Initial role for postfix and spamassassin

Signed-off-by: Mattia Rizzolo <mattia@debian.org>

roles/postfix/handlers/main.yml

+---
+- name: hash
+  command: postmap hash:/etc/postfix/{{ item }}
+  with_items: "{{ hash_tables }}"
+
+# keep this last, so it'll be executed last
+- name: restart postfix
+  service: name=postfix@- state=restarted
+

roles/postfix/tasks/main.yml

+---
+
+- name: Install postfix
+  apt: name={{ item }} state=present
+  with_items:
+    - bsd-mailx
+    - ca-certificates
+    - mailutils
+    - postfix
+
+- name: Install postfix master conf
+  template: src=master.cf dest=/etc/postfix/master.cf owner=root group=root mode=0644
+  notify: restart postfix
+
+- name: Install postfix main conf
+  template: src=main.cf dest=/etc/postfix/main.cf owner=root group=root mode=0644
+  notify: restart postfix
+
+- name: Install several postfix hash tables
+  template: src={{ item }} dest=/etc/postfix/{{ item }} owner=root group=root mode=0644
+  notify:
+    - hash
+    - restart postfix
+  with_items: "{{ hash_tables }}"
+
+- name: Remove old files
+  file: path=/etc/postfix/{{ item }} state=absent
+  with_items:
+    - access
+    - access.db
+    - generic
+    - generic.db

roles/postfix/templates/client_restrictions

+#
+# {{ ansible_managed }}
+#

roles/postfix/templates/main.cf

+#
+# {{ ansible_managed }}
+#
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+compatibility_level = 2
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is MUA's job.
+append_dot_mydomain = no
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_restrictions permit
+smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_restrictions permit
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated permit_auth_destination reject
+myhostname = {{ inventory_hostname }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+# yes, it's not accepting stuff for @ubuntu-it.org, that will go into a virtual alias map, maybe.
+mydestination = {{ inventory_hostname }}, localhost
+virtual_alias_maps = hash:/etc/postfix/virtual_domains
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.8.0.0/24
+message_size_limit = 52428800
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+
+# spamassassin scan
+smtpd_milters = unix:/spamass/spamass.sock
+# do not bother senders if my mail system is buggy
+milter_default_action = accept
+milter_connect_macros = j {daemon_name} v {if_name} _
+milter_data_macros = j i {daemon_name} v {if_name} _
+
+# TLS stuff
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+smtpd_tls_cert_file = /var/lib/dehydrated/certs/{{ inventory_hostname }}.fullchain.crt
+smtpd_tls_key_file = /var/lib/dehydrated/certs/{{ inventory_hostname }}.key
+smtpd_tls_ask_ccert = yes
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtp_tls_loglevel = 1
+smtpd_tls_loglevel = 1
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtpd_tls_received_header = yes

roles/postfix/templates/master.cf

+#
+# {{ ansible_managed }}
+#
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#submission inet n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       -       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+spamassassin unix -     n       n       -       -       pipe
+  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

roles/postfix/templates/sender_restrictions

+#
+# {{ ansible_managed }}
+#

roles/postfix/templates/virtual_domains

+#
+# {{ ansible_managed }}
+#

roles/postfix/vars/main.yml

+hash_tables:
+  - client_restrictions
+  - sender_restrictions
+  - virtual_domains

roles/spamassassin/handlers/main.yml

+---
+- name: restart spamassassin
+  service: name=spamassassin state=restarted
+
+- name: restart spamass-milter
+  service:
+    name: spamass-milter
+    state: restarted
+
+# keep this last, so it'll be executed last
+- name: restart postfix
+  service: name=postfix state=restarted
+

