From 56b20ec5c63f9ec5b378a70af3c0c919b2ad0134 Mon Sep 17 00:00:00 2001 From: Georgeto Date: Fri, 12 Mar 2021 23:26:07 +0100 Subject: [PATCH] Simplify configuration of SASL authenticated relay host --- README.rst | 16 ++++++++-------- defaults/main.yml | 3 ++- tasks/postfix.yml | 6 +++--- templates/postfix/main.cf | 6 +++--- templates/postfix/password_map | 2 +- 5 files changed, 17 insertions(+), 16 deletions(-) diff --git a/README.rst b/README.rst index c41867b..8a5cb91 100644 --- a/README.rst +++ b/README.rst @@ -108,16 +108,16 @@ Accepting mail directly; it will typically be used for MTAs that only need to send cron mails etc. -* ``mta_relayhost_auth`` (mapping): This is only meaningful if - ``mta_relayhost`` is set. In that case, this mapping allows to set up - authentication with the relay host using SASL: +* ``mta_relayhost_auth_username`` (string): This is only meaningful + if ``mta_relayhost`` is set. In that case this set the SASL user name to use + to set up authentication with the relay host using SASL. - * ``mta_relayhost_auth.username`` (string): the SASL user name to use - * ``mta_relayhost_auth.mapfile`` (path): A path where a config file - containing the credentials will be written to. +* ``mta_relayhost_auth_password`` (string): The password to use for relayhost SASL + authentication. Required if ``mta_relayhost_auth_username`` is used. + +* ``mta_relayhost_auth_mapfile`` (path): A path where a config file containing + the SASL authentication credentials will be written to. -* ``mta_relayhost_password`` (string): The password to use for relayhost SASL - authentication. Required if ``mta_relayhost_auth`` is used. * ``mta_transport_map`` (mapping): A lookup table, mapping destination address patterns to their respective nexthop. Refer to the `postfix diff --git a/defaults/main.yml b/defaults/main.yml index 88f62f1..ce27042 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -9,7 +9,8 @@ mta_local_sender_canonical_maps: [] mta_local_recipient_canonical_maps: [] mta_local_canonical_header_checks: [] mta_relayhost: False -mta_relayhost_auth: False +mta_relayhost_auth_username: null +mta_relayhost_auth_mapfile: /etc/postfix/password_map mta_smtp_tls_wrappermode: no mta_smtp_tls_security_level: "may" mta_smtp_tls_ca_file: "" diff --git a/tasks/postfix.yml b/tasks/postfix.yml index b605ef1..4ea6f10 100644 --- a/tasks/postfix.yml +++ b/tasks/postfix.yml @@ -126,14 +126,14 @@ - name: deploy sasl password map for relaying template: src=postfix/password_map - dest="{{ mta_relayhost_auth.mapfile }}" - when: mta_relayhost and mta_relayhost_auth + dest="{{ mta_relayhost_auth_mapfile }}" + when: mta_relayhost and mta_relayhost_auth_username register: password_map notify: - reload postfix - name: compile sasl password map for relaying - command: postmap "{{ mta_relayhost_auth.mapfile }}" + command: postmap "{{ mta_relayhost_auth_mapfile }}" when: password_map is changed notify: - reload postfix diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index 449f31b..fb8d793 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -218,10 +218,10 @@ delay_warning_time = {{ mta_delay_warning }} {% if mta_relayhost -%} # origin: mta_relayhost relayhost = {{ mta_relayhost }} -{% if mta_relayhost_auth -%} -# origin: mta_relayhost and mta_relayhost_auth +{% if mta_relayhost_auth_username and mta_relayhost_auth_password -%} +# origin: mta_relayhost and mta_relayhost_auth_mapfile smtp_sasl_auth_enable = yes -smtp_sasl_password_maps = hash:{{ mta_relayhost_auth.mapfile }} +smtp_sasl_password_maps = hash:{{ mta_relayhost_auth_mapfile }} smtp_sasl_mechanism_filter = smtp_sasl_security_options = {% endif %} diff --git a/templates/postfix/password_map b/templates/postfix/password_map index 0169db4..0a7e36f 100644 --- a/templates/postfix/password_map +++ b/templates/postfix/password_map 
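Review bot: In defaults/main.yml the old names `mta_relayhost_auth` and `mta_relayhost_password` are dropped with no deprecation path, so an inventory that still sets them falls back to `mta_relayhost_auth_username: null` and both the password-map task and the SASL block in main.cf are skipped without an error. The play then succeeds while the host presumably tries to relay without authentication, which is easy to miss until mail is rejected. A guard task early in the role would make this fail loudly, for example an `assert` with `that: mta_relayhost_auth is not defined and mta_relayhost_password is not defined`. Separately, `mta_relayhost_auth_password` gets no entry here; a comment such as `# mta_relayhost_auth_password: no default on purpose, supply it from a vault` would record that the omission is deliberate.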
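Review bot: The `deploy sasl password map for relaying` task in tasks/postfix.yml writes the relay credential in cleartext but sets no `mode`, `owner` or `group`, so the file at `mta_relayhost_auth_mapfile` gets whatever the default umask gives, and the table built by `postmap` will typically carry the same read permissions. Adding `owner=root group=root mode=0600` to the `template:` arguments and `no_log: true` to the task keeps the password away from local users and out of `--diff` output and logs. The `when:` on this task tests only `mta_relayhost_auth_username`, whereas the new condition in main.cf also requires `mta_relayhost_auth_password`; using the same expression in both places avoids writing a map file that main.cf then never references.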
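Review bot: The comment `# origin: mta_relayhost and mta_relayhost_auth_mapfile` in templates/postfix/main.cf does not name the variables the new `{% if %}` actually tests; `# origin: mta_relayhost, mta_relayhost_auth_username, mta_relayhost_auth_password, mta_relayhost_auth_mapfile` would match the condition. While this block is being touched: the unchanged `smtp_sasl_security_options =` line clears Postfix's default `noplaintext, noanonymous`, and defaults/main.yml sets `mta_smtp_tls_security_level: "may"`, so if that value is what reaches `smtp_tls_security_level`, the credential can be sent over an unencrypted session when the relay does not offer STARTTLS. Consider `smtp_sasl_security_options = noanonymous` together with requiring TLS (`encrypt` or stricter) whenever the SASL block is rendered. The enclosing `{% if mta_relayhost -%}` block closes outside the hunk.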
@@ -1 +1 @@
-{{ mta_relayhost }} {{ mta_relayhost_auth.username }}:{{ mta_relayhost_password }}
+{{ mta_relayhost }} {{ mta_relayhost_auth_username }}:{{ mta_relayhost_auth_password }}