From 884bbbfbae87b510a6331034bbb533ffd8640b22 Mon Sep 17 00:00:00 2001
From: Kishi85 <git@eightyfive.net>
Date: Mon, 15 Jul 2019 19:00:23 +0200
Subject: [PATCH] mail: use rspamd with automatic learning using sieve +
 managesieve

---
 roles/mail/files/default/spamassassin         |  34 ----
 roles/mail/files/dovecot/bin/learn-ham.sh     |   2 +
 roles/mail/files/dovecot/bin/learn-spam.sh    |   2 +
 roles/mail/files/dovecot/move-spam.sieve      |   5 +
 roles/mail/files/dovecot/report-ham.sieve     |   2 +
 roles/mail/files/dovecot/report-spam.sieve    |   2 +
 .../policyd-spf.conf                          |  14 --
 roles/mail/files/redis.conf                   |  60 +++++++
 .../mail/files/rspamd/local.d/antivirus.conf  |   9 ++
 .../rspamd/local.d/classifier-bayes.conf      |   3 +
 roles/mail/files/rspamd/local.d/greylist.conf |   2 +
 roles/mail/files/rspamd/local.d/logging.inc   |   4 +
 .../files/rspamd/local.d/milter_headers.conf  |   2 +
 roles/mail/files/rspamd/local.d/rbl.conf      |  14 ++
 .../mail/files/rspamd/local.d/rbl_group.conf  |  10 ++
 roles/mail/files/rspamd/local.d/redis.conf    |   2 +
 .../rspamd/local.d/worker-controller.inc      |   3 +
 .../files/rspamd/local.d/worker-normal.inc    |   2 +
 .../files/rspamd/local.d/worker-proxy.inc     |   7 +
 roles/mail/handlers/main.yml                  |  11 +-
 roles/mail/tasks/main.yml                     | 118 +++++++-------
 .../amavis/conf.d/15-content_filter_mode.j2   |  27 ----
 roles/mail/templates/amavis/conf.d/50-user.j2 |  37 -----
 .../dovecot/dovecot-ldap.conf.ext.j2          |  11 +-
 .../dovecot/dovecot-ldap.conf.lmtp.j2         | 150 ++++++++++++++++++
 roles/mail/templates/dovecot/local.conf.j2    |  76 +++++----
 .../mail/templates/postfix/ldap-aliases.cf.j2 |  11 --
 .../templates/postfix/ldap-virtual-maps.cf.j2 |  12 --
 roles/mail/templates/postfix/main.cf.j2       | 132 +++++++++------
 roles/mail/templates/postfix/master.cf.j2     |  44 ++---
 .../templates/postfix/recipient_access.j2     |   2 -
 .../mail/templates/rspamd/local.d/arc.conf.j2 |   6 +
 .../rspamd/local.d/dkim_signing.conf.j2       |   6 +
 .../templates/rspamd/local.d/options.inc.j2   |   1 +
 34 files changed, 511 insertions(+), 312 deletions(-)
 delete mode 100644 roles/mail/files/default/spamassassin
 create mode 100755 roles/mail/files/dovecot/bin/learn-ham.sh
 create mode 100755 roles/mail/files/dovecot/bin/learn-spam.sh
 create mode 100644 roles/mail/files/dovecot/move-spam.sieve
 create mode 100644 roles/mail/files/dovecot/report-ham.sieve
 create mode 100644 roles/mail/files/dovecot/report-spam.sieve
 delete mode 100644 roles/mail/files/postfix-policyd-spf-python/policyd-spf.conf
 create mode 100644 roles/mail/files/redis.conf
 create mode 100644 roles/mail/files/rspamd/local.d/antivirus.conf
 create mode 100644 roles/mail/files/rspamd/local.d/classifier-bayes.conf
 create mode 100644 roles/mail/files/rspamd/local.d/greylist.conf
 create mode 100644 roles/mail/files/rspamd/local.d/logging.inc
 create mode 100644 roles/mail/files/rspamd/local.d/milter_headers.conf
 create mode 100644 roles/mail/files/rspamd/local.d/rbl.conf
 create mode 100644 roles/mail/files/rspamd/local.d/rbl_group.conf
 create mode 100644 roles/mail/files/rspamd/local.d/redis.conf
 create mode 100644 roles/mail/files/rspamd/local.d/worker-controller.inc
 create mode 100644 roles/mail/files/rspamd/local.d/worker-normal.inc
 create mode 100644 roles/mail/files/rspamd/local.d/worker-proxy.inc
 delete mode 100644 roles/mail/templates/amavis/conf.d/15-content_filter_mode.j2
 delete mode 100644 roles/mail/templates/amavis/conf.d/50-user.j2
 create mode 100644 roles/mail/templates/dovecot/dovecot-ldap.conf.lmtp.j2
 delete mode 100644 roles/mail/templates/postfix/ldap-aliases.cf.j2
 delete mode 100644 roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
 delete mode 100644 roles/mail/templates/postfix/recipient_access.j2
 create mode 100644 roles/mail/templates/rspamd/local.d/arc.conf.j2
 create mode 100644 roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2
 create mode 100644 roles/mail/templates/rspamd/local.d/options.inc.j2

