Initial commit

2023-03-20 20:01:04 +01:00 · 2023-03-20 20:01:04 +01:00 · 11b84aa872
commit 11b84aa872
40 changed files with 995 additions and 0 deletions
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@ -0,0 +1,26 @@
+---
+- name: "Fail2ban | Copy jaiil file"
+  ansible.builtin.copy:
+    src: files/fail2ban/postfix-sasl.conf
+    dest: "{{ fail2ban_jail_dir }}/postfix-sasl.conf"
+    mode: "0644"
+  notify: reload fail2ban
+
+- name: "fail2ban | Copy SASL filter"
+  ansible.builtin.copy:
+    src: files/fail2ban/postfix-sasl.local
+    dest: "{{ fail2ban_filter_dir }}/postfix-sasl.local"
+    mode: "0644"
+  notify: reload fail2ban
+
+- name: "Fail2ban | Setup SASL logging"
+  ansible.builtin.lineinfile:
+    dest: /etc/rsyslog.d/postfix.conf
+    line: ':msg, contains, \"SASL\" /var/log/{{ mail_sasl_log }}'
+  notify: restart rsyslog
+
+- name: "Fail2ban | Setup logrotate"
+  ansible.builtin.template:
+    src: mail-sasl.j2
+    dest: /etc/logrotate.d/mail-sasl
+    mode: "0644"
--- a/tasks/hostname.yml
+++ b/tasks/hostname.yml
@ -0,0 +1,10 @@
+---
+- name: "Hostname | Set hostname"
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
+    use: systemd
+
+- name: "Hostname | Set hostname in /etc/hosts"
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    line: '127.0.0.1 {{ ansible_hostname }}'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,29 @@
+---
+- name: Packages
+  ansible.builtin.import_tasks: packages.yml
+  tags: packages
+
+- name: Postfix
+  ansible.builtin.import_tasks: postfix.yml
+  tags: postfix
+
+- name: OnionMX
+  ansible.builtin.import_tasks: onionmx.yml
+  tags: onionmx
+  when: postfix_onionmx is defined and postfix_onionmx
+
+- name: Fail2ban
+  ansible.builtin.import_tasks: fail2ban.yml
+  tags: fail2ban
+
+- name: TLS-helper
+  ansible.builtin.import_tasks: tls-helper.yml
+  tags: tls-helper
+
+- name: Hostname
+  ansible.builtin.import_tasks: hostname.yml
+  tags: hostname
+
+- name: Monitoring
+  ansible.builtin.import_tasks: monitoring.yml
+  tags: monitoring
--- a/tasks/monitoring.yml
+++ b/tasks/monitoring.yml
@ -0,0 +1,16 @@
+---
+- name: "Monitoring | Enable Monit monitoring for Postfix"
+  ansible.builtin.copy:
+    src: monit/postix
+    dest: /etc/monit/conf-enabled/postfix
+    mode: "0644"
+  notify: reload monit
+  when: "'monit' in ansible_facts.packages"
+
+- name: "Monitoring | Enable Monit Monitoring for MTA-STS"
+  ansible.builtin.copy:
+    src: monit/mta-sts-daemon
+    dest: /etc/monit/conf-enabled/mta-sts-daemon
+    mode: "0644"
+  notify: reload monit
+  when: "'monit' in ansible_facts.packages"
--- a/tasks/onionmx.yml
+++ b/tasks/onionmx.yml
@ -0,0 +1,22 @@
+---
+- name: "OnionMX | Install torsocks"
+  ansible.builtin.apt:
+    pkg: torsocks
+    cache_valid_time: 3600
+
+- name: "OnionMX | Copy script"
+  ansible.builtin.copy:
+    src: smtp_tor
+    dest: "{{ postfix_daemon_dir }}"
+    mode: "0755"
+
+- name: "OnionMX | Copy transport table"
+  ansible.builtin.template:
+    src: postfix/conf.d/transport_tor.j2
+    dest: "{{ postfix_conf_dir }}/transport_tor"
+    mode: "0644"
+
+- name: "OnionMX | Run postmap"
+  ansible.builtin.command:
+    cmd: "postmap {{ postfix_default_db_type }}:transport_tor"
+    chdir: "{{ postfix_conf_dir }}"
--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@ -0,0 +1,23 @@
+---
+- name: "Packages | Get installed packages"
+  ansible.builtin.package_facts:
+    manager: apt
+
+- name: "Packages | Install packages"
+  ansible.builtin.apt:
+    pkg:
+      - fail2ban
+      - libsasl2-modules
+      - pflogsumm
+      - pfqueue
+      - postfix
+      - postfix-cdb
+      - postfix-pcre
+      - postfix-mta-sts-resolver
+    cache_valid_time: 3600
+
+- name: "Packages | Install Unbound"
+  ansible.builtin.apt:
+    pkg:
+      - unbound
+  when: unbound_install is defined and unbound_install
--- a/tasks/postfix.yml
+++ b/tasks/postfix.yml
@ -0,0 +1,77 @@
+---
+- name: "Postfix | Copy main.cf"
+  ansible.builtin.template:
+    src: postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
