Initial commit

templates/dovecot/dovecot-dict-sql.conf.j2

@@ -0,0 +1,14 @@
+connect = dbname=postfixadmin
+
+map {
+  pattern = priv/quota/storage
+  table = quota2
+  username_field = username
+  value_field = bytes
+}
+map {
+  pattern = priv/quota/messages
+  table = quota2
+  username_field = username
+  value_field = messages
+}

templates/dovecot/dovecot-sql.conf.j2

@@ -0,0 +1,5 @@
+driver = pgsql
+connect = dbname=postfixadmin
+
+password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'
+user_query = SELECT '/var/mail/vmail/' || maildir AS home, '*:bytes=' || quota AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

templates/dovecot/dovecot.conf.j2

@@ -0,0 +1,159 @@
+listen = *, ::
+protocols = imap sieve
+mail_plugins = $mail_plugins quota
+
+ssl = required
+ssl_cert = <{{ mailserver.tls_cert }}
+ssl_key = <{{ mailserver.tls_key }}
+ssl_dh = </etc/ssl/dh-4096.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = yes
+
+# Auth
+auth_mechanisms = plain login
+
+userdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf
+  # Returns: home=/var/mail/vmail/<maildir-from-postfixadmin>, quota_rule=*:bytes=<quota-from-postfixadmin>
+
+}
+passdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf
+  # Returns: user=<username>, password=<password-hash-for-user>
+}
+
+# Mailboxes
+mail_location = maildir:~/Maildir # Expanded to maildir:/var/mail/vmail/<maildir-from-postfixadmin>/Maildir
+mail_uid = 1000
+mail_gid = 1000
+first_valid_uid = 1000
+last_valid_uid = 1000
+first_valid_gid = 1000
+last_valid_gid = 1000
+mailbox_list_index = yes
+
+namespace inbox {
+  separator = '/'
+  inbox = yes
+  mailbox Drafts {
+    special_use = \Drafts
+    auto = subscribe
+  }
+  mailbox Junk {
+    special_use = \Junk
+    auto = subscribe
+  }
+  mailbox Trash {
+    special_use = \Trash
+    auto = subscribe
+  }
+  mailbox Sent {
+    special_use = \Sent
+    auto = subscribe
+  }
+}
+
+# IMAP
+protocol imap {
+  # TODO: imap_quota?
+  mail_plugins = $mail_plugins
+}
+
+service imap-login {
+  inet_listener imap {
+    port = 0
+  }
+  inet_listener imaps {
+    port = 993
+    ssl = yes
+  }
+}
+
+# Sieve
+plugin {
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+}
+
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+}
+
+# Misc
+service auth {
+  unix_listener auth-userdb {
+    mode = 0777
+  }
+
+  # Postfix uses this socket for submission auth
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+}
+
+service quota-status {
+  executable = quota-status -p postfix
+  # Postfix uses this socket to check quotas on delivery (as check_policy_service)
+  unix_listener /var/spool/postfix/private/policy-quota {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+  client_limit = 1
+}
+
+service stats {
+  unix_listener stats-reader {
+    user = vmail
+    group = vmail
+    mode = 0660
+  }
+
+  unix_listener stats-writer {
+    user = vmail
+    group = vmail
+    # 0666 instead of 0660, so postfixadmin can call doveadm pw without errors
+    mode = 0666
+  }
+}
+
+# Postfix delivers incoming mails via lda (transport "dovecot")
+quota_full_tempfail = yes
+lda_mailbox_autocreate = yes
+protocol lda {
+  mail_plugins = $mail_plugins sieve
+}
+
+# Debugging
+auth_verbose = yes
+auth_debug = yes
+mail_debug = yes
+
+# Quota
+plugin {
+  # Use postfixadmins quota2 table, so used_quota works
+  quota = dict:User quota::proxy::pgsql
+  # Default quota rule, overwritten by userdb
+  quota_rule = *:storage=0 # 0=unlimited
+  quota_grace = 10%%
+  quota_status_success = DUNNO
+  quota_status_nouser = DUNNO
+  quota_status_overquota = "552 5.2.2 Mailbox is full"
+}
+
+service dict {
+  unix_listener dict {
+    mode = 0600
+    user = vmail
+  }
+}
+dict {
+  # proxy::pgsql
+  pgsql = pgsql:/etc/dovecot/dovecot-dict-sql.conf
+}

templates/postfix/header_checks.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for item in mailserver.postfix.header_checks.values() if not item.disabled|d(false) %}
+/{{ item.regex }}/	{{ item.action }}
+{% endfor %}

