Multiple fixes
This commit is contained in:
parent
d166ccf12b
commit
08be02723b
10 changed files with 132 additions and 27 deletions
|
@ -1,11 +1,13 @@
|
||||||
# install a complete mail system with
|
# ansible playbook
|
||||||
|
#
|
||||||
|
# Install a complete mail system with
|
||||||
#
|
#
|
||||||
# - postfix
|
# - postfix
|
||||||
# - dovecot
|
# - dovecot
|
||||||
# - clamav (with unofficial signatures)
|
# - clamav (with unofficial signatures)
|
||||||
# - rspamd (integrating clamav)
|
# - rspamd (integrating clamav)
|
||||||
#
|
#
|
||||||
# not included here: list server, roundcube
|
# not included here: list server, roundcube, account and alias management
|
||||||
#
|
#
|
||||||
# Please edit the host's config (inventory/host_vars/${hostname}):
|
# Please edit the host's config (inventory/host_vars/${hostname}):
|
||||||
# Add a new dictionary 'mailserver':
|
# Add a new dictionary 'mailserver':
|
||||||
|
@ -33,28 +35,36 @@
|
||||||
#
|
#
|
||||||
# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
|
# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
|
||||||
#
|
#
|
||||||
# (Use ansible-vault encrypt_string zo encrypt the password.)
|
# (Use ansible-vault encrypt_string to encrypt the password.)
|
||||||
#
|
#
|
||||||
# TODOs after running this playbook:
|
# TODOs after running this playbook:
|
||||||
#
|
#
|
||||||
# Configure mail DNS:
|
# Open the firewall:
|
||||||
|
#
|
||||||
|
# - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
|
||||||
|
# - allow outgoing traffic
|
||||||
|
#
|
||||||
|
# Configure mail DNS for your host:
|
||||||
#
|
#
|
||||||
# - MX
|
# - MX
|
||||||
# - PTR (IPv4 and IPv6)
|
# - PTR (IPv4 and IPv6)
|
||||||
#
|
#
|
||||||
# SPF, DMARC and DKIM DNS records should be created when adding a domain:
|
# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
|
||||||
#
|
#
|
||||||
# - SPF (IN TXT "v=spf1 mx" or more)
|
# - SPF ('IN TXT "v=spf1 mx"' or more)
|
||||||
# - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
|
# - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
|
||||||
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
|
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
|
||||||
# get the DNS entry and save the private key
|
# get the DNS entry and also save the private key)
|
||||||
#
|
|
||||||
# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming)
|
|
||||||
#
|
#
|
||||||
# Replace the ssl certificates with signed ones.
|
# Replace the ssl certificates with signed ones.
|
||||||
#
|
#
|
||||||
# Users and domains can be added to the PostgreSQL tables;
|
# Users and domains can be added to the PostgreSQL tables;
|
||||||
# code for that is not part of this playbook.
|
# code for that is not part of this playbook.
|
||||||
|
# Mind that if you create a catchall alias, you must also
|
||||||
|
# add an alias for each account to the aliases, or you can
|
||||||
|
# prepend the following to the SELECT in /etc/postfix/aliases.cf
|
||||||
|
# SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
|
||||||
|
# UNION
|
||||||
|
|
||||||
- name: install mail_system
|
- name: install mail_system
|
||||||
user: root
|
user: root
|
||||||
|
|
|
@ -62,10 +62,11 @@
|
||||||
columns:
|
columns:
|
||||||
- id bigserial primary key
|
- id bigserial primary key
|
||||||
- alias_domain_id bigint references domains(id) on delete cascade
|
- alias_domain_id bigint references domains(id) on delete cascade
|
||||||
- alias varchar(250) not null unique
|
- alias varchar(250) not null
|
||||||
- forwardings varchar(250)[] not null
|
- forwardings varchar(250)[] not null
|
||||||
- t timestamp without time zone not null default now()
|
- t timestamp without time zone not null default now()
|
||||||
- comment text null
|
- comment text null
|
||||||
|
- unique(alias_domain_id, alias)
|
||||||
|
|
||||||
- name: database index aliases__alias
|
- name: database index aliases__alias
|
||||||
postgresql_idx:
|
postgresql_idx:
