forked from infra/ansible
mail: use rspamd with automatic learning using sieve + managesieve
This commit is contained in:
parent
4b1952a6e0
commit
884bbbfbae
@ -1,34 +0,0 @@
|
|||||||
# /etc/default/spamassassin
|
|
||||||
# Duncan Findlay
|
|
||||||
|
|
||||||
# WARNING: please read README.spamd before using.
|
|
||||||
# There may be security risks.
|
|
||||||
|
|
||||||
# If you're using systemd (default for jessie), the ENABLED setting is
|
|
||||||
# not used. Instead, enable spamd by issuing:
|
|
||||||
# systemctl enable spamassassin.service
|
|
||||||
# Change to "1" to enable spamd on systems using sysvinit:
|
|
||||||
ENABLED=0
|
|
||||||
|
|
||||||
# Options
|
|
||||||
# See man spamd for possible options. The -d option is automatically added.
|
|
||||||
|
|
||||||
# SpamAssassin uses a preforking model, so be careful! You need to
|
|
||||||
# make sure --max-children is not set to anything higher than 5,
|
|
||||||
# unless you know what you're doing.
|
|
||||||
|
|
||||||
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
|
|
||||||
|
|
||||||
# Pid file
|
|
||||||
# Where should spamd write its PID to file? If you use the -u or
|
|
||||||
# --username option above, this needs to be writable by that user.
|
|
||||||
# Otherwise, the init script will not be able to shut spamd down.
|
|
||||||
PIDFILE="/var/run/spamd.pid"
|
|
||||||
|
|
||||||
# Set nice level of spamd
|
|
||||||
#NICE="--nicelevel 15"
|
|
||||||
|
|
||||||
# Cronjob
|
|
||||||
# Set to anything but 0 to enable the cron job to automatically update
|
|
||||||
# spamassassin's rules on a nightly basis
|
|
||||||
CRON=1
|
|
2
roles/mail/files/dovecot/bin/learn-ham.sh
Executable file
2
roles/mail/files/dovecot/bin/learn-ham.sh
Executable file
@ -0,0 +1,2 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
exec /usr/bin/rspamc learn_ham
|
2
roles/mail/files/dovecot/bin/learn-spam.sh
Executable file
2
roles/mail/files/dovecot/bin/learn-spam.sh
Executable file
@ -0,0 +1,2 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
exec /usr/bin/rspamc learn_spam
|
5
roles/mail/files/dovecot/move-spam.sieve
Normal file
5
roles/mail/files/dovecot/move-spam.sieve
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
require ["fileinto","mailbox"];
|
||||||
|
|
||||||
|
if header :contains "X-Spam" "Yes" {
|
||||||
|
fileinto "Junk";
|
||||||
|
}
|
2
roles/mail/files/dovecot/report-ham.sieve
Normal file
2
roles/mail/files/dovecot/report-ham.sieve
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
|
||||||
|
pipe :copy ".learn-ham.sh";
|
2
roles/mail/files/dovecot/report-spam.sieve
Normal file
2
roles/mail/files/dovecot/report-spam.sieve
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
|
||||||
|
pipe :copy ".learn-spam.sh";
|
@ -1,14 +0,0 @@
|
|||||||
# For a fully commented sample config file see policyd-spf.conf.commented
|
|
||||||
|
|
||||||
debugLevel = 1
|
|
||||||
defaultSeedOnly = 1
|
|
||||||
|
|
||||||
HELO_reject = No_Check
|
|
||||||
Mail_From_reject = False
|
|
||||||
|
|
||||||
Mail_From_pass_restriction = OK
|
|
||||||
|
|
||||||
PermError_reject = False
|
|
||||||
TempError_Defer = False
|
|
||||||
|
|
||||||
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1/128
|
|
60
roles/mail/files/redis.conf
Normal file
60
roles/mail/files/redis.conf
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
bind 127.0.0.1 ::1
|
||||||
|
protected-mode yes
|
||||||
|
port 6379
|
||||||
|
tcp-backlog 511
|
||||||
|
timeout 0
|
||||||
|
tcp-keepalive 300
|
||||||
|
daemonize yes
|
||||||
|
supervised no
|
||||||
|
pidfile /var/run/redis/redis-server.pid
|
||||||
|
loglevel notice
|
||||||
|
logfile /var/log/redis/redis-server.log
|
||||||
|
databases 16
|
||||||
|
always-show-logo yes
|
||||||
|
save 900 1
|
||||||
|
save 300 10
|
||||||
|
save 60 10000
|
||||||
|
stop-writes-on-bgsave-error yes
|
||||||
|
rdbcompression yes
|
||||||
|
rdbchecksum yes
|
||||||
|
dbfilename dump.rdb
|
||||||
|
dir /var/lib/redis
|
||||||
|
slave-serve-stale-data yes
|
||||||
|
slave-read-only yes
|
||||||
|
repl-diskless-sync no
|
||||||
|
repl-diskless-sync-delay 5
|
||||||
|
repl-disable-tcp-nodelay no
|
||||||
|
slave-priority 100
|
||||||
|
maxmemory 500mb
|
||||||
|
maxmemory-policy volatile-lru
|
||||||
|
lazyfree-lazy-eviction no
|
||||||
|
lazyfree-lazy-expire no
|
||||||
|
lazyfree-lazy-server-del no
|
||||||
|
slave-lazy-flush no
|
||||||
|
appendonly yes
|
||||||
|
appendfilename "appendonly.aof"
|
||||||
|
appendfsync everysec
|
||||||
|
no-appendfsync-on-rewrite no
|
||||||
|
auto-aof-rewrite-percentage 100
|
||||||
|
auto-aof-rewrite-min-size 64mb
|
||||||
|
aof-load-truncated yes
|
||||||
|
aof-use-rdb-preamble no
|
||||||
|
lua-time-limit 5000
|
||||||
|
slowlog-log-slower-than 10000
|
||||||
|
slowlog-max-len 128
|
||||||
|
latency-monitor-threshold 0
|
||||||
|
notify-keyspace-events ""
|
||||||
|
hash-max-ziplist-entries 512
|
||||||
|
hash-max-ziplist-value 64
|
||||||
|
list-max-ziplist-size -2
|
||||||
|
list-compress-depth 0
|
||||||
|
set-max-intset-entries 512
|
||||||
|
zset-max-ziplist-entries 128
|
||||||
|
zset-max-ziplist-value 64
|
||||||
|
hll-sparse-max-bytes 3000
|
||||||
|
activerehashing yes
|
||||||
|
client-output-buffer-limit normal 0 0 0
|
||||||
|
client-output-buffer-limit slave 256mb 64mb 60
|
||||||
|
client-output-buffer-limit pubsub 32mb 8mb 60
|
||||||
|
hz 10
|
||||||
|
aof-rewrite-incremental-fsync yes
|
9
roles/mail/files/rspamd/local.d/antivirus.conf
Normal file
9
roles/mail/files/rspamd/local.d/antivirus.conf
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
clamav {
|
||||||
|
servers = "/var/run/clamav/clamd.ctl";
|
||||||
|
symbol = "CLAMAV_VIRUS";
|
||||||
|
attachments_only = false;
|
||||||
|
patterns {
|
||||||
|
JUST_EICAR = nan; #Disable EICAR handling
|
||||||
|
}
|
||||||
|
action = "reject";
|
||||||
|
}
|
3
roles/mail/files/rspamd/local.d/classifier-bayes.conf
Normal file
3
roles/mail/files/rspamd/local.d/classifier-bayes.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
backend = "redis";
|
||||||
|
new_schema = true;
|
||||||
|
expire = 8640000;
