Getting started

Default configuration

By default Postscreen will enable the DNS Blocklists if the host has public IPv4/IPv6 addresses. The DNS Blocklists will be disabled on private networks.

Most of the Postfix configuration is defined in the dependent variables; you can change the configuration directly through the inventory. Check the debops.postfix documentation to see how to do this.

Example inventory

To install and configure Postscreen on a host, the host needs to be present in the [debops_service_postscreen] Ansible inventory group. The Postfix server should also be configured beforehand.

[debops_service_postfix]
hostname

[debops_service_postscreen]
hostname

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.postscreen role:

---

- name: Manage Postfix postscreen configuration
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_postscreen' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  pre_tasks:

    - name: Prepare postfix environment
      ansible.builtin.import_role:
        name: 'postfix'
        tasks_from: 'main_env'
      vars:
        postfix__dependent_packages:
          - '{{ postscreen__postfix__dependent_packages }}'
        postfix__dependent_maincf:
          - role: 'postscreen'
            config: '{{ postscreen__postfix__dependent_maincf }}'
        postfix__dependent_mastercf:
          - role: 'postscreen'
            config: '{{ postscreen__postfix__dependent_mastercf }}'
      tags: [ 'role::postfix', 'role::secret' ]

  roles:

    - role: secret
      tags: [ 'role::secret', 'role::postfix' ]
      secret__directories:
        - '{{ postfix__secret__directories }}'

    - role: postfix
      tags: [ 'role::postfix', 'skip::postfix' ]
      postfix__dependent_packages:
        - '{{ postscreen__postfix__dependent_packages }}'
      postfix__dependent_maincf:
        - role: 'postscreen'
          config: '{{ postscreen__postfix__dependent_maincf }}'
      postfix__dependent_mastercf:
        - role: 'postscreen'
          config: '{{ postscreen__postfix__dependent_mastercf }}'

    - role: postscreen
      tags: [ 'role::postscreen', 'skip::postscreen' ]

Keep in mind that the default Postscreen playbook does not configure firewall access for Postfix. You still need to use the Postfix playbook to configure the server instance initially.
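
To check the result described under "Default configuration" after a playbook run, the following added example (not part of the DebOps role or its documentation) classifies a host from the text of `postconf -M` and `postconf -n`. The function names, status words and sample data are constructed for illustration; it falls back to the samples when `postconf` is not installed.

```shell
#!/usr/bin/env bash
# Added example (not DebOps code): report what postscreen is doing on a host.

# Constructed sample of `postconf -M` output (master.cf service table).
SAMPLE_MASTER='smtp       inet  n       -       y       -       1       postscreen
smtpd      pass  -       -       y       -       -       smtpd
dnsblog    unix  -       -       y       -       0       dnsblog'

# Constructed sample of `postconf -n` output; DNSBL names are placeholders.
SAMPLE_MAIN='postscreen_dnsbl_sites = dnsbl.example.org*2, dnsbl.example.net*1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce'

# stdin: `postconf -M` text. Prints the command serving smtp/inet, or "none".
smtp_inet_handler() {
    awk '$1 == "smtp" && $2 == "inet" { print $8; hit = 1; exit }
         END { if (!hit) print "none" }'
}

# $1: parameter name; stdin: `postconf -n` text. Prints its value, if set.
param_value() {
    awk -v key="$1" '$1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# $1: `postconf -M` text, $2: `postconf -n` text. Prints one status word.
audit_postscreen() {
    handler=$(printf '%s\n' "$1" | smtp_inet_handler)
    sites=$(printf '%s\n' "$2" | param_value postscreen_dnsbl_sites)
    action=$(printf '%s\n' "$2" | param_value postscreen_dnsbl_action)
    if [ "$handler" != "postscreen" ]; then
        echo "inactive"            # port 25 is not fronted by postscreen
        return 1
    fi
    if [ -z "$sites" ]; then
        echo "active-no-dnsbl"     # expected on private-network hosts
        return 0
    fi
    case "$action" in
        enforce|drop) echo "active-dnsbl-$action" ;;
        *)            echo "active-dnsbl-ignore" ;;  # Postfix default: no blocking
    esac
}

if command -v postconf >/dev/null 2>&1; then
    audit_postscreen "$(postconf -M)" "$(postconf -n)" || true
else
    audit_postscreen "$SAMPLE_MASTER" "$SAMPLE_MAIN"
fi
```

A result of `active-dnsbl-ignore` on a public host means blocklist sites are queried but `postscreen_dnsbl_action` is still at the Postfix default, so clients over the threshold are not rejected.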