Last active
May 24, 2022 11:51
-
-
Save l0neranger/fe4a292164387db24521 to your computer and use it in GitHub Desktop.
Ansible Playbook - Postfix for SES Delivery
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # According to AWS Docs - http://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html | |
| # | |
| # Rewrites all sender addresses to a single canonical ses verified address. | |
| # | |
| # Expects a vars files at ../vars/PostfixSES-vars.yml with the following variables: | |
| # - ses_host: email-smtp.us-west-x.amazonaws.com | |
| # - ses_port: 587 | |
| # - ses_username: ses-smtp-username | |
| # - ses_password: ses-smtp-password | |
| # - postfix_canonical_name: ses-verified@email.address | |
| # | |
| # Tested on Ubuntu 14.04 | |
| # | |
| --- | |
| - hosts: '{{ host }}' | |
| user: '{{ user }}' | |
| sudo: True | |
| gather_facts: yes | |
| tasks: | |
| - include_vars: ../vars/PostfixSES-vars.yml | |
| - name: Install Postfix and libsasl2-mod | |
| apt: > | |
| name={{ item }} | |
| state=latest | |
| update_cache=yes | |
| with_items: | |
| - postfix | |
| - heirloom-mailx | |
| tags: | |
| - install | |
| - name: Configure Postfix main.cf | |
| lineinfile: > | |
| backup=yes | |
| dest=/etc/postfix/main.cf | |
| regexp="^{{ item.variable }}\ =" | |
| line="{{ item.variable }} = {{ item.value }}" | |
| state=present | |
| with_items: | |
| - { variable: 'relayhost', value: "{{ ses_host }}:{{ ses_port }}" } | |
| - { variable: 'smtp_sasl_auth_enable', value: 'yes' } | |
| - { variable: 'smtp_sasl_security_options', value: 'noanonymous' } | |
| - { variable: 'smtp_sasl_password_maps', value: 'hash:/etc/postfix/sasl_passwd' } | |
| - { variable: 'smtp_use_tls', value: 'yes' } | |
| - { variable: 'smtp_tls_security_level', value: 'encrypt' } | |
| - { variable: 'smtp_tls_note_starttls_offer', value: 'yes' } | |
| - { variable: 'sender_canonical_maps', value: 'regexp:/etc/postfix/sender_canonical' } | |
| tags: | |
| - config | |
| - name: Create /etc/postfix/sasl_passwd | |
| lineinfile: > | |
| backup=yes | |
| create=yes | |
| dest=/etc/postfix/sasl_passwd | |
| regexp="^{{ ses_host }}" | |
| line="{{ ses_host }}:{{ ses_port }} {{ ses_username }}:{{ ses_password }}" | |
| state=present | |
| tags: | |
| - config | |
| - name: postmap hash:/etc/postfix/sasl_passwd | |
| command: postmap hash:/etc/postfix/sasl_passwd | |
| tags: | |
| - config | |
| - name: Remove /etc/postfix/sasl_passwd | |
| command: rm /etc/postfix/sasl_passwd | |
| tags: | |
| - config | |
| - name: Change permissions on /etc/postfix/sasl_passwd.db | |
| command: chmod 0600 /etc/postfix/sasl_passwd.db | |
| tags: | |
| - config | |
| - name: postfix CA cert | |
| command: postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt' | |
| tags: | |
| - config | |
| - name: Create /etc/postfix/sender_canonical | |
| lineinfile: > | |
| backup=yes | |
| create=yes | |
| dest=/etc/postfix/sender_canonical | |
| regexp=".*{{postfix_canonical_name}}" | |
| line="/(.*?)@(.*)/ {{postfix_canonical_name}}" | |
| state=present | |
| tags: | |
| - config | |
| - name: Restart postfix | |
| service: > | |
| name=postfix | |
| state=restarted | |
| tags: | |
| - config |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You should add
libsasl2-modulesto the packages, otherwise postfix will not authenticate against the aws smtp server.If you also want to have postfix only send notifications from internal connections, it could be helpful to add this to the
main.cfconfiguration:this will allow the system to send internal notifications, without having the server open up to the world on port 25.