diff --git a/roles/mail/files/default/spamassassin b/roles/mail/files/default/spamassassin
deleted file mode 100644
index aff448e..0000000
--- a/roles/mail/files/default/spamassassin
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/default/spamassassin
-# Duncan Findlay
-
-# WARNING: please read README.spamd before using.
-# There may be security risks.
-
-# If you're using systemd (default for jessie), the ENABLED setting is
-# not used. Instead, enable spamd by issuing:
-# systemctl enable spamassassin.service
-# Change to "1" to enable spamd on systems using sysvinit:
-ENABLED=0
-
-# Options
-# See man spamd for possible options. The -d option is automatically added.
-
-# SpamAssassin uses a preforking model, so be careful! You need to
-# make sure --max-children is not set to anything higher than 5,
-# unless you know what you're doing.
-
-OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
-
-# Pid file
-# Where should spamd write its PID to file? If you use the -u or
-# --username option above, this needs to be writable by that user.
-# Otherwise, the init script will not be able to shut spamd down.
-PIDFILE="/var/run/spamd.pid"
-
-# Set nice level of spamd
-#NICE="--nicelevel 15"
-
-# Cronjob
-# Set to anything but 0 to enable the cron job to automatically update
-# spamassassin's rules on a nightly basis
-CRON=1
diff --git a/roles/mail/files/dovecot/bin/learn-ham.sh b/roles/mail/files/dovecot/bin/learn-ham.sh
new file mode 100755
index 0000000..c30528f
--- /dev/null
+++ b/roles/mail/files/dovecot/bin/learn-ham.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_ham
diff --git a/roles/mail/files/dovecot/bin/learn-spam.sh b/roles/mail/files/dovecot/bin/learn-spam.sh
new file mode 100755
index 0000000..da8e276
--- /dev/null
+++ b/roles/mail/files/dovecot/bin/learn-spam.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_spam
diff --git a/roles/mail/files/dovecot/move-spam.sieve b/roles/mail/files/dovecot/move-spam.sieve
new file mode 100644
index 0000000..fc89619
--- /dev/null
+++ b/roles/mail/files/dovecot/move-spam.sieve
@@ -0,0 +1,5 @@
+require ["fileinto","mailbox"];
+
+if header :contains "X-Spam" "Yes" {
+ fileinto "Junk";
+}
diff --git a/roles/mail/files/dovecot/report-ham.sieve b/roles/mail/files/dovecot/report-ham.sieve
new file mode 100644
index 0000000..82973c7
--- /dev/null
+++ b/roles/mail/files/dovecot/report-ham.sieve
@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy ".learn-ham.sh";
diff --git a/roles/mail/files/dovecot/report-spam.sieve b/roles/mail/files/dovecot/report-spam.sieve
new file mode 100644
index 0000000..512b132
--- /dev/null
+++ b/roles/mail/files/dovecot/report-spam.sieve
@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy ".learn-spam.sh";
diff --git a/roles/mail/files/postfix-policyd-spf-python/policyd-spf.conf b/roles/mail/files/postfix-policyd-spf-python/policyd-spf.conf
deleted file mode 100644
index 166dda1..0000000
--- a/roles/mail/files/postfix-policyd-spf-python/policyd-spf.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-#  For a fully commented sample config file see policyd-spf.conf.commented
-
-debugLevel = 1
-defaultSeedOnly = 1
-
-HELO_reject = No_Check
-Mail_From_reject = False
-
-Mail_From_pass_restriction = OK
-
-PermError_reject = False
-TempError_Defer = False
-
-skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1/128
diff --git a/roles/mail/files/redis.conf b/roles/mail/files/redis.conf
new file mode 100644
index 0000000..2318b4c
--- /dev/null
+++ b/roles/mail/files/redis.conf
@@ -0,0 +1,60 @@
+bind 127.0.0.1 ::1
+protected-mode yes
+port 6379
+tcp-backlog 511
+timeout 0
+tcp-keepalive 300
+daemonize yes
+supervised no
+pidfile /var/run/redis/redis-server.pid
+loglevel notice
+logfile /var/log/redis/redis-server.log
+databases 16
+always-show-logo yes
+save 900 1
+save 300 10
+save 60 10000
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+dir /var/lib/redis
+slave-serve-stale-data yes
+slave-read-only yes
+repl-diskless-sync no
+repl-diskless-sync-delay 5
+repl-disable-tcp-nodelay no
+slave-priority 100
+maxmemory 500mb
+maxmemory-policy volatile-lru
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+slave-lazy-flush no
+appendonly yes
+appendfilename "appendonly.aof"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble no
+lua-time-limit 5000
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+latency-monitor-threshold 0
+notify-keyspace-events ""
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
+list-max-ziplist-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
+hll-sparse-max-bytes 3000
+activerehashing yes
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit slave 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+hz 10
