diff options
Diffstat (limited to 'roles')
60 files changed, 1265 insertions, 0 deletions
diff --git a/roles/dovecot/defaults/main.yml b/roles/dovecot/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/dovecot/defaults/main.yml | |||
diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf new file mode 100644 index 0000000..7ac1eee --- /dev/null +++ b/roles/dovecot/files/conf.d/10-auth.conf | |||
@@ -0,0 +1,10 @@ | |||
1 | # Authentication | ||
2 | disable_plaintext_auth = yes | ||
3 | auth_username_format = %n | ||
4 | auth_mechanisms = plain | ||
5 | userdb { | ||
6 | driver = passwd | ||
7 | } | ||
8 | passdb { | ||
9 | driver = pam | ||
10 | } | ||
diff --git a/roles/dovecot/files/conf.d/10-director.conf b/roles/dovecot/files/conf.d/10-director.conf new file mode 100644 index 0000000..073d8a8 --- /dev/null +++ b/roles/dovecot/files/conf.d/10-director.conf | |||
@@ -0,0 +1,60 @@ | |||
1 | ## | ||
2 | ## Director-specific settings. | ||
3 | ## | ||
4 | |||
5 | # Director can be used by Dovecot proxy to keep a temporary user -> mail server | ||
6 | # mapping. As long as user has simultaneous connections, the user is always | ||
7 | # redirected to the same server. Each proxy server is running its own director | ||
8 | # process, and the directors are communicating the state to each others. | ||
9 | # Directors are mainly useful with NFS-like setups. | ||
10 | |||
11 | # List of IPs or hostnames to all director servers, including ourself. | ||
12 | # Ports can be specified as ip:port. The default port is the same as | ||
13 | # what director service's inet_listener is using. | ||
14 | #director_servers = | ||
15 | |||
16 | # List of IPs or hostnames to all backend mail servers. Ranges are allowed | ||
17 | # too, like 10.0.0.10-10.0.0.30. | ||
18 | #director_mail_servers = | ||
19 | |||
20 | # How long to redirect users to a specific server after it no longer has | ||
21 | # any connections. | ||
22 | #director_user_expire = 15 min | ||
23 | |||
24 | # How the username is translated before being hashed. Useful values include | ||
25 | # %Ln if user can log in with or without @domain, %Ld if mailboxes are shared | ||
26 | # within domain. | ||
27 | #director_username_hash = %Lu | ||
28 | |||
29 | # To enable director service, uncomment the modes and assign a port. | ||
30 | service director { | ||
31 | unix_listener login/director { | ||
32 | #mode = 0666 | ||
33 | } | ||
34 | fifo_listener login/proxy-notify { | ||
35 | #mode = 0666 | ||
36 | } | ||
37 | unix_listener director-userdb { | ||
38 | #mode = 0600 | ||
39 | } | ||
40 | inet_listener { | ||
41 | #port = | ||
42 | } | ||
43 | } | ||
44 | |||
45 | # Enable director for the wanted login services by telling them to | ||
46 | # connect to director socket instead of the default login socket: | ||
47 | service imap-login { | ||
48 | #executable = imap-login director | ||
49 | } | ||
50 | service pop3-login { | ||
51 | #executable = pop3-login director | ||
52 | } | ||
53 | service submission-login { | ||
54 | #executable = submission-login director | ||
55 | } | ||
56 | |||
57 | # Enable director for LMTP proxying: | ||
58 | protocol lmtp { | ||
59 | #auth_socket_path = director-userdb | ||
60 | } | ||
diff --git a/roles/dovecot/files/conf.d/10-logging.conf b/roles/dovecot/files/conf.d/10-logging.conf new file mode 100644 index 0000000..bcd6dea --- /dev/null +++ b/roles/dovecot/files/conf.d/10-logging.conf | |||
@@ -0,0 +1,109 @@ | |||
1 | ## | ||
2 | ## Log destination. | ||
3 | ## | ||
4 | |||
5 | # Log file to use for error messages. "syslog" logs to syslog, | ||
6 | # /dev/stderr logs to stderr. | ||
7 | #log_path = syslog | ||
8 | |||
9 | # Log file to use for informational messages. Defaults to log_path. | ||
10 | #info_log_path = | ||
11 | # Log file to use for debug messages. Defaults to info_log_path. | ||
12 | #debug_log_path = | ||
13 | |||
14 | # Syslog facility to use if you're logging to syslog. Usually if you don't | ||
15 | # want to use "mail", you'll use local0..local7. Also other standard | ||
16 | # facilities are supported. | ||
17 | #syslog_facility = mail | ||
18 | |||
19 | ## | ||
20 | ## Logging verbosity and debugging. | ||
21 | ## | ||
22 | |||
23 | # Log filter is a space-separated list conditions. If any of the conditions | ||
24 | # match, the log filter matches (i.e. they're ORed together). Parenthesis | ||
25 | # are supported if multiple conditions need to be matched together. | ||
26 | # Supported conditions are: | ||
27 | # event:<name wildcard> - Match event name. '*' and '?' wildcards supported. | ||
28 | # source:<filename>[:<line number>] - Match source code filename [and line] | ||
29 | # field:<key>=<value wildcard> - Match field key to a value. Can be specified | ||
30 | # multiple times to match multiple keys. | ||
31 | # cat[egory]:<value> - Match a category. Can be specified multiple times to | ||
32 | # match multiple categories. | ||
33 | # For example: event:http_request_* (cat:error cat:storage) | ||
34 | |||
35 | # Filter to specify what debug logging to enable. This will eventually replace | ||
36 | # mail_debug and auth_debug settings. | ||
37 | #log_debug = | ||
38 | |||
39 | # Crash after logging a matching event. For example category:error will crash | ||
40 | # any time an error is logged, which can be useful for debugging. | ||
41 | #log_core_filter = | ||
42 | |||
43 | # Log unsuccessful authentication attempts and the reasons why they failed. | ||
44 | #auth_verbose = no | ||
45 | |||
46 | # In case of password mismatches, log the attempted password. Valid values are | ||
47 | # no, plain and sha1. sha1 can be useful for detecting brute force password | ||
48 | # attempts vs. user simply trying the same password over and over again. | ||
49 | # You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). | ||
50 | #auth_verbose_passwords = no | ||
51 | |||
52 | # Even more verbose logging for debugging purposes. Shows for example SQL | ||
53 | # queries. | ||
54 | #auth_debug = no | ||
55 | |||
56 | # In case of password mismatches, log the passwords and used scheme so the | ||
57 | # problem can be debugged. Enabling this also enables auth_debug. | ||
58 | #auth_debug_passwords = no | ||
59 | |||
60 | # Enable mail process debugging. This can help you figure out why Dovecot | ||
61 | # isn't finding your mails. | ||
62 | #mail_debug = no | ||
63 | |||
64 | # Show protocol level SSL errors. | ||
65 | #verbose_ssl = no | ||
66 | |||
67 | # mail_log plugin provides more event logging for mail processes. | ||
68 | plugin { | ||
69 | # Events to log. Also available: flag_change append | ||
70 | #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename | ||
71 | # Available fields: uid, box, msgid, from, subject, size, vsize, flags | ||
72 | # size and vsize are available only for expunge and copy events. | ||
73 | #mail_log_fields = uid box msgid size | ||
74 | } | ||
75 | |||
76 | ## | ||
77 | ## Log formatting. | ||
78 | ## | ||
79 | |||
80 | # Prefix for each line written to log file. % codes are in strftime(3) | ||
81 | # format. | ||
