From 448b2de58224db968de785084b7335557e6a8460 Mon Sep 17 00:00:00 2001 
From: "Antonio J. Delgado"
Date: Tue, 11 Oct 2022 10:18:54 +0300
Subject: [PATCH] Initial commit with previous code
---
defaults/main.yml | 107 +++++++++++++
handlers/main.yml | 4 +
tasks/configure_certificates.yml | 72 +++++++++
tasks/configure_dbmail.yml | 41 +++++
tasks/configure_mysql_database.yml | 74 +++++++++
tasks/configure_ufw.yml | 6 +
tasks/install.yml | 78 ++++++++++
tasks/main.yml | 20 +++
templates/authmysqlrc.j2 | 17 +++
templates/dbmail.conf.j2 | 21 +++
templates/mailpw.j2 | 1 +
templates/main.cf.j2 | 56 +++++++
templates/master.cf.j2 | 143 ++++++++++++++++++
templates/mysql-body_checks.cf.j2 | 5 +
templates/mysql-virtual_domains.cf.j2 | 5 +
templates/mysql-virtual_email2email.cf.j2 | 5 +
templates/mysql-virtual_forwardings.cf.j2 | 5 +
.../mysql-virtual_mailbox_limit_maps.cf.j2 | 5 +
templates/mysql-virtual_mailboxes.cf.j2 | 5 +
templates/mysql-virtual_transports.cf.j2 | 5 +
templates/smtp.j2 | 2 +
templates/smtpd.conf.j2 | 11 ++
22 files changed, 688 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 tasks/configure_certificates.yml
create mode 100644 tasks/configure_dbmail.yml
create mode 100644 tasks/configure_mysql_database.yml
create mode 100644 tasks/configure_ufw.yml
create mode 100644 tasks/install.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/authmysqlrc.j2
create mode 100644 templates/dbmail.conf.j2
create mode 100644 templates/mailpw.j2
create mode 100644 templates/main.cf.j2
create mode 100644 templates/master.cf.j2
create mode 100644 templates/mysql-body_checks.cf.j2
create mode 100644 templates/mysql-virtual_domains.cf.j2
create mode 100644 templates/mysql-virtual_email2email.cf.j2
create mode 100644 templates/mysql-virtual_forwardings.cf.j2
create mode 100644 templates/mysql-virtual_mailbox_limit_maps.cf.j2
create mode 100644 templates/mysql-virtual_mailboxes.cf.j2
create mode 100644 templates/mysql-virtual_transports.cf.j2
create mode 100644
templates/smtp.j2
create mode 100644 templates/smtpd.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..61f80be
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,107 @@
+---
+dbmail_version: 3.3.0
+dbmail_logfolder: /var/log/dbmail
+dbmail_user: dbmail
+dbmail_group: dbmail
+dbmail_db_driver: mysql
+dbmail_db_host: 127.0.0.1
+dbmail_db_port: 3306
+dbmail_db_name: dbmail
+dbmail_db_user: dbmail
+dbmail_db_password: "{{ vault_dbmail_password }}"
+mail_server_fqdn: mail.example.com
+dbmail_domains:
+ - example.com
+admin_email: "mailmaster@{{ dbmail_domains[0] }}"
+configure_ufw: true
+ufw_allow_ports:
+ - 995
+ - 993
+dbmail_systemd_units:
+ - dbmail-imapd
+ - dbmail-lmtpd
+ - dbmail-pop3d
+ - dbmail-timsieved
+
+# Check dbmail.conf for all options
+dbmail_configuration:
+ DBMAIL:
+ logfile: "{{ dbmail_logfolder }}/dbmail.log"
+ authdriver: sql
+ effective_user: "{{ dbmail_user }}"
+ effective_group: "{{ dbmail_group }}"
+ table_prefix: dbmail_
+ encoding: utf8
+ default_msg_encoding: utf8
+ sendmail: /usr/sbin/sendmail
+ file_logging_levels: 7
+ syslog_logging_levels: 31
+ query_time_info: 10
+ query_time_notice: 20
+ query_time_warning: 30
+ query_timeout: 300
+ bindip: 0.0.0.0
+ timeout: 300
+ login_timeout: 60
+ resolve_ip: no
+ authlog: no
+ errorlog: "{{ dbmail_logfolder }}/dbmail.err"
+ pid_directory: /var/run/dbmail
+ postmaster: "{{ admin_email }}"
+ hash_algorithm: SHA512
+ # tls_cafile:
+ # tls_cert:
+ # tls_key:
+ # tls_ciphers:
+ LMTP:
+ port: 24
+ IMAP:
+ port: 143
+ tls_port: 993
+ timeout: 4000
+ imap_before_smtp: 'no'
+ POP:
+ port: 110
+ tls_port: 995
+ login_disabled: 'no'
+ pop_before_smtp: 'no'
+ HTTP:
+ port: 3112
+ bindip: 127.0.0.1
+ admin: "admin:{{ vault_dbmail_admin_password }}"
+ SIEVE:
+ port: 2000
+ #tls_port:
+ LDAP:
+ port: 389
+ version: 3
+ hostname: 127.0.0.1
+ base_dn: ou=People,dc=mydomain,dc=com
+ bind_dn: cn=dbmail_admin,dc=mydomain,dc=com
+ bind_pw: "{{ vault_dbmail_ldap_password }}"
+ cn_string: uid
+ field_passwd: userPassword
+ field_mail: mail
+ field_quota: mailQuota
+ field_fwdtarget: mailForwardingAddress
+ scope: SubTree
+ referrals: yes
+ user_objectclass: 
top,account,dbmailUser
+ forw_objectclass: top,account,dbmailForwardingAddress
+ field_uid: uid
+ field_nid: uidNumber
+ min_nid: 10000
+ max_nid: 15000
+ field_cid: gidNumber
+ min_cid: 10000
+ max_cid: 15000
+ DELIVERY:
+ SIEVE: 'yes'
+ SUBADDRESS: 'yes'
+ SIEVE_VACATION: 'yes'
+ SIEVE_NOTIFY: 'yes'
+ SIEVE_DEBUG: 'no'
+ AUTO_NOTIFY: 'no'
+ AUTO_REPLY: 'no'
+ suppress_duplicates: 'no'
+ quota_failure: hard
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..1ec6a9b
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Reload systemd daemon
+ systemd:
+ daemon_reload: true
diff --git a/tasks/configure_certificates.yml b/tasks/configure_certificates.yml
new file mode 100644
index 0000000..f86155c
--- /dev/null
+++ b/tasks/configure_certificates.yml
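Review bot: With `bindip: 0.0.0.0` in `DBMAIL` and `login_disabled: 'no'` in `POP`, the cleartext ports 110 and 143 accept logins on every interface; the only thing limiting that exposure is `ufw_allow_ports` (993/995), and `configure_ufw` can be switched off. Consider `login_disabled: 'yes'` for POP, and set `tls_ciphers` (left as `# tls_ciphers:`) so the TLS listeners do not fall back to the library's default cipher list; `authlog: no` also means failed logins never reach the log, which makes brute-force detection hard. The `LDAP` section renders `bind_pw` from vault plus placeholder `base_dn`/`bind_dn` values even though `authdriver: sql` is set, so an unused credential ends up in dbmail.conf; mark the section as optional or drop it from the defaults. Style: the file mixes bare `no`/`yes` (`resolve_ip`, `authlog`, `referrals`) with quoted `'no'`/`'yes'`; both render the same through the template, so pick one form.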
@@ -0,0 +1,72 @@
+---
+- name: Get external IP of the node
+ uri:
+ url: http://checkip.dyndns.org
+ return_content: true
+ register: node_external_ip
+
+- name: Set fact for mail server FQDN
+ set_fact:
+ mail_server_fqdn_ip: "{{ lookup('dig', mail_server_fqdn, '@1.1.1.1') }}"
+
+- name: Ensure server certificate exists
+ shell: "certbot certonly --agree-tos --email {{ admin_email }} -n --webroot -d {{ mail_server_fqdn }} --webroot-path /var/www/html"
+ args:
+ creates: "/etc/letsencrypt/live/{{ mail_server_fqdn }}"
+ when: mail_server_fqdn_ip == node_external_ip
+
+- name: Ensure dbmail certificate is configured
+ ini_file:
+ path: /etc/dbmail/dbmail.conf
+ create: true
+ section: DBMAIL
+ option: tls_cert
+ value: "/etc/letsencrypt/live/{{ mail_server_fqdn }}/cert.pem"
+
+- name: Ensure dbmail certificate's private key is configured
+ ini_file:
+ path: /etc/dbmail/dbmail.conf
+ create: true
+ section: DBMAIL
+ option: tls_key
+ value: "/etc/letsencrypt/live/{{ mail_server_fqdn }}/privkey.pem"
+
+- name: Ensure dbmail certificate's certificate authority certificate is configured
+ ini_file:
+ path: /etc/dbmail/dbmail.conf
+ create: true
+ section: DBMAIL
+ option: tls_cafile
+ value: "/etc/letsencrypt/live/{{ mail_server_fqdn }}/chain.pem"
+
+- name: Check if there is a public key
+ stat:
+ path: /root/.ssh/id_rsa.pub
+ register: pubkey
+
+- name: Generate new key if it doesn't exist already
+ shell: ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N ''
+ when: not pubkey.stat.exists
+
+- name: Get SSH public key content
+ shell: cat /root/.ssh/id_rsa.pub
+ register: ssh_pubkey
+
+- name: Add SSH public key to local (Ansible control node) file
+ lineinfile:
+ path: /tmp/pubkeys
+ regexp: "^{{ ssh_pubkey.stdout }}$"
+ line: "{{ ssh_pubkey.stdout }}"
+ create: true
+ delegate_to: 127.0.0.1
+
+- name: Add SSH public keys to authorized_keys
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ item }}"
+ loop: "{{ lookup('file', '/tmp/pubkeys') | split('\n') }}"
+
+- name: Synchronize certificates
+ shell: "rsync -ar -e 'ssh -p 7227 -o StrictHostKeyChecking=no' {{ ansible_play_hosts[0] }}:/etc/letsencrypt /etc/letsencrypt"
+ when: inventory_hostname != ansible_play_hosts[0]
\ No newline at end of file
diff --git a/tasks/configure_dbmail.yml b/tasks/configure_dbmail.yml
new file mode 100644
index 0000000..13aea98
--- /dev/null
+++ b/tasks/configure_dbmail.yml
@@ -0,0 +1,41 @@
+---
+- name: Ensure configureation folder exists
+ file:
+ path: /etc/dbmail
+ state: directory
+
+- name: Copy initial configuration file
+ copy:
+ remote_src: true
+ src: "/usr/src/dbmail-{{ dbmail_version }}/dbmail.conf"
+ dest: /etc/dbmail/dbmail.conf
+ backup: yes
+
+- name: Ensure dbmail is configured
+ template:
+ src: templates/dbmail.conf.j2
+ dest: /etc/dbmail/dbmail.conf
+ backup: yes
+
+- name: Ensure run folder exists
+ file:
+ path: "{{ dbmail_configuration['DBMAIL']['pid_directory'] | default('/var/run/dbmail') }}"
+ state: directory
+ owner: "{{ dbmail_configuration['DBMAIL']['effective_user'] | default('dbmail') }}"
+ group: "{{ dbmail_configuration['DBMAIL']['effective_group'] | default('dbmail') }}"
+
+- name: Ensure driver is configured
+ ini_file:
+ path: /etc/dbmail/dbmail.conf
+ create: true
+ section: DBMAIL
+ option: dburi
+ value: "{{ dbmail_db_driver }}://{{ dbmail_db_user }}:{{ dbmail_db_password }}@{{ dbmail_db_host }}:{{ dbmail_db_port }}/{{ dbmail_db_name }}"
+
+- name: Ensure service units are enabled and started
+ systemd:
+ daemon_reload: true
+ name: "{{ item }}"
+ enabled: true
+ state: started
+ loop: "{{ dbmail_systemd_units }}"
\ No newline at end of file
diff --git a/tasks/configure_mysql_database.yml b/tasks/configure_mysql_database.yml
new file mode 100644
index 0000000..52f3e9d
--- /dev/null
+++ b/tasks/configure_mysql_database.yml
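Review bot: `when: mail_server_fqdn_ip == node_external_ip` compares the dig result string with the whole registered `uri` result (a dict), so it is never true and the certbot task never runs; it would need `node_external_ip.content | trim`, and even then the dyndns body is an HTML page rather than a bare address, so the external-IP heuristic is better dropped than patched. The key distribution is the more serious problem: every host's root public key is appended to the predictable `/tmp/pubkeys` in the shared `/tmp` of the control node, and every line of that file is then written into root's `authorized_keys` on every host, so whoever can pre-create or write that file, or any stale key from an earlier run, ends up with root on all mail servers; collect the keys in a role-private, mode-0600 path that is recreated each run, or pass an explicit list with `exclusive: true`. `rsync -e 'ssh -p 7227 -o StrictHostKeyChecking=no'` disables host-key verification for a transfer that copies the private keys under `/etc/letsencrypt`; pin the peers' host keys with the `known_hosts` module instead. `url: http://checkip.dyndns.org` is plain HTTP, so the value that gates certificate issuance can be altered on path; use an HTTPS endpoint. Style: `shell: cat /root/.ssh/id_rsa.pub` is the `slurp` module, and the `ssh-keygen` task should carry `args: creates: /root/.ssh/id_rsa` instead of the separate `stat`.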
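Review bot: The `template` and `ini_file` tasks that write `/etc/dbmail/dbmail.conf` set no `owner`, `group` or `mode`, yet the file receives the database password (`dburi`), the HTTP `admin` credential and `bind_pw`; with the default umask it is created world-readable, and `backup: yes` leaves timestamped copies beside it. Add `owner: root`, `group: "{{ dbmail_group }}"`, `mode: "0640"` to the `copy`, `template` and `ini_file` tasks (the `ini_file` task has `create: true`, so it needs them as well). `dburi` is written by `ini_file` after the template task, so any later template run produces a file without `dburi` until that task runs again; rendering `dburi` inside dbmail.conf.j2 keeps one source of truth. Nothing notifies a handler, so a changed dbmail.conf is not reloaded by the `systemd` task, which only starts the units. Nit: `configureation` in the first task name, and `backup: yes` where the rest of the file uses `true`.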
@@ -0,0 +1,74 @@
+---
+- name: Initialize fact create_database
+ set_fact:
+ create_database: true
+
+- name: Check for existing database
+ shell: mysql -Bqe 'show databases'
+ register: databases
+ ignore_errors: true
+
+- name: Check for existing tables in database
+ shell: "mysql {{ dbmail_db_name }} -Bqe 'show tables'"
+ register: tables
+ when: "dbmail_db_name in databases.stdout"
+
+- name: Update fact create_database
+ set_fact:
+ create_database: false
+ when:
+ - "dbmail_db_name in databases.stdout"
+ - "'dbmail_users' in tables.stdout"
+
+- name: Create copy of create_tables to work with
+ copy:
+ remote_src: true
+ src: /usr/src/dbmail-3.3.0/sql/mysql/create_tables.mysql
+ dest: /tmp/create_tables.sql
+ when: create_database
+
+- name: Fix index name for auto_notifications table
+ lineinfile:
+ path: /tmp/create_tables.sql
+ firstmatch: true
+ line: ' FOREIGN KEY an_user_idnr_fk (user_idnr)'
+ search_string: ' FOREIGN KEY user_idnr_fk (user_idnr)'
+ backup: yes
+ when: create_database
+
+- name: Fix index name for auto_replies table
+ lineinfile:
+ path: /tmp/create_tables.sql
+ firstmatch: true
+ line: ' FOREIGN KEY ar_user_idnr_fk (user_idnr)'
+ search_string: ' FOREIGN KEY user_idnr_fk (user_idnr)'
+ backup: yes
+ when: create_database
+
+- name: Create a new database from structure file
+ mysql_db:
+ name: "{{ dbmail_db_name }}"
+ state: import
+ target: /tmp/create_tables.sql
+ collation: utf8_general_ci
+ encoding: utf8
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ when: create_database
+
+- name: Create database user with mail database privileges for remote access
+ mysql_user:
+ name: "{{ dbmail_db_user }}"
+ host: "{{ lookup('dig', item) }}"
+ password: "{{ dbmail_db_password }}"
+ priv: "{{ dbmail_db_name }}.*:ALL"
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ loop: "{{ ansible_play_hosts }}"
+
+- name: Create database user with mail database privileges for local access
+ mysql_user:
+ name: "{{ dbmail_db_user }}"
+
password: "{{ dbmail_db_password }}"
+ priv: "{{ dbmail_db_name }}.*:ALL"
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
diff --git a/tasks/configure_ufw.yml b/tasks/configure_ufw.yml
new file mode 100644
index 0000000..a5b2629
--- /dev/null
+++ b/tasks/configure_ufw.yml
@@ -0,0 +1,6 @@
+---
+- name: Allow traffic to specific ports
+ ufw:
+ rule: allow
+ port: "{{ item }}"
+ loop: "{{ ufw_allow_ports }}"
\ No newline at end of file
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..d8f410b
--- /dev/null
+++ b/tasks/install.yml
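Review bot: The `copy` task hard-codes `/usr/src/dbmail-3.3.0/sql/mysql/create_tables.mysql` while install.yml derives every path from `dbmail_version`, so bumping the version silently imports the old schema; use `src: "/usr/src/dbmail-{{ dbmail_version }}/sql/mysql/create_tables.mysql"`. The `"dbmail_db_name in databases.stdout"` conditions are substring matches, so an unrelated database whose name contains the configured one (e.g. `dbmail_test`) makes the role skip schema creation; compare against `databases.stdout_lines` instead. The remote-access `mysql_user` grants `ALL` on the database to the resolved address of every play host and the local grant is for `localhost`, while `dburi` in configure_dbmail.yml connects over TCP to `127.0.0.1`, which matches the `localhost` grant only if MySQL reverse-resolves it; one host entry derived from `dbmail_db_host` plus a privilege list limited to what dbmail needs would be both tighter and more predictable. Staging the schema in the predictable `/tmp/create_tables.sql` before importing it as the MySQL admin is better done through the `tempfile` module.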
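Review bot: The `ufw` task only adds allow rules and never sets `state: enabled`, so on a host where ufw is inactive the defaults' reliance on it to keep the cleartext ports 110/143 unreachable does nothing; add a task with `ufw: state: enabled` and `policy: deny`, `direction: incoming` before the loop. The rule also omits `proto: tcp`, so it opens UDP on those ports as well.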
@@ -0,0 +1,78 @@
+---
+- name: Set list of required software
+ set_fact:
+ required_software:
+ - libsieve2-1
+ - libzdb11
+ - libglib2.0-dev
+ - libgmime-3.0-dev
+ - libsieve2-dev
+ - libmhash-dev
+ - libzdb-dev
+ - libevent-dev
+ - libldap-dev
+ - libssl-dev
+ - asciidoc
+
+- name: Ensure required software is installed
+ package:
+ name: "{{ required_software }}"
+
+- name: Ensure log folder exists
+ file:
+ path: "{{ dbmail_logfolder }}"
+ state: directory
+ #owner: ???
+ #group: ???
+
+- name: Download source
+ get_url:
+ url: "https://github.com/dbmail/dbmail/archive/refs/tags/v{{ dbmail_version }}.tar.gz"
+ dest: "/tmp/dbmail.{{ dbmail_version }}.tar.gz"
+
+- name: Decompress source
+ unarchive:
+ remote_src: true
+ src: "/tmp/dbmail.{{ dbmail_version }}.tar.gz"
+ dest: /usr/src
+ creates: "/usr/src/dbmail-{{ dbmail_version }}/configure"
+
+- name: Compile source
+ shell: "/usr/src/dbmail-{{ dbmail_version }}/configure --with-zdb=/usr --with-sieve --with-ldap --localstatedir=/var/run/dbmail --runstatedir=/run/dbmail --enable-systemd --enable-manpages --sysconfdir=/etc/dbmail --with-logdir={{ dbmail_logfolder }}"
+ args:
+ chdir: "/usr/src/dbmail-{{ dbmail_version }}/"
+ creates: "/usr/src/dbmail-{{ dbmail_version }}/Makefile"
+
+- name: Make source
+ shell: "make"
+ args:
+ chdir: "/usr/src/dbmail-{{ dbmail_version }}/"
+ creates: "/usr/src/dbmail-{{ dbmail_version }}/src/dbmail-imapd"
+
+- name: Make installation
+ shell: "make install"
+ args:
+ chdir: "/usr/src/dbmail-{{ dbmail_version }}/"
+ creates: /usr/local/sbin/dbmail-imapd
+
+- name: Copy cron task
+ copy:
+ remote_src: true
+ src: "/usr/src/dbmail-{{ dbmail_version }}/debian/dbmail.cron.d"
+ dest: /etc/cron.d/dbmail-util
+
+- name: Copy logrotate configuration
+ copy:
+ remote_src: true
+ src: "/usr/src/dbmail-{{ dbmail_version }}/debian/dbmail.logrotate"
+ dest: /etc/logrotate.d/dbmail
+
+- name: Ensure dbmail group exists
+ group:
+ name: "{{ dbmail_group }}"
+
+- name: Ensure dbmail user exists
+ user:
+ name: "{{ dbmail_user }}"
+ group: "{{ dbmail_group }}"
+ shell: /dev/null
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..d8dcd8f
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Ensure installation of software
+ include_tasks: install.yml
+
+- name: Ensure configuration of MySQL database
+ include_tasks: configure_mysql_database.yml
+ when:
+ - dbmail_db_driver == 'mysql'
+ - "'127.0.0.' in dbmail_db_host or dbmail_db_host == 'localhost' or dbmail_db_host == ansible_host"
+
+- name: Ensure configuration of dbmail
+ include_tasks: configure_dbmail.yml
+
+- name: Ensure configuration of UFW for dbmail
+ include_tasks: configure_ufw.yml
+ when: configure_ufw
+
+- name: Ensure certificates are configured
+ include_tasks: configure_certificates.yml
+ when: dbmail_configuration['POP']['tls_port'] > 0 or dbmail_configuration['IMAP']['tls_port'] > 0 or dbmail_configuration['SIEVE']['tls_port'] > 0
\ No newline at end of file
diff --git a/templates/authmysqlrc.j2 b/templates/authmysqlrc.j2
new file mode 100644
index 0000000..50fd829
--- /dev/null
+++ b/templates/authmysqlrc.j2
@@ -0,0 +1,17 @@
+MYSQL_SERVER localhost
+MYSQL_USERNAME {{ dbmail_db_user }}
+MYSQL_PASSWORD {{ dbmail_db_password }}
+MYSQL_PORT 0
+MYSQL_DATABASE {{ dbmail_db_name }}
+MYSQL_USER_TABLE users
+MYSQL_CRYPT_PWFIELD password
+#MYSQL_CLEAR_PWFIELD password
+MYSQL_UID_FIELD 5000
+MYSQL_GID_FIELD 5000
+MYSQL_LOGIN_FIELD email
+MYSQL_HOME_FIELD "/home/vmail"
+MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
+#MYSQL_NAME_FIELD
+MYSQL_QUOTA_FIELD quota
+MYSQL_OPT 0
+##NAME: MARKER:0 # # Do not remove this section from this configuration file. This section # must be present at the end of this file.
diff --git a/templates/dbmail.conf.j2 b/templates/dbmail.conf.j2
new file mode 100644
index 0000000..6ad80f2
--- /dev/null
+++ b/templates/dbmail.conf.j2
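Review bot: `get_url` fetches the source tarball with no `checksum`, so the build compiles whatever GitHub serves for that tag (tag archives are neither signed nor guaranteed stable); pin it with `checksum: "sha256:<expected-digest>"` taken from a verified release so a changed archive fails the task instead of being installed. `unarchive`, `configure`, `make` and `make install` all run as root inside `/usr/src`; extracting and building as an unprivileged build user and only running `make install` as root limits what a tampered archive or build script can do. The `user` task sets `shell: /dev/null`; `/usr/sbin/nologin` is the conventional non-interactive shell and gives a clear message if the account is ever used. The `Ensure log folder exists` task still carries `#owner: ???` / `#group: ???`; presumably the directory needs `owner: "{{ dbmail_user }}"`, `group: "{{ dbmail_group }}"`, `mode: "0750"` so the daemon can write `dbmail_logfolder` once it drops to `effective_user` — confirm against the daemon's behaviour.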
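Review bot: The last `when` reads `dbmail_configuration['SIEVE']['tls_port']`, but defaults/main.yml leaves `SIEVE.tls_port` commented out, so with the shipped defaults the include aborts on an undefined key rather than being skipped; guard each term, e.g. `dbmail_configuration['SIEVE']['tls_port'] | default(0) > 0`. Ordering is also inverted: configure_dbmail.yml enables and starts the units before configure_certificates.yml writes `tls_cert`/`tls_key`, and nothing restarts them afterwards, so the 993/995 listeners run without the certificate until a manual restart; include the certificate tasks first or notify a restart handler from them. `'127.0.0.' in dbmail_db_host` is a substring test that accepts any address containing that fragment; an exact comparison or the `ipaddr` test is safer.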
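Review bot: No task in this commit renders `templates/authmysqlrc.j2`, and its `users` table with `email`/`password` columns does not match the `dbmail_`-prefixed schema the role imports (the MySQL tasks test for `dbmail_users`), so this looks like a leftover from a Courier setup; if it stays, say so in a header comment, because it embeds `MYSQL_PASSWORD {{ dbmail_db_password }}` and would need `mode: "0600"` wherever it is deployed. `MYSQL_UID_FIELD 5000`, `MYSQL_GID_FIELD 5000` and `/home/vmail` also assume Maildir storage, whereas dbmail keeps mail in the database.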
@@ -0,0 +1,21 @@
+# Configuration file for DBMAIL
+# ATTENTION! This file is managed by ansible local changes might get changed
+#
+# Copyright (c) 2000-2006 IC&S, The Netherlands
+# Copyright (c) 2004-2013 NFG Net Facilities Group BV support@nfg.nl
+# Copyright (c) 2014-2019 Paul J Stevens, The Netherlands, support@nfg.nl
+# Copyright (c) 2020-2022 Alan Hicks, Persistent Objects Ltd support@p-o.co.uk
+#
+{% for section_name, section_options in dbmail_configuration.items() %}
+[{{ section_name }}]
+{% for key, value in section_options.items() %}
+{% if value == True %}
+{{ key }} = yes
+{% else %}{% if value == False%}
+{{ key }} = no
+{% else %}
+{{ key }} = {{ value }}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
\ No newline at end of file
diff --git a/templates/mailpw.j2 b/templates/mailpw.j2
new file mode 100644
index 0000000..847002a
--- /dev/null
+++ b/templates/mailpw.j2
@@ -0,0 +1 @@
+{{ masterpassword }}
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
new file mode 100644
index 0000000..523be58
--- /dev/null
+++ b/templates/main.cf.j2
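Review bot: `{% if value == True %}` and `{% if value == False%}` use Python equality, so an integer `1` or `0` placed in `dbmail_configuration` renders as `yes`/`no` instead of the number; use `{% if value is sameas true %}` / `{% elif value is sameas false %}` and fold the nested `{% else %}{% if %}` into `elif`, which also removes the blank line the inner blocks emit. A key whose value is `null` (an uncommented `tls_cafile:` with no value, say) renders as `key = None`; skipping such keys, or `{{ value if value is not none else '' }}`, avoids writing a bogus path into the daemon's config. The header line would read better as `# ATTENTION! This file is managed by Ansible; local changes will be overwritten.`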
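Review bot: `masterpassword` is defined nowhere in defaults/main.yml and no task in this commit renders `templates/mailpw.j2`, so the file is either dead or will fail on an undefined variable when it is eventually used; either remove it or document the variable and the deploying task, which must use `mode: "0600"` since the rendered file holds a password.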
@@ -0,0 +1,56 @@
+alias_database = hash:/etc/aliases
+alias_maps = hash:/etc/aliases
+append_dot_mydomain = no
+biff = no
+body_checks = regexp:/etc/postfix/maps/ecco_body_check.map
+broken_sasl_auth_clients = yes
+compatibility_level = 2
+header_checks = regexp:/etc/postfix/maps/whitelist_senders.map regexp:/etc/postfix/maps/ecco_header_check.map regexp:/etc/postfix/maps/ecco_header_check_manual.map regexp:/etc/postfix/maps/spam_filter_header_check
+html_directory = /usr/share/doc/postfix/html
+inet_interfaces = all
+inet_protocols = all
+mailbox_size_limit = 0
+mydestination = {{ mail_server_fqdn }}; localhost; localhost.localdomain
+myhostname = {{ mail_server_fqdn }}
+mynetworks = 127.0.0.0/8 /etc/postfix/allowed_clients{% if mail_own_networks %}{% for ip in mail_own_networks %} {{ ip }}{% endfor %}{% endif %}
+
+myorigin = /etc/mailname
+policy-spf_time_limit = 3600s
+proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
+readme_directory = /usr/share/doc/postfix
+recipient_delimiter = +
+relay_recipient_maps =
+smtpd_banner = $myhostname ESMTP $mail_name
+# Block clients that speak too early.
+smtpd_data_restrictions = reject_unauth_pipelining
+# Don't talk to mail systems that don't know their own hostname.
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination, check_policy_service unix:private/policy-spf
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_authenticated_header = yes
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mail_server_fqdn }}/fullchain.pem
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ mail_server_fqdn }}/privkey.pem
+smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
+smtpd_use_tls = yes
+# If this is a backupmx or satellite then smtp_sasl_auth_enable = yes
+smtp_sasl_auth_enable = no
+#smtp_sasl_password_maps = hash:/etc/postfix/claves_smtp
+smtp_sasl_security_options = noanonymous
+smtp_sasl_type = cyrus
+smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
+smtp_use_tls = yes
+transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
+virtual_alias_domains =
+virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
+virtual_gid_maps = static:5000
+virtual_mailbox_base = /home/vmail
+virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
+virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
+virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
+virtual_uid_maps = static:5000
+
+# For dbmail
+virtual_transport = dbmail-lmtp:127.0.0.1:{{ dbmail_configuration['LMTP']['port'] }}
\ No newline at end of file
diff --git a/templates/master.cf.j2 b/templates/master.cf.j2
new file mode 100644
index 0000000..f25483f
--- /dev/null
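Review bot: `smtpd_sasl_auth_enable = yes` applies to the port-25 `smtpd` too and nothing sets `smtpd_tls_auth_only`, so together with `allow_plaintext: true` and `mech_list: plain login` in smtpd.conf.j2 a client can send PLAIN/LOGIN credentials before STARTTLS; add `smtpd_tls_auth_only = yes`, or enable SASL only on the submission/smtps services in master.cf. `smtpd_tls_exclude_ciphers` lists `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5`, which match no OpenSSL suite (presumably `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES-CBC3-SHA` were meant), so those suites stay enabled; replacing the legacy `smtpd_use_tls = yes` with `smtpd_tls_security_level = may` and adding `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` would also pin the protocol floor. `mail_own_networks` is referenced in `mynetworks` but not defined in defaults/main.yml, so a render with role defaults fails on the undefined variable, and `/etc/postfix/allowed_clients`, the `ecco_*`/`whitelist_senders` maps and `/etc/ssl/private/dhparams.pem` are created by no task here, so `postfix check` would reject the result. As far as the diffstat shows, no task templates main.cf.j2 at all.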
+++ b/templates/master.cf.j2 
@@ -0,0 +1,143 @@
+#
+# Postfix master process configuration file.
+# ATTENTION! Managed by Ansible
+# For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+# SMTP: Port 25
+smtp inet n - y - - smtpd
+# -o content_filter=filter:
+# Submission: Port 587
+submission inet n - y - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+ -o content_filter=filter:
+# SMTPS: Port 465
+smtps inet n - y - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+ -o content_filter=filter:
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 
0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+relay unix - - y - - smtp
+ -o smtp_fallback_relay=
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. 
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
+amavis unix y y y - 2 smtp
+ -o smtp_data_done_timeout=1200
+ -o smtp_send_xforward_command=yes
+
+127.0.0.1:10025 inet n y y - - smtpd
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o strict_rfc821_envelopes=yes
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+{# filter unix - n n - - pipe
+ flags=Rq user=filter argv=/etc/postfix/scripts/disclaimer.sh -f ${sender} -- ${recipient} #}
+policy-spf unix - n n - - spawn
+ user=nobody argv=/usr/bin/policyd-spf
+greypolicy unix - n n - - spawn
+ user=nobody argv=/usr/bin/perl
+ /usr/local/libexec/postfix/greylist.pl
+
+# For dbmail
+dbmail-lmtp unix - - n - - lmtp
\ No newline at end of file
diff --git a/templates/mysql-body_checks.cf.j2 b/templates/mysql-body_checks.cf.j2
new file mode 100644
index 0000000..2e22d82
--- /dev/null
+++ b/templates/mysql-body_checks.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT action FROM bannedcontent WHERE regexp='%s'
+hosts = 127.0.0.1
diff --git a/templates/mysql-virtual_domains.cf.j2 b/templates/mysql-virtual_domains.cf.j2
new file mode 100644
index 0000000..3b2f4c4
--- /dev/null
+++ b/templates/mysql-virtual_domains.cf.j2
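Review bot: The `submission` and `smtps` services set `-o content_filter=filter:`, but the only `filter` service definition sits inside a Jinja `{# … #}` comment and is never rendered, so Postfix has no `filter` transport and every authenticated submission is deferred with a "mail transport unavailable" error; either uncomment that service or remove the two `-o content_filter=filter:` lines. `policy-spf` spawns `/usr/bin/policyd-spf` and `greypolicy` runs `/usr/local/libexec/postfix/greylist.pl`, neither of which install.yml provides, so `check_policy_service unix:private/policy-spf` in main.cf.j2 will fail and recipients are deferred by the policy default action. The `amavis` / `127.0.0.1:10025` pair is present while main.cf.j2 sets no `content_filter`, so the reinjection listener is idle; if amavis is not part of this role the block should go rather than stay as an unexplained open listener on loopback.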
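Review bot: `mail_db_user`, `mail_db_password` and `mail_db_name` are not defined in defaults/main.yml (which defines `dbmail_db_user`, `dbmail_db_password`, `dbmail_db_name`), so rendering this template fails on an undefined variable; the same applies to mysql-virtual_domains.cf.j2, mysql-virtual_email2email.cf.j2, mysql-virtual_forwardings.cf.j2, mysql-virtual_mailbox_limit_maps.cf.j2, mysql-virtual_mailboxes.cf.j2, mysql-virtual_transports.cf.j2, smtp.j2 and smtpd.conf.j2. The queries target `bannedcontent`, `domains`, `users`, `forwardings` and `transport` tables that do not appear in the `dbmail_`-prefixed schema the MySQL tasks import, so even with the variables fixed the lookups return nothing; either point them at the dbmail tables (e.g. `dbmail_users`, `dbmail_aliases`) or document that a separate schema is expected. Each of these files carries the DB password, so the (currently missing) deployment task should set `owner: root`, `group: postfix`, `mode: "0640"`. Nit: `{{ mail_db_user}}` is missing the closing space that the other expressions have.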
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT domain AS virtuald FROM domains WHERE domain='%s'
+hosts = 127.0.0.1
diff --git a/templates/mysql-virtual_email2email.cf.j2 b/templates/mysql-virtual_email2email.cf.j2
new file mode 100644
index 0000000..08efe82
--- /dev/null
+++ b/templates/mysql-virtual_email2email.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT email FROM users WHERE email='%s'
+hosts = 127.0.0.1
diff --git a/templates/mysql-virtual_forwardings.cf.j2 b/templates/mysql-virtual_forwardings.cf.j2
new file mode 100644
index 0000000..db61e71
--- /dev/null
+++ b/templates/mysql-virtual_forwardings.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT destination FROM forwardings WHERE source='%s'
+hosts = 127.0.0.1
diff --git a/templates/mysql-virtual_mailbox_limit_maps.cf.j2 b/templates/mysql-virtual_mailbox_limit_maps.cf.j2
new file mode 100644
index 0000000..ea6a6af
--- /dev/null
+++ b/templates/mysql-virtual_mailbox_limit_maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT quota FROM users WHERE email='%s'
+hosts = 127.0.0.1
diff --git a/templates/mysql-virtual_mailboxes.cf.j2 b/templates/mysql-virtual_mailboxes.cf.j2
new file mode 100644
index 0000000..db327a2
--- /dev/null
+++ b/templates/mysql-virtual_mailboxes.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
+hosts = 127.0.0.1
diff --git a/templates/mysql-virtual_transports.cf.j2 b/templates/mysql-virtual_transports.cf.j2
new file mode 100644
index 0000000..8a6d00e
--- /dev/null
+++ b/templates/mysql-virtual_transports.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_user}}
+password = {{ mail_db_password }}
+dbname = {{ mail_db_name }}
+query = SELECT transport FROM transport WHERE domain='%s'
+hosts = 127.0.0.1
diff --git a/templates/smtp.j2 b/templates/smtp.j2
new file mode 100644
index 0000000..9f3cd6b
--- /dev/null
+++ b/templates/smtp.j2
@@ -0,0 +1,2 @@
+auth required pam_mysql.so user={{ mail_db_user}} passwd={{ mail_db_password }} host=127.0.0.1 db={{ mail_db_name }} table=users usercolumn=email passwdcolumn=password crypt=1
+account sufficient pam_mysql.so user={{ mail_db_user}} passwd={{ mail_db_password }} host=127.0.0.1 db={{ mail_db_name }} table=users usercolumn=email passwdcolumn=password crypt=1
diff --git a/templates/smtpd.conf.j2 b/templates/smtpd.conf.j2
new file mode 100644
index 0000000..477a240
--- /dev/null
+++ b/templates/smtpd.conf.j2
@@ -0,0 +1,11 @@
+pwcheck_method: saslauthd
+mech_list: plain login
+allow_plaintext: true
+auxprop_plugin: sql
+sql_engine: mysql
+sql_hostnames: 127.0.0.1
+sql_user: {{ mail_db_user}}
+sql_passwd: {{ mail_db_password }}
+sql_database: {{ mail_db_name }}
+sql_select: select password from users where email = '%u@%r'
+log_level: 9
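Review bot: This PAM stack writes `passwd={{ mail_db_password }}` into a `/etc/pam.d/` file, and PAM configuration files are normally world-readable, so the database password becomes readable by every local account; pam_mysql's `config_file=` option lets the connection parameters live in a separate mode-0600 file, which keeps the secret out of `/etc/pam.d`. `crypt=1` compares against `users.password` with crypt(3), but `users` is not a table in the dbmail schema the role imports, so these lines cannot authenticate dbmail users as written. As with the mysql-*.cf templates, `mail_db_*` is undefined in defaults and no task in this commit deploys the file.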
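Review bot: `pwcheck_method: saslauthd` and `auxprop_plugin: sql` conflict — with saslauthd the `sql_*` settings are not consulted for PLAIN/LOGIN, so either switch to `pwcheck_method: auxprop` or drop the `sql_*` block, in which case `sql_passwd` no longer needs to be in this file at all. `allow_plaintext: true` with `mech_list: plain login` is only acceptable when main.cf enforces `smtpd_tls_auth_only = yes`, which main.cf.j2 does not set. `log_level: 9` is above the Cyrus SASL level documented as tracing sensitive data such as passwords, so credentials may end up in syslog; `3` (warnings) is the usual production setting. `sql_select ... from users where email = '%u@%r'` again queries a `users` table that the dbmail schema created by the role does not have.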