Mail is pain. Let's do it with pliers.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3.6 KiB

mail - Secure Postfix & Dovecot

Mail is pain. For an easier setup, this role configures a mail-server
with secure default settings.


Receiving email::
postfix listens on port 25. Client should use STARTTLS.
postscreen will protect your mailserver against SPAM at first.
After postscreen allowes the connection, postfix-smtpd will receive the email.
While connection is open and mail will receive, it tries to check SPF and DKIM.
Second the recepient will be checked by connecting to dovecot-lmtpd,
If a check fails, the email will be rejected and client gets 5XX or 4XX.
After accepting email, the client gets an ack and email will be stored.
lmtp will send this email to dovecot-lmtpd, which will call sieve and stores the email.
It should never send errors by mails. Any errors should be handled by rejecting the email.

Sending email::
postfix listens on port 587. Client must use STARTTLS, else connection will not accepted.
No postscreen needed. The submission-server (an other smtpd) requires authentication.
The email will not be checked for SPF or DKIM, authentication is enough.
After email is recieved and stored, postfix-smtp will try to send the email(s).
Errors should be send to authenticated user.

Reading email::
Dovecot provides IMAP4 on port 143. STARTTLS is required.

Authentication and users::
Any user-checks should be done by dovecot, never by postfix.
Special users could exist ist dovecot-users-file.
Regular users will be searched in LDAP. For authentication
a ldap-bind will be used.


You need to have debian (or compatible, like ubuntu) already installed.

It will install all dependencies on host-machine:

* LDAP - Yes, you need a LDAP-server. It can be installed anywhere, but you need one.

It expects for TLS a PKI in `/etc/postfix/tls/` and `/etc/dovecot/tls/`,
where you have to place `**hostname**.key`, `**hostname**.crt`.

Role Variables


There are three different prefixes:

These are required to set or most users could be interested to set it.
The other prefixes can refer to mail-variables as default-value.



LDAP is required. You need to define `mail_ldap_basedn`.
It will search directly in next-level of `ou=People` of `mail_ldap_basedn` for users.
The users have to be a `simpleSecurityObject` and needs `mail` and `userPassword`.
You can define others.

Full qualified domain name of your mail server.
It is not possible to choose different for SMTP/Submission/IMAP/Sieve.
But you can use CNAMEs/X509-Alt-names to define different.

For DKIM you need a selector, which will be used in DNS.
E.g. pick the current year.

LDAP-BaseDN. `cn=example,cn=net`
(default: value of ldap_basedn)

(default: `ldapi://`)

(default: `mail`)

(default: `userPassword`)

Installs given sieve-scripts. It expects a list of `{file:, name:, user:}`.
`file` is the file-name, installs the script for `user` as `name`.
(default: `[]`, default for name: `"main"`)

Like `mail_sieve_scripts`, but these files are templates.

tls-policy for given domain. `{ enforce}`
(default: empty)

Example Playbook


# vim: set expandtab tabstop=2 shiftwidth=2:

- hosts: mailserver
remote_user: root
become: false

- import_role:
name: mail



Author Information

Denis Knauf -