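---
# Builds and runs a Postfix mail relay in Docker. Inbound clients authenticate
# against a local sasldb; outbound mail is handed to the smarthost listed in
# sender_dependent_relayhost_maps using the credentials in smtp_sasl_password_maps.
#
# Required extra var (not defined in this play, supply via -e or a vault file):
#   password - API key written into smtp_sasl_password_maps
- name: Setup and Configure Mail Relay Docker Container
  hosts: all
  become: true

  vars:
    mail_relay_dir: /mnt/docker/mail-relay
    conf_dir: "{{ mail_relay_dir }}/conf"
    # A lookup placed in `vars` is re-evaluated on every reference, so each
    # templating of this variable yields a different string. It is referenced
    # exactly once below (saslpasswd2) and is never reported, so clients have
    # no way to learn it: override it with -e / vault when a known, stable
    # relay password is needed. Keep it free of shell-special characters, as
    # it is interpolated into a `sh -c` command line (the default, with
    # special=false, is alphanumeric).
    mail_relay_password: "{{ lookup('community.general.random_string', length=10, special=false) }}"
    certificate_subject: "/C=DE/ST=Germany/L=NRW/O=Asmodee Group/OU=Mail-Relay/CN=localhost/name=Mail-Relay/emailAddress=it-admin@asmodee.de"

  tasks:
    # Fail early with a clear message instead of an undefined-variable error
    # halfway through, after the container has already been (re)built.
    - name: Ensure the smarthost API key was supplied
      ansible.builtin.assert:
        that:
          - password is defined
          - password | length > 0
        fail_msg: "Variable 'password' (smarthost API key) must be supplied, e.g. via -e or a vault file"
        quiet: true

    - name: Create necessary directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop:
        - "{{ mail_relay_dir }}"
        - "{{ conf_dir }}"
        - "{{ mail_relay_dir }}/spool"
        - "{{ mail_relay_dir }}/sasl2"

    # Destination derived from mail_relay_dir (was hard-coded) so a single
    # variable override relocates the whole deployment.
    - name: Create Dockerfile for mail relay
      ansible.builtin.copy:
        dest: "{{ mail_relay_dir }}/mail-relay.Dockerfile"
        content: |
          FROM alpine:3.17
          RUN apk add --no-cache bash net-tools tzdata busybox-extras postfix cyrus-sasl cyrus-sasl-static cyrus-sasl-login
          # saslauthd daemonizes and returns; postfix is then exec'd so it
          # becomes PID 1 and receives the container's stop signal directly.
          RUN printf '#!/bin/sh\nsaslauthd -a sasldb -V\nexec postfix start-fg\n' > /start.sh && chmod 755 /start.sh
          CMD /start.sh

    - name: Create Docker Compose file
      ansible.builtin.copy:
        dest: "{{ mail_relay_dir }}/docker-compose.yaml"
        content: |
          version: "3"
          services:
            mail-relay:
              image: mail-relay-custom
              build:
                context: .
                dockerfile: ./mail-relay.Dockerfile
              container_name: mail-relay
              restart: unless-stopped
              healthcheck:
                test: ( grep -qr "master" /proc/*/status && grep -qr "saslauthd" /proc/*/status ) || exit 1
                interval: 1m
                timeout: 30s
                retries: 3
              volumes:
                - /etc/timezone:/etc/timezone:ro
                - /etc/localtime:/etc/localtime:ro
                - ./main.cf:/etc/postfix/main.cf:ro
                - ./master.cf:/etc/postfix/master.cf:ro
                - ./conf:/etc/postfix/conf
                - ./spool:/var/spool/postfix
                - ./sasl2:/etc/sasl2
          networks:
            default:
              name: build
              external: true

    # NOTE(review): smtpd_sasl_auth_enable=yes together with
    # smtpd_tls_auth_only=no means the port-25 listener in master.cf accepts
    # SASL credentials over an unencrypted connection. Set
    # `smtpd_tls_auth_only = yes` here (or `-o smtpd_sasl_auth_enable=no` on
    # the smtp service) once all clients use submission/smtps.
    - name: Create main.cf Postfix configuration file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/main.cf"
        content: |
          # Global Postfix configuration file
          alias_maps = lmdb:/etc/postfix/conf/aliases
          alias_database = lmdb:/etc/postfix/conf/aliases
          myhostname = mail-relay
          mynetworks_style = host
          inet_interfaces = all
          inet_protocols = ipv4
          message_size_limit = 10240000
          soft_bounce = no

          # Queue Time
          bounce_queue_lifetime = 10h
          maximal_queue_lifetime = 12h
          maximal_backoff_time = 15m
          minimal_backoff_time = 5m
          queue_run_delay = 5m

          # TLS for smtp
          smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
          smtp_tls_loglevel = 1
          smtp_tls_security_level = secure
          smtp_tls_mandatory_ciphers = high
          smtp_tls_secure_cert_match = nexthop
          smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

          # Send over Smarthost (outgoing Emails)
          smtp_connection_cache_on_demand = no
          smtp_sender_dependent_authentication = yes
          smtp_sasl_type = cyrus
          smtp_sasl_auth_enable = yes
          smtp_sasl_auth_soft_bounce = yes
          smtp_sasl_security_options = noplaintext, noanonymous
          smtp_sasl_tls_security_options = noanonymous
          smtp_sasl_password_maps = lmdb:/etc/postfix/conf/smtp_sasl_password_maps
          sender_dependent_relayhost_maps = lmdb:/etc/postfix/conf/sender_dependent_relayhost_maps

          # Cleanup the Header
          smtp_header_checks = regexp:/etc/postfix/conf/smtp_header_checks

          # SASL authentication (incoming Emails)
          broken_sasl_auth_clients = no
          smtpd_tls_auth_only = no
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_tls_security_options = noanonymous
          smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_destination
          smtpd_relay_restrictions = $smtpd_sender_restrictions

          # TLS for smtpd
          smtpd_tls_security_level = may
          smtpd_tls_cert_file = /etc/postfix/conf/server.crt
          smtpd_tls_key_file = /etc/postfix/conf/server.key

          # connection limits
          smtpd_client_connection_rate_limit = 0
          smtpd_client_connection_count_limit = 0

          # Logging for Docker Container
          maillog_file = /dev/stdout

    - name: Create master.cf Postfix configuration file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/master.cf"
        content: |
          # Postfix master process configuration file
          #
          # ==========================================================================
          # service type  private unpriv  chroot  wakeup  maxproc command + args
          #               (yes)   (yes)   (no)    (never) (100)
          # ==========================================================================
          smtp      inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/smtp
          submission inet n       -       n       -       -       smtpd
            -o syslog_name=postfix/submission
            -o smtpd_tls_security_level=encrypt
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_tls_auth_only=yes
          smtps     inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/smtps
            -o smtpd_tls_wrappermode=yes
            -o smtpd_sasl_auth_enable=yes
          pickup    unix  n       -       n       60      1       pickup
          cleanup   unix  n       -       n       -       0       cleanup
          qmgr      unix  n       -       n       300     1       qmgr
          tlsmgr    unix  -       -       n       1000?   1       tlsmgr
          rewrite   unix  -       -       n       -       -       trivial-rewrite
          bounce    unix  -       -       n       -       0       bounce
          defer     unix  -       -       n       -       0       bounce
          trace     unix  -       -       n       -       0       bounce
          verify    unix  -       -       n       -       1       verify
          flush     unix  n       -       n       1000?   0       flush
          proxymap  unix  -       -       n       -       -       proxymap
          proxywrite unix -       -       n       -       1       proxymap
          smtp      unix  -       -       n       -       -       smtp
          relay     unix  -       -       n       -       -       smtp
            -o syslog_name=postfix/$service_name
          showq     unix  n       -       n       -       -       showq
          error     unix  -       -       n       -       -       error
          retry     unix  -       -       n       -       -       error
          discard   unix  -       -       n       -       -       discard
          local     unix  -       n       n       -       -       local
          virtual   unix  -       n       n       -       -       virtual
          lmtp      unix  -       -       n       -       -       lmtp
          anvil     unix  -       -       n       -       1       anvil
          scache    unix  -       -       n       -       1       scache
          postlog   unix-dgram n  -       n       -       1       postlogd

    - name: Generate RSA private key
      openssl_privatekey:
        path: "{{ conf_dir }}/server.key"
        size: 4096

    # NOTE(review): certificate_subject is passed as a slash-delimited string;
    # the community.crypto certificate modules take the subject from a CSR,
    # not from a `subject` string. Verify the issued certificate actually
    # carries the intended CN (a CSR task may be needed).
    - name: Generate a Self Signed OpenSSL certificate
      openssl_certificate:
        path: "{{ conf_dir }}/server.crt"
        privatekey_path: "{{ conf_dir }}/server.key"
        subject: "{{ certificate_subject }}"
        provider: selfsigned

    # The TLS private key must not be world-readable (previously 0644).
    # Postfix loads it with root privileges before dropping to the
    # unprivileged user, so 0600 is sufficient.
    - name: Set permissions for server.key
      ansible.builtin.file:
        path: "{{ conf_dir }}/server.key"
        mode: '0600'

    # `password` is the smarthost API key; no_log keeps it out of task output
    # (verbose runs otherwise print module arguments, including `content`).
    - name: Create smtp_sasl_password_maps file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/smtp_sasl_password_maps"
        content: "mail@notifications.asmodee.de apikey:{{ password }}"
        mode: '0600'
      no_log: true

    - name: Create sender_dependent_relayhost_maps file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/sender_dependent_relayhost_maps"
        content: "mail@notifications.asmodee.de [smtp.sendgrid.net]:"

    # Preserve timestamps so an existing file is not reported as changed on
    # every run; the file is still created when missing.
    - name: Create aliases file
      ansible.builtin.file:
        path: "{{ conf_dir }}/aliases"
        state: touch
        modification_time: preserve
        access_time: preserve

    - name: Create smtp_header_checks file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/smtp_header_checks"
        content: |
          /^Received:/ IGNORE
          /^User-Agent:/ IGNORE
          /^Message-ID:/ IGNORE
          /^X-Originating-ip:/ IGNORE
          /^X-Forward:/ IGNORE
          /^X-Mailer:/ IGNORE
          /^X-Virus-/ IGNORE
          /^X-Spam-/ IGNORE

    - name: Start Docker container with Docker Compose
      community.docker.docker_compose:
        project_src: "{{ mail_relay_dir }}"
        state: present
        restarted: true

    # The lmdb: tables referenced in main.cf are compiled inside the container
    # so the postmap/postalias binaries match the running Postfix build.
    - name: Update Postfix maps and aliases
      community.docker.docker_container_exec:
        container: mail-relay
        command: "{{ item }}"
      loop:
        - "postmap /etc/postfix/conf/smtp_sasl_password_maps"
        - "postmap /etc/postfix/conf/sender_dependent_relayhost_maps"
        - "postalias /etc/postfix/conf/aliases"

    # `saslpasswd2 -c` (re)creates the user on every run, so each run with the
    # default random password rotates the relay credential. no_log keeps the
    # password out of task output; it also hides this task's error output.
    - name: Configure SASL password and permissions
      community.docker.docker_container_exec:
        container: mail-relay
        command: "sh -c 'echo {{ mail_relay_password }} | saslpasswd2 -c -p -u mail-relay relay-apikey; chmod 640 /etc/sasl2/sasldb2; chown root:postfix /etc/sasl2/sasldb2'"
      no_log: true

    # Read-only listing; never a change to the managed state.
    - name: List SASL users
      community.docker.docker_container_exec:
        container: mail-relay
        command: "sasldblistusers2"
      changed_when: false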