debops.nullmailer default variables

Basic configuration and other MTAs

nullmailer__enabled

Enable or disable support for nullmailer service. The role will check for presence of other Mail Transport Agents on a host and disable itself automatically if needed.

nullmailer__enabled: True
nullmailer__skip_mta

The debops.nullmailer role avoids replacing the currently configured SMTP server if it's detected. To disable this functionality and force the nullmailer service to replace an existing MTA, set this variable to False.

nullmailer__skip_mta: True
nullmailer__skip_mta_packages

List of APT packages which, if present, will disable configuration of nullmailer service.

nullmailer__skip_mta_packages: [ 'postfix' ]
nullmailer__purge_mta_packages

List of APT packages which will be purged when nullmailer service is enabled, to stop them from interfering with the active MTA.

nullmailer__purge_mta_packages: [ 'exim4-base', 'exim4-config', 'exim4-daemon-light',
                                  'postfix', 'msmtp-mta', 'dma' ]

APT package configuration

nullmailer__base_packages

List of APT packages which will be installed to configure nullmailer service.

nullmailer__base_packages: [ 'nullmailer', 'bsd-mailx' ]
nullmailer__smtpd_packages

List of APT packages which will be installed when the nullmailer-smtpd service is enabled.

nullmailer__smtpd_packages: '{{ [ "xinetd" ] if nullmailer__smtpd|bool else [] }}'
nullmailer__packages

List of custom APT packages installed with nullmailer.

nullmailer__packages: []

DNS, domain, catch-all e-mail addresses

nullmailer__mailname

The domain name of the host, stored in the /etc/mailname configuration file. See https://wiki.debian.org/EtcMailName for more details.

nullmailer__mailname: '{{ nullmailer__fqdn }}'
nullmailer__fqdn

The FQDN name of the nullmailer host, used in different configuration variables of the role.

nullmailer__fqdn: '{{ ansible_fqdn }}'
nullmailer__domain

The default DNS domain used in different configuration variables of the role.

nullmailer__domain: '{{ ansible_domain }}'
nullmailer__adminaddr

If this list is not empty, all mail messages addressed to any user in the default hostname from /etc/mailname or localhost will be redirected to the specified e-mail addresses (catch-all). This is required for mail directed to local accounts because nullmailer does not support local mailboxes.

By default send all mail for local recipients to the "root" account on the mail relay host. Let the relay host deal with forwarding such e-mail messages to the proper recipients.

nullmailer__adminaddr: [ '{{ "root@" + nullmailer__relayhost }}' ]
nullmailer__idhost

The string used to generate the Message-Id: header of sent messages.

nullmailer__idhost: '{{ nullmailer__fqdn }}'
nullmailer__helohost

The string sent to the remote SMTP servers in the HELO command.

nullmailer__helohost: '{{ nullmailer__fqdn }}'
nullmailer__defaulthost

The string appended to the e-mail addresses without the "host" part.

nullmailer__defaulthost: '{{ nullmailer__mailname }}'
nullmailer__defaultdomain

The string appended to the host part of the e-mail addresses without a dot.

nullmailer__defaultdomain: '{{ nullmailer__domain }}'
nullmailer__allmailfrom

Force envelope sender. Needed for some mail relays with authentication if they don't allow arbitrary envelope sender addresses. (Needs nullmailer >= 1.4)

nullmailer__allmailfrom: ''

LDAP environment

nullmailer__ldap_enabled

Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.

nullmailer__ldap_enabled: '{{ ansible_local.ldap.enabled
                              if (ansible_local|d() and ansible_local.ldap|d() and
                                  ansible_local.ldap.enabled is defined)
                              else False }}'
nullmailer__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, the LDAP account for the :command`nullmailer` SMTP service will not be created in the LDAP directory.

nullmailer__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
nullmailer__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the nullmailer service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

nullmailer__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
nullmailer__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the nullmailer service to send the authenticated messages to the relayhost.

nullmailer__ldap_self_rdn: 'uid=nullmailer'
nullmailer__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the nullmailer service to send authenticated mail messages.

nullmailer__ldap_self_object_classes: [ 'account', 'simpleSecurityObject',
                                        'authorizedServiceObject' ]
nullmailer__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the nullmailer service to send authenticated mail messages.

nullmailer__ldap_self_attributes:
  uid: '{{ nullmailer__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ nullmailer__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "nullmailer" service to send authenticated mail messages'
  authorizedService: 'mail:send'
nullmailer__ldap_binddn

The Distinguished Name of the account LDAP object used by the nullmailer service to bind to the LDAP directory.

nullmailer__ldap_binddn: '{{ ([ nullmailer__ldap_self_rdn ] + nullmailer__ldap_device_dn) | join(",") }}'
nullmailer__ldap_bindpw

