
[WIP] Postfix+Dovecot

mail
Slash 8 years ago
committed by Andrea Cimbalo
parent
commit
55922ca636
8 changed files with 341 additions and 0 deletions
  1. +10
    -0
      mail_server.yaml
  2. +5
    -0
      roles/postfix/handlers/main.yml
  3. +115
    -0
      roles/postfix/tasks/main.yaml
  4. +41
    -0
      roles/postfix/templates/dovecot-ldap.conf.ext.j2
  5. +9
    -0
      roles/postfix/templates/ldap-accounts.cf.j2
  6. +9
    -0
      roles/postfix/templates/ldap-aliases.cf.j2
  7. +8
    -0
      roles/postfix/templates/ldap-domains.cf.j2
  8. +144
    -0
      roles/postfix/templates/newldap.ldif

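--- a/mail_server.yaml
+++ b/mail_server.yaml
@@ -0,0 +1,10 @@
+---
+- hosts: biff
+roles:
+- role: lxc_guest
+vm_name: mail
+- hosts: mail
+roles:
+- role: postfix
+ldap_server: "{{ hostvars['ldap'].ansible_host }}"
+fqdn_domain: "lilik.it"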
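Review bot: The `postfix` role is driven by two play-level parameters, `ldap_server` and `fqdn_domain`, but nothing in this commit declares or documents them on the role side, so anyone reusing the role from another playbook has no hint that both are required. A `roles/postfix/defaults/main.yml` listing them with a one-line comment each (`fqdn_domain: ""  # mail domain, written to auth_default_realm`) would carry that contract with the role. It is also worth stating there that `ldap_server` is expected to resolve from `hostvars['ldap'].ansible_host`, which presumably fails the play when no `ldap` host is in inventory.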

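--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
+- name: restart_postfix
+service: name=postfix state=restarted
+- name: restart_dovecot
+service: name=dovecot state=restarted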
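Review bot: Both handlers pass module arguments as `key=value` shorthand; native block YAML is the Ansible convention and what lint tooling expects, and it makes later additions (such as `enabled: true`) diff cleanly. For the first handler that is `service:` / `  name: postfix` / `  state: restarted`, and likewise for dovecot.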

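--- a/roles/postfix/tasks/main.yaml
+++ b/roles/postfix/tasks/main.yaml
+- name: configure Postfix (domain)
+debconf:
+name: 'postfix'
+question: 'postfix/domainpostfix/main_mailer_type'
+vtype: 'string'
+value: 'Internet Site'
+- name: configure Postfix (organization)
+debconf:
+name: 'postfix'
+question: 'postfix/mailname'
+vtype: 'string'
+value: 'lilik.it'
+- name: install postfix packages
+apt:
+name: '{{ item }}'
+state: latest
+install_recommends: false
+with_items:
+- postfix
+# - postfix-ldap
+- dovecot-ldap
+- dovecot-imapd
+- rsyslog
+- dovecot-lmtpd
+# - amavisd-new
+# - postgrey #TODO
+# - spamassassin
+# - clamav-daemon
+#- name: upload ldap-aliases.cf
+# template:
+# src: ldap-aliases.cf.j2
+# dest: "/etc/postfix/ldap-aliases.cf"
+# notify: restart_postfix
+#- lineinfile: dest=/etc/postfix/main.cf line="virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-aliases.cf"
+# notify: restart_postfix
+#- name: upload ldap-domains.cf
+# template:
+# src: ldap-domains.cf.j2
+# dest: "/etc/postfix/ldap-domains.cf"
+# notify: restart_postfix
+#- lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domains.cf"
+# notify: restart_postfix
+#- name: upload ldap-accounts.cf
+# template:
+# src: ldap-accounts.cf.j2
+# dest: "/etc/postfix/ldap-accounts.cf"
+# notify: restart_postfix
+#- lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-accounts.cf"
+# notify: restart_postfix
+- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = lmtp:unix:private/dovecot-lmtp" state=present
+notify: restart_postfix
+- name: create postman group
+group: name=postman state=present gid=800
+- name: create postman user
+user: name=postman state=present uid=800 shell=/dev/null
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf regexp='^mail_location' state=absent
+notify: restart_dovecot
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_location = maildir:/home/postman/%d/%n' state=present
+notify: restart_dovecot
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_gid = 800' state=present
+notify: restart_dovecot
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_uid = 800' state=present
+notify: restart_dovecot
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-system.conf.ext" state=absent
+notify: restart_dovecot
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-ldap.conf.ext" state=present
+notify: restart_dovecot
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ fqdn_domain }}"
+- template: src=dovecot-ldap.conf.ext.j2 dest=/etc/dovecot/dovecot-ldap.conf.ext
+notify: restart_dovecot
+#- lineinfile: dest=/etc/postfix/main.cf line="content_filter=smtp-amavis:[127.0.0.1]:10024" state=present
+# notify: restart_postfix
+#- blockinfile: |
+# dest=/etc/postfix/master.cf
+# content=" smtp-amavis unix - - n - 2 smtp
+# -o smtp_data_done_timeout=1200
+# -o smtp_send_xforward_command=yes
+# -o disable_dns_lookups=yes
+# -o max_use=20
+#
+# 127.0.0.1:10025 inet n - n - - smtpd
+# -o content_filter=
+# -o smtpd_delay_reject=no
+# -o smtpd_client_restrictions=permit_mynetworks,reject
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_recipient_restrictions=permit_mynetworks,reject
+# -o smtpd_data_restrictions=reject_unauth_pipelining
+# -o smtpd_end_of_data_restrictions=
+# -o smtpd_restriction_classes=
+# -o mynetworks=127.0.0.0/8
+# -o smtpd_error_sleep_time=0
+# -o smtpd_soft_error_limit=1001
+# -o smtpd_hard_error_limit=1000
+# -o smtpd_client_connection_count_limit=0
+# -o smtpd_client_connection_rate_limit=0
+# -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+# -o local_header_rewrite_clients="
+# notify: restart_postfix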
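Review bot: The debconf question in the first task, `postfix/domainpostfix/main_mailer_type`, reads as two names run together; the question that takes `Internet Site` is `postfix/main_mailer_type`, so as written the preseed is stored under a name the package config script never consults and has no effect. Change it to `question: 'postfix/main_mailer_type'`. The mailname `'lilik.it'` in the second task duplicates the `fqdn_domain` the playbook already passes to the role; `value: '{{ fqdn_domain }}'` keeps the two from drifting. The `auth_default_realm` lineinfile near the end is the only Dovecot edit without `notify: restart_dovecot`, and since none of the `line=`-only lineinfile edits carry a `regexp`, a later change of `fqdn_domain` appends a second `auth_default_realm` line rather than replacing the first; `regexp='^auth_default_realm'` on that task fixes both. The `postman` user is given `shell=/dev/null`, which works but is unconventional; `/usr/sbin/nologin` states the intent.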

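--- a/roles/postfix/templates/dovecot-ldap.conf.ext.j2
+++ b/roles/postfix/templates/dovecot-ldap.conf.ext.j2
+uris = ldap://{{ ldap_server }}
+# choose bind method instead of simple authentication
+auth_bind = yes
+# pass_attrs
+# specifies a comma-separated list of attributes that are returned from the LDAP.
+# If you set it to empty, all the attributes are returned.
+# http://wiki2.dovecot.org/AuthDatabase/LDAP/PasswordLookups
+# pass_attrs = user=mail,
+# http://wiki.dovecot.org/PasswordDatabase
+# Returning a user field can be used to change the username. Typically used only for case changes (e.g. "UseR" -> "user").
+# username: Like user, but doesn't drop existing domain name (e.g. "username=foo" for "user@domain" gives "foo@domain").
+# domain: Updates the domain part of the username; domain=%{ldap:vd}
+pass_attrs = disableUser=user
+# pass_filter
+# specifies the LDAP filter how user is found from the LDAP.
+# You can use all the normal variables like %u in the filter.
+pass_filter = (&(objectClass=VirtualMailAccount)(mail=%n)(accountActive=TRUE)(delete=FALSE))
+ldap_version = 3
+# search in vd=domain,o=hosting,dc=lilik,dc=it
+base = vd=%d,o=hosting,dc=lilik,dc=it
+deref = always
+scope = subtree
+# ldap filter, return an entity that is a virtual mail account
+user_filter = (&(objectClass=VirtualMailAccount)(mail=%n)(accountActive=TRUE)(delete=FALSE))
+# to prevent the uid and gid mappings from the ldap object to
+# dovecot mailbox, we map them to unused ldap fields
+# the sytnax is: "ldap_attribute = dovecot_attribute"
+# this is done because otherwise dovecot will deliver
+# emails to the user directory instead of the maildir directory
+# handled by the user postman
+user_attrs = disablehomeDirectory=home,disableuidNumber=uid,disablegidNumber=gid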
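Review bot: `uris = ldap://{{ ldap_server }}` combined with `auth_bind = yes` means every IMAP login is authenticated by binding to the directory with the user's cleartext password, and since `ldap_server` resolves to a different host than `mail`, that password crosses the network unencrypted. Add `tls = yes` (STARTTLS on the same URI) or switch to an `ldaps://` URI, and set `tls_ca_cert_file` so the bind target is verified rather than trusted blindly. No `dn`/`dnpass` are configured either, so the DN search that precedes the bind, and every userdb lookup, appears to rely on anonymous read access to `o=hosting,dc=lilik,dc=it`; a comment stating that this is intentional and what the directory ACL must permit would save the next reader a guess. The `user_attrs` comment also misspells "syntax" as `sytnax`.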

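--- a/roles/postfix/templates/ldap-accounts.cf.j2
+++ b/roles/postfix/templates/ldap-accounts.cf.j2
@@ -0,0 +1,9 @@
+server_host = {{ ldap_server }}
+search_base = vd=%D,o=hosting,dc=lilik,dc=it
+#query_filter = (&(objectClass=simpleSecurityObject)(mail=%s))
+query_filter = (&(objectClass=VirtualMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
+result_attribute = mail
+#result_attribute = uid
+#result_format = %D/%s/
+dereference = 3
+version = 3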
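Review bot: This Postfix LDAP table, like `ldap-aliases.cf.j2` and `ldap-domains.cf.j2`, talks to `{{ ldap_server }}` with neither `start_tls = yes` nor an `ldaps://` `server_host`, so recipient, alias and domain lookups cross the network in the clear and a tampered answer would redirect delivery; add `start_tls = yes` together with `tls_ca_cert_file` and `tls_require_cert = yes` in all three. The tables are also only uploaded by tasks that are still commented out in `roles/postfix/tasks/main.yaml`, so `main.cf` never references them in this commit; a short header comment such as `# not yet wired into main.cf (virtual_mailbox_maps) -- see tasks/main.yaml` would stop a reader hunting for the missing `virtual_*_maps` settings.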

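--- a/roles/postfix/templates/ldap-aliases.cf.j2
+++ b/roles/postfix/templates/ldap-aliases.cf.j2
@@ -0,0 +1,9 @@
+server_host = {{ ldap_server }}
+search_base = vd=%D,o=hosting,dc=lilik,dc=it
+#query_filter = (&(objectClass=simpleSecurityObject)(mail=%s))
+query_filter = (&(objectClass=VirtualMailAlias)(mail=%u)(accountActive=TRUE))
+result_attribute = maildrop
+#result_attribute = uid
+#result_format = %D/%s/
+dereference = 3
+version = 3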

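--- a/roles/postfix/templates/ldap-domains.cf.j2
+++ b/roles/postfix/templates/ldap-domains.cf.j2
@@ -0,0 +1,8 @@
+server_host = {{ ldap_server }}
+search_base = o=hosting,dc=lilik,dc=it
+query_filter = (&(vd=%s)(objectClass=VirtualDomain))
+result_attribute = vd
+#scope = one
+#cache = yes
+dereference = 3
+version = 3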
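Review bot: `query_filter = (&(vd=%s)(objectClass=VirtualDomain))` accepts a domain regardless of its state, while the account and alias tables filter on `accountActive=TRUE`; the sample domain entry in `newldap.ldif` carries `accountactive: TRUE` and `delete: FALSE`, so a disabled or deleted domain would still be claimed as local by Postfix and then fail at delivery. If that is not intended, `query_filter = (&(vd=%s)(objectClass=VirtualDomain)(accountActive=TRUE)(delete=FALSE))` brings it in line with the other two tables.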

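--- a/roles/postfix/templates/newldap.ldif
+++ b/roles/postfix/templates/newldap.ldif
+# LDIF Export for dc=lilik,dc=it
+# Server: My LDAP Server (127.0.0.1)
+# Search Scope: sub
+# Search Filter: (objectClass=*)
+# Total Entries: 611
+#
+# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on February 19, 2016 7:30 pm
+# Version: 1.2.2
+# Entry 4: o=Group,dc=lilik,dc=it
+dn: o=Group,dc=lilik,dc=it
+hassubordinates: TRUE
+o: Group
+objectclass: organization
+objectclass: top
+structuralobjectclass: organization
+subschemasubentry: cn=Subschema
+# Entry 10: cn=stdusers,o=Group,dc=lilik,dc=it
+dn: cn=stdusers,o=Group,dc=lilik,dc=it
+cn: stdusers
+gidnumber: 9000
+hassubordinates: FALSE
+objectclass: posixGroup
+objectclass: top
+structuralobjectclass: posixGroup
+subschemasubentry: cn=Subschema
+# Entry 12: cn=users_sites,o=Group,dc=lilik,dc=it
+dn: cn=users_sites,o=Group,dc=lilik,dc=it
+cn: users_sites
+gidnumber: 500
+hassubordinates: FALSE
+memberuid: tommyblue
+objectclass: posixGroup
+objectclass: top
+structuralobjectclass: posixGroup
+subschemasubentry: cn=Subschema
+# Entry 14: o=hosting,dc=lilik,dc=it
+dn: o=hosting,dc=lilik,dc=it
+description: mail.lilik.it hosting root
+hassubordinates: TRUE
+o: hosting
+objectclass: top
+objectclass: organization
+structuralobjectclass: organization
+subschemasubentry: cn=Subschema
+# Entry 22: vd=lilik.it,o=hosting,dc=lilik,dc=it
+dn: vd=lilik.it,o=hosting,dc=lilik,dc=it
+accountactive: TRUE
+delete: FALSE
+editav: FALSE
+hassubordinates: TRUE
+maxalias: 20
+maxmail: 11
+maxquota: 250
+objectclass: top
+objectclass: VirtualDomain
+postfixtransport: maildrop:
+structuralobjectclass: VirtualDomain
+subschemasubentry: cn=Subschema
+vd: lilik.it
+lastChange: 1228821387
+# Entry 23: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it
+dn: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it
+accountactive: TRUE
+cn: postmaster
+editaccounts: TRUE
+hassubordinates: FALSE
+mail: postmaster
+maildrop: postmaster
+objectclass: top
+objectclass: VirtualMailAlias
+sn: postmaster
+structuralobjectclass: VirtualMailAlias
+subschemasubentry: cn=Subschema
+userpassword: {SSHA}4IuBxQNWgMNPX/lCtP2GgbJeiYX+u4ud
+lastChange: 1228821387
+# Entry 24: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it
+dn: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it
+accountactive: TRUE
+cn: NONAME
+givenname: NONAME
+hassubordinates: FALSE
+mail: abuse
+maildrop: root
+objectclass: top
+objectclass: VirtualMailAlias
+smtpauth: FALSE
+sn: NONAME
+structuralobjectclass: VirtualMailAlias
+subschemasubentry: cn=Subschema
+userpassword: {CRYPT}!
+lastChange: 1228821387
+dn: mail=tommyblue,vd=lilik.it,o=hosting,dc=lilik,dc=it
+objectclass: alias
+objectclass: extensibleObject
+uid: alias
+aliasedobjectname: uid=tommyblue,o=People,dc=lilik,dc=it
+# Entry 319: o=People,dc=lilik,dc=it
+dn: o=People,dc=lilik,dc=it
+hassubordinates: TRUE
+o: People
+objectclass: organization
+objectclass: top
+structuralobjectclass: organization
+subschemasubentry: cn=Subschema
+dn: uid=tommyblue,o=People,dc=lilik,dc=it
+accountactive: TRUE
+cn: Tommaso Visconti
+delete: FALSE
+gidnumber: 100
+givenname: Tommaso
+hassubordinates: FALSE
+homedirectory: /home/tommyblue
+loginshell: /bin/sh
+mail: tommyblue
+mailbox: lilik.it/tommyblue/
+objectclass: top
+objectclass: inetOrgPerson
+objectclass: VirtualMailAccount
+objectclass: posixAccount
+objectclass: shadowAccount
+othertransport: phamm:
+quota: 1024000
+shadowlastchange: 14281
+smtpauth: FALSE
+sn: Visconti
+structuralobjectclass: VirtualMailAccount
+subschemasubentry: cn=Subschema
+uid: tommyblue
+uidnumber: 10001
+userpassword: {CRYPT}$1$8jnl0tRQ$YiKqohvCe8M63Zmlx5T/h1
+vdhome: /home/mail_deliver/lilik.it/tommyblue
+lastChange: 1228821387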
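Review bot: The `userpassword` attributes on the postmaster and tommyblue entries are credential hashes taken from a live directory export, and the tommyblue entry also carries a real person's name and home path; committing them exposes the hashes to offline guessing by anyone with read access to the repository, and they remain retrievable from history after a later delete. Replace the values with placeholders (for a schema sample, `userpassword: {SSHA}<placeholder>` is enough), treat the exported hashes as compromised and rotate them, and purge this commit from history. The file sits under `templates/` but no task in this commit references it, so a header comment stating that it is a schema sample, not something the role deploys, would also help.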
