Getting started
Default configuration
The debops.postldap
role configures a Postfix SMTP server with
support for a virtual user mail system
, i.e. where the senders and
recipients do not correspond to the Linux system users.
Hence it is possible to host emails for other domains.
The users, email alias and domains will be managed with LDAP.
This role use the organization defined in the mailservice schema setup by
debops.slapd by default. The schema is designed to use the 'mail' LDAP
attribute as an uniqueness constraint for the mailAddress
,
mailAlternateAddress
and other attributes across LDAP entries. The 'mail'
attribute itself is not used in e-mail service operation.
For example, the following LDAP entry sets the user user1
with
user1@mydomain.net as main address and alias1@mydomain.net as alias.
objectClass: inetOrgPerson
objectClass: mailRecipient
objectClass: authorizedServiceObject
authorizedService: all
mail: user1@mydomain.net
mailAddress: user1@mydomain.net
mailAlternateAddress: alias1@mydomain.net
Local mail is enabled by default, support for mail aliases is provided by
the debops.etc_aliases Ansible role and the LDAP user attribute
mailAlternateAddress
.
From a single address it is also possible to deliver the message to several
recipients by using the mailAlias
structural object to define a standalone
e-mail aliases:
objectClass: mailAlias
objectClass: authorizedServiceObject
authorizedService: all
mail: alias@mydomain.net
mailAddress: alias@mydomain.net
mailForwardTo: user1@mydomain.net
mailForwardTo: user2@mydomain.net
It is also possible to attach an email existing entity using the 'mailDistributionList' auxiliary object:
objectClass: organizationalUnit
objectClass: mailDistributionList
objectClass: authorizedServiceObject
authorizedService: all
ou: IT Department
mail: itdept@mydomain.net
mailAddress: itdept@mydomain.net
mailForwardTo: admin1@mydomain.net
mailForwardTo: admin2@mydomain.net
The mailAddress
attribute of the different objects will ensure that the
addess is unique in the mail system.
This role only works when LDAP support is explicitly enabled and the environment has a working LDAP infrastructure. See the debops.ldap role and its documentation for more details about setting up LDAP client support on a host.
Overriding lookup table configuration
The Postfix LDAP lookup tables defined by the debops.ldap Ansible role are designed to work with the LDAP directory set up by the debops.ldap and debops.slapd roles. If you want to use different LDAP directory configuration, or tailor the default configuration to your own needs, you can override specific parameters in the looup table configuration via the Ansible inventory.
The role defers to the debops.postfix Ansible role for actual looup table configuration and passes the details via the role dependent variables. You can find more about the details in the postfix__lookup_tables documentation.
For example, if you want to change the LDAP filter of the
ldap_virtual_recipients.cf
lookup table, you can defined in the Ansible
inventory:
# ansible/inventory/host_vars/mail-server/postfix.yml
postfix__host_lookup_tables:
- name: 'ldap_virtual_recipients.cf`
state: 'append'
query_filter: '(&(|(mail=%s)(mailAlias=%s)))'
Please note that the configuration is defined in the postfix__*
variables,
not postldap__*
variables. It is also important to use the append
state
to make sure that the configuration is only applied when the
debops.postldap configuration is "active".
If you want to disable a part of the LDAP configuration defined in the Ansible
inventory, you can change the state to ignore
, which will then use the
definition from the role defaults.
Avoid any other states in this case, because the resulting configuration will be applied in different contexts, for example when you run the debops.postfix role directly, and will break your configuration.
After making your changes, you can apply them by running the command:
debops service/postldap -l mail-server -t role::postfix --diff
This will execute the debops.postfix role in the context of the debops.postldap role and correct set of variables will be active.
Example inventory
To install and configure Postfix Virtual Mail Server on a host,
it needs to be present in the [debops_service_postldap]
Ansible inventory group:
[debops_service_slapd]
ldap-server
[debops_service_postfix]
mail-server
[debops_service_postconf]
mail-server
[debops_service_postldap]
mail-server
The debops.postldap
playbook configures only the LDAP part of postfix
configuration, you should use the debops.postfix role and its playbook
to set up Postfix mail server. Additional useful configuration can be found in
the debops.postconf role.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.postldap
role:
---
- name: Manage Postfix service with Virtual Mail LDAP backend
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_service_postldap' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
pre_tasks:
- name: Prepare postfix environment
import_role:
name: 'postfix'
tasks_from: 'main_env'
vars:
postfix__dependent_packages:
- '{{ postldap__postfix__dependent_packages }}'
postfix__dependent_lookup_tables:
- '{{ postldap__postfix__dependent_lookup_tables }}'
postfix__dependent_maincf:
- role: 'postldap'
config: '{{ postldap__postfix__dependent_maincf }}'
tags: [ 'role::postfix:env', 'role::postfix', 'role::postldap', 'role::secret', 'role::ferm' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::postfix', 'role::postldap' ]
secret__directories:
- '{{ postfix__secret__directories }}'
- role: postldap
tags: [ 'role::postldap', 'skip::postldap', 'role::postfix' ]
- role: ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ postldap__ldap__dependent_tasks }}'
- role: postfix
tags: [ 'role::postfix', 'skip::postfix' ]
postfix__dependent_packages:
- '{{ postldap__postfix__dependent_packages }}'
postfix__dependent_lookup_tables:
- '{{ postldap__postfix__dependent_lookup_tables }}'
postfix__dependent_maincf:
- role: 'postldap'
config: '{{ postldap__postfix__dependent_maincf }}'