82 | #log_timestamp = "%b %d %H:%M:%S " | ||
83 | |||
84 | # Space-separated list of elements we want to log. The elements which have | ||
85 | # a non-empty variable value are joined together to form a comma-separated | ||
86 | # string. | ||
87 | #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c | ||
88 | |||
89 | # Login log format. %s contains login_log_format_elements string, %$ contains | ||
90 | # the data we want to log. | ||
91 | #login_log_format = %$: %s | ||
92 | |||
93 | # Log prefix for mail processes. See doc/wiki/Variables.txt for list of | ||
94 | # possible variables you can use. | ||
95 | #mail_log_prefix = "%s(%u)<%{pid}><%{session}>: " | ||
96 | |||
97 | # Format to use for logging mail deliveries: | ||
98 | # %$ - Delivery status message (e.g. "saved to INBOX") | ||
99 | # %m / %{msgid} - Message-ID | ||
100 | # %s / %{subject} - Subject | ||
101 | # %f / %{from} - From address | ||
102 | # %p / %{size} - Physical size | ||
103 | # %w / %{vsize} - Virtual size | ||
104 | # %e / %{from_envelope} - MAIL FROM envelope | ||
105 | # %{to_envelope} - RCPT TO envelope | ||
106 | # %{delivery_time} - How many milliseconds it took to deliver the mail | ||
107 | # %{session_time} - How long LMTP session took, not including delivery_time | ||
108 | # %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename | ||
109 | #deliver_log_format = msgid=%m: %$ | ||
diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf new file mode 100644 index 0000000..683c5e9 --- /dev/null +++ b/roles/dovecot/files/conf.d/10-mail.conf | |||
@@ -0,0 +1,10 @@ | |||
1 | # Mail location | ||
2 | mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs | ||
3 | namespace inbox { | ||
4 | type = private | ||
5 | prefix = | ||
6 | separator = / | ||
7 | inbox = yes | ||
8 | subscriptions = yes | ||
9 | list = yes | ||
10 | } | ||
diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf new file mode 100644 index 0000000..c2c9493 --- /dev/null +++ b/roles/dovecot/files/conf.d/10-master.conf | |||
@@ -0,0 +1,22 @@ | |||
1 | # Master Configuration | ||
2 | service imap-login { | ||
3 | # Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs) | ||
4 | service_count = 1 | ||
5 | # Disable unencrypted IMAP by setting port for plain IMAP to 0 | ||
6 | inet_listener imap { | ||
7 | port = 0 | ||
8 | } | ||
9 | inet_listener imaps { | ||
10 | port = 993 | ||
11 | ssl = yes | ||
12 | } | ||
13 | } | ||
14 | |||
15 | # Allow postfix to user dovecot SASL | ||
16 | service auth { | ||
17 | unix_listener /var/spool/postfix/private/auth { | ||
18 | mode = 0660 | ||
19 | user = postfix | ||
20 | group = postfix | ||
21 | } | ||
22 | } | ||
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf new file mode 100644 index 0000000..b237d96 --- /dev/null +++ b/roles/dovecot/files/conf.d/10-tcpwrapper.conf | |||
@@ -0,0 +1,14 @@ | |||
1 | # 10-tcpwrapper.conf | ||
2 | # | ||
3 | # service name for hosts.{allow|deny} are those defined as | ||
4 | # inet_listener in master.conf | ||
5 | # | ||
6 | #login_access_sockets = tcpwrap | ||
7 | # | ||
8 | #service tcpwrap { | ||
9 | # unix_listener login/tcpwrap { | ||
10 | # group = $default_login_user | ||
11 | # mode = 0600 | ||
12 | # user = $default_login_user | ||
13 | # } | ||
14 | #} | ||
diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf new file mode 100644 index 0000000..8538f79 --- /dev/null +++ b/roles/dovecot/files/conf.d/15-lda.conf | |||
@@ -0,0 +1,4 @@ | |||
1 | # Local Delivery Agent | ||
2 | protocol lda { | ||
3 | mail_plugins = $mail_plugins sieve | ||
4 | } | ||
diff --git a/roles/dovecot/files/conf.d/15-mailboxes.conf b/roles/dovecot/files/conf.d/15-mailboxes.conf new file mode 100644 index 0000000..4de88b0 --- /dev/null +++ b/roles/dovecot/files/conf.d/15-mailboxes.conf | |||
@@ -0,0 +1,25 @@ | |||
1 | # Mailboxes | ||
2 | namespace inbox { | ||
3 | mailbox Sent { | ||
4 | special_use = \Sent | ||
5 | auto = subscribe | ||
6 | } | ||
7 | mailbox Trash { | ||
8 | special_use = \Trash | ||
9 | auto = create | ||
10 | autoexpunge = 30d | ||
11 | } | ||
12 | mailbox Drafts { | ||
13 | special_use = \Drafts | ||
14 | auto = subscribe | ||
15 | } | ||
16 | mailbox Spam { | ||
17 | special_use = \Junk | ||
18 | auto = create | ||
19 | autoexpunge = 30d | ||
20 | } | ||
21 | mailbox Archive { | ||
22 | special_use = \Archive | ||
23 | auto = create | ||
24 | } | ||
25 | } | ||
diff --git a/roles/dovecot/files/conf.d/20-imap.conf b/roles/dovecot/files/conf.d/20-imap.conf new file mode 100644 index 0000000..0e7d4ae --- /dev/null +++ b/roles/dovecot/files/conf.d/20-imap.conf | |||
@@ -0,0 +1,2 @@ | |||
1 | # IMAP | ||
2 | imap_capability = +SPECIAL-USE | ||
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf new file mode 100644 index 0000000..f0c0e7a --- /dev/null +++ b/roles/dovecot/files/conf.d/90-acl.conf | |||
@@ -0,0 +1,19 @@ | |||
1 | ## | ||
2 | ## Mailbox access control lists. | ||
3 | ## | ||
4 | |||
5 | # vfile backend reads ACLs from "dovecot-acl" file from mail directory. | ||
6 | # You can also optionally give a global ACL directory path where ACLs are | ||
7 | # applied to all users' mailboxes. The global ACL directory contains | ||
8 | # one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter | ||
9 | # specifies how many seconds to wait between stat()ing dovecot-acl file | ||
10 | # to see if it changed. | ||
11 | plugin { | ||
12 | #acl = vfile:/etc/dovecot/global-acls:cache_secs=300 | ||
13 | } | ||
14 | |||
15 | # To let users LIST mailboxes shared by other users, Dovecot needs a | ||
16 | # shared mailbox dictionary. For example: | ||
17 | plugin { | ||
18 | #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes | ||
19 | } | ||
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf new file mode 100644 index 0000000..8c8fccf --- /dev/null +++ b/roles/dovecot/files/conf.d/90-plugin.conf | |||
@@ -0,0 +1,11 @@ | |||
1 | ## | ||
2 | ## Plugin settings | ||
3 | ## | ||
4 | |||
5 | # All wanted plugins must be listed in mail_plugins setting before any of the | ||
6 | # settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and | ||
7 | # their configuration. Note that %variable expansion is done for all values. | ||
8 | |||
9 | plugin { | ||
10 | #setting_name = value | ||
11 | } | ||
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf new file mode 100644 index 0000000..3308c05 --- /dev/null +++ b/roles/dovecot/files/conf.d/90-quota.conf | |||
@@ -0,0 +1,83 @@ | |||
1 | ## | ||
2 | ## Quota configuration. | ||
3 | ## | ||
4 | |||
5 | # Note that you also have to enable quota plugin in mail_plugins setting. | ||
6 | # <doc/wiki/Quota.txt> | ||
7 | |||
8 | ## | ||
9 | ## Quota limits | ||
10 | ## | ||
11 | |||
12 | # Quota limits are set using "quota_rule" parameters. To get per-user quota | ||
13 | # limits, you can set/override them by returning "quota_rule" extra field | ||
14 | # from userdb. It's also possible to give mailbox-specific limits, for example | ||
15 | # to give additional 100 MB when saving to Trash: | ||
16 | |||
17 | plugin { | ||
18 | #quota_rule = *:storage=1G | ||
19 | #quota_rule2 = Trash:storage=+100M | ||
