Multiple fixes
This commit is contained in:
parent
d166ccf12b
commit
08be02723b
10 changed files with 132 additions and 27 deletions
|
@ -1,11 +1,13 @@
|
|||
# install a complete mail system with
|
||||
# ansible playbook
|
||||
#
|
||||
# Install a complete mail system with
|
||||
#
|
||||
# - postfix
|
||||
# - dovecot
|
||||
# - clamav (with unofficial signatures)
|
||||
# - rspamd (integrating clamav)
|
||||
#
|
||||
# not included here: list server, roundcube
|
||||
# not included here: list server, roundcube, account and alias management
|
||||
#
|
||||
# Please edit the host's config (inventory/host_vars/${hostname}):
|
||||
# Add a new dictionary 'mailserver':
|
||||
|
@ -33,28 +35,36 @@
|
|||
#
|
||||
# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
|
||||
#
|
||||
# (Use ansible-vault encrypt_string zo encrypt the password.)
|
||||
# (Use ansible-vault encrypt_string to encrypt the password.)
|
||||
#
|
||||
# TODOs after running this playbook:
|
||||
#
|
||||
# Configure mail DNS:
|
||||
# Open the firewall:
|
||||
#
|
||||
# - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
|
||||
# - allow outgoing traffic
|
||||
#
|
||||
# Configure mail DNS for your host:
|
||||
#
|
||||
# - MX
|
||||
# - PTR (IPv4 and IPv6)
|
||||
#
|
||||
# SPF, DMARC and DKIM DNS records should be created when adding a domain:
|
||||
# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
|
||||
#
|
||||
# - SPF (IN TXT "v=spf1 mx" or more)
|
||||
# - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
|
||||
# - SPF ('IN TXT "v=spf1 mx"' or more)
|
||||
# - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
|
||||
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
|
||||
# get the DNS entry and save the private key
|
||||
#
|
||||
# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming)
|
||||
# get the DNS entry and also save the private key)
|
||||
#
|
||||
# Replace the ssl certificates with signed ones.
|
||||
#
|
||||
# Users and domains can be added to the PostgreSQL tables;
|
||||
# code for that is not part of this playbook.
|
||||
# Mind that if you create a catchall alias, you must also
|
||||
# add an alias for each account to the aliases, or you can
|
||||
# prepend the following to the SELECT in /etc/postfix/aliases.cf
|
||||
# SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
|
||||
# UNION
|
||||
|
||||
- name: install mail_system
|
||||
user: root
|
||||
|
|
|
@ -62,10 +62,11 @@
|
|||
columns:
|
||||
- id bigserial primary key
|
||||
- alias_domain_id bigint references domains(id) on delete cascade
|
||||
- alias varchar(250) not null unique
|
||||
- alias varchar(250) not null
|
||||
- forwardings varchar(250)[] not null
|
||||
- t timestamp without time zone not null default now()
|
||||
- comment text null
|
||||
- unique(alias_domain_id, alias)
|
||||
|
||||
- name: database index aliases__alias
|
||||
postgresql_idx:
