debops.nullmailer default variables¶

Sections

Basic configuration and other MTAs
APT package configuration
DNS, domain, catch-all e-mail addresses
LDAP environment
SMTP relay configuration
Nullmailer rate limits
Configuration file definitions
Nullmailer SMTPD service
Configuration for other Ansible roles

Basic configuration and other MTAs ¶

nullmailer__enabled¶

Enable or disable support for nullmailer service. The role will check for presence of other Mail Transport Agents on a host and disable itself automatically if needed.

nullmailer__enabled: True

nullmailer__skip_mta¶

The debops.nullmailer role avoids replacing the currently configured SMTP server if it's detected. To disable this functionality and force the nullmailer service to replace an existing MTA, set this variable to False.

nullmailer__skip_mta: True

nullmailer__skip_mta_packages¶

List of APT packages which, if present, will disable configuration of nullmailer service.

nullmailer__skip_mta_packages: [ 'postfix' ]

nullmailer__purge_mta_packages¶

List of APT packages which will be purged when nullmailer service is enabled, to stop them from interfering with the active MTA.

nullmailer__purge_mta_packages: [ 'exim4-base', 'exim4-config', 'exim4-daemon-light',
                                  'postfix', 'msmtp-mta', 'dma' ]

APT package configuration ¶

nullmailer__base_packages¶

List of APT packages which will be installed to configure nullmailer service.

nullmailer__base_packages: [ 'nullmailer', 'bsd-mailx' ]

nullmailer__smtpd_packages¶

List of APT packages which will be installed when the nullmailer-smtpd service is enabled.

nullmailer__smtpd_packages: '{{ [ "xinetd" ] if nullmailer__smtpd|bool else [] }}'

nullmailer__packages¶

List of custom APT packages installed with nullmailer.

nullmailer__packages: []

DNS, domain, catch-all e-mail addresses ¶

nullmailer__mailname¶

The domain name of the host, stored in the /etc/mailname configuration file. See https://wiki.debian.org/EtcMailName for more details.

nullmailer__mailname: '{{ nullmailer__fqdn }}'

nullmailer__fqdn¶

The FQDN name of the nullmailer host, used in different configuration variables of the role.

nullmailer__fqdn: '{{ ansible_fqdn }}'

nullmailer__domain¶

The default DNS domain used in different configuration variables of the role.

nullmailer__domain: '{{ ansible_domain }}'

nullmailer__adminaddr¶

If this list is not empty, all mail messages addressed to any user in the default hostname from /etc/mailname or localhost will be redirected to the specified e-mail addresses (catch-all). This is required for mail directed to local accounts because nullmailer does not support local mailboxes.

By default send all mail for local recipients to the "root" account on the mail relay host. Let the relay host deal with forwarding such e-mail messages to the proper recipients.

nullmailer__adminaddr: [ '{{ "root@" + nullmailer__relayhost }}' ]

nullmailer__idhost¶

The string used to generate the Message-Id: header of sent messages.

nullmailer__idhost: '{{ nullmailer__fqdn }}'

nullmailer__helohost¶

The string sent to the remote SMTP servers in the HELO command.

nullmailer__helohost: '{{ nullmailer__fqdn }}'

nullmailer__defaulthost¶

The string appended to the e-mail addresses without the "host" part.

nullmailer__defaulthost: '{{ nullmailer__mailname }}'

nullmailer__defaultdomain¶

The string appended to the host part of the e-mail addresses without a dot.

nullmailer__defaultdomain: '{{ nullmailer__domain }}'

nullmailer__allmailfrom¶

Force envelope sender. Needed for some mail relays with authentication if they don't allow arbitrary envelope sender addresses. (Needs nullmailer >= 1.4)

nullmailer__allmailfrom: ''

LDAP environment ¶

nullmailer__ldap_enabled¶

Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.

nullmailer__ldap_enabled: '{{ ansible_local.ldap.enabled
                              if (ansible_local|d() and ansible_local.ldap|d() and
                                  ansible_local.ldap.enabled is defined)
                              else False }}'

nullmailer__ldap_base_dn¶

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, the LDAP account for the :command`nullmailer` SMTP service will not be created in the LDAP directory.

nullmailer__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'

nullmailer__ldap_device_dn¶

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the nullmailer service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

nullmailer__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'

nullmailer__ldap_self_rdn¶

The Relative Distinguished Name of the account LDAP object used by the nullmailer service to send the authenticated messages to the relayhost.

nullmailer__ldap_self_rdn: 'uid=nullmailer'

nullmailer__ldap_self_object_classes¶

List of the LDAP object classes which will be used to create the LDAP object used by the nullmailer service to send authenticated mail messages.

nullmailer__ldap_self_object_classes: [ 'account', 'simpleSecurityObject',
                                        'authorizedServiceObject' ]

nullmailer__ldap_self_attributes¶

YAML dictionary that defines the attributes of the LDAP object used by the nullmailer service to send authenticated mail messages.

nullmailer__ldap_self_attributes:
  uid: '{{ nullmailer__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ nullmailer__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "nullmailer" service to send authenticated mail messages'
  authorizedService: 'mail:send'

nullmailer__ldap_binddn¶

The Distinguished Name of the account LDAP object used by the nullmailer service to bind to the LDAP directory.

