From 423729cc3cb0644060c97fa02f609ae05c78f3e3 Mon Sep 17 00:00:00 2001 From: Denis Knauf Date: Sat, 7 Nov 2020 22:36:05 +0100 Subject: [PATCH] more variables. --- README.adoc | 70 +++++++++++++++++++++++++++++++++++++++++++++++ defaults/main.yml | 19 ++++++++++++- tasks/dovecot.yml | 25 +++++++++-------- tasks/main.yml | 2 +- tasks/postfix.yml | 10 +++---- 5 files changed, 107 insertions(+), 19 deletions(-) diff --git a/README.adoc b/README.adoc index 388d5b0..08d1c6c 100644 --- a/README.adoc +++ b/README.adoc 
@@ -4,6 +4,37 @@ mail - Secure Postfix & Dovecot Mail is pain. For an easier setup, this role configures a mail-server with secure default settings. +Architecture +============ + +Receiving email:: +postfix listens on port 25. Client should use STARTTLS. +postscreen will protect your mailserver against SPAM at first. +After postscreen allowes the connection, postfix-smtpd will receive the email. +While connection is open and mail will receive, it tries to check SPF and DKIM. +Second the recepient will be checked by connecting to dovecot-lmtpd, +If a check fails, the email will be rejected and client gets 5XX or 4XX. +After accepting email, the client gets an ack and email will be stored. +lmtp will send this email to dovecot-lmtpd, which will call sieve and stores the email. +It should never send errors by mails. Any errors should be handled by rejecting the email. + +Sending email:: +postfix listens on port 587. Client must use STARTTLS, else connection will not accepted. +No postscreen needed. The submission-server (an other smtpd) requires authentication. +The email will not be checked for SPF or DKIM, authentication is enough. +After email is recieved and stored, postfix-smtp will try to send the email(s). +Errors should be send to authenticated user. + +Reading email:: +Dovecot provides IMAP4 on port 143. STARTTLS is required. + +Authentication and users:: +Any user-checks should be done by dovecot, never by postfix. +Special users could exist ist dovecot-users-file. +Regular users will be searched in LDAP. For authentication +a ldap-bind will be used. + + Requirements ------------ 
@@ -21,6 +52,45 @@ Role Variables TODO +There are three different prefixes: + +mail:: +These are required to set or most users could be interested to set it. +The other prefixes can refer to mail-variables as default-value. + +postfix:: +Postfix-specific + +dovecot:: +Dovecot-specific + +LDAP is required. You need to define `mail_ldap_basedn`. +It will search directly in next-level of `ou=People` of `mail_ldap_basedn` for users. +The users have to be a `simpleSecurityObject` and needs `mail` and `userPassword`. +You can define others. + +mail_server_fqdn:: +Full qualified domain name of your mail server. +It is not possible to choose different for SMTP/Submission/IMAP/Sieve. +But you can use CNAMEs/X509-Alt-names to define different. + +mail_ldap_basedn:: +LDAP-BaseDN. `cn=example,cn=net` + +mail_ldap_uris:: +(default: `ldapi://`) + +mail_ldap_field_user:: +(default: `mail`) + +mail_ldap_field_password:: +(default: `userPassword`) + +postfix_tls_policy:: +tls-policy for given domain. `{smtp.example.net: enforce}` +(default: empty) + + Example Playbook ---------------- diff --git a/defaults/main.yml b/defaults/main.yml index 6c9791f..7975c88 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,5 +1,22 @@ --- # vim: set et sw=2 ts=2 sts=2: -postfix_tls_policy: [] +mail_server_fqdn: '{{ansible_fqdn}}' +mail_ldap_uris: ldapi:// +mail_ldap_field_user: mail +mail_ldap_field_password: userPassword +mail_ldap_filter: '(&(objectClass=simpleSecurityObject)({{mail_ldap_field_user}}=%u))' +postfix_tls_policy: {} + +dovecot_ldap_uris: "{{mail_ldap_uris}}" +dovecot_ldap_ldaprc_path: /etc/ldap/ldap.conf +dovecot_ldap_base: 'ou=People,{{mail_ldap_basedn}}' +dovecot_ldap_scope: onelevel +dovecot_ldap_filter: '{{mail_ldap_filter}}' +dovecot_ldap_user_filter: '{{dovecot_ldap_filter}}' +dovecot_ldap_user_attrs: '{{mail_ldap_field_user}}=user' +dovecot_ldap_pass_filter: '{{dovecot_ldap_filter}}' +dovecot_ldap_pass_attrs: '{{mail_ldap_field_user}}=user,{{mail_ldap_field_password}}=password' +dovecot_ldap_iterate_attrs: '{{mail_ldap_field_user}}=user' +dovecot_ldap_iterate_filter: '{{dovecot_ldap_filter}}' diff --git a/tasks/dovecot.yml b/tasks/dovecot.yml index 633eca3..ec827d7 100644 --- a/tasks/dovecot.yml +++ b/tasks/dovecot.yml @@ -49,8 +49,8 @@ line: "{{item.key}} = {{item.value}}" with_dict: ssl: required - ssl_key: "
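Review bot: The new Architecture section in the README.adoc hunk has several spelling and grammar errors that should be fixed before merge: "allowes" (allows), "recepient" (recipient), "recieved" (received), "ist dovecot-users-file" (in the dovecot users file), "an other smtpd" (another smtpd) and "Errors should be send" (sent). The line "Second the recepient will be checked by connecting to dovecot-lmtpd, If a check fails, the email will be rejected" runs two sentences together; end the first one with a period before "If". It would also help to state explicitly that STARTTLS on port 25 is opportunistic (remote MTAs cannot be forced to use it, which is why the text says "should") while it is mandatory on 587 and 143, so readers do not read the inconsistent wording as an oversight.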
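Review bot: In the Role Variables hunk, `mail_ldap_basedn` is documented as required, but nothing in the patch fails early when it is unset; add an `ansible.builtin.assert` task with `that: mail_ldap_basedn is defined` at the start of tasks/main.yml so a missing value surfaces as a clear message instead of a failed LDAP lookup at runtime. The example value `cn=example,cn=net` is an unusual base DN; a domain-component DN such as `dc=example,dc=net` is what the `ou=People,{{mail_ldap_basedn}}` search base built in defaults/main.yml would normally sit under. The `mail_ldap_filter` and the `dovecot_ldap_*` variables introduced in defaults/main.yml are not listed here, although the text says the prefix variables are meant to be overridden; at least `mail_ldap_filter` and `dovecot_ldap_base`/`dovecot_ldap_scope` should get an entry with their defaults.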
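Review bot: In the defaults/main.yml hunk, `dovecot_ldap_pass_attrs: '{{mail_ldap_field_user}}=user,{{mail_ldap_field_password}}=password'` contradicts the README, which states that "a ldap-bind will be used" for authentication: mapping an attribute to `password` makes Dovecot read `userPassword` out of the directory and verify it itself, which only works if the role's LDAP bind identity may read password hashes, a broader privilege than a bind check needs. Either drop the `=password` mapping and enable `auth_bind = yes` in the Dovecot LDAP configuration, or document that password lookup is intended and which bind DN and credentials the role expects. Separately, `-postfix_tls_policy: []` / `+postfix_tls_policy: {}` changes the type from list to dict; the README example `{smtp.example.net: enforce}` matches the dict, so confirm that tasks/postfix.yml (changed in this patch but not shown in the excerpt) iterates it with `with_dict` or `dict2items` rather than a list loop.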