From e822e40945e0bc85b5cdb9621656562a1c72fea3 Mon Sep 17 00:00:00 2001 From: Tunui Franken Date: Sat, 1 Feb 2025 20:59:14 +0100 Subject: [PATCH] [mailserver_postfix] Enable submissions (465 without STARTTLS) --- .../files/nftables/input.d/smtp-submission.conf | 1 - .../files/nftables/output.d/smtp-submission.conf | 1 - roles/mailserver_postfix/tasks/main.yml | 4 ++-- roles/mailserver_postfix/templates/master.cf.j2 | 11 +++++++++++ .../nftables/input.d/smtp-submission.conf.j2 | 3 +++ .../nftables/output.d/smtp-submission.conf.j2 | 3 +++ 6 files changed, 19 insertions(+), 4 deletions(-) delete mode 100644 roles/mailserver_postfix/files/nftables/input.d/smtp-submission.conf delete mode 100644 roles/mailserver_postfix/files/nftables/output.d/smtp-submission.conf create mode 100644 roles/mailserver_postfix/templates/nftables/input.d/smtp-submission.conf.j2 create mode 100644 roles/mailserver_postfix/templates/nftables/output.d/smtp-submission.conf.j2 diff --git a/roles/mailserver_postfix/files/nftables/input.d/smtp-submission.conf b/roles/mailserver_postfix/files/nftables/input.d/smtp-submission.conf deleted file mode 100644 index 1cf888d..0000000 --- a/roles/mailserver_postfix/files/nftables/input.d/smtp-submission.conf +++ /dev/null @@ -1 +0,0 @@ -tcp dport {25, 587} accept comment "Allow SMTP/submission from all" diff --git a/roles/mailserver_postfix/files/nftables/output.d/smtp-submission.conf b/roles/mailserver_postfix/files/nftables/output.d/smtp-submission.conf deleted file mode 100644 index 2d6e814..0000000 --- a/roles/mailserver_postfix/files/nftables/output.d/smtp-submission.conf +++ /dev/null @@ -1 +0,0 @@ -tcp dport {25, 587} accept comment "Allow SMTP/submission to all" diff --git a/roles/mailserver_postfix/tasks/main.yml b/roles/mailserver_postfix/tasks/main.yml index 29bbcbc..61649f8 100644 --- a/roles/mailserver_postfix/tasks/main.yml +++ b/roles/mailserver_postfix/tasks/main.yml 
@@ -52,8 +52,8 @@ - name: Allow incoming and outgoing SMTP/submission become: true - ansible.builtin.copy: - src: "nftables/{{ item }}.d/smtp-submission.conf" + ansible.builtin.template: + src: "nftables/{{ item }}.d/smtp-submission.conf.j2" dest: "/etc/nftables/{{ item }}.d/smtp-submission.conf" mode: 0640 notify: Reload nftables service diff --git a/roles/mailserver_postfix/templates/master.cf.j2 b/roles/mailserver_postfix/templates/master.cf.j2 index 80e348e..b6cf06b 100644 --- a/roles/mailserver_postfix/templates/master.cf.j2 +++ b/roles/mailserver_postfix/templates/master.cf.j2 @@ -27,6 +27,17 @@ submission inet n - y - - smtpd -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING +submissions inet n - y - - smtpd + -o syslog_name=postfix/submissions + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no + -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch,permit_sasl_authenticated,reject + -o smtpd_relay_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup diff --git a/roles/mailserver_postfix/templates/nftables/input.d/smtp-submission.conf.j2 b/roles/mailserver_postfix/templates/nftables/input.d/smtp-submission.conf.j2 new file mode 100644 index 0000000..c1e259e --- /dev/null +++ b/roles/mailserver_postfix/templates/nftables/input.d/smtp-submission.conf.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +tcp dport {25, 465, 587} accept comment "Allow SMTP/submission from all" 
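Review bot: The new submissions service lets $mynetworks relay without authenticating, which the existing submission service on 587 does not: its visible `smtpd_recipient_restrictions=permit_sasl_authenticated,reject` has no permit_mynetworks, whereas the 465 block puts permit_mynetworks first in smtpd_client_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions. Because permit_mynetworks also precedes reject_sender_login_mismatch in the sender restrictions, a client from $mynetworks can submit with any envelope sender and skip the login/sender binding that SASL users are held to. How exposed this is depends on what mynetworks contains in main.cf, which is outside this patch, but a MUA submission port normally should not treat clients differently by source network. Unless the difference is intentional, align the three lines with 587: `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, `-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject`, `-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject`. The rest of the submission block (its SASL and TLS options) lies above the hunk, so I could not confirm that the two services otherwise match.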
diff --git a/roles/mailserver_postfix/templates/nftables/output.d/smtp-submission.conf.j2 b/roles/mailserver_postfix/templates/nftables/output.d/smtp-submission.conf.j2
new file mode 100644
index 0000000..6df788e
--- /dev/null
+++ b/roles/mailserver_postfix/templates/nftables/output.d/smtp-submission.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+tcp dport {25, 465, 587} accept comment "Allow SMTP/submission to all"
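Review bot: Egress to port 465 on any destination is broader than this commit needs: the patch adds an inbound listener only, and Postfix initiates connections to 465 solely when relaying through a smarthost on that port (a relayhost setting in main.cf, not shown here). The pre-existing 587 entry suggests the role already takes the broad approach, so this may be deliberate, but if the server delivers directly, keeping the egress rule at `tcp dport {25} accept comment "Allow outbound SMTP"` or limiting 465/587 to the relay host's address is the tighter choice. Either way, a line such as `# 465/587 outbound are only needed when relaying via a smarthost` in the template would record the intent for the next reader.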