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
- auth-sql.conf.ext
|
- auth-sql.conf.ext
|
||||||
- 10-mail.conf
|
- 10-mail.conf
|
||||||
- 10-master.conf
|
- 10-master.conf
|
||||||
|
- 10-ssl.conf
|
||||||
- 15-mailboxes.conf
|
- 15-mailboxes.conf
|
||||||
- 20-lmtp.conf
|
- 20-lmtp.conf
|
||||||
- 20-imap.conf
|
- 20-imap.conf
|
||||||
|
|
|
@ -101,7 +101,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }}
|
||||||
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
|
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
|
||||||
# gss-spnego
|
# gss-spnego
|
||||||
# NOTE: See also disable_plaintext_auth setting.
|
# NOTE: See also disable_plaintext_auth setting.
|
||||||
auth_mechanisms = plain
|
auth_mechanisms = plain login
|
||||||
|
|
||||||
##
|
##
|
||||||
## Password and user databases
|
## Password and user databases
|
||||||
|
|
79
mail_system/templates/dovecot/10-ssl.conf
Normal file
79
mail_system/templates/dovecot/10-ssl.conf
Normal file
|
@ -0,0 +1,79 @@
|
||||||
|
# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
|
||||||
|
|
||||||
|
|
||||||
|
##
|
||||||
|
## SSL settings
|
||||||
|
##
|
||||||
|
|
||||||
|
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
|
||||||
|
ssl = yes
|
||||||
|
|
||||||
|
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
|
||||||
|
# dropping root privileges, so keep the key file unreadable by anyone but
|
||||||
|
# root. Included doc/mkcert.sh can be used to easily generate self-signed
|
||||||
|
# certificate, just make sure to update the domains in dovecot-openssl.cnf
|
||||||
|
ssl_cert = </etc/dovecot/private/dovecot.pem
|
||||||
|
ssl_key = </etc/dovecot/private/dovecot.key
|
||||||
|
|
||||||
|
# If key file is password protected, give the password here. Alternatively
|
||||||
|
# give it when starting dovecot with -p parameter. Since this file is often
|
||||||
|
# world-readable, you may want to place this setting instead to a different
|
||||||
|
# root owned 0600 file by using ssl_key_password = <path.
|
||||||
|
#ssl_key_password =
|
||||||
|
|
||||||
|
# PEM encoded trusted certificate authority. Set this only if you intend to use
|
||||||
|
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
|
||||||
|
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
|
||||||
|
#ssl_ca =
|
||||||
|
|
||||||
|
# Require that CRL check succeeds for client certificates.
|
||||||
|
#ssl_require_crl = yes
|
||||||
|
|
||||||
|
# Directory and/or file for trusted SSL CA certificates. These are used only
|
||||||
|
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
|
||||||
|
# submission service). The directory is usually /etc/ssl/certs in
|
||||||
|
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
|
||||||
|
# RedHat-based systems.
|
||||||
|
ssl_client_ca_dir = /etc/ssl/certs
|
||||||
|
#ssl_client_ca_file =
|
||||||
|
|
||||||
|
# Request client to send a certificate. If you also want to require it, set
|
||||||
|
# auth_ssl_require_client_cert=yes in auth section.
|
||||||
|
#ssl_verify_client_cert = no
|
||||||
|
|
||||||
|
# Which field from certificate to use for username. commonName and
|
||||||
|
# x500UniqueIdentifier are the usual choices. You'll also need to set
|
||||||
|
# auth_ssl_username_from_cert=yes.
|
||||||
|
#ssl_cert_username_field = commonName
|
||||||
|
|
||||||
|
# SSL DH parameters
|
||||||
|
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
|
||||||
|
# Or migrate from old ssl-parameters.dat file with the command dovecot
|
||||||
|
# gives on startup when ssl_dh is unset.
|
||||||
|
ssl_dh = </usr/share/dovecot/dh.pem
|
||||||
|
|
||||||
|
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
|
||||||
|
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
|
||||||
|
