# install a complete mail system with
#
# - postfix
# - dovecot
# - clamav (with unofficial signatures)
# - rspamd (integrating clamav)
#
# not included here: list server, roundcube
#
# Please edit the host's config (inventory/host_vars/${hostname}):
# Add a new dictionary 'mailserver':
#
# mailserver:
# postgresql:
# host: 127.0.0.1
# port: 5432
# dbname: mailserver
# username: mailserver
# password: !vault |
# $ANSIBLE_VAULT;1.1;AES256
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# postfix:
# overwrite_config: no
# reject_sender_login_mismatch: yes
# mynetworks: "10.0.0.0/24 [2a01:XXXX:XXXX:XXXX::]/64"
# verp_marker: rstxyz
# dovecot:
# auth_default_realm: mymaindomain.org
#
# Set up a PostgreSQL database (named as in dbname, owned by username, reachable on
# host and port) with something like this:
#
# createuser -P mailserver
# createdb -E utf8 -O mailserver -T template1 mailserver
#
# Use `ansible-vault encrypt_string` to obtain the encrypted password; only the !vault form
# belongs in host_vars, never the plaintext password.
#
# Take care that the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
# Keep mynetworks minimal: in the usual postfix configuration, clients from these networks
# may relay mail without authenticating.
# Leave reject_sender_login_mismatch enabled (presumably mapped to the postfix restriction of
# the same name) so an authenticated user cannot send with a sender address that is not theirs.
#
# TODOs after running this playbook:
#
# Configure mail DNS:
#
# - MX
# - PTR (IPv4 and IPv6)
#
# SPF, DMARC and DKIM DNS records should be created when adding a domain:
#
# - SPF (IN TXT "v=spf1 mx" or more)
# - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
# put the DNS entry in your zone file and save the private key
# into /var/lib/rspamd/dkim/mymaindomain.org.20190911.key
# and
# chown _rspamd /var/lib/rspamd/dkim/*
# chmod 400 /var/lib/rspamd/dkim/*
# and enable it by putting a line
# mymaindomain.org 20190911
# into /etc/rspamd/dkim_selectors.map
# followed by systemctl reload rspamd)
#
# Open the firewall: allow or DNAT incoming tcp ports 25 (SMTP), 143 (IMAP), 587 (submission)
# and 4190 (ManageSieve) to the host.
#
# Replace the dovecot SSL certificates in /etc/dovecot/private with ones signed by a CA your clients trust.
#
# Users and domains can be added to the PostgreSQL tables;
# code for that is not part of this playbook.
#
# - put the domain name in table domains
# - create a user in table users using `doveadm pw -s PBKDF2`
# - create aliases
#
# Users should use the following parameters for IMAP and mail submission.
# Note that the server_name must be the host name the SSL certificates were issued for;
# otherwise clients will fail certificate validation.
# Or you will have to configure dovecot to use multiple certs:
# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support
#
# IMAP:
#
# - server_name: mail.mydomain.org
# - port: 143
# - connection_security: starttls
# - auth_method: normal password
# - username: {user}@{configured_domain}
#
# Mail submission:
#
# - server_name: mail.mydomain.org
# - port: 587
# - connection_security: starttls
# - auth_method: normal password
# - username: {user}@{configured_domain}
# Play: apply the mail_system role to every host in the inventory group 'mail'.
# The connection user is root, i.e. the whole role runs with full privileges on the target.
- name: install mail_system
  # NOTE(review): 'user' is the legacy spelling of the play keyword remote_user; consider renaming.
  user: root
  hosts: mail
  roles:
    - mail_system