|
2
roles/mail/files/rspamd/local.d/greylist.conf
Normal file
2
roles/mail/files/rspamd/local.d/greylist.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
expire=30d;
|
||||||
|
timeout=120s;
|
4
roles/mail/files/rspamd/local.d/logging.inc
Normal file
4
roles/mail/files/rspamd/local.d/logging.inc
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
type = "file";
|
||||||
|
filename = "/var/log/rspamd/rspamd.log";
|
||||||
|
level = "notice";
|
||||||
|
debug_modules = ["antivirus","dkim_signing","arc","greylist","fuzzy_check"];
|
2
roles/mail/files/rspamd/local.d/milter_headers.conf
Normal file
2
roles/mail/files/rspamd/local.d/milter_headers.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
use = ["authentication-results","x-spam-status","x-spam-level","x-spamd-bar", "x-spamd-result", "x-rspamd-server","x-rspamd-queue-id"];
|
||||||
|
authenticated_headers = ["authentication-results"];
|
14
roles/mail/files/rspamd/local.d/rbl.conf
Normal file
14
roles/mail/files/rspamd/local.d/rbl.conf
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
rbls {
|
||||||
|
nixspam {
|
||||||
|
symbol = "RBL_NIXSPAM";
|
||||||
|
rbl = "ix.dnsbl.manitu.net";
|
||||||
|
ipv4 = true;
|
||||||
|
ipv6 = true;
|
||||||
|
}
|
||||||
|
gbudb {
|
||||||
|
symbol = "RBL_GBUDB";
|
||||||
|
rbl = "truncate.gbudb.net";
|
||||||
|
ipv4 = true;
|
||||||
|
ipv6 = true;
|
||||||
|
}
|
||||||
|
}
|
10
roles/mail/files/rspamd/local.d/rbl_group.conf
Normal file
10
roles/mail/files/rspamd/local.d/rbl_group.conf
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
symbols = {
|
||||||
|
"RBL_GBUDB" {
|
||||||
|
weight = 4.0;
|
||||||
|
description = "From address is listed in GBUDB BL";
|
||||||
|
}
|
||||||
|
"RBL_NIXSPAM" {
|
||||||
|
weight = 4.0;
|
||||||
|
description = "From address is listed in NIXSPAM BL";
|
||||||
|
}
|
||||||
|
}
|
2
roles/mail/files/rspamd/local.d/redis.conf
Normal file
2
roles/mail/files/rspamd/local.d/redis.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
write_servers = "127.0.0.1";
|
||||||
|
read_servers = "127.0.0.1";
|
3
roles/mail/files/rspamd/local.d/worker-controller.inc
Normal file
3
roles/mail/files/rspamd/local.d/worker-controller.inc
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
password = "$2$tgahjcep7dkczanwry7hnyozswpbi9fx$f6acdtn47w35sek85znopneeko7fp8gmamnxxaf31ryo18dp333y";
|
||||||
|
enable_password = "$2$tgahjcep7dkczanwry7hnyozswpbi9fx$f6acdtn47w35sek85znopneeko7fp8gmamnxxaf31ryo18dp333y";
|
||||||
|
bind_socket = "localhost:11334";
|
2
roles/mail/files/rspamd/local.d/worker-normal.inc
Normal file
2
roles/mail/files/rspamd/local.d/worker-normal.inc
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
bind_socket = "localhost:11333";
|
||||||
|
count = 1;
|
7
roles/mail/files/rspamd/local.d/worker-proxy.inc
Normal file
7
roles/mail/files/rspamd/local.d/worker-proxy.inc
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
bind_socket = "localhost:11332";
|
||||||
|
milter = yes;
|
||||||
|
timeout = 120s;
|
||||||
|
upstream "local" {
|
||||||
|
default = yes;
|
||||||
|
self_scan = yes;
|
||||||
|
}
|
@ -1,8 +1,4 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Restart amavis
|
|
||||||
service: name=amavis state=restarted
|
|
||||||
|
|
||||||
- name: Restart dovecot
|
- name: Restart dovecot
|
||||||
service: name=dovecot state=restarted
|
service: name=dovecot state=restarted
|
||||||
|
|
||||||
@ -12,8 +8,11 @@
|
|||||||
- name: Restart postfix
|
- name: Restart postfix
|
||||||
service: name=postfix state=restarted
|
service: name=postfix state=restarted
|
||||||
|
|
||||||
- name: Restart postgrey
|
- name: Restart redis
|
||||||
service: name=postgrey state=restarted
|
service: name=redis state=restarted
|
||||||
|
|
||||||
|
- name: Restart rspamd
|
||||||
|
service: name=rspamd state=restarted
|
||||||
|
|
||||||
- name: Run acertmgr
|
- name: Run acertmgr
|
||||||
command: /opt/acertmgr/acertmgr.py
|
command: /opt/acertmgr/acertmgr.py
|
||||||
|
@ -1,4 +1,13 @@
|
|||||||
---
|
---
|
||||||
|
- name: add an apt rspamd key
|
||||||
|
apt_key:
|
||||||
|
url: https://rspamd.com/apt-stable/gpg.key
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: add rspamd repository
|
||||||
|
apt_repository:
|
||||||
|
repo: deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
apt: name={{ item }}
|
apt: name={{ item }}
|
||||||
@ -7,18 +16,16 @@
|
|||||||
- bsd-mailx
|
- bsd-mailx
|
||||||
- dovecot-core
|
- dovecot-core
|
||||||
- dovecot-imapd
|
- dovecot-imapd
|
||||||
|
- dovecot-lmtpd
|
||||||
- dovecot-ldap
|
- dovecot-ldap
|
||||||
- dovecot-managesieved
|
- dovecot-managesieved
|
||||||
- dovecot-sieve
|
- dovecot-sieve
|
||||||
- fcgiwrap
|
- fcgiwrap
|
||||||
- mailman
|
- mailman
|
||||||
- postfix
|
- postfix
|
||||||
- postfix-ldap
|
- redis-server
|
||||||
- postfix-policyd-spf-python
|
- redis-tools
|
||||||
- postgrey
|
- rspamd
|
||||||
- pyzor
|
|
||||||
- razor
|
|
||||||
- spamassassin
|
|
||||||
|
|
||||||
- name: Create vmail group
|
- name: Create vmail group
|
||||||
group: name=vmail gid=500 state=present
|
group: name=vmail gid=500 state=present
|
||||||
@ -26,26 +33,65 @@
|
|||||||
- name: Create vmail user
|
- name: Create vmail user
|
||||||
user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
|
user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
|
||||||
|
|
||||||
- name: Configure amavis
|
|
||||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
|
||||||
with_items:
|
|
||||||
- amavis/conf.d/15-content_filter_mode
|
|
||||||
- amavis/conf.d/50-user
|
|
||||||
notify: Restart amavis
|
|
||||||
|
|
||||||
- name: Create dovecot ssl directory
|
- name: Create dovecot ssl directory
|
||||||
file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
|
file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
|
||||||
|
|
||||||
- name: Create dovecot log directory
|
- name: Create dovecot log directory
|
||||||
file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail
|
file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail
|
||||||
|
|
||||||
|
- name: Create vmail sieve directory
