clone from private repo

2019-09-19 10:43:17 +02:00 · 2019-09-19 10:43:17 +02:00 · c0ae983acb
commit c0ae983acb
48 changed files with 2766 additions and 0 deletions
--- a/mail_system/tasks/clamav.yml
+++ b/mail_system/tasks/clamav.yml
@ -0,0 +1,50 @@
+# install clamav
+# we run freshclam (with daemons stopped) and then starting the daemons should work
+# (avoiding 'clamav-daemon not started: "ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not met"')
+
+- name: install clamav
+  apt:
+    name: "{{ packages }}"
+  vars:
+    packages:
+    - clamav
+    - clamav-daemon
+    - clamav-freshclam
+
+- name: stop clamav daemons
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+  loop:
+    - clamav-freshclam
+    - clamav-daemon
+
+- name: run freshclam
+  shell: freshclam
+
+- name: start clamav daemons
+  systemd:
+    name: "{{ item }}"
+    state: started
+  loop:
+    - clamav-daemon
+    - clamav-freshclam
+
+- name: install clamav-unofficial-sigs, clamdscan
+  apt:
+    name: "{{ packages }}"
+  vars:
+    packages:
+    - clamav-unofficial-sigs
+    - clamdscan
+
+- name: set clamav BytecodeSecurity to Paranoid
+  lineinfile:
+    path: /etc/clamav/clamd.conf
+    regexp: '^BytecodeSecurity'
+    line: 'BytecodeSecurity Paranoid'
+
+- name: restart clamav-daemon
+  systemd:
+    name: clamav-daemon
+    state: restarted
--- a/mail_system/tasks/database.yml
+++ b/mail_system/tasks/database.yml
@ -0,0 +1,133 @@
+- name: apt install python3-psycopg2
+  apt:
+    name: python3-psycopg2
+    state: present
+
+- name: database table domains
+  postgresql_table:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    name: domains
+    columns:
+    - id bigserial primary key
+    - name varchar(128) not null unique
+    - relay_transport text null
+
+- name: database table users
+  postgresql_table:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    name: users
+    columns:
+    - id BIGSERIAL PRIMARY KEY
+    - domain_id BIGINT references domains(id) on delete cascade
+    - username VARCHAR(128) NOT NULL
+    - realname VARCHAR(250) NOT NULL
+    - password VARCHAR(128) NOT NULL
+    - suspend_submission BOOL NOT NULL DEFAULT false
+    - suspend_imap_reason TEXT NULL
+    - quota_storage_bytes BIGINT NOT NULL DEFAULT 100000000000
+    - quota_inbox_messages INT NOT NULL DEFAULT 500000
+    - unique(domain_id, username)
+
+- name: database index users__domain_username
+  postgresql_idx:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    table: users
+    columns: domain_id, username
+    idxname: users__domain_username
+
+- name: database table aliases
+  postgresql_table:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    name: aliases
+    columns:
+    - id bigserial primary key
+    - alias_domain_id bigint references domains(id) on delete cascade
+    - alias varchar(250) not null unique
+    - forwardings varchar(250)[] not null
+    - t timestamp without time zone not null default now()
+    - comment text null
+
+- name: database index aliases__alias
+  postgresql_idx:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    table: aliases
+    columns: alias
+    idxname: aliases__alias
+
+- name: database table shared_folders
+  postgresql_table:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    name: shared_folders
+    columns:
+    - id bigserial primary key
+    - from_user varchar(128) not null
+    - to_user varchar(128) not null
+    - dummy char(1) DEFAULT '1'
+
+- name: database index shared_folders__from_to
+  postgresql_idx:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    table: shared_folders
+    columns: from_user, to_user
+    idxname: shared_folders__from_to
+
+- name: database table shared_folders_anyone
+  postgresql_table:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    name: shared_folders_anyone
+    columns:
+    - id bigserial primary key
+    - from_user varchar(128) not null
+    - dummy char(1) DEFAULT '1'
+
+- name: database index shared_folders_anyone__from
+  postgresql_idx:
+    login_host: "{{ mailserver.postgresql.host }}"
+    port: "{{ mailserver.postgresql.port }}"
+    login_user: "{{ mailserver.postgresql.username }}"
