
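---
# Builds and runs a Postfix mail relay as a Docker container. The play writes
# the Dockerfile, the compose file and the Postfix configuration under
# mail_relay_dir, generates a self-signed TLS key pair, starts the container
# and finally loads the relay credentials into Postfix (postmap/postalias)
# and into the Cyrus SASL database.
- name: Setup and Configure Mail Relay Docker Container
  hosts: all
  become: true
  vars:
    # Smarthost API key. The default is only a placeholder; the first task
    # refuses to run while it is still in place so that it can never end up
    # in smtp_sasl_password_maps.
    password: "Must be set - see ITM"
    mail_relay_dir: /mnt/docker/mail-relay
    conf_dir: "{{ mail_relay_dir }}/conf"
    # NOTE(review): a lookup in vars is evaluated lazily on every reference,
    # so this value differs between references and between runs, and nothing
    # in this play records it. Reference it exactly once (the saslpasswd2
    # task below) and keep no_log on every task that uses it.
    mail_relay_password: "{{ lookup('community.general.random_string', length=10, special=false) }}"
    certificate_subject:
      commonName: "localhost"
      countryName: "DE"
      stateOrProvinceName: "Germany"
      localityName: "NRW"
      organizationName: "Asmodee Group"
      organizationalUnitName: "Mail-Relay"
      emailAddress: "it-admin@asmodee.de"
  tasks:
    - name: Refuse to run with the placeholder smarthost password
      ansible.builtin.assert:
        that:
          - password is defined
          - password != "Must be set - see ITM"
        fail_msg: "Set 'password' (the smarthost API key) before running this play"

    - name: Ensure the Python libraries used by the crypto and docker modules are installed
      ansible.builtin.pip:
        # One list instead of three 'name' keys: YAML keeps only the last
        # duplicate key, so the original task installed docker-compose alone.
        name:
          - "cryptography>=1.2.3"
          - docker
          - docker-compose

    - name: Create necessary directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop:
        - "{{ mail_relay_dir }}"
        - "{{ conf_dir }}"
        - "{{ mail_relay_dir }}/spool"
        - "{{ mail_relay_dir }}/sasl2"

    - name: Create Dockerfile for mail relay
      ansible.builtin.copy:
        # Derived from mail_relay_dir instead of repeating the absolute path.
        dest: "{{ mail_relay_dir }}/mail-relay.Dockerfile"
        content: |
          FROM alpine:3.17
          RUN apk add --no-cache bash net-tools tzdata busybox-extras postfix cyrus-sasl cyrus-sasl-static cyrus-sasl-login
          RUN echo 'saslauthd -a sasldb -V; postfix start-fg' | tee /start.sh; chmod 755 /start.sh
          CMD /start.sh

    - name: Create Docker Compose file
      ansible.builtin.copy:
        dest: "{{ mail_relay_dir }}/docker-compose.yaml"
        content: |
          version: "3"
          services:
            mail-relay:
              image: mail-relay-custom
              build:
                context: .
                dockerfile: ./mail-relay.Dockerfile
              container_name: mail-relay
              restart: unless-stopped
              healthcheck:
                test: ( grep -qr "master" /proc/*/status && grep -qr "saslauthd" /proc/*/status ) || exit 1
                interval: 1m
                timeout: 30s
                retries: 3
              volumes:
                - /etc/timezone:/etc/timezone:ro
                - /etc/localtime:/etc/localtime:ro
                - {{ conf_dir }}/main.cf:/etc/postfix/main.cf:ro
                - {{ conf_dir }}/master.cf:/etc/postfix/master.cf:ro
                # The maps, aliases, header checks and TLS files are written
                # straight into conf_dir and main.cf reads them from
                # /etc/postfix/conf, so conf_dir itself is mounted there
                # (read-write: postmap/postalias write the .lmdb files here).
                - {{ conf_dir }}:/etc/postfix/conf
                # spool and sasl2 are created under mail_relay_dir, not conf_dir.
                - {{ mail_relay_dir }}/spool:/var/spool/postfix
                - {{ mail_relay_dir }}/sasl2:/etc/sasl2
          networks:
            default:
              name: build
              external: true

    - name: Create main.cf Postfix configuration file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/main.cf"
        content: |
          # Global Postfix configuration file
          alias_maps = lmdb:/etc/postfix/conf/aliases
          alias_database = lmdb:/etc/postfix/conf/aliases
          myhostname = mail-relay
          mynetworks_style = host
          inet_interfaces = all
          inet_protocols = ipv4
          message_size_limit = 10240000
          soft_bounce = no
          # Queue Time
          bounce_queue_lifetime = 10h
          maximal_queue_lifetime = 12h
          maximal_backoff_time = 15m
          minimal_backoff_time = 5m
          queue_run_delay = 5m
          # TLS for smtp
          smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
          smtp_tls_loglevel = 1
          smtp_tls_security_level = secure
          smtp_tls_mandatory_ciphers = high
          smtp_tls_secure_cert_match = nexthop
          smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
          # Send over Smarthost (outgoing Emails)
          smtp_connection_cache_on_demand = no
          smtp_sender_dependent_authentication = yes
          smtp_sasl_type = cyrus
          smtp_sasl_auth_enable = yes
          smtp_sasl_auth_soft_bounce = yes
          smtp_sasl_security_options = noplaintext, noanonymous
          smtp_sasl_tls_security_options = noanonymous
          smtp_sasl_password_maps = lmdb:/etc/postfix/conf/smtp_sasl_password_maps
          sender_dependent_relayhost_maps = lmdb:/etc/postfix/conf/sender_dependent_relayhost_maps
          # Cleanup the Header
          smtp_header_checks = regexp:/etc/postfix/conf/smtp_header_checks
          # SASL authentication (incoming Emails)
          # NOTE(review): with smtpd_tls_security_level = may and only
          # 'noanonymous' here, PLAIN/LOGIN is accepted over an unencrypted
          # port-25 session; submission and smtps in master.cf already force
          # TLS. Add 'noplaintext' if all clients can be required to use TLS.
          broken_sasl_auth_clients = no
          smtpd_tls_auth_only = no
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_tls_security_options = noanonymous
          smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_destination
          smtpd_relay_restrictions = $smtpd_sender_restrictions
          # TLS for smtpd
          smtpd_tls_security_level = may
          smtpd_tls_cert_file = /etc/postfix/conf/server.crt
          smtpd_tls_key_file = /etc/postfix/conf/server.key
          # connection limits
          smtpd_client_connection_rate_limit = 0
          smtpd_client_connection_count_limit = 0
          # Logging for Docker Container
          maillog_file = /dev/stdout

    - name: Create master.cf Postfix configuration file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/master.cf"
        # '-o' continuation lines must start with whitespace in master.cf;
        # the extra indent inside the block scalar is preserved by YAML.
        content: |
          # Postfix master process configuration file
          #
          # ==========================================================================
          # service type  private unpriv  chroot  wakeup  maxproc command + args
          #               (yes)   (yes)   (no)    (never) (100)
          # ==========================================================================
          smtp       inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/smtp
          submission inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/submission
            -o smtpd_tls_security_level=encrypt
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_tls_auth_only=yes
          smtps      inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/smtps
            -o smtpd_tls_wrappermode=yes
            -o smtpd_sasl_auth_enable=yes
          pickup     unix  n       -       n       60      1       pickup
          cleanup    unix  n       -       n       -       0       cleanup
          qmgr       unix  n       -       n       300     1       qmgr
          tlsmgr     unix  -       -       n       1000?   1       tlsmgr
          rewrite    unix  -       -       n       -       -       trivial-rewrite
          bounce     unix  -       -       n       -       0       bounce
          defer      unix  -       -       n       -       0       bounce
          trace      unix  -       -       n       -       0       bounce
          verify     unix  -       -       n       -       1       verify
          flush      unix  n       -       n       1000?   0       flush
          proxymap   unix  -       -       n       -       -       proxymap
          proxywrite unix  -       -       n       -       1       proxymap
          smtp       unix  -       -       n       -       -       smtp
          relay      unix  -       -       n       -       -       smtp
            -o syslog_name=postfix/$service_name
          showq      unix  n       -       n       -       -       showq
          error      unix  -       -       n       -       -       error
          retry      unix  -       -       n       -       -       error
          discard    unix  -       -       n       -       -       discard
          local      unix  -       n       n       -       -       local
          virtual    unix  -       n       n       -       -       virtual
          lmtp       unix  -       -       n       -       -       lmtp
          anvil      unix  -       -       n       -       1       anvil
          scache     unix  -       -       n       -       1       scache
          postlog    unix-dgram n  -       n       -       1       postlogd

    - name: Generate RSA private key
      community.crypto.openssl_privatekey:
        path: "{{ conf_dir }}/server.key"
        size: 4096
        # Created with the final permissions so the key is never world-readable,
        # not even between this task and the permissions task below.
        mode: "0600"

    - name: Create a CSR (Certificate Signing Request)
      community.crypto.openssl_csr:
        path: "{{ conf_dir }}/server.csr"
        privatekey_path: "{{ conf_dir }}/server.key"
        subject: "{{ certificate_subject }}"

    - name: Generate a Self Signed OpenSSL certificate
      community.crypto.x509_certificate:
        path: "{{ conf_dir }}/server.crt"
        privatekey_path: "{{ conf_dir }}/server.key"
        csr_path: "{{ conf_dir }}/server.csr"
        provider: selfsigned

    - name: Set permissions for server.key
      ansible.builtin.file:
        path: "{{ conf_dir }}/server.key"
        # 0644 made the TLS private key readable by every local user; Postfix
        # loads the key as root before dropping privileges, so 0600 suffices.
        mode: "0600"

    - name: Create smtp_sasl_password_maps file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/smtp_sasl_password_maps"
        content: "mail@notifications.asmodee.de apikey:{{ password }}"
        mode: "0600"
      # The content is the smarthost API key; keep it out of the task output.
      no_log: true

    - name: Create sender_dependent_relayhost_maps file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/sender_dependent_relayhost_maps"
        content: "mail@notifications.asmodee.de [smtp.sendgrid.net]:"

    - name: Create aliases file
      ansible.builtin.file:
        path: "{{ conf_dir }}/aliases"
        state: touch
        # Keep timestamps so the task is idempotent instead of reporting
        # 'changed' on every run.
        modification_time: preserve
        access_time: preserve

    - name: Create smtp_header_checks file
      ansible.builtin.copy:
        dest: "{{ conf_dir }}/smtp_header_checks"
        content: |
          /^Received:/ IGNORE
          /^User-Agent:/ IGNORE
          /^Message-ID:/ IGNORE
          /^X-Originating-ip:/ IGNORE
          /^X-Forward:/ IGNORE
          /^X-Mailer:/ IGNORE
          /^X-Virus-/ IGNORE
          /^X-Spam-/ IGNORE

    - name: Start Docker container with Docker Compose
      # NOTE(review): this module relies on the docker-compose Python package
      # installed above; newer community.docker releases replace it with
      # docker_compose_v2 — check the installed collection version.
      community.docker.docker_compose:
        project_src: "{{ mail_relay_dir }}"
        state: present
        restarted: true

    - name: Update Postfix maps and aliases
      community.docker.docker_container_exec:
        container: mail-relay
        command: "{{ item }}"
      loop:
        - "postmap /etc/postfix/conf/smtp_sasl_password_maps"
        - "postmap /etc/postfix/conf/sender_dependent_relayhost_maps"
        - "postalias /etc/postfix/conf/aliases"

    - name: Set the SASL password for the relay user
      community.docker.docker_container_exec:
        container: mail-relay
        command: saslpasswd2 -c -p -u mail-relay relay-apikey
        # Fed on stdin instead of "sh -c 'echo <secret> | ...'" so the
        # password does not show up in the container's process list or in
        # the task arguments; the trailing newline matches what echo produced.
        stdin: "{{ mail_relay_password }}"
      no_log: true

    - name: Restrict access to the SASL database
      community.docker.docker_container_exec:
        container: mail-relay
        command: sh -c 'chmod 640 /etc/sasl2/sasldb2; chown root:postfix /etc/sasl2/sasldb2'

    - name: List SASL users
      community.docker.docker_container_exec:
        container: mail-relay
        command: "sasldblistusers2"
      # Read-only inspection; do not report it as a change.
      changed_when: false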