improve dovecot

defaults/main.yml

@@ -1,18 +1,22 @@
 ---
+mailserver_mail_domain: "sum7.eu"
+mailserver_mx_domain: "{{ inventory_hostname }}"
+mailserver_cert_domains: "{{ mailserver_mx_domain }} mail.{{ mailserver_mail_domain }}"
+
 mailserver_db_type: "pgsql"
 mailserver_db_host: "localhost"
 mailserver_db_name: "mailserver"
 mailserver_db_user: "mailserver"
 mailserver_db_password: "{{ lookup('password', 'credentials/' + inventory_hostname + '/mailserver/db_password length=15') }}"
+
 #mailserver_postfixadmin_setup_password: "" # after postfixadmin-setup
 mailserver_postfixadmin_domain: ""
-mailserver_postfixadmin_mail_domain: "sum7.eu"
-mailserver_postfixadmin_mail_admin: "admin@{{ mailserver_postfixadmin_mail_domain }}"
+mailserver_postfixadmin_mail_admin: "admin@{{ mailserver_mail_domain }}"
 mailserver_postfixadmin_setup: ""
 mailserver_postfixadmin_default_aliases:
-  abuse: "abuse@{{ mailserver_postfixadmin_mail_domain }}"
-  hostmaster: "hostmaster@{{ mailserver_postfixadmin_mail_domain }}"
-  postmaster: "postmaster@{{ mailserver_postfixadmin_mail_domain }}"
-  webmaster: "webmaster@{{ mailserver_postfixadmin_mail_domain }}"
-
+  abuse: "abuse@{{ mailserver_mail_domain }}"
+  hostmaster: "hostmaster@{{ mailserver_mail_domain }}"
+  postmaster: "postmaster@{{ mailserver_mail_domain }}"
+  webmaster: "webmaster@{{ mailserver_mail_domain }}"
 
+mailserver_rspamd_enabled: true

handlers/main.yml

@@ -3,3 +3,8 @@
   systemd:
     name: nginx
     state: reloaded
+
+- name: restart dovecot
+  systemd:
+    name: dovecot
+    state: restarted

tasks/db.yml

@@ -1,4 +1,4 @@
-- name: Install PostgreSQL
+- name: DB - Install PostgreSQL
   package:
     state: latest
     name:
@@ -7,12 +7,12 @@
     - postgresql-old-upgrade
     - postgis
 
-- name: Ensure a locale exists
+- name: DB - Ensure a locale exists
   locale_gen:
     name: en_US.UTF-8
     state: present
 
-- name: init db
+- name: DB - Init
   become: yes
   become_user: postgres
   become_method: su
@@ -20,19 +20,19 @@
   args:
     creates: /var/lib/postgres/data/postgresql.conf
 
-- name: start db
+- name: DB - starting
   systemd:
     name: postgresql
     enabled: yes
     state: started
 
-- name: create db user
+- name: DB - create user
   postgresql_user:
     login_host: "{{ mailserver_db_host }}"
     name: "{{ mailserver_db_user }}"
     password: "{{ mailserver_db_password }}"
 
-- name: create db
+- name: DB - create database
   postgresql_db:
     login_host: "{{ mailserver_db_host }}"
     name: "{{ mailserver_db_name }}"

tasks/dovecot.yml

@@ -1,11 +1,18 @@
-- name: Install dovecot
+- name: dovecot - install
   package:
     state: latest
     name:
       - dovecot
       - pigeonhole
 
-- name: dovecot create config folder
+- name: dovecot - generate DH
+  notify: restart dovecot
+  openssl_dhparam:
+    path: /etc/dovecot/dh.pem
+    size: 4096
+
+- name: dovecot - create config folder
+  notify: restart dovecot
   file:
     path: "{{ item }}"
     state: directory
@@ -14,7 +21,8 @@
   - /etc/dovecot
   - /etc/dovecot/conf.d
 
-- name: take default dovecot config
+- name: dovecot - take default config
+  notify: restart dovecot
   copy:
     remote_src: yes
     src:  "/usr/share/doc/dovecot/example-config/{{ item }}"
@@ -23,7 +31,8 @@
   - conf.d/auth-sql.conf.ext
 
 
-- name: dovecot config
+- name: dovecot - config
+  notify: restart dovecot
   template:
     src:       "dovecot/{{ item }}"
     dest: "/etc/dovecot/{{ item }}"
@@ -31,4 +40,19 @@
   - dovecot-sql.conf.ext
   - dovecot.conf
   - conf.d/10-auth.conf
+  - conf.d/10-mail.conf
+  - conf.d/10-master.conf
+  - conf.d/10-ssl.conf
+  - conf.d/15-mailboxes.conf
+  - conf.d/20-imap.conf
+  - conf.d/20-lmtp.conf
+  - conf.d/20-managesieve.conf
+  - conf.d/90-quota.conf
+  - conf.d/90-sieve.conf
+  - conf.d/91-stats.conf
 
+- name: dovecot - start and enable on boot
+  systemd:
+    name: dovecot
+    enabled: yes
+    state: restarted

tasks/main.yml

@@ -16,6 +16,12 @@
     shell: /usr/bin/nologin
     home: /srv/mail
 
+- name: get mx cert
+  notify: dehydrated
+  lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "{{ mailserver_cert_domains }}"
+
 - name: Run userdatabase
   import_tasks: db.yml
   
@@ -27,6 +33,7 @@
   
 - name: Run rspamd
   import_tasks: rspamd.yml
+  when: mailserver_rspamd_enabled
   