|
||||||
|
file: path=/var/vmail/.sieve state=directory mode=0750 owner=vmail group=vmail
|
||||||
|
|
||||||
|
- name: Create vmail sieve-bin directory
|
||||||
|
file: path=/var/vmail/.sieve/bin state=directory mode=0750 owner=vmail group=vmail
|
||||||
|
|
||||||
|
- name: Copy redis config
|
||||||
|
copy: src=redis.conf dest=/etc/redis/redis.conf
|
||||||
|
notify: Restart redis
|
||||||
|
|
||||||
|
- name: Copy static rspamd config
|
||||||
|
copy: src={{ item }} dest=/etc/rspamd/local.d/
|
||||||
|
notify: Restart rspamd
|
||||||
|
with_fileglob: "rspamd/local.d/*"
|
||||||
|
|
||||||
|
- name: Render rspamd config templates
|
||||||
|
template: src=rspamd/local.d/{{ item }}.j2 dest=/etc/rspamd/local.d/{{ item }}
|
||||||
|
notify: Restart rspamd
|
||||||
|
loop:
|
||||||
|
- "options.inc"
|
||||||
|
- "arc.conf"
|
||||||
|
- "dkim_signing.conf"
|
||||||
|
|
||||||
|
- name: Copy spam learn/unlearn sieve and shell scripts
|
||||||
|
copy: src=dovecot/{{ item }} dest=/var/vmail/.sieve/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- bin/learn-spam.sh
|
||||||
|
- bin/learn-ham.sh
|
||||||
|
- move-spam.sieve
|
||||||
|
- report-spam.sieve
|
||||||
|
- report-ham.sieve
|
||||||
|
|
||||||
- name: Configure dovecot
|
- name: Configure dovecot
|
||||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- dovecot/dovecot-ldap.conf.ext
|
- dovecot/dovecot-ldap.conf.ext
|
||||||
|
- dovecot/dovecot-ldap.conf.lmtp
|
||||||
- dovecot/local.conf
|
- dovecot/local.conf
|
||||||
notify: Restart dovecot
|
notify: Restart dovecot
|
||||||
|
|
||||||
|
- name: Compile sieve scripts
|
||||||
|
shell: sievec /var/vmail/.sieve/{{ item|basename }}
|
||||||
|
with_items:
|
||||||
|
- move-spam.sieve
|
||||||
|
- report-spam.sieve
|
||||||
|
- report-ham.sieve
|
||||||
|
|
||||||
|
- name: Ensure learn scripts are executable
|
||||||
|
file: mode=0750 path=/var/vmail/.sieve/bin/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- learn-spam.sh
|
||||||
|
- learn-ham.sh
|
||||||
|
|
||||||
- name: Configure logrotate for dovecot
|
- name: Configure logrotate for dovecot
|
||||||
copy: src=logrotate.d/dovecot dest=/etc/logrotate.d/dovecot
|
copy: src=logrotate.d/dovecot dest=/etc/logrotate.d/dovecot
|
||||||
|
|
||||||
@ -79,11 +125,6 @@
|
|||||||
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
|
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Configure policyd
|
|
||||||
copy: src={{ item }} dest=/etc/{{ item }}
|
|
||||||
with_items:
|
|
||||||
- postfix-policyd-spf-python/policyd-spf.conf
|
|
||||||
|
|
||||||
- name: Create postfix ssl directory
|
- name: Create postfix ssl directory
|
||||||
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
|
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
|
||||||
|
|
||||||
@ -98,9 +139,6 @@
|
|||||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- postfix/helo_access
|
- postfix/helo_access
|
||||||
- postfix/ldap-aliases.cf
|
|
||||||
- postfix/ldap-virtual-maps.cf
|
|
||||||
- postfix/recipient_access
|
|
||||||
- postfix/transport
|
- postfix/transport
|
||||||
- postfix/virtual-alias
|
- postfix/virtual-alias
|
||||||
notify: Run postmap
|
notify: Run postmap
|
||||||
@ -116,32 +154,6 @@
|
|||||||
file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400
|
file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400
|
||||||
notify: Restart postfix
|
notify: Restart postfix
|
||||||
|
|
||||||
- name: Create razor directory structure
|
|
||||||
command: razor-admin -create chdir=/var/lib/amavis creates=/var/lib/amavis/.razor
|
|
||||||
become: yes
|
|
||||||
become_user: amavis
|
|
||||||
|
|
||||||
- name: Register razor
|
|
||||||
command: razor-admin -register chdir=/var/lib/amavis creates=/var/lib/amavis/.razor/identity
|
|
||||||
become: yes
|
|
||||||
become_user: amavis
|
|
||||||
|
|
||||||
- name: Download GPG key for Sought ruleset
|
|
||||||
get_url: url=http://yerp.org/rules/GPG.KEY dest=/etc/spamassassin/sought.key
|
|
||||||
|
|
||||||
- name: Import GPG key for Sought ruleset
|
|
||||||
become: yes
|
|
||||||
become_user: debian-spamd
|
|
||||||
shell: sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys --import /etc/spamassassin/sought.key && touch sought.imported chdir=/var/lib/spamassassin creates=sought.imported
|
|
||||||
|
|
||||||
- name: Enable sa-update cron-job
|
|
||||||
cron: name=sa-update minute="0" hour="*/6" job="/usr/bin/sa-update -v --gpghomedir /var/lib/spamassassin/sa-update-keys --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org"
|
|
||||||
|
|
||||||
- name: Enable spamd cron-job
|
|
||||||
copy: src={{ item }} dest=/etc/{{ item }}
|
|
||||||
with_items:
|
|
||||||
- default/spamassassin
|
|
||||||
|
|
||||||
- name: Configure certificate manager
|
- name: Configure certificate manager
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf
|
template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf
|
||||||
notify: Run acertmgr
|
notify: Run acertmgr
|
||||||
@ -150,10 +162,6 @@
|
|||||||
template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf
|
template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf
|
||||||
notify: Run acertmgr
|
notify: Run acertmgr
|
||||||
|
|
||||||
- name: Start amavis
|
|
||||||
service: name=amavis state=started enabled=yes
|
|
||||||
tags: mail
|
|
||||||
|
|
||||||
- name: Start dovecot
|
- name: Start dovecot
|
||||||
service: name=dovecot state=started enabled=yes
|
service: name=dovecot state=started enabled=yes
|
||||||
tags: mail
|
tags: mail
|
||||||
@ -166,6 +174,10 @@
|
|||||||
service: name=postfix state=started enabled=yes
|
service: name=postfix state=started enabled=yes
|
||||||
tags: mail
|
tags: mail
|
||||||
|
|
||||||
- name: Start postgrey
|
- name: Start redis
|
||||||
service: name=postgrey state=started enabled=yes
|
service: name=rspamd state=started enabled=yes
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Start rspamd
|
||||||
|
service: name=rspamd state=started enabled=yes
|
||||||
tags: mail
|
tags: mail
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
use strict;