20 | |||
21 | # LDA/LMTP allows saving the last mail to bring user from under quota to | ||
22 | # over quota, if the quota doesn't grow too high. Default is to allow as | ||
23 | # long as quota will stay under 10% above the limit. Also allowed e.g. 10M. | ||
24 | #quota_grace = 10%% | ||
25 | |||
26 | # Quota plugin can also limit the maximum accepted mail size. | ||
27 | #quota_max_mail_size = 100M | ||
28 | } | ||
29 | |||
30 | ## | ||
31 | ## Quota warnings | ||
32 | ## | ||
33 | |||
34 | # You can execute a given command when user exceeds a specified quota limit. | ||
35 | # Each quota root has separate limits. Only the command for the first | ||
36 | # exceeded limit is executed, so put the highest limit first. | ||
37 | # The commands are executed via script service by connecting to the named | ||
38 | # UNIX socket (quota-warning below). | ||
39 | # Note that % needs to be escaped as %%, otherwise "% " expands to empty. | ||
40 | |||
41 | plugin { | ||
42 | #quota_warning = storage=95%% quota-warning 95 %u | ||
43 | #quota_warning2 = storage=80%% quota-warning 80 %u | ||
44 | } | ||
45 | |||
46 | # Example quota-warning service. The unix listener's permissions should be | ||
47 | # set in a way that mail processes can connect to it. Below example assumes | ||
48 | # that mail processes run as vmail user. If you use mode=0666, all system users | ||
49 | # can generate quota warnings to anyone. | ||
50 | #service quota-warning { | ||
51 | # executable = script /usr/local/bin/quota-warning.sh | ||
52 | # user = dovecot | ||
53 | # unix_listener quota-warning { | ||
54 | # user = vmail | ||
55 | # } | ||
56 | #} | ||
57 | |||
58 | ## | ||
59 | ## Quota backends | ||
60 | ## | ||
61 | |||
62 | # Multiple backends are supported: | ||
63 | # dirsize: Find and sum all the files found from mail directory. | ||
64 | # Extremely SLOW with Maildir. It'll eat your CPU and disk I/O. | ||
65 | # dict: Keep quota stored in dictionary (eg. SQL) | ||
66 | # maildir: Maildir++ quota | ||
67 | # fs: Read-only support for filesystem quota | ||
68 | |||
69 | plugin { | ||
70 | #quota = dirsize:User quota | ||
71 | #quota = maildir:User quota | ||
72 | #quota = dict:User quota::proxy::quota | ||
73 | #quota = fs:User quota | ||
74 | } | ||
75 | |||
76 | # Multiple quota roots are also possible, for example this gives each user | ||
77 | # their own 100MB quota and one shared 1GB quota within the domain: | ||
78 | plugin { | ||
79 | #quota = dict:user::proxy::quota | ||
80 | #quota2 = dict:domain:%d:proxy::quota_domain | ||
81 | #quota_rule = *:storage=102400 | ||
82 | #quota2_rule = *:storage=1048576 | ||
83 | } | ||
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf new file mode 100644 index 0000000..17dcb77 --- /dev/null +++ b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf | |||
@@ -0,0 +1,44 @@ | |||
1 | # Sieve Extprograms plugin configuration | ||
2 | |||
3 | # Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting. | ||
4 | # Also enable the extensions you need (one or more of vnd.dovecot.pipe, | ||
5 | # vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the | ||
6 | # sieve_extensions or sieve_global_extensions settings. Restricting these | ||
7 | # extensions to a global context using sieve_global_extensions is recommended. | ||
8 | |||
9 | plugin { | ||
10 | |||
11 | # The directory where the program sockets are located for the | ||
12 | # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension | ||
13 | # respectively. The name of each unix socket contained in that directory | ||
14 | # directly maps to a program-name referenced from the Sieve script. | ||
15 | #sieve_pipe_socket_dir = sieve-pipe | ||
16 | #sieve_filter_socket_dir = sieve-filter | ||
17 | #sieve_execute_socket_dir = sieve-execute | ||
18 | |||
19 | # The directory where the scripts are located for direct execution by the | ||
20 | # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension | ||
21 | # respectively. The name of each script contained in that directory | ||
22 | # directly maps to a program-name referenced from the Sieve script. | ||
23 | #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe | ||
24 | #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter | ||
25 | #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute | ||
26 | } | ||
27 | |||
28 | # An example program service called 'do-something' to pipe messages to | ||
29 | #service do-something { | ||
30 | # Define the executed script as parameter to the sieve service | ||
31 | #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh | ||
32 | |||
33 | # Use some unprivileged user for executing the program | ||
34 | #user = dovenull | ||
35 | |||
36 | # The unix socket located in the sieve_pipe_socket_dir (as defined in the | ||
37 | # plugin {} section above) | ||
38 | #unix_listener sieve-pipe/do-something { | ||
39 | # LDA/LMTP must have access | ||
40 | # user = vmail | ||
41 | # mode = 0600 | ||
42 | #} | ||
43 | #} | ||
44 | |||
diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf new file mode 100644 index 0000000..c7ef6c4 --- /dev/null +++ b/roles/dovecot/files/conf.d/90-sieve.conf | |||
@@ -0,0 +1,6 @@ | |||
1 | # Sieve Configuration | ||
2 | plugin { | ||
3 | sieve = ~/.dovecot.sieve | ||
4 | sieve_default = /var/lib/dovecot/sieve/default.sieve | ||
5 | sieve_global = /var/lib/dovecot/sieve/ | ||
6 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext new file mode 100644 index 0000000..b2fb13a --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext | |||
@@ -0,0 +1,21 @@ | |||
1 | # Authentication for checkpassword users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/AuthDatabase.CheckPassword.txt> | ||
4 | |||
5 | passdb { | ||
6 | driver = checkpassword | ||
7 | args = /usr/bin/checkpassword | ||
8 | } | ||
9 | |||
10 | # passdb lookup should return also userdb info | ||
11 | userdb { | ||
12 | driver = prefetch | ||
13 | } | ||
14 | |||
15 | # Standard checkpassword doesn't support direct userdb lookups. | ||
16 | # If you need checkpassword userdb, the checkpassword must support | ||
17 | # Dovecot-specific extensions. | ||
18 | #userdb { | ||
19 | # driver = checkpassword | ||
20 | # args = /usr/bin/checkpassword | ||
21 | #} | ||
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext new file mode 100644 index 0000000..ce3f1cf --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-deny.conf.ext | |||
@@ -0,0 +1,15 @@ | |||
1 | # Deny access for users. Included from 10-auth.conf. | ||
2 | |||
3 | # Users can be (temporarily) disabled by adding a passdb with deny=yes. | ||
4 | # If the user is found from that database, authentication will fail. | ||
5 | # The deny passdb should always be specified before others, so it gets | ||
6 | # checked first. | ||
7 | |||
8 | # Example deny passdb using passwd-file. You can use any passdb though. | ||
9 | passdb { | ||
10 | driver = passwd-file | ||
11 | deny = yes | ||
12 | |||
13 | # File contains a list of usernames, one per line | ||
14 | args = /etc/dovecot/deny-users | ||
