Mail is pain. Let's do it with pliers.
Denis Knauf 3049e878a0 postfix expects listed TLS-versions. 1 year ago
README.adoc

mail - Secure Postfix & Dovecot

Mail is pain. For an easier setup, this role configures a mail-server with secure default settings.

Architecture

Receiving email

postfix listens on port 25. Clients should use STARTTLS. postscreen protects your mail server against spam first. After postscreen allows the connection, postfix smtpd receives the email. While the connection is open and the mail is being received, it checks SPF and DKIM. Second, the recipient is checked by connecting to dovecot-lmtpd. If a check fails, the email is rejected and the client gets a 5XX or 4XX. After the email is accepted, the client gets an ack and the email is stored: lmtp hands the email to dovecot-lmtpd, which calls sieve and stores it. The server should never send errors by mail; any error should be handled by rejecting the email.

Sending email

postfix listens on port 587. Clients must use STARTTLS, otherwise the connection is not accepted. No postscreen is needed. The submission server (another smtpd instance) requires authentication. The email is not checked for SPF or DKIM; authentication is enough. After the email is received and stored, postfix smtp tries to send the email(s). Errors should be sent to the authenticated user.
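As an added example (not code from this role), the following script checks from a client's point of view that a deployed server behaves as the "Receiving email" and "Sending email" sections describe: port 25 offers STARTTLS and no AUTH, and port 587 offers STARTTLS and advertises AUTH only after the TLS handshake. The check functions run offline on constructed EHLO responses; probe() performs the live query against the host given as mail_server_fqdn.

```python
import smtplib
import ssl


def parse_ehlo(lines):
    """EHLO keyword lines -> {keyword: params}; keys lowercased like
    smtplib.SMTP.esmtp_features so both code paths share the checks."""
    caps = {}
    for line in lines:
        keyword, _, params = line.strip().partition(" ")
        caps[keyword.lower()] = params
    return caps


def check_mx(caps):
    """Port 25: STARTTLS should be offered; AUTH does not belong here."""
    findings = []
    if "starttls" not in caps:
        findings.append("mx: STARTTLS not advertised")
    if "auth" in caps:
        findings.append("mx: AUTH advertised on port 25; submission belongs on 587")
    return findings


def check_submission(before_tls, after_tls):
    """Port 587: STARTTLS is mandatory, so AUTH may only appear once TLS is up."""
    findings = []
    if "starttls" not in before_tls:
        findings.append("submission: STARTTLS not advertised")
    if "auth" in before_tls:
        findings.append("submission: AUTH advertised before STARTTLS")
    if "auth" not in after_tls:
        findings.append("submission: no AUTH mechanism after STARTTLS")
    return findings


def probe(host, port):
    """Live probe: EHLO capabilities before and (if offered) after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        after = {}
        if smtp.has_extn("starttls"):
            # default context verifies the server certificate against the hostname
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read after the handshake
            after = dict(smtp.esmtp_features)
    return before, after
```

For a live run, feed `probe(fqdn, 25)[0]` to `check_mx` and both values of `probe(fqdn, 587)` to `check_submission`; an empty findings list means the server matches the behaviour described above.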

Reading email

Dovecot provides IMAP4 on port 143. STARTTLS is required.

Authentication and users

Any user checks should be done by dovecot, never by postfix. Special users can exist in the dovecot users file. Regular users are looked up in LDAP. For authentication, an LDAP bind is used.

Requirements

You need to have Debian (or a compatible distribution, like Ubuntu) already installed.

It installs all dependencies on the host machine:

  • LDAP - Yes, you need an LDAP server. It can be installed anywhere, but you need one.

For TLS it expects a PKI in /etc/postfix/tls/ and /etc/dovecot/tls/, where you have to place **hostname**.key and **hostname**.crt.

Role Variables

TODO

There are three different prefixes:

mail

These are required, or most users will want to set them. The other prefixes can refer to mail variables as default values.

postfix

Postfix-specific

dovecot

Dovecot-specific

LDAP is required. You need to define mail_ldap_basedn. Users are searched directly in the next level below ou=People of mail_ldap_basedn. The users have to be a simpleSecurityObject and need the mail and userPassword attributes. You can define others.

mail_server_fqdn

Fully qualified domain name of your mail server. It is not possible to choose different names for SMTP/Submission/IMAP/Sieve, but you can use CNAMEs or X.509 subject alternative names to serve different names.

mail_dkim_selector

For DKIM you need a selector, which is used in DNS, e.g. the current year.

mail_ldap_basedn

LDAP base DN, e.g. cn=example,cn=net (default: value of ldap_basedn)

mail_ldap_uris

(default: ldapi://)

mail_ldap_field_user

(default: mail)

mail_ldap_field_password

(default: userPassword)

mail_sieve_scripts

Installs the given sieve scripts. It expects a list of {file:, name:, user:}: file is the file name, and the script is installed for user under name. (default: [], default for name: "main")

mail_sieve_scripts_templates

Like mail_sieve_scripts, but these files are templates.

postfix_tls_policy

TLS policy for the given domain, e.g. {smtp.example.net: enforce} (default: empty)

Example Playbook

TODO

---
# vim: set expandtab tabstop=2 shiftwidth=2:

- hosts: mailserver
  remote_user: root
  become: false

  tasks:
  - import_role:
      name: mail

License

AGPLv3

Author Information