|
|
||||||
|
|
||||||
# You can modify this file to re-enable SPAM checking through spamassassin
|
|
||||||
# and to re-enable antivirus checking.
|
|
||||||
|
|
||||||
#
|
|
||||||
# Default antivirus checking mode
|
|
||||||
# Please note, that anti-virus checking is DISABLED by
|
|
||||||
# default.
|
|
||||||
# If You wish to enable it, please uncomment the following lines:
|
|
||||||
|
|
||||||
|
|
||||||
#@bypass_virus_checks_maps = (
|
|
||||||
# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Default SPAM checking mode
|
|
||||||
# Please note, that anti-spam checking is DISABLED by
|
|
||||||
# default.
|
|
||||||
# If You wish to enable it, please uncomment the following lines:
|
|
||||||
|
|
||||||
|
|
||||||
@bypass_spam_checks_maps = (
|
|
||||||
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
|
|
||||||
|
|
||||||
1; # ensure a defined return
|
|
@ -1,37 +0,0 @@
|
|||||||
use strict;
|
|
||||||
|
|
||||||
#
|
|
||||||
# Place your configuration directives here. They will override those in
|
|
||||||
# earlier files.
|
|
||||||
#
|
|
||||||
# See /usr/share/doc/amavisd-new/ for documentation and examples of
|
|
||||||
# the directives you can use in this file
|
|
||||||
#
|
|
||||||
|
|
||||||
$remove_existing_spam_headers = 1;
|
|
||||||
|
|
||||||
$sa_tag_level_deflt = undef;
|
|
||||||
$sa_tag2_level_deflt = 5.0;
|
|
||||||
$sa_kill_level_deflt = $sa_tag2_level_deflt;
|
|
||||||
$sa_spam_subject_tag = undef;
|
|
||||||
|
|
||||||
$final_virus_destiny = D_PASS;
|
|
||||||
$final_banned_destiny = D_PASS;
|
|
||||||
$final_spam_destiny = D_PASS;
|
|
||||||
$final_bad_header_destiny = D_PASS;
|
|
||||||
|
|
||||||
$virus_admin = undef;
|
|
||||||
|
|
||||||
$virus_quarantine_to = undef;
|
|
||||||
$spam_quarantine_to = undef;
|
|
||||||
|
|
||||||
$X_HEADER_LINE = "$myproduct_name at $mydomain";
|
|
||||||
|
|
||||||
@local_domains_acl = ("{{ mail_domain }}"
|
|
||||||
{%- for domain in mail_domains %}
|
|
||||||
, "{{ domain }}"
|
|
||||||
{%- endfor %}
|
|
||||||
);
|
|
||||||
|
|
||||||
#------------ Do not modify anything below this line -------------
|
|
||||||
1; # ensure a defined return
|
|
@ -108,7 +108,9 @@ scope = subtree
|
|||||||
# There are also other special fields which can be returned, see
|
# There are also other special fields which can be returned, see
|
||||||
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||||
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
||||||
user_attrs =
|
user_attrs = \
|
||||||
|
=user=%{ldap:uid}, \
|
||||||
|
=home=/var/vmail/%{ldap:uid}
|
||||||
|
|
||||||
# Filter for user lookup. Some variables can be used (see
|
# Filter for user lookup. Some variables can be used (see
|
||||||
# http://wiki2.dovecot.org/Variables for full list):
|
# http://wiki2.dovecot.org/Variables for full list):
|
||||||
@ -116,7 +118,7 @@ user_attrs =
|
|||||||
# %n - user part in user@domain, same as %u if there's no domain
|
# %n - user part in user@domain, same as %u if there's no domain
|
||||||
# %d - domain part in user@domain, empty if user there's no domain
|
# %d - domain part in user@domain, empty if user there's no domain
|
||||||
#user_filter = (&(objectClass=posixAccount)(uid=%u))
|
#user_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
user_filter = (&(objectClass=posixAccount)(uid=%u))
|
user_filter = (&(objectClass=kitchenUser)(uid=%n))
|
||||||
|
|
||||||
# Password checking attributes:
|
# Password checking attributes:
|
||||||
# user: Virtual user name (user@domain), if you wish to change the
|
# user: Virtual user name (user@domain), if you wish to change the
|
||||||
@ -124,7 +126,9 @@ user_filter = (&(objectClass=posixAccount)(uid=%u))
|
|||||||
# password: Password, may optionally start with {type}, eg. {crypt}
|
# password: Password, may optionally start with {type}, eg. {crypt}
|
||||||
# There are also other special fields which can be returned, see
|
# There are also other special fields which can be returned, see
|
||||||
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
||||||
#pass_attrs = uid=user,userPassword=password
|
pass_attrs = \
|
||||||
|
=user=%{ldap:uid}, \
|
||||||
|
=home=/var/vmail/%{ldap:uid}
|
||||||
|
|
||||||
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
|
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
|
||||||
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
|
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
|
||||||
@ -135,6 +139,7 @@ user_filter = (&(objectClass=posixAccount)(uid=%u))
|
|||||||
|
|
||||||
# Filter for password lookups
|
# Filter for password lookups
|
||||||
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
|
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
|
pass_filter = (&(objectClass=kitchenUser)(uid=%n))