15 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext new file mode 100644 index 0000000..0be4847 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-dict.conf.ext | |||
@@ -0,0 +1,16 @@ | |||
1 | # Authentication via dict backend. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/AuthDatabase.Dict.txt> | ||
4 | |||
5 | passdb { | ||
6 | driver = dict | ||
7 | |||
8 | # Path for dict configuration file, see | ||
9 | # example-config/dovecot-dict-auth.conf.ext | ||
10 | args = /etc/dovecot/dovecot-dict-auth.conf.ext | ||
11 | } | ||
12 | |||
13 | userdb { | ||
14 | driver = dict | ||
15 | args = /etc/dovecot/dovecot-dict-auth.conf.ext | ||
16 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext new file mode 100644 index 0000000..2cf128f --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-master.conf.ext | |||
@@ -0,0 +1,16 @@ | |||
1 | # Authentication for master users. Included from 10-auth.conf. | ||
2 | |||
3 | # By adding master=yes setting inside a passdb you make the passdb a list | ||
4 | # of "master users", who can log in as anyone else. | ||
5 | # <doc/wiki/Authentication.MasterUsers.txt> | ||
6 | |||
7 | # Example master user passdb using passwd-file. You can use any passdb though. | ||
8 | passdb { | ||
9 | driver = passwd-file | ||
10 | master = yes | ||
11 | args = /etc/dovecot/master-users | ||
12 | |||
13 | # Unless you're using PAM, you probably still want the destination user to | ||
14 | # be looked up from passdb that it really exists. pass=yes does that. | ||
15 | pass = yes | ||
16 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext new file mode 100644 index 0000000..c89d28c --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext | |||
@@ -0,0 +1,20 @@ | |||
1 | # Authentication for passwd-file users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # passwd-like file with specified location. | ||
4 | # <doc/wiki/AuthDatabase.PasswdFile.txt> | ||
5 | |||
6 | passdb { | ||
7 | driver = passwd-file | ||
8 | args = scheme=CRYPT username_format=%u /etc/dovecot/users | ||
9 | } | ||
10 | |||
11 | userdb { | ||
12 | driver = passwd-file | ||
13 | args = username_format=%u /etc/dovecot/users | ||
14 | |||
15 | # Default fields that can be overridden by passwd-file | ||
16 | #default_fields = quota_rule=*:storage=1G | ||
17 | |||
18 | # Override fields from passwd-file | ||
19 | #override_fields = home=/home/virtual/%u | ||
20 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext new file mode 100644 index 0000000..ccbea86 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-sql.conf.ext | |||
@@ -0,0 +1,30 @@ | |||
1 | # Authentication for SQL users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/AuthDatabase.SQL.txt> | ||
4 | |||
5 | passdb { | ||
6 | driver = sql | ||
7 | |||
8 | # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext | ||
9 | args = /etc/dovecot/dovecot-sql.conf.ext | ||
10 | } | ||
11 | |||
12 | # "prefetch" user database means that the passdb already provided the | ||
13 | # needed information and there's no need to do a separate userdb lookup. | ||
14 | # <doc/wiki/UserDatabase.Prefetch.txt> | ||
15 | #userdb { | ||
16 | # driver = prefetch | ||
17 | #} | ||
18 | |||
19 | userdb { | ||
20 | driver = sql | ||
21 | args = /etc/dovecot/dovecot-sql.conf.ext | ||
22 | } | ||
23 | |||
24 | # If you don't have any user-specific settings, you can avoid the user_query | ||
25 | # by using userdb static instead of userdb sql, for example: | ||
26 | # <doc/wiki/UserDatabase.Static.txt> | ||
27 | #userdb { | ||
28 | #driver = static | ||
29 | #args = uid=vmail gid=vmail home=/var/vmail/%u | ||
30 | #} | ||
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext new file mode 100644 index 0000000..90890c5 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-static.conf.ext | |||
@@ -0,0 +1,24 @@ | |||
1 | # Static passdb. Included from 10-auth.conf. | ||
2 | |||
3 | # This can be used for situations where Dovecot doesn't need to verify the | ||
4 | # username or the password, or if there is a single password for all users: | ||
5 | # | ||
6 | # - proxy frontend, where the backend verifies the password | ||
7 | # - proxy backend, where the frontend already verified the password | ||
8 | # - authentication with SSL certificates | ||
9 | # - simple testing | ||
10 | |||
11 | #passdb { | ||
12 | # driver = static | ||
13 | # args = proxy=y host=%1Mu.example.com nopassword=y | ||
14 | #} | ||
15 | |||
16 | #passdb { | ||
17 | # driver = static | ||
18 | # args = password=test | ||
19 | #} | ||
20 | |||
21 | #userdb { | ||
22 | # driver = static | ||
23 | # args = uid=vmail gid=vmail home=/home/%u | ||
24 | #} | ||
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext new file mode 100644 index 0000000..dadb9f7 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-system.conf.ext | |||
@@ -0,0 +1,74 @@ | |||
1 | # Authentication for system users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/PasswordDatabase.txt> | ||
4 | # <doc/wiki/UserDatabase.txt> | ||
5 | |||
6 | # PAM authentication. Preferred nowadays by most systems. | ||
7 | # PAM is typically used with either userdb passwd or userdb static. | ||
8 | # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM | ||
9 | # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt> | ||
10 | passdb { | ||
11 | driver = pam | ||
12 | # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>] | ||
13 | # [cache_key=<key>] [<service name>] | ||
14 | #args = dovecot | ||
15 | } | ||
16 | |||
17 | # System users (NSS, /etc/passwd, or similar). | ||
18 | # In many systems nowadays this uses Name Service Switch, which is | ||
19 | # configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt> | ||
20 | #passdb { | ||
21 | #driver = passwd | ||
22 | # [blocking=no] | ||
23 | #args = | ||
24 | #} | ||
25 | |||
26 | # Shadow passwords for system users (NSS, /etc/shadow or similar). | ||
27 | # Deprecated by PAM nowadays. | ||
28 | # <doc/wiki/PasswordDatabase.Shadow.txt> | ||
29 | #passdb { | ||
30 | #driver = shadow | ||
31 | # [blocking=no] | ||
32 | #args = | ||
33 | #} | ||
34 | |||
35 | # PAM-like authentication for OpenBSD. | ||
36 | # <doc/wiki/PasswordDatabase.BSDAuth.txt> | ||
37 | #passdb { | ||
38 | #driver = bsdauth | ||
39 | # [blocking=no] [cache_key=<key>] | ||
40 | #args = | ||
41 | #} | ||
42 | |||
43 | ## | ||
44 | ## User databases | ||
45 | ## | ||
46 | |||
47 | # System users (NSS, /etc/passwd, or similar). In many systems nowadays this | ||
48 | # uses Name Service Switch, which is configured in /etc/nsswitch.conf. | ||
49 | userdb { | ||
50 | # <doc/wiki/AuthDatabase.Passwd.txt> | ||
51 | driver = passwd | ||
52 | # [blocking=no] | ||
53 | #args = | ||
54 | |||
55 | # Override fields from passwd | ||
56 | #override_fields = home=/home/virtual/%u | ||
57 | } | ||
58 | |||
59 | # Static settings generated from template <doc/wiki/UserDatabase.Static.txt> | ||
60 | #userdb { | ||
61 | #driver = static | ||
62 | # Can return anything a userdb could normally return. For example: | ||
63 | # | ||
64 | # args = uid=500 gid=500 home=/var/mail/%u | ||
65 | # | ||
66 | # LDA and LMTP needs to look up users only from the userdb. This of course | ||
