blob: b3cd399987701d5b1479387680edfc79a094cb82 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
# Configuration for Baserock mail relay
#
# This Ansible playbook expects to be run after the image-config.yml playbook.
---
- hosts: mail
gather_facts: false
sudo: yes
vars:
LOCAL_IP: 192.168.222.145
PUBLIC_DOMAIN_NAME: mail.baserock.org
tasks:
# Fedora provides a default /etc/exim/exim.conf. Rather than copy it and
# overwrite it, since we only need to make a few changes, I've used the
# lineinfile module to do search-and-replace. It's a bit ugly though. It
# may be better to just embed exim.conf.
# Several restrictions here are also enforced by the internal-mail-relay
# security group in firewall.yml, which only opens port 25, and only for
# traffic from the local network.
# This machine is only for sending mail.
- name: do not accept any incoming mail
lineinfile:
regexp: '^domainlist\s+local_domains.*$'
line: 'domainlist local_domains = '
dest: /etc/exim/exim.conf
- name: only accept mail from local network
lineinfile:
regexp: '^hostlist\s+relay_from_hosts.*$'
line: 'hostlist relay_from_hosts = 192.168.222.0/24'
dest: /etc/exim/exim.conf
- name: only listen on internal interface
lineinfile:
regexp: '^#?local_interfaces.*$'
line: 'local_interfaces = <; ::1 ; 127.0.0.1 ; {{ LOCAL_IP }}'
insertbefore: BOF
dest: /etc/exim/exim.conf
# The automation email addresses like gerrit@baserock.org do have aliases,
# but these are currently configured at Pepperfish, where our MX (mail)
# records for baserock.org point. So Exim thinks they are not routable
# and refuses to send mail from them, unless we disable this. Note that
# the address does have to be routable by something, or the receiving mail
# server may reject the mail anyway.
- name: do not verify that sender is routable within this Exim instance
lineinfile:
regexp: '^#?\s*require\s+verify\s+=\s+sender.*$'
line: '# require verify = sender'
dest: /etc/exim/exim.conf
# We don't have DNS in the internal baserock.org cloud right now, so this
# would be pointless.
- name: do not try to resolve hosts making SMTP requests
lineinfile:
regexp: '^#?\s+host_lookup = .*$'
line: '# host_lookup = *'
dest: /etc/exim/exim.conf
# The hostname of the machine will be 'mail', which isn't a fully-qualified
# domain name so will be rejected by SMTP servers. Ideally we would have
# mail.baserock.org set up and pointing to the floating IP of this machine.
# For now, we just have the IP.
- name: set primary hostname to public IP
lineinfile:
regexp: '^#?\s+primary_hostname =.*$'
line: 'primary_hostname = {{ PUBLIC_DOMAIN_NAME }}'
dest: /etc/exim/exim.conf
- name: exim4 service
service: name=exim state=started enabled=yes
|
