Updated metadata
Updated License
Added defaults file and handlers.yml
Lightweight mail server based on postfix, dovecot, unbound, redis and rspamd. There is no database whatsoever to manage the users: this configuration is intended for personal/friends/family use, so not a lot of people.
Roundcube is available but optional; the same goes for the rspamd web UI.
Expect 400-500MB of maximum RAM usage, most of it rspamd; on average it sits around 200-250MB, and turning rspamd down brings it to roughly 170-200MB.
Postfix is set to use virtual users and virtual aliases.
The listening ports are 25, 465 and 993. Why no 587? See RFC 8314 (2018), "Cleartext Considered Obsolete", which recommends implicit TLS (465 for submission, 993 for IMAP) over STARTTLS on port 587; this role therefore does not offer the STARTTLS submission port at all.
The lifecycle of the DKIM key, the DNS records and the TLS certificates is up to you.
See the defaults/main.yml for more info.
Keep in mind that this role was made for Debian 11, on a server that sits behind a bastion.
I advise creating these with ansible-vault in your vars/main.yml (the dovecot password hashes can be generated with `doveadm pw -s ARGON2ID`, the rspamd one with `rspamadm pw`):
```yaml
domain: <your_domain>

# Dovecot
dovecot_ssl_cert_path:
dovecot_ssl_key_path:
dovecot_postmaster_mail:
dovecot_passwd:
  address_0:
    mail: <your_mail>
    password: 'some_argon2id_hash'
  address_1:
    mail: <another_mail>
    password: 'some_argon2id_hash'

# Postfix
postfix_tls_cert_file:
postfix_tls_key_file:
postfix_myhostname: mail.<your_domain>
# If behind a NAT:
postfix_proxy_interfaces: <your_proxy_interface>

# Virtual mail
virtual_mail:
  address_0:
    mail: <your_mail>
    name: test
  address_1:
    mail: <bob_mail>
    name: bob

# Virtual aliases
virtual_alias:
  address_0:
    alias: postmaster
    mail: postmaster@domain.tld
  address_1:
    alias: <alias>
    mail: <mail_address>

# Rspamd
# Password hash generated with the rspamadm pw command
rspamd_controller_password: ''

# Roundcube
# To generate with openssl, see https://gist.github.com/chengen/450129cb95c7159cb05001cc6bdbf6a1
roundcube_des_key: ''
```
The first two aliases, a and b, are redirected to the same address, foo in this instance.
The last entry is a catch-all. Note that Postfix applies virtual_alias_maps to every recipient in the domain, real mailboxes included, so once a catch-all exists each real mailbox needs an identity entry (foo@domain.tld foo@domain.tld) or its mail ends up at the catch-all address too.
```
a@domain.tld foo@domain.tld
b@domain.tld foo@domain.tld
c@domain.tld bar@domain.tld
@domain.tld baz@domain.tld
```
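The vars block above and this alias table have to agree with each other (every mailbox needs a password entry, every alias target must exist, and a catch-all must not swallow real mailboxes). The following is an added example, not part of the role: it checks a vars structure laid out like the README's and resolves addresses the way Postfix expands virtual_alias_maps (exact user@domain entry first, then the @domain catch-all, recursively). The sample vars are constructed, the argon2id string is a sample value rather than the hash of a real password, and representing the catch-all as an entry with an empty alias is an assumption about the role's variable layout.

```python
"""Consistency check of the role's vars plus a Postfix-style virtual alias
resolver. Added example, not part of the role; assumes the vars layout shown
in this README and represents the catch-all (@domain.tld) as an entry whose
alias is empty (an assumption)."""
import re
from typing import Dict, List, Set

# Dovecot ARGON2ID hashes as written by `doveadm pw -s ARGON2ID`, with or
# without the {ARGON2ID} scheme prefix.
ARGON2ID_RE = re.compile(
    r"^(\{ARGON2ID\})?\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)

# Constructed sample in the README's layout; bar's password entry is deliberately wrong.
SAMPLE_VARS = {
    "domain": "domain.tld",
    "dovecot_passwd": {
        "address_0": {"mail": "foo@domain.tld",
                      "password": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"},
        "address_1": {"mail": "bar@domain.tld", "password": "{PLAIN}hunter2"},
    },
    "virtual_mail": {
        "address_0": {"mail": "foo@domain.tld", "name": "foo"},
        "address_1": {"mail": "bar@domain.tld", "name": "bar"},
    },
    "virtual_alias": {
        "address_0": {"alias": "postmaster", "mail": "foo@domain.tld"},
        "address_1": {"alias": "a", "mail": "foo@domain.tld"},
        "address_2": {"alias": "b", "mail": "foo@domain.tld"},
        "address_3": {"alias": "c", "mail": "bar@domain.tld"},
        "address_4": {"alias": "", "mail": "baz@domain.tld"},  # catch-all -> @domain.tld
    },
}


def build_alias_map(v: dict) -> Dict[str, str]:
    """Render virtual_alias as virtual_alias_maps keys: user@domain, or @domain for the catch-all."""
    domain = v["domain"]
    return {f"{e['alias']}@{domain}": e["mail"] for e in v["virtual_alias"].values()}


def with_identity_aliases(amap: Dict[str, str], mailboxes: Set[str]) -> Dict[str, str]:
    """Add user@domain -> user@domain entries so a catch-all cannot rewrite real mailboxes."""
    fixed = dict(amap)
    for mb in mailboxes:
        fixed.setdefault(mb, mb)
    return fixed


def resolve(amap: Dict[str, str], address: str, max_depth: int = 10) -> str:
    """Expand an address like Postfix does: exact user@domain entry wins, then the
    @domain catch-all; the result is looked up again until nothing changes.
    Alias loops raise instead of being bounced silently."""
    seen: List[str] = []
    current = address
    for _ in range(max_depth):
        domain = current.rpartition("@")[2]
        target = amap.get(current) or amap.get("@" + domain)
        if target is None or target == current:
            return current
        if target in seen:
            raise ValueError("alias loop: " + " -> ".join(seen + [current, target]))
        seen.append(current)
        current = target
    raise ValueError(f"alias chain for {address} deeper than {max_depth}")


def check_vars(v: dict) -> List[str]:
    """Return human-readable findings; an empty list means the vars are consistent."""
    findings: List[str] = []
    domain = v["domain"]
    mailboxes = {e["mail"] for e in v["virtual_mail"].values()}
    passwds = {e["mail"]: e["password"] for e in v["dovecot_passwd"].values()}
    for mb in sorted(mailboxes - passwds.keys()):
        findings.append(f"mailbox {mb} has no dovecot_passwd entry, so nobody can log in to it")
    for mb in sorted(passwds.keys() - mailboxes):
        findings.append(f"dovecot_passwd entry {mb} has no virtual_mail mailbox")
    for mb, pw in sorted(passwds.items()):
        if not ARGON2ID_RE.match(pw):
            findings.append(f"password for {mb} is not an argon2id hash")
    amap = build_alias_map(v)
    if f"postmaster@{domain}" not in amap and f"postmaster@{domain}" not in mailboxes:
        findings.append("no postmaster address; RFC 5321 section 4.5.1 requires one")
    if "@" + domain in amap:
        for mb in sorted(mailboxes - amap.keys()):
            findings.append(f"catch-all rewrites real mailbox {mb}; add the identity alias {mb} -> {mb}")
    for alias, target in sorted(amap.items()):
        if alias in mailboxes and target != alias:
            findings.append(f"alias {alias} collides with a real mailbox")
        if target.endswith("@" + domain) and target not in mailboxes and target not in amap:
            findings.append(f"alias {alias} points to {target}, which is neither a mailbox nor an alias")
    return findings


if __name__ == "__main__":
    for line in check_vars(SAMPLE_VARS):
        print(line)
    print(resolve(build_alias_map(SAMPLE_VARS), "a@domain.tld"))
```

Run against the sample, the check reports the weak password for bar, the catch-all shadowing both mailboxes, and the catch-all target baz@domain.tld that exists nowhere; resolving a@domain.tld without identity entries indeed lands on baz@domain.tld, and on foo@domain.tld once with_identity_aliases has been applied.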
It is mandatory to set up all of these DNS records, otherwise other mail servers will blackhole or junk-folder your mail (except the SRV records, which are only useful for autodiscovery by MUAs like Thunderbird).
To check, you can test with mail-tester or https://dkimvalidator.com/ .
In my case this is pointing to a NAT/bastion:
```
mail.domain.tld 0 A <ip of bastion>
```
You need to set up the SRV records (see the examples and links below); imap.domain.tld can be a CNAME pointing to your mail.domain.tld record, for example:
```
_imaps._tcp.domain.tld 0 SRV 5 0 993 imap.domain.tld
```
Syntax is the following (an MX record carries a mandatory preference value, 10 here; lower wins when several MX exist):
```
domain.tld 0 MX 10 mail.domain.tld
```
You also need to set the reverse DNS (PTR) of the public IP to a name under your domain, ideally the exact postfix_myhostname (mail.domain.tld), and that name's A record must point back to the same IP; receivers check this forward-confirmed reverse DNS.
With OVH there is no PTR record to set in the DNS zone; you actually have to log in, then go to bare metal cloud -> IP -> reverse DNS.
This one is generated by rspamd; run one of the following commands (the minimal form first, then the variants from the rspamd documentation, which use /var/db/rspamd as key directory whereas this role keeps its keys under /var/lib/rspamd/dkim/, see below):
See https://rspamd.com/doc/modules/dkim_signing.html
```
rspamadm dkim_keygen -s 'dkim' -d example.com
rspamadm dkim_keygen -s 'woosh' -b 2048 -d example.com -k example.private > example.txt
rspamadm dkim_keygen -k /var/db/rspamd/dkim/example.com.dkim.key -b 2048 -s dkim -d example.com
```
The command prints the public key as a TXT record to publish at <selector>._domainkey.domain.tld (so dkim._domainkey.domain.tld for the selector used above); the value has the form
```
v=DKIM1;k=rsa;s=email;p='';t=s;
```
where p holds the base64 public key (verifiers treat an empty p as a revoked key, so never publish it like this) and t=s tells verifiers that the signing identity must be exactly this domain.
Put a '~all' (softfail) to test the config, then if everything is working switch to the dash ('-all', hard fail). Publish it as a TXT record; the dedicated SPF record type was discontinued by RFC 7208.
```
domain.tld 0 SPF "v=spf1 a mx mx:mail.domain.tld -all"
```
Note that mx:mail.domain.tld authorises the MX hosts of mail.domain.tld, not mail.domain.tld itself; a mx already covers the domain's A and MX records, and a:mail.domain.tld is the term that names the host directly.
You can also enable reporting (add a rua=mailto:<address> tag to receive aggregate reports), and once you feel comfortable, turn on a strict policy. This is a TXT record as well:
```
_dmarc.domain.tld. 0 DMARC v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;
```
SRV records for client autodiscovery:
```
_submission._tcp.domain.tld. 0 SRV 5 0 465 mail.domain.tld.
_imaps._tcp.domain.tld. 0 SRV 5 0 993 imap.domain.tld.
```
These are the RFC 6186 labels; _submission._tcp was defined for STARTTLS submission on 587, and RFC 8314 added _submissions._tcp for implicit TLS on 465, which is what this setup actually serves, so publishing that label too helps clients that follow the newer RFC.
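The SPF, DKIM and DMARC values above can be sanity-checked offline before you touch the zone. The following is an added example, not part of the role: it applies the rules from RFC 7208 (SPF), RFC 6376 (DKIM) and RFC 7489 (DMARC) that bite most often (softfail left in, an empty DKIM p=, no rua so no reports, more than 10 lookup terms). The sample records are this README's own placeholders, so the empty DKIM key and the mx:mail.domain.tld term are flagged on purpose.

```python
"""Offline sanity check for SPF / DKIM / DMARC TXT values before publishing.
Added example, not part of the role. Sample records are constructed from this
README's placeholders."""
import base64
import binascii
from typing import Dict, List

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10).
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

SAMPLE_SPF = "v=spf1 a mx mx:mail.domain.tld -all"
SAMPLE_DKIM = "v=DKIM1;k=rsa;s=email;p='';t=s;"
SAMPLE_DMARC = "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' list as used by DKIM and DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip().strip("'\"")
    return tags


def check_spf(record: str) -> List[str]:
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier such as redirect= or exp=
            name, arg = term.split("=", 1)
        else:                                # mechanism, optionally with :arg and /cidr
            name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()
        if name == "all":
            all_qualifier = qualifier
            continue
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr is deprecated (RFC 7208 section 5.5); use a, mx or ip4/ip6")
        if name == "mx" and arg:
            findings.append(f"SPF: mx:{arg} authorises the MX hosts of {arg}, not {arg} itself; "
                            f"a:{arg} is the term that names the host")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: +all authorises every sender, which makes the record useless")
    elif all_qualifier == "~":
        findings.append("SPF: ~all is softfail (test mode); switch to -all once mail flows correctly")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10, evaluation will permerror")
    return findings


def check_dkim(record: str) -> List[str]:
    findings: List[str] = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v tag, when present, must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"DKIM: unknown key type k={tags['k']}")
    public_key = tags.get("p", "")
    if not public_key:
        findings.append("DKIM: p is empty, which verifiers read as 'key revoked'; "
                        "paste the key printed by rspamadm dkim_keygen")
    else:
        try:
            base64.b64decode(public_key, validate=True)
        except (binascii.Error, ValueError):
            findings.append("DKIM: p is not valid base64 (quotes or line breaks left in?)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y marks the domain as testing; remove it once signing works")
    return findings


def check_dmarc(record: str) -> List[str]:
    findings: List[str] = []
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: record must start with v=DMARC1"]
    tags = parse_tags(record)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject once reports look clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua tag, so no aggregate reports will reach you")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to a sample of messages only")
    return findings


def audit(spf: str, dkim: str, dmarc: str) -> List[str]:
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)


if __name__ == "__main__":
    for line in audit(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC):
        print(line)
```

Paste the exact strings you are about to publish (or the ones `dig +short TXT` returns after publishing) into the three functions; the checks are syntactic only and do not replace a real send through mail-tester, but they catch the placeholder mistakes before a receiver does.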
A local recursive resolver is not optional here: DNSBLs such as Spamhaus refuse or rate-limit queries that arrive through large public resolvers, so rspamd needs unbound on 127.0.0.1. My resolv.conf is managed by cloud-init, so my config looks like this:
```
nameserver 0.0.0.0
nameserver 213.186.33.99
search openstacklocal
```
The cloud-init config files are in /etc/cloud/cloud.cfg.d/ and there are also some in /etc/network/interfaces.d. To prevent cloud-init from managing the network settings of the machine, add a 99-cloud-disable.cfg in /etc/cloud/cloud.cfg.d containing:
```yaml
network: {config: disabled}
```
When the package is installed, the nameserver 216... entry is replaced with 127.0.0.1 (the local unbound), which is what we want.
You need to add your own logic if cloud-init is not used.
See the links below
The default server listens on port 80, because on my infrastructure the mail server sits behind a bastion that also does NAT.
Adapt it (at least put TLS in front of it) if you intend to run this on an internet-facing server, since the webmail and rspamd UI logins would otherwise travel in cleartext.
The webmail is optional; enable it by editing the corresponding variable in defaults/main.yml.
It uses sqlite by default.
The maximum upload (attachment) size defaults to 20MB; if your mail server is behind a NAT or another proxy, remember that client_max_body_size (or the equivalent setting) must be raised on that machine as well.
By default the markasjunk and zipdownload plugins are turned on.
There are plenty more to choose from (enigma to encrypt email, the password reset plugin, sieve, quota...); add the plugins you want in defaults/main.yml and don't forget to add their templates!
If you want to add more modules, add templates in the rspamd folder and change the rspamd task file accordingly.
The web UI is optional and can be turned on/off in defaults/main.yml.
Every time a message is moved into (or out of) the Junk folder, a train-spam.sh (or train-ham.sh) script runs so that rspamd learns that message.
The DKIM key and the DNS record to add to your zone are located in /var/lib/rspamd/dkim/:
<domain>.dkim.key.pub contains the record to add
<domain>.dkim.key is the private key; keep it readable by the rspamd user only, since anyone who can read it can sign mail as your domain
Do note that Google and Microsoft have deprecated password-based (basic) authentication for their mail services in favor of OAuth2/OpenID Connect.
HashiCorp Vault could be used to manage a lot of the secrets involved: dovecot OAuth settings, the rspamd DKIM signing key, TLS certificate passphrases...
I'll take care of that if I have time in the future
Big thanks to these:
GPLv3