67 | # doesn't work with static userdb because there is no list of users. | ||
68 | # Normally static userdb handles this by doing a passdb lookup. This works | ||
69 | # with most passdbs, with PAM being the most notable exception. If you do | ||
70 | # the user verification another way, you can add allow_all_users=yes to | ||
71 | # the args in which case the passdb lookup is skipped. | ||
72 | # | ||
73 | #args = | ||
74 | #} | ||
diff --git a/roles/dovecot/files/default.sieve b/roles/dovecot/files/default.sieve new file mode 100644 index 0000000..6709988 --- /dev/null +++ b/roles/dovecot/files/default.sieve | |||
@@ -0,0 +1,22 @@ | |||
1 | require ["fileinto", "mailbox"]; | ||
2 | /* | ||
3 | * Discard mail that has a spam score greater than or equal to 5 | ||
4 | */ | ||
5 | if header :contains "X-Spam-Level" "*****" { | ||
6 | discard; | ||
7 | stop; | ||
8 | } | ||
9 | /* | ||
10 | * Discard messages marked as infected by virus scanner | ||
11 | */ | ||
12 | if header :contains "X-Virus-Scan" "infected" { | ||
13 | discard; | ||
14 | stop; | ||
15 | } | ||
16 | /* | ||
17 | * If message is marked as spam (and falls below discard threshold) put into spam mailbox | ||
18 | */ | ||
19 | if header :contains "X-Spam-Flag" "YES" { | ||
20 | fileinto "Spam"; | ||
21 | } | ||
22 | |||
diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf new file mode 100644 index 0000000..14a4cf0 --- /dev/null +++ b/roles/dovecot/files/dovecot.conf | |||
@@ -0,0 +1,16 @@ | |||
1 | # Enable installed protocols | ||
2 | !include_try /usr/share/dovecot/protocols.d/*.protocol | ||
3 | |||
4 | dict { | ||
5 | #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext | ||
6 | #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext | ||
7 | } | ||
8 | |||
9 | # Most of the actual configuration gets included below. The filenames are | ||
10 | # first sorted by their ASCII value and parsed in that order. The 00-prefixes | ||
11 | # in filenames are intended to make it easier to understand the ordering. | ||
12 | !include conf.d/*.conf | ||
13 | |||
14 | # A config file can also tried to be included without giving an error if | ||
15 | # it's not found: | ||
16 | !include_try local.conf | ||
diff --git a/roles/dovecot/files/dovecot_pam b/roles/dovecot/files/dovecot_pam new file mode 100644 index 0000000..af0e0dd --- /dev/null +++ b/roles/dovecot/files/dovecot_pam | |||
@@ -0,0 +1,8 @@ | |||
1 | #%PAM-1.0 | ||
2 | |||
3 | @include common-auth | ||
4 | @include common-account | ||
5 | @include common-session | ||
6 | |||
7 | auth required pam_unix.so | ||
8 | account required pam_unix.so | ||
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/dovecot/handlers/main.yml | |||
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml new file mode 100644 index 0000000..ce5eb2c --- /dev/null +++ b/roles/dovecot/tasks/main.yml | |||
@@ -0,0 +1,67 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - dovecot-imapd | ||
5 | - dovecot-sieve | ||
6 | state: latest | ||
7 | |||
8 | - name: deploy dovecot.conf | ||
9 | copy: | ||
10 | src: dovecot.conf | ||
11 | dest: /etc/dovecot/dovecot.conf | ||
12 | owner: root | ||
13 | group: root | ||
14 | mode: '0644' | ||
15 | |||
16 | - name: deploy dovecot configuration files | ||
17 | copy: | ||
18 | src: "{{ item }}" | ||
19 | dest: /etc/dovecot/conf.d/ | ||
20 | owner: root | ||
21 | group: root | ||
22 | mode: '0644' | ||
23 | with_fileglob: "files/conf.d/*" | ||
24 | |||
25 | - name: deploy dovecot tls configuration file | ||
26 | template: | ||
27 | src: templates/10-ssl.conf.j2 | ||
28 | dest: /etc/dovecot/conf.d/10-ssl.conf | ||
29 | owner: root | ||
30 | group: root | ||
31 | mode: '0644' | ||
32 | |||
33 | - name: create sieve dir | ||
34 | file: | ||
35 | path: /var/lib/dovecot/sieve | ||
36 | state: directory | ||
37 | |||
38 | - name: deploy default sieve script | ||
39 | copy: | ||
40 | src: default.sieve | ||
41 | dest: /var/lib/dovecot/sieve/default.sieve | ||
42 | owner: root | ||
43 | group: root | ||
44 | mode: '0644' | ||
45 | |||
46 | - name: compile default sieve script | ||
47 | command: | ||
48 | cmd: sievec /var/lib/dovecot/sieve/default.sieve | ||
49 | |||
50 | - name: deploy dovecot PAM configuration | ||
51 | copy: | ||
52 | src: dovecot_pam | ||
53 | dest: /etc/pam.d/dovecot | ||
54 | owner: root | ||
55 | group: root | ||
56 | mode: '0644' | ||
57 | |||
58 | - name: enable dovecot | ||
59 | systemd: | ||
60 | enabled: yes | ||
61 | masked: no | ||
62 | name: dovecot | ||
63 | |||
64 | - name: restart dovecot | ||
65 | service: | ||
66 | name: dovecot | ||
67 | state: restarted | ||
diff --git a/roles/dovecot/templates/10-ssl.conf.j2 b/roles/dovecot/templates/10-ssl.conf.j2 new file mode 100644 index 0000000..8efa1d2 --- /dev/null +++ b/roles/dovecot/templates/10-ssl.conf.j2 | |||
@@ -0,0 +1,20 @@ | |||
1 | # SSL/TLS Configuration | ||
2 | ssl = required | ||
3 | ssl_key = "</etc/letsencrypt/live/{{ mail_domain }}/privkey.pem" | ||
4 | ssl_cert = "</etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem" | ||
5 | ssl_client_ca_dir = /etc/ssl/certs | ||
6 | ssl_dh = </usr/share/dovecot/dh.pem | ||
7 | |||
8 | # Mozilla modern compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS) | ||
9 | # This is here for future use - Dovecot does not support using only TLSv1.3 right now. | ||
10 | #ssl_min_protocol = TLSv1.3 | ||
11 | # Ciphers listed here are just for reference, DO NOT uncomment, this is not a valid | ||
12 | # openssl cipherlist | ||
13 | #ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 | ||
14 | |||
15 | # Mozilla intermediate compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS) | ||
16 | ssl_min_protocol = TLSv1.2 | ||
17 | ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL | ||
18 | |||
19 | ssl_prefer_server_ciphers = yes | ||
20 | ssl_client_require_valid_cert = yes | ||
diff --git a/roles/opendkim/defaults/main.yml b/roles/opendkim/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendkim/defaults/main.yml | |||
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendkim/handlers/main.yml | |||
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml new file mode 100644 index 0000000..b56081a --- /dev/null +++ b/roles/opendkim/tasks/main.yml | |||
@@ -0,0 +1,57 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - opendkim | ||
5 | - opendkim-tools | ||
6 | state: latest | ||
7 | |||
8 | - name: create dkimkeys directory | ||
9 | file: | ||
10 | path: /etc/dkimkeys | ||
11 | owner: opendkim | ||
12 | group: opendkim | ||
13 | mode: '700' | ||
14 | state: directory | ||
15 | |||
16 | - name: generate opendkim key | ||
17 | command: | ||
18 | cmd: "opendkim-genkey -D /etc/dkimkeys -d {{ domain }} -s {{ dkim_selector }}" | ||
19 | |||
20 | - name: rename dkim key file | ||
21 | command: "mv /etc/dkimkeys/{{ dkim_selector }}.private /etc/dkimkeys/{{ dkim_selector }}.pem" | ||
22 | args: | ||
23 | removes: "/etc/dkimkeys/{{ dkim_selector }}.private" | ||
24 | creates: "/etc/dkimkeys/{{ dkim_selector }}.pem" | ||
25 | |||
26 | - name: make directory for socket inside postfix chroot | ||
