✨: add smtp global relay

2025-03-29 08:27:18 +01:00
parent e4577d7d29
commit ed61026b45
10 changed files with 129 additions and 1 deletions
--- a/inventory/host_vars/ks3370405.yml
+++ b/inventory/host_vars/ks3370405.yml
@@ -0,0 +1,6 @@
+---
+
+allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
+
+global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
+ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
--- a/inventory/static.yml
+++ b/inventory/static.yml
@@ -14,6 +14,8 @@ all:
      ansible_host: muse-HP-EliteBook-820-G2.home.arpa
    pinkypie:
      ansible_host: pinkypie.home.arpa
+    ks3370405:
+      ansible_host: ks3370405.kimsufi.com

 router:
  hosts:
@@ -76,6 +78,7 @@ disabled_munin:
    baybay-ponay:
    muse-HP-EliteBook-820-G2:
    pinkypie:
+    ks3370405:

 disabled_syslog:
  hosts:
@@ -83,6 +86,7 @@ disabled_syslog:
    machinbox:
    muse-HP-EliteBook-820-G2:
    pinkypie:
+    ks3370405:

 # Those are not servers and should not be configured as such
 disabled_server_conf:
--- a/playbooks/global_smtprelay.yml
+++ b/playbooks/global_smtprelay.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Install & configure the global SMTP relay
+  hosts: ks3370405
+  roles:
+    - ufw
+    - global_smtp_relay
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -18,6 +18,8 @@
  import_playbook: firewall.yml
 - name: Run mail playbook
  import_playbook: mail.yml
+- name: Run global_smtprelay playbook
+  import_playbook: global_smtprelay.yml
 - name: Run xmpp playbook
  import_playbook: xmpp.yml
 - name: Run webservers playbook
--- a/playbooks/smtprelay.yml
+++ b/playbooks/smtprelay.yml
@@ -1,7 +1,7 @@
 ---

 - name: Deploy smtp relay
-  hosts: all:!disabled_server_conf:!machinbox:!mail
+  hosts: all:!disabled_server_conf:!machinbox:!mail:!ks3370405
  diff: true
  roles:
    - smtprelay
--- a/roles/global_smtp_relay/handlers/main.yml
+++ b/roles/global_smtp_relay/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart postfix
+  ansible.bultin.service:
+    name: postfix
+    state: restarted
+    enable: true
--- a/roles/global_smtp_relay/tasks/main.yml
+++ b/roles/global_smtp_relay/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Install postfix
+  ansible.builtin.package:
+    name: postfix
+    state: present
+
+- name: Put configuration
+  ansible.builtin.template:
+    src: main.cf.j2
+    dest: /etc/postfix/main.cf.j2
+    owner: root
+    group: root
+    mode: "0o640"
+  notify: Restart postfix
--- a/roles/global_smtp_relay/templates/main.cf.j2
+++ b/roles/global_smtp_relay/templates/main.cf.j2
@@ -0,0 +1,43 @@
+compatibility_level = 2
+queue_directory = /var/spool/postfix
+command_directory = /usr/bin
+daemon_directory = /usr/lib/postfix/bin
+data_directory = /var/lib/postfix
+mail_owner = postfix
+myhostname = mail-relay.mateu.be
+myorigin = $myhostname
+mydestination = $myhostname, localhost.$mydomain, localhost
+unknown_local_recipient_reject_code = 550
+mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
+debugger_command =
+	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+	 ddd $daemon_directory/$process_name $process_id & sleep 5
+sendmail_path = /usr/bin/sendmail
+newaliases_path = /usr/bin/newaliases
+mailq_path = /usr/bin/mailq
+setgid_group = postdrop
+html_directory = no
+mailbox_size_limit = 104857600
+message_size_limit = 104857600
+manpage_directory = /usr/share/man
+sample_directory = /etc/postfix
+readme_directory = /usr/share/doc/postfix
+inet_protocols = ipv4
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib/postfix
+## Référence de chiffrement TLS
+# serveur SMTP
+smtpd_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer
+smtpd_tls_key_file = /etc/x509/mail-relay.mateu.be/mail-relay.mateu.be.key
+smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_loglevel = 1
+# client SMTP
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer
+smtp_tls_key_file = /etc/x509/mail-relay.mateu.be/mail-relay.mateu.be.key
+smtp_use_tls = yes
+smtp_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
--- a/roles/ufw/defaults/main.yml
+++ b/roles/ufw/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ufw_allowed_smtp_ips: []
--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+
+- name: Install ufw
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
+- name: Permit outgoing flows
+  community.general.ufw:
+    default: allow
+    direction: outgoing
+
+- name: Deny incoming flows
+  community.general.ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow incoming SSH
+  community.general.ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: Allow incoming HTTP
+  community.general.ufw:
+    rule: allow
+    port: http
+    proto: tcp
+
+- name: Allow incoming SMTP
+  community.general.ufw:
+    rule: allow
+    port: smtp
+    src: "{{ item }}"
+  loop: "{{ ufw_allowed_smtp_ips }}"
+
+- name: Set logging
+  community.general.ufw:
+    logging: "on"
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled