5 files changed, 379 insertions, 0 deletions

diff --git a/ansible/roles/postfix/files/postfix/master.cf b/ansible/roles/postfix/files/postfix/master.cf
new file mode 100644
index 0000000..d428c18
--- /dev/null
+++ b/ansible/roles/postfix/files/postfix/master.cf
@@ -0,0 +1,113 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+    -o smtpd_sasl_auth_enable=no
+# for verbose connection debugging, append -v to the above args
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+submission inet n       -       n       -       -       smtpd
+    -o smtpd_tls_security_level=encrypt
+    -o tls_preempt_cipherlist=yes
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_tls_auth_only=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
diff --git a/ansible/roles/postfix/files/postfix/remap.sh b/ansible/roles/postfix/files/postfix/remap.sh
new file mode 100755
index 0000000..86e8d73
--- /dev/null
+++ b/ansible/roles/postfix/files/postfix/remap.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+here=$(dirname $0)
+
+MAPS="virtual"
+
+for map in $MAPS; do
+  postmap $here/$map
+done
diff --git a/ansible/roles/postfix/handlers/main.yml b/ansible/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..aa41be4
--- /dev/null
+++ b/ansible/roles/postfix/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded
+
+- name: rehash postfix aliases
+  command: /etc/postfix/remap.sh
diff --git a/ansible/roles/postfix/tasks/main.yml b/ansible/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..57b0601
--- /dev/null
+++ b/ansible/roles/postfix/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# postfix install and configuration
+# note: this postfix config requires open ports: 25 and 587
+- name: install postfix
+  apt:
+    state: latest
+    pkg:
+      - postfix
+      - postfix-doc
+      - postfix-pcre
+
+- name: give postfix user permission to read private keys
+  user:
+    name: postfix
+    groups: ssl-cert
+    append: yes
+
+- name: copy postfix config
+  copy:
+    src: postfix/
+    dest: /etc/postfix/
+    mode: preserve
+  notify:
+  - restart postfix # NB this could be a reload instead
+  - rehash postfix aliases
+
+- name: instantiate postfix main.cf template
+  template:
+    src: postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
+  notify:
+  - reload postfix
+
+
+# verify everything is running
+- name: verify services are running in dependency order
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  loop:
+    - postfix
+
+- name: reload if certs newish
+  include_role:
+    name: certreload
+  vars:
+    certreload:
+      notifiers:
+        - reload postfix
diff --git a/ansible/roles/postfix/templates/postfix/main.cf.j2 b/ansible/roles/postfix/templates/postfix/main.cf.j2
new file mode 100644
index 0000000..b3e8cc2
--- /dev/null
+++ b/ansible/roles/postfix/templates/postfix/main.cf.j2
@@ -0,0 +1,194 @@
+# Modified from https://www.c0ffee.net/blog/mail-server-guide
+
+smtpd_banner = $myhostname ESMTP dx Independence
+
+# "2" is current for postfix 3.2 configs
+compatibility_level = 2
+
+# disable "new mail" notifications for local unix users
+biff = no
+
+# directory to store mail for local unix users
+mail_spool_directory = /var/mail/local
+
+# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
+# sure this resolves to the same IP as your reverse DNS hostname.
+myhostname = {{ network.hostname.public }}
+
+# Domains for which postfix will deliver local mail. Does not apply to
+# virtual domains, which are configured below. Make sure to specify the FQDN
+# of your sever, as well as localhost.
+# Note: NEVER specify any virtual domains here!!! Those come later.
+mydestination = localhost
+
+# Domain appended to mail sent locally from this machine - such as mail sent
+# via the `sendmail` command.
+myorigin = $myhostname
+
+# prevent spammers from searching for valid users
+disable_vrfy_command = yes
+
+# require properly formatted email addresses - prevents a lot of spam
+strict_rfc821_envelopes = yes
+
+# don't give any helpful info when a mailbox doesn't exist
+show_user_unknown_table_name = no
+
+# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
+# the message size for the mail to be accepted, but has no meaning after
+# that since we are using Dovecot for delivery.
+message_size_limit = 268435456
+mailbox_size_limit = 0
+
+# require addresses of the form "[email protected]"
+allow_percent_hack = no
+swap_bangpath = no
+
+# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
+recipient_delimiter = +
+
+# path to the SSL certificate for the mail server
+smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
+smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
+
+# You can also specify an EC cert to try first if the clients support it.
+smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
+smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
+
+# Path to your trusted certificates file. Usually provided by a
+# ca-certificates package or similar.