|
||||||
|
|
||||||
# Attributes and filter to get a list of all users
|
# Attributes and filter to get a list of all users
|
||||||
#iterate_attrs = uid=user
|
#iterate_attrs = uid=user
|
||||||
|
150
roles/mail/templates/dovecot/dovecot-ldap.conf.lmtp.j2
Normal file
150
roles/mail/templates/dovecot/dovecot-ldap.conf.lmtp.j2
Normal file
@ -0,0 +1,150 @@
|
|||||||
|
# This file is commonly accessed via passdb {} or userdb {} section in
|
||||||
|
# conf.d/auth-ldap.conf.ext
|
||||||
|
|
||||||
|
# This file is opened as root, so it should be owned by root and mode 0600.
|
||||||
|
#
|
||||||
|
# http://wiki2.dovecot.org/AuthDatabase/LDAP
|
||||||
|
#
|
||||||
|
# NOTE: If you're not using authentication binds, you'll need to give
|
||||||
|
# dovecot-auth read access to userPassword field in the LDAP server.
|
||||||
|
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
|
||||||
|
# already be something like this:
|
||||||
|
|
||||||
|
# access to attribute=userPassword
|
||||||
|
# by dn="<dovecot's dn>" read # add this
|
||||||
|
# by anonymous auth
|
||||||
|
# by self write
|
||||||
|
# by * none
|
||||||
|
|
||||||
|
# Space separated list of LDAP hosts to use. host:port is allowed too.
|
||||||
|
#hosts =
|
||||||
|
|
||||||
|
# LDAP URIs to use. You can use this instead of hosts list. Note that this
|
||||||
|
# setting isn't supported by all LDAP libraries.
|
||||||
|
uris = {{ ldap_uri }}
|
||||||
|
|
||||||
|
# Distinguished Name - the username used to login to the LDAP server.
|
||||||
|
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
|
||||||
|
dn = {{ ldap_binddn }}
|
||||||
|
|
||||||
|
# Password for LDAP server, if dn is specified.
|
||||||
|
dnpass = {{ ldap_bindpw }}
|
||||||
|
|
||||||
|
# Use SASL binding instead of the simple binding. Note that this changes
|
||||||
|
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
|
||||||
|
# and auth_bind=yes don't work together.
|
||||||
|
#sasl_bind = no
|
||||||
|
# SASL mechanism name to use.
|
||||||
|
#sasl_mech =
|
||||||
|
# SASL realm to use.
|
||||||
|
#sasl_realm =
|
||||||
|
# SASL authorization ID, ie. the dnpass is for this "master user", but the
|
||||||
|
# dn is still the logged in user. Normally you want to keep this empty.
|
||||||
|
#sasl_authz_id =
|
||||||
|
|
||||||
|
# Use TLS to connect to the LDAP server.
|
||||||
|
#tls = no
|
||||||
|
# TLS options, currently supported only with OpenLDAP:
|
||||||
|
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||||
|
#tls_ca_cert_dir = /etc/ssl/certs
|
||||||
|
#tls_cipher_suite =
|
||||||
|
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||||
|
#tls_cert_file =
|
||||||
|
#tls_key_file =
|
||||||
|
# Valid values: never, hard, demand, allow, try
|
||||||
|
tls_require_cert = demand
|
||||||
|
|
||||||
|
# Use the given ldaprc path.
|
||||||
|
#ldaprc_path =
|
||||||
|
|
||||||
|
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
|
||||||
|
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
|
||||||
|
# to get enough output.
|
||||||
|
#debug_level = 0
|
||||||
|
|
||||||
|
# Use authentication binding for verifying password's validity. This works by
|
||||||
|
# logging into LDAP server using the username and password given by client.
|
||||||
|
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
|
||||||
|
# is still used, only the password field is ignored in it. Before doing any
|
||||||
|
# search, the binding is switched back to the default DN.
|
||||||
|
auth_bind = yes
|
||||||
|
|
||||||
|
# If authentication binding is used, you can save one LDAP request per login
|
||||||
|
# if users' DN can be specified with a common template. The template can use
|
||||||
|
# the standard %variables (see user_filter). Note that you can't
|
||||||
|
# use any pass_attrs if you use this setting.
|
||||||
|
#
|
||||||
|
# If you use this setting, it's a good idea to use a different
|
||||||
|
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
|
||||||
|
# the filename is different in userdb's args). That way one connection is used
|
||||||
|
# only for LDAP binds and another connection is used for user lookups.
|
||||||
|
# Otherwise the binding is changed to the default DN before each user lookup.
|
||||||
|
#
|
||||||
|
# For example:
|
||||||
|
# auth_bind_userdn = cn=%u,ou=people,o=org
|
||||||
|
#
|
||||||
|
#auth_bind_userdn =
|
||||||
|
|
||||||
|
# LDAP protocol version to use. Likely 2 or 3.
|
||||||
|
#ldap_version = 3
|
||||||
|
|
||||||
|
# LDAP base. %variables can be used here.
|
||||||
|
# For example: dc=mail, dc=example, dc=org
|
||||||
|
base = {{ ldap_base }}
|
||||||
|
|
||||||
|
# Dereference: never, searching, finding, always
|
||||||
|
deref = never
|
||||||
|
|
||||||
|
# Search scope: base, onelevel, subtree
|
||||||
|
scope = subtree
|
||||||
|
|
||||||
|
# User attributes are given in LDAP-name=dovecot-internal-name list. The
|
||||||
|
# internal names are:
|
||||||
|
# uid - System UID
|
||||||
|
# gid - System GID
|
||||||
|
# home - Home directory
|
||||||
|
# mail - Mail location
|
||||||
|
#
|
||||||
|
# There are also other special fields which can be returned, see
|
||||||
|
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||||
|
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
||||||
|
user_attrs = \
|
||||||
|
=user=%{ldap:uid}, \
|
||||||
|
=home=/var/vmail/%{ldap:uid}
|
||||||
|
|
||||||
|
# Filter for user lookup. Some variables can be used (see
|
||||||
|
# http://wiki2.dovecot.org/Variables for full list):
|
||||||
|
# %u - username
|
||||||
|
# %n - user part in user@domain, same as %u if there's no domain
|
||||||
|
# %d - domain part in user@domain, empty if user there's no domain
|
||||||
|
#user_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
|
user_filter = (&(objectClass=kitchenUser)(|(mail=%u)(mailAlternateAddress=%u)))
|
||||||
|
|
||||||
|
# Password checking attributes:
|
||||||
|
# user: Virtual user name (user@domain), if you wish to change the
|
||||||
|
# user-given username to something else
|
||||||
|
# password: Password, may optionally start with {type}, eg. {crypt}
|
||||||
|
# There are also other special fields which can be returned, see
|
||||||
|
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
||||||
|
pass_attrs = \
|
||||||
|
=user=%{ldap:uid}, \
|
||||||
|
=home=/var/vmail/%{ldap:uid}
|
||||||
|
|
||||||
|
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
|
||||||
|
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
|
||||||
|
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
|
||||||
|
# string. For example:
|
||||||
|
#pass_attrs = uid=user,userPassword=password,\
|
||||||
|
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
|
||||||
|
|
||||||
|
# Filter for password lookups
|
||||||
|
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
|
pass_filter = (&(objectClass=kitchenUser)(uid=%n))
|
||||||
|
|
||||||
|
# Attributes and filter to get a list of all users
|
||||||
|
#iterate_attrs = uid=user
|
||||||
|
#iterate_filter = (objectClass=posixAccount)
|
||||||
|
|
||||||
|
# Default password scheme. "{scheme}" before password overrides this.
|
||||||
|
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
|
||||||
|
#default_pass_scheme = CRYPT
|
@ -9,11 +9,9 @@ info_log_path = /var/log/dovecot/info.log
|
|||||||
#log_timestamp = "%Y-%m-%d %H:%M:%S "
|
#log_timestamp = "%Y-%m-%d %H:%M:%S "
|
||||||
|
|
||||||
mail_privileged_group = mail
|
mail_privileged_group = mail
|
||||||
|
mail_location = maildir:~/.maildir
|
||||||
|
|
||||||
mail_location = maildir:/var/vmail/%u/.maildir
|
postmaster_address = postmaster@binary-kitchen.de
|
||||||
mail_home = maildir:/var/vmail/%u
|
|
||||||
mail_uid = vmail
|
|
||||||
mail_gid = vmail
|
|
||||||
|
|
||||||
ssl = yes
|
ssl = yes
|
||||||
ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
|
ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
|
||||||
@ -21,24 +19,20 @@ ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
|
|||||||
ssl_protocols = !SSLv3
|
ssl_protocols = !SSLv3
|
||||||
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
||||||
|
|
||||||
passdb {
|
service lmtp {
|
||||||
driver = ldap
|
unix_listener /var/spool/postfix/private/dovecot-lmtpd {
|
||||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
group = postfix
|
||||||
|
mode = 0660
|
||||||
|
user = postfix
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
userdb {
|
|
||||||
driver = static
|
|
||||||
args = uid=vmail gid=vmail home=/var/vmail/%u
|
|
||||||
}
|
|
||||||
|
|
||||||
service auth {
|
service auth {
|
||||||
unix_listener /var/spool/postfix/private/auth {
|
unix_listener /var/spool/postfix/private/dovecot-auth {
|
||||||
mode = 0660
|
mode = 0660
|
||||||
user = postfix
|
user = postfix
|
||||||
group = postfix
|
group = postfix
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
service imap-login {
|
service imap-login {
|
||||||
inet_listener imap {
|
inet_listener imap {
|
||||||
address = 0.0.0.0 ::
|
address = 0.0.0.0 ::
|
||||||
@ -50,27 +44,49 @@ service imap-login {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
service managesieve-login {
|
passdb {
|
||||||
inet_listener sieve {
|
driver = ldap
|
||||||
address = 127.0.0.1 ::1
|
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
port = 2000
|
}
|
||||||
|
protocols = "imap lmtp sieve"
|
||||||
|
protocol sieve {
|
||||||
|
userdb {
|
||||||
|
driver = ldap
|
||||||
|
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
|
default_fields = uid=vmail gid=vmail
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol lda {
|
|
||||||
mail_plugins = sieve
|
|
||||||
log_path = /var/log/dovecot/deliver.log
|
|
||||||
info_log_path = /var/log/dovecot/deliver.log
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol imap {
|
protocol imap {
|
||||||
|
userdb {
|
||||||
|
driver = ldap
|
||||||
|
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
|
default_fields = uid=vmail gid=vmail
|
||||||
|
}
|
||||||
|
mail_plugins = "imap_sieve"
|
||||||
mail_max_userip_connections = 50
|
mail_max_userip_connections = 50
|
||||||
}
|
}
|
||||||
|
protocol lmtp {
|
||||||
|
userdb {
|
||||||
|
driver = ldap
|
||||||
|
args = /etc/dovecot/dovecot-ldap.conf.lmtp
|
||||||
|
default_fields = uid=vmail gid=vmail
|
||||||
|
}
|
||||||
|
mail_plugins = "sieve notify push_notification"
|
||||||
|
}
|
||||||
plugin {
|
plugin {
|
||||||
sieve = ~/.dovecot.sieve
|
imapsieve_mailbox1_before = file:/var/vmail/.sieve/report-spam.sieve
|
||||||
sieve_before = /var/vmail/default.sieve
|
imapsieve_mailbox1_causes = COPY
|
||||||
sieve_global_path = /var/vmail/default.sieve
|
imapsieve_mailbox1_name = Junk
|
||||||
|
imapsieve_mailbox2_before = file:/var/vmail/.sieve/report-ham.sieve
|
||||||
|
imapsieve_mailbox2_causes = COPY
|
||||||
|
imapsieve_mailbox2_from = Junk
|
||||||
|
imapsieve_mailbox2_name = *
|
||||||
|
sieve_after = /var/vmail/.sieve/move-spam.sieve
|
||||||
|
sieve_global = /var/vmail/.sieve
|
||||||
|
sieve_global_extensions = +vnd.dovecot.pipe
|
||||||
|
sieve_pipe_bin_dir = /var/vmail/.sieve/bin
|
||||||
|
sieve_plugins = "sieve_imapsieve sieve_extprograms"
|
||||||
|
sieve = file:~/.sieve;active=~/.dovecot.sieve
|
||||||
}
|
}
|
||||||
|
|
||||||
namespace inbox {
|
namespace inbox {
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
server_host = {{ ldap_uri }}
|
|
||||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
|
||||||
tls_require_cert = yes
|
|
||||||
bind = yes
|
|
||||||
bind_dn = {{ ldap_binddn }}
|
|
||||||
bind_pw = {{ ldap_bindpw }}
|
|
||||||
version = 3
|
|
||||||
|
|
||||||
search_base = {{ ldap_base }}
|
|
||||||
query_filter = (&(objectClass=kitchenUser)(mailAlternateAddress=%s))
|
|
||||||
result_attribute = mail
|
|
@ -1,12 +0,0 @@
|
|||||||
server_host = {{ ldap_uri }}
|
|
||||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
|
||||||
tls_require_cert = yes
|
|
||||||
bind = yes
|
|
||||||
bind_dn = {{ ldap_binddn }}
|
|
||||||
bind_pw = {{ ldap_bindpw }}
|
|
||||||
version = 3
|
|
||||||
|
|
||||||
search_base = {{ ldap_base }}
|
|
||||||
query_filter = (&(objectClass=kitchenUser)(mail=%s))
