Add options to enable smtpd_sasl

README.rst

@@ -171,6 +171,36 @@ Accepting mail
 
   __ http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
 
+* ``mta_smtpd_sasl_path`` (string, default empty): enable authorization of incoming
+  smtp clients. See `smtpd_sasl_type`
+
+  __ http://www.postfix.org/SASL_README.html
+
+* ``mta_smtpd_sasl_type`` (string, default empty): select an other sasl implementation
+  than cyrus, which is default in postfix.
+
+  __ http://www.postfix.org/SASL_README.html#server_sasl_enable
+
+* ``mta_smtpd_broken_sasl_auth_clients`` (boolean, default false): Enables the
+  compatibility mode with old broken smtp clients.
+
+  __ http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients
+
+* ``mta_smtpd_delay_reject`` (boolean, default false): If true the sender is rejected
+  after the ETRN command instead of the RCPT TO command.
+
+  __ http://www.postfix.org/postconf.5.html#smtpd_delay_reject
+
+* ``mta_maximal_queue_lifetime`` (string, default empty): Consider mail undeliverable
+  after set lifetime.
+
+  __ http://www.postfix.org/postconf.5.html#maximal_queue_lifetime
+
+* ``mta_bounce_queue_lifetime`` (string, default empty): Consider bounce mails 
+  undeliverable after set lifetime.
+
+
+  __ http://www.postfix.org/postconf.5.html#bounce_queue_lifetime
 
 Mail submission agent
 ---------------------

defaults/main.yml

@@ -4,6 +4,7 @@ mta_alias_database: []
 mta_alias_maps:
   - "$alias_database"
   - hash:/etc/postfix/aliases
+mta_connect_timeout: False
 mta_local_canonical_myorigin: ""
 mta_local_sender_canonical_maps: []
 mta_local_recipient_canonical_maps: []

tasks/opendkim.yml

@@ -1,8 +1,6 @@
 ---
 - name: install packages
-  yum: name={{ item }} state=latest
-  with_items:
-    - opendkim
+  yum: name=opendkim state=latest
   tags:
     - yum
 

tasks/postfix.yml

@@ -53,7 +53,7 @@
             mode="{{ item.mode | default('0664') }}"
             owner={{ item.owner | default("root") }}
             group={{ item.group | default("root") }}
-  with_dict: "{{ mta_access_databases }}"
+  loop: "{{ mta_access_databases }}"
   register: access_database_update
 
 - name: compile access databases

templates/postfix/access

@@ -1,3 +1,3 @@
-{% for pattern, action in item.value.contents %}
-{{ pattern }} {{ action }}
+{% for rule in item.value.contents %}
+{{ rule.pattern }} {{ rule.action }}
 {% endfor %}

templates/postfix/main.cf

@@ -28,7 +28,11 @@ alias_database =
 
 {% if mta_listen %}
 # mta_listen is true
-inet_interfaces = {{ mta_listen_interfaces | join(", ") }}
+inet_interfaces = {% for interface in mta_listen_interfaces %}
+    {{ interface }}{{ "," if not loop.last else "" }}
+{% endfor %}
+
+{# {{ mta_listen_interfaces | join(", ") }} #}
 {% else %}
 # mta_listen is false
 inet_interfaces = loopback-only
@@ -63,6 +67,11 @@ smtp_tls_wrappermode = {{ "yes" if mta_smtp_tls_wrappermode else "no" }}
 smtp_tls_security_level = {{ mta_smtp_tls_security_level }}
 smtp_tls_CAfile = {{ mta_smtp_tls_ca_file }}
 
+{% if mta_connect_timeout -%}
+# origin: mta_connect_timeout
+smtp_connect_timeout= {{ mta_connect_timeout }}
+{% endif %}
+
 {% if mta_tls_log -%}
 # origin: mta_tls_log
 smtp_tls_loglevel = 1
@@ -83,6 +92,17 @@ smtpd_helo_required = {{ "yes" if mta_smtpd_helo_required else "no" }}
 # origin: mta_strict_rfc821_envelopes
 strict_rfc821_envelopes = {{ "yes" if mta_strict_rfc821_envelopes else "no" }}
 
