ansible-mailserver-debian/mail_system.yml


# ansible playbook
#
# Install a complete mail system with
#
# - postfix
# - dovecot
# - clamav (with unofficial signatures)
# - rspamd (integrating clamav)
#
# Not included here: mailing-list server, Roundcube, account and alias management.
#
# Please edit the host's config (inventory/host_vars/${hostname}):
# Add a new dictionary 'mailserver':
#
# mailserver:
# postgresql:
# host: 127.0.0.1
# port: 5432
# dbname: mailserver
# username: mailserver
# password: !vault |
# $ANSIBLE_VAULT;1.1;AES256
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# postfix:
# overwrite_config: no
# reject_sender_login_mismatch: yes
# mynetworks: "10.0.0.0/24 [2a01:XXXX:XXXX:XXXX::]/64"
# verp_marker: rstxyz
# dovecot:
# auth_default_realm: mymaindomain.org
# postmaster_email: root@mymaindomain.org
#
# Set up a PostgreSQL database (named as in dbname, owned by username, reachable on
# host and port) with something like this:
#
# createuser -P mailserver
# createdb -E utf8 -O mailserver -T template1 mailserver
#
# Use `ansible-vault encrypt_string` to obtain the encrypted password.
#
# Take care that the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
#
# TODOs after running this playbook:
#
# Configure mail DNS:
#
# - MX
# - PTR (IPv4 and IPv6)
#
# SPF, DMARC and DKIM DNS records should be created when adding a domain:
#
# - SPF (`IN TXT "v=spf1 mx" or more`)
# - DMARC (`_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"`)
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
# put the DNS entry in your zone file and save the private key
# into /var/lib/rspamd/dkim/mymaindomain.org.20190911.key
# and
# chown _rspamd /var/lib/rspamd/dkim/*
# chmod 400 /var/lib/rspamd/dkim/*
# and enable it by putting a line
# mymaindomain.org 20190911
# into /etc/rspamd/dkim_selectors.map
# followed by systemctl reload rspamd)
#
# Open the firewall: allow or DNAT incoming TCP ports 25, 143, 587 and 4190 to the host.
#
# Replace the Dovecot and Postfix TLS certificates in /etc/dovecot/private with CA-signed ones.
#
# Users and domains can be added to the PostgreSQL tables;
# code for that is not part of this playbook.
#
# - put the domain name in table domains
# - create a user in table users using `doveadm pw -s PBKDF2`
# - create aliases
#
#
# Note that if you create a catch-all alias, you must also add an alias
# for each account to the aliases, or alternatively prepend the following
# to the SELECT in /etc/postfix/aliases.cf:
# SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
# UNION
#
# Users should use the following parameters for IMAP and mail submission.
# Note that the server_name must be the one for which the TLS certificates were installed,
# unless you configure Dovecot to serve multiple certificates:
# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support
#
# IMAP:
#
# - server_name: mail.mydomain.org
# - port: 143
# - connection_security: starttls
# - auth_method: normal password
# - username: {user}@{configured_domain}
#
# Mail submission:
#
# - server_name: mail.mydomain.org
# - port: 587
# - connection_security: starttls
# - auth_method: normal password
# - username: {user}@{configured_domain}
#
# UPGRADING to the trixie version:
#
# Note that the database schema has slightly changed.
#
# When installing on a new host, transfer this data:
# * postgres db `mailserver` (data only, not schema)
# * contents of /var/lib/rspamd/dkim/
# * /etc/rspamd/dkim_selectors.map
# * /srv/mailstore (keep uid:gid 5000:5000)
# * tls key(s) and certificate(s) for postgres and dovecot
#
# Also open the firewall. If the external IP addresses have changed, update the DNS entries as well.
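---
# Apply the mail_system role (postfix, dovecot, clamav, rspamd) to every
# host matching the `mail` pattern (normally an inventory group).
- name: install mail_system
  hosts: mail
  # Connect as root directly. `remote_user` is the current name of the
  # legacy `user` play keyword (Ansible rewrites `user` to `remote_user`).
  # On hosts where direct root login is disabled, use an unprivileged
  # remote_user together with `become: true` instead.
  remote_user: root
  roles:
    - mail_system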