+aof-rewrite-incremental-fsync yes
diff --git a/roles/mail/files/rspamd/local.d/antivirus.conf b/roles/mail/files/rspamd/local.d/antivirus.conf
new file mode 100644
index 0000000..db0a12a
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/antivirus.conf
@@ -0,0 +1,9 @@
+clamav {
+    servers = "/var/run/clamav/clamd.ctl";
+    symbol = "CLAMAV_VIRUS";
+    attachments_only = false;
+    patterns {
+	JUST_EICAR = nan; #Disable EICAR handling
+    }
+    action = "reject";
+}
diff --git a/roles/mail/files/rspamd/local.d/classifier-bayes.conf b/roles/mail/files/rspamd/local.d/classifier-bayes.conf
new file mode 100644
index 0000000..8a60b20
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/classifier-bayes.conf
@@ -0,0 +1,3 @@
+backend = "redis";
+new_schema = true;
+expire = 8640000;
diff --git a/roles/mail/files/rspamd/local.d/greylist.conf b/roles/mail/files/rspamd/local.d/greylist.conf
new file mode 100644
index 0000000..bc91906
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/greylist.conf
@@ -0,0 +1,2 @@
+expire=30d;
+timeout=120s;
diff --git a/roles/mail/files/rspamd/local.d/logging.inc b/roles/mail/files/rspamd/local.d/logging.inc
new file mode 100644
index 0000000..230783b
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/logging.inc
@@ -0,0 +1,4 @@
+type = "file";
+filename = "/var/log/rspamd/rspamd.log";
+level = "notice";
+debug_modules = ["antivirus","dkim_signing","arc","greylist","fuzzy_check"];
diff --git a/roles/mail/files/rspamd/local.d/milter_headers.conf b/roles/mail/files/rspamd/local.d/milter_headers.conf
new file mode 100644
index 0000000..32ad1ad
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/milter_headers.conf
@@ -0,0 +1,2 @@
+use = ["authentication-results","x-spam-status","x-spam-level","x-spamd-bar", "x-spamd-result", "x-rspamd-server","x-rspamd-queue-id"];
+authenticated_headers = ["authentication-results"];
diff --git a/roles/mail/files/rspamd/local.d/rbl.conf b/roles/mail/files/rspamd/local.d/rbl.conf
new file mode 100644
index 0000000..f0e217f
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/rbl.conf
@@ -0,0 +1,14 @@
+rbls {
+   nixspam {
+       symbol = "RBL_NIXSPAM";
+       rbl = "ix.dnsbl.manitu.net";
+       ipv4 = true;
+       ipv6 = true;
+   }
+   gbudb {
+       symbol = "RBL_GBUDB";
+       rbl = "truncate.gbudb.net";
+       ipv4 = true;
+       ipv6 = true;
+   }
+}
diff --git a/roles/mail/files/rspamd/local.d/rbl_group.conf b/roles/mail/files/rspamd/local.d/rbl_group.conf
new file mode 100644
index 0000000..b32ae4e
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/rbl_group.conf
@@ -0,0 +1,10 @@
+symbols = {
+    "RBL_GBUDB" {
+        weight = 4.0;
+        description = "From address is listed in GBUDB BL";
+    }
+    "RBL_NIXSPAM" {
+        weight = 4.0;
+        description = "From address is listed in NIXSPAM BL";
+    }
+}
diff --git a/roles/mail/files/rspamd/local.d/redis.conf b/roles/mail/files/rspamd/local.d/redis.conf
new file mode 100644
index 0000000..a47448b
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/redis.conf
@@ -0,0 +1,2 @@
+write_servers = "127.0.0.1";
+read_servers = "127.0.0.1";
diff --git a/roles/mail/files/rspamd/local.d/worker-controller.inc b/roles/mail/files/rspamd/local.d/worker-controller.inc
new file mode 100644
index 0000000..6f9b875
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/worker-controller.inc
@@ -0,0 +1,3 @@
+password = "$2$tgahjcep7dkczanwry7hnyozswpbi9fx$f6acdtn47w35sek85znopneeko7fp8gmamnxxaf31ryo18dp333y";
+enable_password = "$2$tgahjcep7dkczanwry7hnyozswpbi9fx$f6acdtn47w35sek85znopneeko7fp8gmamnxxaf31ryo18dp333y";
+bind_socket = "localhost:11334";
diff --git a/roles/mail/files/rspamd/local.d/worker-normal.inc b/roles/mail/files/rspamd/local.d/worker-normal.inc
new file mode 100644
index 0000000..27dc8cb
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/worker-normal.inc
@@ -0,0 +1,2 @@
+bind_socket = "localhost:11333";
+count = 1;
diff --git a/roles/mail/files/rspamd/local.d/worker-proxy.inc b/roles/mail/files/rspamd/local.d/worker-proxy.inc
new file mode 100644
index 0000000..e49b3ec
--- /dev/null
+++ b/roles/mail/files/rspamd/local.d/worker-proxy.inc
@@ -0,0 +1,7 @@
+bind_socket = "localhost:11332";
+milter = yes;
+timeout = 120s;
+upstream "local" {
+    default = yes;
+    self_scan = yes;
+}
diff --git a/roles/mail/handlers/main.yml b/roles/mail/handlers/main.yml
index 49b03bd..ab3d510 100644
--- a/roles/mail/handlers/main.yml
+++ b/roles/mail/handlers/main.yml
@@ -1,8 +1,4 @@
 ---
-
-- name: Restart amavis
-  service: name=amavis state=restarted
-
 - name: Restart dovecot
   service: name=dovecot state=restarted
 
@@ -12,8 +8,11 @@
 - name: Restart postfix
   service: name=postfix state=restarted
 
-- name: Restart postgrey
-  service: name=postgrey state=restarted
+- name: Restart redis
+  service: name=redis state=restarted
+
+- name: Restart rspamd
+  service: name=rspamd state=restarted
 
 - name: Run acertmgr
   command: /opt/acertmgr/acertmgr.py
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index c6801a6..0ecbb42 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -1,4 +1,13 @@
 ---
+- name: add an apt rspamd key
+  apt_key:
+    url: https://rspamd.com/apt-stable/gpg.key
+    state: present
+
+- name: add rspamd repository
+  apt_repository:
+    repo: deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }}  main
+    state: present
 
 - name: Install packages
   apt: name={{ item }}
@@ -7,18 +16,16 @@
   - bsd-mailx
   - dovecot-core
   - dovecot-imapd
+  - dovecot-lmtpd
   - dovecot-ldap
   - dovecot-managesieved
   - dovecot-sieve
   - fcgiwrap
   - mailman
   - postfix
-  - postfix-ldap
-  - postfix-policyd-spf-python
-  - postgrey
-  - pyzor
-  - razor
-  - spamassassin
+  - redis-server
+  - redis-tools
+  - rspamd
 
 - name: Create vmail group
   group: name=vmail gid=500 state=present
@@ -26,26 +33,65 @@
 - name: Create vmail user
   user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
 
-- name: Configure amavis
-  template: src={{ item }}.j2 dest=/etc/{{ item }}
-  with_items:
-  - amavis/conf.d/15-content_filter_mode
-  - amavis/conf.d/50-user
-  notify: Restart amavis
-
 - name: Create dovecot ssl directory
   file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
 
 - name: Create dovecot log directory
   file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail
 
+- name: Create vmail sieve directory
+  file: path=/var/vmail/.sieve state=directory mode=0750 owner=vmail group=vmail
+
+- name: Create vmail sieve-bin directory
+  file: path=/var/vmail/.sieve/bin state=directory mode=0750 owner=vmail group=vmail
+
+- name: Copy redis config
+  copy: src=redis.conf dest=/etc/redis/redis.conf
+  notify: Restart redis
+
+- name: Copy static rspamd config
+  copy: src={{ item }} dest=/etc/rspamd/local.d/
+  notify: Restart rspamd
+  with_fileglob: "rspamd/local.d/*"
+
+- name: Render rspamd config templates
+  template: src=rspamd/local.d/{{ item }}.j2 dest=/etc/rspamd/local.d/{{ item }}
+  notify: Restart rspamd
+  loop:
+    - "options.inc"
+    - "arc.conf"
+    - "dkim_signing.conf"
+
+- name: Copy spam learn/unlearn sieve and shell scripts
+  copy: src=dovecot/{{ item }} dest=/var/vmail/.sieve/{{ item }}
+  with_items:
+  - bin/learn-spam.sh
+  - bin/learn-ham.sh
+  - move-spam.sieve
+  - report-spam.sieve
+  - report-ham.sieve
+
 - name: Configure dovecot
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
   - dovecot/dovecot-ldap.conf.ext
+  - dovecot/dovecot-ldap.conf.lmtp
   - dovecot/local.conf
   notify: Restart dovecot
 
+- name: Compile sieve scripts
+  shell: sievec /var/vmail/.sieve/{{ item|basename }}
+  with_items:
+  - move-spam.sieve
+  - report-spam.sieve
+  - report-ham.sieve
+
+- name: Ensure learn scripts are executable
+  file: mode=0750 path=/var/vmail/.sieve/bin/{{ item }}
+  with_items:
+  - learn-spam.sh
+  - learn-ham.sh
+
 - name: Configure logrotate for dovecot
   copy: src=logrotate.d/dovecot dest=/etc/logrotate.d/dovecot
 
@@ -79,11 +125,6 @@
   file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
   notify: Restart nginx
 
-- name: Configure policyd
-  copy: src={{ item }} dest=/etc/{{ item }}
-  with_items:
-  - postfix-policyd-spf-python/policyd-spf.conf
-
 - name: Create postfix ssl directory
   file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
 
@@ -98,9 +139,6 @@
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
   - postfix/helo_access
-  - postfix/ldap-aliases.cf
-  - postfix/ldap-virtual-maps.cf
-  - postfix/recipient_access
   - postfix/transport
   - postfix/virtual-alias
   notify: Run postmap
@@ -116,32 +154,6 @@
   file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400
   notify: Restart postfix
 
-- name: Create razor directory structure
-  command: razor-admin -create chdir=/var/lib/amavis creates=/var/lib/amavis/.razor
-  become: yes
-  become_user: amavis
-
-- name: Register razor
-  command: razor-admin -register chdir=/var/lib/amavis creates=/var/lib/amavis/.razor/identity
-  become: yes
-  become_user: amavis
-
-- name: Download GPG key for Sought ruleset
-  get_url: url=http://yerp.org/rules/GPG.KEY dest=/etc/spamassassin/sought.key
-
-- name: Import GPG key for Sought ruleset
-  become: yes
-  become_user: debian-spamd
-  shell: sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys --import /etc/spamassassin/sought.key && touch sought.imported chdir=/var/lib/spamassassin creates=sought.imported
-
-- name: Enable sa-update cron-job
-  cron: name=sa-update minute="0" hour="*/6" job="/usr/bin/sa-update -v --gpghomedir /var/lib/spamassassin/sa-update-keys --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org"
-
-- name: Enable spamd cron-job
-  copy: src={{ item }} dest=/etc/{{ item }}
-  with_items:
-  - default/spamassassin
-
 - name: Configure certificate manager
   template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf
   notify: Run acertmgr
@@ -150,10 +162,6 @@
   template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf
   notify: Run acertmgr
 
-- name: Start amavis
-  service: name=amavis state=started enabled=yes
-  tags: mail
-
 - name: Start dovecot
   service: name=dovecot state=started enabled=yes
   tags: mail
@@ -166,6 +174,10 @@
   service: name=postfix state=started enabled=yes
   tags: mail
 
-- name: Start postgrey
-  service: name=postgrey state=started enabled=yes
+- name: Start redis
+  service: name=rspamd state=started enabled=yes
+  tags: mail
+
+- name: Start rspamd
+  service: name=rspamd state=started enabled=yes
   tags: mail
diff --git a/roles/mail/templates/amavis/conf.d/15-content_filter_mode.j2 b/roles/mail/templates/amavis/conf.d/15-content_filter_mode.j2
deleted file mode 100644
index 1d5ffab..0000000
--- a/roles/mail/templates/amavis/conf.d/15-content_filter_mode.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-use strict;
-
-# You can modify this file to re-enable SPAM checking through spamassassin
-# and to re-enable antivirus checking.
-
-#
-# Default antivirus checking mode
-# Please note, that anti-virus checking is DISABLED by 
-# default.
-# If You wish to enable it, please uncomment the following lines:
-
-
-#@bypass_virus_checks_maps = (
-#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
-
-
-#
-# Default SPAM checking mode
-# Please note, that anti-spam checking is DISABLED by 
-# default.
-# If You wish to enable it, please uncomment the following lines:
-
-
-@bypass_spam_checks_maps = (
-   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
-
-1;  # ensure a defined return
diff --git a/roles/mail/templates/amavis/conf.d/50-user.j2 b/roles/mail/templates/amavis/conf.d/50-user.j2
deleted file mode 100644
index 7f80dde..0000000
--- a/roles/mail/templates/amavis/conf.d/50-user.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-use strict;
-
-#
-# Place your configuration directives here.  They will override those in
-# earlier files.
-#
-# See /usr/share/doc/amavisd-new/ for documentation and examples of
-# the directives you can use in this file
-#
-
-$remove_existing_spam_headers = 1;
-
-$sa_tag_level_deflt = undef;
-$sa_tag2_level_deflt = 5.0;
-$sa_kill_level_deflt = $sa_tag2_level_deflt;
-$sa_spam_subject_tag = undef;
-
-$final_virus_destiny      = D_PASS;
-$final_banned_destiny     = D_PASS;
-$final_spam_destiny       = D_PASS;
-$final_bad_header_destiny = D_PASS;
-
-$virus_admin = undef;
-
-$virus_quarantine_to = undef;
-$spam_quarantine_to = undef;
-
-$X_HEADER_LINE = "$myproduct_name at $mydomain";
-
-@local_domains_acl = ("{{ mail_domain }}"
-{%- for domain in mail_domains %}
-, "{{ domain }}"
-{%- endfor %}
-);
-
-#------------ Do not modify anything below this line -------------
-1;  # ensure a defined return
diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
index a8f5048..d57c387 100644
--- a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
@@ -108,7 +108,9 @@ scope = subtree
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/UserDatabase/ExtraFields
 #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
-user_attrs =
+user_attrs = \
+  =user=%{ldap:uid}, \
+  =home=/var/vmail/%{ldap:uid}
 
 # Filter for user lookup. Some variables can be used (see
 # http://wiki2.dovecot.org/Variables for full list):
@@ -116,7 +118,7 @@ user_attrs =
 #   %n - user part in user@domain, same as %u if there's no domain
 #   %d - domain part in user@domain, empty if user there's no domain
 #user_filter = (&(objectClass=posixAccount)(uid=%u))
-user_filter = (&(objectClass=posixAccount)(uid=%u))
+user_filter = (&(objectClass=kitchenUser)(uid=%n))
 
 # Password checking attributes:
 #  user: Virtual user name (user@domain), if you wish to change the
@@ -124,7 +126,9 @@ user_filter = (&(objectClass=posixAccount)(uid=%u))
 #  password: Password, may optionally start with {type}, eg. {crypt}
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
-#pass_attrs = uid=user,userPassword=password
+pass_attrs = \
+  =user=%{ldap:uid}, \
+  =home=/var/vmail/%{ldap:uid}
 
 # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
 # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
@@ -135,6 +139,7 @@ user_filter = (&(objectClass=posixAccount)(uid=%u))
 
 # Filter for password lookups
 #pass_filter = (&(objectClass=posixAccount)(uid=%u))
+pass_filter = (&(objectClass=kitchenUser)(uid=%n))
 
