Default variable details
some of debops.postfix
default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
postfix__maincf
Configuration of the postfix__*_maincf
variables is described in a separate
document, Default variable details: postfix__maincf.
postfix__mastercf
Configuration of the postfix__*_mastercf
variables is described in
a separate document, Default variable details: postfix__mastercf.
postfix__maincf_sections
The /etc/postfix/main.cf
configuration file is managed using informal
"sections", each section groups the common Postfix options.
The postfix__maincf_sections
variable contains a list of sections defined
by YAML dictionaries with specific parameters:
name
Required. Short name of the section, used in the configuration parameters to put a given option in a particular section.
title
Optional. A short description of the section included as its header.
state
Optional. If not specified or
present
, the section will be added in the configuration file. Ifabsent
, the section will not be included in the file.
Examples
Define a set of configuration sections:
postfix__maincf_sections:
- name: 'base'
- name: 'admin'
title: 'Administrator options'
- name: 'unknown'
title: 'Other options'
postfix__lookup_tables
The postfix__*_lookup_tables
variables can be used to manage
Postfix lookup tables.
Each lookup table is a separate file located in the /etc/postfix/
directory. The entries in the variables are merged together, therefore by using
the same name
key in multiple entries you can modify existing
configuration, for example through Ansible inventory.
The lookup tables can be defined by other roles via role dependent variables,
however the state of each dependent role is not tracked. Because of that it's
best to use separate lookup tables for each Ansible role and join them together
at the Postfix configuration level, via options defined in the main.cf
or master.cf
configuration files.
Each entry that manages a lookup table is a YAML dictionary with specific parameters:
name
Required. Name of the lookup table to manage, it will be a file in the
/etc/postfix/
directory. This parameter is used as an anchor to merge separate entries together.Files which names end with the
*.in
extension are assumed to be hashed tables, and will be processed automatically by make when any changes are detected during role execution.state
Optional. If not specified or
present
, the lookup table will be generated. Ifabsent
, the lookup table will be removed (hashed table files are not removed automatically). Ifignore
, a given configuration entry will not be evaluated by Ansible.owner
Optional. The UNIX account which will be the owner of the generated file. If not specified,
root
will be used by default.group
Optional. The UNIX group which will be the primary group of the generated file. If not specified,
postfix
will be used by default.mode
Optional. The attributes set on the generated file. If not specified,
0640
will be set by default.If you specify
0600
or0640
file attributes, the task which manages the file will automatically set theno_log
Ansible parameter toTrue
, so that the contents of the file are not logged or displayed during Ansible execution.no_log
Optional, boolean. If not specified or
False
, the task will be processed normally. IfTrue
, the task execution will not be logged and any file contents will not be displayed in the Ansible output.
The parameters below are related to the contents of the lookup table file:
comment
Optional. String or YAML text block with a comment added at the beginning of the lookup table file.
raw
Optional. String or YAML text block with the file contents which will be stored "as-is" in the lookup table file.
config
Optional. An YAML dictionary which defines an external Postfix lookup table, for example in a SQL database. Each dictionary key is an option name, and dictionary value is the option value. Values can be either strings or YAML lists. See the manpage of specific lookup tables for the supported options.
connection
Optional. An YAML dictionary which uses the same syntax as the
config
parameter. Theconnection
parameter can be used to define connection details for a particular database in a separate YAML dictionary, which then can be referenced in multiple lookup tables at once with different query configuration. See the examples below for an example usage.options
Optional. An YAML list with lookup table entries. Each entry is a YAML dictionary. If the dictionary has a
name
key, it will be interpreted as an extended entry with specific parameters:name
The lookup key used by Postfix to find the specific entry in the table.
value
The value or action returned by the lookup table.
state
Optional. If not specified or
present
, a given lookup table entry will be added in the file. Ifabsent
, a given entry will be removed from the file. Ifignore
, a given configuration will not be parsed by Ansible. Ifcomment
, a given lookup table entry will be added but commented out.comment
Optional. A string or YAML text block with a comment related to a given lookup table entry.
If the
name
parameter is not found, first entry in a YAML dictionary is parsed as a key/value lookup table entry.When a given lookup table is defined by multiple entries, the
options
parameters are merged together.content
Optional. An YAML list with lookup table entries. Each entry can be a string that defines a lookup table key, its value will be defined by the
default_action
parameter. Otherwise you can specify parameters similar to those supported by theoptions
list. Contents of thecontent
parameter are appended to theoptions
contents. Thecontent
parameters from multiple entries are not merged together.default_action
Optional. The default action defined for the lookup table entries that don't specify one themselves.
If the connection
or config
parameters are specified, for convenience
you can specify the options that control the lookup table configuration from
the ldap_table(5), mysql_table(5), sqlite_table(5) and
pgsql_table(5) as the lookup table parameters, on the same level as the
name
parameter.
Examples
Define a set of virtual mail aliases using a raw YAML text block, stored in a hashed lookup table:
postfix__lookup_tables:
- name: 'virtual_alias_maps.in'
raw: |
name.surname@example.org user1@example.org
name.othername@example.org user2@example.org
postfix__maincf:
- virtual_alias_maps: [ 'hash:${config_directory}/virtual_alias_maps' ]
Define virtual mailbox table stored in a MySQL database. Lookup table file will
be only readable by the root
account to secure the password for the
database:
postfix__lookup_tables:
- name: 'virtual_mailbox_maps.cf'
config:
hosts: [ 'db1.example.net', 'db2.example.net' ]
user: 'mailuser'
password: 'mailpassword'
dbname: 'mail'
query: "SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1'"
postfix__maincf:
- virtual_mailbox_maps: [ 'proxy:mysql:${config_directory}/virtual_mailbox_maps.cf' ]
The same example with connection details defined in a separate variable which can be reused in multiple lookup tables:
db_connection:
hosts: [ 'db1.example.net', 'db2.example.net' ]
user: 'mailuser'
password: 'mailpassword'
dbname: 'mail'
postfix__lookup_tables:
- name: 'virtual_mailbox_maps.cf'
connection: '{{ db_connection }}'
query: "SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1'"
postfix__maincf:
- virtual_mailbox_maps: [ 'proxy:mysql:${config_directory}/virtual_mailbox_maps.cf' ]
Note that the parameters of a particular table can be defined on the same level
as the name
parameter, for ease of use.
Create a list of banned HELO/EHLO names which contains the host's IP addresses and FQDN hostname, stored in a hashed lookup table:
postfix__lookup_tables:
- name: 'banned_helo_names.in'
content: '{{ ansible_all_ipv4_addresses + ansible_all_ipv6_addresses
+ [ ansible_fqdn, "localhost", "127.0.0.1" ] }}'
default_action: 'REJECT You are not me'
postfix__maincf:
- name: 'smtpd_helo_restrictions'
value:
- name: 'check_helo_access hash:${config_directory}/banned_helo_names'
weight: -100
Create a CIDR lookup table that contains a custom blacklist/whitelist of networks that can talk to the SMTP 'submission' service:
postfix__lookup_tables:
- name: 'submission_client_access.cidr'
options:
- name: '192.0.2.0/24'
value: 'REJECT Connections not allowed from TEST-NET-1 network'
- '10.10.0.0/16': 'OK'
postfix__maincf:
- name: 'submission_smtpd_client_restrictions'
value:
- 'check_client_access cidr:${config_directory}/submission_client_access.cidr'
- 'reject'
postfix__mastercf:
- name: 'submission'
options:
- name: 'smtpd_client_restrictions'
value: '${submission_smtpd_client_restrictions}'