Multiple fixes

mail_system.yml

@@ -1,11 +1,13 @@
-# install a complete mail system with
+# ansible playbook
+#
+# Install a complete mail system with
 #
 #   - postfix
 #   - dovecot
 #   - clamav (with unofficial signatures)
 #   - rspamd (integrating clamav)
 #
-# not included here: list server, roundcube
+# not included here: list server, roundcube, account and alias management
 #
 # Please edit the host's config (inventory/host_vars/${hostname}):
 # Add a new dictionary 'mailserver':
@@ -33,28 +35,36 @@
 #
 # Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
 #
-# (Use ansible-vault encrypt_string zo encrypt the password.)
+# (Use ansible-vault encrypt_string to encrypt the password.)
 #
 # TODOs after running this playbook:
 #
-# Configure mail DNS:
+# Open the firewall:
+#
+#     - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
+#     - allow outgoing traffic
+#
+# Configure mail DNS for your host:
 #
 #     - MX
 #     - PTR (IPv4 and IPv6)
 #
-# SPF, DMARC and DKIM DNS records should be created when adding a domain:
+# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
 #
-#     - SPF (IN TXT "v=spf1 mx" or more)
+#     - SPF ('IN TXT "v=spf1 mx"' or more)
-#     - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
+#     - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
 #     - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
-#             get the DNS entry and save the private key
+#             get the DNS entry and also save the private key)
-#
-# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming)
 #
 # Replace the ssl certificates with signed ones.
 #
 # Users and domains can be added to the PostgreSQL tables;
 # code for that is not part of this playbook.
+# Mind that if you create a catchall alias, you must also
+# add an alias for each account to the aliases, or you can
+# prepend the following to the SELECT in /etc/postfix/aliases.cf
+#     SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
+#     UNION
 
 - name: install mail_system
   user: root

mail_system/tasks/database.yml

@@ -62,10 +62,11 @@
     columns:
     - id bigserial primary key
     - alias_domain_id bigint references domains(id) on delete cascade
-    - alias varchar(250) not null unique
+    - alias varchar(250) not null
     - forwardings varchar(250)[] not null
     - t timestamp without time zone not null default now()
     - comment text null
+    - unique(alias_domain_id, alias)
 
 - name: database index aliases__alias
   postgresql_idx:

mail_system/tasks/dovecot.yml

@@ -18,6 +18,7 @@
     - auth-sql.conf.ext
     - 10-mail.conf
     - 10-master.conf
+    - 10-ssl.conf
     - 15-mailboxes.conf
     - 20-lmtp.conf
     - 20-imap.conf

mail_system/templates/dovecot/10-auth.conf

@@ -101,7 +101,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }}
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = plain login
 
 ##
 ## Password and user databases

mail_system/templates/dovecot/10-ssl.conf

@@ -0,0 +1,79 @@
+# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
+
+
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/dovecot/private/dovecot.pem
+ssl_key = </etc/dovecot/private/dovecot.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = 
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
+#ssl_client_ca_file =
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+ssl_min_protocol = TLSv1.2
+
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
+

mail_system/templates/dovecot/90-quota.conf

@@ -90,7 +90,7 @@ plugin {
   quota_grace = 10%%
   quota_status_success = DUNNO
   quota_status_nouser = DUNNO
-  quota_status_overquota = "552 5.2.2 Mailbox is full"
+  quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
   quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.
 
   # https://wiki2.dovecot.org/Quota/Configuration

mail_system/templates/postfix/main.cf

@@ -18,24 +18,28 @@ append_dot_mydomain = no
 # Uncomment the next line to generate "delayed mail" warnings
 #delay_warning_time = 4h
 
-readme_directory = no
+readme_directory = /usr/share/doc/postfix
 
 # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
 # fresh installs.
 compatibility_level = 2
 
 
-
+# TLS
-# TLS parameters
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
+smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_auth_only=yes
+smtpd_tls_received_header = yes
+smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_note_starttls_offer = yes
 
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
 
+# Host names, aliases, networks
 myhostname = {{ ansible_fqdn }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
@@ -48,7 +52,7 @@ inet_interfaces = all
 inet_protocols = all
 
 
-
+# Virtual mailboxes
 virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
 virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
 virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
@@ -57,14 +61,13 @@ virtual_minimum_uid = 5000
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 
-virtual_transport=lmtp:unix:private/dovecot-lmtp
 
+# Interaction with dovecot
+virtual_transport=lmtp:unix:private/dovecot-lmtp
 smtpd_sasl_type=dovecot
 smtpd_sasl_path=private/auth
 smtpd_sasl_auth_enable=yes
 
-smtpd_tls_auth_only=yes
-smtp_tls_security_level=may
 
 
 
@@ -83,7 +86,8 @@ smtpd_recipient_restrictions =
   reject_non_fqdn_recipient
   reject_unknown_recipient_domain
   reject_unauth_destination
-  check_policy_service inet:127.0.0.1:12480  # user quota
+  check_policy_service inet:127.0.0.1:12480
+  # 12480: user quota
 
 smtpd_relay_restrictions =
   permit_mynetworks
@@ -94,9 +98,13 @@ smtpd_relay_restrictions =
 
 
 # rspamd
+smtpd_milters=inet:127.0.0.1:11332
+non_smtpd_milters=inet:127.0.0.1:11332
+milter_protocol=6
+milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}
 
 
-# VERP marking
+# VERP marking and SRS (sender rewriting scheme)
 # Envelope sender addresses matching mydomains are marked.
 # The marker is removed from envelope recipient addresses.
 canonical_classes = envelope_sender, envelope_recipient, header_recipient
@@ -111,7 +119,7 @@ enable_long_queue_ids = yes
 
 
 # convenience settings
-maximal_queue_lifetime = 6w  # default is 5d
+maximal_queue_lifetime = 6w
 bounce_queue_lifetime = 6w
 message_size_limit = 20800000
 
@@ -119,3 +127,4 @@ message_size_limit = 20800000
 # debugging options (see also http://www.postfix.org/DEBUG_README.html):
 #debug_peer_list = 127.0.0.1
 #smtpd_tls_loglevel = 3
+#smtd_tls_loglevel = 3

mail_system/templates/rspamd/arc.conf

@@ -1,2 +1,4 @@
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+allow_username_mismatch = true;
+use_esld = true;

mail_system/templates/rspamd/classifier-bayes.conf

@@ -2,3 +2,4 @@
 
 
 autolearn = true;
+users_enabled = true;

mail_system/templates/rspamd/dkim_signing.conf

@@ -1,2 +1,4 @@
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+allow_username_mismatch = true;
+use_esld = true;