feat: add postfix-mta-sts-resolver

2023-07-16 23:31:52 +02:00 · 2023-07-16 23:31:52 +02:00 · 7d950a4b51
commit 7d950a4b51
parent 4eb3a4714f
7 changed files with 79 additions and 4 deletions
--- a/galaxy.yml
+++ b/galaxy.yml
@ -8,7 +8,7 @@ namespace: s3lph
 name: mailserver

 # The version of the collection. Must be compatible with semantic versioning
-version: '0.4.3'
+version: '0.4.4'

 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
--- a/roles/postfix/defaults/main/mta_sts_resolver.yml
+++ b/roles/postfix/defaults/main/mta_sts_resolver.yml
@ -0,0 +1,17 @@
+---
+
+postfix_mtastsresolver_host: 127.0.0.1
+postfix_mtastsresolver_port: 8461
+postfix_mtastsresolver_mode: "0666"
+postfix_mtastsresolver_reuse_port: true
+postfix_mtastsresolver_cache_grace: 60
+postfix_mtastsresolver_shutdown_timeout: 20
+postfix_mtastsresolver_cache_type: sqlite
+postfix_mtastsresolver_cache_internal_size: 10000
+postfix_mtastsresolver_cache_sqlite_filename: /var/lib/mta-sts/cache.db
+postfix_mtastsresolver_cache_sqlite_threads: "{{ ansible_facts.processor_vcpus }}"
+postfix_mtastsresolver_cache_sqlite_timeout: 5
+postfix_mtastsresolver_cache_redis_options: {}
+postfix_mtastsresolver_defaultzone_stricttesting: false
+postfix_mtastsresolver_defaultzone_timeout: 4
+postfix_mtastsresolver_zones: {}
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@ -10,5 +10,10 @@
    name: postfix
    state: reloaded

+- name: restart postfix-mta-sts-resolver
+  ansible.builtin.service:
+    name: postfix-mta-sts-resolver
+    state: restarted
+
 - name: postalias /etc/aliases
  ansible.builtin.command: postalias /etc/aliases
--- a/roles/postfix/tasks/config.yml
+++ b/roles/postfix/tasks/config.yml
@ -1,6 +1,6 @@
 ---

- name: render /etc/postfix/main.cf
+- name: Render /etc/postfix/main.cf
  ansible.builtin.template:
    src: etc/postfix/main.cf.j2
    dest: /etc/postfix/main.cf
@ -9,7 +9,7 @@
    mode: 0644
  notify: restart postfix

- name: render /etc/postfix/master.cf
+- name: Render /etc/postfix/master.cf
  ansible.builtin.template:
    src: etc/postfix/master.cf.j2
    dest: /etc/postfix/master.cf
@ -18,7 +18,7 @@
    mode: 0644
  notify: restart postfix

- name: render /etc/postfix-policyd-spf-python/policyd-spf.conf
+- name: Render /etc/postfix-policyd-spf-python/policyd-spf.conf
  ansible.builtin.template:
    src: etc/postfix-policyd-spf-python/policyd-spf.conf.j2
    dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
@ -26,3 +26,18 @@
    group: root
    mode: 0644
  notify: restart postfix
+
+- name: Render /etc/mta-sts-daemon.yml
+  ansible.builtin.template:
+    src: etc/mta-sts-daemon.yml.j2
+    dest: /etc/mta-sts-daemon.yml
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart postfix-mta-sts-resolver
+
+- name: Start and enable postfix-mta-sts-resolver
+  ansible.builtin.service:
+    name: postfix-mta-sts-resolver
+    state: started
+    enabled: true
--- a/roles/postfix/tasks/install.yml
+++ b/roles/postfix/tasks/install.yml
@ -7,3 +7,4 @@
      - postfix-mysql
      - mailutils
      - postfix-policyd-spf-python
+      - postfix-mta-sts-resolver
--- a/roles/postfix/templates/etc/mta-sts-daemon.yml.j2
+++ b/roles/postfix/templates/etc/mta-sts-daemon.yml.j2
@ -0,0 +1,33 @@
+---
+{{ ansible_managed | comment }}
+
+host: "{{ postfix_mtastsresolver_host }}"
+port: {{ postfix_mtastsresolver_port }}
+{% if postfix_mtastsresolver_path is defined -%}
+path: "{{ postfix_mtastsresolver_path }}"
+mode: {{ postfix_mtastsresolver_mode }}
+{% endif -%}
+reuse_port: {{ postfix_mtastsresolver_reuse_port | ternary('true', 'false') }}
+cache_grace: {{ postfix_mtastsresolver_cache_grace }}
+shutdown_timeout: {{ postfix_mtastsresolver_shutdown_timeout }}
+cache:
+  type: "{{ postfix_mtastsresolver_cache_type }}"
+  options:
+{% if postfix_mtastsresolver_cache_type == 'internal' -%}
+    cache_size: {{ postfix_mtastsresolver_cache_internal_size }}
+{% elif postfix_mtastsresolver_cache_type == 'sqlite' -%}
+    filename: "{{ postfix_mtastsresolver_cache_sqlite_filename }}"
+    threads: {{ postfix_mtastsresolver_cache_sqlite_threads }}
+    timeout: {{ postfix_mtastsresolver_cache_sqlite_timeout }}
+{% elif postfix_mtastsresolver_cache_type == 'redis' -%}
+    {{ postfix_mtastsresolver_cache_redis_options | to_yaml(indent=2) | indent(4) }}
+{% endif -%}
+default_zone:
+  strict_testing: {{ postfix_mtastsresolver_defaultzone_stricttesting | ternary('true', 'false') }}
+  timeout: {{ postfix_mtastsresolver_defaultzone_timeout }}
+zones:
+{% for zone, options in postfix_mtastsresolver_zones.items() -%}
+  {{ zone }}:
+    strict_testing: {{ options.strict_testing | default postfix_mtastsresolver_defaultzone_stricttesting | ternary('true', 'false') }}
+    timeout: {{ options.timeout | default postfix_mtastsresolver_defaultzone_timeout }}
+{% endfor -%}
--- a/roles/postfix/templates/etc/postfix/main.cf.j2
+++ b/roles/postfix/templates/etc/postfix/main.cf.j2
@ -91,6 +91,10 @@ tls_random_source = {{ postfix_tls_random_source }}
 # TLS - SMTP Client
 smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
 smtp_tls_session_cache_database = {{ postfix_smtp_tls_session_cache_database }}
+{% if postfix_mtastsresolver_socket is defined %}
+smtp_tls_policy_maps = {{ postfix_mtastsresolver_socket }}
+smtp_tls_CApath = /etc/ssl/certs/
+{% endif %}

 # Restrictions & Checks
 disable_vrfy_command = yes