ansible-role-mail/README.adoc

mail - Secure Postfix & Dovecot
===============================

Mail is pain.  For an easier setup, this role configures a mail-server
with secure default settings.

Architecture
============

Receiving email::
postfix listens on port 25.  Client should use STARTTLS.
postscreen will protect your mailserver against SPAM at first.
After postscreen allowes the connection, postfix-smtpd will receive the email.
While connection is open and mail will receive, it tries to check SPF and DKIM.
Second the recepient will be checked by connecting to dovecot-lmtpd,
If a check fails, the email will be rejected and client gets 5XX or 4XX.
After accepting email, the client gets an ack and email will be stored.
lmtp will send this email to dovecot-lmtpd, which will call sieve and stores the email.
It should never send errors by mails.  Any errors should be handled by rejecting the email.

Sending email::
postfix listens on port 587.  Client must use STARTTLS, else connection will not accepted.
No postscreen needed.  The submission-server (an other smtpd) requires authentication.
The email will not be checked for SPF or DKIM, authentication is enough.
After email is recieved and stored, postfix-smtp will try to send the email(s).
Errors should be send to authenticated user.

Reading email::
Dovecot provides IMAP4 on port 143.  STARTTLS is required.

Authentication and users::
Any user-checks should be done by dovecot, never by postfix.
Special users could exist ist dovecot-users-file.
Regular users will be searched in LDAP.  For authentication
a ldap-bind will be used.


Requirements
------------

You need to have debian (or compatible, like ubuntu) already installed.

It will install all dependencies on host-machine:

* LDAP - Yes, you need a LDAP-server.  It can be installed anywhere, but you need one.

It expects for TLS a PKI in `/etc/postfix/tls/` and `/etc/dovecot/tls/`,
where you have to place `**hostname**.key`, `**hostname**.crt`.

Role Variables
--------------

TODO

There are three different prefixes:

mail::
These are required to set or most users could be interested to set it.
The other prefixes can refer to mail-variables as default-value.

postfix::
Postfix-specific

dovecot::
Dovecot-specific

LDAP is required.  You need to define `mail_ldap_basedn`.
It will search directly in next-level of `ou=People` of `mail_ldap_basedn` for users.
The users have to be a `simpleSecurityObject` and needs `mail` and `userPassword`.
You can define others.

mail_server_fqdn::
Full qualified domain name of your mail server.
It is not possible to choose different for SMTP/Submission/IMAP/Sieve.
But you can use CNAMEs/X509-Alt-names to define different.

mail_dkim_selector::
For DKIM you need a selector, which will be used in DNS.
E.g. pick the current year.

mail_ldap_basedn::
LDAP-BaseDN.  `cn=example,cn=net`
(default: value of ldap_basedn)

mail_ldap_uris::
(default: `ldapi://`)

mail_ldap_field_user::
(default: `mail`)

mail_ldap_field_password::
(default: `userPassword`)

mail_sieve_scripts::
Installs given sieve-scripts.  It expects a list of `{file:, name:, user:}`.
`file` is the file-name, installs the script for `user` as `name`.
(default: `[]`, default for name: `"main"`)

mail_sieve_scripts_templates::
Like `mail_sieve_scripts`, but these files are templates.

postfix_tls_policy::
tls-policy for given domain.  `{smtp.example.net: enforce}`
(default: empty)


Example Playbook
----------------

TODO

----
---
# vim: set expandtab tabstop=2 shiftwidth=2:

- hosts: mailserver
  remote_user: root
  become: false

  tasks:
  - import_role:
      name: mail
----

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-mail
init 2020-11-07 20:27:01 +01:00			`mail - Secure Postfix & Dovecot`
			`===============================`

			`Mail is pain. For an easier setup, this role configures a mail-server`
			`with secure default settings.`

more variables. 2020-11-07 22:36:05 +01:00			`Architecture`
			`============`

			`Receiving email::`
			`postfix listens on port 25. Client should use STARTTLS.`
			`postscreen will protect your mailserver against SPAM at first.`
			`After postscreen allowes the connection, postfix-smtpd will receive the email.`
			`While connection is open and mail will receive, it tries to check SPF and DKIM.`
			`Second the recepient will be checked by connecting to dovecot-lmtpd,`
			`If a check fails, the email will be rejected and client gets 5XX or 4XX.`
			`After accepting email, the client gets an ack and email will be stored.`
			`lmtp will send this email to dovecot-lmtpd, which will call sieve and stores the email.`
			`It should never send errors by mails. Any errors should be handled by rejecting the email.`