 # Attributes and filter to get a list of all users
 #iterate_attrs = uid=user
diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.lmtp.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.lmtp.j2
new file mode 100644
index 0000000..e9ed401
--- /dev/null
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.lmtp.j2
@@ -0,0 +1,150 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/LDAP
+#
+# NOTE: If you're not using authentication binds, you'll need to give
+# dovecot-auth read access to userPassword field in the LDAP server.
+# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
+# already be something like this:
+
+# access to attribute=userPassword
+#        by dn="<dovecot's dn>" read # add this
+#        by anonymous auth
+#        by self write
+#        by * none
+
+# Space separated list of LDAP hosts to use. host:port is allowed too.
+#hosts =
+
+# LDAP URIs to use. You can use this instead of hosts list. Note that this
+# setting isn't supported by all LDAP libraries.
+uris = {{ ldap_uri }}
+
+# Distinguished Name - the username used to login to the LDAP server.
+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
+dn = {{ ldap_binddn }}
+
+# Password for LDAP server, if dn is specified.
+dnpass = {{ ldap_bindpw }}
+
+# Use SASL binding instead of the simple binding. Note that this changes
+# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
+# and auth_bind=yes don't work together.
+#sasl_bind = no
+# SASL mechanism name to use.
+#sasl_mech =
+# SASL realm to use.
+#sasl_realm =
+# SASL authorization ID, ie. the dnpass is for this "master user", but the
+# dn is still the logged in user. Normally you want to keep this empty.
+#sasl_authz_id =
+
+# Use TLS to connect to the LDAP server.
+#tls = no
+# TLS options, currently supported only with OpenLDAP:
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+#tls_ca_cert_dir = /etc/ssl/certs
+#tls_cipher_suite =
+# TLS cert/key is used only if LDAP server requires a client certificate.
+#tls_cert_file =
+#tls_key_file =
+# Valid values: never, hard, demand, allow, try
+tls_require_cert = demand
+
+# Use the given ldaprc path.
+#ldaprc_path =
+
+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
+# to get enough output.
+#debug_level = 0
+
+# Use authentication binding for verifying password's validity. This works by
+# logging into LDAP server using the username and password given by client.
+# The pass_filter is used to find the DN for the user. Note that the pass_attrs
+# is still used, only the password field is ignored in it. Before doing any
+# search, the binding is switched back to the default DN.
+auth_bind = yes
+
+# If authentication binding is used, you can save one LDAP request per login
+# if users' DN can be specified with a common template. The template can use
+# the standard %variables (see user_filter). Note that you can't
+# use any pass_attrs if you use this setting.
+#
+# If you use this setting, it's a good idea to use a different
+# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
+# the filename is different in userdb's args). That way one connection is used
+# only for LDAP binds and another connection is used for user lookups.
+# Otherwise the binding is changed to the default DN before each user lookup.
+#
+# For example:
+#   auth_bind_userdn = cn=%u,ou=people,o=org
+#
+#auth_bind_userdn =
+
+# LDAP protocol version to use. Likely 2 or 3.
+#ldap_version = 3
+
+# LDAP base. %variables can be used here.
+# For example: dc=mail, dc=example, dc=org
+base = {{ ldap_base }}
+
+# Dereference: never, searching, finding, always
+deref = never
+
+# Search scope: base, onelevel, subtree
+scope = subtree
+
+# User attributes are given in LDAP-name=dovecot-internal-name list. The
+# internal names are:
+#   uid - System UID
+#   gid - System GID
+#   home - Home directory
+#   mail - Mail location
+#
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
+user_attrs = \
+  =user=%{ldap:uid}, \
+  =home=/var/vmail/%{ldap:uid}
+
+# Filter for user lookup. Some variables can be used (see
+# http://wiki2.dovecot.org/Variables for full list):
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if user there's no domain
+#user_filter = (&(objectClass=posixAccount)(uid=%u))
+user_filter = (&(objectClass=kitchenUser)(|(mail=%u)(mailAlternateAddress=%u)))
+
+# Password checking attributes:
+#  user: Virtual user name (user@domain), if you wish to change the
+#        user-given username to something else
+#  password: Password, may optionally start with {type}, eg. {crypt}
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+pass_attrs = \
+  =user=%{ldap:uid}, \
+  =home=/var/vmail/%{ldap:uid}
+
+# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
+# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
+# string. For example:
+#pass_attrs = uid=user,userPassword=password,\
+#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
+
+# Filter for password lookups
+#pass_filter = (&(objectClass=posixAccount)(uid=%u))
+pass_filter = (&(objectClass=kitchenUser)(uid=%n))
+
+# Attributes and filter to get a list of all users
+#iterate_attrs = uid=user
+#iterate_filter = (objectClass=posixAccount)
+
+# Default password scheme. "{scheme}" before password overrides this.
+# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
+#default_pass_scheme = CRYPT
diff --git a/roles/mail/templates/dovecot/local.conf.j2 b/roles/mail/templates/dovecot/local.conf.j2
index 34a44a8..441ed1b 100644
--- a/roles/mail/templates/dovecot/local.conf.j2
+++ b/roles/mail/templates/dovecot/local.conf.j2
@@ -9,11 +9,9 @@ info_log_path = /var/log/dovecot/info.log
 #log_timestamp = "%Y-%m-%d %H:%M:%S "
 
 mail_privileged_group = mail
+mail_location = maildir:~/.maildir
 
-mail_location = maildir:/var/vmail/%u/.maildir
-mail_home = maildir:/var/vmail/%u
-mail_uid = vmail
-mail_gid = vmail
+postmaster_address = postmaster@binary-kitchen.de
 
 ssl = yes
 ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
@@ -21,24 +19,20 @@ ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
 ssl_protocols = !SSLv3
 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
-passdb {
-  driver = ldap
-  args = /etc/dovecot/dovecot-ldap.conf.ext
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtpd {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
 }
-
-userdb {
-  driver = static
-  args = uid=vmail gid=vmail home=/var/vmail/%u
-}
-
 service auth {
-  unix_listener /var/spool/postfix/private/auth {
+  unix_listener /var/spool/postfix/private/dovecot-auth {
     mode = 0660
     user = postfix
     group = postfix
   }
 }
-
 service imap-login {
   inet_listener imap {
     address = 0.0.0.0 ::
@@ -50,27 +44,49 @@ service imap-login {
   }
 }
 
-service managesieve-login {
-  inet_listener sieve {
-    address = 127.0.0.1 ::1
-    port = 2000
+passdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+protocols = "imap lmtp sieve"
+protocol sieve {
+  userdb {
+    driver = ldap
+    args = /etc/dovecot/dovecot-ldap.conf.ext
+    default_fields = uid=vmail gid=vmail
   }
 }
-
-protocol lda {
-  mail_plugins = sieve
-  log_path = /var/log/dovecot/deliver.log
-  info_log_path = /var/log/dovecot/deliver.log
-}
-
 protocol imap {
+  userdb {
+    driver = ldap
+    args = /etc/dovecot/dovecot-ldap.conf.ext
+    default_fields = uid=vmail gid=vmail
+  }
+  mail_plugins = "imap_sieve"
   mail_max_userip_connections = 50
 }
-
+protocol lmtp {
+  userdb {
+    driver = ldap
+    args = /etc/dovecot/dovecot-ldap.conf.lmtp
+    default_fields = uid=vmail gid=vmail
+  }
+  mail_plugins = "sieve notify push_notification"
+}
 plugin {
-  sieve = ~/.dovecot.sieve
-  sieve_before = /var/vmail/default.sieve
-  sieve_global_path = /var/vmail/default.sieve
+  imapsieve_mailbox1_before = file:/var/vmail/.sieve/report-spam.sieve
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox2_before = file:/var/vmail/.sieve/report-ham.sieve
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_name = *
+  sieve_after = /var/vmail/.sieve/move-spam.sieve
+  sieve_global = /var/vmail/.sieve
+  sieve_global_extensions = +vnd.dovecot.pipe
+  sieve_pipe_bin_dir = /var/vmail/.sieve/bin
+  sieve_plugins = "sieve_imapsieve sieve_extprograms"
+  sieve = file:~/.sieve;active=~/.dovecot.sieve
 }
 
