ansible-mailserver
ansible-mailserver is an Ansible playbook to deploy a simple Postfix/Dovecot mail server.
Features
Simple one-command installation and configuration of your very own mail server.
Includes a host of defenses needed when dealing with the world of internet mail:
- postscreen - inbound SMTP connection filtering
- postgrey - greylisting utility
- policyd-spf - SPF validation
- spamassassin - spam filter
- opendkim - DKIM signing and verification
- opendmarc - DMARC verification
Usage
Prerequisites
Before running the playbook you will need to have the following:
- An A record for your base domain
- An A record for the `mail` subdomain
- A PTR record for your mail server
Clone the repository
git clone https://git.chudnick.com/ansible-mailserver
Modify the inventory
Modify inventory.yml for your deployment. At a minimum, change mail.example.com to the FQDN of your mail server and set ansible_user and remote_user to the name of your account on the mail server.
Modify vars.yml
Modify group_vars/all/vars.yml for your deployment. The variables and their function:
- domain - base domain
- mail_domain - hostname of your mail server and the common name on its TLS certificate
- dkim_selector - selector for your DKIM keys
- spam_score - SpamAssassin score at which mail is classified as spam
- sa_locales - locales SpamAssassin expects mail to be written in; mail in any other locale is treated as spam
- cert_email - the contact email used when requesting the Let's Encrypt certificate
You must set domain to your domain name. All other changes are optional.
Run the playbook
From the repo root directory run:
ansible-playbook run.yml -i inventory.yml --ask-become-pass
If you have passwordless sudo configured, --ask-become-pass is not necessary.
Set DNS records
The playbook finishes by generating the DNS records required for mail authentication. You can find these records under /home/root/dns_records once the playbook finishes. The records are in BIND9 format, but the values can be extracted for use on any DNS platform. Publish them before sending mail: receivers that verify SPF, DKIM and DMARC may reject or spam-folder messages from a domain whose records are missing.
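To check the generated file before copying values into a registrar UI, the following added example (not part of the playbook) flattens BIND-format records into one line per record: parenthesised multi-line records are joined, comments are dropped, and a TXT record's quoted strings are concatenated, which is the form most DNS control panels expect. The sample records are constructed here in the shape opendkim-genkey emits; the playbook's actual file may differ in layout, and the DKIM key material is a truncated placeholder.

```shell
# Added example, not part of the playbook. Flattens BIND zone-file records read
# from stdin into "owner<TAB>type<TAB>value" lines. Records are assumed to
# carry the IN class, as BIND and opendkim-genkey write them.
flatten_bind_records() {
  awk '
  {
    n = length($0)
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (inq) {
        if (c == "\"") inq = 0; else val = val c   # inside a quoted string
      } else if (c == "\"") {
        inq = 1
      } else if (c == ";") {
        break                                      # comment runs to end of line
      } else if (c == "(") {
        depth++                                    # multi-line record opens
      } else if (c == ")") {
        depth--
      } else {
        head = head c                              # owner, TTL, class, type, bare RDATA
      }
    }
    if (depth > 0) next                            # record continues on the next line
    nf = split(head, f)                            # default FS trims and splits on blanks
    type = ""; rest = ""
    for (j = 1; j <= nf; j++) {
      if (f[j] == "IN" && j < nf) { type = f[j + 1]; j++; continue }
      if (type != "") rest = (rest == "" ? f[j] : rest " " f[j])
    }
    if (nf > 0 && type != "")
      printf "%s\t%s\t%s\n", f[1], type, (type == "TXT" ? val : rest)
    head = ""; val = ""
  }'
}

# Return 0 when a flattened TXT value looks like a usable DKIM record: v=DKIM1,
# a non-empty p= tag, and only base64 characters in the key (whitespace inside
# p= is a common result of re-splitting a long TXT value in a registrar UI).
check_dkim_value() {
  case "$1" in
    "v=DKIM1;"*) ;;
    *) return 1 ;;
  esac
  p=$(printf '%s' "$1" | sed -n 's/.*[; ]p=\([^;]*\).*/\1/p')
  [ -n "$p" ] || return 1
  printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/=]+$'
}

# Constructed sample in the shape opendkim-genkey emits (not the playbook's
# real output); the DKIM key material is a truncated placeholder.
sample_records() {
  cat <<'EOF'
; DKIM public key for selector "mail" (constructed sample)
mail._domainkey   IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu7zT3Q3F" )  ; ----- DKIM key mail for example.com
_dmarc            IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"
@           3600  IN  TXT  "v=spf1 mx -all"
@                 IN  MX   10 mail.example.com.
EOF
}

# Usage: flatten the sample, or pipe the generated file in its place:
#   flatten_bind_records < /home/root/dns_records
sample_records | flatten_bind_records
```

Compare each flattened value against what the resolver returns (for example `dig +short TXT mail._domainkey.example.com`) after publishing; a mismatch in the DKIM p= tag is the usual reason signatures fail to verify.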
FAQ
Distros
I have only tested this on Debian 12, and that is currently the only "supported" distro.
This will likely not work on Debian 11 due to changes in the spamassassin package, but could easily be modified to work.
It will likely also work with current versions of Ubuntu, but may require some modifications there as well.
YMMV with any non-Debian-based distro.
Users
This configuration authenticates against local system accounts. In addition, Postfix sender-login and local-recipient maps are used so that only explicitly listed accounts can send and receive mail, rather than every user on the system.
To create a new mail user, run the following script as root:
#!/bin/sh
# usage: add-mail-user.sh USERNAME
set -eu
username="$1"
mailname="$(cat /etc/mailname)"
# create unix account - nologin shell, so the account cannot log in to the system
useradd --shell /usr/sbin/nologin --create-home --user-group "$username"
# login map: which authenticated login may send as which address
echo "$username@$mailname $username" >> /etc/postfix/login_maps
postmap /etc/postfix/login_maps
# local recipient map: which local users may receive mail
echo "$username $username" >> /etc/postfix/local_maps
postmap /etc/postfix/local_maps
# reload postfix to make the new maps live
postfix reload
# set the user's password (this is the SMTP/IMAP password)
passwd "$username"
This creates a system account that is allowed to send and receive mail. As a security precaution the account's shell is set to /usr/sbin/nologin, so the mail credentials cannot be used to obtain an interactive shell on the server.
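A check worth running after adding accounts, as an added example rather than part of the playbook: the audit below reads a passwd file and the two Postfix maps and reports mail users that still have a login shell, recipients without a sender-login entry, login entries that point at non-recipients, and map entries with no matching account. The file paths are parameters so it can run against copies; the sample files are constructed here, and example.com stands in for the contents of /etc/mailname.

```shell
# Added example, not part of the playbook. Reports inconsistencies between the
# system accounts and the Postfix login/local maps described above.
# usage: audit_mail_users PASSWD LOGIN_MAPS LOCAL_MAPS MAILNAME
audit_mail_users() {
  awk -v mailname="$4" '
  FILENAME == ARGV[1] { split($0, p, ":"); shell[p[1]] = p[7]; next }  # passwd: user -> shell
  FILENAME == ARGV[2] { if (NF == 2) can_send[$1] = $2; next }         # login map: address -> user
  FILENAME == ARGV[3] { if (NF == 2) recip[$1] = $2; next }            # local map: user -> user
  END {
    for (u in recip) {
      if (!(u in shell))
        print "MISSING-ACCOUNT " u                 # listed as recipient, no passwd entry
      else if (shell[u] !~ /(nologin|false)$/)
        print "LOGIN-SHELL " u " " shell[u]        # mail user could get an interactive shell
      if (!((u "@" mailname) in can_send))
        print "NO-SENDER-LOGIN " u                 # can receive but cannot send as user@mailname
    }
    for (a in can_send)
      if (!(can_send[a] in recip))
        print "SENDER-NOT-RECIPIENT " a            # may send as an address that never delivers
  }' "$1" "$2" "$3" | sort
}

# Constructed sample files standing in for /etc/passwd and the two maps.
# usage: make_samples DIR
make_samples() {
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:1001::/home/alice:/usr/sbin/nologin' \
    'bob:x:1002:1002::/home/bob:/bin/bash' > "$1/passwd"
  printf '%s\n' 'alice@example.com alice' 'bob@example.com bob' \
    'carol@example.com carol' > "$1/login_maps"
  printf '%s\n' 'alice alice' 'bob bob' 'dave dave' > "$1/local_maps"
}

# On a real server: audit_mail_users /etc/passwd /etc/postfix/login_maps \
#   /etc/postfix/local_maps "$(cat /etc/mailname)"
dir=$(mktemp -d)
make_samples "$dir"
audit_mail_users "$dir/passwd" "$dir/login_maps" "$dir/local_maps" example.com
rm -rf "$dir"
```

On the constructed sample this reports bob's /bin/bash shell, dave's missing account and sender-login entry, and carol's login entry with no recipient; alice, created the way the script above does it, produces no finding.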
Multiple Domains
The playbook configures the mail server for a single domain, but nothing in the configuration prevents a multi-domain setup. Adding further domains requires some manual Postfix configuration in main.cf (for example declaring them as virtual alias domains), and each extra domain needs its own DNS, SPF and DKIM records.