ansible/roles/mail/tasks/main.yml

---

- name: add rspamd apt key
  apt_key: url="https://rspamd.com/apt-stable/gpg.key"

- name: add rspamd repository
  apt_repository: repo="deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"

- name: Install packages
  apt:
    name:
    - bsd-mailx
    - clamav-daemon
    - dovecot-core
    - dovecot-imapd
    - dovecot-lmtpd
    - dovecot-ldap
    - dovecot-managesieved
    - dovecot-sieve
    - mailman3-full
    - python3-psycopg2
    - postgresql
    - postfix
    - postsrsd
    - redis-server
    - redis-tools
    - rspamd

- name: Create vmail group
  group: name=vmail gid=500 state=present

- name: Create vmail user
  user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present

- name: Create dovecot ssl directory
  file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot

- name: Create dovecot log directory
  file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail

- name: Create vmail sieve directory
  file: path=/var/vmail/.sieve state=directory mode=0755 owner=vmail group=vmail

- name: Create vmail sieve-bin directory
  file: path=/var/vmail/.sieve/bin state=directory mode=0755 owner=vmail group=vmail

- name: Configure redis
  copy: src=redis.conf dest=/etc/redis/redis.conf
  notify: Restart redis

- name: Copy static rspamd config
  copy: src={{ item }} dest=/etc/rspamd/local.d/
  notify: Restart rspamd
  with_fileglob: "rspamd/local.d/*"

- name: Render rspamd config templates
  template: src=rspamd/local.d/{{ item }}.j2 dest=/etc/rspamd/local.d/{{ item }}
  notify: Restart rspamd
  with_items:
  - options.inc
  - settings.conf
  - arc.conf
  - dkim_signing.conf

- name: Copy spam learn/unlearn sieve and shell scripts
  copy: src=dovecot/{{ item }} dest=/var/vmail/.sieve/{{ item }}
  with_items:
  - bin/learn-spam.sh
  - bin/learn-ham.sh
  - move-spam.sieve
  - report-spam.sieve
  - report-ham.sieve

- name: Configure dovecot
  template: src={{ item }}.j2 dest=/etc/{{ item }}
  with_items:
  - dovecot/dovecot-ldap.conf.ext
  - dovecot/dovecot-ldap.conf.lmtp
  - dovecot/local.conf
  notify: Restart dovecot

- name: Compile sieve scripts
  shell: sievec /var/vmail/.sieve/{{ item|basename }}
  with_items:
  - move-spam.sieve
  - report-spam.sieve
  - report-ham.sieve

- name: Ensure learn scripts are executable
  file: mode=0755 path=/var/vmail/.sieve/bin/{{ item }}
  with_items:
  - learn-spam.sh
  - learn-ham.sh

- name: Ensure dovecot certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt
  notify: Restart dovecot

- name: Ensure correct dovecot certificate permissions
  file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=dovecot mode=0400
  notify: Restart dovecot

- name: Configure mailman vhost
  template: src=nginx/vhost.j2 dest=/etc/nginx/sites-available/mailman
  notify: Restart nginx

- name: Enable mailman vhost
  file: src=/etc/nginx/sites-available/mailman dest=/etc/nginx/sites-enabled/mailman state=link
  notify: Restart nginx

- name: Ensure mailman certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt
  notify: Restart nginx

- name: Ensure correct mailman certificate permissions
  file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
  notify: Restart nginx

- name: Configure PostgreSQL database for mailman3
  postgresql_db: name={{ mailman3_dbname }}
  become: true
  become_user: postgres

- name: Configure PostgreSQL user
  postgresql_user: db={{ mailman3_dbname }} name={{ mailman3_dbuser }} password={{ mailman3_dbpass }} priv=ALL state=present
  become: true
  become_user: postgres

- name: Configure PostgreSQL database for mailman3-web
  postgresql_db: name={{ mailman3web_dbname }} owner={{ mailman3_dbuser }}
  become: true
  become_user: postgres
  register: mailman_createdb

- name: Configure mailman3
  template: src=mailman/mailman.cfg.j2 dest=/etc/mailman3/mailman.cfg
  notify: Restart mailman3

- name: Configure mailman3 hyperkitty plugin
  template: src=mailman/mailman-hyperkitty.cfg.j2 dest=/etc/mailman3/mailman-hyperkitty.cfg
  notify: Restart mailman3

- name: Configure mailman3-web
  template: src=mailman/mailman-web.py.j2 dest=/etc/mailman3/mailman-web.py
  notify: Restart mailman3web

- name: Configure mailman3-web uwsgi
  copy: src=mailman/uwsgi.ini dest=/etc/mailman3/uwsgi.ini
  notify: Restart mailman3web

- name: Run mailman3-web migration script
  command:
    cmd: ./manage.py migrate
    chdir: /usr/share/mailman3-web
  when: mailman_createdb.changed