 namespace inbox {
diff --git a/roles/mail/templates/postfix/ldap-aliases.cf.j2 b/roles/mail/templates/postfix/ldap-aliases.cf.j2
deleted file mode 100644
index 7319ca7..0000000
--- a/roles/mail/templates/postfix/ldap-aliases.cf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-server_host = {{ ldap_uri }}
-tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
-tls_require_cert = yes
-bind = yes
-bind_dn = {{ ldap_binddn }}
-bind_pw = {{ ldap_bindpw }}
-version = 3
-
-search_base = {{ ldap_base }}
-query_filter = (&(objectClass=kitchenUser)(mailAlternateAddress=%s))
-result_attribute = mail
diff --git a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
deleted file mode 100644
index f9e6f23..0000000
--- a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-server_host = {{ ldap_uri }}
-tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
-tls_require_cert = yes
-bind = yes
-bind_dn = {{ ldap_binddn }}
-bind_pw = {{ ldap_bindpw }}
-version = 3
-
-search_base = {{ ldap_base }}
-query_filter = (&(objectClass=kitchenUser)(mail=%s))
-result_attribute = uid
-result_format = %u/.maildir/
diff --git a/roles/mail/templates/postfix/main.cf.j2 b/roles/mail/templates/postfix/main.cf.j2
index 01f60d2..2c81949 100644
--- a/roles/mail/templates/postfix/main.cf.j2
+++ b/roles/mail/templates/postfix/main.cf.j2
@@ -1,37 +1,55 @@
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Uncomment soft_bounce for testing
+#soft_bounce = yes
 
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+# Generic postfix parameters
+compatibility_level = 2
+smtpd_banner = $myhostname ESMTP $mail_name
 biff = no
-
-# appending .domain is the MUA's job.
 append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
 readme_directory = no
-
 inet_interfaces = all
 inet_protocols = all
-
 message_size_limit = 50000000
 recipient_delimiter = +
-
-mydomain = {{ mail_domain }}
-myhostname = {{ ansible_fqdn }}
-myorigin = {{ ansible_fqdn }}
-mydestination = localhost.{{ mail_domain }}, localhost
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mail_trusted }}
-
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
+unknown_local_recipient_reject_code = 550
+strict_rfc821_envelopes = yes
+disable_vrfy_command = yes
+smtpd_delay_reject = yes
+smtpd_helo_required = yes
 relayhost =
 
-# TLS parameters
+# Postscreen (pre-greet only, rspamd does the rest)
+postscreen_greet_banner = $myhostname ESMTP $mail_name
+postscreen_greet_action = enforce
+
+# Network parameters
+mydomain = {{ mail_domain }}
+myhostname = {{ ansible_fqdn }}
+myorigin = $myhostname
+mydestination = localhost.$mydomain, localhost
+mynetworks = 
+	127.0.0.0/8
+	[::ffff:127.0.0.0]/104
+	[::1]/128
+{% for cidr in mail_trusted.split(' ') %}
+	{{ cidr }}
+{% endfor %}
+
+# Alias configuration
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+
+# Client TLS parameters
 smtp_tls_security_level = may
 smtp_tls_loglevel = 1
 smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
+smtp_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_fingerprint_digest=sha256
 
+# Server TLS parameters
 smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
 smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
 smtpd_tls_CApath = /etc/ssl/certs
@@ -39,50 +57,62 @@ smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_ciphers = medium
 smtpd_tls_received_header = yes
-
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_fingerprint_digest=sha256
 
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
+# Submission SASL configuration
 smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
+smtpd_sasl_path = private/dovecot-auth
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 
-smtpd_helo_restrictions = permit_mynetworks
-                          warn_if_reject reject_non_fqdn_hostname
-                          check_helo_access hash:/etc/postfix/helo_access
-                          #check_client_access cidr:/etc/postfix/client_access
+# SMTPd restrictions
+smtpd_helo_restrictions =
+    permit_sasl_authenticated
+    permit_mynetworks
+    warn_if_reject reject_non_fqdn_hostname
+    check_helo_access hash:/etc/postfix/helo_access
 
-smtpd_recipient_restrictions = permit_mynetworks
-                               permit_sasl_authenticated
-                               reject_unauth_destination
-                               reject_rbl_client sbl.spamhaus.org
-                               reject_rbl_client cbl.abuseat.org
-                               check_recipient_access hash:/etc/postfix/recipient_access
+smtpd_client_restrictions =
+    permit_sasl_authenticated
+    permit_mynetworks
+    reject_unknown_reverse_client_hostname
 
-smtpd_data_restrictions = warn_if_reject reject_unauth_pipelining
+smtpd_sender_restrictions =
+    reject_unknown_sender_domain
+    reject_non_fqdn_sender
+    permit_mynetworks
+    permit_tls_clientcerts
+    permit_sasl_authenticated
+    reject_unauth_pipelining
+    reject_unauthenticated_sender_login_mismatch
+    reject_sender_login_mismatch
 