nullmailer__ldap_binddn: '{{ ([ nullmailer__ldap_self_rdn ] + nullmailer__ldap_device_dn) | join(",") }}'

nullmailer__ldap_bindpw¶

The password stored in the account LDAP object used by the nullmailer service to bind to the LDAP directory.

nullmailer__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                     + nullmailer__ldap_binddn | to_uuid + ".password length=32"))
                             if nullmailer__ldap_enabled|bool
                             else "" }}'

SMTP relay configuration ¶

nullmailer__starttls¶

Boolean. If enabled, all remote SMTP servers configured in /etc/nullmailer/remotes will request encrypted connections using the STARTTLS command. This can be overridden per remote, see nullmailer__remotes for more details.

nullmailer__starttls: True

nullmailer__smtp_srv_rr¶

List which contains the result of the DNS query for SMTP server SRV resource records in the host's domain. See RFC 6186 for details.

nullmailer__smtp_srv_rr: '{{ q("dig_srv", "_smtp._tcp." + nullmailer__domain,
                               "smtp." + nullmailer__domain, 25)
                             if nullmailer__enabled|bool
                             else [] }}'

nullmailer__smtp_port¶

SMTP port (default is 25; use 587 for STARTTLS or 465 for Implicit TLS.

nullmailer__smtp_port: '{{ nullmailer__smtp_srv_rr[0]["port"] }}'

nullmailer__relayhost¶

The FQDN address of the mail server which all mail messages will be forwarded to by the nullmailer service.

nullmailer__relayhost: '{{ nullmailer__smtp_srv_rr[0]["target"] }}'

nullmailer__relayhost_options¶

Additional options set for the default relayhost in the /etc/nullmailer/remotes configuration file. You can specify either a YAML dictionary with parameters used by other nullmailer remotes, or a YAML list with "raw" nullmailer options. See nullmailer__remotes for more details.

nullmailer__relayhost_options:
  - '--port={{ nullmailer__smtp_port }}'
  - '{{ "--ssl"
        if (nullmailer__smtp_port == "465")
        else "--starttls" }}'

nullmailer__default_remotes¶

The default list of SMTP servers where nullmailer forwards all mail messages. See nullmailer__remotes for more details.

nullmailer__default_remotes:

  - host: '{{ nullmailer__relayhost }}'
    options: '{{ nullmailer__relayhost_options }}'
    auth: True
    user: '{{ nullmailer__ldap_self_rdn.split("=")[1] + "@" + nullmailer__fqdn }}'
    password: '{{ nullmailer__ldap_bindpw }}'
    state: '{{ "present" if nullmailer__ldap_enabled|bool else "absent" }}'

  - '{{ (nullmailer__relayhost_options | combine({"host": nullmailer__relayhost}))
        if (nullmailer__relayhost_options is mapping)
        else ({"host": nullmailer__relayhost,
               "state": ("absent" if nullmailer__ldap_enabled|bool else "present"),
               "options": nullmailer__relayhost_options}) }}'

nullmailer__remotes¶

The list of additional SMTP servers where nullmailer forwards all mail messages. See nullmailer__remotes for more details.

nullmailer__remotes: []

Nullmailer rate limits ¶

nullmailer__maxpause¶

The maximum number of seconds to pause between successive queue runs.

nullmailer__maxpause: '86400'

nullmailer__pausetime¶

The minimum number of seconds to pause between successive queue runs when there are messages in the queue.

nullmailer__pausetime: '60'

nullmailer__sendtimeout¶

The number of seconds to wait for a thread to complete sending a message before killing it and trying again.

nullmailer__sendtimeout: '3600'

Configuration file definitions ¶

nullmailer__configuration_files¶

List which defines names and contents of the configuration files managed by the debops.nullmailer role. See the nullmailer__configuration_files for more details.

nullmailer__configuration_files:

  - dest: '/etc/mailname'
    content: '{{ nullmailer__mailname }}'

  - dest: '/etc/nullmailer/adminaddr'
    content: '{{ nullmailer__adminaddr
                 if nullmailer__adminaddr is string
                 else nullmailer__adminaddr|join(",") }}'

  - dest: '/etc/nullmailer/idhost'
    content: '{{ nullmailer__idhost }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__idhost else "absent" }}'

  - dest: '/etc/nullmailer/helohost'
    content: '{{ nullmailer__helohost }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__helohost else "absent" }}'

  - dest: '/etc/nullmailer/defaulthost'
    content: '{{ nullmailer__defaulthost }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__defaulthost else "absent" }}'

  - dest: '/etc/nullmailer/defaultdomain'
    content: '{{ nullmailer__defaultdomain }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__defaultdomain else "absent" }}'

  - dest: '/etc/nullmailer/maxpause'
    content: '{{ nullmailer__maxpause }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__maxpause else "absent" }}'

  - dest: '/etc/nullmailer/pausetime'
    content: '{{ nullmailer__pausetime }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__pausetime else "absent" }}'