+    mode: "0644"
+  notify: reload postfix
+
+- name: "Postfix | Copy master.cf"
+  ansible.builtin.template:
+    src: postfix/master.cf
+    dest: /etc/postfix/master.cf
+    mode: "0644"
+  notify: restart postfix
+
+- name: "Postfix | Create configuration directory"
+  ansible.builtin.file:
+    path: "{{ postfix_conf_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: "Postfix | Copy lookup tables"
+  ansible.builtin.copy:
+    src: "postfix/conf.d/{{ item }}"
+    dest: "{{ postfix_conf_dir }}/{{ item }}"
+    mode: "0644"
+  loop:
+    - bogus_mx
+    - header_checks
+    - header_checks_inbound
+
+- name: "Postfix | Copy lookup tables from templates"
+  ansible.builtin.template:
+    src: "postfix/conf.d/{{ item }}.j2"
+    dest: "{{ postfix_conf_dir }}/{{ item }}"
+    mode: "0644"
+  loop:
+    - bad_smtp_auth_users
+    - client_checks
+    - destination_limit
+    - header_add
+    - header_treatment
+    - permit_sasl_login_mismatch
+    - postscreen_access
+    - relay_by_sender
+    - relay_checks
+    - sender_checks
+    - transport_global_exceptions
+    - transport_relay
+  notify: reload postfix
+
+- name: "Postfix | Run postmap"
+  ansible.builtin.command: "postmap {{ item.table | default('cdb') }}:{{ item.file }}"
+  args:
+    chdir: "{{ postfix_conf_dir }}"
+  changed_when: false
+  notify: reload postfix
+  loop:
+    - file: bad_smtp_auth_users
+    - file: client_checks
+    - file: destination_limit
+    - file: permit_sasl_login_mismatch
+    - file: relay_checks
+    - file: sender_checks
+    - file: transport_relay
+
+- name: "Postfix | Create dhparam file"
+  community.crypto.openssl_dhparam:
+    path: "{{ postfix_dhparam_file }}"
+    size: 4096
+
+- name: "Postfix | Setup cron job for pflogsum"
+  ansible.builtin.cron:
+    name: "Ansible: Daily pflogsum statistics"
+    job: /usr/sbin/pflogsumm --detail 8 --problems-first --no-no-msg-size --reject-detail 12 /var/log/mail.log.1 | mail -s "{{ postfix_pflogsum_mail_subject }} ({{ inventory_hostname }})" {{ postfix_pflogsum_recipient }}
+    hour: "06"
+    minute: "24"
--- a/tasks/tls-helper.yml
+++ b/tasks/tls-helper.yml
@ -0,0 +1,65 @@
+---
+- name: "TLS-helper | Clone repository"
+  ansible.builtin.git:
+    repo: "https://github.com/systemli/mail-tls-helper.git"
+    dest: "/opt/mail-tls-helper"
+    version: main
+
+- name: "TLS-helper | Copy Readme"
+  ansible.builtin.copy:
+    src: mail-tls-helper/readme.txt
+    dest: /opt/mail-tls-helper/
+    mode: "0644"
+
+- name: "TLS-help | Copy allowlist"
+  ansible.builtin.template:
+    src: postfix/allowlist.txt
+    dest: /opt/mail-tls-helper/allowlist.txt
+    mode: "0644"
+
+- name: "TLS-helper | Create directory"
+  ansible.builtin.file:
+    path: "{{ tls_helper_postfix_dir }}"
+    state: directory
+    owner: postfix
+    group: postfix
+    mode: "0755"
+
+- name: "TLS-helper | Create transport map"
+  ansible.builtin.file:
+    path: "{{ tls_helper_postfix_dir }}/{{ tls_helper_domains_file }}"
+    state: touch
+    owner: postfix
+    group: postfix
+    mode: "0644"
+
+- name: "TLS-helper | Run postmap"
+  ansible.builtin.command:
+    cmd: "postmap {{ postfix_default_db_type }}:{{ tls_helper_domains_file }}"
+    chdir: "{{ tls_helper_postfix_dir }}"
+
+- name: "TLS-helper | Link files"
+  ansible.builtin.file:
+    path: "{{ postfix_conf_dir }}/{{ item }}"
+    src: "{{ tls_helper_postfix_dir }}/{{ item }}"
+    state: link
+  loop:
+    - "{{ tls_helper_domains_file }}"
+    - "{{ tls_helper_domains_file }}.{{ postfix_default_db_type }}"
+
+- name: "TLS-helper | Remove default logrotate configuration for mail logging"
+  ansible.builtin.lineinfile:
+    path: /etc/logrotate.d/rsyslog
+    line: "{{ item }}"
+    state: absent
+  loop:
+    - /var/log/mail.info
+    - /var/log/mail.warn
+    - /var/log/mail.err
+    - /var/log/mail.log
+
+- name: "TLS-helper | Create new logrotate configuration"
+  ansible.builtin.template:
+    src: logrotate.conf
+    dest: /etc/logrotate.d/maillog
+    mode: "0644"