Introduce postfiy_type to differ between configuration types

2023-04-19 12:10:28 +02:00 · 2023-04-19 12:10:28 +02:00 · 237cfae5a5
parent 2c432028d0
commit 237cfae5a5
4 changed files with 34 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -8,9 +8,20 @@ Use this role to setup a Postfix mail server. It comes with the following additi
 - optional: [OnionMX](https://github.com/ehloonion/onionmx)
 - optional: Unbound

+## General type of mail server configuration
+
+You can select via the variable `postfix_type` a pre-defined set of configuraion options that best meets your needs.
+- `internet`: Mail is send received directly using SMTP. TLS is enabled.
+- `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.

 ## Variables

+### Required
+
+| Variable | Value | Default | Note |
+|--|--|--|--|
+| `postfix_type` | str | `internet` | Determines how to setup Postfix. Choose `internet` or `internal` |
+
 ### Scope: misc

 | Variable | Value | Default | Note |
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,6 +11,8 @@ postfix_daemon_dir: /usr/lib/postfix/sbin
 postfix_default_db_type: cdb
 postfix_dhparam_file: /etc/ssl/private/dhparam.pem
 postfix_pflogsum_mail_subject: "Mailserver Statistics"
+postfix_myhostname: "$myorigin"
+postfix_type: internet

 tls_helper_domains_file: tls_domains
 tls_helper_postfix_dir: /var/lib/postfix/tls-helper
--- a/templates/postfix/main.cf.j2
+++ b/templates/postfix/main.cf.j2
@ -1,6 +1,8 @@
 ### {{ ansible_managed }}

+{% if postfix_smtp_banner is defined %}
 smtpd_banner = {{ postfix_smtpd_banner }}
+{% endif %}

 {% if postfix_debug_peer_list is defined %}
 ### Debug Logging
@ -11,11 +13,18 @@ debug_peer_list = {{ postfix_debug_peer_list | join(', ') }}
 inet_interfaces = all
 inet_protocols = ipv4

-myhostname = $myorigin
+myhostname = {{ postfix_myhostname }}
+{% if postfix_myorigin is defined %}
 myorigin = {{ postfix_myorigin }}
+{% endif %}
+{% if postfix_mydestination is defined %}
 mydestination = {{ postfix_mydestination | join(', ') }}
+{% endif %}
+{% if postfix_mynetworks is defined %}
 mynetworks = {{ postfix_mynetworks | join(', ') }}
+{% endif %}

+{% if postfix_type == "internet" %}
 ### TLS settings
 tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
 tls_preempt_cipherlist = no
@ -58,6 +67,7 @@ smtp_tls_fingerprint_digest = sha1
 smtp_tls_loglevel = 1
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtp_pix_workarounds = disable_esmtp
+{% endif %}

 ### Domains and recipients
 {% if postfix_virtual_mailbox_domains is defined %}
@ -67,7 +77,6 @@ virtual_mailbox_domains =
 {% endfor %}
 {% endif %}
 {% if postfix_virtual_mailbox_maps is defined %}
-# Check for existing recipients
 virtual_mailbox_maps =
 {% for map in postfix_virtual_mailbox_maps %}
    {{ map.type }}:{{ map.path }}
@ -132,6 +141,7 @@ smtp_sasl_password_maps =
 smtp_sasl_security_options = noanonymous
 {% endif %}

+{% if postfix_type == "internet" %}
 #### Postscreen
 postscreen_access_list =
    permit_mynetworks
@ -150,7 +160,9 @@ postscreen_dnsbl_sites =
 {% endfor %}
 {% endif %}
 postscreen_dnsbl_action = drop
+{% endif %}

+{% if postfix_type == "internet" %}
 # Postfix runs restrictions with the following order
 # - smtpd_client_restriction
 # - smtpd_helo_restriction
@ -229,6 +241,7 @@ smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unverified_recipient
+{% endif %}

 # Configuration for reject_unverified_recipient
 unverified_recipient_reject_reason = User unknown / Nutzer unbekannt
@ -253,6 +266,7 @@ default_destination_concurrency_failed_cohort_limit = 10

 header_checks = pcre:{{ postfix_conf_dir }}/header_checks

+{% if postfix_type == "internet" %}
 ### Spam and DKIM
 {% if postfix_smtpd_milters is defined %}
 smtpd_milters =
@ -274,6 +288,7 @@ milter_connect_timeout = 20s

 # Prevent DKIM signatures (don't allow spam header to change the signature)
 disable_mime_output_conversion = yes
+{% endif %}

 ### Misc

--- a/templates/postfix/master.cf
+++ b/templates/postfix/master.cf
@ -4,9 +4,13 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
+{% if postfix_type == "internet" %}
 smtp      inet  n       -       y       -       1       postscreen
 smtpd     pass  -       -       y       -       100     smtpd
    -o cleanup_service_name=smtpd-in
+{% else %}
+smtp      inet  n       -       y       -       -       smtpd
+{% endif %}
 dnsblog   unix  -       -       y       -       0       dnsblog
 tlsproxy  unix  -       -       y       -       0       tlsproxy
 {% if postfix_submission is defined and postfix_submission %}