From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001 From: clarkzjw Date: Wed, 8 Feb 2023 00:40:09 -0800 Subject: fork https://github.com/mattsta/mailweb --- ansible/roles/postfix/files/postfix/master.cf | 113 ++++++++++++ ansible/roles/postfix/files/postfix/remap.sh | 9 + ansible/roles/postfix/handlers/main.yml | 13 ++ ansible/roles/postfix/tasks/main.yml | 50 ++++++ ansible/roles/postfix/templates/postfix/main.cf.j2 | 194 +++++++++++++++++++++ 5 files changed, 379 insertions(+) create mode 100644 ansible/roles/postfix/files/postfix/master.cf create mode 100755 ansible/roles/postfix/files/postfix/remap.sh create mode 100644 ansible/roles/postfix/handlers/main.yml create mode 100644 ansible/roles/postfix/tasks/main.yml create mode 100644 ansible/roles/postfix/templates/postfix/main.cf.j2 (limited to 'ansible/roles/postfix') diff --git a/ansible/roles/postfix/files/postfix/master.cf b/ansible/roles/postfix/files/postfix/master.cf new file mode 100644 index 0000000..d428c18 --- /dev/null +++ b/ansible/roles/postfix/files/postfix/master.cf @@ -0,0 +1,113 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd + -o smtpd_sasl_auth_enable=no +# for verbose connection debugging, append -v to the above args +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o tls_preempt_cipherlist=yes +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - y - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== diff --git a/ansible/roles/postfix/files/postfix/remap.sh b/ansible/roles/postfix/files/postfix/remap.sh new file mode 100755 index 0000000..86e8d73 --- /dev/null +++ b/ansible/roles/postfix/files/postfix/remap.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +here=$(dirname $0) + +MAPS="virtual" + +for map in $MAPS; do + postmap $here/$map +done diff --git a/ansible/roles/postfix/handlers/main.yml b/ansible/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..aa41be4 --- /dev/null +++ b/ansible/roles/postfix/handlers/main.yml @@ -0,0 +1,13 @@ +--- +- name: restart postfix + service: + name: postfix + state: restarted + +- name: reload postfix + service: + name: postfix + state: reloaded + +- name: rehash postfix aliases + command: /etc/postfix/remap.sh diff --git a/ansible/roles/postfix/tasks/main.yml b/ansible/roles/postfix/tasks/main.yml new file mode 100644 index 0000000..57b0601 --- /dev/null +++ b/ansible/roles/postfix/tasks/main.yml @@ -0,0 +1,50 @@ +--- +# postfix install and configuration +# note: this postfix config requires open ports: 25 and 587 +- name: install postfix + apt: + state: latest + pkg: + - postfix + - postfix-doc + - postfix-pcre + +- name: give postfix user permission to read private keys + user: + name: postfix + groups: ssl-cert + append: yes + +- name: copy postfix config + copy: + src: postfix/ + dest: /etc/postfix/ + mode: preserve + notify: + - restart postfix # NB this could be a reload instead + - rehash postfix aliases + +- name: instantiate postfix main.cf template + template: + src: postfix/main.cf.j2 + dest: /etc/postfix/main.cf + notify: + - reload postfix + + +# verify everything is running +- name: verify services are running in dependency order + service: + name: "{{ item }}" + enabled: yes + state: started + loop: + - postfix + +- name: reload if certs newish + include_role: + name: certreload + vars: + certreload: + notifiers: + - reload postfix diff --git a/ansible/roles/postfix/templates/postfix/main.cf.j2 b/ansible/roles/postfix/templates/postfix/main.cf.j2 new file mode 100644 index 0000000..b3e8cc2 --- /dev/null +++ b/ansible/roles/postfix/templates/postfix/main.cf.j2 @@ -0,0 +1,194 @@ +# Modified from https://www.c0ffee.net/blog/mail-server-guide + +smtpd_banner = $myhostname ESMTP dx Independence + +# "2" is current for postfix 3.2 configs +compatibility_level = 2 + +# disable "new mail" notifications for local unix users +biff = no + +# directory to store mail for local unix users +mail_spool_directory = /var/mail/local + +# Name of this mail server, used in the SMTP HELO for outgoing mail. Make +# sure this resolves to the same IP as your reverse DNS hostname. +myhostname = {{ network.hostname.public }} + +# Domains for which postfix will deliver local mail. Does not apply to +# virtual domains, which are configured below. Make sure to specify the FQDN +# of your sever, as well as localhost. +# Note: NEVER specify any virtual domains here!!! Those