fedora-infra_ansible/roles/base/tasks/postfix.yml
Kevin Fenzi 9ddd3e2e6d postfix / gateway: add bysender map
This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla that's
a lot of email.

Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.

With this:

bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.

This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-07-26 15:58:43 -07:00


# Deploy main.cf from the most specific source that exists: an explicit
# postfix_maincf override first, then per-FQDN, per-host, per-group and
# per-datacenter variants, and finally the generic file. first_found stops
# at the first candidate present on the controller.
# NOTE(review): no owner/mode is given, so the copied file keeps the module
# defaults; main.cf carries no secrets, so that looks acceptable — confirm.
- name: /etc/postfix/main.cf
  copy:
    src: "{{ item }}"
    dest: /etc/postfix/main.cf
  with_first_found:
    - "{{ postfix_maincf }}"
    - "postfix/main.cf/main.cf.{{ ansible_fqdn }}"
    - "postfix/main.cf/main.cf.{{ inventory_hostname }}"
    - "postfix/main.cf/main.cf.{{ host_group }}"
    - "postfix/main.cf/main.cf.{{ postfix_group }}"
    - "postfix/main.cf/main.cf.{{ datacenter }}"
    - "postfix/main.cf/main.cf"
  notify:
    - restart postfix
  tags:
    - postfix
    - config
    - base
# Deploy master.cf only on the mail-handling hosts, again preferring the most
# specific candidate file (host, group, postfix group, generic).
- name: install /etc/postfix/master.cf file
  copy:
    src: "{{ item }}"
    dest: /etc/postfix/master.cf
    # Quoted so YAML keeps the octal mode as the string "0644" rather than
    # reading it as a decimal integer.
    mode: "0644"
  with_first_found:
    - "postfix/master.cf/master.cf.{{ inventory_hostname }}"
    - "postfix/master.cf/master.cf.{{ host_group }}"
    - "postfix/master.cf/master.cf.{{ postfix_group }}"
    - "postfix/master.cf/master.cf"
  when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02', 'bastion'))
  notify:
    - restart postfix
  tags:
    - postfix
    - config
    - base
# Deploy the per-postfix-group sender_access map from the private files tree,
# but only for the groups that actually relay mail (smtp-mm, mailman, gateway).
- name: Deploy sender_access file
  copy:
    src: "{{private}}/files/smtpd/sender_access.{{postfix_group}}"
    dest: /etc/postfix/sender_access
  when: postfix_group in ['smtp-mm', 'mailman', 'gateway']
  notify:
    - restart postfix
  tags:
    - postfix
    - config
    - base
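# Turn PrivateDevices off in the postfix unit on the s390x build hosts to work
# around the privatedevices bug there.
# NOTE(review): this edits the vendor unit under /usr/lib, which a package
# update can overwrite; a drop-in under /etc/systemd/system/postfix.service.d/
# would survive upgrades — worth confirming before changing the path.
- name: work around s390 privatedevices bug
  ini_file:
    path: /usr/lib/systemd/system/postfix.service
    section: Service
    option: PrivateDevices
    # Quoted on purpose: ini_file's value is a string parameter, so a bare
    # YAML boolean is coerced by the module (Ansible warns about the
    # conversion) and the text written is whatever that coercion yields.
    # The quoted string pins the literal lowercase "false" that systemd
    # documents for this setting.
    value: "false"
  notify:
    - reload systemd
  when: inventory_hostname.startswith(('buildvm-s390x','buildvmhost-s390x'))
  tags:
    - postfix
    - config
    - base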
# Make sure postfix is running now and enabled at boot.
- name: enable postfix to start
  service:
    name: postfix
    state: started
    enabled: true
  tags:
    - service
    - base
# Deploy the transport map on the relay hosts (smtp-mm, bastion, noc02),
# production only. The source file name is chosen per host through
# postfix_transport_filename. The map must be rebuilt before postfix is
# restarted, hence the two handlers in that order.
- name: install /etc/postfix/transport file
  copy:
    src: "postfix/{{ postfix_transport_filename }}"
    dest: /etc/postfix/transport
  when: inventory_hostname.startswith(('smtp-mm','bastion','noc02')) and env != 'staging'
  notify:
    - rebuild postfix transport
    - restart postfix
  tags:
    - postfix
    - base
    - config
# Deploy the bysender map on the production bastion hosts. Per the commit
# message it routes forwarded @redhat.com mail through Red Hat's MX so the
# outbound delivery passes that domain's SPF check.
# Note that ('bastion') is a plain parenthesised string, not a one-element
# tuple; startswith accepts either, so the check behaves the same.
- name: install /etc/postfix/bysender file
  copy:
    src: postfix/bysender
    dest: /etc/postfix/bysender
  when: inventory_hostname.startswith(('bastion')) and env != 'staging'
  notify:
    - rebuild postfix bysender
    - restart postfix
  tags:
    - postfix
    - base
    - config
# Deploy the TLS policy map on the production hosts that talk to other MTAs
# (bastion, smtp-mm, pagure); the map is rebuilt before postfix restarts.
# NOTE(review): this task is tagged only `postfix`, unlike the sibling tasks
# which also carry `config` and `base`, so a `--tags config` run skips it —
# confirm that is intended.
- name: create /etc/postfix/tls_policy
  copy:
    src: postfix/tls_policy
    dest: /etc/postfix/tls_policy
  when: inventory_hostname.startswith(('bastion','smtp-mm','pagure')) and env != 'staging'
  notify:
    - rebuild postfix tls_policy
    - restart postfix
  tags:
    - postfix
# Install the gateway TLS cert as a single PEM file.
# Order inside the file: private key, then cert, then intermediate cert.
# This is a DigiCert cert; renew it there.
- name: install /etc/pki/tls/private/gateway-chain.pem
  copy:
    src: "{{private}}/files/smtpd/gateway-chain.pem"
    dest: /etc/pki/tls/private/gateway-chain.pem
    owner: root
    group: root
    # The file contains the private key: root-only, no group/world access.
    # Quoted so the octal mode stays the string "0600".
    mode: "0600"
  when: inventory_hostname.startswith(('bastion','smtp-mm')) and env != 'staging'
  notify:
    - restart postfix
  tags:
    - postfix