Multiple fixes

mail_system/templates/dovecot/10-auth.conf

@@ -101,7 +101,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }}
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = plain login
 
 ##
 ## Password and user databases

mail_system/templates/dovecot/10-ssl.conf

@@ -0,0 +1,79 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/dovecot/private/dovecot.pem
+ssl_key = </etc/dovecot/private/dovecot.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = 
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
+#ssl_client_ca_file =
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+ssl_min_protocol = TLSv1.2
+
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
+

mail_system/templates/dovecot/90-quota.conf

@@ -90,7 +90,7 @@ plugin {
   quota_grace = 10%%
   quota_status_success = DUNNO
   quota_status_nouser = DUNNO
-  quota_status_overquota = "552 5.2.2 Mailbox is full"
+  quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
   quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.
 
   # https://wiki2.dovecot.org/Quota/Configuration

mail_system/templates/postfix/main.cf

@@ -18,29 +18,33 @@ append_dot_mydomain = no
 # Uncomment the next line to generate "delayed mail" warnings
 #delay_warning_time = 4h
 
-readme_directory = no
+readme_directory = /usr/share/doc/postfix
 
 # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
 # fresh installs.
 compatibility_level = 2
 
 
-
-# TLS parameters
+# TLS
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
+smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_auth_only=yes
+smtpd_tls_received_header = yes
+smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_note_starttls_offer = yes
 
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
 
+# Host names, aliases, networks
 myhostname = {{ ansible_fqdn }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = $myhostname, {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
-relayhost = 
+relayhost =
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mailserver.postfix.mynetworks }}
 mailbox_size_limit = 0
 recipient_delimiter = +
@@ -48,7 +52,7 @@ inet_interfaces = all
 inet_protocols = all
 
 
-
+# Virtual mailboxes
 virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
 virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
 virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
@@ -57,14 +61,13 @@ virtual_minimum_uid = 5000
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 
-virtual_transport=lmtp:unix:private/dovecot-lmtp
 
+# Interaction with dovecot
+virtual_transport=lmtp:unix:private/dovecot-lmtp
 smtpd_sasl_type=dovecot
 smtpd_sasl_path=private/auth
 smtpd_sasl_auth_enable=yes
 
-smtpd_tls_auth_only=yes
-smtp_tls_security_level=may
 
 
 
@@ -83,7 +86,8 @@ smtpd_recipient_restrictions =
   reject_non_fqdn_recipient
   reject_unknown_recipient_domain
   reject_unauth_destination
-  check_policy_service inet:127.0.0.1:12480  # user quota
+  check_policy_service inet:127.0.0.1:12480
+  # 12480: user quota
 
 smtpd_relay_restrictions =
   permit_mynetworks
@@ -94,9 +98,13 @@ smtpd_relay_restrictions =
 
 
 # rspamd
+smtpd_milters=inet:127.0.0.1:11332
+non_smtpd_milters=inet:127.0.0.1:11332
+milter_protocol=6
+milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}
 
 
-# VERP marking
+# VERP marking and SRS (sender rewriting scheme)
 # Envelope sender addresses matching mydomains are marked.
 # The marker is removed from envelope recipient addresses.
 canonical_classes = envelope_sender, envelope_recipient, header_recipient
@@ -111,7 +119,7 @@ enable_long_queue_ids = yes
 
 
 # convenience settings
-maximal_queue_lifetime = 6w  # default is 5d
+maximal_queue_lifetime = 6w
 bounce_queue_lifetime = 6w
 message_size_limit = 20800000
 
@@ -119,3 +127,4 @@ message_size_limit = 20800000
 # debugging options (see also http://www.postfix.org/DEBUG_README.html):
 #debug_peer_list = 127.0.0.1
 #smtpd_tls_loglevel = 3
+#smtd_tls_loglevel = 3

mail_system/templates/rspamd/arc.conf

@@ -1,2 +1,4 @@
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+allow_username_mismatch = true;
+use_esld = true;

mail_system/templates/rspamd/classifier-bayes.conf

@@ -2,3 +2,4 @@
 
 
 autolearn = true;
+users_enabled = true;

mail_system/templates/rspamd/dkim_signing.conf

@@ -1,2 +1,4 @@
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+allow_username_mismatch = true;
+use_esld = true;