From 23ae2850e582556536418fe181d9cecd06ed71f3 Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Thu, 22 Oct 2020 10:01:17 +0200 Subject: [PATCH 01/10] Add options to enable smtpd_sasl --- README.rst | 15 +++++++++++++++ templates/postfix/main.cf | 10 ++++++++++ 2 files changed, 25 insertions(+) diff --git a/README.rst b/README.rst index c41867b..ba3864f 100644 --- a/README.rst +++ b/README.rst @@ -171,6 +171,21 @@ Accepting mail __ http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions +* ``mta_smtpd_sasl_path`` (string, default empty): enable authorization of incoming + smtp clients. See `smtpd_sasl_type` + + __ http://www.postfix.org/SASL_README.html + +* ``mta_smtpd_sasl_type`` (string, default empty): select an other sasl implementation + than cyrus, which is default in postfix. + + __ http://www.postfix.org/SASL_README.html#server_sasl_enable + +* ``mta_smtpd_broken_sasl_auth_clients`` (boolean, default false): Enables the + compatibility mode with old broken smtp clients. + + __ http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients + Mail submission agent --------------------- diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index 449f31b..1b10431 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -83,6 +83,16 @@ smtpd_helo_required = {{ "yes" if mta_smtpd_helo_required else "no" }} # origin: mta_strict_rfc821_envelopes strict_rfc821_envelopes = {{ "yes" if mta_strict_rfc821_envelopes else "no" }} +{% if mta_smtpd_sasl_path -%} +# origin: mta_smtpd_sasl +smtpd_sasl_auth_enable = yes +{% if mta_smtpd_sasl_type -%} +smtpd_sasl_type= {{ mta_smtpd_sasl_type }} +{%- endif %} +smtpd_sasl_path= {{ mta_smtpd_sasl_path }} +broken_sasl_auth_clients = {{ "yes" if mta_smtpd_broken_sasl_auth_clients else "no" }} +{% endif} + # origin: mta_smtpd_restriction_classes smtpd_restriction_classes = {% for restriction_class in mta_smtpd_restriction_classes.keys()|sort %} 
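Review bot: The three variables this block reads (`mta_smtpd_sasl_path`, `mta_smtpd_sasl_type`, `mta_smtpd_broken_sasl_auth_clients`) get README entries but no entry in defaults/main.yml — the diffstat lists only README.rst and templates/postfix/main.cf — so the `{% if mta_smtpd_sasl_path -%}` test can only be evaluated on hosts that define all of them explicitly; patches 02 (`mta_smtpd_delay_reject`), 03 (`mta_maximal_queue_lifetime`, `mta_bounce_queue_lifetime`) and 04 (`mta_smtpd_sasl_security_options`) leave the same gap. The closing tag `{% endif}` is malformed and should read `{% endif %}`. Turning on `smtpd_sasl_auth_enable = yes` without restricting AUTH to encrypted sessions lets clients offer credentials over plaintext SMTP; where smtpd TLS is enabled I would add `smtpd_tls_auth_only = yes` inside this same block, or expose it as a documented variable next to the other `mta_smtpd_sasl_*` options. The README text also calls this "authorization" where the parameter controls client authentication.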
From d46e2d2cc5d76eea94dc6cff8129a1c5ad546fcf Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Thu, 22 Oct 2020 12:24:41 +0200 Subject: [PATCH 02/10] Add options to set smtpd_delay_reject --- README.rst | 4 ++++ templates/postfix/main.cf | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index ba3864f..7feddef 100644 --- a/README.rst +++ b/README.rst @@ -186,6 +186,10 @@ Accepting mail __ http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients +* ``mta_smtpd_delay_reject`` (boolean, default false): If true the sender is rejected + after the ETRN command instead of the RCPT TO command. + + __ http://www.postfix.org/postconf.5.html#smtpd_delay_reject Mail submission agent --------------------- diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index 1b10431..a972682 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -105,7 +105,7 @@ smtpd_restriction_classes = {{ restriction }}{{ "," if not loop.last else "" }} {% endfor %} {% endfor %} - +smtpd_delay_reject = {{ "yes" if mta_smtpd_delay_reject else "no" }} # origin: mta_smtpd_client_restrictions smtpd_client_restrictions = {% for restriction in mta_smtpd_client_restrictions %} From daee4705a4639f6d87a1ae04a2fbf477b2183515 Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Thu, 22 Oct 2020 13:56:24 +0200 Subject: [PATCH 03/10] Add options for queue lifetimes --- README.rst | 11 +++++++++++ templates/postfix/main.cf | 10 ++++++++++ 2 files changed, 21 insertions(+) diff --git a/README.rst b/README.rst index 7feddef..be72f2d 100644 --- a/README.rst +++ b/README.rst 
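Review bot: `smtpd_delay_reject` is now rendered unconditionally and comes out as `no` whenever `mta_smtpd_delay_reject` is false, while Postfix's own default for this parameter is `yes`; with the documented role default of false, every host that picks up this version silently moves from the Postfix default to rejecting at the earlier stages, and no default for the variable is added in this patch (diffstat: README.rst and main.cf only). The new line also lacks the `# origin: mta_smtpd_delay_reject` comment that every other managed parameter in this file carries, and it consumes the blank line that separated the restriction-classes block from `smtpd_client_restrictions`. I would render `# origin: mta_smtpd_delay_reject` / `smtpd_delay_reject = {{ "yes" if mta_smtpd_delay_reject | default(True) else "no" }}` and adjust the README default to match. The README sentence "rejected after the ETRN command instead of the RCPT TO command" does not match the postconf text it links to, which describes waiting until RCPT TO (or ETRN) before evaluating the client, helo and sender restrictions; worth rewording.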
@@ -191,6 +191,17 @@ Accepting mail __ http://www.postfix.org/postconf.5.html#smtpd_delay_reject +* ``mta_maximal_queue_lifetime`` (string, default empty): Consider mail undeliverable + after set lifetime. + + __ http://www.postfix.org/postconf.5.html#maximal_queue_lifetime + +* ``mta_bounce_queue_lifetime`` (string, default empty): Consider bounce mails + undeliverable after set lifetime. + + + __ http://www.postfix.org/postconf.5.html#bounce_queue_lifetime + Mail submission agent --------------------- diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index a972682..bc43543 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -248,6 +248,16 @@ message_size_limit = {{ mta_message_size_limit }} unverified_recipient_reject_code = {{ mta_unverified_recipient_reject_code }} {% endif %} +{% if mta_maximal_queue_lifetime %} +# origin: mta_maximal_queue_lifetime +maximal_queue_lifetime = {{ mta_maximal_queue_lifetime }} +{% endif %} + +{% if mta_bounce_queue_lifetime %} +# origin: mta_bounce_queue_lifetime +bounce_queue_lifetime = {{ mta_bounce_queue_lifetime }} +{% endif %} + {% for key, value in mta_parameters_all|combine(mta_parameters)|dictsort -%} {{ key }}= {%- if value is mapping -%} From d49985c10cbd36fb3b3d849cf698bbe05dad1ead Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Thu, 22 Oct 2020 16:19:14 +0200 Subject: [PATCH 04/10] Add paramter to set sasl_security_options --- templates/postfix/main.cf | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index bc43543..cced585 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -91,6 +91,7 @@ smtpd_sasl_type= {{ mta_smtpd_sasl_type }} {%- endif %} smtpd_sasl_path= {{ mta_smtpd_sasl_path }} broken_sasl_auth_clients = {{ "yes" if mta_smtpd_broken_sasl_auth_clients else "no" }} +smtpd_sasl_security_options = {{ mta_smtpd_sasl_security_options }} {% endif} # origin: mta_smtpd_restriction_classes 
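Review bot: `smtpd_sasl_security_options` is rendered unconditionally from `mta_smtpd_sasl_security_options`, which this patch adds neither to defaults/main.yml nor to README.rst (only main.cf is in the diffstat); a host that defines it as an empty string overrides Postfix's default of `noanonymous` with an empty option list, which permits anonymous SASL logins on a service that patch 01 has just opened to authenticated clients. Either guard the line like its neighbours, `{% if mta_smtpd_sasl_security_options is defined and mta_smtpd_sasl_security_options -%}` … `{%- endif %}`, or give the variable a default of `noanonymous` and document it alongside the other `mta_smtpd_sasl_*` options. The enclosing `{% if mta_smtpd_sasl_path -%}` block starts outside the hunk.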
From bb213e59eba050f927e801c81cf81b85b0414647 Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Thu, 29 Oct 2020 14:55:00 +0100 Subject: [PATCH 05/10] Fix different problems and warnings in templates and remove with_dict loop condition --- tasks/opendkim.yml | 4 +--- tasks/postfix.yml | 2 +- templates/postfix/access | 4 ++-- templates/postfix/main.cf | 6 +++--- 4 files changed, 7 insertions(+), 9 deletions(-) diff --git a/tasks/opendkim.yml b/tasks/opendkim.yml index 4536f1b..3fad240 100644 --- a/tasks/opendkim.yml +++ b/tasks/opendkim.yml @@ -1,8 +1,6 @@ --- - name: install packages - yum: name={{ item }} state=latest - with_items: - - opendkim + yum: name=opendkim state=latest tags: - yum diff --git a/tasks/postfix.yml b/tasks/postfix.yml index b605ef1..a39551c 100644 --- a/tasks/postfix.yml +++ b/tasks/postfix.yml @@ -53,7 +53,7 @@ mode="{{ item.mode | default('0664') }}" owner={{ item.owner | default("root") }} group={{ item.group | default("root") }} - with_dict: "{{ mta_access_databases }}" + loop: "{{ mta_access_databases }}" register: access_database_update - name: compile access databases diff --git a/templates/postfix/access b/templates/postfix/access index bf56660..75988f8 100644 --- a/templates/postfix/access +++ b/templates/postfix/access @@ -1,3 +1,3 @@ -{% for pattern, action in item.value.contents %} -{{ pattern }} {{ action }} +{% for rule in item.value.contents %} +{{ rule.pattern }} {{ rule.action }} {% endfor %} diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index cced585..5eb0085 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf 
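Review bot: `yum: name=opendkim state=latest` keeps `state=latest` from the removed loop, so every playbook run upgrades OpenDKIM to whatever the repository currently offers instead of ensuring it is installed; for a role that handles signing keys, `state=present` with deliberate, reviewed upgrades is the safer default. Since the line is being rewritten anyway, this is the moment to change it, and the same applies to the `mta_*` package tasks elsewhere in the role if they follow the same pattern (not visible here).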
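Review bot: Replacing `with_dict` with `loop: "{{ mta_access_databases }}"` changes the shape of `item`: `loop` requires a list and does not produce the `key`/`value` pairs `with_dict` did, yet `templates/postfix/access` in this same commit still reads `item.value.contents`. If `mta_access_databases` remains a dict, use `loop: "{{ mta_access_databases | dict2items }}"` so `item.key`/`item.value` keep working; if it has become a list, the `item.value.contents` reference in the template and the `item.mode`/`item.owner`/`item.group` lookups in this task need to agree on one structure, and the README entry for the variable should describe it. The task header is outside the hunk, so the destination path and the `item.key`/`item.name` use there were not checked.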
@@ -86,13 +86,13 @@ strict_rfc821_envelopes = {{ "yes" if mta_strict_rfc821_envelopes else "no" }} {% if mta_smtpd_sasl_path -%} # origin: mta_smtpd_sasl smtpd_sasl_auth_enable = yes -{% if mta_smtpd_sasl_type -%} +{% if mta_smtpd_sasl_type is defined -%} smtpd_sasl_type= {{ mta_smtpd_sasl_type }} {%- endif %} smtpd_sasl_path= {{ mta_smtpd_sasl_path }} -broken_sasl_auth_clients = {{ "yes" if mta_smtpd_broken_sasl_auth_clients else "no" }} +broken_sasl_auth_clients = {{ "yes" if mta_smtpd_broken_sasl_auth_clients is defined and mta_smtpd_broken_sasl_auth_clients else "no" }} smtpd_sasl_security_options = {{ mta_smtpd_sasl_security_options }} -{% endif} +{% endif %} # origin: mta_smtpd_restriction_classes smtpd_restriction_classes = From 5ed88a7d731b467e84c928ae786b87392d06fdc7 Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Tue, 3 Nov 2020 17:39:06 +0100 Subject: [PATCH 06/10] Consistently use mta_override_hostname --- templates/postfix/main.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index 5eb0085..3e4cab5 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -208,7 +208,7 @@ postscreen_access_list = permit_mynetworks postscreen_greet_action = {{ mta_postscreen.greet.action }} {% if mta_postscreen.greet.banner | default(False) -%} # origin: mta_postscreen.greet.banner -postscreen_greet_banner = {{ inventory_hostname }} {{ mta_postscreen.greet.banner }} +postscreen_greet_banner = {{ mta_override_hostname | default(inventory_hostname) }} {{ mta_postscreen.greet.banner }} {%- endif %} {%- endif %} From 1f37760c13b7a44cbe53a5b0f165749fa59d223b Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Fri, 13 Nov 2020 11:38:22 +0100 Subject: [PATCH 07/10] Always include size limit, as a size of zero would also be false --- templates/postfix/main.cf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
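Review bot: `{% if mta_smtpd_sasl_type is defined -%}` now renders `smtpd_sasl_type= ` with an empty value whenever the variable is defined but empty — which is exactly the README's documented default of "empty" — whereas the previous truthiness test skipped the line; the `broken_sasl_auth_clients` line in the same hunk already shows the right pattern, so this should be `{% if mta_smtpd_sasl_type is defined and mta_smtpd_sasl_type -%}`. `smtpd_sasl_security_options = {{ mta_smtpd_sasl_security_options }}` remains the only line in the block with no `is defined` guard and no default, and an empty rendering drops Postfix's `noanonymous` default. The `{% endif %}` fix is correct.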
diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index 3e4cab5..a480b24 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -194,11 +194,6 @@ virtual_alias_maps = {% endfor %} {% endif %} -{% if mta_message_size_limit -%} -# origin: mta_message_size_limit -message_size_limit = {{ mta_message_size_limit }} -{% endif %} - {% if mta_postscreen -%} # origin: mta_postscreen postscreen_access_list = permit_mynetworks @@ -242,6 +237,7 @@ smtp_sasl_security_options = recipient_delimiter = {{ mta_recipient_delimiter }} {% endif %} +# origin: mta_message_size_limit message_size_limit = {{ mta_message_size_limit }} {% if mta_unverified_recipient_reject_code %} From 15b5a04ceb4c837b74f02df6eeb99c7694b029b0 Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Fri, 13 Nov 2020 11:39:11 +0100 Subject: [PATCH 08/10] Add option to set smtp timeout --- defaults/main.yml | 1 + templates/postfix/main.cf | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 88f62f1..fe8971c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,6 +4,7 @@ mta_alias_database: [] mta_alias_maps: - "$alias_database" - hash:/etc/postfix/aliases +mta_connect_timeout: False mta_local_canonical_myorigin: "" mta_local_sender_canonical_maps: [] mta_local_recipient_canonical_maps: [] diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index a480b24..324703f 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -63,6 +63,11 @@ smtp_tls_wrappermode = {{ "yes" if mta_smtp_tls_wrappermode else "no" }} smtp_tls_security_level = {{ mta_smtp_tls_security_level }} smtp_tls_CAfile = {{ mta_smtp_tls_ca_file }} +{% if mta_connect_timeout -%} +# origin: mta_connect_timeout +smtp_connect_timeout= {{ mta_connect_timeout }} +{% endif %} + {% if mta_tls_log -%} # origin: mta_tls_log smtp_tls_loglevel = 1 From 60f74d1cb6c23b3162991155c9ed7abe0c9f3df1 Mon Sep 17 00:00:00 2001 
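Review bot: `message_size_limit = {{ mta_message_size_limit }}` is now emitted on every run, so `mta_message_size_limit` must have a numeric default (Postfix's own is 10240000); an undefined variable fails the render and an empty string produces `message_size_limit = `, which is not a valid numeric value. defaults/main.yml is not in this diffstat, so I could not confirm the default exists — the commit message's reasoning about zero being false suggests it does, but it is worth checking. The second hunk only adds the `# origin:` comment and needs no change.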
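Review bot: The new `mta_connect_timeout` variable and the `smtp_connect_timeout` it sets are not documented in README.rst, unlike every option added earlier in this series; an entry of the form `* ``mta_connect_timeout`` (string, default false): …` with the postconf link would keep the README complete. The variable name drops the `smtp_` prefix the Postfix parameter carries, so a reader of defaults/main.yml cannot tell it applies to outbound client connections only; `mta_smtp_connect_timeout` would match the `mta_smtp_tls_*` names in the surrounding context lines. `smtp_connect_timeout= {{ mta_connect_timeout }}` also has no space before `=`, unlike the neighbouring `smtp_tls_*` lines.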
From: Florian Lamprecht Date: Fri, 13 Nov 2020 11:40:09 +0100 Subject: [PATCH 09/10] Write listen interfaces to multiple lines for better readability --- templates/postfix/main.cf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf index 324703f..2bb492f 100644 --- a/templates/postfix/main.cf +++ b/templates/postfix/main.cf @@ -28,7 +28,11 @@ alias_database = {% if mta_listen %} # mta_listen is true -inet_interfaces = {{ mta_listen_interfaces | join(", ") }} +inet_interfaces = {% for interface in mta_listen_interfaces %} + {{ interface }}{{ "," if not loop.last else "" }} +{% endfor %} + +{# {{ mta_listen_interfaces | join(", ") }} #} {% else %} # mta_listen is false inet_interfaces = loopback-only From be4f39144717b10ac3391e2f2b1110712e33573e Mon Sep 17 00:00:00 2001 From: Florian Lamprecht Date: Wed, 24 Feb 2021 14:49:25 +0100 Subject: [PATCH 10/10] Add dkim signging to mails delivered via smtp, not just submission --- templates/postfix/master.cf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/templates/postfix/master.cf b/templates/postfix/master.cf index 94d6fc0..3f941e2 100644 --- a/templates/postfix/master.cf +++ b/templates/postfix/master.cf @@ -13,10 +13,16 @@ {% if mta_postscreen %} smtp inet n - n - 1 postscreen smtpd pass - - n - - smtpd +{% if mta_dkim %} + -o smtpd_milters=inet:127.0.0.1:8891 +{%- endif %} dnsblog unix - - n - 0 dnsblog tlsproxy unix - - n - 0 tlsproxy {%- else %} smtp inet n - n - - smtpd +{% if mta_dkim %} + -o smtpd_milters=inet:127.0.0.1:8891 +{%- endif %} {%- endif %} {%- endif %}
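Review bot: The Jinja comment `{# {{ mta_listen_interfaces | join(", ") }} #}` is the old implementation left behind as dead code and should be dropped rather than committed. The loop renders `inet_interfaces = ` followed by indented continuation lines, which Postfix accepts as one logical line, but the trailing space after `=` and the extra blank line from the comment make the rendered file less tidy than the subject promises; `inet_interfaces =` on its own line followed directly by the `{% for %}` loop avoids both. An empty `mta_listen_interfaces` still yields an empty value, as before.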
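Review bot: The milter socket `inet:127.0.0.1:8891` is now hard-coded twice in this file (and presumably a third time on the submission service the subject refers to, which is outside the hunk), so a port change has to be made in each place; a single variable referenced from all three `-o smtpd_milters=` lines would remove the duplication. Attaching the signing milter to the public `smtp` service also means OpenDKIM now sees mail from arbitrary inbound clients, so whether a message is signed or only verified is decided entirely by OpenDKIM's own InternalHosts/ExternalIgnoreList configuration, presumably managed in tasks/opendkim.yml and not visible here; that configuration should be checked so the server does not sign mail that merely relays through it.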