postfix
Set up a postfix server in Debian-like systems.
Requirements
None
Variables
-
postfix_install[default:[postfix, mailutils, libsasl2-2, sasl2-bin, libsasl2-modules]]: Packages to install -
postfix_hostname[default:{{ ansible_fqdn }}]: Host name, used formyhostnameand inmydestination -
postfix_mailname[default:{{ ansible_fqdn }}]: Mail name (in/etc/mailname), used formyorigin -
postfix_compatibility_level[optional]: With backwards compatibility turned on (the compatibility_level value is less than the Postfix built-in value), Postfix looks for settings that are left at their implicit default value, and logs a message when a backwards-compatible default setting is required (e.g.2,Postfix >= 3.0) -
postfix_default_database_type[default:hash]: The default database type for use innewaliases,postaliasandpostmapcommands -
postfix_aliases[default:[]]: Aliases to ensure present in/etc/aliases -
postfix_virtual_aliases[default:[]]: Virtual aliases to ensure present in/etc/postfix/virtual -
postfix_sender_canonical_maps[default:[]]: Sender address rewriting in/etc/postfix/sender_canonical_maps(see) -
postfix_sender_canonical_maps_database_type[default:"{{ postfix_default_database_type }}"]: The database type for use inpostfix_sender_canonical_maps -
postfix_recipient_canonical_maps[default:[]]: Recipient address rewriting in/etc/postfix/recipient_canonical_maps(see) -
postfix_recipient_canonical_maps_database_type[default:"{{ postfix_default_database_type }}"]: The database type for use inpostfix_recipient_canonical_maps -
postfix_transport_maps[default:[]]: Transport mapping based on recipient address/etc/postfix/transport_maps(see) -
postfix_transport_maps_database_type[default:"{{ postfix_default_database_type }}"]: The database type for use inpostfix_transport_maps -
postfix_sender_dependent_relayhost_maps[default:[]]: Transport mapping based on sender address/etc/postfix/sender_dependent_relayhost_maps(see) -
postfix_header_checks[default:[]]: Lookup tables for content inspection of primary non-MIME message headers/etc/postfix/header_checks(see) -
postfix_header_checks_database_type[default:regexp]: The database type for use inheader_checks -
postfix_generic[default:postfix_smtp_generic_maps]: Deprecated, usepostfix_smtp_generic_maps -
postfix_smtp_generic_maps[default:[]]: Generic table address mapping in/etc/postfix/generic(see) -
postfix_smtp_generic_maps_database_type[default:"{{ postfix_default_database_type }}"]: The database type for use insmtp_generic_maps -
postfix_mydestination[default:["{{ postfix_hostname }}", 'localdomain', 'localhost', 'localhost.localdomain']]: Specifies what domains this machine will deliver locally, instead of forwarding to another machine -
postfix_mynetworks[default:['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']]: The list of "trusted" remote SMTP clients that have more privileges than "strangers" -
postfix_inet_interfaces[default:all]: Network interfaces to bind (see) -
postfix_inet_protocols[default:all]: The Internet protocols Postfix will attempt to use when making or accepting connections (see) -
postfix_relayhost[default:''(no relay host)]: Hostname to relay all email to -
postfix_relayhost_mxlookup[default:false(not using mx lookup)]: Lookup for MX record instead of A record for relayhost -
postfix_relayhost_port[default: 587]: Relay port (onpostfix_relayhost, if set) -
postfix_relaytls[default:false]: Use TLS when sending with a relay host -
postfix_smtpd_client_restrictions[optional]: List of client restrictions (see) -
postfix_smtpd_helo_restrictions[optional]: List of helo restrictions (see) -
postfix_smtpd_sender_restrictions[optional]: List of sender restrictions (see) -
postfix_smtpd_recipient_restrictions[optional]: List of recipient restrictions (see) -
postfix_smtpd_relay_restrictions[optional]: List of access restrictions for mail relay control (see) -
postfix_smtpd_data_restrictions[optional]: List of data restrictions (see) -
postfix_sasl_auth_enable[default:true]: Enable SASL authentication in the SMTP client -
postfix_sasl_user[default:postmaster@{{ ansible_domain }}]: SASL relay username -
postfix_sasl_password[default:k8+haga4@#pR]: SASL relay password Make sure to change! -
postfix_sasl_security_options[default:noanonymous]: SMTP client SASL security options -
postfix_sasl_tls_security_option[default:noanonymous]: SMTP client SASL TLS security options -
postfix_sasl_mechanism_filter[default:'']: SMTP client SASL authentication mechanism filter (see) -
