The ansible-zimbra-single from jancubillan

Template not parsed for installer phase 2 ?

Hi,

I'm trying and adapting your project for my needs.

I'm encountering and issue in the phase 2 installer where the jinja template does not take the facts on the zimbra host.

Here's a screenshot of my localconfig :

It seems that the facts are not used when I start the playbook.

Gathering facts alone from my computer that run ansible gave me the correct fqdn :

"ansible_fqdn": "gwenzim.mydomain.com"

I'm not an ansible expert so I might have gone wrong somewhere but I was thinking that the template would autofill with gathered variable since ansible_fqdn is not declared in any file in the role.

Regards

Don't set public IP on postfix mynetworks

Hi Jan, nice project! I have tested it on a couple of cloud provider and it works smoothly.
While trying on a cloud provider that assign a public IP directly on the NIC, I have noticed that due to this line:
https://github.com/jancubillan/ansible-zimbra-single/blob/master/templates/zimbra_config.txt.j2#L84

inside postfix main.cf file it will set a wide public subnet as permitted networks.
This cause of being an open-relay for any IPs inside that subnet range.

Example:

root@mail:~# cat /opt/zimbra/common/conf/main.cf|grep mynetworks
# The mynetworks parameter specifies the list of "trusted" SMTP
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# mynetworks list by hand, as described below.
# Specify "mynetworks_style = host" when Postfix should "trust"
#mynetworks_style = class
mynetworks_style = subnet
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
postscreen_access_list = permit_mynetworks
mynetworks = 127.0.0.0/8 [::1]/128 206.81.16.0/20

As a workaround, I have added is_public: True variable inside the playbook file:

--- 
- hosts: all
  vars:
    zimbra_timezone: Europe/Rome
    zimbra_fqdn: mail.example.com
    zimbra_admin_password: zimbra4ever
    is_public: True
  roles:
    - ansible-zimbra-single

With this conditional check inside zimbra_config.txt.j2 template:

{% if is_public %}
zimbraMtaMyNetworks="127.0.0.0/8 [::1]/128"
{% else %}
zimbraMtaMyNetworks="127.0.0.0/8 [::1]/128 {{ (ansible_default_ipv4.address + '/' + ansible_default_ipv4.netmask) | ansible.netcommon.ipaddr('network/prefix') }}"
{% endif %}

Would be nice to add inside the task a check that verifies if a NIC have a public address assigned

jancubillan / ansible-zimbra-single Goto Github PK

ansible-zimbra-single's People

Contributors

Stargazers

Watchers

Forkers

ansible-zimbra-single's Issues

Template not parsed for installer phase 2 ?

Don't set public IP on postfix mynetworks

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent