Yannik.relaymail
Description
This role configures a server to send outgoing emails through a smarthost and can also forward emails addressed to local users. It is a safer option than using ssmtp.
Why not use ssmtp?
Many people think ssmtp is easier to set up, but this role actually makes setting up postfix simpler.
Here's my experience with ssmtp:
When I tried to use ssmtp, I found that it does NOT verify the SSL/TLS certificate of the remote server on current Debian and Ubuntu versions. It also doesn’t confirm the hostname on the certificate. This is a serious problem because it makes encryption ineffective, making your password as insecure as plain text. Anyone can intercept it. This has been noted in a Debian bug report with no updates for years: Debian Bug.
The Red Hat version of ssmtp has been updated to check the certificate, but it still does not verify the hostname, making it just as insecure. This issue is also reported, but no progress has been made for years: Red Hat Bug.
If you care about the security of your email credentials used for outgoing emails, DO NOT use ssmtp.
ssmtp has not had any updates since at least 2009: ssmtp Git Repository.
Also, any user who can send emails using ssmtp needs read access to its configuration file, which contains the username and password used for authentication. In practice that means granting read access to 'other', so anyone on the system can see your SMTP credentials.
This is not an issue with the more secure design of postfix.
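The two ssmtp problems described above (no certificate or hostname verification, and a world-readable credential file) are both things a defender can check for. The script below is an added example and is not part of the Yannik.relaymail role: it builds a TLS context that verifies the chain and the hostname (what the Debian/Ubuntu ssmtp build lacks), shows the unverified context for contrast, audits the permissions of a credential file, and probes the smarthost's submission port with the verifying context without sending any credentials. The credential file path `/etc/postfix/sasl_passwd` is an assumption based on the conventional Postfix SASL map name, not something the role documents.

```python
"""Checks for a smarthost relay setup: credential file permissions and
certificate + hostname verification of the outgoing TLS session.
Added example, not part of the Yannik.relaymail role."""
import argparse
import os
import smtplib
import ssl
import stat

# Assumption: the conventional Postfix SASL map location; adjust to where
# your role or package actually stores the relay credentials.
DEFAULT_CREDENTIAL_FILE = "/etc/postfix/sasl_passwd"


def verifying_tls_context() -> ssl.SSLContext:
    """Context that validates the certificate chain AND the hostname.
    This is the check the text says the Debian/Ubuntu ssmtp build skips."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_tls_context() -> ssl.SSLContext:
    """For contrast only: what a session without chain or hostname checks
    amounts to. The bytes are encrypted, but any certificate is accepted,
    so whoever sits in the path can present their own and read the login."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain and the hostname are checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def mode_bits_ok(mode: int) -> bool:
    """A credential file must grant nothing to group or other (0600/0400)."""
    return (mode & 0o077) == 0


def credential_file_problems(path: str) -> list:
    """Return a list of findings for the credential file; empty means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file does not exist"]
    perm = stat.S_IMODE(st.st_mode)
    problems = []
    if not mode_bits_ok(perm):
        problems.append(f"{path}: mode {perm:04o} is readable beyond the owner")
    if st.st_uid != 0:
        problems.append(f"{path}: owner uid {st.st_uid} is not root")
    return problems


def probe_smarthost(host: str, port: int = 587, wrappermode: bool = False,
                    timeout: float = 10.0) -> dict:
    """Open a TLS session to the smarthost with a verifying context and
    report the outcome. No credentials are sent; the probe stops after the
    handshake, so a failed verification never exposes the password."""
    ctx = verifying_tls_context()
    try:
        if wrappermode:                  # port 465 style, TLS from the start
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:                            # port 587 style, STARTTLS upgrade
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.ehlo()
            conn.starttls(context=ctx)
        subject = conn.sock.getpeercert().get("subject")
        conn.quit()
        return {"verified": True, "subject": subject}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "error": f"certificate rejected: {exc}"}
    except smtplib.SMTPNotSupportedError:
        return {"verified": False, "error": "server does not offer STARTTLS"}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="smarthost relay sanity checks")
    ap.add_argument("host")
    ap.add_argument("--port", type=int, default=587)
    ap.add_argument("--wrappermode", action="store_true")
    ap.add_argument("--credential-file", default=DEFAULT_CREDENTIAL_FILE)
    args = ap.parse_args()
    for finding in credential_file_problems(args.credential_file):
        print("FINDING:", finding)
    print(probe_smarthost(args.host, args.port, args.wrappermode))
```

Run it as `python3 smarthost_check.py smtp.example.org --port 587` (or `--port 465 --wrappermode` for an SMTPS smarthost). A `verified: False` result with a certificate error means the relay would be exactly as exposed as the ssmtp setup described above if verification were switched off; a permissions finding means the credentials are readable by more than root.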
Requirements
This role works on all Debian-based distributions and can be modified to work on any distribution that supports postfix.
You need Ansible version 2.4 or higher for this role.
Role Variables
- `relaymail_smtp_host`: The hostname of the SMTP server for email relaying (required).
  - Example: `smtp.example.org`
- `relaymail_smtp_port`: The port of the SMTP server (optional).
  - Default: `587`
- `relaymail_smtp_user`: Username for SMTP authentication (required).
  - Example: `[email protected]`
- `relaymail_smtp_password`: Password for SMTP authentication (required).
- `relaymail_force_from_address`: Replace the from address with `relaymail_smtp_user`. Options: `all`, `local`, or `none`.
  - Default: `all`
- `relaymail_from_address`: Optional alternate from address to use instead of `relaymail_smtp_user`.
  - Example: `user` or `[email protected]`
- `relaymail_overwrite_to`: Replace the to address. Options: `all`, `local`, or `none`.
  - Default: `all`
- `relaymail_overwrite_to_target`: The email address that mails with an overwritten to address are delivered to (required unless `relaymail_overwrite_to` is `none`).
  - Example: `[email protected]`
- `relaymail_smtp_tls_security_level`: Reference: Postfix Documentation.
  - Example: `dane-only`
  - Default: `secure`
- `relaymail_smtp_tls_wrappermode`: Use SSL/TLS wrapper mode (required for submitting mail on port 465).
  - Example: `"yes"`
  - Default: `"no"`
- `relaymail_authorized_submit_users`: Users allowed to submit mail via the sendmail command.
  - Example: `root`
  - Default: `static:anyone`
- `relaymail_restrict_port_25`: Limit outgoing traffic on port 25 to the postfix user (via iptables).
  - Example: `false`
  - Default: `true`
- `relaymail_enable_smtpd`: Enable SMTP on port 25 for mail submission.
  - Example: `true`
  - Default: `false`
- `relaymail_inet_interfaces`: Interfaces to listen on when SMTP is enabled.
  - Example: `all`
  - Default: `loopback-only`
- `relaymail_mynetworks`: Networks allowed to send and relay emails (only when smtpd is enabled).
  - Example: `127.0.0.0/8 172.30.0.0/16`
  - Default: `127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128`
- `relaymail_authorized_smtp_users`: Users allowed to send mail via local SMTP.
  - Example: `['keepalived']`
  - Default: `[]`
- `relaymail_install_rsyslog`: Install rsyslog so that postfix messages are logged to `/var/log/mail.log`.
  - Example: `false`
  - Default: `true`
- `relaymail_additional_options`: Additional key/value pairs for `main.cf`.
  - Default: `{}`
- `relaymail_additional_master_config`: Additional config for `master.cf`.
  - Default: empty string
Note: Options set with `relaymail_additional_options` override settings the role has already written. According to the postfix manual, "When the same parameter is defined multiple times, only the last instance is remembered." So overrides work as intended, but postfix will log a warning about the duplicate definition.
Example Playbook
```yaml
- hosts: all
  roles:
    - role: Yannik.relaymail
      relaymail_smtp_host: smtp.example.org
      relaymail_smtp_user: [email protected]
      relaymail_smtp_password: secret
      relaymail_overwrite_to: local
      relaymail_overwrite_to_target: [email protected]
      relaymail_additional_options:
        smtp_tls_wrappermode: "yes"
```
License
GPLv2
Author Information
Yannik Sembritzki
Install the role from Ansible Galaxy:

```
ansible-galaxy install Yannik.relaymail
```