Postfix credential map not reliably created #2887

Open
conorsch opened this issue Jan 17, 2018 · 1 comment

@conorsch
Contributor

Bug

Description

The file /etc/postfix/sasl_password.db must exist in order for OSSEC alerts to be sent via email. If that file does not exist, running ./securedrop-admin install should create it—but the current config does not enforce it.

Steps to Reproduce

  1. Configure prod VMs with working OSSEC alerts.
  2. Run sudo rm /etc/postfix/sasl_password.db && sudo service postfix restart on the Monitor Server.
  3. Run ./securedrop-admin install from Admin Workstation and confirm that /etc/postfix/sasl_password.db is still missing.

Expected Behavior

If a file required for the OSSEC functionality is absent, Ansible should create it, properly enforcing server state.

Actual Behavior

The file /etc/postfix/sasl_password.db is only created via a handler, meaning that if the contents of /etc/postfix/sasl_password change, then-and-only-then will the sasl_password.db file be created.

Comments

The handler should remain in place: we want to make sure that changes to the config file trigger updates to the hash entries in sasl_password.db. However, we must also ensure that the file exists via a task.

Something like:

```yaml
- name: Create Postfix lookup table.
  command: postmap /etc/postfix/sasl_credentials
  args:
    creates: /etc/postfix/sasl_credentials.db
```

Possibly related to #2478, which frequently results in incomplete configuration on the Monitor Server. Therefore the changes presented in #2748 should be finalized and merged before tackling this issue.

@conorsch
Contributor Author

conorsch commented Jan 8, 2021

Unsure if this is still an issue. Based on the timestamps, this behavior was observed under Trusty, but we've since moved to Xenial, and are currently moving to Focal (#4768). If anyone can reproduce this issue, great, but not sure it's still a problem.
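
A check for the condition described in this issue, added here as an example and not part of the SecureDrop code base: it reports whether the compiled lookup table is missing or older than its source map, which is what a handler-only configuration can leave behind. The function name and return codes are assumptions of this example; the default path is the one named in the issue.

```shell
#!/bin/sh
# Added example: state check for a Postfix lookup table built by postmap.
# Return codes (chosen for this example, not a Postfix convention):
#   0 = table present and at least as new as its source map
#   1 = source map missing
#   2 = compiled .db table missing or empty (the condition in this issue)
#   3 = .db older than its source (the handler did not run after a change)

check_postmap_table() {
    src=$1
    db="${src}.db"

    if [ ! -f "$src" ]; then
        echo "MISSING source map: $src" >&2
        return 1
    fi
    if [ ! -s "$db" ]; then
        echo "MISSING table: $db (rebuild with: postmap $src)" >&2
        return 2
    fi
    # -nt compares modification times; equal times count as up to date.
    if [ "$src" -nt "$db" ]; then
        echo "STALE table: $db is older than $src" >&2
        return 3
    fi
    echo "OK: $db"
    return 0
}

# Run the check only when a path is passed on the command line, e.g.
#   sh check_postmap.sh /etc/postfix/sasl_password
if [ $# -gt 0 ]; then
    check_postmap_table "$1"
fi
```

Running it on the Monitor Server before and after `./securedrop-admin install` shows whether the install restored the table.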
