Some more config fixes

.github/workflows/main.yml

@@ -0,0 +1,10 @@
+---
+on: [push, pull_request]
+
+jobs:
+  Lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run ansible-lint
+        uses: ansible-community/ansible-lint-action@main

.pre-commit-config.yaml

@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/ansible-community/ansible-lint
+    rev: v6.5.2
+    hooks:
+      - id: ansible-lint

README.rst

@@ -43,8 +43,8 @@ Accepting mail
   accept mail. This is independent from ``mta_is_destination`` -- domains may be
   purely for forwarding purposes.
 
-* ``mta_message_size_limit`` (integer): Maximum size for a message in bytes to
-  be accepted for delivery (on either service, smtpd or submission)
+* ``mta_message_size_limit`` (integer, default 10240000): Maximum size of emails
+  that postfix will accept in bytes (on either service, smtpd or submission).
 
 * ``mta_postscreen`` (thing or false): If not false, the ``postscreen`` service
   will be enabled.
@@ -108,16 +108,16 @@ Accepting mail
   directly; it will typically be used for MTAs that only need to send cron mails
   etc.
 
-* ``mta_relayhost_auth`` (mapping): This is only meaningful if
-  ``mta_relayhost`` is set. In that case, this mapping allows to set up
-  authentication with the relay host using SASL:
+* ``mta_relayhost_auth_username`` (string): This is only meaningful
+  if ``mta_relayhost`` is set. In that case this set the SASL user name to use
+  to set up authentication with the relay host using SASL.
 
-  * ``mta_relayhost_auth.username`` (string): the SASL user name to use
-  * ``mta_relayhost_auth.mapfile`` (path): A path where a config file
-    containing the credentials will be written to.
+* ``mta_relayhost_auth_password`` (string): The password to use for relayhost SASL
+  authentication. Required if ``mta_relayhost_auth_username`` is used.
+
+* ``mta_relayhost_auth_mapfile`` (path): A path where a config file containing
+  the SASL authentication credentials will be written to.
 
-* ``mta_relayhost_password`` (string): The password to use for relayhost SASL
-  authentication. Required if ``mta_relayhost_auth`` is used.
 
 * ``mta_transport_map`` (mapping):  A lookup table, mapping destination
   address patterns to their respective nexthop.  Refer to the `postfix
@@ -239,3 +239,34 @@ Safety nets and misc
 
 * ``mta_override_hostname`` (string, optional): If set, this is used as value
   for myhostname instead of the value of ``inventory_hostname``.
+
+If you’d like to add further files from another role, install them to
+``/etc/postfix/aliases.d/`` using file names ending in ``.aliases``, and notify
+the ``update include alias file`` handler.  These files will automatically be
+concatenated and installed to ``/etc/postfix/aliases``.
+
+Running additional services
+---------------------------
+
+* ``mta_services`` (list of dictionaries). Each dictionary describes a service
+* that should be added to the ``master.cf``.
+
+  Example::
+
+    mta_services:
+      - port: 5870
+        type: inet
+        command: smtpd
+        options:
+          smtpd_tls_security_level: encrypt
+          smtpd_relay_restrictions:
+            - permit_sasl_authenticated
+            - defer_unauth_destination
+
+Mailman
+-------
+* ``mta_use_mailman`` (bool, default false):  Set this to enable the mailman
+  transport.
+
+* ``mta_mailman_script_location`` (string, default ``/usr/lib/mailman/bin/postfix-to-mailman.py``):
+  Location of the ``postfix-to-mailman.py`` program.

defaults/main.yml

@@ -1,40 +1,89 @@
 ---
-mta_alias_maps: []
-mta_relayhost: False
-mta_relayhost_auth: False
-mta_listen: True
+mta_access_databases: {}
+mta_alias_database: []
+mta_alias_maps:
+  - "$alias_database"
+  - hash:/etc/postfix/aliases
+mta_local_canonical_myorigin: ""
+mta_local_sender_canonical_maps: []
+mta_local_recipient_canonical_maps: []
+mta_local_canonical_header_checks: []
+mta_relayhost: false
+mta_relayhost_auth_username: null
+mta_relayhost_auth_mapfile: /etc/postfix/password_map
+mta_smtp_tls_wrappermode: false
+mta_smtp_tls_security_level: "may"
+mta_smtp_tls_ca_path: /etc/ssl/certs/
+mta_listen: true
+mta_smtpd_upstream_proxy_protocol: ""
+mta_smtpd_restriction_classes: {}
 mta_smtpd_client_restrictions: []
+mta_smtpd_sender_login_maps: []
 mta_smtpd_sender_restrictions: []
 mta_smtpd_relay_restrictions:
-- reject_unauth_destination
+  - reject_unauth_destination
 mta_smtpd_recipient_restrictions: []
 mta_smtpd_helo_restrictions: []
+mta_smtpd_data_restrictions: []
+mta_smtpd_end_of_data_restrictions: []
+mta_smtpd_etrn_restrictions: []
+mta_smtpd_milters: []
 mta_domains: []
-mta_postscreen: False
-mta_delay_warning: False
+mta_virtual_mailbox_domains: []
+mta_virtual_transport: []
+mta_postscreen: false
+mta_delay_warning: false
 mta_transport_map: {}
 mta_tls_security_level: "may"
-mta_tls_log: False
+mta_tls_log: false
 mta_mynetworks: []
-mta_smtpd_helo_required: False
-mta_strict_rfc821_envelopes: False
-mta_domains: []
-mta_message_size_limit: False
+mta_smtpd_helo_required: false
+mta_strict_rfc821_envelopes: false
 mta_listen_interfaces:
-- all
-mta_soft_bounce: False
+  - all
+mta_soft_bounce: false
 mta_relay_domains: []
+mta_virtual_maps: []
+mta_mailbox_command: null
 