27 | file: | ||
28 | path: /var/spool/postfix/opendkim | ||
29 | owner: opendkim | ||
30 | group: opendkim | ||
31 | mode: '770' | ||
32 | state: directory | ||
33 | |||
34 | - name: add postfix user to opendkim group | ||
35 | user: | ||
36 | name: postfix | ||
37 | groups: opendkim | ||
38 | append: yes | ||
39 | |||
40 | - name: deploy configuration | ||
41 | template: | ||
42 | src: opendkim.conf.j2 | ||
43 | dest: /etc/opendkim.conf | ||
44 | owner: root | ||
45 | group: root | ||
46 | mode: '0644' | ||
47 | |||
48 | - name: enable opendkim | ||
49 | systemd: | ||
50 | enabled: yes | ||
51 | masked: no | ||
52 | name: opendkim | ||
53 | |||
54 | - name: restart opendkim | ||
55 | service: | ||
56 | name: opendkim | ||
57 | state: restarted | ||
diff --git a/roles/opendkim/templates/opendkim.conf.j2 b/roles/opendkim/templates/opendkim.conf.j2 new file mode 100644 index 0000000..d3335a2 --- /dev/null +++ b/roles/opendkim/templates/opendkim.conf.j2 | |||
@@ -0,0 +1,21 @@ | |||
1 | # OpenDKIM Configuration | ||
2 | On-BadSignature reject | ||
3 | On-Security reject | ||
4 | Syslog yes | ||
5 | SyslogSuccess yes | ||
6 | LogResults yes | ||
7 | Canonicalization simple | ||
8 | Mode sv | ||
9 | OversignHeaders From | ||
10 | Domain {{ domain }} | ||
11 | Selector {{ dkim_selector }} | ||
12 | KeyFile /etc/dkimkeys/{{ dkim_selector }}.pem | ||
13 | UserID opendkim | ||
14 | UMask 007 | ||
15 | Socket local:/var/spool/postfix/opendkim/opendkim.sock | ||
16 | PidFile /run/opendkim/opendkim.pid | ||
17 | TemporaryDirectory /run/opendkim | ||
18 | InternalHosts 127.0.0.1 | ||
19 | TrustAnchorFile /usr/share/dns/root.key | ||
20 | RequireSafeKeys True | ||
21 | AlwaysAddARHeader True | ||
diff --git a/roles/opendmarc/defaults/main.yml b/roles/opendmarc/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendmarc/defaults/main.yml | |||
diff --git a/roles/opendmarc/files/opendmarc.conf b/roles/opendmarc/files/opendmarc.conf new file mode 100644 index 0000000..85a05c2 --- /dev/null +++ b/roles/opendmarc/files/opendmarc.conf | |||
@@ -0,0 +1,11 @@ | |||
1 | # OpenDMARC Configuration | ||
2 | PidFile /run/opendmarc/opendmarc.pid | ||
3 | PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat | ||
4 | RejectFailures True | ||
5 | Socket local:/var/spool/postfix/opendmarc/opendmarc.sock | ||
6 | Syslog True | ||
7 | SyslogFacility mail | ||
8 | UMask 002 | ||
9 | UserID opendmarc | ||
10 | SPFIgnoreResults True | ||
11 | SPFSelfValidate True | ||
diff --git a/roles/opendmarc/handlers/main.yml b/roles/opendmarc/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/opendmarc/handlers/main.yml | |||
diff --git a/roles/opendmarc/tasks/main.yml b/roles/opendmarc/tasks/main.yml new file mode 100644 index 0000000..6c2fb8b --- /dev/null +++ b/roles/opendmarc/tasks/main.yml | |||
@@ -0,0 +1,39 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - opendmarc | ||
5 | - dbconfig-no-thanks | ||
6 | state: latest | ||
7 | |||
8 | - name: make directory for socket inside postfix chroot | ||
9 | file: | ||
10 | path: /var/spool/postfix/opendmarc | ||
11 | owner: opendmarc | ||
12 | group: opendmarc | ||
13 | mode: '770' | ||
14 | state: directory | ||
15 | |||
16 | - name: add postfix user to opendmarc group | ||
17 | user: | ||
18 | name: postfix | ||
19 | groups: opendmarc | ||
20 | append: yes | ||
21 | |||
22 | - name: deploy configuration | ||
23 | copy: | ||
24 | src: opendmarc.conf | ||
25 | dest: /etc/opendmarc.conf | ||
26 | owner: root | ||
27 | group: root | ||
28 | mode: '0644' | ||
29 | |||
30 | - name: enable opendmarc | ||
31 | systemd: | ||
32 | enabled: yes | ||
33 | masked: no | ||
34 | name: opendmarc | ||
35 | |||
36 | - name: restart opendmarc | ||
37 | service: | ||
38 | name: opendmarc | ||
39 | state: restarted | ||
diff --git a/roles/policyd_spf/defaults/main.yml b/roles/policyd_spf/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/policyd_spf/defaults/main.yml | |||
diff --git a/roles/policyd_spf/files/policyd-spf.conf b/roles/policyd_spf/files/policyd-spf.conf new file mode 100644 index 0000000..7fba9ba --- /dev/null +++ b/roles/policyd_spf/files/policyd-spf.conf | |||
@@ -0,0 +1,8 @@ | |||
1 | # postfix-policyd-spf configuration | ||
2 | debugLevel = 1 | ||
3 | TestOnly = 1 | ||
4 | HELO_reject = Fail | ||
5 | Mail_From_reject = Fail | ||
6 | PermError_reject = True | ||
7 | TempError_Defer = True | ||
8 | Header_Type = AR | ||
diff --git a/roles/policyd_spf/handlers/main.yml b/roles/policyd_spf/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/policyd_spf/handlers/main.yml | |||
diff --git a/roles/policyd_spf/tasks/main.yml b/roles/policyd_spf/tasks/main.yml new file mode 100644 index 0000000..48aa12d --- /dev/null +++ b/roles/policyd_spf/tasks/main.yml | |||
@@ -0,0 +1,13 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - postfix-policyd-spf-python | ||
5 | state: latest | ||
6 | |||
7 | - name: deploy configuration | ||
8 | copy: | ||
9 | src: policyd-spf.conf | ||
10 | dest: /etc/postfix-policyd-spf-python/policyd-spf.conf | ||
11 | owner: root | ||
12 | group: root | ||
13 | mode: '0644' | ||
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postfix/defaults/main.yml | |||
diff --git a/roles/postfix/files/body_checks b/roles/postfix/files/body_checks new file mode 100644 index 0000000..795c922 --- /dev/null +++ b/roles/postfix/files/body_checks | |||
@@ -0,0 +1,2 @@ | |||
1 | #Block iframe vulnerability | ||
2 | /<iframe/ REJECT | ||
diff --git a/roles/postfix/files/header_checks b/roles/postfix/files/header_checks new file mode 100644 index 0000000..f655904 --- /dev/null +++ b/roles/postfix/files/header_checks | |||
@@ -0,0 +1,11 @@ | |||
1 | #Block attachments with executable extensions | ||
2 | /name=[^>]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT | ||
3 | # Block message/partial vulnerability | ||
4 | /message\/partial/ REJECT | ||
5 | # CVE-2022-1328 mitigation - block messages with uuencode | ||
6 | /^Content-Transfer-Encoding:.*uuencode.*/ REJECT | ||
7 | # Remove Received string that is created when spamassassin reinjects message into postfix | ||
8 | # This is to prevent leaking the userid of the spamassassin user | ||
9 | /^Received:.*userid.*/ IGNORE | ||
10 | # Remove User-Agent strings from headers | ||
11 | /^User-Agent: .*/ IGNORE | ||
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postfix/handlers/main.yml | |||
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml new file mode 100644 index 0000000..0b482ea --- /dev/null +++ b/roles/postfix/tasks/main.yml | |||
@@ -0,0 +1,84 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - postfix | ||
5 | state: latest | ||
6 | |||
7 | - name: deploy postfix main.cf | ||
8 | template: | ||
9 | src: main.cf.j2 | ||
10 | dest: /etc/postfix/main.cf | ||
11 | owner: root | ||
12 | group: root | ||
13 | mode: '0644' | ||
14 | |||
15 | - name: deploy postfix master.cf | ||
16 | template: | ||
17 | src: master.cf.j2 | ||
18 | dest: /etc/postfix/master.cf | ||
19 | owner: root | ||
20 | group: root | ||
21 | mode: '0644' | ||
22 | |||
23 | - name: create mailadmin user | ||