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
- auth-sql.conf.ext
|
||||
- 10-mail.conf
|
||||
- 10-master.conf
|
||||
- 10-ssl.conf
|
||||
- 15-mailboxes.conf
|
||||
- 20-lmtp.conf
|
||||
- 20-imap.conf
|
||||
|
|
|
@ -101,7 +101,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }}
|
|||
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
|
||||
# gss-spnego
|
||||
# NOTE: See also disable_plaintext_auth setting.
|
||||
auth_mechanisms = plain
|
||||
auth_mechanisms = plain login
|
||||
|
||||
##
|
||||
## Password and user databases
|
||||
|
|
79
mail_system/templates/dovecot/10-ssl.conf
Normal file
79
mail_system/templates/dovecot/10-ssl.conf
Normal file
|
@ -0,0 +1,79 @@
|
|||
# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
|
||||
|
||||
|
||||
##
|
||||
## SSL settings
|
||||
##
|
||||
|
||||
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
|
||||
ssl = yes
|
||||
|
||||
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
|
||||
# dropping root privileges, so keep the key file unreadable by anyone but
|
||||
# root. Included doc/mkcert.sh can be used to easily generate self-signed
|
||||
# certificate, just make sure to update the domains in dovecot-openssl.cnf
|
||||
ssl_cert = </etc/dovecot/private/dovecot.pem
|
||||
ssl_key = </etc/dovecot/private/dovecot.key
|
||||
|
||||
# If key file is password protected, give the password here. Alternatively
|
||||
# give it when starting dovecot with -p parameter. Since this file is often
|
||||
# world-readable, you may want to place this setting instead to a different
|
||||
# root owned 0600 file by using ssl_key_password = <path.
|
||||
#ssl_key_password =
|
||||
|
||||
# PEM encoded trusted certificate authority. Set this only if you intend to use
|
||||
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
|
||||
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
|
||||
#ssl_ca =
|
||||
|
||||
# Require that CRL check succeeds for client certificates.
|
||||
#ssl_require_crl = yes
|
||||
|
||||
# Directory and/or file for trusted SSL CA certificates. These are used only
|
||||
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
|
||||
# submission service). The directory is usually /etc/ssl/certs in
|
||||
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
|
||||
# RedHat-based systems.
|
||||
ssl_client_ca_dir = /etc/ssl/certs
|
||||
#ssl_client_ca_file =
|
||||
|
||||
# Request client to send a certificate. If you also want to require it, set
|
||||
# auth_ssl_require_client_cert=yes in auth section.
|
||||
#ssl_verify_client_cert = no
|
||||
|
||||
# Which field from certificate to use for username. commonName and
|
||||
# x500UniqueIdentifier are the usual choices. You'll also need to set
|
||||
# auth_ssl_username_from_cert=yes.
|
||||
#ssl_cert_username_field = commonName
|
||||
|
||||
# SSL DH parameters
|
||||
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
|
||||
# Or migrate from old ssl-parameters.dat file with the command dovecot
|
||||
# gives on startup when ssl_dh is unset.
|
||||
ssl_dh = </usr/share/dovecot/dh.pem
|
||||
|
||||
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
|
||||
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
|
||||
ssl_min_protocol = TLSv1.2
|
||||
|
||||
# SSL ciphers to use, the default is:
|
||||
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
# To disable non-EC DH, use:
|
||||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
|
||||
# Colon separated list of elliptic curves to use. Empty value (the default)
|
||||
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
|
||||
# example of a valid value.
|
||||
#ssl_curve_list =
|
||||
|
||||
# Prefer the server's order of ciphers over client's.
|
||||
#ssl_prefer_server_ciphers = no
|
||||
|
||||
# SSL crypto device to use, for valid values run "openssl engine"
|
||||
#ssl_crypto_device =
|
||||
|
||||
# SSL extra options. Currently supported options are:
|
||||
# compression - Enable compression.
|
||||
# no_ticket - Disable SSL session tickets.
|
||||
#ssl_options =
|
||||
|
|
@ -90,7 +90,7 @@ plugin {
|
|||
quota_grace = 10%%
|
||||
quota_status_success = DUNNO
|
||||
quota_status_nouser = DUNNO
|
||||
quota_status_overquota = "552 5.2.2 Mailbox is full"
|
||||
quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
|
||||
quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.
