Simplify configuration of SASL authenticated relay host

agdsn · Mar 12, 2021 · 06743f6 · 06743f6
1 parent c4431fe
commit 06743f6
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 16 deletions.
diff --git a/README.rst b/README.rst
@@ -108,16 +108,16 @@ Accepting mail
   directly; it will typically be used for MTAs that only need to send cron mails
   etc.
 
-* ``mta_relayhost_auth`` (mapping): This is only meaningful if
-  ``mta_relayhost`` is set. In that case, this mapping allows to set up
-  authentication with the relay host using SASL:
+* ``mta_relayhost_auth_username`` (string): This is only meaningful
+  if ``mta_relayhost`` is set. In that case this set the SASL user name to use
+  to set up authentication with the relay host using SASL.
 
-  * ``mta_relayhost_auth.username`` (string): the SASL user name to use
-  * ``mta_relayhost_auth.mapfile`` (path): A path where a config file
-    containing the credentials will be written to.
+* ``mta_relayhost_auth_password`` (string): The password to use for relayhost SASL
+  authentication. Required if ``mta_relayhost_auth_username`` is used.
+
+* ``mta_relayhost_auth_mapfile`` (path): A path where a config file containing
+  the SASL authentication credentials will be written to.
 
-* ``mta_relayhost_password`` (string): The password to use for relayhost SASL
-  authentication. Required if ``mta_relayhost_auth`` is used.
 
 * ``mta_transport_map`` (mapping):  A lookup table, mapping destination
   address patterns to their respective nexthop.  Refer to the `postfix

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,7 +9,8 @@ mta_local_sender_canonical_maps: []
 mta_local_recipient_canonical_maps: []
 mta_local_canonical_header_checks: []
 mta_relayhost: False
-mta_relayhost_auth: False
+mta_relayhost_auth_username: null
+mta_relayhost_auth_mapfile: /etc/postfix/password_map
 mta_smtp_tls_wrappermode: no
 mta_smtp_tls_security_level: "may"
 mta_smtp_tls_ca_file: ""

diff --git a/tasks/postfix.yml b/tasks/postfix.yml
@@ -126,14 +126,14 @@
 
 - name: deploy sasl password map for relaying
   template: src=postfix/password_map
-            dest="{{ mta_relayhost_auth.mapfile }}"
-  when: mta_relayhost and mta_relayhost_auth
+            dest="{{ mta_relayhost_auth_mapfile }}"
+  when: mta_relayhost and mta_relayhost_auth_username
   register: password_map
   notify:
     - reload postfix
 
 - name: compile sasl password map for relaying
-  command: postmap "{{ mta_relayhost_auth.mapfile }}"
+  command: postmap "{{ mta_relayhost_auth_mapfile }}"
   when: password_map is changed
   notify:
     - reload postfix

diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf
@@ -218,10 +218,10 @@ delay_warning_time = {{ mta_delay_warning }}
 {% if mta_relayhost -%}
 # origin: mta_relayhost
 relayhost = {{ mta_relayhost }}
-{% if mta_relayhost_auth -%}
-# origin: mta_relayhost and mta_relayhost_auth
+{% if mta_relayhost_auth_username and mta_relayhost_auth_password -%}
+# origin: mta_relayhost and mta_relayhost_auth_mapfile
 smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:{{ mta_relayhost_auth.mapfile }}
+smtp_sasl_password_maps = hash:{{ mta_relayhost_auth_mapfile }}
 smtp_sasl_mechanism_filter =
 smtp_sasl_security_options =
 {% endif %}

diff --git a/templates/postfix/password_map b/templates/postfix/password_map
@@ -1 +1 @@
-{{ mta_relayhost }} {{ mta_relayhost_auth.username }}:{{ mta_relayhost_password }}
+{{ mta_relayhost }} {{ mta_relayhost_auth_username }}:{{ mta_relayhost_auth_password }}