 # Mail Submission Agent settings
-mta_msa: False
+mta_msa: false
 mta_msa_smtpd_client_restrictions: []
-mta_msa_sasl_type: False
-mta_msa_sasl_path: False
-mta_msa_dkim: False
+mta_msa_sasl_type: false
+mta_msa_sasl_path: false
+mta_msa_dkim: false
+mta_msa_options:
+  smtpd_tls_security_level: "encrypt"
+  smtpd_client_restrictions: []
+  smtpd_recipient_restrictions: []
+  smtpd_helo_restrictions: []
+  smtpd_sender_restrictions: []
+  smtpd_relay_restrictions:
+    - permit_sasl_authenticated
+    - defer_unauth_destination
 
 # OpenDKIM settings
-mta_dkim: False
-mta_dkim_sign: False
-mta_dkim_verify: True
+mta_dkim: false
+mta_dkim_sign: false
+mta_dkim_verify: true
 mta_dkim_selector: "deployment"
 mta_dkim_domains: []
+
+# Mailman settings
+mta_use_mailman: false
+mta_mailman_script_location: /etc/mailman/postfix-to-mailman.py
+
+# other
+mta_recipient_delimiter: ""
+mta_message_size_limit: 10240000
+mta_pipe_transports: []
+mta_unverified_recipient_reject_code: 450
+mta_config_files_all: []
+mta_config_files: []
+
+# Additional parameters
+mta_parameters_all: {}
+mta_parameters: {}
+
+# Additional services
+mta_services: []

handlers/main.yml

@@ -1,6 +1,24 @@
 ---
 - name: reload postfix
-  service: name=postfix state=reloaded
+  ansible.builtin.service: name=postfix state=reloaded
+
+- name: restart postfix
+  ansible.builtin.service: name=postfix state=restarted
+
+- name: update include alias file
+  ansible.builtin.command: find /etc/postfix/aliases.d -type f -name '*.aliases'
+  register: alias_files
+  notify:
+    - really update include alias file
+
+- name: really update include alias file
+  ansible.builtin.shell: cat {{ alias_files.stdout_lines | join(' ') }} > /etc/postfix/aliases
+  when: '" ".join(alias_files.stdout_lines)'
+  notify:
+    - compile include alias file
+
+- name: compile include alias file
+  ansible.builtin.command: postalias /etc/postfix/aliases
 
 - name: restart opendkim
-  service: name=opendkim state=restarted
+  ansible.builtin.service: name=opendkim state=restarted

tasks/main.yml

@@ -1,4 +1,4 @@
 ---
-- include: postfix.yml
-- include: opendkim.yml
+- import_tasks: postfix.yml
+- import_tasks: opendkim.yml
   when: mta_dkim | default(False)

tasks/opendkim.yml

@@ -1,30 +1,23 @@
 ---
 - name: install packages
-  yum: name={{ item }} state=latest
+  ansible.builtin.yum: name={{ item }} state=present
   with_items:
     - opendkim
   tags:
-    - opendkim
     - yum
 
 - name: instanciate config
-  template: src=opendkim/opendkim.conf dest=/etc/opendkim.conf
-  tags:
-    - opendkim
+  ansible.builtin.template: src=opendkim/opendkim.conf dest=/etc/opendkim.conf
   notify:
     - restart opendkim
 
 - name: instanciate tables
-  template: src=opendkim/{{ item }} dest=/etc/opendkim/
+  ansible.builtin.template: src=opendkim/{{ item }} dest=/etc/opendkim/
   with_items:
     - SigningTable
     - KeyTable
-  tags:
-    - opendkim
   notify:
     - restart opendkim
 
 - name: enable and start opendkim
-  service: name=opendkim enabled=yes state=started
-  tags:
-    - opendkim
+  ansible.builtin.service: name=opendkim enabled=yes state=started