  - dest: '/etc/nullmailer/sendtimeout'
    content: '{{ nullmailer__sendtimeout }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__sendtimeout else "absent" }}'

  - dest: '/etc/nullmailer/allmailfrom'
    content: '{{ nullmailer__allmailfrom }}'
    mode: '0644'
    state: '{{ "present" if nullmailer__allmailfrom else "absent" }}'

nullmailer__private_configuration_files¶

List which defines names and contents of the private configuration files managed by the debops.nullmailer role. Modifications to the configuration files on this list won't be logged by Ansible. See the nullmailer__configuration_files for more details.

nullmailer__private_configuration_files:

  - dest: '/etc/nullmailer/remotes'
    content: "{{ lookup('template', 'lookup/nullmailer__remotes.j2')
                 | from_yaml | join('\n') }}"
    owner: 'mail'
    group: 'mail'
    mode: '0600'

Nullmailer SMTPD service ¶

The debops.nullmailer role can configure a nullmailer-smtpd service using nullmailer and xinetd packages. The xinetd service will listen on port 25 (can be changed) and on incoming connection will start a sendmail process which can be used to send an e-mail message.

This service does not perform any user authentication, therefore debops.ferm and debops.tcpwrappers roles are used to limit the access from the network to specific IP addresses or CIDR subnets. By default, the nullmailer-smtpd service listens for new TCP connections only on the loopback interface, and firewall/TCP Wrappers do not accept any connections from the network.

nullmailer__smtpd¶

Enable or disable custom xinetd-based SMTP service which allows access to the sendmail program from other hosts over the network.

nullmailer__smtpd: False

nullmailer__smtpd_bind¶

Specify the IPv4 address on which the xinetd SMTP server should listen for new connections. By default it listens only on lo interface.

nullmailer__smtpd_bind: '127.0.0.1'

nullmailer__smtpd_bind6¶

Specify the IPv6 address on which the xinetd SMTP server should listen for new connections. By default it listens only on lo interface.

nullmailer__smtpd_bind6: '::1'

nullmailer__smtpd_port¶

Default port to listen on for the SMTP connections.

nullmailer__smtpd_port: '25'

nullmailer__smtpd_allow¶

Specify list of IP addresses or CIDR subnets which are allowed to connect to the nullmailer-smtpd service. These lists will be configured in the iptables firewall using debops.ferm role and in the TCP Wrappers using debops.tcpwrappers role.

If this list is empty, nobody is allowed to connect remotely.

nullmailer__smtpd_allow: []

Configuration for other Ansible roles ¶

nullmailer__ldap__dependent_tasks¶

Configuration for the debops.ldap Ansible role.

nullmailer__ldap__dependent_tasks:

  - name: 'Create nullmailer account for {{ nullmailer__ldap_device_dn | join(",") }}'
    dn: '{{ nullmailer__ldap_binddn }}'
    objectClass: '{{ nullmailer__ldap_self_object_classes }}'
    attributes: '{{ nullmailer__ldap_self_attributes }}'
    no_log: True
    state: '{{ "present" if nullmailer__ldap_device_dn|d() else "ignore" }}'

nullmailer__ferm__dependent_rules¶

Configuration for the debops.ferm role.

nullmailer__ferm__dependent_rules:

  - type: 'accept'
    dport: [ '{{ nullmailer__smtpd_port }}' ]
    saddr: '{{ nullmailer__smtpd_allow }}'
    accept_any: False
    weight: '50'
    role: 'debops.nullmailer'
    rule_state: '{{ "present"
                    if (nullmailer__deploy_state|d("present") != "absent" and
                        nullmailer__smtpd|bool) else "absent" }}'

nullmailer__tcpwrappers__dependent_allow¶

Configuration for the debops.tcpwrappers Ansible role.

nullmailer__tcpwrappers__dependent_allow:

  - daemon: 'sendmail'
    client: '{{ nullmailer__smtpd_allow }}'
    accept_any: False
    weight: '50'
    filename: 'nullmailer_dependent_allow'
    comment: 'Allow remote connections to SMTP server'
    state: '{{ "present"
               if (nullmailer__deploy_state|d("present") != "absent" and
                   nullmailer__smtpd|bool) else "absent" }}'

nullmailer__dpkg_cleanup__dependent_packages¶

Configuration for the debops.dpkg_cleanup Ansible role.

nullmailer__dpkg_cleanup__dependent_packages:

  - name: 'nullmailer'
    remove_files:
      - '{{ (nullmailer__configuration_files
             | selectattr("dest", "defined")
             | map(attribute="dest") | list)
            | difference("/etc/mailname") }}'
      - '{{ nullmailer__private_configuration_files
            | selectattr("dest", "defined")
            | map(attribute="dest") | list }}'
      - '/etc/ferm/ferm.d/50_debops.nullmailer_accept_25.conf'
      - '/etc/hosts.allow.d/50_nullmailer_dependent_allow'
      - '/etc/xinetd.d/nullmailer-smtpd'
      - '/etc/xinetd.d/nullmailer-smtpd6'
    reload_services:
      - 'xinetd'
    restart_services:
      - 'ferm'