Set up a postfix server in Debian-like systems and CentOS.
It's forked from ansible-postfix.
None
This role has the following variables:

- `postfix_debian_install` [default: `[postfix, mailutils, libsasl2-2, sasl2-bin, libsasl2-modules]`]: Packages to install for Debian-like systems.
- `postfix_redhat_install` [default: `[postfix, mailutils, libsasl2-2, sasl2-bin, libsasl2-modules]`]: Packages to install for CentOS and CentOS-like systems.
- `postfix_hostname` [default: `{{ ansible_fqdn }}`]: Host name, used for `myhostname` and `mydestination` in `/etc/postfix/main.cf`.
- `postfix_mailname` [default: `{{ ansible_fqdn }}`]: Mail name (in `/etc/mailname`), used for `myorigin` in `/etc/postfix/main.cf`.
- `postfix_mailname_backup` [default: `yes`]: Whether to create a backup of `/etc/mailname` or not.
- `postfix_compatibility_level` [default: `2`]: With backwards compatibility turned on (the compatibility_level value is less than the Postfix built-in value), Postfix looks for settings that are left at their implicit default value, and logs a message when a backwards-compatible default setting is required (e.g. `2`, `Postfix >= 3.0`).
- `postfix_main_cf_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/main.cf` or not.
- `postfix_default_database_type` [default: `hash`]: The default database type for use in `newaliases`, `postalias` and `postmap` commands.
- `postfix_aliases` [default: `[]`]: Aliases to ensure present in `/etc/aliases`.
- `postfix_virtual_aliases` [default: `[]`]: Virtual aliases to ensure present in `/etc/postfix/virtual`.
- `postfix_virtual_aliases_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/virtual` or not.
- `postfix_canonical_maps` [default: `[]`]: Pattern of address rewriting in `/etc/postfix/canonical` (see).
- `postfix_canonical_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_canonical_maps`.
- `postfix_canonical_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/canonical` or not.
- `postfix_sender_canonical_maps` [default: `[]`]: Sender address rewriting in `/etc/postfix/sender_canonical` (see).
- `postfix_sender_canonical_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_sender_canonical_maps`.
- `postfix_sender_canonical_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/sender_canonical` or not.
- `postfix_recipient_canonical_maps` [default: `[]`]: Recipient address rewriting in `/etc/postfix/recipient_canonical` (see).
- `postfix_recipient_canonical_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_recipient_canonical_maps`.
- `postfix_recipient_canonical_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/recipient_canonical` or not.
- `postfix_transport_maps` [default: `[]`]: Transport mapping based on recipient address in `/etc/postfix/transport` (see).
- `postfix_transport_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_transport_maps`.
- `postfix_transport_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/transport` or not.
- `postfix_sender_dependent_relayhost_maps` [default: `[]`]: Transport mapping based on sender address in `/etc/postfix/sender_dependent_relayhost` (see).
- `postfix_sender_dependent_relayhost_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/sender_dependent_relayhost` or not.
- `postfix_header_checks` [default: `[]`]: Lookup tables for content inspection of primary non-MIME message headers in `/etc/postfix/header_checks` (see).
- `postfix_header_checks_database_type` [default: `regexp`]: The database type for use in `header_checks`.
- `postfix_header_checks_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/header_checks` or not.
- `postfix_generic` [default: `postfix_smtp_generic_maps`]: Deprecated, use `postfix_smtp_generic`.
- `postfix_smtp_generic_maps` [default: `[]`]: Generic table address mapping in `/etc/postfix/generic` (see).
- `postfix_smtp_generic_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `smtp_generic_maps`.
- `postfix_smtp_generic_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/generic` or not.
- `postfix_relayhost` [default: `''` (no relay host)]: Hostname to relay all email to.
- `postfix_relayhost_mxlookup` [default: `false` (not using MX lookup)]: Look up the MX record instead of the A record for the relay host.
- `postfix_relayhost_port` [default: `587`]: Relay port (on `postfix_relayhost`, if set).
- `postfix_relaytls` [default: `no` when os_family is Debian, otherwise `yes`]: Use TLS when sending with a relay host.
- `postfix_sasl_passwd_backup` [default: `yes`]: Whether to create a backup of `/etc/postfix/sasl_passwd` or not.
- `postfix_sasl_auth_enable` [default: `true`]: Enable SASL authentication in the SMTP client.
- `postfix_sasl_user` [default: `postmaster@{{ ansible_domain }}`]: SASL relay username.
- `postfix_sasl_password` [default: `k8+haga4@#pR`]: SASL relay password. Make sure to change!
- `postfix_sasl_security_options` [default: `noanonymous`]: SMTP client SASL security options.
- `postfix_sasl_tls_security_option` [default: `noanonymous`]: SMTP client SASL TLS security options.
- `postfix_sasl_mechanism_filter` [default: `''`]: SMTP client SASL authentication mechanism filter (see).
- `postfix_smtp_tls_ca_path` [default: `/etc/ssl/certs` when os_family is Debian, otherwise `/etc/pki/tls/certs`]: A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates.
- `postfix_smtp_tls_security_level` [default: `encrypt` when os_family is Debian, otherwise `may`]: The default SMTP TLS security level for the Postfix SMTP client (see).
- `postfix_smtp_tls_wrappermode` [default: `false`]: Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command (see).
- `postfix_smtp_tls_note_starttls_offer` [default: `true`]: Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server (see).
- `postfix_inet_interfaces` [default: `all`]: Network interfaces to bind (see).
- `postfix_inet_protocols` [default: `all`]: The Internet protocols Postfix will attempt to use when making or accepting connections (see).
- `postfix_mydestination` [default: `["{{ postfix_hostname }}", 'localdomain', 'localhost', 'localhost.localdomain']`]: Specifies what domains this machine will deliver locally, instead of forwarding to another machine.
- `postfix_mynetworks` [default: `['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']`]: The list of "trusted" remote SMTP clients that have more privileges than "strangers".
- `postfix_disable_vrfy_command` [default: `true`]: Disable the `SMTP VRFY` command. This stops some techniques used to harvest email addresses.
- `postfix_message_size_limit` [default: `10240000`]: The maximal size in bytes of a message, including envelope information.
- `postfix_smtpd_tls_cert_file` [default: `/etc/ssl/certs/ssl-cert-snakeoil.pem` when os_family is Debian, otherwise `/etc/pki/tls/certs/postfix.pem`]: Path to certificate file.
- `postfix_smtpd_tls_key_file` [default: `/etc/ssl/certs/ssl-cert-snakeoil.key` when os_family is Debian, otherwise `/etc/pki/tls/private/postfix.key`]: Path to key file.
- `postfix_smtpd_relay_restrictions` [default: `'permit_mynetworks', 'permit_sasl_authenticated', 'defer_unauth_destination'`]: List of access restrictions for mail relay control (see).
- `postfix_smtpd_client_restrictions` [optional]: List of client restrictions (see).
- `postfix_smtpd_helo_restrictions` [optional]: List of helo restrictions (see).
- `postfix_smtpd_sender_restrictions` [optional]: List of sender restrictions (see).
- `postfix_smtpd_recipient_restrictions` [optional]: List of recipient restrictions (see).
- `postfix_smtpd_data_restrictions` [optional]: List of data restrictions (see).
- `postfix_raw_options` [default: `[]`]: List of lines (to pass extra (unsupported) configuration).
A simple example that doesn't use SASL relaying:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: you@yourdomain.org
```
A simple example with virtual aliases for mail forwarding that doesn't use SASL relaying:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_mydestination:
      - "{{ postfix_hostname }}"
      - '$mydomain'
      - localdomain
      - localhost
      - localhost.localdomain
    postfix_virtual_aliases:
      - virtual: webmaster@yourdomain.com
        alias: personal_email@gmail.com
      - virtual: billandbob@yourdomain.com
        alias: bill@gmail.com, bob@gmail.com
```
A simple example that rewrites the sender address:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_sender_canonical_maps:
      - sender: root
        rewrite: postmaster@yourdomain.org
```
Provide the relay host name if you want to enable relaying:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: you@yourdomain.org
    postfix_relayhost: mail.yourdomain.org
```
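
An added example (not part of the role's own documentation) of the same relay setup with the credential and TLS defaults from the variable list overridden explicitly, plus a pre-flight check that rejects the documented default password. `vault_postfix_sasl_password` is a hypothetical vault-encrypted variable, the user name is a constructed value, and `loopback-only` assumes the role writes `postfix_inet_interfaces` to `inet_interfaces` unchanged.

```yaml
---
- hosts: all
  pre_tasks:
    # Fail before the role runs if the relay secret is missing, empty,
    # or still equal to the role's documented default password.
    - name: Check that a real relay password is supplied
      ansible.builtin.assert:
        that:
          - vault_postfix_sasl_password is defined
          - vault_postfix_sasl_password | length > 0
          - "vault_postfix_sasl_password != 'k8+haga4@#pR'"
        fail_msg: Set vault_postfix_sasl_password in an Ansible Vault file.
  roles:
    - postfix
  vars:
    postfix_relayhost: mail.yourdomain.org
    postfix_relayhost_port: 587
    # Role default is "no" on Debian: turn TLS on for the relay hop.
    postfix_relaytls: true
    # Role default is "may" outside Debian: refuse to send without TLS.
    postfix_smtp_tls_security_level: encrypt
    postfix_sasl_auth_enable: true
    postfix_sasl_user: relay-user@yourdomain.org  # constructed sample value
    # Hypothetical variable kept in a vault-encrypted vars file.
    postfix_sasl_password: "{{ vault_postfix_sasl_password }}"
    postfix_sasl_security_options: noanonymous
    # Assumption: this host only submits local mail, so bind to loopback only.
    postfix_inet_interfaces: loopback-only
```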
Provide the relay domain name and use MX records if you want to enable relaying to DNS MX records of a domain:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: you@yourdomain.org
    postfix_relayhost: yourdomain.org
    postfix_relayhost_mxlookup: true
```
Conditional relaying:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_transport_maps:
      - pattern: 'root@yourdomain.org'
        result: ':'
      - pattern: '*'
        result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"
    postfix_sender_dependent_relayhost_maps:
      - pattern: 'logcheck@yourdomain.org'
        result: 'DUNNO'
      - pattern: 'pflogsumm@yourdomain.org'
        result: 'DUNNO'
      - pattern: '*'
        result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"
```
For AWS SES support:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: sesverified@yourdomain.org
    postfix_relayhost: email-smtp.us-east-1.amazonaws.com
    postfix_relaytls: true
    # AWS IAM SES credentials (not access key):
    postfix_sasl_user: AKIXXXXXXXXXXXXXXXXX
    postfix_sasl_password: ASDFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
For MailHog support:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: you@yourdomain.org
    postfix_relayhost: "{{ ansible_lo['ipv4']['address'] }}"
    postfix_relayhost_port: 1025
    postfix_sasl_auth_enable: false
```
For Gmail support:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_aliases:
      - user: root
        alias: you@yourdomain.org
    postfix_relayhost: smtp.gmail.com
    postfix_relaytls: true
    postfix_smtp_tls_cafile: /etc/ssl/certs/ca-certificates.crt
    postfix_sasl_user: 'foo'
    postfix_sasl_password: 'bar'
```
If you configure your Google account to use 2-step verification for extra security, Postfix won't send out emails anymore and you might notice error messages in the `/var/log/mail.log` file.

To fix this issue, visit the "Authorizing applications & sites" page under your Google Account settings. On this page, enter the name of the application to be authorized (Postfix) and click the Generate button. Set the `postfix_sasl_password` variable to the password generated by this page.
A simple example that shows how to add some raw config:
```yaml
---
- hosts: all
  roles:
    - postfix
  vars:
    postfix_raw_options:
      - |
        milter_default_action = accept
        milter_protocol = 6
        smtpd_milters = unix:opendkim/opendkim.sock unix:opendmarc/opendmarc.sock unix:spamass/spamass.sock unix:clamav/clamav-milter.ctl
        milter_connect_macros = "i j {daemon_name} v {if_name} _"
        policyd-spf_time_limit = 3600
```
Are welcome!
Start a VM instance running one of Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, CentOS7 or CentOS8, and run an `ansible-playbook` command such as `ansible-playbook -i inventory -CD playbook.yml --private-key ~/.ssh/your_private_key --tags mail`.

- CentOS9 is not supported.
- We have given up on using `molecule` because it is sometimes broken and does not work correctly.