 - name: Run mailman
   import_tasks: mailman.yml

tasks/postfixadmin.yml

@@ -1,28 +1,28 @@
-- name: package
+- name: postfixadmin - install
   package:
     name:
     - postfixadmin
 
-- name: nginx local
+- name: postfixadmin - nginx local
   notify: reload nginx
   when: mailserver_postfixadmin_domain == ""
   template:
     src: postfixadmin-local.nginx
     dest: /etc/nginx/local.d/postfixadmin.act
 
-- name: nginx domain
+- name: postfixadmin - nginx domain
   notify: reload nginx
   when: mailserver_postfixadmin_domain != ""
   template:
     src: postfixadmin-domain.nginx
     dest: /etc/nginx/sites.d/postfixadmin.act
 
-- name: config postfixadmin
+- name: postfixadmin - config
   template:
     src: postfixadmin.local.php
     dest: /etc/webapps/postfixadmin/config.local.php
 
-- name: allow access php to postfixadmin.conf
+- name: postfixadmin - fix config access
   file:
     path: "/etc/webapps/postfixadmin/{{ item }}"
     owner: http
@@ -31,7 +31,7 @@
   - config.inc.php
   - config.local.php
 
-- name: config caching
+- name: postfixadmin - fix caching access
   file:
     path: "{{ item }}"
     owner: http

templates/dovecot/conf.d/10-mail.conf

@@ -0,0 +1,8 @@
+#mail_location = mbox:~/mail:INBOX=/var/mail/%u
+mail_location = maildir:~/Maildir
+namespace inbox {
+  inbox = yes
+}
+mail_uid = 5000
+mail_gid = 5000
+mail_plugins = quota old_stats

templates/dovecot/conf.d/10-master.conf

@@ -0,0 +1,45 @@
+service imap-login {
+  inet_listener imap {
+  }
+  inet_listener imaps {
+  }
+}
+service pop3-login {
+  inet_listener pop3 {
+  }
+  inet_listener pop3s {
+  }
+}
+service lmtp {
+  unix_listener lmtp {
+  }
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0600
+    user = postfix
+    group = postfix
+  }
+}
+service imap {
+  executable = imap
+}
+service pop3 {
+  executable = pop3
+}
+service auth {
+  unix_listener auth-userdb {
+    user = vmail
+  }
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+}
+service auth-worker {
+}
+service dict {
+  unix_listener dict {
+    mode = 0600
+    user = vmail
+  }
+}

templates/dovecot/conf.d/10-ssl.conf

@@ -0,0 +1,6 @@
+ssl = required
+ssl_cert = </etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/fullchain.pem
+ssl_key = </etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem
+ssl_dh = </etc/dovecot/dh.pem
+ssl_min_protocol = TLSv1.1
+ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

templates/dovecot/conf.d/15-mailboxes.conf

@@ -0,0 +1,18 @@
+namespace inbox {
+  mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    auto = subscribe
+    special_use = \Junk
+  }
+  mailbox Trash {
+    auto = subscribe
+    special_use = \Trash
+  }
+  mailbox Sent {
+    auto = subscribe
+    special_use = \Sent
+  }
+}

templates/dovecot/conf.d/20-imap.conf

@@ -0,0 +1,4 @@
+protocol imap {
+  mail_plugins = $mail_plugins imap_quota imap_sieve imap_old_stats
+  imap_idle_notify_interval = 29 mins
+}

templates/dovecot/conf.d/20-lmtp.conf

@@ -0,0 +1,4 @@
+protocol lmtp {
+  postmaster_address = postmaster@{{ mailserver_mail_domain }}
+  mail_plugins = $mail_plugins sieve
+}

templates/dovecot/conf.d/20-managesieve.conf

@@ -0,0 +1,6 @@
+service managesieve-login {
+}
+service managesieve {
+}
+protocol sieve {
+}

templates/dovecot/conf.d/90-quota.conf

@@ -0,0 +1,3 @@
+plugin {
+  quota = dict:User quota::proxy::quota
+}

templates/dovecot/conf.d/90-sieve.conf

@@ -0,0 +1,17 @@
+plugin {
+  sieve = ~/.dovecot.sieve
+  sieve_dir = ~/sieve
+  sieve_before =  /srv/mail/sieve/spam.sieve
+  sieve_global_extensions = +vnd.dovecot.pipe
+  sieve_plugins = sieve_imapsieve sieve_extprograms
+  sieve_pipe_bin_dir = /usr/bin
+{% if mailserver_rspamd_enabled %}
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/srv/mail/sieve/learn-spam.sieve
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/srv/mail/sieve/learn-ham.sieve
+{% endif %}
+}

templates/dovecot/conf.d/91-stats.conf

@@ -0,0 +1,16 @@
+protocol imap {
+	mail_plugins = $mail_plugins imap_old_stats
+}
+plugin {
+	old_stats_refresh = 30 secs
+}
+service old-stats {
+	fifo_listener old-stats-mail {
+		user = vmail
+		mode = 0600
+	}
+	inet_listener {
+		address = 127.0.0.1
+		port = 24242
+	}
+}

templates/postfixadmin.local.php

@@ -37,7 +37,7 @@ $CONF['default_aliases'] = array (
 {% endfor %}
 );
 $CONF['admin_email'] = '{{ mailserver_postfixadmin_mail_admin }}';
-$CONF['admin_name'] = 'Hosting of {{ mailserver_postfixadmin_mail_domain }}';
+$CONF['admin_name'] = 'Hosting of {{ mailserver_mail_domain }}';
 
 $CONF['password_validation'] = array(
 #    '/regular expression/' => '$PALANG key (optional: + parameter)',