			`Sending email::`
			`postfix listens on port 587. Client must use STARTTLS, else connection will not accepted.`
			`No postscreen needed. The submission-server (an other smtpd) requires authentication.`
			`The email will not be checked for SPF or DKIM, authentication is enough.`
			`After email is recieved and stored, postfix-smtp will try to send the email(s).`
			`Errors should be send to authenticated user.`

			`Reading email::`
			`Dovecot provides IMAP4 on port 143. STARTTLS is required.`

			`Authentication and users::`
			`Any user-checks should be done by dovecot, never by postfix.`
			`Special users could exist ist dovecot-users-file.`
			`Regular users will be searched in LDAP. For authentication`
			`a ldap-bind will be used.`


init 2020-11-07 20:27:01 +01:00			`Requirements`
			`------------`

			`You need to have debian (or compatible, like ubuntu) already installed.`

			`It will install all dependencies on host-machine:`

			`* LDAP - Yes, you need a LDAP-server. It can be installed anywhere, but you need one.`

			It expects for TLS a PKI in `/etc/postfix/tls/` and `/etc/dovecot/tls/`,
			where you have to place `hostname.key`, `hostname.crt`.

			`Role Variables`
			`--------------`

			`TODO`

more variables. 2020-11-07 22:36:05 +01:00			`There are three different prefixes:`

			`mail::`
			`These are required to set or most users could be interested to set it.`
			`The other prefixes can refer to mail-variables as default-value.`

			`postfix::`
			`Postfix-specific`

			`dovecot::`
			`Dovecot-specific`

			LDAP is required. You need to define `mail_ldap_basedn`.
			It will search directly in next-level of `ou=People` of `mail_ldap_basedn` for users.
			The users have to be a `simpleSecurityObject` and needs `mail` and `userPassword`.
			`You can define others.`

			`mail_server_fqdn::`
			`Full qualified domain name of your mail server.`
			`It is not possible to choose different for SMTP/Submission/IMAP/Sieve.`
			`But you can use CNAMEs/X509-Alt-names to define different.`

postfix-vars, dkim-selector 2020-11-08 00:02:54 +01:00			`mail_dkim_selector::`
			`For DKIM you need a selector, which will be used in DNS.`
			`E.g. pick the current year.`

more variables. 2020-11-07 22:36:05 +01:00			`mail_ldap_basedn::`
			LDAP-BaseDN. `cn=example,cn=net`
ldap_basedn 2020-11-07 23:18:37 +01:00			`(default: value of ldap_basedn)`
more variables. 2020-11-07 22:36:05 +01:00
			`mail_ldap_uris::`
			(default: `ldapi://`)

			`mail_ldap_field_user::`
			(default: `mail`)

			`mail_ldap_field_password::`
			(default: `userPassword`)

fixes and imports 2020-11-10 00:45:00 +01:00			`mail_sieve_scripts::`
			Installs given sieve-scripts. It expects a list of `{file:, name:, user:}`.
			`file` is the file-name, installs the script for `user` as `name`.
			(default: `[]`, default for name: `"main"`)

			`mail_sieve_scripts_templates::`
			Like `mail_sieve_scripts`, but these files are templates.

more variables. 2020-11-07 22:36:05 +01:00			`postfix_tls_policy::`
			tls-policy for given domain. `{smtp.example.net: enforce}`
			`(default: empty)`


init 2020-11-07 20:27:01 +01:00			`Example Playbook`
			`----------------`

			`TODO`

			`----`
			`---`
			`# vim: set expandtab tabstop=2 shiftwidth=2:`

			`- hosts: mailserver`
			`remote_user: root`
			`become: false`

			`tasks:`
			`- import_role:`
			`name: mail`
			`----`

			`License`
			`-------`

			`AGPLv3`

			`Author Information`
			`------------------`

			`Denis Knauf - https://git.denkn.at/deac/ansible-role-mail`