Multiple fixes

This commit is contained in:
iburadempa 2022-04-25 20:10:40 +02:00
parent d166ccf12b
commit 08be02723b
10 changed files with 132 additions and 27 deletions

View file

@ -1,11 +1,13 @@
# install a complete mail system with
# ansible playbook
#
# Install a complete mail system with
#
# - postfix
# - dovecot
# - clamav (with unofficial signatures)
# - rspamd (integrating clamav)
#
# not included here: list server, roundcube
# not included here: list server, roundcube, account and alias management
#
# Please edit the host's config (inventory/host_vars/${hostname}):
# Add a new dictionary 'mailserver':
@ -33,28 +35,36 @@
#
# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
#
# (Use ansible-vault encrypt_string zo encrypt the password.)
# (Use ansible-vault encrypt_string to encrypt the password.)
#
# TODOs after running this playbook:
#
# Configure mail DNS:
# Open the firewall:
#
# - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
# - allow outgoing traffic
#
# Configure mail DNS for your host:
#
# - MX
# - PTR (IPv4 and IPv6)
#
# SPF, DMARC and DKIM DNS records should be created when adding a domain:
# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
#
# - SPF (IN TXT "v=spf1 mx" or more)
# - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
# - SPF ('IN TXT "v=spf1 mx"' or more)
# - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
# get the DNS entry and save the private key
#
# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming)
# get the DNS entry and also save the private key)
#
# Replace the ssl certificates with signed ones.
#
# Users and domains can be added to the PostgreSQL tables;
# code for that is not part of this playbook.
# Mind that if you create a catchall alias, you must also
# add an alias for each account to the aliases, or you can
# prepend the following to the SELECT in /etc/postfix/aliases.cf
# SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
# UNION
- name: install mail_system
user: root

View file

@ -62,10 +62,11 @@
columns:
- id bigserial primary key
- alias_domain_id bigint references domains(id) on delete cascade
- alias varchar(250) not null unique
- alias varchar(250) not null
- forwardings varchar(250)[] not null
- t timestamp without time zone not null default now()
- comment text null
- unique(alias_domain_id, alias)
- name: database index aliases__alias
postgresql_idx:

View file

@ -18,6 +18,7 @@
- auth-sql.conf.ext
- 10-mail.conf
- 10-master.conf
- 10-ssl.conf
- 15-mailboxes.conf
- 20-lmtp.conf
- 20-imap.conf

View file

@ -101,7 +101,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }}
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
auth_mechanisms = plain login
##
## Password and user databases

View file

@ -0,0 +1,79 @@
# THIS FILE IS CONTROLLED BY ANSIBLE - DO NOT CHANGE IN DEPLOYMENT!
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = TLSv1.2
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
#ssl_options =

View file

@ -90,7 +90,7 @@ plugin {
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox.
# https://wiki2.dovecot.org/Quota/Configuration

View file

@ -18,24 +18,28 @@ append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
readme_directory = /usr/share/doc/postfix
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
# TLS
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_auth_only=yes
smtpd_tls_received_header = yes
smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Host names, aliases, networks
myhostname = {{ ansible_fqdn }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
@ -48,7 +52,7 @@ inet_interfaces = all
inet_protocols = all
# Virtual mailboxes
virtual_mailbox_domains = pgsql:/etc/postfix/domains.cf
virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
virtual_alias_maps = pgsql:/etc/postfix/aliases.cf
@ -57,14 +61,13 @@ virtual_minimum_uid = 5000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport=lmtp:unix:private/dovecot-lmtp
# Interaction with dovecot
virtual_transport=lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
smtpd_tls_auth_only=yes
smtp_tls_security_level=may
@ -83,7 +86,8 @@ smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_unauth_destination
check_policy_service inet:127.0.0.1:12480 # user quota
check_policy_service inet:127.0.0.1:12480
# 12480: user quota
smtpd_relay_restrictions =
permit_mynetworks
@ -94,9 +98,13 @@ smtpd_relay_restrictions =
# rspamd
smtpd_milters=inet:127.0.0.1:11332
non_smtpd_milters=inet:127.0.0.1:11332
milter_protocol=6
milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}
# VERP marking
# VERP marking and SRS (sender rewriting scheme)
# Envelope sender addresses matching mydomains are marked.
# The marker is removed from envelope recipient addresses.
canonical_classes = envelope_sender, envelope_recipient, header_recipient
@ -111,7 +119,7 @@ enable_long_queue_ids = yes
# convenience settings
maximal_queue_lifetime = 6w # default is 5d
maximal_queue_lifetime = 6w
bounce_queue_lifetime = 6w
message_size_limit = 20800000
@ -119,3 +127,4 @@ message_size_limit = 20800000
# debugging options (see also http://www.postfix.org/DEBUG_README.html):
#debug_peer_list = 127.0.0.1
#smtpd_tls_loglevel = 3
#smtd_tls_loglevel = 3

View file

@ -1,2 +1,4 @@
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
allow_username_mismatch = true;
use_esld = true;

View file

@ -2,3 +2,4 @@
autolearn = true;
users_enabled = true;

View file

@ -1,2 +1,4 @@
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
allow_username_mismatch = true;
use_esld = true;