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+
+# These two lines define how postfix will connect to other mail servers.
+# "may" allows opportunistic TLS and "enabled" allows hostname lookups
+# http://www.postfix.org/TLS_README.html
+smtp_tls_security_level = may
+smtp_dns_support_level = enabled
+
+# IP address used by postfix to send outgoing mail. You only need this if
+# your machine has multiple IP addresses - set it to your MX address to
+# satisfy your SPF record.
+smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
+smtp_bind_address6 =
+inet_interfaces = 127.0.0.1,$smtp_bind_address
+inet_protocols = ipv4
+
+# Here we define the options for "mandatory" TLS. In our setup, TLS is only
+# "mandatory" for authenticating users. I got these settings from Mozilla's
+# SSL reccomentations page.
+#
+# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
+# connections. Do not attempt to change the default cipherlist for non-
+# mandatory connections either. There are still a lot of mail servers out
+# there that do not use TLS, and many that do only support old ciphers.
+# Forcing TLS for everyone *will* cause you to lose mail.
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
+smtpd_tls_mandatory_ciphers = high
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+
+# allow other mail servers to connect using TLS, but don't require it
+smtpd_tls_security_level = may
+
+# tickets and compression have known vulnerabilities
+tls_ssl_options = no_ticket, no_compression
+
+# yes, using 2048 with "dh1024" is the right thing to do
+smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
+
+# cache incoming and outgoing TLS sessions
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
+smtp_tls_session_cache_database  = btree:${data_directory}/smtp_tlscache
+
+# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
+# runtime directory that we will use for authentication.
+# TODO: can also replace this with a network inet connection if dovecot opens it
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = private/auth
+smtpd_sasl_type = dovecot
+
+# only allow authentication over TLS
+smtpd_tls_auth_only = yes
+
+# don't allow plaintext auth methods on unencrypted connections
+smtpd_sasl_security_options = noanonymous, noplaintext
+# but plaintext auth is fine when using TLS
+smtpd_sasl_tls_security_options = noanonymous
+
+# add a message header when email was recieved over TLS
+smtpd_tls_received_header = yes
+
+# require that connecting mail servers identify themselves - this greatly
+# reduces spam
+smtpd_helo_required = yes
+
+# The following block specifies some security restrictions for incoming
+# mail. The gist of it is, authenticated users and connections from
+# localhost can do anything they want. Random people connecting over the
+# internet are treated with more suspicion: they must have a reverse DNS
+# entry and present a valid, FQDN HELO hostname. In addition, they can only
+# send mail to valid mailboxes on the server, and the sender's domain must
+# actually exist.
+smtpd_client_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  #reject_unknown_reverse_client_hostname,
+  # you might want to consider:
+  #  reject_unknown_client_hostname,
+  # here. This will reject all incoming connections without a reverse DNS
+  # entry that resolves back to the client's IP address. This is a very
+  # restrictive check and may reject legitimate mail.
+  reject_unauth_pipelining
+smtpd_helo_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_invalid_helo_hostname,
+  reject_non_fqdn_helo_hostname,
+  # you might want to consider:
+  #  reject_unknown_helo_hostname,
+  # here. This will reject all incoming mail without a HELO hostname that
+  # properly resolves in DNS. This is a somewhat restrictive check and may
+  # reject legitimate mail.
+  reject_unauth_pipelining
+smtpd_sender_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_non_fqdn_sender,
+#  reject_unknown_sender_domain,
+  reject_unauth_pipelining
+smtpd_relay_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
+  reject_unauth_destination
+  # !!!      DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES      !!!
+#smtpd_recipient_restrictions =
+#  permit_mynetworks,
+#  permit_sasl_authenticated,
+#  reject_non_fqdn_recipient,
+#  reject_unknown_recipient_domain,
+#  reject_unauth_pipelining,
+smtpd_data_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_multi_recipient_bounce,
+  reject_unauth_pipelining
+
+smtpd_recipient_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination
+
+# deliver mail for virtual users to Dovecot's LMTP socket
+# TODO: convert this to network with dovecot opening a local inet port
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = /etc/postfix/domains
+
+virtual_alias_maps = hash:/etc/postfix/virtual
+#virtual_alias_domains = /etc/postfix/domains
+
+# We'll uncomment these when we set up rspamd later:
+milter_protocol = 6
+milter_default_action = accept
+#smtpd_milters = unix:/var/run/rspamd/milter.sock
+smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}