-smtpd_restriction_classes = greylisting
+smtpd_recipient_restrictions =
+    reject_unknown_recipient_domain
+    reject_non_fqdn_recipient
+    permit_mynetworks
+    permit_tls_clientcerts
+    permit_sasl_authenticated
+    reject_unauth_destination
+    reject_unauth_pipelining
+    reject_unverified_recipient
 
-greylisting = check_policy_service unix:private/spfpolicy
-              check_policy_service inet:127.0.0.1:10023
-
-content_filter = amavis:[127.0.0.1]:10024
-receive_override_options = no_address_mappings
+# rspamd Milter setup
+smtpd_milters = inet:localhost:11332
+non_smtpd_milters = inet:localhost:11332
+milter_default_action = accept
+milter_protocol = 6
 
+# mailbox / forward definitions
 virtual_mailbox_domains = {{ mail_domain }}
-{%- for domain in mail_domains %}
+{% for domain in mail_domains %}
  {{ domain }}
-{%- endfor %}
-
-virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-maps.cf
-virtual_alias_maps = hash:/etc/postfix/virtual-alias, ldap:/etc/postfix/ldap-aliases.cf
-
-virtual_transport = dovecot
-dovecot_destination_recipient_limit = 1
+{% endfor %}
+virtual_alias_maps = hash:/etc/postfix/virtual-alias
+virtual_transport = lmtp:unix:private/dovecot-lmtpd
+unverified_recipient_reject_code = 550
+unverified_recipient_reject_reason = Recipient unknown
 
 # mailman
 relay_domains = {{ mailman_domain }}
diff --git a/roles/mail/templates/postfix/master.cf.j2 b/roles/mail/templates/postfix/master.cf.j2
index 012f139..a8cd31d 100644
--- a/roles/mail/templates/postfix/master.cf.j2
+++ b/roles/mail/templates/postfix/master.cf.j2
@@ -9,12 +9,19 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
-smtp      inet  n       -       -       -       -       smtpd
-#smtp      inet  n       -       -       -       1       postscreen
-#smtpd     pass  -       -       -       -       -       smtpd
-#dnsblog   unix  -       -       -       -       0       dnsblog
-#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#smtp      inet  n       -       -       -       -       smtpd
+smtp      inet  n       -       -       -       1       postscreen
+smtpd     pass  -       -       -       -       -       smtpd
+dnsblog   unix  -       -       -       -       0       dnsblog
+tlsproxy  unix  -       -       -       -       0       tlsproxy
 submission inet n       -       -       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_recipient_restrictions=
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o { milter_macro_daemon_name = ORIGINATING }
 #  -o syslog_name=postfix/submission
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
@@ -24,7 +31,6 @@ submission inet n       -       -       -       -       smtpd
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
 #  -o smtpd_recipient_restrictions=
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
 #smtps     inet  n       -       -       -       -       smtpd
 #  -o syslog_name=postfix/smtps
 #  -o smtpd_tls_wrappermode=yes
@@ -120,29 +126,3 @@ scalemail-backend unix	-	n	n	-	2	pipe
   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
 mailman   unix  -       n       n       -       -       pipe
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
-
-# dovecot
-dovecot unix - n n - - pipe
-   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user} -m ${extension}
-
-# amavis
-amavis unix - - - - 2 smtp
-    -o smtp_data_done_timeout=1200
-    -o smtp_send_xforward_command=yes
-
-127.0.0.1:10025 inet n - - - - smtpd
-    -o content_filter=
-    -o local_recipient_maps=
-    -o relay_recipient_maps=
-    -o smtpd_restriction_classes=
-    -o smtpd_client_restrictions=
-    -o smtpd_helo_restrictions=
-    -o smtpd_sender_restrictions=
-    -o smtpd_recipient_restrictions=permit_mynetworks,reject
-    -o mynetworks=127.0.0.0/8
-    -o strict_rfc821_envelopes=yes
-    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-
-# spf
-spfpolicy  unix  -       n       n       -       0       spawn
-  user=nobody argv=/usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
diff --git a/roles/mail/templates/postfix/recipient_access.j2 b/roles/mail/templates/postfix/recipient_access.j2
deleted file mode 100644
index da67880..0000000
--- a/roles/mail/templates/postfix/recipient_access.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-info@binary-kitchen.de greylisting
-vorstand@binary-kitchen.de greylisting
diff --git a/roles/mail/templates/rspamd/local.d/arc.conf.j2 b/roles/mail/templates/rspamd/local.d/arc.conf.j2
new file mode 100644
index 0000000..8ae0f3d
--- /dev/null
+++ b/roles/mail/templates/rspamd/local.d/arc.conf.j2
@@ -0,0 +1,6 @@
+allow_username_mismatch = true;
+sign_networks = [127.0.0.1, ::1, {{ mail_trusted }}];
+check_pubkey = true;
+try_fallback = false;
+path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+selector_map = "/etc/rspamd/local.d/arc_selectors.map";
diff --git a/roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2 b/roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2
new file mode 100644
index 0000000..ae822f0
--- /dev/null
+++ b/roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2
@@ -0,0 +1,6 @@
+allow_username_mismatch = true;
+sign_networks = [127.0.0.1, ::1, {{ mail_trusted }}];
+check_pubkey = true;
+try_fallback = false;
+path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
diff --git a/roles/mail/templates/rspamd/local.d/options.inc.j2 b/roles/mail/templates/rspamd/local.d/options.inc.j2
new file mode 100644
index 0000000..87a5d1f
--- /dev/null
+++ b/roles/mail/templates/rspamd/local.d/options.inc.j2
@@ -0,0 +1 @@
+local_addrs = [127.0.0.1, ::1, {{ mail_trusted }}];