- name: Create postfix ssl directory
  file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix

- name: Configure postfix
  template: src={{ item }}.j2 dest=/etc/{{ item }}
  with_items:
  - postfix/main.cf
  - postfix/master.cf
  notify: Restart postfix

- name: Configure postsrsd
  template: src={{ item }}.j2 dest=/etc/{{ item }}
  with_items:
  - default/postsrsd
  - postsrsd.secret
  notify: Restart postsrsd

- name: Configure postfix maps
  template: src={{ item }}.j2 dest=/etc/{{ item }}
  with_items:
  - postfix/helo_access
  - postfix/virtual-alias
  notify: Run postmap

- name: Ensure postfix chroot has an up2date ca-certificates.crt file
  copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt

- name: Ensure postfix certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
  notify: Restart postfix

- name: Ensure correct postfix certificate permissions
  file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400
  notify: Restart postfix

- name: Configure certificate manager
  template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf
  notify: Run acertmgr

- name: Configure certificate manager for mailman
  template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf
  notify: Run acertmgr

- name: Start dovecot
  service: name=dovecot state=started enabled=yes

- name: Start postfix
  service: name=postfix state=started enabled=yes

- name: Start postsrsd
  service: name=postfix state=started enabled=yes

- name: Start redis
  service: name=redis-server state=started enabled=yes

- name: Start rspamd
  service: name=rspamd state=started enabled=yes

- name: Start mailman3
  service: name=mailman3 state=started enabled=yes
Add very basic and incomplete mail role. 2016-01-25 19:21:36 +01:00			`---`
cleanup roles 2019-07-23 12:00:59 +02:00
mail: cleanup 2019-09-17 13:29:59 +02:00			`- name: add rspamd apt key`
cleanup roles 2019-07-23 12:00:59 +02:00			`apt_key: url="https://rspamd.com/apt-stable/gpg.key"`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00
			`- name: add rspamd repository`
cleanup roles 2019-07-23 12:00:59 +02:00			`apt_repository: repo="deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"`
Add very basic and incomplete mail role. 2016-01-25 19:21:36 +01:00
			`- name: Install packages`
mail: use list instead of with_items 2020-11-13 18:24:23 +01:00			`apt:`
			`name:`
			`- bsd-mailx`
mail: install clamav 2023-11-07 16:49:34 +01:00			`- clamav-daemon`
mail: use list instead of with_items 2020-11-13 18:24:23 +01:00			`- dovecot-core`
			`- dovecot-imapd`
			`- dovecot-lmtpd`
			`- dovecot-ldap`
			`- dovecot-managesieved`
			`- dovecot-sieve`
mail: Setup postfix up for mailman3 2020-02-29 19:09:37 +01:00			`- mailman3-full`
mail: Use postgresql for mailman3 2020-02-29 20:23:56 +01:00			`- python3-psycopg2`
mail: Setup postfix up for mailman3 2020-02-29 19:09:37 +01:00			`- postgresql`
mail: use list instead of with_items 2020-11-13 18:24:23 +01:00			`- postfix`
			`- postsrsd`
			`- redis-server`
			`- redis-tools`
			`- rspamd`
Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00
			`- name: Create vmail group`
			`group: name=vmail gid=500 state=present`

			`- name: Create vmail user`
Create dovecot log dir and fix vmail user for mail role. 2016-02-15 23:48:24 +01:00			`user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present`
Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00
Create dovecot log dir and fix vmail user for mail role. 2016-02-15 23:48:24 +01:00			`- name: Create dovecot ssl directory`
			`file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot`

			`- name: Create dovecot log directory`
Fix ownership of /var/log/dovecot. 2016-02-23 14:56:18 +01:00			`file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail`
Create dovecot log dir and fix vmail user for mail role. 2016-02-15 23:48:24 +01:00
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00			`- name: Create vmail sieve directory`
mail: fix sieve path name and permissions 2020-05-20 08:35:44 +02:00			`file: path=/var/vmail/.sieve state=directory mode=0755 owner=vmail group=vmail`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00
			`- name: Create vmail sieve-bin directory`
mail: fix sieve path name and permissions 2020-05-20 08:35:44 +02:00			`file: path=/var/vmail/.sieve/bin state=directory mode=0755 owner=vmail group=vmail`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00
cleanup roles 2019-07-23 12:00:59 +02:00			`- name: Configure redis`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00			`copy: src=redis.conf dest=/etc/redis/redis.conf`
			`notify: Restart redis`

			`- name: Copy static rspamd config`
			`copy: src={{ item }} dest=/etc/rspamd/local.d/`
			`notify: Restart rspamd`
			`with_fileglob: "rspamd/local.d/*"`