The password stored in the account LDAP object used by the nullmailer service to bind to the LDAP directory.

nullmailer__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                     + nullmailer__ldap_binddn | to_uuid + ".password length=32"))
                             if nullmailer__ldap_enabled|bool
                             else "" }}'

SMTP relay configuration

nullmailer__starttls

Boolean. If enabled, all remote SMTP servers configured in /etc/nullmailer/remotes will request encrypted connections using the STARTTLS command. This can be overridden per remote, see nullmailer__remotes for more details.

nullmailer__starttls: True
nullmailer__smtp_srv_rr

List which contains the result of the DNS query for SMTP server SRV resource records in the host's domain. See RFC 6186 for details.

nullmailer__smtp_srv_rr: '{{ q("dig_srv", "_smtp._tcp." + nullmailer__domain,
                               "smtp." + nullmailer__domain, 25)
                             if nullmailer__enabled|bool
                             else [] }}'
nullmailer__smtp_port

SMTP port (default is 25; use 587 for STARTTLS or 465 for Implicit TLS.

nullmailer__smtp_port: '{{ nullmailer__smtp_srv_rr[0]["port"] }}'
nullmailer__relayhost

The FQDN address of the mail server which all mail messages will be forwarded to by the nullmailer service.

nullmailer__relayhost: '{{ nullmailer__smtp_srv_rr[0]["target"] }}'
nullmailer__relayhost_options

Additional options set for the default relayhost in the /etc/nullmailer/remotes configuration file. You can specify either a YAML dictionary with parameters used by other nullmailer remotes, or a YAML list with "raw" nullmailer options. See nullmailer__remotes for more details.

nullmailer__relayhost_options:
  - '--port={{ nullmailer__smtp_port }}'
  - '{{ "--ssl"
        if (nullmailer__smtp_port == "465")
        else "--starttls" }}'
nullmailer__default_remotes

The default list of SMTP servers where nullmailer forwards all mail messages. See nullmailer__remotes for more details.

nullmailer__default_remotes:

  - host: '{{ nullmailer__relayhost }}'
    options: '{{ nullmailer__relayhost_options }}'
    auth: True
    user: '{{ nullmailer__ldap_self_rdn.split("=")[1] + "@" + nullmailer__fqdn }}'
    password: '{{ nullmailer__ldap_bindpw }}'
    state: '{{ "present" if nullmailer__ldap_enabled|bool else "absent" }}'

  - '{{ (nullmailer__relayhost_options | combine({"host": nullmailer__relayhost}))
        if (nullmailer__relayhost_options is mapping)
        else ({"host": nullmailer__relayhost,
               "state": ("absent" if nullmailer__ldap_enabled|bool else "present"),
               "options": nullmailer__relayhost_options}) }}'
nullmailer__remotes

The list of additional SMTP servers where nullmailer forwards all mail messages. See nullmailer__remotes for more details.

nullmailer__remotes: []

Nullmailer rate limits

nullmailer__maxpause

The maximum number of seconds to pause between successive queue runs.

nullmailer__maxpause: '86400'
nullmailer__pausetime

The minimum number of seconds to pause between successive queue runs when there are messages in the queue.

nullmailer__pausetime: '60'
nullmailer__sendtimeout

The number of seconds to wait for a thread to complete sending a message before killing it and trying again.

nullmailer__sendtimeout: '3600'

Configuration file definitions

nullmailer__configuration_files

List which defines names and contents of the configuration files managed by the debops.nullmailer role. See the nullmailer__configuration_files for more details.

nullmailer__configuration_files:

  - dest: '/etc/mailname'
    content: '{{ nullmailer__mailname }}'

  - dest: '/etc/nullmailer/adminaddr'
    content: '{{ nullmailer__adminaddr
                 if nullmailer__adminaddr is string
                 else nullmailer__adminaddr|join(",") }}'

  - dest: '/etc/nullmailer/idhost'
    content: '{{ nullmailer__idhost }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__idhost else "absent" }}'

  - dest: '/etc/nullmailer/helohost'
    content: '{{ nullmailer__helohost }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__helohost else "absent" }}'

  - dest: '/etc/nullmailer/defaulthost'
    content: '{{ nullmailer__defaulthost }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__defaulthost else "absent" }}'

  - dest: '/etc/nullmailer/defaultdomain'
    content: '{{ nullmailer__defaultdomain }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__defaultdomain else "absent" }}'

  - dest: '/etc/nullmailer/maxpause'
    content: '{{ nullmailer__maxpause }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__maxpause else "absent" }}'

  - dest: '/etc/nullmailer/pausetime'
    content: '{{ nullmailer__pausetime }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__pausetime else "absent" }}'

  - dest: '/etc/nullmailer/sendtimeout'
    content: '{{ nullmailer__sendtimeout }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__sendtimeout else "absent" }}'

