~tieong/ansible-role-mail

https://git.sr.ht/~tieong/ansible-role-mail

#Lightweight Mail Server (LMS)

Lightweight mail server based on Postfix, Dovecot, Unbound, Redis and Rspamd. There is no database whatsoever to manage the users: this configuration is intended for personal/friends/family use, so not a lot of people.

Roundcube is available but optional; the same goes for the Rspamd web UI.

Maximum RAM usage is around 400-500 MB, and Rspamd is the component that is being fat; on average we're around 200-250 MB, and turning Rspamd down brings it to 170-200 MB.

Postfix is set to use virtual users and virtual aliases.

The listening ports are 25, 465 and 993. Why no 587? See RFC 8314 (2018), "Cleartext Considered Obsolete", which recommends implicit TLS (submission on 465, IMAP on 993) over the STARTTLS ports such as 587.

The lifecycle of the DKIM key, the DNS records and the TLS certificates is up to you.

See the defaults/main.yml for more info.

Keep in mind that I made this role for Debian 11, on a server that sits behind a bastion.

#Required variables

I advise creating these with ansible-vault in your vars/main.yml.

```yaml
domain: <your_domain>

# Dovecot
dovecot_ssl_cert_path:
dovecot_ssl_key_path:
dovecot_postmaster_mail:
dovecot_passwd:
  address_0:
    mail: <your_mail>
    password: 'some_argon2id_hash'
  address_1:
    mail: <another_mail>
    password: 'some_argon2id_hash'

# Postfix
postfix_tls_cert_file:
postfix_tls_key_file:
postfix_myhostname: mail.<your_domain>
```

The password fields hold an Argon2id hash as produced by `doveadm pw -s ARGON2ID`, never the cleartext password.

If behind a NAT, set this to the public address the NAT forwards to this host (Postfix `proxy_interfaces`):

```yaml
postfix_proxy_interfaces: <your_proxy_interface>
```

```yaml
# Virtual mail
virtual_mail:
  address_0:
    mail: <your_mail>
    name: test
  address_1:
    mail: <bob_mail>
    name: bob

# Virtual aliases
virtual_alias:
  address_0:
    alias: postmaster
    mail: postmaster@domain.tld
  address_1:
    alias: <alias>
    mail: <mail_address>
```

The Rspamd controller password is a hash generated with the `rspamadm pw` command:

```yaml
rspamd_controller_password: ''
```

The Roundcube DES key can be generated with openssl, see https://gist.github.com/chengen/450129cb95c7159cb05001cc6bdbf6a1 :

```yaml
roundcube_des_key: ''
```

#Virtual aliases

The first two aliases, a and b, are redirected to the same address, foo in this instance. The last entry, with an empty local part, is a catch-all: anything at domain.tld that has no entry of its own goes to baz. Rendered as a Postfix virtual alias map the entries look like this:

```
a@domain.tld     foo@domain.tld
b@domain.tld     foo@domain.tld
c@domain.tld     bar@domain.tld
@domain.tld      baz@domain.tld
```
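The same structure rendered and sanity-checked in code, as an added example that is not part of the role (the role's own templates may differ): it takes the virtual_mail and virtual_alias dictionaries from the Required variables section, renders them as Postfix map lines, and flags dangling targets, alias loops, an alias that shadows a mailbox, a missing postmaster, and the presence of a catch-all. The handling of bare local parts, the use of '@domain.tld' as the catch-all entry, and the Maildir-style mailbox path are assumptions made for this illustration, and the sample data is constructed from the examples above.

```python
"""Render the role's virtual_mail / virtual_alias variables into Postfix map
lines and catch the mistakes a hand-written alias map lets through.

Added example, not the role's own template logic. Assumptions: an `alias`
value without '@' is a local part at `domain`; a value that already contains
'@' (such as '@domain.tld') is used verbatim, which is how the catch-all is
written; the catch-all applies to any address at `domain` without an exact
entry; the mailbox map uses a Maildir-style 'domain/name/' path."""

MAX_HOPS = 20   # bound on alias expansion, in case the loop check is bypassed


def canonical(address, domain):
    """Lowercase, and turn a bare local part into local@domain."""
    address = address.strip().lower()
    return address if "@" in address else "%s@%s" % (address, domain)


def resolve(address, aliases, domain):
    """Expand aliases recursively the way virtual_alias_maps does.
    Returns (final_address, looped). An identity entry (x -> x) stops expansion."""
    seen = {address}
    current = address
    for _ in range(MAX_HOPS):
        target = aliases.get(current)
        if target is None and current.endswith("@" + domain):
            target = aliases.get("@" + domain)      # catch-all entry
        if target is None or target == current:
            return current, False
        if target in seen:
            return target, True
        seen.add(target)
        current = target
    return current, True


def render_maps(domain, virtual_mail, virtual_alias):
    """Return (vmailbox_lines, valias_lines, findings)."""
    domain = domain.lower()
    mailboxes = {canonical(e["mail"], domain): e["name"] for e in virtual_mail.values()}
    aliases = {canonical(e["alias"], domain): canonical(e["mail"], domain)
               for e in virtual_alias.values()}
    findings = []

    for lhs in aliases:
        if lhs in mailboxes:
            # Postfix expands virtual_alias_maps before virtual_mailbox_maps
            findings.append("%s is both a mailbox and an alias; the alias wins" % lhs)
        final, looped = resolve(lhs, aliases, domain)
        if looped:
            findings.append("alias loop starting at %s" % lhs)
        elif final.endswith("@" + domain) and final not in mailboxes:
            findings.append("%s resolves to %s, which has no mailbox (mail would bounce)"
                            % (lhs, final))

    postmaster, _ = resolve("postmaster@" + domain, aliases, domain)
    if postmaster.endswith("@" + domain) and postmaster not in mailboxes:
        findings.append("postmaster@%s is not deliverable; RFC 5321 requires it" % domain)
    if "@" + domain in aliases:
        findings.append("catch-all @%s accepts every address, expect spam on it" % domain)

    vmailbox = ["%s %s/%s/" % (addr, domain, name) for addr, name in sorted(mailboxes.items())]
    valias = ["%s %s" % (lhs, rhs) for lhs, rhs in sorted(aliases.items())]
    return vmailbox, valias, findings


# Constructed sample mirroring the Required variables and Virtual aliases sections.
SAMPLE_DOMAIN = "domain.tld"
SAMPLE_MAIL = {
    "address_0": {"mail": "foo@domain.tld", "name": "foo"},
    "address_1": {"mail": "bar@domain.tld", "name": "bar"},
    "address_2": {"mail": "baz@domain.tld", "name": "baz"},
}
SAMPLE_ALIAS = {
    "address_0": {"alias": "postmaster", "mail": "foo@domain.tld"},
    "address_1": {"alias": "a", "mail": "foo@domain.tld"},
    "address_2": {"alias": "b", "mail": "foo@domain.tld"},
    "address_3": {"alias": "c", "mail": "bar@domain.tld"},
    "address_4": {"alias": "@domain.tld", "mail": "baz@domain.tld"},
}

if __name__ == "__main__":
    vmailbox, valias, findings = render_maps(SAMPLE_DOMAIN, SAMPLE_MAIL, SAMPLE_ALIAS)
    print("\n".join(valias))
    for finding in findings:
        print("WARNING:", finding)
```

Run it against your own vars before the playbook: an alias whose target has no mailbox is the classic "User unknown in virtual alias table" bounce, and a catch-all is worth a deliberate decision rather than an accident.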

#DNS Records

It is mandatory to set up all of these DNS records so you do not get blackholed or junk-foldered by other mail servers (except the SRV records, which are only useful for autodiscovery by MUAs like Thunderbird).

To check, you can try mail-tester (https://www.mail-tester.com/) or https://dkimvalidator.com/ .

#A record pointing to the mail server

In my case this is pointing to the NAT/bastion.

```
mail.domain.tld. 	0 	A 	<ip of bastion>
```

#MUA Autodiscovery

You need to set up the SRV records (RFC 6186), see the examples and links below. imap.domain.tld can be a CNAME pointing to your mail.domain.tld record.

```
_imaps._tcp.domain.tld. 0 	SRV 	5 0 993 imap.domain.tld.
```

#MX Records

The syntax is the following (the preference number is mandatory; lower is tried first):

```
domain.tld. 	0 	MX 	10 mail.domain.tld.
```

#Reverse DNS

You do need to set the reverse DNS (PTR) of the server's public IP to the name you use in postfix_myhostname (mail.domain.tld), and that name must resolve back to the same IP; receiving servers check this forward-confirmed reverse DNS and treat a mismatch as a spam signal.

With OVH there is no PTR record to set in the DNS zone; you have to log in, then go to Bare Metal Cloud -> IP -> Reverse DNS.

#DKIM

The key is generated by rspamd with `rspamadm dkim_keygen`, see https://rspamd.com/doc/modules/dkim_signing.html. Some variants from that documentation (selector `dkim`, 2048-bit RSA, private key written to the path given with `-k`):

```sh
rspamadm dkim_keygen -s 'dkim' -d example.com

rspamadm dkim_keygen -s 'woosh' -b 2048 -d example.com -k example.private > example.txt

rspamadm dkim_keygen -k /var/db/rspamd/dkim/example.com.dkim.key -b 2048 -s dkim -d example.com
```

The command writes the private key (to stdout, or to the -k path) and prints the TXT record to publish at `<selector>._domainkey.domain.tld`; on this role the files live under /var/lib/rspamd/dkim/, see the DKIM key section below. The record looks like this, with `p=` holding the base64 public key, not empty quotes:

```
v=DKIM1; k=rsa; s=email; t=s; p=<base64 public key>
```

#SPF

Start with '~all' (softfail) to test the configuration, then switch to '-all' once everything works. Publish it as a TXT record; the dedicated SPF record type is obsolete (RFC 7208).

```
domain.tld. 	0 	TXT 	"v=spf1 a mx mx:mail.domain.tld -all"
```

#DMARC

You can start with `p=none` plus a `rua=mailto:` address to receive aggregate reports, and once you feel comfortable with what they show, turn on a strict policy. Like SPF, this is a TXT record.

```
_dmarc.domain.tld. 	0 	TXT 	"v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
```

#SRV Records

RFC 6186 defines `_submission._tcp` for STARTTLS submission on 587; for implicit TLS on 465, RFC 8314 adds `_submissions._tcp`, which is the one matching this setup.

```
_submissions._tcp.domain.tld. 	0 	SRV 	5 0 465 mail.domain.tld.
_imaps._tcp.domain.tld. 	0 	SRV 	5 0 993 imap.domain.tld.
```
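An added example (not from the role) that lints the SPF, DMARC and DKIM TXT values from the sections above before you publish them; it catches what mail-tester or dkimvalidator would otherwise report after the fact: a softfail left in place, p=none or no rua, an empty or suspiciously short DKIM key, stray quotes in p=. It works on strings only, so it runs offline; the sample records are constructed to mirror this README and the DKIM key material is a zero-filled placeholder of the right length, not a real key.

```python
"""Lint SPF, DMARC and DKIM TXT values before they go into the zone.

Added example, not part of the role. Pure string checks, no DNS traffic; the
SAMPLE_* records are constructed and the DKIM key bytes are a placeholder."""
import base64
import re

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10)
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(a|mx|ptr|exists|include|redirect)(?:[:=/]|$)")
# DER SubjectPublicKeyInfo sizes: RSA-2048 is 294 bytes, RSA-1024 is 162
MIN_RSA_SPKI_BYTES = 250


def parse_tags(txt):
    """Split the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt):
    """Findings for an SPF record (RFC 7208); an empty list means it looks sane."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' term, unmatched senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("SPF: softfail (~all) is still set, switch to -all once tested")
        elif qualifier in "+?":
            findings.append("SPF: %sall lets any host send as this domain" % qualifier)
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append("SPF: %d DNS-querying terms, the limit is 10 (permerror)" % lookups)
    if any(t.lstrip("+-~?").lower().split(":")[0] == "ptr" for t in terms[1:]):
        findings.append("SPF: ptr mechanism is deprecated, drop it")
    return findings


def check_dmarc(txt):
    """Findings for a _dmarc TXT record (RFC 7489)."""
    if not txt.strip().upper().startswith("V=DMARC1"):
        return ["DMARC: record must start with v=DMARC1"]
    tags = parse_tags(txt)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p tag missing or invalid (none|quarantine|reject)")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua tag, you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append("DMARC: pct must be 0-100")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append("DMARC: %s must be r (relaxed) or s (strict)" % tag)
    return findings


def check_dkim(txt):
    """Findings for a <selector>._domainkey TXT record (RFC 6376)."""
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v is optional but fixed if present
        findings.append("DKIM: v must be DKIM1")
    key_type = tags.get("k", "rsa").lower()
    if key_type not in ("rsa", "ed25519"):
        findings.append("DKIM: unknown key type k=%s" % key_type)
    pub = tags.get("p")
    if pub is None:
        findings.append("DKIM: p tag (public key) missing")
    elif "".join(pub.split()) == "":
        findings.append("DKIM: empty p means 'key revoked', paste the base64 key from the .pub file")
    else:
        try:
            raw = base64.b64decode("".join(pub.split()), validate=True)
        except ValueError:
            findings.append("DKIM: p is not valid base64 (stray quotes?)")
        else:
            if key_type == "rsa" and len(raw) < MIN_RSA_SPKI_BYTES:
                findings.append("DKIM: RSA key looks shorter than 2048 bits, regenerate with -b 2048")
    service = tags.get("s", "*")
    if "*" not in service and "email" not in service.split(":"):
        findings.append("DKIM: s tag does not permit use for email")
    return findings


def placeholder_key(nbytes):
    """Zero-filled stand-in for a base64 SubjectPublicKeyInfo; NOT a real key."""
    return base64.b64encode(bytes(nbytes)).decode()


# Constructed samples mirroring the records in this README.
SAMPLE_SPF = "v=spf1 a mx mx:mail.domain.tld -all"
SAMPLE_DMARC = "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
SAMPLE_DKIM = "v=DKIM1; k=rsa; s=email; t=s; p=" + placeholder_key(294)

if __name__ == "__main__":
    for name, check, value in (("SPF", check_spf, SAMPLE_SPF),
                               ("DMARC", check_dmarc, SAMPLE_DMARC),
                               ("DKIM", check_dkim, SAMPLE_DKIM)):
        print(name, check(value) or "ok")
```

The DMARC record from this README passes with one warning (no `rua=`): that is deliberate, reports are how you find out that a forwarder or a forgotten host is failing alignment before you move to `p=reject`.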

#Local Resolver with Unbound

My resolv.conf is managed by cloud-init, so it looks like this:

```
nameserver 0.0.0.0
nameserver 213.186.33.99
search openstacklocal
```

The cloud-init config files are in /etc/cloud/cloud.cfg.d/, and there are also some in /etc/network/interfaces.d. To prevent cloud-init from managing the network settings of the machine, add a 99-cloud-disable.cfg in /etc/cloud/cloud.cfg.d containing:

```
network: {config: disabled}
```

When unbound gets installed it replaces the 213.186.33.99 nameserver entry with 127.0.0.1, which is what we want: Rspamd's DNSBL lookups have to go through a local recursive resolver, since the Spamhaus DNSBLs, for instance, refuse queries that arrive through the big public resolvers.

You need to add your own logic if cloud-init is not used.

See the links below
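As an added example (not the role's code), the "own logic" mentioned above, in Python: it writes the 99-cloud-disable.cfg from the snippet above, rewrites resolv.conf so that 127.0.0.1 is the only nameserver while keeping the search line, and checks that every nameserver points at loopback. The paths are the Debian/cloud-init defaults and the sample file content is constructed from the resolv.conf shown above; run it with --apply as root to change the live files.

```python
"""Pin /etc/resolv.conf to the local Unbound resolver, idempotently.

Added example, not part of the role. Paths are the Debian/cloud-init defaults
and SAMPLE is constructed from the cloud-init managed file shown in this README."""
import os
import sys

CLOUD_CFG_DIR = "/etc/cloud/cloud.cfg.d"   # assumed Debian/cloud-init layout
RESOLV_CONF = "/etc/resolv.conf"
LOCAL_NAMESERVERS = ("127.0.0.1", "::1")


def pin_resolver(text):
    """Return (new_text, changed): 127.0.0.1 becomes the only nameserver; the
    other resolv.conf directives (search, domain, options) are kept in order."""
    kept = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "nameserver":
            continue                      # drop every existing nameserver line
        kept.append(line)
    new_text = "\n".join(["nameserver 127.0.0.1"] + kept).rstrip("\n") + "\n"
    return new_text, new_text != text


def resolver_is_local(text):
    """True only if there is at least one nameserver line and all of them point
    at loopback, i.e. rspamd's DNSBL lookups will go through unbound."""
    servers = [f[1] for f in (line.split() for line in text.splitlines())
               if len(f) >= 2 and f[0] == "nameserver"]
    return bool(servers) and all(s in LOCAL_NAMESERVERS for s in servers)


def disable_cloud_init_network(cfg_dir=CLOUD_CFG_DIR):
    """Write the 99-cloud-disable.cfg from the section above so cloud-init stops
    rewriting the network (and resolver) configuration on the next boot."""
    path = os.path.join(cfg_dir, "99-cloud-disable.cfg")
    with open(path, "w") as fh:
        fh.write("network: {config: disabled}\n")
    return path


def apply_changes(resolv_conf=RESOLV_CONF, cfg_dir=CLOUD_CFG_DIR):
    """Apply both steps to the live files; returns True if resolv.conf changed."""
    disable_cloud_init_network(cfg_dir)
    with open(resolv_conf) as fh:
        current = fh.read()
    new_text, changed = pin_resolver(current)
    if changed:
        # write in place rather than rename: resolv.conf is often a symlink
        with open(resolv_conf, "w") as fh:
            fh.write(new_text)
    return changed


# Constructed sample matching the cloud-init managed file shown above.
SAMPLE = "nameserver 0.0.0.0\nnameserver 213.186.33.99\nsearch openstacklocal\n"

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--apply":
        print("changed" if apply_changes() else "unchanged")
    else:
        new_text, changed = pin_resolver(SAMPLE)
        print(new_text, end="")
        print("changed:", changed, "local:", resolver_is_local(new_text))
```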

#Nginx

The default server listens on port 80 because, on my infrastructure, the mail server sits behind a bastion that does NAT as well.

Adapt it if you intend to run this on an internet-facing server: Roundcube logins must not travel over plain HTTP, so terminate TLS in front of it or on the server itself.

#Roundcube

The webmail is optional; you can enable it by editing the corresponding variable in defaults/main.yml.

It uses SQLite by default.

#File upload

The default is set to 20 MB. If your mail server is behind a NAT or another proxy, don't forget that you need to tune client_max_body_size (or the equivalent setting) on that machine as well.

#Plugins

By default, markasjunk and zipdownload are turned on.

There are plenty to choose from (enigma to encrypt email, password reset, sieve (managesieve), quota...): just add the plugins you want in defaults/main.yml, and don't forget to add their templates!

#Rspamd

If you want to add more modules, add templates in the rspamd folder and change the rspamd task file accordingly.

#Web UI

The web UI is optional and can be turned on/off in defaults/main.yml; if you enable it, rspamd_controller_password (see the required variables) protects it.

#Bayesian learning

Every time a message is moved into (or out of) the Junk folder, the corresponding train-spam.sh or train-ham.sh script runs so that rspamd learns that message.

#DKIM key

The DKIM key and the DNS record to add to your zone are located in /var/lib/rspamd/dkim/:

<domain>.dkim.key.pub contains the record to add

<domain>.dkim.key is the private key; it must stay readable only by the rspamd user

#Security

Do note that Google and Microsoft have deprecated basic (password) authentication for their mail services in favor of OAuth2 / OpenID Connect.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

HashiCorp Vault could also be used to manage a lot of the secrets: Dovecot OAuth, the Rspamd DKIM signing key, TLS certificate passphrases...

I'll take care of that if I have time in the future.

#References

Big thanks to these:

#License

GPLv3