|
|
||||||
result_attribute = uid
|
|
||||||
result_format = %u/.maildir/
|
|
@ -1,37 +1,55 @@
|
|||||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
# Uncomment soft_bounce for testing
|
||||||
|
#soft_bounce = yes
|
||||||
|
|
||||||
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
# Generic postfix parameters
|
||||||
|
compatibility_level = 2
|
||||||
|
smtpd_banner = $myhostname ESMTP $mail_name
|
||||||
biff = no
|
biff = no
|
||||||
|
|
||||||
# appending .domain is the MUA's job.
|
|
||||||
append_dot_mydomain = no
|
append_dot_mydomain = no
|
||||||
|
|
||||||
# Uncomment the next line to generate "delayed mail" warnings
|
|
||||||
#delay_warning_time = 4h
|
|
||||||
|
|
||||||
readme_directory = no
|
readme_directory = no
|
||||||
|
|
||||||
inet_interfaces = all
|
inet_interfaces = all
|
||||||
inet_protocols = all
|
inet_protocols = all
|
||||||
|
|
||||||
message_size_limit = 50000000
|
message_size_limit = 50000000
|
||||||
recipient_delimiter = +
|
recipient_delimiter = +
|
||||||
|
unknown_local_recipient_reject_code = 550
|
||||||
mydomain = {{ mail_domain }}
|
strict_rfc821_envelopes = yes
|
||||||
myhostname = {{ ansible_fqdn }}
|
disable_vrfy_command = yes
|
||||||
myorigin = {{ ansible_fqdn }}
|
smtpd_delay_reject = yes
|
||||||
mydestination = localhost.{{ mail_domain }}, localhost
|
smtpd_helo_required = yes
|
||||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mail_trusted }}
|
|
||||||
|
|
||||||
alias_maps = hash:/etc/aliases
|
|
||||||
alias_database = hash:/etc/aliases
|
|
||||||
relayhost =
|
relayhost =
|
||||||
|
|
||||||
# TLS parameters
|
# Postscreen (pre-greet only, rspamd does the rest)
|
||||||
|
postscreen_greet_banner = $myhostname ESMTP $mail_name
|
||||||
|
postscreen_greet_action = enforce
|
||||||
|
|
||||||
|
# Network parameters
|
||||||
|
mydomain = {{ mail_domain }}
|
||||||
|
myhostname = {{ ansible_fqdn }}
|
||||||
|
myorigin = $myhostname
|
||||||
|
mydestination = localhost.$mydomain, localhost
|
||||||
|
mynetworks =
|
||||||
|
127.0.0.0/8
|
||||||
|
[::ffff:127.0.0.0]/104
|
||||||
|
[::1]/128
|
||||||
|
{% for cidr in mail_trusted.split(' ') %}
|
||||||
|
{{ cidr }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
# Alias configuration
|
||||||
|
alias_maps = hash:/etc/aliases
|
||||||
|
alias_database = hash:/etc/aliases
|
||||||
|
|
||||||
|
# Client TLS parameters
|
||||||
smtp_tls_security_level = may
|
smtp_tls_security_level = may
|
||||||
smtp_tls_loglevel = 1
|
smtp_tls_loglevel = 1
|
||||||
smtp_tls_CApath = /etc/ssl/certs
|
smtp_tls_CApath = /etc/ssl/certs
|
||||||
|
smtp_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
|
smtp_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
|
||||||
|
smtp_tls_CApath = /etc/ssl/certs
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
smtp_tls_fingerprint_digest=sha256
|
||||||
|
|
||||||
|
# Server TLS parameters
|
||||||
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
|
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
|
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
|
||||||
smtpd_tls_CApath = /etc/ssl/certs
|
smtpd_tls_CApath = /etc/ssl/certs
|
||||||
@ -39,50 +57,62 @@ smtpd_tls_security_level = may
|
|||||||
smtpd_tls_auth_only = yes
|
smtpd_tls_auth_only = yes
|
||||||
smtpd_tls_ciphers = medium
|
smtpd_tls_ciphers = medium
|
||||||
smtpd_tls_received_header = yes
|
smtpd_tls_received_header = yes
|
||||||
|
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
||||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtpd_tls_fingerprint_digest=sha256
|
||||||
|
|
||||||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
# Submission SASL configuration
|
||||||
# information on enabling SSL in the smtp client.
|
|
||||||
|
|
||||||
smtpd_sasl_type = dovecot
|
smtpd_sasl_type = dovecot
|
||||||
smtpd_sasl_path = private/auth
|
smtpd_sasl_path = private/dovecot-auth
|
||||||
smtpd_sasl_auth_enable = yes
|
smtpd_sasl_auth_enable = yes
|
||||||
smtpd_sasl_security_options = noanonymous
|
smtpd_sasl_security_options = noanonymous
|
||||||
|
|
||||||
smtpd_helo_restrictions = permit_mynetworks
|
# SMTPd restrictions
|
||||||
warn_if_reject reject_non_fqdn_hostname
|
smtpd_helo_restrictions =
|
||||||
check_helo_access hash:/etc/postfix/helo_access
|
permit_sasl_authenticated
|
||||||
#check_client_access cidr:/etc/postfix/client_access
|
permit_mynetworks
|
||||||
|
warn_if_reject reject_non_fqdn_hostname
|
||||||
|
check_helo_access hash:/etc/postfix/helo_access
|
||||||
|
|
||||||
smtpd_recipient_restrictions = permit_mynetworks
|
smtpd_client_restrictions =
|
||||||
permit_sasl_authenticated
|
permit_sasl_authenticated
|
||||||
reject_unauth_destination
|
permit_mynetworks
|
||||||
reject_rbl_client sbl.spamhaus.org
|
reject_unknown_reverse_client_hostname
|
||||||
reject_rbl_client cbl.abuseat.org
|
|
||||||
check_recipient_access hash:/etc/postfix/recipient_access
|
|
||||||
|
|
||||||
smtpd_data_restrictions = warn_if_reject reject_unauth_pipelining
|
smtpd_sender_restrictions =
|
||||||
|
reject_unknown_sender_domain
|
||||||
|
reject_non_fqdn_sender
|
||||||
|
permit_mynetworks
|
||||||
|
permit_tls_clientcerts
|
||||||
|
permit_sasl_authenticated
|
||||||
|
reject_unauth_pipelining
|
||||||
|
reject_unauthenticated_sender_login_mismatch
|
||||||
|
reject_sender_login_mismatch
|
||||||
|
|
||||||
smtpd_restriction_classes = greylisting
|
smtpd_recipient_restrictions =
|
||||||
|
reject_unknown_recipient_domain
|
||||||
|
reject_non_fqdn_recipient
|
||||||
|
permit_mynetworks
|
||||||
|
permit_tls_clientcerts
|
||||||
|
permit_sasl_authenticated
|
||||||
|
reject_unauth_destination
|
||||||
|
reject_unauth_pipelining
|
||||||
|
reject_unverified_recipient
|
||||||
|
|
||||||
greylisting = check_policy_service unix:private/spfpolicy