+{% if mta_smtpd_sasl_path -%}
+# origin: mta_smtpd_sasl
+smtpd_sasl_auth_enable = yes
+{% if mta_smtpd_sasl_type is defined -%}
+smtpd_sasl_type= {{ mta_smtpd_sasl_type }}
+{%- endif %}
+smtpd_sasl_path= {{ mta_smtpd_sasl_path }}
+broken_sasl_auth_clients = {{ "yes" if mta_smtpd_broken_sasl_auth_clients is defined and mta_smtpd_broken_sasl_auth_clients else "no" }}
+smtpd_sasl_security_options = {{ mta_smtpd_sasl_security_options }}
+{% endif %}
+
 # origin: mta_smtpd_restriction_classes
 smtpd_restriction_classes =
 {% for restriction_class in mta_smtpd_restriction_classes.keys()|sort %}
@@ -95,7 +115,7 @@ smtpd_restriction_classes =
     {{ restriction }}{{ "," if not loop.last else "" }}
 {% endfor %}
 {% endfor %}
-
+smtpd_delay_reject = {{ "yes" if mta_smtpd_delay_reject else "no" }}
 # origin: mta_smtpd_client_restrictions
 smtpd_client_restrictions =
 {% for restriction in mta_smtpd_client_restrictions %}
@@ -183,11 +203,6 @@ virtual_alias_maps =
 {% endfor %}
 {% endif %}
 
-{% if mta_message_size_limit -%}
-# origin: mta_message_size_limit
-message_size_limit = {{ mta_message_size_limit }}
-{% endif %}
-
 {% if mta_postscreen -%}
 # origin: mta_postscreen
 postscreen_access_list = permit_mynetworks
@@ -197,7 +212,7 @@ postscreen_access_list = permit_mynetworks
 postscreen_greet_action = {{ mta_postscreen.greet.action }}
 {% if mta_postscreen.greet.banner | default(False) -%}
 # origin: mta_postscreen.greet.banner
-postscreen_greet_banner = {{ inventory_hostname }} {{ mta_postscreen.greet.banner }}
+postscreen_greet_banner = {{ mta_override_hostname | default(inventory_hostname) }} {{ mta_postscreen.greet.banner }}
 {%- endif %}
 {%- endif %}
 
@@ -231,13 +246,24 @@ smtp_sasl_security_options =
 recipient_delimiter = {{ mta_recipient_delimiter }}
 {% endif %}
 
+# origin: mta_message_size_limit
 message_size_limit = {{ mta_message_size_limit }}
 
 {% if mta_unverified_recipient_reject_code %}
 # origin: mta_unverified_recipient_reject_code
 unverified_recipient_reject_code = {{ mta_unverified_recipient_reject_code }}
 {% endif %}
 
+{% if mta_maximal_queue_lifetime %}
+# origin: mta_maximal_queue_lifetime
+maximal_queue_lifetime = {{ mta_maximal_queue_lifetime }}
+{% endif %}
+
+{% if mta_bounce_queue_lifetime %}
+# origin: mta_bounce_queue_lifetime
+bounce_queue_lifetime = {{ mta_bounce_queue_lifetime }}
+{% endif %}
+
 {% for key, value in mta_parameters_all|combine(mta_parameters)|dictsort -%}
   {{ key }}=
   {%- if value is mapping -%}

templates/postfix/master.cf

@@ -13,10 +13,16 @@
 {% if mta_postscreen %}
 smtp      inet  n       -       n       -       1       postscreen
 smtpd     pass  -       -       n       -       -       smtpd
+{% if mta_dkim  %}
+  -o smtpd_milters=inet:127.0.0.1:8891
+{%- endif %}
 dnsblog   unix  -       -       n       -       0       dnsblog
 tlsproxy  unix  -       -       n       -       0       tlsproxy
 {%- else %}
 smtp      inet  n       -       n       -       -       smtpd
+{% if mta_dkim  %}
+  -o smtpd_milters=inet:127.0.0.1:8891
+{%- endif %}
 {%- endif %}
 {%- endif %}