+    login_password: "{{ mailserver.postgresql.password }}"
+    db: "{{ mailserver.postgresql.dbname }}"
+    ssl_mode: disable
+    table: shared_folders_anyone
+    columns: from_user
+    idxname: shared_folders__from
--- a/mail_system/tasks/dovecot.yml
+++ b/mail_system/tasks/dovecot.yml
@ -0,0 +1,125 @@
+# here we assume that postfix.yml has run such that user 'mailstore' exists
+
+- name: install dovecot packages
+  apt:
+    name: dovecot-imapd,dovecot-lmtpd,dovecot-pgsql,dovecot-managesieved,dovecot-lucene
+    state: present
+
+- name: install dovecot config files
+  template:
+    src: "dovecot/{{ item }}"
+    dest: "/etc/dovecot/conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+    force: yes
+  loop:
+    - 10-auth.conf
+    - auth-sql.conf.ext
+    - 10-mail.conf
+    - 10-master.conf
+    - 15-mailboxes.conf
+    - 20-lmtp.conf
+    - 20-imap.conf
+    - 90-sieve.conf
+    - 90-sieve-extprograms.conf
+    - 90-plugin.conf
+    - 90-acl.conf
+    - 90-quota.conf
+
+- name: install more dovecot config files
+  template:
+    src: "dovecot/{{ item }}"
+    dest: "/etc/dovecot/{{ item }}"
+    owner: root
+    group: dovecot
+    mode: 0640
+    force: yes
+  loop:
+    - dovecot.conf
+    - dovecot-sql.conf.ext
+    - dovecot-dict-sql.conf.ext
+
+- name: directories /etc/dovecot/sieve_before /etc/dovecot/sieve_after
+  file:
+    path: "/etc/dovecot/{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - sieve_pipes
+    - sieve_filters
+    - sieve_execute
+    - sieve_before
+    - sieve_after
+
+- name: file /etc/dovecot/sieve_after/spam-to-folder.sieve
+  template:
+    src: dovecot/spam-to-folder.sieve
+    dest: /etc/dovecot/sieve_after/spam-to-folder.sieve
+    owner: root
+    group: root
+    mode: 0644
+    force: yes
+
+- name: files /etc/dovecot/sieve_pipes/*.sieve
+  template:
+    src: "dovecot/{{ item }}"
+    dest: "/etc/dovecot/sieve_pipes/{{ item }}"
+    owner: mailstore
+    group: mailstore
+    mode: 0600
+    force: yes
+  loop:
+    - learn-spam.sieve
+    - learn-ham.sieve
+
+- name: files /etc/dovecot/sieve_pipes/*.sh
+  template:
+    src: "dovecot/{{ item }}"
+    dest: "/etc/dovecot/sieve_pipes/{{ item }}"
+    owner: mailstore
+    group: mailstore
+    mode: 0700
+    force: yes
+  loop:
+    - rspamd-learn-spam.sh
+    - rspamd-learn-ham.sh
+
+- name: README files
+  template:
+    src: "dovecot/README_{{ item }}"
+    dest: "/etc/dovecot/sieve_{{ item }}/README"
+    owner: mailstore
+    group: mailstore
+    mode: 0600
+    force: yes
+  loop:
+    - filters
+    - execute
+    - before
+    - after
+
+- name: restart dovecot
+  systemd:
+    name: dovecot
+    state: restarted
+
+- name: compile sieve files
+  shell: "/usr/bin/sievec /etc/dovecot/{{ item }}"
+  loop:
+    - "sieve_after/spam-to-folder.sieve"
+    - "sieve_pipes/learn-spam.sieve"
+    - "sieve_pipes/learn-ham.sieve"
+
+- name: permissions of .svbin
+  file:
+    path: "/etc/dovecot/{{ item }}"
+    owner: mailstore
+    group: mailstore
+    mode: 0600
+  loop:
+    - "sieve_after/spam-to-folder.sieve"
+    - "sieve_pipes/learn-spam.svbin"
+    - "sieve_pipes/learn-ham.svbin"
--- a/mail_system/tasks/main.yml
+++ b/mail_system/tasks/main.yml
@ -0,0 +1,6 @@
+- include: remove_other_mtas.yml
+- include: database.yml
+- include: postfix.yml
+- include: dovecot.yml
+- include: clamav.yml
+- include: rspamd.yml
--- a/mail_system/tasks/postfix.yml
+++ b/mail_system/tasks/postfix.yml
@ -0,0 +1,79 @@
+- name: install postfix packages
+  apt:
+    name: postfix,postfix-pgsql,postfix-doc
+    state: present
+    update_cache: yes
+    install_recommends: no
+
+- name: divert /etc/postfix/main.cf
+  shell: dpkg-divert --add --rename --divert /etc/postfix/main.cf.orig /etc/postfix/main.cf
+
+- name: divert /etc/postfix/master.cf
+  shell: dpkg-divert --add --rename --divert /etc/postfix/master.cf.orig /etc/postfix/master.cf
+
+- name: group 'mailstore'
+  group:
+    name: mailstore
+    state: present
+    system: yes
+    gid: 5000
+
+- name: user 'mailstore'
+  user:
+    name: mailstore
+    group: mailstore
+    state: present
+    system: yes
+    uid: 5000
+    create_home: no
+    home: /srv/mailstore
+    password: '!'