  - dest: '/etc/nullmailer/allmailfrom'
    content: '{{ nullmailer__allmailfrom }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__allmailfrom else "absent" }}'
nullmailer__private_configuration_files

List which defines names and contents of the private configuration files managed by the debops.nullmailer role. Modifications to the configuration files on this list won't be logged by Ansible. See the nullmailer__configuration_files for more details.

nullmailer__private_configuration_files:

  - dest: '/etc/nullmailer/remotes'
    content: "{{ lookup('template', 'lookup/nullmailer__remotes.j2')
                 | from_yaml | join('\n') }}"
    owner: 'mail'
    group: 'mail'
    mode: '0600'

Nullmailer SMTPD service

The debops.nullmailer role can configure a nullmailer-smtpd service using nullmailer and xinetd packages. The xinetd service will listen on port 25 (can be changed) and on incoming connection will start a sendmail process which can be used to send an e-mail message.

This service does not perform any user authentication, therefore debops.ferm and debops.tcpwrappers roles are used to limit the access from the network to specific IP addresses or CIDR subnets. By default, the nullmailer-smtpd service listens for new TCP connections only on the loopback interface, and firewall/TCP Wrappers do not accept any connections from the network.

nullmailer__smtpd

Enable or disable custom xinetd-based SMTP service which allows access to the sendmail program from other hosts over the network.

nullmailer__smtpd: False
nullmailer__smtpd_bind

Specify the IPv4 address on which the xinetd SMTP server should listen for new connections. By default it listens only on lo interface.

nullmailer__smtpd_bind: '127.0.0.1'
nullmailer__smtpd_bind6

Specify the IPv6 address on which the xinetd SMTP server should listen for new connections. By default it listens only on lo interface.

nullmailer__smtpd_bind6: '::1'
nullmailer__smtpd_port

Default port to listen on for the SMTP connections.

nullmailer__smtpd_port: '25'
nullmailer__smtpd_allow

Specify list of IP addresses or CIDR subnets which are allowed to connect to the nullmailer-smtpd service. These lists will be configured in the iptables firewall using debops.ferm role and in the TCP Wrappers using debops.tcpwrappers role.

If this list is empty, nobody is allowed to connect remotely.

nullmailer__smtpd_allow: []

Configuration for other Ansible roles

nullmailer__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

nullmailer__ldap__dependent_tasks:

  - name: 'Create nullmailer account for {{ nullmailer__ldap_device_dn | join(",") }}'
    dn: '{{ nullmailer__ldap_binddn }}'
    objectClass: '{{ nullmailer__ldap_self_object_classes }}'
    attributes: '{{ nullmailer__ldap_self_attributes }}'
    no_log: True
    state: '{{ "present" if nullmailer__ldap_device_dn|d() else "ignore" }}'
nullmailer__ferm__dependent_rules

Configuration for the debops.ferm role.

nullmailer__ferm__dependent_rules:

  - type: 'accept'
    dport: [ '{{ nullmailer__smtpd_port }}' ]
    saddr: '{{ nullmailer__smtpd_allow }}'
    accept_any: False
    weight: '50'
    role: 'debops.nullmailer'
    rule_state: '{{ "present"
                    if (nullmailer__deploy_state|d("present") != "absent" and
                        nullmailer__smtpd|bool) else "absent" }}'
nullmailer__tcpwrappers__dependent_allow

Configuration for the debops.tcpwrappers Ansible role.

nullmailer__tcpwrappers__dependent_allow:

  - daemon: 'sendmail'
    client: '{{ nullmailer__smtpd_allow }}'
    accept_any: False
    weight: '50'
    filename: 'nullmailer_dependent_allow'
    comment: 'Allow remote connections to SMTP server'
    state: '{{ "present"
               if (nullmailer__deploy_state|d("present") != "absent" and
                   nullmailer__smtpd|bool) else "absent" }}'
nullmailer__dpkg_cleanup__dependent_packages

Configuration for the debops.dpkg_cleanup Ansible role.

nullmailer__dpkg_cleanup__dependent_packages:

  - name: 'nullmailer'
    remove_files:
      - '{{ (nullmailer__configuration_files
             | selectattr("dest", "defined")
             | map(attribute="dest") | list)
            | difference("/etc/mailname") }}'
      - '{{ nullmailer__private_configuration_files
            | selectattr("dest", "defined")
            | map(attribute="dest") | list }}'
      - '/etc/ferm/ferm.d/50_debops.nullmailer_accept_25.conf'
      - '/etc/hosts.allow.d/50_nullmailer_dependent_allow'
      - '/etc/xinetd.d/nullmailer-smtpd'
      - '/etc/xinetd.d/nullmailer-smtpd6'
    reload_services:
      - 'xinetd'
    restart_services:
      - 'ferm'