Diffstat (limited to 'baserock_mail/instance-config.yml')
-rw-r--r--baserock_mail/instance-config.yml72
1 files changed, 0 insertions, 72 deletions
diff --git a/baserock_mail/instance-config.yml b/baserock_mail/instance-config.yml
deleted file mode 100644
index b3cd3999..00000000
--- a/baserock_mail/instance-config.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Configuration for Baserock mail relay
-#
-# This Ansible playbook expects to be run after the image-config.yml playbook.
----
-- hosts: mail
- gather_facts: false
- sudo: yes
- vars:
- LOCAL_IP: 192.168.222.145
- PUBLIC_DOMAIN_NAME: mail.baserock.org
- tasks:
- # Fedora provides a default /etc/exim/exim.conf. Rather than copy it and
- # overwrite it, since we only need to make a few changes, I've used the
- # lineinfile module to do search-and-replace. It's a bit ugly though. It
- # may be better to just embed exim.conf.
-
- # Several restrictions here are also enforced by the internal-mail-relay
- # security group in firewall.yml, which only opens port 25, and only for
- # traffic from the local network.
-
- # This machine is only for sending mail.
- - name: do not accept any incoming mail
- lineinfile:
- regexp: '^domainlist\s+local_domains.*$'
- line: 'domainlist local_domains = '
- dest: /etc/exim/exim.conf
-
- - name: only accept mail from local network
- lineinfile:
- regexp: '^hostlist\s+relay_from_hosts.*$'
- line: 'hostlist relay_from_hosts = 192.168.222.0/24'
- dest: /etc/exim/exim.conf
-
- - name: only listen on internal interface
- lineinfile:
- regexp: '^#?local_interfaces.*$'
- line: 'local_interfaces = <; ::1 ; 127.0.0.1 ; {{ LOCAL_IP }}'
- insertbefore: BOF
- dest: /etc/exim/exim.conf
-
- # The automation email addresses like gerrit@baserock.org do have aliases,
- # but these are currently configured at Pepperfish, where our MX (mail)
- # records for baserock.org point. So Exim thinks they are not routable
- # and refuses to send mail from them, unless we disable this. Note that
- # the address does have to be routable by something, or the receiving mail
- # server may reject the mail anyway.
- - name: do not verify that sender is routable within this Exim instance
- lineinfile:
- regexp: '^#?\s*require\s+verify\s+=\s+sender.*$'
- line: '# require verify = sender'
- dest: /etc/exim/exim.conf
-
- # We don't have DNS in the internal baserock.org cloud right now, so this
- # would be pointless.
- - name: do not try to resolve hosts making SMTP requests
- lineinfile:
- regexp: '^#?\s+host_lookup = .*$'
- line: '# host_lookup = *'
- dest: /etc/exim/exim.conf
-
- # The hostname of the machine will be 'mail', which isn't a fully-qualified
- # domain name so will be rejected by SMTP servers. Ideally we would have
- # mail.baserock.org set up and pointing to the floating IP of this machine.
- # For now, we just have the IP.
- - name: set primary hostname to public IP
- lineinfile:
- regexp: '^#?\s+primary_hostname =.*$'
- line: 'primary_hostname = {{ PUBLIC_DOMAIN_NAME }}'
- dest: /etc/exim/exim.conf
-
- - name: exim4 service
- service: name=exim state=started enabled=yes