_restrictions'
value:
- name: 'permit_mynetworks'
- name: 'reject_authenticated_sender_login_mismatch'
copy_id_from: 'permit_mynetworks'
weight: 10
- name: 'permit_sasl_authenticated'
copy_id_from: 'reject_authenticated_sender_login_mismatch'
weight: 10
- name: 'check_sender_access hash:${config_directory}/unauth_sender_access'
copy_id_from: 'permit_sasl_authenticated'
weight: 10
state: '{{ "present"
if ("auth" in postconf__combined_capabilities and
"unauth-sender" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_relay_restrictions'
value:
- name: 'reject_authenticated_sender_login_mismatch'
copy_id_from: 'permit_mynetworks'
weight: 10
state: '{{ "present"
if ("auth" in postconf__combined_capabilities and
"unauth-sender" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtp_header_checks'
value: [ 'pcre:${config_directory}/overhead_checks.pcre' ]
state: '{{ "present"
if ("overhead" in postconf__combined_capabilities)
else "ignore" }}'
- postconf__postfix__dependent_mastercf
The master.cf
configuration passed to the debops.postfix Ansible
role.
postconf__postfix__dependent_mastercf:
- name: 'submission'
options:
- name: 'smtpd_helo_restrictions'
value: ''
state: '{{ "present"
if ("public-mx-required" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sender_restrictions'
value: 'reject_authenticated_sender_login_mismatch'
state: '{{ "present"
if ("unauth-sender" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'cleanup_service_name'
value: 'authcleanup'
state: '{{ "present"
if ("authcleanup" in postconf__combined_capabilities)
else "ignore" }}'
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtps'
options:
- name: 'smtpd_helo_restrictions'
value: ''
state: '{{ "present"
if ("public-mx-required" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'smtpd_sender_restrictions'
value: 'reject_authenticated_sender_login_mismatch'
state: '{{ "present"
if ("unauth-sender" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'cleanup_service_name'
value: 'authcleanup'
state: '{{ "present"
if ("authcleanup" in postconf__combined_capabilities)
else "ignore" }}'
state: '{{ "present"
if ("auth" in postconf__combined_capabilities)
else "ignore" }}'
- name: 'authcleanup'
type: 'unix'
private: False
maxproc: 0
command: 'cleanup'
options:
- name: 'syslog_name'
value: 'postfix/authcleanup'
- name: 'header_checks'
value: [ 'regexp:/etc/postfix/auth_header_checks.pcre' ]
state: '{{ "present"
if ("authcleanup" in postconf__combined_capabilities)
else "ignore" }}'
copy_id_from: 'cleanup'
weight: 10