Ansible, Postfix, and Mailgun
Here's a simple set of Ansible files that allow your hosts to send mail through
Mailgun via Postfix. I've incorporated this setup into my common.yml playbook that
acts as a baseline configuration for all my hosts (handling timezone setup,
hostname normalization, etc.). With this addition, all my hosts can send email,
regardless of their network.
This setup aggressively rewrites any outgoing From: addresses. This may not suit your needs, but it's fine for me.
roles/common/tasks/smtp.yml, included from roles/common/tasks/main.yml:
- name: install mail packages
apt: pkg={{item}}
with_items:
- postfix
- mailutils
- libsasl2-modules
- name: install postfix config files
template: src={{item.src}} dest={{item.dest}} owner=root group=root mode=0644
notify: restart postfix
with_items:
- { src: header_check, dest: /etc/postfix/header_check }
- { src: main.cf, dest: /etc/postfix/main.cf }
- { src: mailname, dest: /etc/mailname }
- { src: sender_canonical_maps, dest: /etc/postfix/sender_canonical_maps }
- name: enable postfix service
service: name=postfix enabled=yes
roles/common/defaults/main.cf, default variables:
---
# 2525 is allowed on Google Cloud Platform
mailgun_port: 2525
mailgun_domain: put.your.hostname.here.example.com
mailgun_from_address: somebody@{{mailgun_domain}}
mailgun_from: "\"{{inventory_hostname_short}}\" <{{mailgun_from_address}}>"
# smtp login credentials
mailgun_login: postmaster@{{mailgun_domain}}
mailgun_api_key: put-your-api-key-here
roles/common/templates/main.cf:
# {{ansible_managed}}
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
#
# mailgun configuration
# https://documentation.mailgun.com/en/latest/user_manual.html#smtp-relay
#
mydestination = localhost.localdomain, localhost
relayhost = [smtp.mailgun.org]:{{mailgun_port}}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:{{mailgun_login}}:{{mailgun_api_key}}
smtp_sasl_security_options = noanonymous
# TLS support
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CApath = /etc/ssl/certs
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix/header_check
roles/common/templates/mailname, appended to bare addresses. Probably not needed due to other
rewrites, but I include it for completeness. See also: EtcMailName.
{{mailgun_domain}}
roles/common/templates/header_check:
# {{ansible_managed}}
/From:.*/ REPLACE From: {{mailgun_from}}
roles/common/templates/sender_canonical_maps:
# {{ansible_managed}}
/.+/ {{mailgun_from_address}}