# ansible-mailserver

ansible-mailserver is an Ansible playbook to deploy a simple Postfix/Dovecot mail server.

## Features

Simple one-command installation and configuration of your very own mail server. Includes a host of defenses needed when dealing with the world of internet mail:

- postscreen - inbound SMTP connection filtering
- postgrey - greylisting utility
- policyd-spf - SPF validation
- spamassassin - spam filter
- opendkim - DKIM signing and verification
- opendmarc - DMARC verification

## Usage

### Prerequisites

Before running the playbook you will need the following DNS records in place:

- An A record for your base domain
- An A record for the `mail` subdomain
- A PTR record for your mail server's IP address, pointing back at the `mail` hostname (forward-confirmed reverse DNS; many receiving servers reject or greylist mail from hosts without it)

### Clone the repository

```
git clone https://git.chudnick.com/ansible-mailserver
```

### Modify the inventory

Modify `inventory.yml` for your deployment. At a minimum, change `mail.example.com` to the FQDN of your mail server and change `ansible_user` and `remote_user` to the name of your account on the mail server.

### Modify vars.yml

Modify `group_vars/all/vars.yml` for your deployment. Below is a list of the variables and their function:

- `domain` - base domain
- `mail_domain` - hostname of your mail server, also used as the common name on the TLS certificate
- `dkim_selector` - selector for your DKIM keys
- `spam_score` - SpamAssassin score at or above which mail is considered spam
- `sa_locales` - locales in which SpamAssassin expects to receive mail; mail in any locale not listed is considered spam
- `cert_email` - the email address used to obtain a Let's Encrypt certificate

You must set `domain` to your domain name. All other changes are optional.

### Run the playbook

From the repo root directory run:

```
ansible-playbook run.yml -i inventory.yml --ask-become-pass
```

If you have passwordless sudo configured, `--ask-become-pass` is not necessary.

### Set DNS records

The playbook finishes by generating the DNS records that receiving servers need in order to verify your mail.
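The generated records are in BIND9 zone-file syntax, which most DNS providers' web consoles will not accept verbatim; a DKIM TXT record in particular is written as several quoted strings inside parentheses that have to be concatenated into one value. As an added example that is not part of the playbook, the script below pulls name, type and value out of such a file so each record can be pasted into any provider. The file layout it assumes (one record per line, optional TTL and class, parenthesised multi-string TXT rdata, `;` comments) and the sample records embedded in it are constructed for illustration, not taken from the playbook's output.

```python
"""Extract name/type/value triples from a BIND9-style DNS records file.

Added example; it is not part of the ansible-mailserver playbook. It assumes
the generated file uses ordinary zone-file syntax: one record per line, an
optional TTL and class, long TXT rdata split into several quoted strings
inside parentheses (as opendkim-genkey writes it), and ';' comments.
"""
import re
import sys

# Constructed sample in that layout; the DKIM public key is a placeholder,
# not a real key.
SAMPLE_RECORDS = """\
; constructed sample records for example.com
example.com.            IN  MX  10 mail.example.com.
example.com.            IN  TXT "v=spf1 mx -all"
_dmarc.example.com.     IN  TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"
mail._domainkey.example.com. IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyz"
          "AbCdEfGh0123456789" )  ; ----- DKIM key mail for example.com
"""

# A double-quoted string, allowing backslash escapes inside it
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# owner  [ttl]  [class]  type  rdata
_RECORD = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(?:(?:IN|CH|HS)\s+)?([A-Z]+)\s+(.*)$")


def _strip_comment(line):
    """Drop a ';' comment, but only when the ';' is outside double quotes:
    DKIM and DMARC values contain ';' inside their quoted strings."""
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":          # skip an escaped character, e.g. \" or \;
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
        i += 1
    return line


def _logical_lines(text):
    """Yield one string per record, joining '(' ... ')' continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line and depth == 0:
            continue
        # Count parentheses outside quoted strings only
        unquoted = _QUOTED.sub("", line)
        depth += unquoted.count("(") - unquoted.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0
    if buf:  # unbalanced parentheses at end of file: emit what we have
        yield " ".join(buf)


def _unescape(s):
    """Resolve backslash escapes inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", s)


def extract_records(text):
    """Return [{'name', 'type', 'value'}, ...] for each record in text.
    TXT rdata comes back as one string with its quoted pieces joined,
    which is the form a DNS provider's console expects."""
    records = []
    for logical in _logical_lines(text):
        m = _RECORD.match(logical)
        if not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        if rtype == "TXT":
            value = "".join(_unescape(s) for s in _QUOTED.findall(rdata))
        else:
            value = " ".join(rdata.replace("(", " ").replace(")", " ").split())
        records.append({"name": name, "type": rtype, "value": value})
    return records


if __name__ == "__main__":
    # Usage: python3 extract_dns.py /home/root/dns_records
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RECORDS
    for rec in extract_records(text):
        print(f"{rec['name']}\t{rec['type']}\t{rec['value']}")
```

Run it with the path to the generated file as its only argument; with no argument it parses the embedded sample. After publishing, confirm the DKIM value landed intact with `dig +short TXT <selector>._domainkey.<domain>`: a key that was pasted with its pieces separated by spaces or truncated at 255 characters will fail verification at receivers.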
You can find these records in `/home/root/dns_records` once the playbook finishes. The records are in BIND9 format, but the values can be extracted for use on any DNS provider.

## FAQ

### Distros

This has only been tested on Debian 12 and 13, which are currently the only "supported" releases. It will likely also work with current versions of Ubuntu, but may require some modifications. YMMV with any non-Debian-based distro.

### Users

This configuration authenticates against local system accounts. In addition, Postfix login maps and local recipient maps are used so that only accounts explicitly listed in them can send and receive mail, rather than every user on the system. To create a new mail user, run the following script as root with the username as its argument:

```
#!/bin/sh
# Add a mail-only account. Usage (as root): ./add-mail-user.sh <username>
set -eu

username="$1"

# create unix account - do not allow user to login to system
useradd --shell /usr/sbin/nologin --create-home --user-group "$username"

# login map: the sender address this account may use once authenticated
echo "$username@$(cat /etc/mailname) $username" >> /etc/postfix/login_maps
postmap /etc/postfix/login_maps

# local recipient map: allow delivery to this account
echo "$username $username" >> /etc/postfix/local_maps
postmap /etc/postfix/local_maps

# reload postfix to make changes live
postfix reload

# set the user's password (this is also the password used for IMAP/SMTP login)
passwd "$username"
```

This creates a user on the system that is allowed to send and receive mail. As a security precaution, the user's shell is set to `/usr/sbin/nologin`, so the account can authenticate to the mail services but cannot obtain an interactive login on the server.

### Multiple Domains

The playbook configures the mail server for a single domain. Nothing in the configuration prevents a multi-domain setup, but adding domains requires manual changes to Postfix `main.cf`. Each additional domain also needs its own DNS records (MX, SPF, DKIM selector and DMARC), its own login map entries for the sender addresses on that domain, and DKIM signing configured for it in OpenDKIM.
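As an added illustration, not part of the playbook and not tested against the `main.cf` it generates, the fragments below show the usual Postfix way of accepting mail for a second domain by routing its addresses to existing local accounts through virtual alias maps. The domain `example.org`, the account `alice` and the map file path are placeholders; the playbook's generated settings, including its `login_maps` wiring, are assumed to stay as they are.

```conf
# /etc/postfix/main.cf (additions)
# Accept mail for the extra domain; its addresses are rewritten through the
# virtual map below. The domain must NOT also appear in mydestination, or
# Postfix will warn and the virtual lookup will not be used as intended.
virtual_alias_domains = example.org
virtual_alias_maps = hash:/etc/postfix/virtual

# /etc/postfix/virtual
# address on the extra domain -> existing local mail account
alice@example.org        alice
postmaster@example.org   alice

# /etc/postfix/login_maps (additional line, same format as the user script)
# let alice submit mail with her example.org address once authenticated
alice@example.org        alice
```

After editing, rebuild the lookup tables with `postmap /etc/postfix/virtual` and `postmap /etc/postfix/login_maps`, then run `postfix reload`. Sending as `alice@example.org` will still be rejected until the login map entry is in place, and receivers will not validate the new domain's mail until its SPF, DKIM and DMARC records are published.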