24 | user: | ||
25 | name: mailadmin | ||
26 | shell: /usr/sbin/nologin | ||
27 | password_lock: yes | ||
28 | |||
29 | - name: deploy aliases file | ||
30 | template: | ||
31 | src: aliases | ||
32 | dest: /etc/aliases | ||
33 | owner: root | ||
34 | group: root | ||
35 | mode: '0644' | ||
36 | |||
37 | - name: deploy login_maps | ||
38 | template: | ||
39 | src: login_maps | ||
40 | dest: /etc/postfix/login_maps | ||
41 | owner: root | ||
42 | group: root | ||
43 | mode: '0644' | ||
44 | |||
45 | - name: deploy local_maps | ||
46 | template: | ||
47 | src: local_maps | ||
48 | dest: /etc/postfix/local_maps | ||
49 | owner: root | ||
50 | group: root | ||
51 | mode: '0644' | ||
52 | |||
53 | - name: update address databases | ||
54 | shell: | | ||
55 | newaliases | ||
56 | postmap /etc/postfix/login_maps | ||
57 | postmap /etc/postfix/local_maps | ||
58 | |||
59 | - name: deploy header checks file | ||
60 | copy: | ||
61 | src: header_checks | ||
62 | dest: /etc/postfix/header_checks | ||
63 | owner: root | ||
64 | group: root | ||
65 | mode: '0644' | ||
66 | |||
67 | - name: deploy body checks file | ||
68 | copy: | ||
69 | src: body_checks | ||
70 | dest: /etc/postfix/body_checks | ||
71 | owner: root | ||
72 | group: root | ||
73 | mode: '0644' | ||
74 | |||
75 | - name: enable postfix | ||
76 | systemd: | ||
77 | enabled: yes | ||
78 | masked: no | ||
79 | name: postfix | ||
80 | |||
81 | - name: restart postfix | ||
82 | service: | ||
83 | name: postfix | ||
84 | state: restarted | ||
diff --git a/roles/postfix/templates/aliases b/roles/postfix/templates/aliases new file mode 100644 index 0000000..6cb2ca6 --- /dev/null +++ b/roles/postfix/templates/aliases | |||
@@ -0,0 +1,3 @@ | |||
1 | postmaster: mailadmin | ||
2 | root: mailadmin | ||
3 | dmarc: mailadmin | ||
diff --git a/roles/postfix/templates/local_maps b/roles/postfix/templates/local_maps new file mode 100644 index 0000000..57592f9 --- /dev/null +++ b/roles/postfix/templates/local_maps | |||
@@ -0,0 +1 @@ | |||
mailadmin mailadmin | |||
diff --git a/roles/postfix/templates/login_maps b/roles/postfix/templates/login_maps new file mode 100644 index 0000000..d3ace34 --- /dev/null +++ b/roles/postfix/templates/login_maps | |||
@@ -0,0 +1 @@ | |||
mailadmin@{{ domain }} mailadmin | |||
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 new file mode 100644 index 0000000..8a2d767 --- /dev/null +++ b/roles/postfix/templates/main.cf.j2 | |||
@@ -0,0 +1,69 @@ | |||
1 | smtpd_banner = $myhostname ESMTP $mail_name | ||
2 | biff = no | ||
3 | |||
4 | # appending .domain is the MUA's job. | ||
5 | append_dot_mydomain = no | ||
6 | |||
7 | # Uncomment the next line to generate "delayed mail" warnings | ||
8 | #delay_warning_time = 4h | ||
9 | |||
10 | readme_directory = no | ||
11 | |||
12 | # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on | ||
13 | # fresh installs. | ||
14 | compatibility_level = 2 | ||
15 | |||
16 | # TLS parameters | ||
17 | smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem | ||
18 | smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem | ||
19 | smtpd_tls_security_level = encrypt | ||
20 | smtp_tls_CApath=/etc/ssl/certs | ||
21 | smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt | ||
22 | smtp_tls_security_level = encrypt | ||
23 | smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache | ||
24 | |||
25 | smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination | ||
26 | myhostname = {{ mail_domain }} | ||
27 | alias_maps = hash:/etc/aliases | ||
28 | alias_database = hash:/etc/aliases | ||
29 | myorigin = $mydomain | ||
30 | mydestination = $myhostname, $mydomain, localhost | ||
31 | relayhost = | ||
32 | mynetworks = 127.0.0.0/8 [::1]/128 | ||
33 | mailbox_size_limit = 0 | ||
34 | recipient_delimiter = + | ||
35 | inet_interfaces = all | ||
36 | inet_protocols = ipv4 | ||
37 | smtpd_tls_auth_only = yes | ||
38 | smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
39 | smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
40 | smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
41 | smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
42 | tls_preempt_cipherlist = yes | ||
43 | smtpd_tls_ciphers = high | ||
44 | smtpd_tls_mandatory_ciphers = high | ||
45 | smtp_tls_ciphers = high | ||
46 | smtp_tls_mandatory_ciphers = high | ||
47 | smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH | ||
48 | smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH | ||
49 | smtpd_sasl_type = dovecot | ||
50 | smtpd_sasl_path = private/auth | ||
51 | smtpd_sasl_auth_enable = yes | ||
52 | smtpd_sasl_security_options = noanonymous, noplaintext | ||
53 | smtpd_sasl_tls_security_options = noanonymous | ||
54 | smtpd_helo_required = yes | ||
55 | smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps | ||
56 | smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname | ||
57 | smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain | ||
58 | smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org | ||
59 | smtpd_data_restrictions = reject_unauth_pipelining | ||
60 | disable_vrfy_command = yes | ||
61 | local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps | ||
62 | home_mailbox = Mail/Inbox/ | ||
63 | mailbox_command = /usr/lib/dovecot/deliver | ||
64 | header_checks = regexp:/etc/postfix/header_checks | ||
65 | body_checks = regexp:/etc/postfix/body_checks | ||
66 | postscreen_dnsbl_sites = zen.spamhaus.org | ||
67 | postscreen_dnsbl_action = enforce | ||
68 | postscreen_greet_action = enforce | ||
69 | policyd-spf_time_limit = 3600 | ||
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2 new file mode 100644 index 0000000..ea64537 --- /dev/null +++ b/roles/postfix/templates/master.cf.j2 | |||
@@ -0,0 +1,84 @@ | |||
1 | # ========================================================================== | ||
2 | # service type private unpriv chroot wakeup maxproc command + args | ||
3 | # (yes) (yes) (no) (never) (100) | ||
4 | # ========================================================================== | ||
5 | smtp inet n - y - 1 postscreen | ||
6 | pickup unix n - y 60 1 pickup | ||
7 | cleanup unix n - y - 0 cleanup | ||
8 | qmgr unix n - n 300 1 qmgr | ||
9 | tlsmgr unix - - y 1000? 1 tlsmgr | ||
10 | rewrite unix - - y - - trivial-rewrite | ||
11 | bounce unix - - y - 0 bounce | ||
12 | defer unix - - y - 0 bounce | ||
13 | trace unix - - y - 0 bounce | ||
14 | verify unix - - y - 1 verify | ||
15 | flush unix n - y 1000? 0 flush | ||
16 | proxymap unix - - n - - proxymap | ||
17 | proxywrite unix - - n - 1 proxymap | ||
18 | smtp unix - - y - - smtp | ||
19 | relay unix - - y - - smtp | ||
20 | -o syslog_name=postfix/$service_name | ||
21 | showq unix n - y - - showq | ||
22 | error unix - - y - - error | ||
23 | retry unix - - y - - error | ||
24 | discard unix - - y - - discard | ||
25 | local unix - n n - - local | ||
26 | virtual unix - n n - - virtual | ||
27 | lmtp unix - - y - - lmtp | ||
28 | anvil unix - - y - 1 anvil | ||
29 | scache unix - - y - 1 scache | ||
30 | postlog unix-dgram n - n - 1 postlogd | ||
31 | |||
