mail - Secure Postfix & Dovecot
===============================

Mail is pain. For an easier setup, this role configures a mail server
with secure default settings.

Architecture
============

Receiving email::

  postfix listens on port 25. Clients should use STARTTLS.
  postscreen protects your mail server against SPAM first.
  After postscreen allows the connection, postfix-smtpd receives the email.
  While the connection is open and the mail is being received, it checks SPF and DKIM.
  Second, the recipient is checked by connecting to dovecot-lmtpd.
  If a check fails, the email is rejected and the client gets a 5XX or 4XX reply.
  After accepting the email, the client gets an ack and the email is stored.
  lmtp sends this email to dovecot-lmtpd, which calls sieve and stores the email.
  It should never send errors by mail. Any errors should be handled by rejecting the email.

Sending email::

  postfix listens on port 587. Clients must use STARTTLS, otherwise the connection is not accepted.
  No postscreen needed. The submission server (another smtpd) requires authentication.
  The email is not checked for SPF or DKIM; authentication is enough.
  After the email is received and stored, postfix-smtp tries to send the email(s).
  Errors should be sent to the authenticated user.

Reading email::

  Dovecot provides IMAP4 on port 143. STARTTLS is required.

Authentication and users::

  Any user checks should be done by dovecot, never by postfix.
  Special users can exist in the dovecot users file.
  Regular users are searched in LDAP. For authentication
  an LDAP bind is used.

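The receiving and sending flows above translate into a handful of Postfix settings: postscreen in front of port 25, STARTTLS-only submission with SASL delegated to Dovecot, delivery through Dovecot LMTP, and recipients verified (and rejected) during the SMTP session rather than bounced later. The script below is an added example for this README, not code from ansible-role-mail: it embeds a constructed ``main.cf`` / ``master.cf`` pair, parses both files, and audits them against those invariants. The parameter and service names are real Postfix ones; which of them the role actually sets, and the exact restriction list, are assumptions.

```python
"""Audit a Postfix main.cf / master.cf pair against the architecture in the README.

Added example, not part of ansible-role-mail. The embedded configuration is
constructed for the demonstration; which parameters the role really sets is an
assumption, but every name used here is a real Postfix parameter or service.
"""
import re

# Constructed sample main.cf: reject at SMTP time, AUTH only after STARTTLS,
# SASL via Dovecot, delivery through Dovecot LMTP.
MAIN_CF = """\
myhostname = mail.example.net
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = lmtp:unix:private/dovecot-lmtp
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient
"""

# Constructed sample master.cf: postscreen owns port 25, smtpd sits behind it,
# submission on 587 enforces STARTTLS and authentication.
MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       y       -       1       postscreen
smtpd      pass  -       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_main_cf(text):
    """Return {parameter: value}; continuation lines start with whitespace."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}}; '-o k=v' lines are options."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            m = re.match(r"-o\s+([^=]+)=(.*)", line.strip())
            if m:
                services[current]["options"][m.group(1).strip()] = m.group(2).strip()
            continue
        fields = line.split()
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def audit(main_cf, master_cf):
    """Return a list of findings; an empty list means the README's invariants hold."""
    p, s = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings = []
    if s.get("smtp", {}).get("command") != "postscreen":
        findings.append("port 25 is not fronted by postscreen")
    sub = s.get("submission", {}).get("options", {})
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission does not enforce STARTTLS")
    if sub.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("submission does not require SASL authentication")
    if p.get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH is offered before STARTTLS (credentials may leak)")
    if p.get("smtpd_sasl_type") != "dovecot":
        findings.append("SASL is not delegated to dovecot")
    if not p.get("virtual_transport", "").startswith("lmtp:"):
        findings.append("delivery does not go through LMTP")
    restrictions = p.get("smtpd_recipient_restrictions", "")
    if "reject_unauth_destination" not in restrictions:
        findings.append("open relay: reject_unauth_destination missing")
    if "reject_unverified_recipient" not in restrictions:
        findings.append("recipients are not verified during the SMTP session")
    return findings


if __name__ == "__main__":
    print(audit(MAIN_CF, MASTER_CF) or "ok")
```

Run it against ``/etc/postfix/main.cf`` and ``master.cf`` on a deployed host to get a quick drift check; the interesting property is that every failure mode it flags (plaintext AUTH, open relay, bounces instead of rejects) is one the architecture section rules out.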
Requirements
------------

You need to have Debian (or a compatible distribution, like Ubuntu) already installed.

It will install all dependencies on the host machine:

* LDAP - Yes, you need an LDAP server. It can be installed anywhere, but you need one.

For TLS it expects a PKI in `/etc/postfix/tls/` and `/etc/dovecot/tls/`,
where you have to place `**hostname**.key` and `**hostname**.crt`.

Role Variables
--------------

TODO

There are three different prefixes:

mail::

  These are required to be set, or most users will want to set them.
  The other prefixes can refer to mail-variables as default values.

postfix::

  Postfix-specific

dovecot::

  Dovecot-specific

LDAP is required. You need to define `mail_ldap_basedn`.
It searches for users directly in the next level below `ou=People` of `mail_ldap_basedn`.
The users have to be a `simpleSecurityObject` and need `mail` and `userPassword`.
You can define other attribute names via `mail_ldap_field_user` and `mail_ldap_field_password`.

mail_server_fqdn::

  Fully qualified domain name of your mail server.
  It is not possible to choose different names for SMTP/Submission/IMAP/Sieve,
  but you can use CNAMEs / X.509 subject alternative names to define different ones.

mail_ldap_basedn::

  LDAP BaseDN, e.g. `cn=example,cn=net`
  (default: value of ldap_basedn)

mail_ldap_uris::

  (default: `ldapi://`)

mail_ldap_field_user::

  (default: `mail`)

mail_ldap_field_password::

  (default: `userPassword`)

postfix_tls_policy::

  TLS policy for a given domain, e.g. `{smtp.example.net: enforce}`
  (default: empty)

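The LDAP requirements above (users one level below ``ou=People`` of ``mail_ldap_basedn``, objectClass ``simpleSecurityObject``, attributes ``mail`` and ``userPassword``, verification by LDAP bind) describe a search-then-bind flow. The script below is an added example for this README, not code from ansible-role-mail or Dovecot: it models that flow against a constructed in-memory directory, builds the search filter with RFC 4515 escaping so a login name cannot rewrite the filter, and verifies the password with a bind rather than by reading ``userPassword``. The directory entries, the salted-hash storage and the helper names (``search_one_level``, ``bind``, ``authenticate``) are all constructed for the example; the base DN is the README's own ``cn=example,cn=net``.

```python
"""Model the README's LDAP lookup: search directly below ou=People for a
simpleSecurityObject whose mail matches, then verify the password with a bind.

Added example, not code from ansible-role-mail or Dovecot. The in-memory
directory, hashes and helper names are constructed; the base DN, subtree,
objectClass and attribute names are the ones the README requires.
"""
import hashlib
import hmac
import os
import re

BASEDN = "cn=example,cn=net"      # mail_ldap_basedn (value from the README)
FIELD_USER = "mail"               # mail_ldap_field_user
FIELD_PASSWORD = "userPassword"   # mail_ldap_field_password


def _hash_password(password, salt=None):
    """Constructed salted-SHA256 storage for userPassword (never plaintext)."""
    salt = salt or os.urandom(8)
    return salt + hashlib.sha256(password.encode() + salt).digest()


def _check_password(stored, password):
    salt, digest = stored[:8], stored[8:]
    calc = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


# Constructed directory: DN -> attributes. Only entries one level below
# ou=People,<basedn> are eligible; bob sits in another subtree on purpose.
DIRECTORY = {
    f"uid=alice,ou=People,{BASEDN}": {
        "objectClass": ["simpleSecurityObject", "account"],
        "mail": ["alice@example.net"],
        "userPassword": [_hash_password("correct horse")],
    },
    f"uid=bob,ou=Disabled,{BASEDN}": {
        "objectClass": ["simpleSecurityObject", "account"],
        "mail": ["bob@example.net"],
        "userPassword": [_hash_password("hunter2")],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(login):
    """Filter shape implied by the README's requirements (objectClass + mail)."""
    return f"(&(objectClass=simpleSecurityObject)({FIELD_USER}={escape_filter_value(login)}))"


def _pattern_to_regex(pattern):
    """Assertion value -> regex: raw '*' is a wildcard, '\\xx' escapes are literal."""
    parts = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$")


_FILTER = re.compile(r"^\(&\(objectClass=([^)]+)\)\(([^=]+)=(.*)\)\)$")


def search_one_level(base, filt):
    """DN of the single entry matching filt directly under ou=People,base, else None."""
    m = _FILTER.match(filt)
    if not m:
        raise ValueError("unsupported filter shape: " + filt)
    oc, attr, regex = m.group(1), m.group(2), _pattern_to_regex(m.group(3))
    suffix = f",ou=People,{base}"
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith(suffix) or "," in dn[: -len(suffix)]:
            continue  # wrong subtree or deeper than one level
        if oc in attrs.get("objectClass", []) and any(regex.match(v) for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


def bind(dn, password):
    """Simple bind, modelled in-process: the directory checks the password and the
    mail server only learns success or failure, so it never handles the hash."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and _check_password(entry[FIELD_PASSWORD][0], password)


def authenticate(login, password):
    """Search-then-bind, the same two steps dovecot performs for a regular user."""
    dn = search_one_level(BASEDN, user_filter(login))
    return dn is not None and bind(dn, password)


if __name__ == "__main__":
    print(authenticate("alice@example.net", "correct horse"), authenticate("*", "x"))
```

Dovecot's LDAP passdb with bind authentication does the equivalent of ``search_one_level`` followed by ``bind``; with the default ``ldapi://`` URI that bind travels over a local Unix socket rather than the network. The test cases worth keeping around are the negative ones: a user outside ``ou=People`` must not authenticate, and a login of ``*`` must find nobody, which is only true because the filter value is escaped.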
Example Playbook
----------------

TODO

::

  ---
  # vim: set expandtab tabstop=2 shiftwidth=2:

  - hosts: mailserver
    remote_user: root
    become: false

    tasks:
      - import_role:
          name: mail

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-mail