Multiple fixes

2022-04-25 20:10:40 +02:00 · 2022-04-25 20:10:40 +02:00 · 08be02723b
commit 08be02723b
parent d166ccf12b
10 changed files with 132 additions and 27 deletions
--- a/mail_system.yml
+++ b/mail_system.yml
@ -1,11 +1,13 @@
-# install a complete mail system with
+# ansible playbook
+#
+# Install a complete mail system with
 #
 #   - postfix
 #   - dovecot
 #   - clamav (with unofficial signatures)
 #   - rspamd (integrating clamav)
 #
-# not included here: list server, roundcube
+# not included here: list server, roundcube, account and alias management
 #
 # Please edit the host's config (inventory/host_vars/${hostname}):
 # Add a new dictionary 'mailserver':
@ -33,28 +35,36 @@
 #
 # Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
 #
-# (Use ansible-vault encrypt_string zo encrypt the password.)
+# (Use ansible-vault encrypt_string to encrypt the password.)
 #
 # TODOs after running this playbook:
 #
-# Configure mail DNS:
+# Open the firewall:
+#
+#     - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
+#     - allow outgoing traffic
+#
+# Configure mail DNS for your host:
 #
 #     - MX
 #     - PTR (IPv4 and IPv6)
 #
-# SPF, DMARC and DKIM DNS records should be created when adding a domain:
+# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
 #
-#     - SPF (IN TXT "v=spf1 mx" or more)
-#     - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
+#     - SPF ('IN TXT "v=spf1 mx"' or more)
+#     - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
 #     - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
-#             get the DNS entry and save the private key
-#
-# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming)
+#             get the DNS entry and also save the private key)
 #
 # Replace the ssl certificates with signed ones.
 #
 # Users and domains can be added to the PostgreSQL tables;
 # code for that is not part of this playbook.
+# Mind that if you create a catchall alias, you must also
+# add an alias for each account to the aliases, or you can
+# prepend the following to the SELECT in /etc/postfix/aliases.cf
+#     SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
+#     UNION

 - name: install mail_system
  user: root
--- a/mail_system/tasks/database.yml
+++ b/mail_system/tasks/database.yml
@ -62,10 +62,11 @@
    columns:
    - id bigserial primary key
    - alias_domain_id bigint references domains(id) on delete cascade
-    - alias varchar(250) not null unique
+    - alias varchar(250) not null
    - forwardings varchar(250)[] not null
    - t timestamp without time zone not null default now()
    - comment text null
+    - unique(alias_domain_id, alias)

 - name: database index aliases__alias
  postgresql_idx:
--- a/mail_system/tasks/dovecot.yml
+++ b/mail_system/tasks/dovecot.yml
@ -18,6 +18,7 @@
    - auth-sql.conf.ext
    - 10-mail.conf
    - 10-master.conf
+    - 10-ssl.conf
    - 15-mailboxes.conf
    - 20-lmtp.conf
    - 20-imap.conf
--- a/mail_system/templates/dovecot/10-auth.conf
+++ b/mail_system/templates/dovecot/10-auth.conf
@ -101,7 +101,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }}
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = plain login

 ##
 ## Password and user databases
--- a/mail_system/templates/dovecot/10-ssl.conf
+++ b/mail_system/templates/dovecot/10-ssl.conf
@ -0,0 +1,79 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/dovecot/private/dovecot.pem
+ssl_key = </etc/dovecot/private/dovecot.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = 
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
+#ssl_client_ca_file =
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+ssl_min_protocol = TLSv1.2
+
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
+
--- a/mail_system/templates/dovecot/90-quota.conf
+++ b/mail_system/templates/dovecot/90-quota.conf
@ -90,7 +90,7 @@ plugin {
  quota_grace = 10%%
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
-  quota_status_overquota = "552 5.2.2 Mailbox is full"
+  quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
  quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.

  # https://wiki2.dovecot.org/Quota/Configuration
--- a/mail_system/templates/postfix/main.cf
+++ b/mail_system/templates/postfix/main.cf
@ -18,29 +18,33 @@ append_dot_mydomain = no
 # Uncomment the next line to generate "delayed mail" warnings
 #delay_warning_time = 4h

-readme_directory = no
+readme_directory = /usr/share/doc/postfix

 # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
 # fresh installs.
 compatibility_level = 2


-
-# TLS parameters
+# TLS
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
+smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_auth_only=yes
+smtpd_tls_received_header = yes
+smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_note_starttls_offer = yes

-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.

+# Host names, aliases, networks
 myhostname = {{ ansible_fqdn }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = $myhostname, {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
-relayhost = 
+relayhost =
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mailserver.postfix.mynetworks }}
 mailbox_size_limit = 0
 recipient_delimiter = +
@ -48,7 +52,7 @@ inet_interfaces = all
 inet_protocols = all


-
+# Virtual mailboxes
 virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
 virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
 virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
@ -57,14 +61,13 @@ virtual_minimum_uid = 5000
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000

-virtual_transport=lmtp:unix:private/dovecot-lmtp

+# Interaction with dovecot
+virtual_transport=lmtp:unix:private/dovecot-lmtp
 smtpd_sasl_type=dovecot
 smtpd_sasl_path=private/auth
 smtpd_sasl_auth_enable=yes

-smtpd_tls_auth_only=yes
-smtp_tls_security_level=may



@ -83,7 +86,8 @@ smtpd_recipient_restrictions =
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  reject_unauth_destination
-  check_policy_service inet:127.0.0.1:12480  # user quota
+  check_policy_service inet:127.0.0.1:12480
+  # 12480: user quota

 smtpd_relay_restrictions =
  permit_mynetworks
@ -94,9 +98,13 @@ smtpd_relay_restrictions =


 # rspamd
+smtpd_milters=inet:127.0.0.1:11332
+non_smtpd_milters=inet:127.0.0.1:11332
+milter_protocol=6
+milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}


-# VERP marking
+# VERP marking and SRS (sender rewriting scheme)
 # Envelope sender addresses matching mydomains are marked.
 # The marker is removed from envelope recipient addresses.
 canonical_classes = envelope_sender, envelope_recipient, header_recipient
@ -111,7 +119,7 @@ enable_long_queue_ids = yes


 # convenience settings
-maximal_queue_lifetime = 6w  # default is 5d
+maximal_queue_lifetime = 6w
 bounce_queue_lifetime = 6w
 message_size_limit = 20800000

@ -119,3 +127,4 @@ message_size_limit = 20800000
 # debugging options (see also http://www.postfix.org/DEBUG_README.html):
 #debug_peer_list = 127.0.0.1
 #smtpd_tls_loglevel = 3
+#smtd_tls_loglevel = 3
--- a/mail_system/templates/rspamd/arc.conf
+++ b/mail_system/templates/rspamd/arc.conf
@ -1,2 +1,4 @@
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+allow_username_mismatch = true;
+use_esld = true;
--- a/mail_system/templates/rspamd/classifier-bayes.conf
+++ b/mail_system/templates/rspamd/classifier-bayes.conf
@ -2,3 +2,4 @@


 autolearn = true;
+users_enabled = true;
--- a/mail_system/templates/rspamd/dkim_signing.conf
+++ b/mail_system/templates/rspamd/dkim_signing.conf
@ -1,2 +1,4 @@
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+allow_username_mismatch = true;
+use_esld = true;