|
# rspamd Milter setup
|
||||||
check_policy_service inet:127.0.0.1:10023
|
smtpd_milters = inet:localhost:11332
|
||||||
|
non_smtpd_milters = inet:localhost:11332
|
||||||
content_filter = amavis:[127.0.0.1]:10024
|
milter_default_action = accept
|
||||||
receive_override_options = no_address_mappings
|
milter_protocol = 6
|
||||||
|
|
||||||
|
# mailbox / forward definitions
|
||||||
virtual_mailbox_domains = {{ mail_domain }}
|
virtual_mailbox_domains = {{ mail_domain }}
|
||||||
{%- for domain in mail_domains %}
|
{% for domain in mail_domains %}
|
||||||
{{ domain }}
|
{{ domain }}
|
||||||
{%- endfor %}
|
{% endfor %}
|
||||||
|
virtual_alias_maps = hash:/etc/postfix/virtual-alias
|
||||||
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-maps.cf
|
virtual_transport = lmtp:unix:private/dovecot-lmtpd
|
||||||
virtual_alias_maps = hash:/etc/postfix/virtual-alias, ldap:/etc/postfix/ldap-aliases.cf
|
unverified_recipient_reject_code = 550
|
||||||
|
unverified_recipient_reject_reason = Recipient unknown
|
||||||
virtual_transport = dovecot
|
|
||||||
dovecot_destination_recipient_limit = 1
|
|
||||||
|
|
||||||
# mailman
|
# mailman
|
||||||
relay_domains = {{ mailman_domain }}
|
relay_domains = {{ mailman_domain }}
|
||||||
|
@ -9,12 +9,19 @@
|
|||||||
# service type private unpriv chroot wakeup maxproc command + args
|
# service type private unpriv chroot wakeup maxproc command + args
|
||||||
# (yes) (yes) (yes) (never) (100)
|
# (yes) (yes) (yes) (never) (100)
|
||||||
# ==========================================================================
|
# ==========================================================================
|
||||||
smtp inet n - - - - smtpd
|
#smtp inet n - - - - smtpd
|
||||||
#smtp inet n - - - 1 postscreen
|
smtp inet n - - - 1 postscreen
|
||||||
#smtpd pass - - - - - smtpd
|
smtpd pass - - - - - smtpd
|
||||||
#dnsblog unix - - - - 0 dnsblog
|
dnsblog unix - - - - 0 dnsblog
|
||||||
#tlsproxy unix - - - - 0 tlsproxy
|
tlsproxy unix - - - - 0 tlsproxy
|
||||||
submission inet n - - - - smtpd
|
submission inet n - - - - smtpd
|
||||||
|
-o syslog_name=postfix/submission
|
||||||
|
-o smtpd_tls_security_level=encrypt
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_reject_unlisted_recipient=no
|
||||||
|
-o smtpd_recipient_restrictions=
|
||||||
|
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o { milter_macro_daemon_name = ORIGINATING }
|
||||||
# -o syslog_name=postfix/submission
|
# -o syslog_name=postfix/submission
|
||||||
# -o smtpd_tls_security_level=encrypt
|
# -o smtpd_tls_security_level=encrypt
|
||||||
# -o smtpd_sasl_auth_enable=yes
|
# -o smtpd_sasl_auth_enable=yes
|
||||||
@ -24,7 +31,6 @@ submission inet n - - - - smtpd
|
|||||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||||
# -o smtpd_recipient_restrictions=
|
# -o smtpd_recipient_restrictions=
|
||||||
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||||
# -o milter_macro_daemon_name=ORIGINATING
|
|
||||||
#smtps inet n - - - - smtpd
|
#smtps inet n - - - - smtpd
|
||||||
# -o syslog_name=postfix/smtps
|
# -o syslog_name=postfix/smtps
|
||||||
# -o smtpd_tls_wrappermode=yes
|
# -o smtpd_tls_wrappermode=yes
|
||||||
@ -120,29 +126,3 @@ scalemail-backend unix - n n - 2 pipe
|
|||||||
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||||
mailman unix - n n - - pipe
|
mailman unix - n n - - pipe
|
||||||
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
|
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
|
||||||
|
|
||||||
# dovecot
|
|
||||||
dovecot unix - n n - - pipe
|
|
||||||
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user} -m ${extension}
|
|
||||||
|
|
||||||
# amavis
|
|
||||||
amavis unix - - - - 2 smtp
|
|
||||||
-o smtp_data_done_timeout=1200
|
|
||||||
-o smtp_send_xforward_command=yes
|
|
||||||
|
|
||||||
127.0.0.1:10025 inet n - - - - smtpd
|
|
||||||
-o content_filter=
|
|
||||||
-o local_recipient_maps=
|
|
||||||
-o relay_recipient_maps=
|
|
||||||
-o smtpd_restriction_classes=
|
|
||||||
-o smtpd_client_restrictions=
|
|
||||||
-o smtpd_helo_restrictions=
|
|
||||||
-o smtpd_sender_restrictions=
|
|
||||||
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
|
||||||
-o mynetworks=127.0.0.0/8
|
|
||||||
-o strict_rfc821_envelopes=yes
|
|
||||||
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
|
|
||||||
|
|
||||||
# spf
|
|
||||||
spfpolicy unix - n n - 0 spawn
|
|
||||||
user=nobody argv=/usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
|
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
info@binary-kitchen.de greylisting
|
|
||||||
vorstand@binary-kitchen.de greylisting
|
|
6
roles/mail/templates/rspamd/local.d/arc.conf.j2
Normal file
6
roles/mail/templates/rspamd/local.d/arc.conf.j2
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
allow_username_mismatch = true;
|
||||||
|
sign_networks = [127.0.0.1, ::1, {{ mail_trusted }}];
|
||||||
|
check_pubkey = true;
|
||||||
|
try_fallback = false;
|
||||||
|
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||||
|
selector_map = "/etc/rspamd/local.d/arc_selectors.map";
|
6
roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2
Normal file
6
roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
allow_username_mismatch = true;
|
||||||
|
sign_networks = [127.0.0.1, ::1, {{ mail_trusted }}];
|
||||||
|
check_pubkey = true;
|
||||||
|
try_fallback = false;
|
||||||
|
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||||
|
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
|
1
roles/mail/templates/rspamd/local.d/options.inc.j2
Normal file
1
roles/mail/templates/rspamd/local.d/options.inc.j2
Normal file
@ -0,0 +1 @@
|
|||||||
|
local_addrs = [127.0.0.1, ::1, {{ mail_trusted }}];
|
Loading…
Reference in New Issue
Block a user