ansible-role-postfix/README.md

92 lines
3.6 KiB
Markdown

Postfix
=======
Use this role to setup a Postfix mail server. It comes with the following additions:
- [Mail-TLS-Helper](https://github.com/systemli/mail-tls-helper)
- Fail2ban
- optional: [MTA-STS-Resolver](https://github.com/Snawoot/postfix-mta-sts-resolver)
- optional: [OnionMX](https://github.com/ehloonion/onionmx)
- optional: Unbound
## General type of mail server configuration
You can select via the variable `postfix_type` a pre-defined set of configuraion options that best meets your needs.
- `internet`: Mail is send received directly using SMTP. TLS is enabled.
- `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.
## Dual use of RSA and ECDSA certificates
Newer versions of Let's Encrypt clients (as of [Certbot 2.0.0](https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys)
or Dehydrated ) defaults to ECDSA certificates.
This could be a problem with older mail servers which only support RSA ciphers. Postfix can use both RSA and ECDSA certificates
at the same time.
If you use [Dehydrated](https://github.com/dehydrated-io/dehydrated) follow these steps:
- Add your domain to `/etc/dehydrated/domains.txt`:
```Shell
mx.example.org
```
- Add another entry to `/etc/dehydrated/domains.txt` for the RSA certificate and use the alias to force a different directory name:
```
mx.example.org
mx.example.org > mx.example.org_rsa
```
- Create the certificate's directory:
```Shell
mkdir /var/lib/dehydrated/certs/mx.example.org_rsa
chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa
```
- Create a config `/var/lib/dehydrated/certs/mx.example.org_rsa/config` with the following setting:
```
KEY_ALGO="rsa"
```
- Obtain the certificate:
```Shell
dehydrated --cron
```
- Add all certificates to Postfix' `main.cf`:
```
smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem
smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem
smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem
```
## Variables
### Required
| Variable | Value | Default | Note |
|--|--|--|--|
| `postfix_type` | str | `internet` | Determines how to setup Postfix. Choose `internet` or `internal` |
### Scope: misc
| Variable | Value | Default | Note |
|--|--|--|--|
| `unbound_install` | bool | | `True` if you whish to install unbound |
| `postfix_onionmx` | bool | | `True` to setup OnionMX delivery |
| `postfix_tls_herlp` | bool | `True` to setup Mail-TLS-Helper |
| `postfix_mydestination` | List | | List with hostnames |
| `postfix_mynetworks` | List | | List with network addresses |
### Scope: submission
| Variable | Value | Default | Note |
|--|--|--|--|
| `postfix_submission` | bool | | Set `True` to configure submission port settings |
| `postfix_submission_smtpd_tls_cert_file` | string | |Path to TLS cert file |
| `postfix_submission_smtpd_tls_key_file` | string | | Path to TLS key file |
| `postfix_submission_non_tls_port` | int | | Port number for an additional (internal) submission port without TLS |
### Scope: SASL Auth
| Variable | Value | Default | Note |
|--|--|--|--|
| `postfix_smtpd_sasl_type` | string | | |
| `postfix_smtpd_sasl_path` | string | | |
| `postfix_smtp_sasl_auth_enabled` | bool | `no` | |
| `postfix_smtp_sasl_auth_relay` | string | | Relay server which provides SASL-Auth |
| `postfix_smtp_sasl_auth_user` | string | | Username for SASL authentication |
| `postfix_smtp_sasl_auth_password` | string | | Password for SASL authenticatio |