+    password_lock: yes
+    comment: created by ansible
+
+- name: directories /srv/mailstore /srv/mailstore/role_specific
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: mailstore
+    group: mailstore
+    mode: 0755
+  loop:
+    - /srv/mailstore
+    - /srv/mailstore/role_specific
+    - /srv/mailstore/role_specific/roles
+
+- name: postfix configuration files
+  template:
+    src: "postfix/{{ item }}"
+    dest: "/etc/postfix/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+    force: "{{ mailserver.postfix.overwrite_config }}"
+  loop:
+    - main.cf
+    - master.cf
+    - header_checks
+
+- name: postfix database queries
+  template:
+    src: "postfix/{{ item }}"
+    dest: "/etc/postfix/{{ item }}"
+    owner: root
+    group: root
+    mode: 0600
+    force: yes
+  loop:
+    - domains.cf
+    - mailboxes.cf
+    - aliases.cf
+    - email_existence_check.cf
+    - relay_domains.cf
+    - relay_recipient_maps.cf
+    - transport_maps.cf
+
+- name: restart postfix
+  systemd:
+    name: postfix
+    state: restarted
--- a/mail_system/tasks/remove_other_mtas.yml
+++ b/mail_system/tasks/remove_other_mtas.yml
@ -0,0 +1,10 @@
+- name: find all installed versions of mail-transport-agent except postfix
+  shell: aptitude search '~i~Pmail-transport-agent' | sed -e 's/^...\(.*\)/\1/' | awk '{ print $1 }' | grep -v postfix || /bin/true
+  register: mtas
+
+- name: purge MTAs other than postfix
+  apt:
+    name: "{{ item }}"
+    state: absent
+    purge: yes
+  loop: "{{ mtas.stdout_lines|list }}"
--- a/mail_system/tasks/rspamd.yml
+++ b/mail_system/tasks/rspamd.yml
@ -0,0 +1,81 @@
+- name: apt install rspamd
+  apt:
+    name: rspamd
+    state: present
+
+# postfix integration
+
+- name: postfix setting milter_mail_macros
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^milter_mail_macros='
+    line: 'milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}'
+    insertafter: '^# rspamd'
+
+- name: postfix setting milter_protocol
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^milter_protocol='
+    line: 'milter_protocol=6'
+    insertafter: '^# rspamd'
+
+- name: postfix setting non_smtpd_milters
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^non_smtpd_milters='
+    line: 'non_smtpd_milters=inet:127.0.0.1:11332'
+    insertafter: '^# rspamd'
+
+- name: postfix setting smtpd_milters
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^smtpd_milters='
+    line: 'smtpd_milters=inet:127.0.0.1:11332'
+    insertafter: '^# rspamd'
+
+- name: restart postfix
+  systemd:
+    name: postfix
+    state: restarted
+
+# rspamd configuration
+
+- name: rspamd configure extended_spam_headers true
+  template:
+    src: "rspamd/{{ item }}"
+    dest: "/etc/rspamd/override.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - milter_headers.conf
+    - classifier-bayes.conf
+    - antivirus.conf
+
+# install dkim
+
+- name: mkdir /var/lib/rspamd/dkim
+  file:
+    path: /var/lib/rspamd/dkim
+    state: directory
+    owner: _rspamd
+    group: _rspamd
+    mode: '0755'
+
+- name: rspamd config dkim_signing.conf and arc.conf
+  template:
+    src: "rspamd/{{ item }}"
+    dest: "/etc/rspamd/local.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - dkim_signing.conf
+    - arc.conf
+
+# restart rspamd
+
+- name: restart rspamd
+  systemd:
+    name: rspamd
+    state: restarted