From 98315f8738e4fde2c92db53a1076f1114e1312fb Mon Sep 17 00:00:00 2001
From: Luciano Giacchetta
Date: Tue, 29 Jul 2025 18:53:19 -0300
Subject: [PATCH] #1 - Define postfix_mynetworks as variable to adjust with local nets
---
 README.md | 19 ++++++++++---------
 defaults/main.yml | 3 +++
 templates/main.cf.j2 | 3 ++-
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index b0b91c4..eaf998e 100644
--- a/README.md
+++ b/README.md
@@ -27,18 +27,19 @@ The role's behavior can be customized using the following variables. The default
 | Variable | Default Value | Description |
 | :---- | :---- | :---- |
-| postfix\_relayhost | "" (empty string) | **Required.** The smarthost for relaying all mail. Use square brackets \[\] to prevent MX lookups (e.g., \[smtp.sendgrid.net\]:587). |
-| postfix\_relayhost\_user | (undefined) | The username for SASL authentication with the smarthost. If defined with a password, SASL auth will be enabled. |
-| postfix\_relayhost\_password | (undefined) | The password or API key for the smarthost user. **It** is strongly recommended to store this in Ansible **Vault.** |
-| postfix\_mail\_domain | \`{{ ansible\_domain | default('internal.local') }}\` |
-| postfix\_myhostname | mail.{{ postfix\_mail\_domain }} | The fully qualified domain name (FQDN) of the mail server itself (e.g., mail.example.com). |
-| postfix\_mydestination | $myhostname, localhost... | A comma-separated list of domains this server will accept mail for. The default is usually sufficient for an internal relay. |
-| postfix\_inet\_interfaces | all | The network interfaces Postfix listens on. Set to loopback-only to only accept mail from the server itself. |
-| postfix\_inet\_protocols | all | The IP protocols to use (ipv4, ipv6, or all). |
+| postfix_relayhost | "" (empty string) | **Required.** The smarthost for relaying all mail. Use square brackets [] to prevent MX lookups (e.g., \[smtp.sendgrid.net\]:587). |
+| postfix_relayhost_user | (undefined) | The username for SASL authentication with the smarthost. If defined with a password, SASL auth will be enabled. |
+| postfix_relayhost_password | (undefined) | The password or API key for the smarthost user. **It** is strongly recommended to store this in Ansible **Vault.** |
+| postfix_mail_domain | `{{ ansible_domain \| default('internal.local') }}` | The primary mail domain for this server |
+| postfix_myhostname | `mail.{{ postfix_mail_domain }}` | The fully qualified domain name (FQDN) of the mail server itself (e.g., mail.example.com). |
+| postfix_mydestination | `$myhostname, localhost.{{ postfix_mail_domain }}, localhost, {{ postfix_mail_domain }}` | A comma-separated list of domains this server will accept mail for. The default is usually sufficient for an internal relay. |
+| postfix_mynetworks | `"127.0.0.0/8 [::1]/128"` | The list of "trusted" remote SMTP clients that have more privileges than "strangers"|
+| postfix_inet_interfaces | all | The network interfaces Postfix listens on. Set to loopback-only to only accept mail from the server itself. |
+| postfix_inet_protocols | all | The IP protocols to use (ipv4, ipv6, or all). |
 ### **SASL Authentication**
-SASL authentication for the smarthost is **automatically enabled** if both postfix\_relayhost\_user and postfix\_relayhost\_password are defined. If they are not defined, Postfix will attempt to send mail without authentication.
+SASL authentication for the smarthost is **automatically enabled** if both postfix_relayhost_user and postfix_relayhost_password are defined. If they are not defined, Postfix will attempt to send mail without authentication.
 ## **Dependencies**
diff --git a/defaults/main.yml b/defaults/main.yml
index 558223e..4a95e62 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -22,6 +22,9 @@ postfix_myhostname: "mail.{{ postfix_mail_domain }}"
 # It's critical that this includes the server's own hostname and mail domain.
 postfix_mydestination: "$myhostname, localhost.{{ postfix_mail_domain }}, localhost, {{ postfix_mail_domain }}"
+# The list of "trusted" remote SMTP clients that have more privileges than "strangers".
+postfix_mynetworks: "127.0.0.0/8 [::1]/128"
+
 # The relayhost (smarthost) for all outgoing mail.
 # This variable MUST be set for the role to work as intended.
 # Example: "[smtp.sendgrid.net]:587"
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index b79b4ec..cab9889 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -19,13 +19,14 @@ recipient_delimiter = +
 # For a production server, replace snakeoil with real certificates.
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
 smtpd_use_tls=yes
 # Host and domain configuration
 myhostname = {{ postfix_myhostname }}
 myorigin = /etc/mailname
 mydestination = {{ postfix_mydestination }}
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mynetworks = {{ postfix_mynetworks }}
 # Relayhost (smarthost) configuration
 # All outgoing mail will be sent through this host. This is the only
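Review bot: The new `postfix_mynetworks` default is narrower than the value the template hard-coded until now: `[::ffff:127.0.0.0]/104` (IPv4-mapped loopback) is dropped, which is a silent behaviour change for any host whose local clients show up with such addresses, and the same substitution lands in the templates/main.cf.j2 hunk below. The comment above the new variable also does not say what the setting grants: with Postfix's default relay restriction (`permit_mynetworks`; the template's own restrictions are not visible in this patch) every client in `mynetworks` may relay mail through this server and on to the smarthost without SASL authentication, so a broad "local nets" value turns the host into a relay for that whole network. Suggest extending the comment, e.g. `# Hosts in these networks may relay mail through this server without authentication; keep the list as narrow as possible.`, stating the expected format (space-separated CIDR list, IPv6 in square brackets) since the value is passed through verbatim, and either keeping the mapped-loopback range in the default or calling out its removal in the README.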
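Review bot: The added `smtpd_tls_security_level=may` sits directly above the obsolete `smtpd_use_tls=yes`; once `smtpd_tls_security_level` is set Postfix (2.3 and later) ignores `smtpd_use_tls`, so the retained line is dead configuration that will mislead whoever later tightens inbound TLS. Drop `smtpd_use_tls=yes`, or keep it with a comment such as `# legacy knob, superseded by smtpd_tls_security_level above`. As a point of style, the TLS lines use `key=value` while the rest of the hunk uses `key = value`; matching the file's spacing would make the block read consistently. The `mynetworks = {{ postfix_mynetworks }}` line renders the variable unquoted and unvalidated, so an empty or mistyped value is only caught when Postfix reloads; an `assert` task on the variable in the role's tasks (non-empty, CIDR-shaped entries) would surface that at play time instead.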