|
||||
|
||||
# https://wiki2.dovecot.org/Quota/Configuration
|
||||
|
|
|
@ -18,24 +18,28 @@ append_dot_mydomain = no
|
|||
# Uncomment the next line to generate "delayed mail" warnings
|
||||
#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
readme_directory = /usr/share/doc/postfix
|
||||
|
||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
|
||||
# fresh installs.
|
||||
compatibility_level = 2
|
||||
|
||||
|
||||
|
||||
# TLS parameters
|
||||
# TLS
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_use_tls=yes
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
smtpd_tls_auth_only=yes
|
||||
smtpd_tls_received_header = yes
|
||||
smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtp_tls_note_starttls_offer = yes
|
||||
|
||||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
||||
# information on enabling SSL in the smtp client.
|
||||
|
||||
# Host names, aliases, networks
|
||||
myhostname = {{ ansible_fqdn }}
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
|
@ -48,7 +52,7 @@ inet_interfaces = all
|
|||
inet_protocols = all
|
||||
|
||||
|
||||
|
||||
# Virtual mailboxes
|
||||
virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
|
||||
virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
|
||||
virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
|
||||
|
@ -57,14 +61,13 @@ virtual_minimum_uid = 5000
|
|||
virtual_uid_maps = static:5000
|
||||
virtual_gid_maps = static:5000
|
||||
|
||||
virtual_transport=lmtp:unix:private/dovecot-lmtp
|
||||
|
||||
# Interaction with dovecot
|
||||
virtual_transport=lmtp:unix:private/dovecot-lmtp
|
||||
smtpd_sasl_type=dovecot
|
||||
smtpd_sasl_path=private/auth
|
||||
smtpd_sasl_auth_enable=yes
|
||||
|
||||
smtpd_tls_auth_only=yes
|
||||
smtp_tls_security_level=may
|
||||
|
||||
|
||||
|
||||
|
@ -83,7 +86,8 @@ smtpd_recipient_restrictions =
|
|||
reject_non_fqdn_recipient
|
||||
reject_unknown_recipient_domain
|
||||
reject_unauth_destination
|
||||
check_policy_service inet:127.0.0.1:12480 # user quota
|
||||
check_policy_service inet:127.0.0.1:12480
|
||||
# 12480: user quota
|
||||
|
||||
smtpd_relay_restrictions =
|
||||
permit_mynetworks
|
||||
|
@ -94,9 +98,13 @@ smtpd_relay_restrictions =
|
|||
|
||||
|
||||
# rspamd
|
||||
smtpd_milters=inet:127.0.0.1:11332
|
||||
non_smtpd_milters=inet:127.0.0.1:11332
|
||||
milter_protocol=6
|
||||
milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}
|
||||
|
||||
|
||||
# VERP marking
|
||||
# VERP marking and SRS (sender rewriting scheme)
|
||||
# Envelope sender addresses matching mydomains are marked.
|
||||
# The marker is removed from envelope recipient addresses.
|
||||
canonical_classes = envelope_sender, envelope_recipient, header_recipient
|
||||
|
@ -111,7 +119,7 @@ enable_long_queue_ids = yes
|
|||
|
||||
|
||||
# convenience settings
|
||||
maximal_queue_lifetime = 6w # default is 5d
|
||||
maximal_queue_lifetime = 6w
|
||||
bounce_queue_lifetime = 6w
|
||||
message_size_limit = 20800000
|
||||
|
||||
|
@ -119,3 +127,4 @@ message_size_limit = 20800000
|
|||
# debugging options (see also http://www.postfix.org/DEBUG_README.html):
|
||||
#debug_peer_list = 127.0.0.1
|
||||
#smtpd_tls_loglevel = 3
|
||||
#smtd_tls_loglevel = 3
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||
selector_map = "/etc/rspamd/dkim_selectors.map";
|
||||
allow_username_mismatch = true;
|
||||
use_esld = true;
|
||||
|
|
|
@ -2,3 +2,4 @@
|
|||
|
||||
|
||||
autolearn = true;
|
||||
users_enabled = true;
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||
selector_map = "/etc/rspamd/dkim_selectors.map";
|
||||
allow_username_mismatch = true;
|
||||
use_esld = true;
|
||||
|
|
Loading…
Reference in a new issue