authorGuilhem Moulin <guilhem@fripost.org>2014-06-25 02:37:48 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:48 +0200
commit2a2333cdfb016bb884887f46fbcbfdce6e064d74 (patch)
treee85d7c802436e3c5615ee8eef2ca9c68cd5eb895
parente9e8ce2add2b7c020daa02228e506e7c02828c15 (diff)
Assume a DNS entry for each role.
E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
-rw-r--r--group_vars/all.yml20
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf (renamed from roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2)2
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext (renamed from roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2)2
-rw-r--r--roles/IMAP-proxy/tasks/main.yml16
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/50-user.j24
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j28
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j26
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport.j28
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j24
-rw-r--r--roles/common/templates/etc/ntp.conf.j22
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j26
-rw-r--r--roles/webmail/templates/etc/postfix/main.cf.j26
-rw-r--r--roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j22
-rw-r--r--roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j22
18 files changed, 40 insertions, 58 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 0dee19d..351aa09 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,19 +1,11 @@
---
postfix_instance:
# The keys are the group names associated with a Postfix role, and the
# values are the name and group (optional) of the instance dedicated
# to that role.
- IMAP: { name: mda }
- MX: { name: mx, group: mta }
- MTA-out: { name: mta-out,group: mta }
- MSA: { name: msa }
- webmail: { name: webmail }
- lists: { name: lists }
-
-MTA_out: { host: outgoing.fripost.org, port: 2525 }
-LDA: { host: lda.fripost.org, port: 2526 }
-lists: { host: lists.fripost.org, port: 2527 }
-
-LDAP_provider: host1.libvirt.guilhem.org
-NTP_master: host1.libvirt.guilhem.org
-IMAP: host1.libvirt.guilhem.org
+ IMAP: { name: mda, port: 2526 }
+ MX: { name: mx, group: mta }
+ MTA-out: { name: mta-out,group: mta, port: 2525 }
+ MSA: { name: msa }
+ webmail: { name: webmail }
+ lists: { name: lists, port: 2527 }
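Review bot: The added `port:` keys make `postfix_instance` the single place a role's endpoint is defined, but the host names that used to sit beside them (`MTA_out.host`, `LDA.host`, `lists.host`, `LDAP_provider`, `NTP_master`, `IMAP`) are replaced by literal `*.fripost.org` strings spread over the remaining templates, so a future DNS rename means editing every role. Keeping the host next to the port, e.g. `MTA-out: { name: mta-out, group: mta, host: outgoing.fripost.org, port: 2525 }`, plus one `domain: fripost.org` variable for the five `mydomain =` lines, would preserve the one-place definition this hunk otherwise achieves; the same applies to the amavis, MSA, MX, common, lists and webmail main.cf hunks below. The comment above the map should also describe the new key, e.g. `# ... and, where relevant, the port the instance listens on.`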
diff --git a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
index a6b70c6..47785a4 100644
--- a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
@@ -1,18 +1,18 @@
# Smart IMAP proxying with imapc storage
#
# http://dovecot.org/pipermail/dovecot/2011-January/056975.html
# http://wiki2.dovecot.org/HowTo/ImapcProxy
# http://wiki2.dovecot.org/Migration/Dsync
-imapc_host = {{ IMAP }}
+imapc_host = imap.fripost.org
imapc_port = 143
imapc_user = %u
# Read multiple mails in parallel, improves performance
mail_prefetch_count = 20
# The list of valid features can be found there
# http://hg.dovecot.org/dovecot-2.1/file/f572fbafb445/src/lib-storage/index/imapc/imapc-settings.c
# (in the struct 'imapc_feature_list imapc_feature_list')
imapc_features = rfc822.size
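Review bot: `imapc_host = imap.fripost.org` points the proxy at a DNS-resolved name while the backend connection stays on port 143 with no `imapc_ssl` setting, and since `auth-imap.conf.ext` (next hunk) forwards each user's password to the same host through the imap passdb, whoever answers for that name receives the credentials. Unless this path is confined to the IPsec tunnel the Postfix templates rely on, consider `imapc_ssl = starttls` with `imapc_ssl_verify = yes` here and the matching `ssl=starttls` argument on the passdb `args` line. Moving the file from `templates/` to `files/` also fixes the backend per repository rather than per inventory; a header note such as `# Backend is addressed by its DNS role name, not an inventory host` would record that choice for the next maintainer.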
diff --git a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2 b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
index 5e2b28c..7478889 100644
--- a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
@@ -1,17 +1,17 @@
# Authentication via remote IMAP server. Included from auth.conf.
#
# <doc/wiki/PasswordDatabase.IMAP.txt>
passdb {
driver = imap
- args = host={{ IMAP }} port=143
+ args = host=imap.fripost.org port=143
default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
userdb {
driver = prefetch
default_fields = home=/home/imapproxy/%d/%n
}
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index c630cfd..f76ee72 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -1,51 +1,41 @@
- name: Install Dovecot
apt: pkg={{ item }}
with_items:
- dovecot-core
- dovecot-imapd
- name: Create a user 'imapproxy'
user: name=imapproxy system=yes
home=/home/imapproxy
shell=/bin/false
password=!
state=present
- name: Create a home directory for user 'imapproxy'
file: path=/home/imapproxy
state=directory
owner=imapproxy group=imapproxy
mode=0700
-- name: Configure Dovecot (1)
+- name: Configure Dovecot
copy: src=etc/dovecot/conf.d/{{ item }}
dest=/etc/dovecot/conf.d/{{ item }}
owner=root group=root
mode=0644
- register: r1
+ register: r
with_items:
- 10-auth.conf
- 10-logging.conf
- 10-mail.conf
- 10-master.conf
- 15-mailboxes.conf
- notify:
- - Restart Dovecot
-
-- name: Configure Dovecot (2)
- template: src=etc/dovecot/conf.d/{{ item }}.j2
- dest=/etc/dovecot/conf.d/{{ item }}
- owner=root group=root
- mode=0644
- register: r2
- with_items:
- 20-imapc.conf
- auth-imap.conf.ext
notify:
- Restart Dovecot
- name: Start Dovecot
service: name=dovecot state=started
- when: not (r1.changed or r2.changed)
+ when: not r.changed
- meta: flush_handlers
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
index 00a82ce..503907e 100644
--- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -94,42 +94,42 @@ $default_ldap = {
};
$recipient_delimiter = '+';
$enable_dkim_verification = 1; # enable DKIM signatures verification
# Per-recipient Bayes Database.
@sa_username_maps = (
new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ),
'amavis' # catch-all
);
# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
$inet_socket_port = 10041;
$interface_policy{'10041'} = 'INBOUND';
{% if 'MTA-out' in group_names %}
-$notify_method = 'smtp:[127.0.0.1]:{{ MTA_out.port }}';
+$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance["MTA-out"].port }}';
{% else %}
-$notify_method = 'smtp:[{{ MTA_out.host }}]:{{ MTA_out.port }}';
+$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}';
{% endif %}
$forward_method = 'lmtp:/var/run/dovecot/lmtp';
$requeue_method = $forward_method;
$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 5;
$sa_kill_level_deflt = 5;
$sa_dsn_cutoff_level = undef;
$sa_quarantine_cutoff_level = undef;
$policy_bank{'INBOUND'} = {
originating => 0, # indicates a remote client, allows checking
smtpd_greeting_banner =>
'${helo-name} ${protocol} ${product} INBOUND service ready',
mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily
};
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index d0421ce..46f64aa 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -1,37 +1,37 @@
########################################################################
# MDA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = mda{{ imapno | default('') }}.$mydomain
-mydomain = {{ ansible_domain }}
+mydomain = fripost.org
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the MDA.
master_service_disable = !2526.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
inet_interfaces = 172.16.0.1
{% if 'MX' in group_names %}
127.0.0.1
{% endif %}
inet_protocols = ipv4
# No local delivery
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 88cb3be..b15b907 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -1,68 +1,68 @@
########################################################################
# MSA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
-myhostname = smtp{{ mdano | default('') }}.$mydomain
-mydomain = {{ ansible_domain }}
+myhostname = smtp{{ msano | default('') }}.$mydomain
+mydomain = fripost.org
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the MSA.
master_service_disable = !submission.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail Submission Agent
mynetworks_style = host
inet_interfaces = all
inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ MTA_out.port }}
+relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
{% else %}
-relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
{% endif %}
relay_domains =
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
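Review bot: Renaming the suffix variable in `myhostname = smtp{{ msano | default('') }}.$mydomain` aligns it with `imapno`/`mxno`/`listsno`, but the `default('')` means an inventory that still defines the old `mdano` silently produces `smtp.fripost.org` instead of failing; check host_vars for the old name before merging. A short why-comment, e.g. `# msano: optional numeric suffix when several MSAs exist (smtp1, smtp2, ...)`, would also document a variable that is otherwise only implied by the template.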
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 8bed701..e842537 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -1,69 +1,69 @@
########################################################################
# MX configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = mx{{ mxno | default('') }}.$mydomain
-mydomain = {{ ansible_domain }}
+mydomain = fripost.org
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the mail
# exchange.
master_service_disable = !smtp.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail eXchange
mynetworks_style = host
inet_interfaces = all
inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ MTA_out.port }}
+relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
{% else %}
-relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
{% endif %}
relay_domains =
# Virtual transport
# We use a dedicated "virtual" domain to decongestion potential
# bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
# tranport_maps.
virtual_transport = error:5.1.1 Virtual transport unavailable
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
# first we do the alias resolution...
ldap:$config_directory/virtual/alias.cf
# ...and unless there is matching mailbox/list...
ldap:$config_directory/virtual/mailbox.cf
ldap:$config_directory/virtual/list.cf
# ...we resolve alias domains and catch alls
ldap:$config_directory/virtual/alias_domains.cf
ldap:$config_directory/virtual/catchall.cf
virtual_mailbox_maps =
transport_maps = cdb:$config_directory/virtual/transport
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 6100c01..5988159 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,11 +1,11 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
result_attribute = fvl
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
-result_format = %D/%U@lists.guilhem.org
+result_format = %D/%U@lists.fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index fe27124..a108c0d 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,11 +1,11 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
result_attribute = fvl
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
-result_format = %D/%U@mda.guilhem.org
+result_format = %D/%U@mda.fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
index 6d244dc..2250a71 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -1,13 +1,13 @@
reserved.locahost.localdomain reserved-alias:
{% if 'LDA' in group_names %}
-mda.guilhem.org smtpl:[127.0.0.1]:{{ LDA.port }}
+mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }}
{% else %}
-mda.guilhem.org smtps:[{{ LDA.host }}]:{{ LDA.port }}
+mda.fripost.org smtps:[mda.fripost.org]:{{ postfix_instance.IMAP.port }}
{% endif %}
{% if 'lists' in group_names %}
-lists.guilhem.org smtpl:[127.0.0.1]:{{ lists.port }}
+lists.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }}
{% else %}
-lists.guilhem.org smtps:[{{ lists.host }}]:{{ lists.port }}
+lists.fripost.org smtps:[lists.fripost.org]:{{ postfix_instance.lists.port }}
{% endif %}
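Review bot: The guard on the MDA entry still tests `'LDA' in group_names`, while the new line reads its port from `postfix_instance.IMAP.port` and `group_vars/all.yml` documents the `postfix_instance` keys as the group names; if no inventory group is actually called `LDA`, the `smtpl:[127.0.0.1]` branch is dead and an MX co-located with the MDA is routed through `smtps:[mda.fripost.org]` instead. The condition should probably read `{% if 'IMAP' in group_names %}` to match the key used on the same line (the IMAP main.cf hunk earlier already keys its co-location check on group names the same way). The `lists` entry is consistent since it uses `lists` for both the guard and the lookup.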
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 33ef108..cde9069 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -69,55 +69,55 @@ olcDbIndex: entryCSN,entryUUID eq
# Sync Replication
# TODO: replace the simple bind by Kerberos/GSSAPI
#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
olcLimits: dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% elif 'MX' in group_names %}
olcSyncrepl: rid=000
- provider=ldap://{{ LDAP_provider }}
+ provider=ldap://ldap.fripost.org
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials=mx
{% elif 'lists' in group_names %}
# XXX: mlmmj is not compatible with the MX, see
# http://mlmmj.org/bugs/bug.php?id=51
olcSyncrepl: rid=001
- provider=ldap://{{ LDAP_provider }}
+ provider=ldap://ldap.fripost.org
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials=lists
{% endif %}
#
#
########################################################################
########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
#
# References:
# - http://www.openldap.org/doc/admin24/access-control.html
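Review bot: `provider=ldap://ldap.fripost.org` in both `olcSyncrepl` entries turns the consumer's target into a DNS lookup rather than an inventory-pinned host, yet the URL stays plaintext `ldap://` with `bindmethod=simple`, so the replication bind credentials and the replicated `ou=virtual` subtree travel unprotected to whatever host that name resolves to. If this traffic is not already confined to the IPsec tunnel the Postfix templates mention, add `starttls=critical tls_reqcert=demand` to each entry (or switch to an `ldaps://` URL) so the provider is authenticated by certificate as well as by name. A one-line comment above the entries stating the assumption, e.g. `# replication traffic is expected to stay inside the IPsec tunnel`, would help either way.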
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2
index 2f70cef..96cc16c 100644
--- a/roles/common/templates/etc/ntp.conf.j2
+++ b/roles/common/templates/etc/ntp.conf.j2
@@ -7,41 +7,41 @@ driftfile /var/lib/ntp/ntp.drift
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
{% if 'NTP-master' in group_names %}
# Use Stratum One Time Servers:
# http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
server ntp1.sp.se iburst
server ntp2.sp.se iburst
server ntp2.gbg.netnod.se iburst
server ntp1.sth.netnod.se iburst
server ntp2.sth.netnod.se iburst
{% else %}
# Sychronize to our (stratum 2) NTP server through IPSec, to ensure our
# network has a consistent time.
-server {{ NTP_master }} iburst
+server ntp.fripost.org iburst
{% endif %}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 83f97b4..169ad40 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -18,43 +18,43 @@ append_dot_mydomain = no
mynetworks_style = host
inet_interfaces = loopback-only
inet_protocols = ipv4
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
local_recipient_maps =
# All aliases are virtual
default_database_type = cdb
virtual_alias_maps = cdb:/etc/aliases
alias_database = $virtual_alias_maps
# Transform local FQDN addresses to addresses routable on the internet
smtp_generic_maps = pcre:$config_directory/generic.pcre
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ MTA_out.port }}
+relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
{% else %}
-relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
{% endif %}
relay_domains =
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
{% endif %}
smtpd_tls_security_level = none
# Turn off all TCP/IP listener ports except that dedicated to
# samhain(8), which sadly cannot use pickup through the sendmail binary.
master_service_disable = !127.0.0.1:16132.inet inet
{% set multi_instance = False %}
{%- for g in postfix_instance.keys() | sort -%}
{%- if g in group_names -%}
{%- if not multi_instance -%}
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 955b901..45e66aa 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -1,73 +1,73 @@
########################################################################
# Lists configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = lists{{ listsno | default('') }}.$mydomain
-mydomain = {{ ansible_domain }}
+mydomain = fripost.org
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the list server.
# XXX: mlmmj is not compatible with the MX, see
# http://mlmmj.org/bugs/bug.php?id=51
master_service_disable = !127.0.0.1:smtp.inet !2527.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
inet_interfaces = 172.16.0.1
{% if 'MX' in group_names %}
127.0.0.1
{% endif %}
inet_protocols = ipv4
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ MTA_out.port }}
+relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
{% else %}
-relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
{% endif %}
relay_domains =
# Virtual transport (the alias resolution is already done by the MX:es)
transport_maps = ldap:$config_directory/virtual/transport_list.cf
mlmmj_destination_recipient_limit = 1
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
smtpd_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 2ee2849..5d678a1 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -1,68 +1,68 @@
########################################################################
# Webmail configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = webmail{{ webmailno | default('') }}.$mydomain
-mydomain = {{ ansible_domain }}
+mydomain = fripost.org
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the webmail.
master_service_disable = !127.0.0.1:2580.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a nullclient
mynetworks_style = host
inet_interfaces = loopback-only
inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
-relayhost = [127.0.0.1]:{{ MTA_out.port }}
+relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }}
{% else %}
-relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
+relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}
{% endif %}
relay_domains =
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Pass the mail to the antivirus
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
{% endif %}
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
index 27b5b44..c716ddc 100644
--- a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
@@ -1,32 +1,32 @@
<?php
// managesieve server port
$rcmail_config['managesieve_port'] = 4190;
// managesieve server address, default is localhost.
// Replacement variables supported in host name:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['managesieve_host'] = '{{ IMAP }}';
+$rcmail_config['managesieve_host'] = 'imap.fripost.org';
// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
// or none. Optional, defaults to best method supported by server.
$rcmail_config['managesieve_auth_type'] = 'PLAIN';
// Optional managesieve authentication identifier to be used as authorization proxy.
// Authenticate as a different user but act on behalf of the logged in user.
// Works with PLAIN and DIGEST-MD5 auth.
$rcmail_config['managesieve_auth_cid'] = null;
// Optional managesieve authentication password to be used for imap_auth_cid
$rcmail_config['managesieve_auth_pw'] = null;
// use or not TLS for managesieve server connection
// it's because I've problems with TLS and dovecot's managesieve plugin
// and it's not needed on localhost
$rcmail_config['managesieve_usetls'] = FALSE;
// default contents of filters script (eg. default spam filter)
$rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global';
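Review bot: `managesieve_host` now names a remote host, but `managesieve_usetls` below it is still `FALSE` with `managesieve_auth_type = 'PLAIN'`, and the rationale in the existing comment ("it's not needed on localhost") no longer applies — each webmail user's password is sent in clear to port 4190 on `imap.fripost.org`. Either set `$rcmail_config['managesieve_usetls'] = true;` and drop the stale localhost comment, or, if the link is meant to be covered by IPsec like the Postfix relays, replace that comment with `// TLS is not used because the managesieve connection is tunnelled over IPsec`. The same plaintext-to-remote-host question applies to `password_ldap_host` with `password_ldap_starttls = false` in the next hunk.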
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
index 35c73f9..a661909 100644
--- a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
@@ -11,41 +11,41 @@ $rcmail_config['password_driver'] = 'ldap_simple';
$rcmail_config['password_confirm_current'] = true;
// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$rcmail_config['password_minimum_length'] = 12;
// Require the new password to contain a letter and punctuation character
// Change to false to remove this check.
$rcmail_config['password_require_nonalpha'] = false;
// Enables logging of password changes into logs/password
$rcmail_config['password_log'] = false;
// LDAP and LDAP_SIMPLE Driver options
// -----------------------------------
// LDAP server name to connect to.
// You can provide one or several hosts in an array in which case the hosts are tried from left to right.
// Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');
// Default: 'localhost'
-$rcmail_config['password_ldap_host'] = '{{ LDAP_provider }}';
+$rcmail_config['password_ldap_host'] = 'ldap.fripost.org';
// LDAP server port to connect to
// Default: '389'
$rcmail_config['password_ldap_port'] = '389';
// TLS is started after connecting
// Using TLS for password modification is recommanded.
// Default: false
$rcmail_config['password_ldap_starttls'] = false;
// LDAP version
// Default: '3'
$rcmail_config['password_ldap_version'] = '3';
// LDAP base name (root directory)
// Exemple: 'dc=exemple,dc=com'
$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org';
// LDAP connection method
// There is two connection method for changing a user's LDAP password.