			`- name: Render rspamd config templates`
			`template: src=rspamd/local.d/{{ item }}.j2 dest=/etc/rspamd/local.d/{{ item }}`
			`notify: Restart rspamd`
cleanup roles 2019-07-23 12:00:59 +02:00			`with_items:`
			`- options.inc`
mail: disable rspamd actions for mail from localhost 2019-07-24 10:11:38 +02:00			`- settings.conf`
cleanup roles 2019-07-23 12:00:59 +02:00			`- arc.conf`
			`- dkim_signing.conf`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00
			`- name: Copy spam learn/unlearn sieve and shell scripts`
			`copy: src=dovecot/{{ item }} dest=/var/vmail/.sieve/{{ item }}`
			`with_items:`
			`- bin/learn-spam.sh`
			`- bin/learn-ham.sh`
			`- move-spam.sieve`
			`- report-spam.sieve`
			`- report-ham.sieve`

Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00			`- name: Configure dovecot`
			`template: src={{ item }}.j2 dest=/etc/{{ item }}`
			`with_items:`
			`- dovecot/dovecot-ldap.conf.ext`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00			`- dovecot/dovecot-ldap.conf.lmtp`
Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00			`- dovecot/local.conf`
			`notify: Restart dovecot`

mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00			`- name: Compile sieve scripts`
			`shell: sievec /var/vmail/.sieve/{{ item\|basename }}`
			`with_items:`
			`- move-spam.sieve`
			`- report-spam.sieve`
			`- report-ham.sieve`

			`- name: Ensure learn scripts are executable`
mail: fix sieve path name and permissions 2020-05-20 08:35:44 +02:00			`file: mode=0755 path=/var/vmail/.sieve/bin/{{ item }}`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00			`with_items:`
			`- learn-spam.sh`
			`- learn-ham.sh`

Cleanup mail role. 2016-04-06 22:58:54 +02:00			`- name: Ensure dovecot certificates are available`
			`command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt`
			`notify: Restart dovecot`

			`- name: Ensure correct dovecot certificate permissions`
Adjust mail role to reality (now with working fcgi). 2016-04-08 20:00:21 +02:00			`file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=dovecot mode=0400`
Cleanup mail role. 2016-04-06 22:58:54 +02:00			`notify: Restart dovecot`

Configure mailman vhost. 2016-02-29 21:29:44 +01:00			`- name: Configure mailman vhost`
Fix mailman vhost. 2016-02-29 21:55:12 +01:00			`template: src=nginx/vhost.j2 dest=/etc/nginx/sites-available/mailman`
Configure mailman vhost. 2016-02-29 21:29:44 +01:00			`notify: Restart nginx`

			`- name: Enable mailman vhost`
			`file: src=/etc/nginx/sites-available/mailman dest=/etc/nginx/sites-enabled/mailman state=link`
			`notify: Restart nginx`

Cleanup mail role. 2016-04-06 22:58:54 +02:00			`- name: Ensure mailman certificates are available`
			`command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt`
			`notify: Restart nginx`

			`- name: Ensure correct mailman certificate permissions`
			`file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400`
			`notify: Restart nginx`

Setup mailman3-web configuration 2021-11-25 15:43:36 +01:00			`- name: Configure PostgreSQL database for mailman3`
mail: Use postgresql for mailman3 2020-02-29 20:23:56 +01:00			`postgresql_db: name={{ mailman3_dbname }}`
			`become: true`
			`become_user: postgres`

			`- name: Configure PostgreSQL user`
			`postgresql_user: db={{ mailman3_dbname }} name={{ mailman3_dbuser }} password={{ mailman3_dbpass }} priv=ALL state=present`
			`become: true`
			`become_user: postgres`

Setup mailman3-web configuration 2021-11-25 15:43:36 +01:00			`- name: Configure PostgreSQL database for mailman3-web`
mail: fix typos 2021-11-25 16:10:34 +01:00			`postgresql_db: name={{ mailman3web_dbname }} owner={{ mailman3_dbuser }}`
Setup mailman3-web configuration 2021-11-25 15:43:36 +01:00			`become: true`
			`become_user: postgres`
mail: run migration script after creating db 2021-11-25 17:56:19 +01:00			`register: mailman_createdb`
Setup mailman3-web configuration 2021-11-25 15:43:36 +01:00
mail: Use postgresql for mailman3 2020-02-29 20:23:56 +01:00			`- name: Configure mailman3`
			`template: src=mailman/mailman.cfg.j2 dest=/etc/mailman3/mailman.cfg`
			`notify: Restart mailman3`

mail: Add mailman3 hyperkitty archiver config 2022-05-11 15:18:00 +02:00			`- name: Configure mailman3 hyperkitty plugin`
			`template: src=mailman/mailman-hyperkitty.cfg.j2 dest=/etc/mailman3/mailman-hyperkitty.cfg`
			`notify: Restart mailman3`