postfix_smtp_tls_security_level[default:encrypt]: The default SMTP TLS security level for the Postfix SMTP client (see) -
postfix_smtp_tls_wrappermode[default:false]: Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command (see) -
postfix_smtp_tls_note_starttls_offer[default:true]: Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server (see) -
postfix_smtp_tls_cafile[optional]: A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates (e.g./etc/ssl/certs/ca-certificates.crt) -
postfix_smtpd_banner[default:$myhostname ESMTP $mail_name (Ubuntu)]: Greeting banner You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol. -
postfix_disable_vrfy_command[default:true]: Disable theSMTP VRFYcommand. This stops some techniques used to harvest email addresses -
postfix_message_size_limit[default:10240000]: The maximal size in bytes of a message, including envelope information -
postfix_smtpd_tls_cert_file[default:/etc/ssl/certs/ssl-cert-snakeoil.pem]: Path to certificate file -
postfix_smtpd_tls_key_file[default:/etc/ssl/certs/ssl-cert-snakeoil.key]: Path to key file -
postfix_raw_options[default:[]]: List of lines (to pass extra (unsupported) configuration)
Dependencies
debconfdebconf-utils
Example(s)
A simple example that doesn't use SASL relaying:
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: [email protected]A simple example with virtual aliases for mail forwarding that doesn't use SASL relaying:
---
- hosts: all
roles:
- postfix
vars:
postfix_mydestination:
- "{{ postfix_hostname }}"
- '$mydomain'
- localdomain
- localhost
- localhost.localdomain
postfix_virtual_aliases:
- virtual: [email protected]
alias: [email protected]
- virtual: [email protected]
alias: [email protected], [email protected]A simple example that rewrites the sender address:
---
- hosts: all
roles:
- postfix
vars:
postfix_sender_canonical_maps:
- sender: root
rewrite: [email protected]Provide the relay host name if you want to enable relaying:
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: [email protected]
postfix_relayhost: mail.yourdomain.orgProvide the relay domain name and use MX records if you want to enable relaying to DNS MX records of a domain:
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: [email protected]
postfix_relayhost: yourdomain.org
postfix_relayhost_mxlookup: trueConditional relaying:
---
- hosts: all
roles:
- postfix
vars:
postfix_transport_maps:
- pattern: '[email protected]'
result: ':'
- pattern: '*'
result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"
postfix_sender_dependent_relayhost_maps:
- pattern: '[email protected]'
result: 'DUNNO'
- pattern: '[email protected]'
result: 'DUNNO'
- pattern: '*'
result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"For AWS SES support:
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: [email protected]
postfix_relayhost: email-smtp.us-east-1.amazonaws.com
postfix_relaytls: true
# AWS IAM SES credentials (not access key):
postfix_sasl_user: AKIXXXXXXXXXXXXXXXXX
postfix_sasl_password: ASDFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFor MailHog support:
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: [email protected]
postfix_relayhost: "{{ ansible_lo['ipv4']['address'] }}"
postfix_relayhost_port: 1025
postfix_sasl_auth_enable: falseFor Gmail support:
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: [email protected]
postfix_relayhost: smtp.gmail.com
postfix_relaytls: true
postfix_smtp_tls_cafile: /etc/ssl/certs/ca-certificates.crt
postfix_sasl_user: 'foo'
postfix_sasl_password: 'bar'If you configure your Google account for extra security to use the 2-step verification, then
postfix won't send out emails anymore and you might notice error messages in the /var/log/mail.log file
To fix this issue, you need to visit the (Authorizing applications & sites)
page under your Google Account settings. On this page enter the name of the application to be authorized (Postfix) and click on Generate button.
Set the postfix_sasl_password variable with the password generated by this page.
A simple example that shows how to add some raw config:
---
- hosts: all
roles:
- postfix
vars:
postfix_raw_options:
- |
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:opendkim/opendkim.sock unix:opendmarc/opendmarc.sock unix:spamass/spamass.sock unix:clamav/clamav-milter.ctl
milter_connect_macros = "i j {daemon_name} v {if_name} _"
policyd-spf_time_limit = 3600License
MIT
Author Information
Mischa ter Smitten
Feedback, bug-reports, requests, ...
Are welcome!