ansible-role-postfix-dovecot

An Ansible role that automates the installation and configuration of Postfix and Dovecot with MySQL authentication on Ubuntu. The MySQL schema is derived from the following Digital Ocean tutorial. You can view the MySQL schema used in schema.sql.

Role Variables

Required Variables

  • dovecot_ssl_cert - the path to the SSL certificate used by Dovecot. Note that if you need to provide a certificate chain, it must be concatenated after the certificate in the same file.
  • dovecot_ssl_key - the path to the SSL key used by Dovecot.
  • postfix_ssl_cert - the path to the SSL certificate used by Postfix. This file should also contain the intermediate CA certificate(s), if applicable.
  • postfix_ssl_key - the path to the SSL key used by Postfix.
  • postfix_dovecot_mysql_password - the password of the MySQL user that has permission to query the authentication database.

Optional Variables

  • postfix_dovecot_mysql_host - the FQDN or IP address to the MySQL server for authentication. This defaults to 127.0.0.1.
  • postfix_dovecot_mysql_db_name - the database name on the MySQL server used for authentication. This defaults to servermail.
  • postfix_dovecot_mysql_user - the user that has permission to query the database on the MySQL server used for authentication. This defaults to usermail.
  • postfix_dovecot_mysql_password_scheme - the password scheme used to hash (not encrypt) the passwords stored in the database. This defaults to SHA512-CRYPT.
  • postfix_default_domain - the default domain used by Postfix, in particular as the sender's domain on bounce messages. This sets the contents of /etc/mailname.
  • postfix_inet_protocols - the protocol that Postfix should listen on. To have only IPv4, set this value to ipv4. This defaults to all.
  • postfix_submission_smtpd_client_restrictions - a list of client restrictions on the mail submission port (587). For more information visit the Postfix documentation. This defaults to permit_sasl_authenticated and reject.
  • postfix_smtpd_tls_auth_only - whether to only allow SASL authentication over SSL/TLS. This defaults to yes.
  • postfix_smtpd_recipient_restrictions - a list of restrictions of recipients of incoming email. For more information visit the Postfix documentation. This defaults to permit_sasl_authenticated, permit_mynetworks, and reject_unauth_destination.
  • postfix_smtpd_relay_restrictions - a list of relay restrictions. For more information visit the Postfix documentation. This defaults to permit_mynetworks, permit_sasl_authenticated, and defer_unauth_destination.
  • postfix_mynetworks - a list of trusted SMTP clients. For more information visit the Postfix documentation. This defaults to 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128.
  • postfix_mydestination - a list for the Postfix configuration value of mydestination. For more information visit the Postfix documentation. This defaults to localhost.
  • postfix_mysql_alias_query - the query used to find the destination of an alias when the source is supplied. This defaults to SELECT destination FROM virtual_aliases WHERE source='%s';.
  • postfix_mysql_domains_query - the query used to determine if a domain is valid. This defaults to SELECT 1 FROM virtual_domains WHERE name='%s';.
  • postfix_mysql_users_query - the query used to determine if an email address is valid. This defaults to SELECT 1 FROM virtual_users WHERE email='%s';.
  • dovecot_mysql_password_query - the query used to authenticate a user on the MySQL server used for authentication. This defaults to SELECT email as user, password FROM virtual_users WHERE email='%u';.
  • postfix_relayhost - sends email via an upstream relay host. For more information visit the Postfix documentation.
  • postfix_smtp_tls_security_level - the TLS security level for the Postfix SMTP client (outbound mail). This defaults to dane on Debian and Red Hat >= 8 and to may on Red Hat 7. Note that dane only gives DANE verification when Postfix can obtain DNSSEC-validated TLSA records (smtp_dns_support_level = dnssec and a validating local resolver); without them it behaves like may. For more information visit the Postfix documentation.
  • dovecot_protocols - a list of protocols to be enabled. This defaults to lmtp and imap. To enable POP3, add pop3 to this variable (note: install dovecot-pop3d on the target, e.g. apt install dovecot-pop3d, to use pop3).
  • dovecot_mail_privileged_group - the group that owns the folder defined in dovecot_mail_location. This gives Dovecot's mail process the ability to write in the folder. This defaults to mail.
  • dovecot_disable_plaintext_auth - whether Dovecot refuses plaintext authentication (PLAIN/LOGIN) on connections that are not protected by SSL/TLS. This defaults to 'yes', i.e. plaintext authentication is refused.
  • dovecot_auth_mechanisms - a list of authentication mechanisms allowed by Dovecot. This defaults to plain and login. For more information read Dovecot's Authentication Mechanisms documentation.
  • dovecot_force_imaps - determines whether or not to disable IMAP and force IMAPS. This defaults to true.
  • dovecot_force_pop3s - determines whether or not to disable POP3 and force POP3S. This defaults to true. Note that to also enable POP3S, you need to add pop3 to the dovecot_protocols list variable.
  • dovecot_ssl - determines whether or not SSL is enforced across all protocols. This defaults to required. For more information, read Dovecot's SSL Configuration documentation.
  • dovecot_listen - a list of IP or host addresses where Dovecot listens for connections. This defaults to * (all IPv4) and '::' (all IPv6).
  • dovecot_add_example_users - when set to true, adds example users to the database.
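
The three restriction variables and postfix_mynetworks above decide whether the server is an open relay, and the order of the entries matters: Postfix evaluates a restriction list left to right, the first entry that yields permit or reject wins, and a list that runs out without a verdict permits. The following script is an added example, not code from this role: it parses a main.cf (as produced by postconf -n, for instance), walks smtpd_relay_restrictions and smtpd_recipient_restrictions for an unauthenticated client outside mynetworks sending to a domain the server does not host, and flags an open relay, a /0 in mynetworks, and smtpd_tls_auth_only left off. The two configurations at the bottom are constructed samples; the first mirrors the role's defaults. Lookup-table restrictions (check_*) are reported rather than resolved, since their contents are not in main.cf.

```python
"""Audit a Postfix main.cf for open-relay and cleartext-SASL settings.

Added example, not code from the role. It walks the restriction lists the
way Postfix does: left to right, first permit/reject verdict wins, implicit
permit when the list runs out, for one client class only: an unauthenticated
client outside mynetworks relaying to a domain this server does not host.
"""
import ipaddress
import re

# Postfix's own built-in default for smtpd_relay_restrictions (2.10 and later);
# smtpd_recipient_restrictions has an empty default.
DEFAULT_RELAY_RESTRICTIONS = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"

# Restrictions that end evaluation with a negative verdict for our client class.
_REJECTING = {"reject", "defer", "reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse 'name = value' lines; comments, blank lines and continuation lines are handled."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:      # indented line continues the previous value
            conf[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        conf[last] = value.strip()
    return conf


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def mynetworks_is_world(networks):
    """True if any mynetworks entry is a /0 prefix, i.e. every client is 'trusted'."""
    for net in networks:
        net = net.replace("[", "").replace("]", "")   # Postfix writes IPv6 as [::1]/128
        try:
            if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                return True
        except ValueError:                            # table lookups such as hash:/... are skipped
            continue
    return False


def list_verdict(restrictions, world_open):
    """Verdict one restriction list reaches for an unauthenticated remote client."""
    for r in restrictions:
        if r in _REJECTING:
            return "reject"
        if r == "permit" or (r == "permit_mynetworks" and world_open):
            return "permit"
        if r.startswith("check_"):
            return "unknown"          # an access table we cannot see decides
        # permit_sasl_authenticated, reject_rbl_client etc. do not match this client: keep walking
    return "permit"                   # Postfix's implicit default at the end of a list


def audit(main_cf_text):
    """Return a list of findings; an empty list means the checked settings look sane."""
    conf = parse_main_cf(main_cf_text)
    findings = []
    world_open = mynetworks_is_world(split_list(conf.get("mynetworks", "")))
    if world_open:
        findings.append("mynetworks contains a /0 prefix: every client counts as trusted")

    verdicts = [
        list_verdict(split_list(conf.get("smtpd_relay_restrictions", DEFAULT_RELAY_RESTRICTIONS)), world_open),
        list_verdict(split_list(conf.get("smtpd_recipient_restrictions", "")), world_open),
    ]
    # Relaying needs a permit from both lists, so one reject is enough to close the relay.
    if "reject" not in verdicts:
        if "unknown" in verdicts:
            findings.append("relay decision depends on a check_* table: review its contents")
        else:
            findings.append("open relay: neither smtpd_relay_restrictions nor "
                            "smtpd_recipient_restrictions rejects unauthorised destinations")

    if conf.get("smtpd_tls_auth_only", "no").lower() not in ("yes", "true", "on", "1"):
        findings.append("smtpd_tls_auth_only is not yes: SASL credentials can be sent in cleartext")
    return findings


# Constructed sample configurations (not taken from the role's templates).
HARDENED = """
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = yes
"""

OPEN_RELAY = """
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit
smtpd_tls_auth_only = no
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("open", OPEN_RELAY)):
        print(name, audit(cfg) or "OK")
```

Feed it the output of postconf -n from a live host. The value assumed for a missing smtpd_relay_restrictions is Postfix's built-in default from 2.10 onwards; older releases have no such parameter, and only smtpd_recipient_restrictions protects the relay there.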

Requirements

  • This role must be run with sudo/become or as root, otherwise the role will fail.
  • The MySQL server needs to be pre-configured, and the user should already have the appropriate permissions to the database (see [defaults/main.yml] for default values).
  • On Red Hat servers, you need to pre-install PyMySQL (python2-PyMySQL or python3-PyMySQL, whichever is appropriate for you).

Example Playbook

requirements.yml

roles:
  - name: stackfocus.postfix-dovecot

site.yml

- hosts: all
  become: yes
  gather_facts: true
  roles:
    - stackfocus.postfix-dovecot
  vars:
    postfix_dovecot_mysql_db_name: mailserver
    postfix_dovecot_mysql_user: mailuser
    postfix_dovecot_mysql_password: mailpass
    postfix_default_domain: example.com
    dovecot_protocols:
      - imap
      - pop3
      - lmtp
    dovecot_mail_privileged_group: vmail
    dovecot_ssl_cert: /etc/ssl/certs/dovecot.pem
    dovecot_ssl_key: /etc/ssl/private/dovecot.pem
    postfix_ssl_cert: /etc/ssl/certs/postfix.pem
    postfix_ssl_key: /etc/ssl/private/postfix.pem

Install the role and run the playbook:

$ ansible-galaxy install -r requirements.yml
$ ansible-playbook -i inventory site.yml --ask-become-pass

Extended Example playbook for fresh server

In this example we use some of geerlingguy's roles to handle the database and the certbot certificates.

requirements.yml

roles:
  - name: stackfocus.postfix-dovecot
  - name: geerlingguy.mysql
  - name: geerlingguy.certbot

The playbook prepares for you:

  • the database and its user
  • a Let's Encrypt certificate
  • the mail transport service (Postfix)
  • the mailbox service (Dovecot)

---
- name: Setup mail
  hosts: mailserver.tld
  become: true
  vars:
    mail_domain: mycooldomain.com
    mail_database: maildb
    mail_db_pass: 'ultrasafepassword'
  roles:
    - role: geerlingguy.mysql
      mysql_databases:
        - name: '{{ mail_database }}'
          encoding: utf8mb4
          collation: utf8mb4_czech_ci
      mysql_users:
        - name: '{{ mail_database }}'
          host: "localhost"
          password: '{{ mail_db_pass }}'
          priv: "{{ mail_database }}.*:ALL"
    - role: geerlingguy.certbot
      certbot_certs:
        - domains:
            - '{{ mail_domain }}'
            - 'mail.{{ mail_domain }}'
    - role: stackfocus.postfix-dovecot
      postfix_dovecot_mysql_db_name: '{{ mail_database }}'
      postfix_dovecot_mysql_user: '{{ mail_database }}'
      postfix_dovecot_mysql_password: '{{ mail_db_pass }}'
      postfix_default_domain: '{{ mail_domain }}'
      dovecot_protocols:
        - imap
        - pop3
        - lmtp
      dovecot_mail_privileged_group: vmail
      dovecot_ssl_cert: /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem
      dovecot_ssl_key: /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem
      postfix_ssl_cert: /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem
      postfix_ssl_key: /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem
      postfix_smtp_tls_security_level: 'dane'
      postfix_mydestination:
        - '{{ mail_domain }}'
      postfix_myhostname: 'mail.{{ mail_domain }}'

Two caveats on this example. priv: "{{ mail_database }}.*:ALL" grants the mail account far more than it needs: every query the role documents (the *_query variables above) is a SELECT, so a SELECT grant on the database is enough for Postfix and Dovecot; if you set dovecot_add_example_users, rows have to be inserted as well, so check which account the role uses for that before narrowing the grant. And mail_db_pass is written in clear in the playbook; keep it in Ansible Vault or pass it in from outside instead.

ansible-role-postfix-dovecot's People

Contributors

badnetmask, mikysal78, mprahl, thatarchguy, vitexus

ansible-role-postfix-dovecot's Issues

Users?

I use Debian buster and the ansible-role-postmaster role doesn't work on my system.
Do you have another one for managing users and domains?
Thanks.

Error with clients

I am testing the Roundcube webmail and Thunderbird.
Webmail login is OK but there is an authentication error when sending messages.
Roundcube doesn't log in.

postmaster_address

Initial setup on my CentOS 7 guest fails without a postmaster_address definition in file 15-lda.conf. Suggest creating a variable to allow configuration.

Templating error

Hey, I am getting this error when trying to run the role on Ubuntu focal LTS:

fatal: [default]: FAILED! => {"changed": false, "msg": "AnsibleError: Unexpected templating type error occurred on (
# {{ ansible_managed }}
#
# # Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = {{ postfix_ssl_cert }}
smtpd_tls_key_file = {{ postfix_ssl_key }}

smtpd_use_tls = yes
smtpd_tls_session_cache_database =
smtp_tls_session_cache_database =

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = {{ postfix_smtpd_relay_restrictions | join(', ') }}
myhostname = {{ postfix_myhostname | default(ansible_fqdn) }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = {{ postfix_mydestination | join(', ') }}
relayhost = {{ postfix_relayhost | default() }}
mynetworks = {{ postfix_mynetworks | join(' ') }}
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = {{ postfix_inet_protocols }}

# Additional parameters
smtpd_tls_auth_only = {{ postfix_smtpd_tls_auth_only }}
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = {{ postfix_smtpd_recipient_restrictions | join(', ') }}

smtpd_helo_required = yes
smtpd_helo_restrictions = {{ postfix_smtpd_helo_restrictions | join(', ') }}

smtpd_sender_restrictions = {{ postfix_smtpd_sender_restrictions | join(', ') }}

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

address_verify_negative_refresh_time = 60s
address_verify_sender_ttl = 15686s
broken_sasl_auth_clients = yes
{% if (ansible_os_family != 'RedHat') and (ansible_distribution_major_version <= 7) %}
compatibility_level = 2
{% endif %}
html_directory = /usr/share/doc/postfix/html
readme_directory = /usr/share/doc/postfix
smtpd_client_message_rate_limit = {{ postfix_smtpd_client_message_rate_limit }}
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
{% if postfix_smtp_dns_support_level is sameas true %}
smtp_dns_support_level = dnssec
{% endif %}
): '<=' not supported between instances of 'AnsibleUnsafeText' and 'int'"}

include mysql db schema

For users not interested in running this alongside postmaster, it would be useful to include the MySQL db schema. Currently there are two options for anyone wanting to use this role as a single-hit solution:
1 - Reverse engineer the table structure from all the SQL queries used in the config files in this role
2 - Hunt around for clues as to what the database structure is.

After a few hours of looking around, I finally found out that this role is meant as a supplement to the PostMaster web GUI frontend; however, even at the PostMaster git repository I could hardly find any clue other than the fact that the software is supposed to ease the administration of a specific setup recommended by two separate tutorials.
For anyone else looking, here's the database schema:

CREATE TABLE `virtual_domains` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `virtual_users` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `password` varchar(106) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `virtual_aliases` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `source` varchar(100) NOT NULL,
  `destination` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
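
Two properties of the password column above are worth checking before going live, and neither is covered by the role's queries. Dovecot interprets a value that carries no {SCHEME} prefix with its configured default scheme (the role's postfix_dovecot_mysql_password_scheme, SHA512-CRYPT by default), so a plaintext password stored bare simply fails to verify instead of standing out. And varchar(106) is exactly the length of a $6$ hash with a 16-character salt and no rounds= field, with no room for the {SHA512-CRYPT} prefix that doveadm pw prints by default. The script below is an added example, not part of this issue or of the role: a format-only audit that classifies each stored value, flags plaintext or weak schemes, values that cannot be well-formed hashes for their scheme (truncated, or a bare plaintext password), and values that do not fit the column. The rows are constructed samples with dummy hash characters; nothing here verifies a hash.

```python
"""Audit the password column of virtual_users for weak, plaintext or unusable entries.

Added example, not the role's or PostMaster's code. Format-only: it classifies
what each row stores and never verifies a password against a hash.
"""
import re

DEFAULT_SCHEME = "SHA512-CRYPT"   # role default for postfix_dovecot_mysql_password_scheme
COLUMN_WIDTH = 106                # varchar(106) in the schema above
ACCEPTABLE = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT", "ARGON2I", "ARGON2ID"}

# Shape of a well-formed hash per scheme: $id$[rounds=N$]salt$digest with the
# crypt(3) base64 alphabet; the digest lengths are fixed by each algorithm.
_HASH_FORMAT = {
    "SHA512-CRYPT": re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"),
    "SHA256-CRYPT": re.compile(r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"),
    "BLF-CRYPT": re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),
}


def classify(stored, default_scheme=DEFAULT_SCHEME):
    """Split a stored value into (scheme, hash, has_explicit_prefix).

    Dovecot applies the default scheme to rows without a {SCHEME} prefix.
    """
    m = re.match(r"^\{([A-Za-z0-9.-]+)\}(.*)$", stored, re.S)
    if m:
        return m.group(1).upper(), m.group(2), True
    return default_scheme, stored, False


def audit_row(stored, default_scheme=DEFAULT_SCHEME, width=COLUMN_WIDTH):
    """Return the list of problems for one row's password value (empty means fine)."""
    problems = []
    scheme, digest, explicit = classify(stored, default_scheme)
    if len(stored) > width:
        problems.append(f"{len(stored)} chars exceed varchar({width}): the INSERT fails under "
                        "strict sql_mode or is silently truncated otherwise")
    if scheme not in ACCEPTABLE:
        problems.append(f"scheme {scheme} is plaintext or weak")
    fmt = _HASH_FORMAT.get(scheme)
    if fmt and not fmt.match(digest):
        origin = "explicit" if explicit else "implied by the default scheme"
        problems.append(f"value is not a well-formed {scheme} hash ({origin}): "
                        "truncated, or a plaintext password stored by mistake")
    return problems


def audit_table(rows, **kwargs):
    """Map email -> problems for every (email, password) row that has at least one."""
    report = {}
    for email, stored in rows:
        problems = audit_row(stored, **kwargs)
        if problems:
            report[email] = problems
    return report


# Constructed sample rows; the hashes are dummy strings of the right shape, not real digests.
_SALT = "0123456789abcdef"                            # 16 characters, the maximum salt
_SHA512_OK = "$6$" + _SALT + "$" + "x" * 86           # 106 characters: exactly fills the column

SAMPLE_ROWS = [
    ("alice@example.com", _SHA512_OK),                      # bare hash, default scheme: fine
    ("bob@example.com",   "{PLAIN}hunter2"),                # plaintext scheme
    ("carol@example.com", "{SHA512-CRYPT}" + _SHA512_OK),   # 120 characters: does not fit
    ("dave@example.com",  _SHA512_OK[:80]),                 # truncated hash: never verifies
    ("erin@example.com",  "Summer2024!"),                   # plaintext stored without a prefix
]

if __name__ == "__main__":
    for email, problems in audit_table(SAMPLE_ROWS).items():
        for p in problems:
            print(f"{email}: {p}")
```

Run it over SELECT email, password FROM virtual_users on the live database. A clean run says only that every row looks like a hash of an acceptable scheme that fits the column; it says nothing about the strength of the passwords behind them.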

Install MySQL for Vagrant tests

We currently don't install MySQL and setup the schema that is required in our Vagrant tests. We should do that for better testing. An easy way to do this is to use the PostMaster role as a dependency in testing.

Several improvement

Hi,
thank you for providing this Ansible role, it was useful but did not correspond to our needs.

So I have made several modifications:

If you are interested, I can create a merge request per branch (but there will be some conflicts to manage) or you can use all of them at once via this branch: https://github.com/roumano/ansible-role-postfix-dovecot/tree/all

Better Usage Example

Current example is only for clever people.
Lazy people need something special.
