path: root/README.md
blob: 2335ab0ea06123e42df35f20761ec64b3fd34477 (plain)
# ansible-mailserver
ansible-mailserver is an Ansible playbook to deploy a simple postfix/dovecot mail server.

## Features
Simple one-command installation and configuration of your very own mail server.

Includes a host of defenses needed when dealing with the world of internet mail:

- postscreen - inbound SMTP connection filtering
- postgrey - greylisting utility
- policyd-spf - SPF validation
- spamassassin - spam filter
- opendkim - DKIM signing and verification
- opendmarc - DMARC verification

## Usage

### Prerequisites
Before running the playbook you will need to have the following:

- An A record for your base domain
- An A record for the `mail` subdomain
- A PTR record for your mail server

### Clone the repository
```
git clone https://git.chudnick.com/ansible-mailserver
```

### Modify the inventory
Modify the inventory.yml for your deployment.
At a minimum, change `mail.example.com` to the FQDN of your mail server and
change `ansible_user` and `remote_user` to the name of your account on the 
mail server.

### Modify vars.yml
Modify group\_vars/all/vars.yml for your deployment.
Below is a list of the variables and their function:

- domain - base domain
- mail_domain - hostname of your mail server and common name on the TLS certificate
- dkim_selector - selector for your DKIM keys
- spam_score - SpamAssassin score required for mail to be considered spam
- sa_locales - locales which SpamAssassin expects to receive mail in - any locale not listed is considered spam
- cert_email - the email used to get a LetsEncrypt certificate

You must modify `domain` with your domain name.  All other changes are optional.

### Run the playbook
From the repo root directory run:
```
ansible-playbook run.yml -i inventory.yml --ask-become-pass
```
If you have passwordless sudo configured, `--ask-become-pass` is not necessary.

### Set DNS records
The playbook finishes by generating the DNS records required for mail verification.
You can find these records under /home/root/dns\_records once the playbook finishes.
The records are in BIND9 format but the values can be extracted for use on any platform.
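To carry those values onto a DNS provider that does not accept BIND zone syntax, here is an added example (not part of the playbook) that parses the TXT records out of a constructed BIND-format snippet, joins the multi-string DKIM key the way a resolver would, and checks that the SPF, DMARC and DKIM records the playbook relies on are present with the expected version tags. The zone text, the domain `example.com` and the selector `mail` are assumed sample values.

```python
import re

# Constructed sample in BIND9 format (not the playbook's real output): SPF,
# DMARC, and a DKIM key split into several quoted strings, as BIND requires
# for TXT data longer than 255 bytes.
SAMPLE_ZONE = '''\
example.com.            IN TXT "v=spf1 mx -all"
_dmarc.example.com.     IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@example.com"
mail._domainkey.example.com. IN TXT ( "v=DKIM1; k=rsa; "
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"
        "morekeydata" )  ; ----- DKIM key mail for example.com
'''

# owner [ttl] [IN] TXT rdata  (rdata may span lines when parenthesised)
TXT_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*)$', re.S)


def parse_txt_records(zone_text):
    """Return {owner_without_trailing_dot: value} for every TXT record."""
    records = {}
    pending = ''
    for line in zone_text.splitlines():
        pending += line + '\n'
        # An unbalanced '(' means the record continues on the next line.
        if pending.count('(') > pending.count(')'):
            continue
        match = TXT_RE.match(pending)
        pending = ''
        if not match:
            continue
        owner, rdata = match.group(1), match.group(2)
        # Adjacent quoted strings are concatenated, which is how resolvers
        # treat multi-string TXT data; a ';' inside quotes is data, not comment.
        records[owner.rstrip('.')] = ''.join(re.findall(r'"([^"]*)"', rdata))
    return records


def check_records(records, domain, selector):
    """List problems with the three records mail verification depends on."""
    problems = []
    expected = {
        domain: 'v=spf1',
        '_dmarc.' + domain: 'v=DMARC1',
        selector + '._domainkey.' + domain: 'v=DKIM1',
    }
    for owner, tag in expected.items():
        value = records.get(owner)
        if value is None:
            problems.append('missing TXT record for ' + owner)
        elif not value.startswith(tag):
            problems.append(owner + ' does not start with ' + tag)
    if 'p=' not in records.get(selector + '._domainkey.' + domain, ''):
        problems.append('DKIM record has no public key (p=) tag')
    return problems
```

Run `check_records(parse_txt_records(SAMPLE_ZONE), 'example.com', 'mail')` after entering the records at your provider and re-fetching them to confirm nothing was truncated in transit.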
## FAQ

### Distros
I have only tested this on Debian 12 and 13 and that is currently the only "supported" distro.

It will likely also work with current versions of Ubuntu but may require some modifications there also.

YMMV with any non-Debian-based distro.

### Users
This configuration uses the local system for authentication.
Additionally, postfix login and local maps are used so that not every user on the system can receive mail.

To create a new mail user, run the following script with the new username as its argument:
```
#!/bin/sh
# usage: add-mail-user.sh <username>
set -e
username="$1"
[ -n "$username" ] || { echo "usage: $0 <username>" >&2; exit 1; }

# create unix account - do not allow user to login to system
useradd --shell /usr/sbin/nologin --create-home --user-group "$username"

# login map: SASL login name -> local user allowed to send from that address
echo "$username@$(cat /etc/mailname)    $username" >> /etc/postfix/login_maps
postmap /etc/postfix/login_maps

# local recipient map: only users listed here can receive mail
echo "$username $username" >> /etc/postfix/local_maps
postmap /etc/postfix/local_maps

# reload postfix to make changes live
postfix reload

# set the user's password
passwd "$username"
```
This will create a user on the system that is allowed to send and receive mail.
As a security precaution, the user's shell is set to /usr/sbin/nologin to prevent management access to the server.

### Multiple Domains
The playbook will configure the mail server for a single domain.  However, there is nothing in the configuration preventing a multi-domain setup.
Setting up multiple domains will require some manual configuration of postfix main.cf.