Setup mailman3-web configuration 2021-11-25 15:43:36 +01:00			`- name: Configure mailman3-web`
			`template: src=mailman/mailman-web.py.j2 dest=/etc/mailman3/mailman-web.py`
			`notify: Restart mailman3web`

Serve mailman3 on lists.binary-kitchen.de/mailman3/ 2021-12-02 14:28:26 +01:00			`- name: Configure mailman3-web uwsgi`
			`copy: src=mailman/uwsgi.ini dest=/etc/mailman3/uwsgi.ini`
			`notify: Restart mailman3web`

mail: run migration script after creating db 2021-11-25 17:56:19 +01:00			`- name: Run mailman3-web migration script`
			`command:`
			`cmd: ./manage.py migrate`
			`chdir: /usr/share/mailman3-web`
			`when: mailman_createdb.changed`

Create dovecot log dir and fix vmail user for mail role. 2016-02-15 23:48:24 +01:00			`- name: Create postfix ssl directory`
			`file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix`

Add very basic and incomplete mail role. 2016-01-25 19:21:36 +01:00			`- name: Configure postfix`
Run postmap after relevant files have changed. 2016-02-22 18:07:24 +01:00			`template: src={{ item }}.j2 dest=/etc/{{ item }}`
			`with_items:`
			`- postfix/main.cf`
			`- postfix/master.cf`
			`notify: Restart postfix`

mail: add postsrsd to stop breaking forwards for SPF domains 2019-07-23 15:53:52 +02:00			`- name: Configure postsrsd`
			`template: src={{ item }}.j2 dest=/etc/{{ item }}`
			`with_items:`
			`- default/postsrsd`
			`- postsrsd.secret`
			`notify: Restart postsrsd`

Run postmap after relevant files have changed. 2016-02-22 18:07:24 +01:00			`- name: Configure postfix maps`
Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00			`template: src={{ item }}.j2 dest=/etc/{{ item }}`
Add very basic mail role. 2016-02-01 20:52:34 +01:00			`with_items:`
Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00			`- postfix/helo_access`
Run postmap after relevant files have changed. 2016-02-22 18:07:24 +01:00			`- postfix/virtual-alias`
			`notify: Run postmap`
Add very basic and incomplete mail role. 2016-01-25 19:21:36 +01:00
Change BKCA to a system CA for migration to Let's Encrypt 2018-09-20 18:30:42 +02:00			`- name: Ensure postfix chroot has an up2date ca-certificates.crt file`
			`copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt`
Fix problems related to postfix running ldap maps in chroot. 2016-04-06 22:40:38 +02:00
Fix mail-related certificate handling. 2016-04-01 08:10:00 +02:00			`- name: Ensure postfix certificates are available`
			`command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt`
			`notify: Restart postfix`

			`- name: Ensure correct postfix certificate permissions`
Adjust mail role to reality (now with working fcgi). 2016-04-08 20:00:21 +02:00			`file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400`
Fix mail-related certificate handling. 2016-04-01 08:10:00 +02:00			`notify: Restart postfix`

Cleanup mail role. 2016-04-06 22:58:54 +02:00			`- name: Configure certificate manager`
acertmgr: migrate from legacy paths 2019-05-20 19:49:08 +02:00			`template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf`
acertmgr: rename from certmgr, run on config change 2019-02-23 23:54:24 +01:00			`notify: Run acertmgr`
Cleanup mail role. 2016-04-06 22:58:54 +02:00
			`- name: Configure certificate manager for mailman`
acertmgr: migrate from legacy paths 2019-05-20 19:49:08 +02:00			`template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf`
acertmgr: rename from certmgr, run on config change 2019-02-23 23:54:24 +01:00			`notify: Run acertmgr`
Add config files and extend tasks for mail role. 2016-02-15 21:04:01 +01:00
Add very basic and incomplete mail role. 2016-01-25 19:21:36 +01:00			`- name: Start dovecot`
			`service: name=dovecot state=started enabled=yes`

			`- name: Start postfix`
			`service: name=postfix state=started enabled=yes`
Add very basic mail role. 2016-02-01 20:52:34 +01:00
mail: add postsrsd to stop breaking forwards for SPF domains 2019-07-23 15:53:52 +02:00			`- name: Start postsrsd`
			`service: name=postfix state=started enabled=yes`

mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00			`- name: Start redis`
mail: fix redis config 2019-07-23 17:23:14 +02:00			`service: name=redis-server state=started enabled=yes`
mail: use rspamd with automatic learning using sieve + managesieve 2019-07-15 19:00:23 +02:00
			`- name: Start rspamd`
			`service: name=rspamd state=started enabled=yes`
mail: Use postgresql for mailman3 2020-02-29 20:23:56 +01:00
			`- name: Start mailman3`
			`service: name=mailman3 state=started enabled=yes`