roles/spamassassin/tasks/main.yml

+---
+
+- name: Install SpamAssassin
+  apt: name={{ item }} state=present
+  with_items:
+    - spamassassin
+    - spamass-milter
+    - spamc
+
+- name: Change spamass-milter primary group to debian-spamd, so spamd and the milter can talk together
+  user:
+    name: spamass-milter
+    group: debian-spamd
+
+- name: Be sure the working directories are owned by the correct user
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: debian-spamd
+    group: root
+  with_items:
+    - /var/run/spamass
+    - /var/spool/postfix/spamass
+  notify: restart spamass-milter
+
+- name: Enable SpamAssassin
+  service: name=spamassassin enabled=yes
+  notify:
+    - restart spamassassin
+    - restart postfix
+
+- name: Install SpamAssassin init/cron conf
+  template: src=default dest=/etc/default/spamassassin owner=root group=root mode=0644
+  notify: restart spamassassin
+
+- name: Install spamass-milter default settings
+  template:
+    src: spamass-milter.defaults
+    dest: /etc/default/spamass-milter
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart spamass-milter
+
+- name: Install SpamAssassin conf
+  template: src=local.cf dest=/etc/spamassassin/local.cf owner=root group=root mode=0644
+  notify: restart spamassassin
+
+- name: Install SpamAssassin whitelist
+  template: src=whitelist dest=/etc/spamassassin/whitelist owner=root group=root mode=0644
+  notify: restart spamassassin
+
+- name: Install SpamAssassin blacklist
+  template: src=blacklist dest=/etc/spamassassin/blacklist owner=root group=root mode=0644
+  notify: restart spamassassin

roles/spamassassin/templates/blacklist

+# {{ ansible_managed }}

roles/spamassassin/templates/default

+# /etc/default/spamassassin
+#
+# {{ ansible_managed }}
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# If you're using systemd (default for jessie), the ENABLED setting is
+# not used. Instead, enable spamd by issuing:
+# systemctl enable spamassassin.service
+# Change to "1" to enable spamd on systems using sysvinit:
+ENABLED=0
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir --socketpath /var/run/spamd.sock --socketowner debian-spamd --socketgroup debian-spamd --socketmode 0660"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1

roles/spamassassin/templates/local.cf

+#
+# {{ ansible_managed }}
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+
+report_contact postmaster@ubuntu-it.org
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+rewrite_header Subject *****SPAM*****
+
+#   Load plugins here
+#loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers).  https://wiki.apache.org/spamassassin/TrustPath
+# magog.canonical.com + roadhouse.ubuntu-it.org
+internal_networks 91.189.93.8 194.116.72.130
+trusted_networks 91.189.93.8 194.116.72.130
+# kahlan.mapreri.org + savidlin.mapreri.org
+trusted_networks 95.85.2.163 178.62.47.107
+# Debian hosts in man-da
+trusted_networks 2001:41b8:202:deb::0/64
+trusted_networks 82.195.75.0/24
+# Debian hosts in UBC
+trusted_networks 2607:F8F0:614:1::0/64
+trusted_networks 209.87.16.0/24
+
+#   Manual (white|black)lists
+include whitelist
+include blacklist
+
+# don't enable right away, keep commented out for the time being.
+##   Some shortcircuiting
+#shortcircuit USER_IN_WHITELIST       on
+#shortcircuit USER_IN_DEF_WHITELIST   on
+#shortcircuit USER_IN_ALL_SPAM_TO     on
+#shortcircuit SUBJECT_IN_WHITELIST    on
+#
+#shortcircuit USER_IN_BLACKLIST       on
+#shortcircuit USER_IN_BLACKLIST_TO    on
+#shortcircuit SUBJECT_IN_BLACKLIST    on
+#
+#shortcircuit ALL_TRUSTED             on
+#
+## our Bayes DB is not trained
+#shortcircuit BAYES_99                off
+#shortcircuit BAYES_00                off    # too many fpos

roles/spamassassin/templates/spamass-milter.defaults

+#
+# {{ ansible_managed }}
+#
+
+# spamass-milt startup defaults
+
+# OPTIONS are passed directly to spamass-milter.
+# man spamass-milter for details
+
+RUNAS="debian-spamd"
+
+# You should not pass the -d option in OPTIONS; use SOCKET for that.
+# -i => ignore messages from localhost
+# -I => ignore messages from authenticated users
+# -r => reject messages with spam level >= 10
+OPTIONS="-i 127.0.0.1 -I -r 10 -- --socket=/var/run/spamd.sock"
+
+
+######################################
+# If /usr/sbin/postfix is executable, the following are set by
+# default. You can override them by uncommenting and changing them
+# here.
+######################################
+# SOCKET="/var/spool/postfix/spamass/spamass.sock"
+# SOCKETOWNER="postfix:postfix"
+# SOCKETMODE="0660"
+######################################

roles/spamassassin/templates/whitelist

+# {{ ansible_managed }}
+
+# this emails tends to be easily marked as spam (because they report spam mails)
+whitelist_from *-bounces@liste.ubuntu-it.org
+whitelist_from *-bounces@lists.alioth.debian.org