65 files changed, 2090 insertions, 0 deletions
@@ -0,0 +1,674 @@ | |||
1 | GNU GENERAL PUBLIC LICENSE | ||
2 | Version 3, 29 June 2007 | ||
3 | |||
4 | Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> | ||
5 | Everyone is permitted to copy and distribute verbatim copies | ||
6 | of this license document, but changing it is not allowed. | ||
7 | |||
8 | Preamble | ||
9 | |||
10 | The GNU General Public License is a free, copyleft license for | ||
11 | software and other kinds of works. | ||
12 | |||
13 | The licenses for most software and other practical works are designed | ||
14 | to take away your freedom to share and change the works. By contrast, | ||
15 | the GNU General Public License is intended to guarantee your freedom to | ||
16 | share and change all versions of a program--to make sure it remains free | ||
17 | software for all its users. We, the Free Software Foundation, use the | ||
18 | GNU General Public License for most of our software; it applies also to | ||
19 | any other work released this way by its authors. You can apply it to | ||
20 | your programs, too. | ||
21 | |||
22 | When we speak of free software, we are referring to freedom, not | ||
23 | price. Our General Public Licenses are designed to make sure that you | ||
24 | have the freedom to distribute copies of free software (and charge for | ||
25 | them if you wish), that you receive source code or can get it if you | ||
26 | want it, that you can change the software or use pieces of it in new | ||
27 | free programs, and that you know you can do these things. | ||
28 | |||
29 | To protect your rights, we need to prevent others from denying you | ||
30 | these rights or asking you to surrender the rights. Therefore, you have | ||
31 | certain responsibilities if you distribute copies of the software, or if | ||
32 | you modify it: responsibilities to respect the freedom of others. | ||
33 | |||
34 | For example, if you distribute copies of such a program, whether | ||
35 | gratis or for a fee, you must pass on to the recipients the same | ||
36 | freedoms that you received. You must make sure that they, too, receive | ||
37 | or can get the source code. And you must show them these terms so they | ||
38 | know their rights. | ||
39 | |||
40 | Developers that use the GNU GPL protect your rights with two steps: | ||
41 | (1) assert copyright on the software, and (2) offer you this License | ||
42 | giving you legal permission to copy, distribute and/or modify it. | ||
43 | |||
44 | For the developers' and authors' protection, the GPL clearly explains | ||
45 | that there is no warranty for this free software. For both users' and | ||
46 | authors' sake, the GPL requires that modified versions be marked as | ||
47 | changed, so that their problems will not be attributed erroneously to | ||
48 | authors of previous versions. | ||
49 | |||
50 | Some devices are designed to deny users access to install or run | ||
51 | modified versions of the software inside them, although the manufacturer | ||
52 | can do so. This is fundamentally incompatible with the aim of | ||
53 | protecting users' freedom to change the software. The systematic | ||
54 | pattern of such abuse occurs in the area of products for individuals to | ||
55 | use, which is precisely where it is most unacceptable. Therefore, we | ||
56 | have designed this version of the GPL to prohibit the practice for those | ||
57 | products. If such problems arise substantially in other domains, we | ||
58 | stand ready to extend this provision to those domains in future versions | ||
59 | of the GPL, as needed to protect the freedom of users. | ||
60 | |||
61 | Finally, every program is threatened constantly by software patents. | ||
62 | States should not allow patents to restrict development and use of | ||
63 | software on general-purpose computers, but in those that do, we wish to | ||
64 | avoid the special danger that patents applied to a free program could | ||
65 | make it effectively proprietary. To prevent this, the GPL assures that | ||
66 | patents cannot be used to render the program non-free. | ||
67 | |||
68 | The precise terms and conditions for copying, distribution and | ||
69 | modification follow. | ||
70 | |||
71 | TERMS AND CONDITIONS | ||
72 | |||
73 | 0. Definitions. | ||
74 | |||
75 | "This License" refers to version 3 of the GNU General Public License. | ||
76 | |||
77 | "Copyright" also means copyright-like laws that apply to other kinds of | ||
78 | works, such as semiconductor masks. | ||
79 | |||
80 | "The Program" refers to any copyrightable work licensed under this | ||
81 | License. Each licensee is addressed as "you". "Licensees" and | ||
82 | "recipients" may be individuals or organizations. | ||
83 | |||
84 | To "modify" a work means to copy from or adapt all or part of the work | ||
85 | in a fashion requiring copyright permission, other than the making of an | ||
86 | exact copy. The resulting work is called a "modified version" of the | ||
87 | earlier work or a work "based on" the earlier work. | ||
88 | |||
89 | A "covered work" means either the unmodified Program or a work based | ||
90 | on the Program. | ||
91 | |||
92 | To "propagate" a work means to do anything with it that, without | ||
93 | permission, would make you directly or secondarily liable for | ||
94 | infringement under applicable copyright law, except executing it on a | ||
95 | computer or modifying a private copy. Propagation includes copying, | ||
96 | distribution (with or without modification), making available to the | ||
97 | public, and in some countries other activities as well. | ||
98 | |||
99 | To "convey" a work means any kind of propagation that enables other | ||
100 | parties to make or receive copies. Mere interaction with a user through | ||
101 | a computer network, with no transfer of a copy, is not conveying. | ||
102 | |||
103 | An interactive user interface displays "Appropriate Legal Notices" | ||
104 | to the extent that it includes a convenient and prominently visible | ||
105 | feature that (1) displays an appropriate copyright notice, and (2) | ||
106 | tells the user that there is no warranty for the work (except to the | ||
107 | extent that warranties are provided), that licensees may convey the | ||
108 | work under this License, and how to view a copy of this License. If | ||
109 | the interface presents a list of user commands or options, such as a | ||
110 | menu, a prominent item in the list meets this criterion. | ||
111 | |||
112 | 1. Source Code. | ||
113 | |||
114 | The "source code" for a work means the preferred form of the work | ||
115 | for making modifications to it. "Object code" means any non-source | ||
116 | form of a work. | ||
117 | |||
118 | A "Standard Interface" means an interface that either is an official | ||
119 | standard defined by a recognized standards body, or, in the case of | ||
120 | interfaces specified for a particular programming language, one that | ||
121 | is widely used among developers working in that language. | ||
122 | |||
123 | The "System Libraries" of an executable work include anything, other | ||
124 | than the work as a whole, that (a) is included in the normal form of | ||
125 | packaging a Major Component, but which is not part of that Major | ||
126 | Component, and (b) serves only to enable use of the work with that | ||
127 | Major Component, or to implement a Standard Interface for which an | ||
128 | implementation is available to the public in source code form. A | ||
129 | "Major Component", in this context, means a major essential component | ||
130 | (kernel, window system, and so on) of the specific operating system | ||
131 | (if any) on which the executable work runs, or a compiler used to | ||
132 | produce the work, or an object code interpreter used to run it. | ||
133 | |||
134 | The "Corresponding Source" for a work in object code form means all | ||
135 | the source code needed to generate, install, and (for an executable | ||
136 | work) run the object code and to modify the work, including scripts to | ||
137 | control those activities. However, it does not include the work's | ||
138 | System Libraries, or general-purpose tools or generally available free | ||
139 | programs which are used unmodified in performing those activities but | ||
140 | which are not part of the work. For example, Corresponding Source | ||
141 | includes interface definition files associated with source files for | ||
142 | the work, and the source code for shared libraries and dynamically | ||
143 | linked subprograms that the work is specifically designed to require, | ||
144 | such as by intimate data communication or control flow between those | ||
145 | subprograms and other parts of the work. | ||
146 | |||
147 | The Corresponding Source need not include anything that users | ||
148 | can regenerate automatically from other parts of the Corresponding | ||
149 | Source. | ||
150 | |||
151 | The Corresponding Source for a work in source code form is that | ||
152 | same work. | ||
153 | |||
154 | 2. Basic Permissions. | ||
155 | |||
156 | All rights granted under this License are granted for the term of | ||
157 | copyright on the Program, and are irrevocable provided the stated | ||
158 | conditions are met. This License explicitly affirms your unlimited | ||
159 | permission to run the unmodified Program. The output from running a | ||
160 | covered work is covered by this License only if the output, given its | ||
161 | content, constitutes a covered work. This License acknowledges your | ||
162 | rights of fair use or other equivalent, as provided by copyright law. | ||
163 | |||
164 | You may make, run and propagate covered works that you do not | ||
165 | convey, without conditions so long as your license otherwise remains | ||
166 | in force. You may convey covered works to others for the sole purpose | ||
167 | of having them make modifications exclusively for you, or provide you | ||
168 | with facilities for running those works, provided that you comply with | ||
169 | the terms of this License in conveying all material for which you do | ||
170 | not control copyright. Those thus making or running the covered works | ||
171 | for you must do so exclusively on your behalf, under your direction | ||
172 | and control, on terms that prohibit them from making any copies of | ||
173 | your copyrighted material outside their relationship with you. | ||
174 | |||
175 | Conveying under any other circumstances is permitted solely under | ||
176 | the conditions stated below. Sublicensing is not allowed; section 10 | ||
177 | makes it unnecessary. | ||
178 | |||
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. | ||
180 | |||
181 | No covered work shall be deemed part of an effective technological | ||
182 | measure under any applicable law fulfilling obligations under article | ||
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or | ||
184 | similar laws prohibiting or restricting circumvention of such | ||
185 | measures. | ||
186 | |||
187 | When you convey a covered work, you waive any legal power to forbid | ||
188 | circumvention of technological measures to the extent such circumvention | ||
189 | is effected by exercising rights under this License with respect to | ||
190 | the covered work, and you disclaim any intention to limit operation or | ||
191 | modification of the work as a means of enforcing, against the work's | ||
192 | users, your or third parties' legal rights to forbid circumvention of | ||
193 | technological measures. | ||
194 | |||
195 | 4. Conveying Verbatim Copies. | ||
196 | |||
197 | You may convey verbatim copies of the Program's source code as you | ||
198 | receive it, in any medium, provided that you conspicuously and | ||
199 | appropriately publish on each copy an appropriate copyright notice; | ||
200 | keep intact all notices stating that this License and any | ||
201 | non-permissive terms added in accord with section 7 apply to the code; | ||
202 | keep intact all notices of the absence of any warranty; and give all | ||
203 | recipients a copy of this License along with the Program. | ||
204 | |||
205 | You may charge any price or no price for each copy that you convey, | ||
206 | and you may offer support or warranty protection for a fee. | ||
207 | |||
208 | 5. Conveying Modified Source Versions. | ||
209 | |||
210 | You may convey a work based on the Program, or the modifications to | ||
211 | produce it from the Program, in the form of source code under the | ||
212 | terms of section 4, provided that you also meet all of these conditions: | ||
213 | |||
214 | a) The work must carry prominent notices stating that you modified | ||
215 | it, and giving a relevant date. | ||
216 | |||
217 | b) The work must carry prominent notices stating that it is | ||
218 | released under this License and any conditions added under section | ||
219 | 7. This requirement modifies the requirement in section 4 to | ||
220 | "keep intact all notices". | ||
221 | |||
222 | c) You must license the entire work, as a whole, under this | ||
223 | License to anyone who comes into possession of a copy. This | ||
224 | License will therefore apply, along with any applicable section 7 | ||
225 | additional terms, to the whole of the work, and all its parts, | ||
226 | regardless of how they are packaged. This License gives no | ||
227 | permission to license the work in any other way, but it does not | ||
228 | invalidate such permission if you have separately received it. | ||
229 | |||
230 | d) If the work has interactive user interfaces, each must display | ||
231 | Appropriate Legal Notices; however, if the Program has interactive | ||
232 | interfaces that do not display Appropriate Legal Notices, your | ||
233 | work need not make them do so. | ||
234 | |||
235 | A compilation of a covered work with other separate and independent | ||
236 | works, which are not by their nature extensions of the covered work, | ||
237 | and which are not combined with it such as to form a larger program, | ||
238 | in or on a volume of a storage or distribution medium, is called an | ||
239 | "aggregate" if the compilation and its resulting copyright are not | ||
240 | used to limit the access or legal rights of the compilation's users | ||
241 | beyond what the individual works permit. Inclusion of a covered work | ||
242 | in an aggregate does not cause this License to apply to the other | ||
243 | parts of the aggregate. | ||
244 | |||
245 | 6. Conveying Non-Source Forms. | ||
246 | |||
247 | You may convey a covered work in object code form under the terms | ||
248 | of sections 4 and 5, provided that you also convey the | ||
249 | machine-readable Corresponding Source under the terms of this License, | ||
250 | in one of these ways: | ||
251 | |||
252 | a) Convey the object code in, or embodied in, a physical product | ||
253 | (including a physical distribution medium), accompanied by the | ||
254 | Corresponding Source fixed on a durable physical medium | ||
255 | customarily used for software interchange. | ||
256 | |||
257 | b) Convey the object code in, or embodied in, a physical product | ||
258 | (including a physical distribution medium), accompanied by a | ||
259 | written offer, valid for at least three years and valid for as | ||
260 | long as you offer spare parts or customer support for that product | ||
261 | model, to give anyone who possesses the object code either (1) a | ||
262 | copy of the Corresponding Source for all the software in the | ||
263 | product that is covered by this License, on a durable physical | ||
264 | medium customarily used for software interchange, for a price no | ||
265 | more than your reasonable cost of physically performing this | ||
266 | conveying of source, or (2) access to copy the | ||
267 | Corresponding Source from a network server at no charge. | ||
268 | |||
269 | c) Convey individual copies of the object code with a copy of the | ||
270 | written offer to provide the Corresponding Source. This | ||
271 | alternative is allowed only occasionally and noncommercially, and | ||
272 | only if you received the object code with such an offer, in accord | ||
273 | with subsection 6b. | ||
274 | |||
275 | d) Convey the object code by offering access from a designated | ||
276 | place (gratis or for a charge), and offer equivalent access to the | ||
277 | Corresponding Source in the same way through the same place at no | ||
278 | further charge. You need not require recipients to copy the | ||
279 | Corresponding Source along with the object code. If the place to | ||
280 | copy the object code is a network server, the Corresponding Source | ||
281 | may be on a different server (operated by you or a third party) | ||
282 | that supports equivalent copying facilities, provided you maintain | ||
283 | clear directions next to the object code saying where to find the | ||
284 | Corresponding Source. Regardless of what server hosts the | ||
285 | Corresponding Source, you remain obligated to ensure that it is | ||
286 | available for as long as needed to satisfy these requirements. | ||
287 | |||
288 | e) Convey the object code using peer-to-peer transmission, provided | ||
289 | you inform other peers where the object code and Corresponding | ||
290 | Source of the work are being offered to the general public at no | ||
291 | charge under subsection 6d. | ||
292 | |||
293 | A separable portion of the object code, whose source code is excluded | ||
294 | from the Corresponding Source as a System Library, need not be | ||
295 | included in conveying the object code work. | ||
296 | |||
297 | A "User Product" is either (1) a "consumer product", which means any | ||
298 | tangible personal property which is normally used for personal, family, | ||
299 | or household purposes, or (2) anything designed or sold for incorporation | ||
300 | into a dwelling. In determining whether a product is a consumer product, | ||
301 | doubtful cases shall be resolved in favor of coverage. For a particular | ||
302 | product received by a particular user, "normally used" refers to a | ||
303 | typical or common use of that class of product, regardless of the status | ||
304 | of the particular user or of the way in which the particular user | ||
305 | actually uses, or expects or is expected to use, the product. A product | ||
306 | is a consumer product regardless of whether the product has substantial | ||
307 | commercial, industrial or non-consumer uses, unless such uses represent | ||
308 | the only significant mode of use of the product. | ||
309 | |||
310 | "Installation Information" for a User Product means any methods, | ||
311 | procedures, authorization keys, or other information required to install | ||
312 | and execute modified versions of a covered work in that User Product from | ||
313 | a modified version of its Corresponding Source. The information must | ||
314 | suffice to ensure that the continued functioning of the modified object | ||
315 | code is in no case prevented or interfered with solely because | ||
316 | modification has been made. | ||
317 | |||
318 | If you convey an object code work under this section in, or with, or | ||
319 | specifically for use in, a User Product, and the conveying occurs as | ||
320 | part of a transaction in which the right of possession and use of the | ||
321 | User Product is transferred to the recipient in perpetuity or for a | ||
322 | fixed term (regardless of how the transaction is characterized), the | ||
323 | Corresponding Source conveyed under this section must be accompanied | ||
324 | by the Installation Information. But this requirement does not apply | ||
325 | if neither you nor any third party retains the ability to install | ||
326 | modified object code on the User Product (for example, the work has | ||
327 | been installed in ROM). | ||
328 | |||
329 | The requirement to provide Installation Information does not include a | ||
330 | requirement to continue to provide support service, warranty, or updates | ||
331 | for a work that has been modified or installed by the recipient, or for | ||
332 | the User Product in which it has been modified or installed. Access to a | ||
333 | network may be denied when the modification itself materially and | ||
334 | adversely affects the operation of the network or violates the rules and | ||
335 | protocols for communication across the network. | ||
336 | |||
337 | Corresponding Source conveyed, and Installation Information provided, | ||
338 | in accord with this section must be in a format that is publicly | ||
339 | documented (and with an implementation available to the public in | ||
340 | source code form), and must require no special password or key for | ||
341 | unpacking, reading or copying. | ||
342 | |||
343 | 7. Additional Terms. | ||
344 | |||
345 | "Additional permissions" are terms that supplement the terms of this | ||
346 | License by making exceptions from one or more of its conditions. | ||
347 | Additional permissions that are applicable to the entire Program shall | ||
348 | be treated as though they were included in this License, to the extent | ||
349 | that they are valid under applicable law. If additional permissions | ||
350 | apply only to part of the Program, that part may be used separately | ||
351 | under those permissions, but the entire Program remains governed by | ||
352 | this License without regard to the additional permissions. | ||
353 | |||
354 | When you convey a copy of a covered work, you may at your option | ||
355 | remove any additional permissions from that copy, or from any part of | ||
356 | it. (Additional permissions may be written to require their own | ||
357 | removal in certain cases when you modify the work.) You may place | ||
358 | additional permissions on material, added by you to a covered work, | ||
359 | for which you have or can give appropriate copyright permission. | ||
360 | |||
361 | Notwithstanding any other provision of this License, for material you | ||
362 | add to a covered work, you may (if authorized by the copyright holders of | ||
363 | that material) supplement the terms of this License with terms: | ||
364 | |||
365 | a) Disclaiming warranty or limiting liability differently from the | ||
366 | terms of sections 15 and 16 of this License; or | ||
367 | |||
368 | b) Requiring preservation of specified reasonable legal notices or | ||
369 | author attributions in that material or in the Appropriate Legal | ||
370 | Notices displayed by works containing it; or | ||
371 | |||
372 | c) Prohibiting misrepresentation of the origin of that material, or | ||
373 | requiring that modified versions of such material be marked in | ||
374 | reasonable ways as different from the original version; or | ||
375 | |||
376 | d) Limiting the use for publicity purposes of names of licensors or | ||
377 | authors of the material; or | ||
378 | |||
379 | e) Declining to grant rights under trademark law for use of some | ||
380 | trade names, trademarks, or service marks; or | ||
381 | |||
382 | f) Requiring indemnification of licensors and authors of that | ||
383 | material by anyone who conveys the material (or modified versions of | ||
384 | it) with contractual assumptions of liability to the recipient, for | ||
385 | any liability that these contractual assumptions directly impose on | ||
386 | those licensors and authors. | ||
387 | |||
388 | All other non-permissive additional terms are considered "further | ||
389 | restrictions" within the meaning of section 10. If the Program as you | ||
390 | received it, or any part of it, contains a notice stating that it is | ||
391 | governed by this License along with a term that is a further | ||
392 | restriction, you may remove that term. If a license document contains | ||
393 | a further restriction but permits relicensing or conveying under this | ||
394 | License, you may add to a covered work material governed by the terms | ||
395 | of that license document, provided that the further restriction does | ||
396 | not survive such relicensing or conveying. | ||
397 | |||
398 | If you add terms to a covered work in accord with this section, you | ||
399 | must place, in the relevant source files, a statement of the | ||
400 | additional terms that apply to those files, or a notice indicating | ||
401 | where to find the applicable terms. | ||
402 | |||
403 | Additional terms, permissive or non-permissive, may be stated in the | ||
404 | form of a separately written license, or stated as exceptions; | ||
405 | the above requirements apply either way. | ||
406 | |||
407 | 8. Termination. | ||
408 | |||
409 | You may not propagate or modify a covered work except as expressly | ||
410 | provided under this License. Any attempt otherwise to propagate or | ||
411 | modify it is void, and will automatically terminate your rights under | ||
412 | this License (including any patent licenses granted under the third | ||
413 | paragraph of section 11). | ||
414 | |||
415 | However, if you cease all violation of this License, then your | ||
416 | license from a particular copyright holder is reinstated (a) | ||
417 | provisionally, unless and until the copyright holder explicitly and | ||
418 | finally terminates your license, and (b) permanently, if the copyright | ||
419 | holder fails to notify you of the violation by some reasonable means | ||
420 | prior to 60 days after the cessation. | ||
421 | |||
422 | Moreover, your license from a particular copyright holder is | ||
423 | reinstated permanently if the copyright holder notifies you of the | ||
424 | violation by some reasonable means, this is the first time you have | ||
425 | received notice of violation of this License (for any work) from that | ||
426 | copyright holder, and you cure the violation prior to 30 days after | ||
427 | your receipt of the notice. | ||
428 | |||
429 | Termination of your rights under this section does not terminate the | ||
430 | licenses of parties who have received copies or rights from you under | ||
431 | this License. If your rights have been terminated and not permanently | ||
432 | reinstated, you do not qualify to receive new licenses for the same | ||
433 | material under section 10. | ||
434 | |||
435 | 9. Acceptance Not Required for Having Copies. | ||
436 | |||
437 | You are not required to accept this License in order to receive or | ||
438 | run a copy of the Program. Ancillary propagation of a covered work | ||
439 | occurring solely as a consequence of using peer-to-peer transmission | ||
440 | to receive a copy likewise does not require acceptance. However, | ||
441 | nothing other than this License grants you permission to propagate or | ||
442 | modify any covered work. These actions infringe copyright if you do | ||
443 | not accept this License. Therefore, by modifying or propagating a | ||
444 | covered work, you indicate your acceptance of this License to do so. | ||
445 | |||
446 | 10. Automatic Licensing of Downstream Recipients. | ||
447 | |||
448 | Each time you convey a covered work, the recipient automatically | ||
449 | receives a license from the original licensors, to run, modify and | ||
450 | propagate that work, subject to this License. You are not responsible | ||
451 | for enforcing compliance by third parties with this License. | ||
452 | |||
453 | An "entity transaction" is a transaction transferring control of an | ||
454 | organization, or substantially all assets of one, or subdividing an | ||
455 | organization, or merging organizations. If propagation of a covered | ||
456 | work results from an entity transaction, each party to that | ||
457 | transaction who receives a copy of the work also receives whatever | ||
458 | licenses to the work the party's predecessor in interest had or could | ||
459 | give under the previous paragraph, plus a right to possession of the | ||
460 | Corresponding Source of the work from the predecessor in interest, if | ||
461 | the predecessor has it or can get it with reasonable efforts. | ||
462 | |||
463 | You may not impose any further restrictions on the exercise of the | ||
464 | rights granted or affirmed under this License. For example, you may | ||
465 | not impose a license fee, royalty, or other charge for exercise of | ||
466 | rights granted under this License, and you may not initiate litigation | ||
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that | ||
468 | any patent claim is infringed by making, using, selling, offering for | ||
469 | sale, or importing the Program or any portion of it. | ||
470 | |||
471 | 11. Patents. | ||
472 | |||
473 | A "contributor" is a copyright holder who authorizes use under this | ||
474 | License of the Program or a work on which the Program is based. The | ||
475 | work thus licensed is called the contributor's "contributor version". | ||
476 | |||
477 | A contributor's "essential patent claims" are all patent claims | ||
478 | owned or controlled by the contributor, whether already acquired or | ||
479 | hereafter acquired, that would be infringed by some manner, permitted | ||
480 | by this License, of making, using, or selling its contributor version, | ||
481 | but do not include claims that would be infringed only as a | ||
482 | consequence of further modification of the contributor version. For | ||
483 | purposes of this definition, "control" includes the right to grant | ||
484 | patent sublicenses in a manner consistent with the requirements of | ||
485 | this License. | ||
486 | |||
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free | ||
488 | patent license under the contributor's essential patent claims, to | ||
489 | make, use, sell, offer for sale, import and otherwise run, modify and | ||
490 | propagate the contents of its contributor version. | ||
491 | |||
492 | In the following three paragraphs, a "patent license" is any express | ||
493 | agreement or commitment, however denominated, not to enforce a patent | ||
494 | (such as an express permission to practice a patent or covenant not to | ||
495 | sue for patent infringement). To "grant" such a patent license to a | ||
496 | party means to make such an agreement or commitment not to enforce a | ||
497 | patent against the party. | ||
498 | |||
499 | If you convey a covered work, knowingly relying on a patent license, | ||
500 | and the Corresponding Source of the work is not available for anyone | ||
501 | to copy, free of charge and under the terms of this License, through a | ||
502 | publicly available network server or other readily accessible means, | ||
503 | then you must either (1) cause the Corresponding Source to be so | ||
504 | available, or (2) arrange to deprive yourself of the benefit of the | ||
505 | patent license for this particular work, or (3) arrange, in a manner | ||
506 | consistent with the requirements of this License, to extend the patent | ||
507 | license to downstream recipients. "Knowingly relying" means you have | ||
508 | actual knowledge that, but for the patent license, your conveying the | ||
509 | covered work in a country, or your recipient's use of the covered work | ||
510 | in a country, would infringe one or more identifiable patents in that | ||
511 | country that you have reason to believe are valid. | ||
512 | |||
513 | If, pursuant to or in connection with a single transaction or | ||
514 | arrangement, you convey, or propagate by procuring conveyance of, a | ||
515 | covered work, and grant a patent license to some of the parties | ||
516 | receiving the covered work authorizing them to use, propagate, modify | ||
517 | or convey a specific copy of the covered work, then the patent license | ||
518 | you grant is automatically extended to all recipients of the covered | ||
519 | work and works based on it. | ||
520 | |||
521 | A patent license is "discriminatory" if it does not include within | ||
522 | the scope of its coverage, prohibits the exercise of, or is | ||
523 | conditioned on the non-exercise of one or more of the rights that are | ||
524 | specifically granted under this License. You may not convey a covered | ||
525 | work if you are a party to an arrangement with a third party that is | ||
526 | in the business of distributing software, under which you make payment | ||
527 | to the third party based on the extent of your activity of conveying | ||
528 | the work, and under which the third party grants, to any of the | ||
529 | parties who would receive the covered work from you, a discriminatory | ||
530 | patent license (a) in connection with copies of the covered work | ||
531 | conveyed by you (or copies made from those copies), or (b) primarily | ||
532 | for and in connection with specific products or compilations that | ||
533 | contain the covered work, unless you entered into that arrangement, | ||
534 | or that patent license was granted, prior to 28 March 2007. | ||
535 | |||
536 | Nothing in this License shall be construed as excluding or limiting | ||
537 | any implied license or other defenses to infringement that may | ||
538 | otherwise be available to you under applicable patent law. | ||
539 | |||
540 | 12. No Surrender of Others' Freedom. | ||
541 | |||
542 | If conditions are imposed on you (whether by court order, agreement or | ||
543 | otherwise) that contradict the conditions of this License, they do not | ||
544 | excuse you from the conditions of this License. If you cannot convey a | ||
545 | covered work so as to satisfy simultaneously your obligations under this | ||
546 | License and any other pertinent obligations, then as a consequence you may | ||
547 | not convey it at all. For example, if you agree to terms that obligate you | ||
548 | to collect a royalty for further conveying from those to whom you convey | ||
549 | the Program, the only way you could satisfy both those terms and this | ||
550 | License would be to refrain entirely from conveying the Program. | ||
551 | |||
552 | 13. Use with the GNU Affero General Public License. | ||
553 | |||
554 | Notwithstanding any other provision of this License, you have | ||
555 | permission to link or combine any covered work with a work licensed | ||
556 | under version 3 of the GNU Affero General Public License into a single | ||
557 | combined work, and to convey the resulting work. The terms of this | ||
558 | License will continue to apply to the part which is the covered work, | ||
559 | but the special requirements of the GNU Affero General Public License, | ||
560 | section 13, concerning interaction through a network will apply to the | ||
561 | combination as such. | ||
562 | |||
563 | 14. Revised Versions of this License. | ||
564 | |||
565 | The Free Software Foundation may publish revised and/or new versions of | ||
566 | the GNU General Public License from time to time. Such new versions will | ||
567 | be similar in spirit to the present version, but may differ in detail to | ||
568 | address new problems or concerns. | ||
569 | |||
570 | Each version is given a distinguishing version number. If the | ||
571 | Program specifies that a certain numbered version of the GNU General | ||
572 | Public License "or any later version" applies to it, you have the | ||
573 | option of following the terms and conditions either of that numbered | ||
574 | version or of any later version published by the Free Software | ||
575 | Foundation. If the Program does not specify a version number of the | ||
576 | GNU General Public License, you may choose any version ever published | ||
577 | by the Free Software Foundation. | ||
578 | |||
579 | If the Program specifies that a proxy can decide which future | ||
580 | versions of the GNU General Public License can be used, that proxy's | ||
581 | public statement of acceptance of a version permanently authorizes you | ||
582 | to choose that version for the Program. | ||
583 | |||
584 | Later license versions may give you additional or different | ||
585 | permissions. However, no additional obligations are imposed on any | ||
586 | author or copyright holder as a result of your choosing to follow a | ||
587 | later version. | ||
588 | |||
589 | 15. Disclaimer of Warranty. | ||
590 | |||
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY | ||
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT | ||
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY | ||
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, | ||
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM | ||
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF | ||
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. | ||
599 | |||
600 | 16. Limitation of Liability. | ||
601 | |||
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING | ||
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS | ||
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY | ||
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE | ||
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF | ||
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD | ||
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), | ||
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF | ||
610 | SUCH DAMAGES. | ||
611 | |||
612 | 17. Interpretation of Sections 15 and 16. | ||
613 | |||
614 | If the disclaimer of warranty and limitation of liability provided | ||
615 | above cannot be given local legal effect according to their terms, | ||
616 | reviewing courts shall apply local law that most closely approximates | ||
617 | an absolute waiver of all civil liability in connection with the | ||
618 | Program, unless a warranty or assumption of liability accompanies a | ||
619 | copy of the Program in return for a fee. | ||
620 | |||
621 | END OF TERMS AND CONDITIONS | ||
622 | |||
623 | How to Apply These Terms to Your New Programs | ||
624 | |||
625 | If you develop a new program, and you want it to be of the greatest | ||
626 | possible use to the public, the best way to achieve this is to make it | ||
627 | free software which everyone can redistribute and change under these terms. | ||
628 | |||
629 | To do so, attach the following notices to the program. It is safest | ||
630 | to attach them to the start of each source file to most effectively | ||
631 | state the exclusion of warranty; and each file should have at least | ||
632 | the "copyright" line and a pointer to where the full notice is found. | ||
633 | |||
634 | <one line to give the program's name and a brief idea of what it does.> | ||
635 | Copyright (C) <year> <name of author> | ||
636 | |||
637 | This program is free software: you can redistribute it and/or modify | ||
638 | it under the terms of the GNU General Public License as published by | ||
639 | the Free Software Foundation, either version 3 of the License, or | ||
640 | (at your option) any later version. | ||
641 | |||
642 | This program is distributed in the hope that it will be useful, | ||
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
645 | GNU General Public License for more details. | ||
646 | |||
647 | You should have received a copy of the GNU General Public License | ||
648 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
649 | |||
650 | Also add information on how to contact you by electronic and paper mail. | ||
651 | |||
652 | If the program does terminal interaction, make it output a short | ||
653 | notice like this when it starts in an interactive mode: | ||
654 | |||
655 | <program> Copyright (C) <year> <name of author> | ||
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | ||
657 | This is free software, and you are welcome to redistribute it | ||
658 | under certain conditions; type `show c' for details. | ||
659 | |||
660 | The hypothetical commands `show w' and `show c' should show the appropriate | ||
661 | parts of the General Public License. Of course, your program's commands | ||
662 | might be different; for a GUI interface, you would use an "about box". | ||
663 | |||
664 | You should also get your employer (if you work as a programmer) or school, | ||
665 | if any, to sign a "copyright disclaimer" for the program, if necessary. | ||
666 | For more information on this, and how to apply and follow the GNU GPL, see | ||
667 | <http://www.gnu.org/licenses/>. | ||
668 | |||
669 | The GNU General Public License does not permit incorporating your program | ||
670 | into proprietary programs. If your program is a subroutine library, you | ||
671 | may consider it more useful to permit linking proprietary applications with | ||
672 | the library. If this is what you want to do, use the GNU Lesser General | ||
673 | Public License instead of this License. But first, please read | ||
674 | <http://www.gnu.org/philosophy/why-not-lgpl.html>. | ||
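--- /dev/null
+++ b/README.md
@@ -0,0 +1,56 @@
+# ansible-mailserver
+ansible-mailserver is an Ansible playbook to deploy a simple postfix/dovecot mail server.
+
+## Features
+Simple one-command installation and configuration of your very own mail server.
+
+Includes a host of defenses needed when dealing with the world of internet mail:
+- postscreen - inbound SMTP connection filtering
+- postgrey - greylisting utility
+- policyd-spf - SPF validation
+- spamassassin - spam filter
+- opendkim - DKIM signing and verification
+- opendmarc - DMARC verification
+
+## Usage
+
+### Prerequisites
+Before running the playbook you will need to have the following:
+- An A record for your base domain
+- An A record for the `mail` subdomain
+- A PTR record for your mail server
+
+### Clone the repository
+```
+git clone https://git.chudnick.com/ansible-mailserver
+```
+
+### Modify the inventory
+Modify the inventory.yml for your deployment.
+At a minimum, change `mail.example.com` to the FQDN of your mail server and
+change `ansible_user` and `remote_user` to the name of your account on the
+mail server.
+
+### Modify vars.yml
+Modify group\_vars/all/vars.yml for your deployment.
+Below is a list of the variables and there function:
+- `domain` - base domain
+- `mail_domain` - hostname of your mail server and common name on the TLS certificate
+- `dkim_selector` - selector for your DKIM keys
+- `spam_score` - SpamAssassin score required for mail to be considered spam
+- `sa_locales` - locales which SpamAssassin expects to receive mail in - any locale not listed is considered spam
+- `cert_email` - the email used to get a LetsEncrypt certificate
+
+You must modify `domain` with your domain name. All other changes are optional.
+
+### Run the playbook
+From the repo root directory run:
+```
+ansible-playbook run.yml -i inventory.yml --ask-become-pass
+```
+If you have passwordless sudo configured --ask-become-pass is not necessary.
+
+### Set DNS records
+The playbook finishes by generating the DNS records required for mail verification.
+You can find these records under /home/root/dns\_records once the playbook finishes.
+The records are in BIND9 format but the values can be extracted for use on any platform.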
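--- /dev/null
+++ b/group_vars/all/vars.yml
@@ -0,0 +1,8 @@
+domain: "example.com"
+mail_domain: "mail.{{ domain }}"
+dkim_selector: "mail"
+
+spam_score: "5.0"
+sa_locales: "en"
+
+cert_email: "contact@{{ domain }}"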
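--- /dev/null
+++ b/inventory.yml
@@ -0,0 +1,8 @@
+all:
+hosts:
+children:
+mail_server:
+hosts:
+mail.example.com:
+ansible_user: admin
+remote_user: admin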
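Review bot: `remote_user: admin` on the host entry is a play keyword rather than a connection variable, so as far as I can tell only `ansible_user: admin` on the line above controls which account the SSH login uses and the second line is dead; dropping it (and the matching README instruction that tells users to change both) removes a source of confusion. The empty `hosts:` directly under `all:` is harmless but can go as well.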
diff --git a/roles/dovecot/defaults/main.yml b/roles/dovecot/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/dovecot/defaults/main.yml | |||
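--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -0,0 +1,10 @@
+# Authentication
+disable_plaintext_auth = yes
+auth_username_format = %n
+auth_mechanisms = plain
+userdb {
+driver = passwd
+}
+passdb {
+driver = pam
+}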
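Review bot: The `deny` passdb shipped in auth-deny.conf.ext (and the checkpassword one in auth-checkpassword.conf.ext) is never pulled in, because this 10-auth.conf contains no `!include` line, so `/etc/dovecot/deny-users` has no effect; either add `!include auth-deny.conf.ext` above the pam passdb (a deny passdb must be checked first) or drop the unused files. With `driver = pam` plus `driver = passwd`, every local account that PAM accepts becomes an IMAP login, which deserves a comment such as `# Any system account PAM accepts can log in; list accounts that must not in deny-users`. `auth_mechanisms = plain` is acceptable only because `disable_plaintext_auth = yes` refuses it off-TLS for non-local clients; the matching `ssl = required` would live in 10-ssl.conf, which is not part of this diff, so I could not confirm it is set.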
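--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-director.conf
@@ -0,0 +1,60 @@
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers =
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers =
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+unix_listener login/director {
+#mode = 0666
+}
+fifo_listener login/proxy-notify {
+#mode = 0666
+}
+unix_listener director-userdb {
+#mode = 0600
+}
+inet_listener {
+#port =
+}
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+#executable = imap-login director
+}
+service pop3-login {
+#executable = pop3-login director
+}
+service submission-login {
+#executable = submission-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+#auth_socket_path = director-userdb
+}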
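--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-logging.conf
@@ -0,0 +1,109 @@
+##
+## Log destination.
+##
+
+# Log file to use for error messages. "syslog" logs to syslog,
+# /dev/stderr logs to stderr.
+#log_path = syslog
+
+# Log file to use for informational messages. Defaults to log_path.
+#info_log_path =
+# Log file to use for debug messages. Defaults to info_log_path.
+#debug_log_path =
+
+# Syslog facility to use if you're logging to syslog. Usually if you don't
+# want to use "mail", you'll use local0..local7. Also other standard
+# facilities are supported.
+#syslog_facility = mail
+
+##
+## Logging verbosity and debugging.
+##
+
+# Log filter is a space-separated list conditions. If any of the conditions
+# match, the log filter matches (i.e. they're ORed together). Parenthesis
+# are supported if multiple conditions need to be matched together.
+# Supported conditions are:
+# event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
+# source:<filename>[:<line number>] - Match source code filename [and line]
+# field:<key>=<value wildcard> - Match field key to a value. Can be specified
+# multiple times to match multiple keys.
+# cat[egory]:<value> - Match a category. Can be specified multiple times to
+# match multiple categories.
+# For example: event:http_request_* (cat:error cat:storage)
+
+# Filter to specify what debug logging to enable. This will eventually replace
+# mail_debug and auth_debug settings.
+#log_debug =
+
+# Crash after logging a matching event. For example category:error will crash
+# any time an error is logged, which can be useful for debugging.
+#log_core_filter =
+
+# Log unsuccessful authentication attempts and the reasons why they failed.
+#auth_verbose = no
+
+# In case of password mismatches, log the attempted password. Valid values are
+# no, plain and sha1. sha1 can be useful for detecting brute force password
+# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
+#auth_verbose_passwords = no
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# In case of password mismatches, log the passwords and used scheme so the
+# problem can be debugged. Enabling this also enables auth_debug.
+#auth_debug_passwords = no
+
+# Enable mail process debugging. This can help you figure out why Dovecot
+# isn't finding your mails.
+#mail_debug = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# mail_log plugin provides more event logging for mail processes.
+plugin {
+# Events to log. Also available: flag_change append
+#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+# Available fields: uid, box, msgid, from, subject, size, vsize, flags
+# size and vsize are available only for expunge and copy events.
+#mail_log_fields = uid box msgid size
+}
+
+##
+## Log formatting.
+##
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+# Space-separated list of elements we want to log. The elements which have
+# a non-empty variable value are joined together to form a comma-separated
+# string.
+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+
+# Login log format. %s contains login_log_format_elements string, %$ contains
+# the data we want to log.
+#login_log_format = %$: %s
+
+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
+# possible variables you can use.
+#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
+
+# Format to use for logging mail deliveries:
+# %$ - Delivery status message (e.g. "saved to INBOX")
+# %m / %{msgid} - Message-ID
+# %s / %{subject} - Subject
+# %f / %{from} - From address
+# %p / %{size} - Physical size
+# %w / %{vsize} - Virtual size
+# %e / %{from_envelope} - MAIL FROM envelope
+# %{to_envelope} - RCPT TO envelope
+# %{delivery_time} - How many milliseconds it took to deliver the mail
+# %{session_time} - How long LMTP session took, not including delivery_time
+# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
+#deliver_log_format = msgid=%m: %$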
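Review bot: Every line in this file is the stock commented-out default, so `auth_verbose = no` stays in effect and failed logins are recorded without the reason they failed, which makes brute-force triage and log-based blocking harder on an internet-facing server; `auth_verbose = yes` is the usual choice. `auth_verbose_passwords` and `auth_debug_passwords` should stay at `no`, since they write attempted credentials into the log. If the file is shipped unchanged on purpose, a one-line header such as `# Stock Dovecot defaults, intentionally unchanged` would tell the reader there is nothing to look for here.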
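--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -0,0 +1,10 @@
+# Mail location
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+namespace inbox {
+type = private
+prefix =
+separator = /
+inbox = yes
+subscriptions = yes
+list = yes
+}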
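--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -0,0 +1,22 @@
+# Master Configuration
+service imap-login {
+# Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
+service_count = 1
+# Disable unencrypted IMAP by setting port for plain IMAP to 0
+inet_listener imap {
+port = 0
+}
+inet_listener imaps {
+port = 993
+ssl = yes
+}
+}
+
+# Allow postfix to user dovecot SASL
+service auth {
+unix_listener /var/spool/postfix/private/auth {
+mode = 0660
+user = postfix
+group = postfix
+}
+}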
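Review bot: The comment on the auth service reads `# Allow postfix to user dovecot SASL`; it should be `# Allow postfix to use dovecot SASL`. This file only turns off the plaintext IMAP listener; if dovecot.conf's `protocols` (not in this diff) still lists pop3, the stock pop3-login service keeps port 110 open with `disable_plaintext_auth` as the only guard, so either set `protocols = imap lmtp` there or add a `service pop3-login` block with `port = 0` here. A short comment noting that the 0660 postfix:postfix socket is the path Postfix is presumably pointed at for SASL would help the next reader connect the two configs.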
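--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
@@ -0,0 +1,14 @@
+# 10-tcpwrapper.conf
+#
+# service name for hosts.{allow|deny} are those defined as
+# inet_listener in master.conf
+#
+#login_access_sockets = tcpwrap
+#
+#service tcpwrap {
+# unix_listener login/tcpwrap {
+# group = $default_login_user
+# mode = 0600
+# user = $default_login_user
+# }
+#}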
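--- /dev/null
+++ b/roles/dovecot/files/conf.d/15-lda.conf
@@ -0,0 +1,4 @@
+# Local Delivery Agent
+protocol lda {
+mail_plugins = $mail_plugins sieve
+}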
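--- /dev/null
+++ b/roles/dovecot/files/conf.d/15-mailboxes.conf
@@ -0,0 +1,25 @@
+# Mailboxes
+namespace inbox {
+mailbox Sent {
+special_use = \Sent
+auto = subscribe
+}
+mailbox Trash {
+special_use = \Trash
+auto = create
+autoexpunge = 30d
+}
+mailbox Drafts {
+special_use = \Drafts
+auto = subscribe
+}
+mailbox Spam {
+special_use = \Junk
+auto = create
+autoexpunge = 30d
+}
+mailbox Archive {
+special_use = \Archive
+auto = create
+}
+}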
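Review bot: `Trash` and `Spam` use `auto = create` while `Sent` and `Drafts` use `auto = subscribe`, so a client that lists only subscribed folders will not show the Spam mailbox that the spam filter presumably files into (the sieve rule itself is not in this diff); `auto = subscribe` on Spam and Trash is the more consistent choice. The two `autoexpunge = 30d` lines delete mail permanently with no user-visible notice, which deserves a comment such as `# Mail older than 30 days in Trash/Spam is deleted automatically` and a mention in the README.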
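--- /dev/null
+++ b/roles/dovecot/files/conf.d/20-imap.conf
@@ -0,0 +1,2 @@
+# IMAP
+imap_capability = +SPECIAL-USE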
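--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-acl.conf
@@ -0,0 +1,19 @@
+##
+## Mailbox access control lists.
+##
+
+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
+# You can also optionally give a global ACL directory path where ACLs are
+# applied to all users' mailboxes. The global ACL directory contains
+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
+# specifies how many seconds to wait between stat()ing dovecot-acl file
+# to see if it changed.
+plugin {
+#acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+}
+
+# To let users LIST mailboxes shared by other users, Dovecot needs a
+# shared mailbox dictionary. For example:
+plugin {
+#acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
+}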
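--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-plugin.conf
@@ -0,0 +1,11 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+#setting_name = value
+}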
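--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-quota.conf
@@ -0,0 +1,83 @@
+##
+## Quota configuration.
+##
+
+# Note that you also have to enable quota plugin in mail_plugins setting.
+# <doc/wiki/Quota.txt>
+
+##
+## Quota limits
+##
+
+# Quota limits are set using "quota_rule" parameters. To get per-user quota
+# limits, you can set/override them by returning "quota_rule" extra field
+# from userdb. It's also possible to give mailbox-specific limits, for example
+# to give additional 100 MB when saving to Trash:
+
+plugin {
+#quota_rule = *:storage=1G
+#quota_rule2 = Trash:storage=+100M
+
+# LDA/LMTP allows saving the last mail to bring user from under quota to
+# over quota, if the quota doesn't grow too high. Default is to allow as
+# long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+#quota_grace = 10%%
+
+# Quota plugin can also limit the maximum accepted mail size.
+#quota_max_mail_size = 100M
+}
+
+##
+## Quota warnings
+##
+
+# You can execute a given command when user exceeds a specified quota limit.
+# Each quota root has separate limits. Only the command for the first
+# exceeded limit is executed, so put the highest limit first.
+# The commands are executed via script service by connecting to the named
+# UNIX socket (quota-warning below).
+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
+
+plugin {
+#quota_warning = storage=95%% quota-warning 95 %u
+#quota_warning2 = storage=80%% quota-warning 80 %u
+}
+
+# Example quota-warning service. The unix listener's permissions should be
+# set in a way that mail processes can connect to it. Below example assumes
+# that mail processes run as vmail user. If you use mode=0666, all system users
+# can generate quota warnings to anyone.
+#service quota-warning {
+# executable = script /usr/local/bin/quota-warning.sh
+# user = dovecot
+# unix_listener quota-warning {
+# user = vmail
+# }
+#}
+
+##
+## Quota backends
+##
+
+# Multiple backends are supported:
+# dirsize: Find and sum all the files found from mail directory.
+# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
+# dict: Keep quota stored in dictionary (eg. SQL)
+# maildir: Maildir++ quota
+# fs: Read-only support for filesystem quota
+
+plugin {
+#quota = dirsize:User quota
+#quota = maildir:User quota
+#quota = dict:User quota::proxy::quota
+#quota = fs:User quota
+}
+
+# Multiple quota roots are also possible, for example this gives each user
+# their own 100MB quota and one shared 1GB quota within the domain:
+plugin {
+#quota = dict:user::proxy::quota
+#quota2 = dict:domain:%d:proxy::quota_domain
+#quota_rule = *:storage=102400
+#quota2_rule = *:storage=1048576
+}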
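Review bot: Every `quota` and `quota_rule` line in this file is commented out and, as far as this diff shows, `quota` is not added to `mail_plugins` anywhere (10-mail.conf sets none and 15-lda.conf adds only sieve), so no per-user limit exists; with `mail_location` under each user's home, one flooded mailbox can fill the filesystem the whole server shares. A minimal `quota = maildir:User quota` plus `quota_rule = *:storage=1G` in the first `plugin {}` block, with `quota` appended to `mail_plugins`, would bound that. If quotas are intentionally left off, say so in a header comment rather than shipping the stock file unchanged.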
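--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
@@ -0,0 +1,44 @@
+# Sieve Extprograms plugin configuration
+
+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the
+# sieve_extensions or sieve_global_extensions settings. Restricting these
+# extensions to a global context using sieve_global_extensions is recommended.
+
+plugin {
+
+# The directory where the program sockets are located for the
+# vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+# respectively. The name of each unix socket contained in that directory
+# directly maps to a program-name referenced from the Sieve script.
+#sieve_pipe_socket_dir = sieve-pipe
+#sieve_filter_socket_dir = sieve-filter
+#sieve_execute_socket_dir = sieve-execute
+
+# The directory where the scripts are located for direct execution by the
+# vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+# respectively. The name of each script contained in that directory
+# directly maps to a program-name referenced from the Sieve script.
+#sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+#sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
+#sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
+}
+
+# An example program service called 'do-something' to pipe messages to
+#service do-something {
+# Define the executed script as parameter to the sieve service
+#executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
+
+# Use some unprivileged user for executing the program
+#user = dovenull
+
+# The unix socket located in the sieve_pipe_socket_dir (as defined in the
+# plugin {} section above)
+#unix_listener sieve-pipe/do-something {
+# LDA/LMTP must have access
+# user = vmail
+# mode = 0600
+#}
+#}
+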
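--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -0,0 +1,6 @@
+# Sieve Configuration
+plugin {
+sieve = ~/.dovecot.sieve
+sieve_default = /var/lib/dovecot/sieve/default.sieve
+sieve_global = /var/lib/dovecot/sieve/
+}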
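diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
new file mode 100644
index 0000000..b2fb13a
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
@@ -0,0 +1,21 @@
+# Authentication for checkpassword users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+
+passdb {
+driver = checkpassword
+args = /usr/bin/checkpassword
+}
+
+# passdb lookup should return also userdb info
+userdb {
+driver = prefetch
+}
+
+# Standard checkpassword doesn't support direct userdb lookups.
+# If you need checkpassword userdb, the checkpassword must support
+# Dovecot-specific extensions.
+#userdb {
+# driver = checkpassword
+# args = /usr/bin/checkpassword
+#}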
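diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext
new file mode 100644
index 0000000..ce3f1cf
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-deny.conf.ext
@@ -0,0 +1,15 @@
+# Deny access for users. Included from 10-auth.conf.
+
+# Users can be (temporarily) disabled by adding a passdb with deny=yes.
+# If the user is found from that database, authentication will fail.
+# The deny passdb should always be specified before others, so it gets
+# checked first.
+
+# Example deny passdb using passwd-file. You can use any passdb though.
+passdb {
+driver = passwd-file
+deny = yes
+
+# File contains a list of usernames, one per line
+args = /etc/dovecot/deny-users
+}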
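diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext
new file mode 100644
index 0000000..0be4847
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-dict.conf.ext
@@ -0,0 +1,16 @@
+# Authentication via dict backend. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.Dict.txt>
+
+passdb {
+driver = dict
+
+# Path for dict configuration file, see
+# example-config/dovecot-dict-auth.conf.ext
+args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
+
+userdb {
+driver = dict
+args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}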
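diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext
new file mode 100644
index 0000000..2cf128f
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-master.conf.ext
@@ -0,0 +1,16 @@
+# Authentication for master users. Included from 10-auth.conf.
+
+# By adding master=yes setting inside a passdb you make the passdb a list
+# of "master users", who can log in as anyone else.
+# <doc/wiki/Authentication.MasterUsers.txt>
+
+# Example master user passdb using passwd-file. You can use any passdb though.
+passdb {
+driver = passwd-file
+master = yes
+args = /etc/dovecot/master-users
+
+# Unless you're using PAM, you probably still want the destination user to
+# be looked up from passdb that it really exists. pass=yes does that.
+pass = yes
+}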
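diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
new file mode 100644
index 0000000..c89d28c
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
@@ -0,0 +1,20 @@
+# Authentication for passwd-file users. Included from 10-auth.conf.
+#
+# passwd-like file with specified location.
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+
+passdb {
+driver = passwd-file
+args = scheme=CRYPT username_format=%u /etc/dovecot/users
+}
+
+userdb {
+driver = passwd-file
+args = username_format=%u /etc/dovecot/users
+
+# Default fields that can be overridden by passwd-file
+#default_fields = quota_rule=*:storage=1G
+
+# Override fields from passwd-file
+#override_fields = home=/home/virtual/%u
+}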
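diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext
new file mode 100644
index 0000000..ccbea86
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-sql.conf.ext
@@ -0,0 +1,30 @@
+# Authentication for SQL users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.SQL.txt>
+
+passdb {
+driver = sql
+
+# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+# driver = prefetch
+#}
+
+userdb {
+driver = sql
+args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+#driver = static
+#args = uid=vmail gid=vmail home=/var/vmail/%u
+#}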
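diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext
new file mode 100644
index 0000000..90890c5
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-static.conf.ext
@@ -0,0 +1,24 @@
+# Static passdb. Included from 10-auth.conf.
+
+# This can be used for situations where Dovecot doesn't need to verify the
+# username or the password, or if there is a single password for all users:
+#
+# - proxy frontend, where the backend verifies the password
+# - proxy backend, where the frontend already verified the password
+# - authentication with SSL certificates
+# - simple testing
+
+#passdb {
+# driver = static
+# args = proxy=y host=%1Mu.example.com nopassword=y
+#}
+
+#passdb {
+# driver = static
+# args = password=test
+#}
+
+#userdb {
+# driver = static
+# args = uid=vmail gid=vmail home=/home/%u
+#}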
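diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext
new file mode 100644
index 0000000..dadb9f7
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-system.conf.ext
@@ -0,0 +1,74 @@
+# Authentication for system users. Included from 10-auth.conf.
+#
+# <doc/wiki/PasswordDatabase.txt>
+# <doc/wiki/UserDatabase.txt>
+
+# PAM authentication. Preferred nowadays by most systems.
+# PAM is typically used with either userdb passwd or userdb static.
+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
+passdb {
+driver = pam
+# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
+# [cache_key=<key>] [<service name>]
+#args = dovecot
+}
+
+# System users (NSS, /etc/passwd, or similar).
+# In many systems nowadays this uses Name Service Switch, which is
+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
+#passdb {
+#driver = passwd
+# [blocking=no]
+#args =
+#}
+
+# Shadow passwords for system users (NSS, /etc/shadow or similar).
+# Deprecated by PAM nowadays.
+# <doc/wiki/PasswordDatabase.Shadow.txt>
+#passdb {
+#driver = shadow
+# [blocking=no]
+#args =
+#}
+
+# PAM-like authentication for OpenBSD.
+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
+#passdb {
+#driver = bsdauth
+# [blocking=no] [cache_key=<key>]
+#args =
+#}
+
+##
+## User databases
+##
+
+# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
+userdb {
+# <doc/wiki/AuthDatabase.Passwd.txt>
+driver = passwd
+# [blocking=no]
+#args =
+
+# Override fields from passwd
+#override_fields = home=/home/virtual/%u
+}
+
+# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+#driver = static
+# Can return anything a userdb could normally return. For example:
+#
+# args = uid=500 gid=500 home=/var/mail/%u
+#
+# LDA and LMTP needs to look up users only from the userdb. This of course
+# doesn't work with static userdb because there is no list of users.
+# Normally static userdb handles this by doing a passdb lookup. This works
+# with most passdbs, with PAM being the most notable exception. If you do
+# the user verification another way, you can add allow_all_users=yes to
+# the args in which case the passdb lookup is skipped.
+#
+#args =
+#}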
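diff --git a/roles/dovecot/files/default.sieve b/roles/dovecot/files/default.sieve
new file mode 100644
index 0000000..6709988
--- /dev/null
+++ b/roles/dovecot/files/default.sieve
@@ -0,0 +1,22 @@
+require ["fileinto", "mailbox"];
+/*
+* Discard mail that has a spam score greater than or equal to 5
+*/
+if header :contains "X-Spam-Level" "*****" {
+discard;
+stop;
+}
+/*
+* Discard messages marked as infected by virus scanner
+*/
+if header :contains "X-Virus-Scan" "infected" {
+discard;
+stop;
+}
+/*
+* If message is marked as spam (and falls below discard threshold) put into spam mailbox
+*/
+if header :contains "X-Spam-Flag" "YES" {
+fileinto "Spam";
+}
+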
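Review bot: `fileinto "Spam";` on line 20 is not marked `:create`, so on a fresh account where the Spam mailbox does not yet exist the action fails and the message presumably falls through to INBOX via the implicit keep; the `mailbox` extension required on line 1 exists precisely for `fileinto :create "Spam";` and is otherwise unused here. The two `discard` branches (lines 6 and 13) drop mail with no trace for the recipient on the strength of headers; filing those into a quarantine folder instead keeps a false positive recoverable and preserves the message for later review, which `discard` does not. The `:contains "*****"` test on line 5 matches five or more stars, so the "greater than or equal to 5" comment is accurate.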
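diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf
new file mode 100644
index 0000000..14a4cf0
--- /dev/null
+++ b/roles/dovecot/files/dovecot.conf
@@ -0,0 +1,16 @@
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+dict {
+#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf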
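diff --git a/roles/dovecot/files/dovecot_pam b/roles/dovecot/files/dovecot_pam
new file mode 100644
index 0000000..af0e0dd
--- /dev/null
+++ b/roles/dovecot/files/dovecot_pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+@include common-session
+
+auth required pam_unix.so
+account required pam_unix.so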
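Review bot: Lines 7-8 add `auth required pam_unix.so` and `account required pam_unix.so` after `@include common-auth` / `common-account`, which on Debian-family systems already run pam_unix, so the password is verified twice per login and the second line carries none of the options the distribution stack passes (Debian's common-auth line has `nullok`, for instance) — the effective policy becomes whichever of the two is stricter, which may be intended but is undocumented. Either rely on the includes alone, or write the full stack explicitly without them; mixing both also means a future change to common-auth (say, adding pam_sss) is silently overridden by the hard-coded second check. If the stricter-than-distribution behaviour is the goal, a comment such as `# pam_unix repeated deliberately: reject empty passwords regardless of common-auth` would make that reviewable.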
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/dovecot/handlers/main.yml | |||
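diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..ce5eb2c
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
@@ -0,0 +1,67 @@
+- name: install packages
+package:
+name:
+- dovecot-imapd
+- dovecot-sieve
+state: latest
+
+- name: deploy dovecot.conf
+copy:
+src: dovecot.conf
+dest: /etc/dovecot/dovecot.conf
+owner: root
+group: root
+mode: '0644'
+
+- name: deploy dovecot configuration files
+copy:
+src: "{{ item }}"
+dest: /etc/dovecot/conf.d/
+owner: root
+group: root
+mode: '0644'
+with_fileglob: "files/conf.d/*"
+
+- name: deploy dovecot tls configuration file
+template:
+src: templates/10-ssl.conf.j2
+dest: /etc/dovecot/conf.d/10-ssl.conf
+owner: root
+group: root
+mode: '0644'
+
+- name: create sieve dir
+file:
+path: /var/lib/dovecot/sieve
+state: directory
+
+- name: deploy default sieve script
+copy:
+src: default.sieve
+dest: /var/lib/dovecot/sieve/default.sieve
+owner: root
+group: root
+mode: '0644'
+
+- name: compile default sieve script
+command:
+cmd: sievec /var/lib/dovecot/sieve/default.sieve
+
+- name: deploy dovecot PAM configuration
+copy:
+src: dovecot_pam
+dest: /etc/pam.d/dovecot
+owner: root
+group: root
+mode: '0644'
+
+- name: enable dovecot
+systemd:
+enabled: yes
+masked: no
+name: dovecot
+
+- name: restart dovecot
+service:
+name: dovecot
+state: restarted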
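Review bot: `restart dovecot` (lines 64-67) is an ordinary task, so every play restarts the IMAP service even when no file changed, while `roles/dovecot/handlers/main.yml` (L1488) is empty; the deploy tasks should carry `notify: restart dovecot` and the restart should be the handler (the opendkim, opendmarc and postfix task files have the same pattern). `compile default sieve script` (lines 46-48) likewise runs `sievec` unconditionally and always reports changed; run it from the same handler or guard it with the sieve copy's result and `changed_when: false`. `state: latest` on line 6 turns every configuration run into an unattended package upgrade, which is a change-control decision rather than a deployment one; `state: present` keeps upgrades an explicit step (same in the policyd_spf, opendkim, opendmarc and postfix task files). `with_fileglob: "files/conf.d/*"` on line 23 deploys every file in that directory, including the vendored `auth-*.conf.ext` examples, so a comment noting that only those referenced from 10-auth.conf are live would help the next reader.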
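diff --git a/roles/dovecot/templates/10-ssl.conf.j2 b/roles/dovecot/templates/10-ssl.conf.j2
new file mode 100644
index 0000000..8efa1d2
--- /dev/null
+++ b/roles/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,20 @@
+# SSL/TLS Configuration
+ssl = required
+ssl_key = "</etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
+ssl_cert = "</etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Mozilla modern compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+# This is here for future use - Dovecot does not support using only TLSv1.3 right now.
+#ssl_min_protocol = TLSv1.3
+# Ciphers listed here are just for reference, DO NOT uncomment, this is not a valid
+# openssl cipherlist
+#ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+
+# Mozilla intermediate compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
+
+ssl_prefer_server_ciphers = yes
+ssl_client_require_valid_cert = yes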
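Review bot: `ssl_client_ca_dir` (line 5) and `ssl_client_require_valid_cert` (line 20) govern Dovecot's outgoing TLS connections (imapc, replication and the like), not certificates presented by IMAP clients, so as far as I can tell neither affects this listener. If client-certificate verification was the intent, the settings are `ssl_verify_client_cert` and `ssl_ca`; if not, drop both lines so a reader does not assume mutual TLS is enforced. Lines 3-4 build the Let's Encrypt path from `{{ mail_domain }}` while `roles/postfix/templates/main.cf.j2` uses `mail.{{ domain }}` for the same directory; keep both on one variable or the two services will pick up different certificates the day those values differ. The TLS 1.2 minimum and the cipher list on lines 16-17 do match the Mozilla intermediate profile cited in the comment.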
diff --git a/roles/opendkim/defaults/main.yml b/roles/opendkim/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendkim/defaults/main.yml | |||
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendkim/handlers/main.yml | |||
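diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
new file mode 100644
index 0000000..b56081a
--- /dev/null
+++ b/roles/opendkim/tasks/main.yml
@@ -0,0 +1,57 @@
+- name: install packages
+package:
+name:
+- opendkim
+- opendkim-tools
+state: latest
+
+- name: create dkimkeys directory
+file:
+path: /etc/dkimkeys
+owner: opendkim
+group: opendkim
+mode: '700'
+state: directory
+
+- name: generate opendkim key
+command:
+cmd: "opendkim-genkey -D /etc/dkimkeys -d {{ domain }} -s {{ dkim_selector }}"
+
+- name: rename dkim key file
+command: "mv /etc/dkimkeys/{{ dkim_selector }}.private /etc/dkimkeys/{{ dkim_selector }}.pem"
+args:
+removes: "/etc/dkimkeys/{{ dkim_selector }}.private"
+creates: "/etc/dkimkeys/{{ dkim_selector }}.pem"
+
+- name: make directory for socket inside postfix chroot
+file:
+path: /var/spool/postfix/opendkim
+owner: opendkim
+group: opendkim
+mode: '770'
+state: directory
+
+- name: add postfix user to opendkim group
+user:
+name: postfix
+groups: opendkim
+append: yes
+
+- name: deploy configuration
+template:
+src: opendkim.conf.j2
+dest: /etc/opendkim.conf
+owner: root
+group: root
+mode: '0644'
+
+- name: enable opendkim
+systemd:
+enabled: yes
+masked: no
+name: opendkim
+
+- name: restart opendkim
+service:
+name: opendkim
+state: restarted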
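Review bot: `generate opendkim key` (lines 16-18) has no `creates:` guard, so every play runs `opendkim-genkey` again and writes a fresh `{{ dkim_selector }}.private`; after the first run the rename on lines 20-24 is skipped because its `creates:` `.pem` already exists, which leaves an unpublished private key beside the live one, and if the `.pem` is ever removed the next rename swaps in a key whose public half is not in DNS. Add `creates: "/etc/dkimkeys/{{ dkim_selector }}.pem"` to the genkey task so the key is generated exactly once. The generated file is owned by whoever runs the play (root, presumably) and nothing chowns it, while `opendkim.conf.j2` runs the daemon as `UserID opendkim`; unless opendkim reads the key before dropping privileges, add a `file` task with `owner: opendkim`, `group: opendkim`, `mode: '0600'` on the `.pem` — that also satisfies `RequireSafeKeys True`. The idempotence and `state: latest` points raised on the dovecot task file apply here as well.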
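diff --git a/roles/opendkim/templates/opendkim.conf.j2 b/roles/opendkim/templates/opendkim.conf.j2
new file mode 100644
index 0000000..d3335a2
--- /dev/null
+++ b/roles/opendkim/templates/opendkim.conf.j2
@@ -0,0 +1,21 @@
+# OpenDKIM Configuration
+On-BadSignature reject
+On-Security reject
+Syslog yes
+SyslogSuccess yes
+LogResults yes
+Canonicalization simple
+Mode sv
+OversignHeaders From
+Domain {{ domain }}
+Selector {{ dkim_selector }}
+KeyFile /etc/dkimkeys/{{ dkim_selector }}.pem
+UserID opendkim
+UMask 007
+Socket local:/var/spool/postfix/opendkim/opendkim.sock
+PidFile /run/opendkim/opendkim.pid
+TemporaryDirectory /run/opendkim
+InternalHosts 127.0.0.1
+TrustAnchorFile /usr/share/dns/root.key
+RequireSafeKeys True
+AlwaysAddARHeader True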
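Review bot: `On-BadSignature reject` (line 2) rejects at SMTP time any message whose DKIM signature fails to verify, which RFC 6376 advises against: signatures routinely break in transit through mailing lists and forwarders, so this bounces legitimate mail on a signal the sending domain did not control. The place to reject is the DMARC evaluation in opendmarc (this commit already sets `RejectFailures True` there), which weighs SPF, alignment and the domain's published policy; set `On-BadSignature accept` and let the Authentication-Results header carry the verdict. `Canonicalization simple` (line 7) applies simple canonicalization to headers as well as the body, so any hop that re-folds or re-spaces a signed header invalidates this server's own signatures; `Canonicalization relaxed/simple` is the robust choice for signing. `InternalHosts 127.0.0.1` (line 18) only covers the loopback; whether SASL-authenticated submission clients get signed depends on OpenDKIM's authenticated-sender handling rather than this list, which is worth a comment so nobody adds the LAN here by reflex.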
diff --git a/roles/opendmarc/defaults/main.yml b/roles/opendmarc/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendmarc/defaults/main.yml | |||
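diff --git a/roles/opendmarc/files/opendmarc.conf b/roles/opendmarc/files/opendmarc.conf
new file mode 100644
index 0000000..85a05c2
--- /dev/null
+++ b/roles/opendmarc/files/opendmarc.conf
@@ -0,0 +1,11 @@
+# OpenDMARC Configuration
+PidFile /run/opendmarc/opendmarc.pid
+PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
+RejectFailures True
+Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
+Syslog True
+SyslogFacility mail
+UMask 002
+UserID opendmarc
+SPFIgnoreResults True
+SPFSelfValidate True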
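Review bot: `RejectFailures True` (line 4) without `IgnoreAuthenticatedClients True` means mail submitted by this server's own authenticated users is DMARC-evaluated too: SPF is self-validated (lines 10-11) against the user's client IP, and depending on milter ordering the check may run before opendkim's signature is visible, so legitimate submissions for the local domain can be rejected at the door. Add `IgnoreAuthenticatedClients True` so SASL-authenticated sessions are skipped; signing outbound mail is opendkim's job anyway. `AuthservID` and `TrustedAuthservIDs` are unset, so this filter and opendkim both fall back to the system hostname when writing and trusting Authentication-Results; that works while both run on one host, but a comment recording the assumption would spare the next person a failed-DMARC investigation after a hostname change. With SPF results ignored here, the `Header_Type = AR` output of `roles/policyd_spf/files/policyd-spf.conf` is never consumed by opendmarc — see the note on that file.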
diff --git a/roles/opendmarc/handlers/main.yml b/roles/opendmarc/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendmarc/handlers/main.yml | |||
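diff --git a/roles/opendmarc/tasks/main.yml b/roles/opendmarc/tasks/main.yml
new file mode 100644
index 0000000..6c2fb8b
--- /dev/null
+++ b/roles/opendmarc/tasks/main.yml
@@ -0,0 +1,39 @@
+- name: install packages
+package:
+name:
+- opendmarc
+- dbconfig-no-thanks
+state: latest
+
+- name: make directory for socket inside postfix chroot
+file:
+path: /var/spool/postfix/opendmarc
+owner: opendmarc
+group: opendmarc
+mode: '770'
+state: directory
+
+- name: add postfix user to opendmarc group
+user:
+name: postfix
+groups: opendmarc
+append: yes
+
+- name: deploy configuration
+copy:
+src: opendmarc.conf
+dest: /etc/opendmarc.conf
+owner: root
+group: root
+mode: '0644'
+
+- name: enable opendmarc
+systemd:
+enabled: yes
+masked: no
+name: opendmarc
+
+- name: restart opendmarc
+service:
+name: opendmarc
+state: restarted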
diff --git a/roles/policyd_spf/defaults/main.yml b/roles/policyd_spf/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/policyd_spf/defaults/main.yml | |||
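diff --git a/roles/policyd_spf/files/policyd-spf.conf b/roles/policyd_spf/files/policyd-spf.conf
new file mode 100644
index 0000000..7fba9ba
--- /dev/null
+++ b/roles/policyd_spf/files/policyd-spf.conf
@@ -0,0 +1,8 @@
+# postfix-policyd-spf configuration
+debugLevel = 1
+TestOnly = 1
+HELO_reject = Fail
+Mail_From_reject = Fail
+PermError_reject = True
+TempError_Defer = True
+Header_Type = AR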
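Review bot: `TestOnly = 1` (line 3) is, as I read policyd-spf.conf(5), the policy server's test mode in which `HELO_reject`, `Mail_From_reject` and `PermError_reject` (lines 4-6) are logged but never returned to Postfix as rejections, so this file enforces nothing despite how it reads. If that is a deliberate burn-in phase, say so in the header comment (`# TestOnly = 1: log-only until SPF results have been reviewed; set 0 to enforce`); otherwise set `TestOnly = 0`. Note also that `roles/opendmarc/files/opendmarc.conf` sets `SPFIgnoreResults True` with `SPFSelfValidate True`, so the `Header_Type = AR` result written here is not what opendmarc acts on — two independent SPF evaluators is fine, but it should be a stated choice rather than an accident.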
diff --git a/roles/policyd_spf/handlers/main.yml b/roles/policyd_spf/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/policyd_spf/handlers/main.yml | |||
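diff --git a/roles/policyd_spf/tasks/main.yml b/roles/policyd_spf/tasks/main.yml
new file mode 100644
index 0000000..48aa12d
--- /dev/null
+++ b/roles/policyd_spf/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: install packages
+package:
+name:
+- postfix-policyd-spf-python
+state: latest
+
+- name: deploy configuration
+copy:
+src: policyd-spf.conf
+dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
+owner: root
+group: root
+mode: '0644'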
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postfix/defaults/main.yml | |||
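diff --git a/roles/postfix/files/body_checks b/roles/postfix/files/body_checks
new file mode 100644
index 0000000..795c922
--- /dev/null
+++ b/roles/postfix/files/body_checks
@@ -0,0 +1,2 @@
+#Block iframe vulnerability
+/<iframe/ REJECT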
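Review bot: `/<iframe/ REJECT` (line 2) is evaluated against raw body lines, so it never sees a base64-encoded `text/html` part — the common encoding for HTML mail — while it does reject, with a permanent error to the sender, any plain-text message that merely quotes `<iframe`: a bug report, a code review, a security advisory. As a control it is trivially bypassed and as a filter it has real false positives; either drop it or move the concern to wherever decoded MIME content is actually rendered (the webmail or client sanitizer). The comment `#Block iframe vulnerability` should at least name the client-side issue it guards against so the rule can be retired when that issue is no longer relevant.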
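diff --git a/roles/postfix/files/header_checks b/roles/postfix/files/header_checks
new file mode 100644
index 0000000..f655904
--- /dev/null
+++ b/roles/postfix/files/header_checks
@@ -0,0 +1,11 @@
+#Block attachments with executable extensions
+/name=[^>]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT
+# Block message/partial vulnerability
+/message\/partial/ REJECT
+# CVE-2022-1328 mitigation - block messages with uuencode
+/^Content-Transfer-Encoding:.*uuencode.*/ REJECT
+# Remove Received string that is created when spamassassin reinjects message into postfix
+# This is to prevent leaking the userid of the spamassassin user
+/^Received:.*userid.*/ IGNORE
+# Remove User-Agent strings from headers
+/^User-Agent: .*/ IGNORE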
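Review bot: `/^Received:.*userid.*/ IGNORE` (line 9) is not scoped to the SpamAssassin re-injection it is written for: `header_checks` runs in cleanup for every message, inbound included, and any upstream Postfix that relayed a locally submitted message leaves a `Received: by <host> (Postfix, from userid N)` line, so this strips trace headers from other people's mail and removes exactly the hop-by-hop evidence an incident responder relies on. Narrow it to this host — for example `/^Received: by <this-hostname-placeholder> \(Postfix, from userid [0-9]+\)/ IGNORE` in a templated copy of the file — or avoid the leak at the source. `/^User-Agent: .*/ IGNORE` (line 11) has the same global scope; stripping it from inbound mail is a defensible privacy choice, but it also deletes evidence, so the comment should state that it is deliberate. The attachment rule on line 2 is case-insensitive by default in Postfix regexp tables, so `.EXE` is covered, but it only sees `name=` parameters and misses RFC 2231 `filename*=` encodings — a MIME-decoding content filter is the reliable place for that policy.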
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postfix/handlers/main.yml | |||
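diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..0b482ea
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,84 @@
+- name: install packages
+package:
+name:
+- postfix
+state: latest
+
+- name: deploy postfix main.cf
+template:
+src: main.cf.j2
+dest: /etc/postfix/main.cf
+owner: root
+group: root
+mode: '0644'
+
+- name: deploy postfix master.cf
+template:
+src: master.cf.j2
+dest: /etc/postfix/master.cf
+owner: root
+group: root
+mode: '0644'
+
+- name: create mailadmin user
+user:
+name: mailadmin
+shell: /usr/sbin/nologin
+password_lock: yes
+
+- name: deploy aliases file
+template:
+src: aliases
+dest: /etc/aliases
+owner: root
+group: root
+mode: '0644'
+
+- name: deploy login_maps
+template:
+src: login_maps
+dest: /etc/postfix/login_maps
+owner: root
+group: root
+mode: '0644'
+
+- name: deploy local_maps
+template:
+src: local_maps
+dest: /etc/postfix/local_maps
+owner: root
+group: root
+mode: '0644'
+
+- name: update address databases
+shell: |
+newaliases
+postmap /etc/postfix/login_maps
+postmap /etc/postfix/local_maps
+
+- name: deploy header checks file
+copy:
+src: header_checks
+dest: /etc/postfix/header_checks
+owner: root
+group: root
+mode: '0644'
+
+- name: deploy body checks file
+copy:
+src: body_checks
+dest: /etc/postfix/body_checks
+owner: root
+group: root
+mode: '0644'
+
+- name: enable postfix
+systemd:
+enabled: yes
+masked: no
+name: postfix
+
+- name: restart postfix
+service:
+name: postfix
+state: restarted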
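Review bot: `update address databases` (lines 53-57) runs three commands under `shell: |` with no `set -e`, so a failing `newaliases` or first `postmap` is masked by a successful last line and the task reports changed on every run; split it into three `command` tasks (or start the block with `set -euo pipefail` and add `changed_when: false`), and ideally run them from handlers notified by the template tasks above. `main.cf.j2` in this commit points at `unix:private/postgrey` and `private/auth`, and neither a postgrey role nor the Dovecot `service auth` listener under `/var/spool/postfix/private/` appears in this part of the diff; if they are not elsewhere in the commit, every recipient check fails with a temporary server-configuration error until they exist — hedged, since the diff spans 65 files. The `mailadmin` account on lines 23-27 is rightly created with `nologin` and a locked password; a one-line comment that it exists only as the owner of the alias target mailbox would make that intent explicit. The always-restart and `state: latest` points raised on the dovecot task file apply here too.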
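diff --git a/roles/postfix/templates/aliases b/roles/postfix/templates/aliases
new file mode 100644
index 0000000..6cb2ca6
--- /dev/null
+++ b/roles/postfix/templates/aliases
@@ -0,0 +1,3 @@
+postmaster: mailadmin
+root: mailadmin
+dmarc: mailadmin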
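Review bot: No `abuse` alias is defined (lines 1-3), and RFC 2142 expects `abuse@` alongside `postmaster@` on any host that sends mail; complaints about messages from this server, including from the DNSBL operators `main.cf.j2` relies on, are addressed there, so add `abuse: mailadmin`. A `security: mailadmin` entry is cheap for the same reason.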
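diff --git a/roles/postfix/templates/local_maps b/roles/postfix/templates/local_maps
new file mode 100644
index 0000000..57592f9
--- /dev/null
+++ b/roles/postfix/templates/local_maps
@@ -0,0 +1 @@
+mailadmin mailadmin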
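diff --git a/roles/postfix/templates/login_maps b/roles/postfix/templates/login_maps
new file mode 100644
index 0000000..d3ace34
--- /dev/null
+++ b/roles/postfix/templates/login_maps
@@ -0,0 +1 @@
+mailadmin@{{ domain }} mailadmin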
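diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..8a2d767
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,69 @@
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem
+smtpd_tls_security_level = encrypt
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+smtp_tls_security_level = encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+myhostname = {{ mail_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mydestination = $myhostname, $mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+tls_preempt_cipherlist = yes
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_helo_required = yes
+smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
+smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org
+smtpd_data_restrictions = reject_unauth_pipelining
+disable_vrfy_command = yes
+local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps
+home_mailbox = Mail/Inbox/
+mailbox_command = /usr/lib/dovecot/deliver
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+postscreen_dnsbl_sites = zen.spamhaus.org
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+policyd-spf_time_limit = 3600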
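Review bot: `smtpd_tls_security_level = encrypt` (line 19) makes STARTTLS mandatory on the public MX, which Postfix's TLS_README and RFC 3207 advise against — any sending server that does not offer TLS is refused outright — and `smtp_tls_security_level = encrypt` (line 22) mirrors that outbound, so mail to domains without TLS is deferred and eventually bounced; the conventional setting is `may` on both (`dane` outbound if a validating resolver is present), with `encrypt` applied to the submission service in master.cf via `-o smtpd_tls_security_level=encrypt`. Lines 17-18 derive the certificate path from `mail.{{ domain }}` while `myhostname` (line 26) and `roles/dovecot/templates/10-ssl.conf.j2` use `{{ mail_domain }}`; use one variable so the two services cannot silently load different certificates. There is no `smtpd_milters` / `non_smtpd_milters` line wiring in the OpenDKIM and OpenDMARC sockets the other roles create (`unix:opendkim/opendkim.sock`, `unix:opendmarc/opendmarc.sock` relative to the chroot), so unless master.cf.j2 sets them with `-o` — its tail is outside this view — nothing is signed or DMARC-checked despite both daemons running. `smtpd_sasl_auth_enable = yes` in main.cf also advertises AUTH on port 25 (TLS-only, given `smtpd_tls_auth_only`); confining it to the submission service keeps the MX from doubling as a credential-guessing surface.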
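--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,84 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - 1 postscreen
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+  -o syslog_name=postfix/$service_name
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+maildrop unix - n n - - pipe
+  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+
+uucp unix - n n - - pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+
+ifmail unix - n n - - pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+
+bsmtp unix - n n - - pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+
+scalemail-backend unix - n n - 2 pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+
+mailman unix - n n - - pipe
+  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+
+smtpd pass - - y - - smtpd
+  -o content_filter=spamassassin
+  -o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
+tlsproxy unix - - y - 0 tlsproxy
+
+dnsblog unix - - y - 0 dnsblog
+
+submissions inet n - y - - smtpd
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_auth_only=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject
+  -o syslog_name=postfix/submissions
+  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+  -o smtpd_milters=unix:opendkim/opendkim.sock
+
+spamassassin unix - n n - - pipe user=debian-spamd
+  argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi
+  -f ${sender} ${recipient}
+
+policyd-spf unix - n n - 0 spawn user=policyd-spf
+  argv=/usr/bin/policyd-spf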
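Review bot: On the submissions service, `-o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch` evaluates permit_mynetworks first, so any client inside mynetworks may use an arbitrary MAIL FROM regardless of which SASL account it authenticated as, whereas the main.cf default visible earlier in this commit applies reject_sender_login_mismatch unconditionally; unless that exemption is intended, `-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_mynetworks` keeps the login/sender binding on the authenticated port (what mynetworks contains is not shown here). The two protocol overrides on the same service leave only TLS 1.3, which is a deliberate-looking but unusual choice for a MUA-facing port and deserves a comment such as `# submissions: TLS 1.3 only; clients without TLS 1.3 support cannot connect`. The spamassassin pipe service correctly runs spamc as debian-spamd, which is the user that should own or have group access to the spamd socket configured in roles/spamassassin/files/defaults.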
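--- /dev/null
+++ b/roles/postgrey/defaults/main.yml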
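--- /dev/null
+++ b/roles/postgrey/files/postgrey
@@ -0,0 +1,2 @@
+POSTGREY_OPTS="--unix=/var/spool/postfix/private/postgrey --privacy"
+POSTGREY_TEXT="Greylisted - see https://www.greylisting.org"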
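--- /dev/null
+++ b/roles/postgrey/handlers/main.yml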
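--- /dev/null
+++ b/roles/postgrey/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: install packages
+  package:
+    name:
+      - postgrey
+    state: latest
+
+- name: deploy configuration
+  copy:
+    src: postgrey
+    dest: /etc/default/postgrey
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: enable postgrey
+  systemd:
+    enabled: yes
+    masked: no
+    name: postgrey
+
+- name: restart postgrey
+  service:
+    name: postgrey
+    state: restarted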
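Review bot: The final `restart postgrey` task restarts the service unconditionally on every play run, even when the preceding copy task changed nothing, which is the job of a handler; the handlers/main.yml added empty in this commit is where `- name: restart postgrey` with `service: {name: postgrey, state: restarted}` belongs, triggered from the copy task with `notify: restart postgrey`. The same unconditional-restart pattern appears at the end of roles/spamassassin/tasks/main.yml. `state: latest` on the package task upgrades the package on every run rather than merely ensuring it is installed; `state: present` is the idempotent choice unless unattended upgrades through Ansible are intended.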
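--- /dev/null
+++ b/roles/spamassassin/defaults/main.yml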
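--- /dev/null
+++ b/roles/spamassassin/files/defaults
@@ -0,0 +1,9 @@
+OPTIONS="--listen /var/run/spamd.sock --max-children 5 --socketpath=/var/spool/postfix/spamd/spamd.sock --socketowner root --socketgroup root --socketmode 0666"
+
+PIDFILE=/var/run/spamd.pid
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1
+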
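Review bot: `--socketmode 0666` in OPTIONS makes the spamd socket inside the Postfix chroot writable by every local account, while the only client this commit configures is spamc running as debian-spamd from the spamassassin pipe service in master.cf.j2; `--socketgroup debian-spamd --socketmode 0660` restricts submission of messages to the scanner to that user without changing anything Postfix needs. OPTIONS also names two socket paths (`--listen /var/run/spamd.sock` and `--socketpath=/var/spool/postfix/spamd/spamd.sock`), and only the chroot one is referenced by master.cf.j2, so confirm the second listener is intended. A comment such as `# socket is placed inside the Postfix chroot so the chrooted pipe service can reach it` would explain the non-default path to the next maintainer.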
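--- /dev/null
+++ b/roles/spamassassin/handlers/main.yml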
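--- /dev/null
+++ b/roles/spamassassin/tasks/main.yml
@@ -0,0 +1,40 @@
+- name: install packages
+  package:
+    name:
+      - spamassassin
+    state: latest
+
+- name: make directory in postfix chroot
+  file:
+    path: /var/spool/postfix/spamd
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+
+- name: deploy configuration
+  template:
+    src: local.cf.j2
+    dest: /etc/spamassassin/local.cf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: deploy defaults file
+  copy:
+    src: defaults
+    dest: /etc/default/spamd
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: enable spamassassin
+  systemd:
+    enabled: yes
+    masked: no
+    name: spamd
+
+- name: restart spamassassin
+  service:
+    name: spamd
+    state: restarted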
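--- /dev/null
+++ b/roles/spamassassin/templates/local.cf.j2
@@ -0,0 +1,18 @@
+# SpamAssassin Configuration
+# Clearly indicate message is spam to user
+rewrite_header Subject *****SPAM*****
+rewrite_header From *****SPAM*****
+
+# Halves default spam score thus implementing a very strict spam policy
+# Comment or edit as needed for your deployment
+required_score {{ spam_score }}
+
+# Attach original messages as text/plain instead of message/rfc822 to spam reports
+# This is basically a safety net to prevent mail clients from automatically loading
+# attached spam messages. Note though that this makes the original message harder to recover
+# If this is not something you are worried about, comment the next line to use the default.
+report_safe 2
+
+# This specifies languages considered OK for incoming mail
+# If you expect to receive mail in non-western character sets, comment or edit as needed
+ok_locales {{ sa_locales }}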
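Review bot: The comment above `required_score {{ spam_score }}` still says `# Halves default spam score thus implementing a very strict spam policy`, but the value is now whatever the spam_score variable holds, so the comment can be wrong for any deployment that sets it differently; reword it to describe the knob rather than one value, e.g. `# Score at or above which a message is tagged as spam (SpamAssassin default 5.0); set spam_score in the inventory`. The `ok_locales {{ sa_locales }}` line has the same shape and would benefit from naming the variable in its comment, `# Set sa_locales to the locales you expect mail from; "all" disables the check`.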
@@ -0,0 +1,79 @@ | |||
1 | - name: setup | ||
2 | hosts: mail_server | ||
3 | become: yes | ||
4 | |||
5 | tasks: | ||
6 | - name: set system hostname | ||
7 | hostname: | ||
8 | name: "{{ mail_domain }}" | ||
9 | |||
10 | - name: install packages | ||
11 | package: | ||
12 | name: | ||
13 | - ufw | ||
14 | - gnupg | ||
15 | - certbot | ||
16 | state: latest | ||
17 | |||
18 | - name: allow http for certificate challenges | ||
19 | ufw: | ||
20 | rule: allow | ||
21 | port: '80' | ||
22 | proto: tcp | ||
23 | |||
24 | - name: allow smtp | ||
25 | ufw: | ||
26 | rule: allow | ||
27 | port: '25' | ||
28 | proto: tcp | ||
29 | |||
30 | - name: allow smtps | ||
31 | become: yes | ||
32 | ufw: | ||
33 | rule: allow | ||
34 | port: '465' | ||
35 | proto: tcp | ||
36 | |||
37 | - name: allow imaps | ||
38 | ufw: | ||
39 | rule: allow | ||
40 | port: '993' | ||
41 | proto: tcp | ||
42 | |||
43 | - name: get certificate | ||
44 | command: | ||
45 | cmd: "certbot certonly --standalone -d {{ mail_domain }} -m {{ cert_email }} --non-interactive --agree-tos --no-eff-email" | ||
46 | |||
47 | - name: configure services | ||
48 | hosts: mail_server | ||
49 | become: yes | ||
50 | roles: | ||
51 | - postfix | ||
52 | - dovecot | ||
53 | - opendkim | ||
54 | - opendmarc | ||
55 | - postgrey | ||
56 | - spamassassin | ||
57 | - policyd_spf | ||
58 | |||
59 | - name: get dns recordV | ||
60 | hosts: mail_server | ||
61 | become: yes | ||
62 | |||
63 | tasks: | ||
64 | - name: get dns entries | ||
65 | shell: | | ||
66 | pubkey="$(tr -d '\n' </etc/dkimkeys/{{ dkim_selector }}.txt | sed "s/^.*p=/p=/;s/\" ) ;.*$//" | tr -d "\"[:space:]")" | ||
67 | dkimdns="{{ dkim_selector }}._domainkey IN TXT \"v=DKIM1; k=rsa; $pubkey\"" | ||
68 | dmarcdns="_dmarc IN TXT \"v=DMARC1; p=reject; rua=mailto:dmarc@{{ domain }}; fo=1\"" | ||
69 | spfdns="@ IN TXT \"v=spf1 a:{{ mail_domain }} -all\"" | ||
70 | |||
71 | echo "DNS Entries | ||
72 | DKIM: $dkimdns | ||
73 | DMARC: $dmarcdns | ||
74 | SPF: $spfdns" > $HOME/dns_records | ||
75 | register: dns_result | ||
76 | |||
77 | - name: inform where to get records | ||
78 | debug: | ||
79 | msg: "You can now find the DNS records you need to set at /home/root/dns_records" | ||
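Review bot: The debug message in the last task points to `/home/root/dns_records`, but the shell task writes to `$HOME/dns_records`, and root's home is normally /root, so the hint is likely to send the operator to a file that does not exist; writing to an explicit path in the shell (`> /root/dns_records`) and quoting that same path in the msg removes the mismatch, and the registered `dns_result` is never used, so either drop the `register` or print `dns_result.stdout` instead of a fixed path. The `get certificate` command task runs certbot on every play, which repeats issuance against Let's Encrypt and can exhaust its rate limits; adding `creates: /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem` under `command:` makes it run only until the certificate exists. The ufw tasks add allow rules but nothing in this hunk sets `state: enabled` on the firewall, and the DMARC rua address uses `{{ domain }}` while every other task uses `{{ mail_domain }}`; both may be handled elsewhere, but the file header for this hunk is not shown, so they are worth confirming.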