ssl_min_protocol = TLSv1.2
|
||||||
|
|
||||||
|
# SSL ciphers to use, the default is:
|
||||||
|
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||||
|
# To disable non-EC DH, use:
|
||||||
|
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||||
|
|
||||||
|
# Colon separated list of elliptic curves to use. Empty value (the default)
|
||||||
|
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
|
||||||
|
# example of a valid value.
|
||||||
|
#ssl_curve_list =
|
||||||
|
|
||||||
|
# Prefer the server's order of ciphers over client's.
|
||||||
|
#ssl_prefer_server_ciphers = no
|
||||||
|
|
||||||
|
# SSL crypto device to use, for valid values run "openssl engine"
|
||||||
|
#ssl_crypto_device =
|
||||||
|
|
||||||
|
# SSL extra options. Currently supported options are:
|
||||||
|
# compression - Enable compression.
|
||||||
|
# no_ticket - Disable SSL session tickets.
|
||||||
|
#ssl_options =
|
||||||
|
|
|
@ -90,7 +90,7 @@ plugin {
|
||||||
quota_grace = 10%%
|
quota_grace = 10%%
|
||||||
quota_status_success = DUNNO
|
quota_status_success = DUNNO
|
||||||
quota_status_nouser = DUNNO
|
quota_status_nouser = DUNNO
|
||||||
quota_status_overquota = "552 5.2.2 Mailbox is full"
|
quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
|
||||||
quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.
|
quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.
|
||||||
|
|
||||||
# https://wiki2.dovecot.org/Quota/Configuration
|
# https://wiki2.dovecot.org/Quota/Configuration
|
||||||
|
|
|
@ -18,29 +18,33 @@ append_dot_mydomain = no
|
||||||
# Uncomment the next line to generate "delayed mail" warnings
|
# Uncomment the next line to generate "delayed mail" warnings
|
||||||
#delay_warning_time = 4h
|
#delay_warning_time = 4h
|
||||||
|
|
||||||
readme_directory = no
|
readme_directory = /usr/share/doc/postfix
|
||||||
|
|
||||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
|
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
|
||||||
# fresh installs.
|
# fresh installs.
|
||||||
compatibility_level = 2
|
compatibility_level = 2
|
||||||
|
|
||||||
|
|
||||||
|
# TLS
|
||||||
# TLS parameters
|
|
||||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
smtpd_use_tls=yes
|
smtpd_tls_security_level = may
|
||||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtpd_tls_auth_only=yes
|
||||||
|
smtpd_tls_received_header = yes
|
||||||
|
smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
smtp_tls_security_level=may
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
smtp_tls_note_starttls_offer = yes
|
||||||
|
|
||||||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
|
||||||
# information on enabling SSL in the smtp client.
|
|
||||||
|
|
||||||
|
# Host names, aliases, networks
|
||||||
myhostname = {{ ansible_fqdn }}
|
myhostname = {{ ansible_fqdn }}
|
||||||
alias_maps = hash:/etc/aliases
|
alias_maps = hash:/etc/aliases
|
||||||
alias_database = hash:/etc/aliases
|
alias_database = hash:/etc/aliases
|
||||||
mydestination = $myhostname, {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
|
mydestination = $myhostname, {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
|
||||||
relayhost =
|
relayhost =
|
||||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mailserver.postfix.mynetworks }}
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mailserver.postfix.mynetworks }}
|
||||||
mailbox_size_limit = 0
|
mailbox_size_limit = 0
|
||||||
recipient_delimiter = +
|
recipient_delimiter = +
|
||||||
|
@ -48,7 +52,7 @@ inet_interfaces = all
|
||||||
inet_protocols = all
|
inet_protocols = all
|
||||||
|
|
||||||
|
|
||||||
|
# Virtual mailboxes
|
||||||
virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
|
virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