templates/postfix/main.cf.j2

@@ -0,0 +1,100 @@
+compatibility_level = 3.7
+
+# Sane defaults
+biff = no
+# TODO: v why? v
+append_dot_mydomain = no
+local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated
+# TODO: v why? v
+readme_directory = no
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+disable_vrfy_command = yes
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_protocols = all
+message_size_limit = 102400000
+# Disable all error reports to postmaster@, because they sometimes contain
+# passwords or other confidential information
+notify_classes =
+
+smtpd_helo_restrictions = permit_mynetworks,
+                          permit_sasl_authenticated,
+                          reject_invalid_helo_hostname,
+                          reject_non_fqdn_helo_hostname
+
+smtpd_sender_restrictions = reject_non_fqdn_sender,
+                            reject_unknown_sender_domain,
+                            permit_mynetworks,
+                            permit_sasl_authenticated
+
+smtpd_recipient_restrictions =  permit_mynetworks,
+                                permit_sasl_authenticated,
+                                reject_unlisted_recipient,
+                                reject_unknown_recipient_domain,
+                                reject_unauth_destination,
+                                reject_non_fqdn_recipient,
+                                # Quota check via Dovecot
+                                check_policy_service unix:private/policy-quota,
+                                permit
+
+mua_helo_restrictions = permit_mynetworks,
+                        permit_sasl_authenticated,
+                        reject_invalid_helo_hostname,
+                        reject_non_fqdn_helo_hostname
+
+mua_sender_restrictions = reject_non_fqdn_sender,
+                          reject_unknown_sender_domain,
+                          # Sender verification is disabled!
+                          warn_if_reject,
+                          reject_authenticated_sender_login_mismatch,
+                          permit_mynetworks,
+                          permit_sasl_authenticated
+
+mua_client_restrictions = permit_sasl_authenticated,
+                          reject
+
+# Host settings
+myhostname = {{ inventory_hostname }}
+mydomain = {{ ansible_domain }}
+myorigin = $mydomain
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost
+
+# TLS parameters
+smtpd_tls_cert_file = {{ mailserver.tls_cert }}
+smtpd_tls_key_file = {{ mailserver.tls_key }}
+smtpd_use_tls = yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = may
+
+# Postfixadmin and dovecot integration
+relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf
+virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
+virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
+virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+local_transport = dovecot
+local_recipient_maps = $virtual_mailbox_maps
+smtpd_sender_login_maps = pgsql:/etc/postfix/pgsql/virtual_sender_maps.cf
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# PostSRS integration
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:127.0.0.1:10002
+
+# Milters
+milter_protocol = 6
+milter_default_action = accept
+smtpd_milters = {{ ' '.join(mailserver.postfix.milters) }}
+non_smtpd_milters = {{ ' '.join(mailserver.postfix.milters) }}
+
+# Header checks
+mime_header_checks = regexp:/etc/postfix/header_checks
+header_checks = regexp:/etc/postfix/header_checks

templates/postfix/master.cf.j2

@@ -0,0 +1,125 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+submission inet n       -       y       -       -       smtpd
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_tls_security_level=encrypt
+  -o syslog_name=postfix/submission
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_client_restrictions=$mua_client_restrictions
+  -o smtpd_helo_restrictions=$mua_helo_restrictions
+  -o smtpd_sender_restrictions=$mua_sender_restrictions
+  -o smtpd_recipient_restrictions=
+  -o milter_macro_daemon_name=ORIGINATING
+#submissions     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submissions
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+#scalemail-backend unix	-	n	n	-	2	pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${domain}

templates/postfix/pgsql/relay_domains.cf.j2

@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT domain FROM domain WHERE domain='%s' and backupmx = true

templates/postfix/pgsql/virtual_alias_maps.cf.j2

@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT goto FROM alias WHERE address='%s' AND active = true

templates/postfix/pgsql/virtual_domains_maps.cf.j2

@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true

templates/postfix/pgsql/virtual_mailbox_maps.cf.j2

@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

templates/postfix/pgsql/virtual_sender_maps.cf.j2

@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT username FROM mailbox WHERE username='%s' AND active = true

templates/postfixadmin/config.local.php.j2

@@ -0,0 +1,30 @@
+<?php
+
+/* {{ ansible_managed }} */
+
+{% macro php_obj(obj) %}
+{%- if obj is string -%}
+'{{ obj|replace('\\', '\\\\')|replace('\'', '\\\'') }}'
+{%- elif obj is number -%}
+{{ obj }}
+{%- elif obj is boolean -%}
+{{ obj }}
+{%- elif obj is none -%}
+null
+{%- elif obj is mapping %}
+[
+{% for key, value in obj.items() %}
+    '{{ key|replace('\\', '\\\\')|replace('\'', '\\\'') }}' => {{ php_obj(value)|indent }},
+{% endfor %}
+]
+{%- elif obj is iterable -%}
+[
+{% for item in obj %}
+{{ php_obj(item)|indent(first=true) }},
+{% endfor %}
+]
+{% endif %}
+{% endmacro %}
+{% for key, value in mailserver.postfixadmin.config.items() %}
+$CONF['{{ key|replace('\\', '\\\\')|replace('\'', '\\\'') }}'] = {{ php_obj(value)|indent }};
+{% endfor %}

templates/postfixadmin/php-fpm-pool.conf.j2

@@ -0,0 +1,5 @@
+[postfixadmin]
+
+{% for key, value in mailserver.postfixadmin.php_fpm_config.items() %}
+{{ key }} = {{ value }}
+{% endfor %}

templates/postsrsd/default.j2

@@ -0,0 +1,62 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+#SRS_DOMAIN=
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={{ mailserver.domains|join(',') }}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR=127.0.0.1
+
+# Jail daemon in chroot environment
+#
+CHROOT=/var/lib/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A     always rewrite email addresses, even from SRS_DOMAIN
+# -t<n>  set connection timeout to <n> seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A

templates/prometheus-postfix-exporter/default.j2

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/lib/prometheus/postfix-exporter/mail.log
+
+# Extra arguments for the daemon.
+ARGS='--web.listen-address {{ mailserver.postfix.metrics_address }}'
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")