Mail is pain. Let's do it with pliers.
Find a file
2023-10-20 00:47:15 +02:00
defaults fixes and imports 2020-11-10 00:45:00 +01:00
files postscreen spf generator. dependencies: python3 instead of python2. cdb -> lmdb for aliases 2022-12-01 14:05:00 +01:00
handlers init 2020-11-07 20:27:01 +01:00
meta postscreen spf generator. dependencies: python3 instead of python2. cdb -> lmdb for aliases 2022-12-01 14:05:00 +01:00
tasks postscreen spf generator. dependencies: python3 instead of python2. cdb -> lmdb for aliases 2022-12-01 14:05:00 +01:00
templates fixes and imports 2020-11-10 00:45:00 +01:00
tests init 2020-11-07 20:27:01 +01:00
vars duplicate in vars removed. 2023-10-20 00:47:15 +02:00
.gitignore init 2020-11-07 20:27:01 +01:00
README.adoc fixes and imports 2020-11-10 00:45:00 +01:00

mail - Secure Postfix & Dovecot
===============================

Mail is pain.  For an easier setup, this role configures a mail-server
with secure default settings.

Architecture
============

Receiving email::
postfix listens on port 25.  Client should use STARTTLS.
postscreen will protect your mailserver against SPAM at first.
After postscreen allowes the connection, postfix-smtpd will receive the email.
While connection is open and mail will receive, it tries to check SPF and DKIM.
Second the recepient will be checked by connecting to dovecot-lmtpd,
If a check fails, the email will be rejected and client gets 5XX or 4XX.
After accepting email, the client gets an ack and email will be stored.
lmtp will send this email to dovecot-lmtpd, which will call sieve and stores the email.
It should never send errors by mails.  Any errors should be handled by rejecting the email.

Sending email::
postfix listens on port 587.  Client must use STARTTLS, else connection will not accepted.
No postscreen needed.  The submission-server (an other smtpd) requires authentication.
The email will not be checked for SPF or DKIM, authentication is enough.
After email is recieved and stored, postfix-smtp will try to send the email(s).
Errors should be send to authenticated user.

Reading email::
Dovecot provides IMAP4 on port 143.  STARTTLS is required.

Authentication and users::
Any user-checks should be done by dovecot, never by postfix.
Special users could exist ist dovecot-users-file.
Regular users will be searched in LDAP.  For authentication
a ldap-bind will be used.


Requirements
------------

You need to have debian (or compatible, like ubuntu) already installed.

It will install all dependencies on host-machine:

* LDAP - Yes, you need a LDAP-server.  It can be installed anywhere, but you need one.

It expects for TLS a PKI in `/etc/postfix/tls/` and `/etc/dovecot/tls/`,
where you have to place `**hostname**.key`, `**hostname**.crt`.

Role Variables
--------------

TODO

There are three different prefixes:

mail::
These are required to set or most users could be interested to set it.
The other prefixes can refer to mail-variables as default-value.

postfix::
Postfix-specific

dovecot::
Dovecot-specific

LDAP is required.  You need to define `mail_ldap_basedn`.
It will search directly in next-level of `ou=People` of `mail_ldap_basedn` for users.
The users have to be a `simpleSecurityObject` and needs `mail` and `userPassword`.
You can define others.

mail_server_fqdn::
Full qualified domain name of your mail server.
It is not possible to choose different for SMTP/Submission/IMAP/Sieve.
But you can use CNAMEs/X509-Alt-names to define different.

mail_dkim_selector::
For DKIM you need a selector, which will be used in DNS.
E.g. pick the current year.

mail_ldap_basedn::
LDAP-BaseDN.  `cn=example,cn=net`
(default: value of ldap_basedn)

mail_ldap_uris::
(default: `ldapi://`)

mail_ldap_field_user::
(default: `mail`)

mail_ldap_field_password::
(default: `userPassword`)

mail_sieve_scripts::
Installs given sieve-scripts.  It expects a list of `{file:, name:, user:}`.
`file` is the file-name, installs the script for `user` as `name`.
(default: `[]`, default for name: `"main"`)

mail_sieve_scripts_templates::
Like `mail_sieve_scripts`, but these files are templates.

postfix_tls_policy::
tls-policy for given domain.  `{smtp.example.net: enforce}`
(default: empty)


Example Playbook
----------------

TODO

----
---
# vim: set expandtab tabstop=2 shiftwidth=2:

- hosts: mailserver
  remote_user: root
  become: false

  tasks:
  - import_role:
      name: mail
----

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-mail