|
||||||
virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
|
virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
|
||||||
virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
|
virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
|
||||||
|
@ -57,14 +61,13 @@ virtual_minimum_uid = 5000
|
||||||
virtual_uid_maps = static:5000
|
virtual_uid_maps = static:5000
|
||||||
virtual_gid_maps = static:5000
|
virtual_gid_maps = static:5000
|
||||||
|
|
||||||
virtual_transport=lmtp:unix:private/dovecot-lmtp
|
|
||||||
|
|
||||||
|
# Interaction with dovecot
|
||||||
|
virtual_transport=lmtp:unix:private/dovecot-lmtp
|
||||||
smtpd_sasl_type=dovecot
|
smtpd_sasl_type=dovecot
|
||||||
smtpd_sasl_path=private/auth
|
smtpd_sasl_path=private/auth
|
||||||
smtpd_sasl_auth_enable=yes
|
smtpd_sasl_auth_enable=yes
|
||||||
|
|
||||||
smtpd_tls_auth_only=yes
|
|
||||||
smtp_tls_security_level=may
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -83,7 +86,8 @@ smtpd_recipient_restrictions =
|
||||||
reject_non_fqdn_recipient
|
reject_non_fqdn_recipient
|
||||||
reject_unknown_recipient_domain
|
reject_unknown_recipient_domain
|
||||||
reject_unauth_destination
|
reject_unauth_destination
|
||||||
check_policy_service inet:127.0.0.1:12480 # user quota
|
check_policy_service inet:127.0.0.1:12480
|
||||||
|
# 12480: user quota
|
||||||
|
|
||||||
smtpd_relay_restrictions =
|
smtpd_relay_restrictions =
|
||||||
permit_mynetworks
|
permit_mynetworks
|
||||||
|
@ -94,9 +98,13 @@ smtpd_relay_restrictions =
|
||||||
|
|
||||||
|
|
||||||
# rspamd
|
# rspamd
|
||||||
|
smtpd_milters=inet:127.0.0.1:11332
|
||||||
|
non_smtpd_milters=inet:127.0.0.1:11332
|
||||||
|
milter_protocol=6
|
||||||
|
milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}
|
||||||
|
|
||||||
|
|
||||||
# VERP marking
|
# VERP marking and SRS (sender rewriting scheme)
|
||||||
# Envelope sender addresses matching mydomains are marked.
|
# Envelope sender addresses matching mydomains are marked.
|
||||||
# The marker is removed from envelope recipient addresses.
|
# The marker is removed from envelope recipient addresses.
|
||||||
canonical_classes = envelope_sender, envelope_recipient, header_recipient
|
canonical_classes = envelope_sender, envelope_recipient, header_recipient
|
||||||
|
@ -111,7 +119,7 @@ enable_long_queue_ids = yes
|
||||||
|
|
||||||
|
|
||||||
# convenience settings
|
# convenience settings
|
||||||
maximal_queue_lifetime = 6w # default is 5d
|
maximal_queue_lifetime = 6w
|
||||||
bounce_queue_lifetime = 6w
|
bounce_queue_lifetime = 6w
|
||||||
message_size_limit = 20800000
|
message_size_limit = 20800000
|
||||||
|
|
||||||
|
@ -119,3 +127,4 @@ message_size_limit = 20800000
|
||||||
# debugging options (see also http://www.postfix.org/DEBUG_README.html):
|
# debugging options (see also http://www.postfix.org/DEBUG_README.html):
|
||||||
#debug_peer_list = 127.0.0.1
|
#debug_peer_list = 127.0.0.1
|
||||||
#smtpd_tls_loglevel = 3
|
#smtpd_tls_loglevel = 3
|
||||||
|
#smtd_tls_loglevel = 3
|
||||||
|
|
|
@ -1,2 +1,4 @@
|
||||||
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||||
selector_map = "/etc/rspamd/dkim_selectors.map";
|
selector_map = "/etc/rspamd/dkim_selectors.map";
|
||||||
|
allow_username_mismatch = true;
|
||||||
|
use_esld = true;
|
||||||
|
|
|
@ -2,3 +2,4 @@
|
||||||
|
|
||||||
|
|
||||||
autolearn = true;
|
autolearn = true;
|
||||||
|
users_enabled = true;
|
||||||
|
|
|
@ -1,2 +1,4 @@
|
||||||
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||||
selector_map = "/etc/rspamd/dkim_selectors.map";
|
selector_map = "/etc/rspamd/dkim_selectors.map";
|
||||||
|
allow_username_mismatch = true;
|
||||||
|
use_esld = true;
|
||||||
|
|
Loading…
Reference in a new issue