From 24025f25fc48b3942e57f42a507df45789184672 Mon Sep 17 00:00:00 2001 From: iburadempa Date: Mon, 25 Apr 2022 20:22:03 +0200 Subject: [PATCH 1/3] Improve README --- README.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 6267e6e..5eab544 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,23 @@ +ansible roles and playbooks for a mail server. + +Branch names correspond to debian release names. + + ## mail_system -ansible role for debian buster setting up a mailserver with -postfix, rspamd, dovecot and clamav and based on PostgreSQL +Setup a complete mail system with postfix, rspamd, dovecot and clamav, using PostgreSQL as backend. -Attention: user and domain administration (in PostgreSQL) is not covered here - -* mail_system -* mail_system.yml +* `mail_system` ansible role +* `mail_system.yml` ansible playbook +NB: A user and domain administration frontend is not included. ## journal-postfix -ansible role for debian buster parsing postfix entries in -systemd journal and collecting delivery information +Parse postfix entries in systemd journal and write delivery information to a PostgreSQL database. -* journal-postfix -* journal-postfix.yml -* journal-postfix-doc +* `journal-postfix` ansible role +* `journal-postfix.yml` ansible playbook +* `journal-postfix-doc` documentation See [journal-postfix/files/srv/README.md](journal-postfix/files/srv/README.md) From 3686d3510846b553fa4263016b7d4f3b63375bb1 Mon Sep 17 00:00:00 2001 
From: iburadempa Date: Mon, 25 Apr 2022 20:40:24 +0200 Subject: [PATCH 2/3] Update dovecot config files to bullseye, mostly adding comments --- mail_system/templates/dovecot/10-auth.conf | 6 ++-- mail_system/templates/dovecot/10-mail.conf | 4 +-- mail_system/templates/dovecot/10-ssl.conf | 9 +++-- .../templates/dovecot/15-mailboxes.conf | 33 +++++++++++-------- mail_system/templates/dovecot/20-imap.conf | 5 +-- mail_system/templates/dovecot/20-lmtp.conf | 14 ++++++++ mail_system/templates/dovecot/90-quota.conf | 2 +- mail_system/templates/dovecot/90-sieve.conf | 2 +- 8 files changed, 50 insertions(+), 25 deletions(-) diff --git a/mail_system/templates/dovecot/10-auth.conf b/mail_system/templates/dovecot/10-auth.conf index 09a1d0b..88bb718 100644 --- a/mail_system/templates/dovecot/10-auth.conf +++ b/mail_system/templates/dovecot/10-auth.conf @@ -13,7 +13,7 @@ #disable_plaintext_auth = yes # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that -# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. +# bsdauth and PAM require cache_key to be set for caching to be used. #auth_cache_size = 0 # Time to live for cached data. After TTL expires the cached record is no # longer used, *except* if the main database lookup returns internal failure. @@ -98,7 +98,7 @@ auth_default_realm = {{ mailserver.dovecot.auth_default_realm }} #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: -# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey +# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain login @@ -128,6 +128,4 @@ auth_mechanisms = plain login #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext -#!include auth-vpopmail.conf.ext #!include auth-static.conf.ext - 
diff --git a/mail_system/templates/dovecot/10-mail.conf b/mail_system/templates/dovecot/10-mail.conf index c7f8ffa..2de8bc6 100644 --- a/mail_system/templates/dovecot/10-mail.conf +++ b/mail_system/templates/dovecot/10-mail.conf @@ -452,10 +452,10 @@ protocol !indexer-worker { # Settings to control adding $HasAttachment or $HasNoAttachment keywords. # By default, all MIME parts with Content-Disposition=attachment, or inlines # with filename parameter are consired attachments. -# add-flags-on-save - Add the keywords when saving new mails. +# add-flags - Add the keywords when saving new mails or when fetching can +# do it efficiently. # content-type=type or !type - Include/exclude content type. Excluding will # never consider the matched MIME part as attachment. Including will only # negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar). # exclude-inlined - Exclude any Content-Disposition=inline MIME part. #mail_attachment_detection_options = - diff --git a/mail_system/templates/dovecot/10-ssl.conf b/mail_system/templates/dovecot/10-ssl.conf index 7999236..0838ef5 100644 --- a/mail_system/templates/dovecot/10-ssl.conf +++ b/mail_system/templates/dovecot/10-ssl.conf @@ -33,10 +33,15 @@ ssl_key = ) instead of full path +# syntax. +# +# The list is space-separated. +#lmtp_client_workarounds = + protocol lmtp { # Space separated list of plugins to load (default is global mail_plugins). #mail_plugins = $mail_plugins diff --git a/mail_system/templates/dovecot/90-quota.conf b/mail_system/templates/dovecot/90-quota.conf index 04b9452..5e80818 100644 --- a/mail_system/templates/dovecot/90-quota.conf +++ b/mail_system/templates/dovecot/90-quota.conf 
@@ -90,7 +90,7 @@ plugin { quota_grace = 10%% quota_status_success = DUNNO quota_status_nouser = DUNNO - quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails" + quota_status_overquota = "552 5.2.2 Mailbox is full" quota_exceeded_message = Quota exceeded, please reduce your overall mail volume and/or the number of messages in your inbox. # https://wiki2.dovecot.org/Quota/Configuration diff --git a/mail_system/templates/dovecot/90-sieve.conf b/mail_system/templates/dovecot/90-sieve.conf index 25c0703..8f8ca8e 100644 --- a/mail_system/templates/dovecot/90-sieve.conf +++ b/mail_system/templates/dovecot/90-sieve.conf @@ -63,7 +63,7 @@ plugin { # the "discard" action, and no actions that deliver the message are executed. # This "discard script" can prevent discarding the message, by executing # alternative actions. If the discard script does nothing, the message is - # still discarded as it would be when no discard script is configured. + # still discarded as it would be when no discard script is configured. #sieve_discard = # Location Sieve of scripts that need to be executed before the user's From e0c6d4bda55993ef3db9b10b6698a729c822c1ff Mon Sep 17 00:00:00 2001 From: iburadempa Date: Mon, 26 Sep 2022 13:01:52 +0200 Subject: [PATCH 3/3] Improve playbook doc --- mail_system.yml | 73 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 51 insertions(+), 22 deletions(-) diff --git a/mail_system.yml b/mail_system.yml index eafb54c..6ee1b8b 100644 --- a/mail_system.yml +++ b/mail_system.yml @@ -1,13 +1,11 @@ -# ansible playbook -# -# Install a complete mail system with +# install a complete mail system with # # - postfix # - dovecot # - clamav (with unofficial signatures) # - rspamd (integrating clamav) # -# not included here: list server, roundcube, account and alias management +# not included here: list server, roundcube # # Please edit the host's config (inventory/host_vars/${hostname}): # Add a new dictionary 'mailserver': 
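Review bot: The `quota_status_overquota` change in 90-quota.conf turns the over-quota reply from a transient 452 4.2.2 into a permanent 552 5.2.2, so a sending MTA bounces immediately instead of retrying for its queue lifetime while the mailbox is being cleaned up; the commit message ("mostly adding comments") does not mention this behaviour change. The new value appears to follow the upstream example on the wiki page linked two lines below, which is a defensible choice, but it deserves a line in the template so the next maintainer does not revert it as a typo, e.g. `# 552/5.2.2: reject over-quota mail permanently instead of asking senders to retry (was 452 4.2.2)` placed above the setting. The enclosing `plugin {` block starts before the hunk.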
@@ -33,38 +31,69 @@
 # dovecot:
 # auth_default_realm: mymaindomain.org
 #
-# Take care thate the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
+# Setup a Postgresql database (named as in dbname, owned by username, reachable on
+# host and port) with something like that:
 #
-# (Use ansible-vault encrypt_string to encrypt the password.)
+# createuser -P mailserver
+# createdb -E utf8 -O mailserver -T template1 mailserver
+#
+# Use `ansible-vault encrypt_string` to obtain the encrypted password.
+#
+# Take care that the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
 #
 # TODOs after running this playbook:
 #
-# Open the firewall:
-#
-# - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
-# - allow outgoing traffic
-#
-# Configure mail DNS for your host:
+# Configure mail DNS:
 #
 # - MX
 # - PTR (IPv4 and IPv6)
 #
-# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
+# SPF, DMARC and DKIM DNS records should be created when adding a domain:
 #
-# - SPF ('IN TXT "v=spf1 mx"' or more)
-# - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
+# - SPF (IN TXT "v=spf1 mx" or more)
+# - DMARC (_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;")
 # - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
-# get the DNS entry and also save the private key)
+# put the DNS entry in your zone file and save the private key
+# into /var/lib/rspamd/dkim/mymaindomain.org.20190911.key
+# and
+# chown _rspamd /var/lib/rspamd/dkim/*
+# chmod 400 /var/lib/rspamd/dkim/*
+# and enable it by putting a line
+# mymaindomain.org 20190911
+# into /etc/rspamd/dkim_selectors.map
+# followed by systemctl reload rspamd)
 #
-# Replace the ssl certificates with signed ones.
+# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming)
+#
+# Replace the dovecot ssl certificates in /etc/dovecot/private with signed ones.
 #
 # Users and domains can be added to the PostgreSQL tables;
 # code for that is not part of this playbook.
-# Mind that if you create a catchall alias, you must also
-# add an alias for each account to the aliases, or you can
-# prepend the following to the SELECT in /etc/postfix/aliases.cf
-# SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
-# UNION
+#
+# - put the domain name in table domains
+# - create a user in table users using `doveadm pw -s PBKDF2`
+# - create aliases
+#
+# Users should use the following parameters for IMAP and mail submission.
+# Note you will need to use the server_name for which you have installed the ssl certificates.
+# Or you will have to configure dovecot to use multiple certs:
+# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support
+#
+# IMAP:
+#
+# - server_name: mail.mydomain.org
+# - port: 143
+# - connection_security: starttls
+# - auth_method: normal password
+# - username: {user}@{configured_domain}
+#
+# Mail submission:
+#
+# - server_name: mail.mydomain.org
+# - port: 587
+# - connection_security: starttls
+# - auth_method: normal password
+# - username: {user}@{configured_domain}
 
 - name: install mail_system
 user: root
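Review bot: The rewritten firewall line in the first part of this hunk drops the old `- allow outgoing traffic` item, so a host with default-deny egress would be set up by the playbook but unable to deliver mail, resolve DNS or fetch clamav/rspamd signature updates; restore it as `# Please open the firewall: open or DNAT tcp ports 25, 143, 587, 4190 to the host (incoming) and allow outgoing traffic`. The new certificate note names only /etc/dovecot/private, yet the IMAP and submission parameters listed at the end both rely on STARTTLS; if postfix reads a separate certificate for ports 25 and 587 (not visible in this hunk), the note should name that path too. The DKIM step correctly fixes owner and mode of the private key after the fact, but the key is written first and only then restricted; a short remark such as `# create the key file with a restrictive umask so it is never world-readable before the chmod` would close that window. The playbook tasks that follow `- name: install mail_system` continue outside the hunk.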