Diffstat (limited to 'roles/IMAP/tasks')
-rw-r--r-- | roles/IMAP/tasks/imap.yml | 143 | ||||
-rw-r--r-- | roles/IMAP/tasks/main.yml | 18 | ||||
-rw-r--r-- | roles/IMAP/tasks/mda.yml | 31 | ||||
-rw-r--r-- | roles/IMAP/tasks/spam.yml | 34 |
4 files changed, 144 insertions, 82 deletions
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 0c55535..c2bdca9 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -1,156 +1,197 @@ - name: Install Dovecot - apt: pkg={{ item }} - with_items: + apt: pkg={{ packages }} + vars: + packages: - dovecot-core - dovecot-ldap - dovecot-imapd - dovecot-lmtpd - dovecot-antispam - dovecot-managesieved - dovecot-sieve - name: Create a user 'vmail' user: name=vmail system=yes createhome=no home=/home/mail shell=/usr/sbin/nologin password=! state=present -## TODO: make a LDAP query listing all users using iterate_attrs and -## iterate_filter. (Alternatively, use a dict, see -## https://www.opensource.apple.com/source/dovecot/dovecot-293/dovecot.Config/dovecot-dict-auth.conf.ext) -## Required for dbox, see -## http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox -#- name: Create a nightly cron job to purge expunged messages -# cron: name="Purge expunged messages" -# minute=7 hour=5 -# user=vmail cron_file=doveadm-purge -# job="/usr/bin/doveadm purge -A" +- name: Install Net::LDAP and Authen::SASL + apt: pkg={{ packages }} + vars: + packages: + - libnet-ldap-perl + - libauthen-sasl-perl + +- name: Copy dovecot auth proxy + copy: src=usr/local/bin/dovecot-auth-proxy.pl + dest=/usr/local/bin/dovecot-auth-proxy.pl + owner=root group=staff + mode=0755 + +# Required for IDLE as all imap processes have the same UID (vmail). +- name: Set per user maximum number of inotify instances to 512 + sysctl: name=fs.inotify.max_user_instances value=512 sysctl_set=yes + tags: + - sysctl + +- name: Create '_dovecot-auth-proxy' user + user: name=_dovecot-auth-proxy system=yes + group=nogroup + createhome=no + home=/nonexistent + shell=/usr/sbin/nologin + password=! 
+ state=present + +- name: Copy dovecot auth proxy systemd unit files + copy: src=etc/systemd/system/{{ item }} + dest=/etc/systemd/system/{{ item }} + owner=root group=root + mode=0644 + with_items: + - dovecot-auth-proxy.service + - dovecot-auth-proxy.socket + notify: + - systemctl daemon-reload + +- meta: flush_handlers + +- name: Enable dovecot auth proxy + service: name=dovecot-auth-proxy.socket state=started enabled=yes # The ownership and permissions ensure that dovecot won't try to # deliver mails under an umounted mountpoint. - name: Create a home directory for user 'vmail' file: path=/home/mail state=directory owner=root group=root mode=0755 -- name: Create /home/mail/virtual - file: path=/home/mail/virtual +- name: Mount /home/mail + mount: src=/dev/mapper/luksMail + path=/home/mail + fstype=ext4 + opts=noauto + state=mounted + +- name: Create /home/mail/{virtual,attachments,spamspool} + file: path=/home/mail/{{ item }} state=directory owner=vmail group=vmail mode=0700 + with_items: + - virtual + - attachments + - spamspool + +- name: Create a cronjob for purging and SIS deduplication + copy: src=etc/cron.d/doveadm + dest=/etc/cron.d/doveadm + owner=root group=root + mode=0644 - name: Create virtual mailbox directories file: path=/etc/dovecot/virtual/{{ item }} state=directory owner=root group=root mode=0755 with_items: - all - flagged - recent - unseen - name: Create virtual mailboxes copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual owner=root group=root mode=0644 with_items: - all - flagged - recent - unseen -- name: Create directory /home/mail/spamspool - file: path=/home/mail/spamspool - state=directory - owner=vmail group=vmail - mode=0700 - - name: Create directory /etc/dovecot/ssl file: path=/etc/dovecot/ssl state=directory owner=root group=root mode=0755 -- name: Generate a private key and a X.509 certificate for Dovecot - command: genkeypair.sh x509 - 
--pubkey=/etc/dovecot/ssl/imap.fripost.org.pem - --privkey=/etc/dovecot/ssl/imap.fripost.org.key - --ou=IMAP --cn=imap.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Dovecot - tags: - - genkey - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data - sudo: False - fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem - dest=certs/dovecot/ - fail_on_missing=yes - flat=yes + become: False + fetch_cmd: cmd="openssl x509 -noout -pubkey" + stdin=/etc/dovecot/ssl/imap.fripost.org.pem + dest=certs/public/imap.fripost.org.pub tags: - genkey - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 - register: r2 + register: r1 with_items: - conf.d/10-auth.conf - - conf.d/10-logging.conf - - conf.d/10-mail.conf - - conf.d/10-master.conf - - conf.d/10-ssl.conf - - conf.d/15-mailboxes.conf - - conf.d/20-imap.conf - - conf.d/20-lmtp.conf - - conf.d/90-plugin.conf - - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot +- name: Configure Dovecot (2) + template: src=etc/dovecot/{{ item }}.j2 + dest=/etc/dovecot/{{ item }} + owner=root group=root + mode=0644 + register: r2 + with_items: + - conf.d/99-local.conf + notify: + - Restart Dovecot + +# TODO bookworm remove the below and inline the !include_try +- name: Copy /etc/dovecot/ssl/config workaround + copy: src=etc/dovecot/ssl/config + dest=/etc/dovecot/ssl/config + owner=root group=root + mode=0600 + notify: + - Restart Dovecot + - name: Tell Dovecot we have a remote IMAP proxy - # XXX: we should have an automatic lookup here lineinfile: dest=/etc/dovecot/dovecot.conf regexp='^(\s*#)?\s*login_trusted_networks\s*=' - line='login_trusted_networks = 171.25.193.76/32' + line="login_trusted_networks = {{ ipsec_subnet }}" state=present create=yes owner=root group=root mode=0644 register: r3 - when: 
"'IMAP' in group_names and 'webmail' not in group_names" + when: "groups.all | length > 1" notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Install 'dovecot_stats_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/dovecot_stats_ dest=/etc/munin/plugins/dovecot_stats_fripost.org owner=root group=root state=link force=yes tags: - munin - munin-node notify: - Restart munin-node diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml index 9ed2ea6..694fa69 100644 --- a/roles/IMAP/tasks/main.yml +++ b/roles/IMAP/tasks/main.yml @@ -1,4 +1,16 @@ --- -- include: imap.yml tags=imap,dovecot -- include: mda.yml tags=mda,mail,postfix -#- include: spam.yml tags=spam,spamassassin # TODO spam filter +- import_tasks: imap.yml + tags: + - imap + - dovecot +- import_tasks: mda.yml + tags: + - mda + - mail + - postfix +## TODO spam filter +#- import_tasks: spam.yml +# tags: +# - spam +# - amavis +# - spamassassin diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml index ac4b733..0e8690d 100644 --- a/roles/IMAP/tasks/mda.yml +++ b/roles/IMAP/tasks/mda.yml 
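Review bot: The new guard `when: "groups.all | length > 1"` on the `login_trusted_networks` task enables trusted-network login for the whole `{{ ipsec_subnet }}` as soon as the inventory has more than one host, whereas the removed condition limited it to hosts in 'IMAP' that are not also in 'webmail'; connections from `login_trusted_networks` may override their reported client IP/port and are exempt from `disable_plaintext_auth`, so the condition should express that a separate proxy host actually exists (a non-empty proxy group that does not contain the current host) rather than the size of the inventory. The task still named `Fetch Dovecot's X.509 certificate` now runs `openssl x509 -noout -pubkey` and writes `certs/public/imap.fripost.org.pub`, so its name and the `# Ensure we don't fetch private data` comment should say it extracts the public key, e.g. `- name: Fetch Dovecot's public key`. The `Start Dovecot` guard `when: not (r1.changed or r2.changed or r3.changed)` does not cover the new `/etc/dovecot/ssl/config` workaround copy, which also notifies Restart Dovecot; that only costs a redundant start before the restart, so it is a consistency point rather than a defect.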
@@ -1,62 +1,51 @@ - name: Install Postfix - apt: pkg={{ item }} - with_items: + apt: pkg={{ packages }} + vars: + packages: - postfix - - postfix-ldap + - postfix-lmdb - name: Configure Postfix - template: src=etc/postfix/main.cf.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf + template: src=etc/postfix/{{ item }}.j2 + dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 + with_items: + - main.cf + - master.cf notify: - Reload Postfix - name: Copy the transport and recipient canonical maps copy: src=etc/postfix/{{ item }} dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: # no need to reload upon change, as cleanup(8) is short-running - recipient_canonical.pcre - transport -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=lmdb owner=root group=root mode=0644 notify: - Reload Postfix - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: - munin - munin-node notify: 
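Review bot: `postfix-ldap` is dropped from the package list, but `main.cf.j2` and `master.cf.j2` are outside this hunk, so any `ldap:` lookup table still present in the rendered configuration would make the Reload Postfix handler fail with an unsupported dictionary type; a comment on the package list such as `# postfix-ldap no longer needed: no ldap: tables in this instance` would record that this was checked. The hunk's last task, the Munin plugin link, is cut off after `notify:` so its handler list is not visible here.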
diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml
index 06624dd..d70ccc9 100644
--- a/roles/IMAP/tasks/spam.yml
+++ b/roles/IMAP/tasks/spam.yml
@@ -1,63 +1,83 @@ - name: Install spamassassin - apt: pkg={{ item }} - with_items: + apt: pkg={{ packages }} + vars: + packages: # The following two lines are for the policy lookup (made by amavis) - libnet-ldap-perl - libauthen-sasl-perl - razor - spamassassin - spamc - libdbi-perl - re2c - libc6-dev - gcc - make notify: - Compile Spamassassin rules - Restart Amavis - name: Create a 'spamassassin' database mysql_db: name=spamassassin state=present encoding=latin1 collation=latin1_general_ci notify: - Copy SQL tables for spamassassin - Create SQL tables for spamassassin - meta: flush_handlers + - name: Copy SpamAssassin's configuration copy: src=etc/{{ item }} dest=/etc/{{ item }} owner=root group=root mode=0644 with_items: - - spamassassin/local.cf - spamassassin/v310.pre - spamassassin/v320.pre + register: r1 + notify: + - Restart Amavis + +- name: Copy SpamAssassin's configuration (2) + template: src=etc/{{ item }}.j2 + dest=/etc/{{ item }} + owner=root group=root + mode=0644 + with_items: + - spamassassin/local.cf + register: r2 notify: - Restart Amavis - name: Provision /etc/default/spamassassin lineinfile: dest=/etc/default/spamassassin - regexp='^(\s*#)?\s*{{ item.var }}=' - "line={{ item.var }}={{ item.value }}" + regexp='^(\\s*#)?\\s*{{ item.var }}\\s*=' + line='{{ item.var }}={{ item.value }}' owner=root group=root mode=0644 with_items: - { var: ENABLED, value: 0 } - { var: CRON, value: 1 } - name: Create a 'amavis' SQL user # This *must* be the user we run spamd as # See https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes - mysql_user2: > - name=amavis password= auth_plugin=auth_socket + mysql_user: > + name=amavis password= plugin=auth_socket priv="spamassassin.awl: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_seen: SELECT,INSERT, DELETE /spamassassin.bayes_token: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_global_vars: SELECT /spamassassin.bayes_vars: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_expire: SELECT,INSERT, DELETE" 
state=present + register: r3 notify: - Restart Amavis + +- name: Start Amavis + service: name=amavis state=started + when: not (r1.changed or r2.changed or r3.changed) + +- meta: flush_handlers |
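Review bot: The doubled backslashes in `regexp='^(\\s*#)?\\s*{{ item.var }}\\s*='` work only because Ansible's key=value argument parser decodes `\\` escapes before the value reaches lineinfile; if this task is later converted to native YAML module arguments the pattern must go back to single backslashes, so a comment above the task, `# key=value args decode \\ escapes; use single backslashes if converted to YAML args`, would prevent that regression. The new `Start Amavis` guard `when: not (r1.changed or r2.changed or r3.changed)` leaves out the `Install spamassassin` apt task, which also notifies Restart Amavis; as with the other registers this only means a redundant start before the restart. Note that main.yml in this same commit still keeps the `import_tasks: spam.yml` line commented out, so none of this file runs yet.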