32 | # ==================================================================== | ||
33 | # Interfaces to non-Postfix software. Be sure to examine the manual | ||
34 | # pages of the non-Postfix software to find out what options it wants. | ||
35 | # | ||
36 | # Many of the following services use the Postfix pipe(8) delivery | ||
37 | # agent. See the pipe(8) man page for information about ${recipient} | ||
38 | # and other message envelope options. | ||
39 | # ==================================================================== | ||
40 | maildrop unix - n n - - pipe | ||
41 | flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} | ||
42 | |||
43 | uucp unix - n n - - pipe | ||
44 | flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) | ||
45 | |||
46 | ifmail unix - n n - - pipe | ||
47 | flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) | ||
48 | |||
49 | bsmtp unix - n n - - pipe | ||
50 | flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient | ||
51 | |||
52 | scalemail-backend unix - n n - 2 pipe | ||
53 | flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} | ||
54 | |||
55 | mailman unix - n n - - pipe | ||
56 | flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} | ||
57 | |||
58 | smtpd pass - - y - - smtpd | ||
59 | -o content_filter=spamassassin | ||
60 | -o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock | ||
61 | tlsproxy unix - - y - 0 tlsproxy | ||
62 | |||
63 | dnsblog unix - - y - 0 dnsblog | ||
64 | |||
65 | submissions inet n - y - - smtpd | ||
66 | -o smtpd_tls_wrappermode=yes | ||
67 | -o smtpd_tls_security_level=encrypt | ||
68 | -o smtpd_tls_auth_only=yes | ||
69 | -o smtpd_sasl_auth_enable=yes | ||
70 | -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject | ||
71 | -o smtpd_helo_restrictions= | ||
72 | -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch | ||
73 | -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject | ||
74 | -o syslog_name=postfix/submissions | ||
75 | -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2 | ||
76 | -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2 | ||
77 | -o smtpd_milters=unix:opendkim/opendkim.sock | ||
78 | |||
79 | spamassassin unix - n n - - pipe user=debian-spamd | ||
80 | argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi | ||
81 | -f ${sender} ${recipient} | ||
82 | |||
83 | policyd-spf unix - n n - 0 spawn user=policyd-spf | ||
84 | argv=/usr/bin/policyd-spf | ||
diff --git a/roles/postgrey/defaults/main.yml b/roles/postgrey/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postgrey/defaults/main.yml | |||
diff --git a/roles/postgrey/files/postgrey b/roles/postgrey/files/postgrey new file mode 100644 index 0000000..d9a79d5 --- /dev/null +++ b/roles/postgrey/files/postgrey | |||
@@ -0,0 +1,2 @@ | |||
1 | POSTGREY_OPTS="--unix=/var/spool/postfix/private/postgrey --privacy" | ||
2 | POSTGREY_TEXT="Greylisted - see https://www.greylisting.org" | ||
diff --git a/roles/postgrey/handlers/main.yml b/roles/postgrey/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/postgrey/handlers/main.yml | |||
diff --git a/roles/postgrey/tasks/main.yml b/roles/postgrey/tasks/main.yml new file mode 100644 index 0000000..7c0caa7 --- /dev/null +++ b/roles/postgrey/tasks/main.yml | |||
@@ -0,0 +1,24 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - postgrey | ||
5 | state: latest | ||
6 | |||
7 | - name: deploy configuration | ||
8 | copy: | ||
9 | src: postgrey | ||
10 | dest: /etc/default/postgrey | ||
11 | owner: root | ||
12 | group: root | ||
13 | mode: '0644' | ||
14 | |||
15 | - name: enable postgrey | ||
16 | systemd: | ||
17 | enabled: yes | ||
18 | masked: no | ||
19 | name: postgrey | ||
20 | |||
21 | - name: restart postgrey | ||
22 | service: | ||
23 | name: postgrey | ||
24 | state: restarted | ||
diff --git a/roles/spamassassin/defaults/main.yml b/roles/spamassassin/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/spamassassin/defaults/main.yml | |||
diff --git a/roles/spamassassin/files/defaults b/roles/spamassassin/files/defaults new file mode 100644 index 0000000..a38795c --- /dev/null +++ b/roles/spamassassin/files/defaults | |||
@@ -0,0 +1,9 @@ | |||
1 | OPTIONS="--listen /var/run/spamd.sock --max-children 5 --socketpath=/var/spool/postfix/spamd/spamd.sock --socketowner root --socketgroup root --socketmode 0666" | ||
2 | |||
3 | PIDFILE=/var/run/spamd.pid | ||
4 | |||
5 | # Cronjob | ||
6 | # Set to anything but 0 to enable the cron job to automatically update | ||
7 | # spamassassin's rules on a nightly basis | ||
8 | CRON=1 | ||
9 | |||
diff --git a/roles/spamassassin/handlers/main.yml b/roles/spamassassin/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/spamassassin/handlers/main.yml | |||
diff --git a/roles/spamassassin/tasks/main.yml b/roles/spamassassin/tasks/main.yml new file mode 100644 index 0000000..4c69be5 --- /dev/null +++ b/roles/spamassassin/tasks/main.yml | |||
@@ -0,0 +1,40 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - spamassassin | ||
5 | state: latest | ||
6 | |||
7 | - name: make directory in postfix chroot | ||
8 | file: | ||
9 | path: /var/spool/postfix/spamd | ||
10 | owner: root | ||
11 | group: root | ||
12 | mode: '0755' | ||
13 | state: directory | ||
14 | |||
15 | - name: deploy configuration | ||
16 | template: | ||
17 | src: local.cf.j2 | ||
18 | dest: /etc/spamassassin/local.cf | ||
19 | owner: root | ||
20 | group: root | ||
21 | mode: '0644' | ||
22 | |||
23 | - name: deploy defaults file | ||
24 | copy: | ||
25 | src: defaults | ||
26 | dest: /etc/default/spamd | ||
27 | owner: root | ||
28 | group: root | ||
29 | mode: '0644' | ||
30 | |||
31 | - name: enable spamassassin | ||
32 | systemd: | ||
33 | enabled: yes | ||
34 | masked: no | ||
35 | name: spamd | ||
36 | |||
37 | - name: restart spamassassin | ||
38 | service: | ||
39 | name: spamd | ||
40 | state: restarted | ||
diff --git a/roles/spamassassin/templates/local.cf.j2 b/roles/spamassassin/templates/local.cf.j2 new file mode 100644 index 0000000..1fdc978 --- /dev/null +++ b/roles/spamassassin/templates/local.cf.j2 | |||
@@ -0,0 +1,18 @@ | |||
1 | # SpamAssassin Configuration | ||
2 | # Clearly indicate message is spam to user | ||
3 | rewrite_header Subject *****SPAM***** | ||
4 | rewrite_header From *****SPAM***** | ||
5 | |||
6 | # Halves default spam score thus implementing a very strict spam policy | ||
7 | # Comment or edit as needed for your deployment | ||
8 | required_score {{ spam_score }} | ||
9 | |||
10 | # Attach original messages as text/plain instead of message/rfc822 to spam reports | ||
11 | # This is basically a safety net to prevent mail clients from automatically loading | ||
12 | # attached spam messages. Note though that this makes the original message harder to recover | ||
13 | # If this is not something you are worried about, comment the next line to use the default. | ||
14 | report_safe 2 | ||
15 | |||
16 | # This specifies languages considered OK for incoming mail | ||
17 | # If you expect to receive mail in non-western character sets, comment or edit as needed | ||
18 | ok_locales {{ sa_locales }} | ||