come later. +mydestination = localhost + +# Domain appended to mail sent locally from this machine - such as mail sent +# via the `sendmail` command. +myorigin = $myhostname + +# prevent spammers from searching for valid users +disable_vrfy_command = yes + +# require properly formatted email addresses - prevents a lot of spam +strict_rfc821_envelopes = yes + +# don't give any helpful info when a mailbox doesn't exist +show_user_unknown_table_name = no + +# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as +# the message size for the mail to be accepted, but has no meaning after +# that since we are using Dovecot for delivery. +message_size_limit = 268435456 +mailbox_size_limit = 0 + +# require addresses of the form "user@domain.tld" +allow_percent_hack = no +swap_bangpath = no + +# allow plus-aliasing: "user+tag@domain.tld" delivers to "user" mailbox +recipient_delimiter = + + +# path to the SSL certificate for the mail server +smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem +smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem + +# You can also specify an EC cert to try first if the clients support it. +smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem +smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem + +# Path to your trusted certificates file. Usually provided by a +# ca-certificates package or similar. +smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt + +# These two lines define how postfix will connect to other mail servers. +# "may" allows opportunistic TLS and "enabled" allows hostname lookups +# http://www.postfix.org/TLS_README.html +smtp_tls_security_level = may +smtp_dns_support_level = enabled + +# IP address used by postfix to send outgoing mail. You only need this if +# your machine has multiple IP addresses - set it to your MX address to +# satisfy your SPF record. +smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }} +smtp_bind_address6 = +inet_interfaces = 127.0.0.1,$smtp_bind_address +inet_protocols = ipv4 + +# Here we define the options for "mandatory" TLS. In our setup, TLS is only +# "mandatory" for authenticating users. I got these settings from Mozilla's +# SSL reccomentations page. +# +# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing +# connections. Do not attempt to change the default cipherlist for non- +# mandatory connections either. There are still a lot of mail servers out +# there that do not use TLS, and many that do only support old ciphers. +# Forcing TLS for everyone *will* cause you to lose mail. +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2 +smtpd_tls_mandatory_ciphers = high +tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + +# allow other mail servers to connect using TLS, but don't require it +smtpd_tls_security_level = may + +# tickets and compression have known vulnerabilities +tls_ssl_options = no_ticket, no_compression + +# yes, using 2048 with "dh1024" is the right thing to do +smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem + +# cache incoming and outgoing TLS sessions +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache + +# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's +# runtime directory that we will use for authentication. +# TODO: can also replace this with a network inet connection if dovecot opens it +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = private/auth +smtpd_sasl_type = dovecot + +# only allow authentication over TLS +smtpd_tls_auth_only = yes + +# don't allow plaintext auth methods on unencrypted connections +smtpd_sasl_security_options = noanonymous, noplaintext +# but plaintext auth is fine when using TLS +smtpd_sasl_tls_security_options = noanonymous + +# add a message header when email was recieved over TLS +smtpd_tls_received_header = yes + +# require that connecting mail servers identify themselves - this greatly +# reduces spam +smtpd_helo_required = yes + +# The following block specifies some security restrictions for incoming +# mail. The gist of it is, authenticated users and connections from +# localhost can do anything they want. Random people connecting over the +# internet are treated with more suspicion: they must have a reverse DNS +# entry and present a valid, FQDN HELO hostname. In addition, they can only +# send mail to valid mailboxes on the server, and the sender's domain must +# actually exist. +smtpd_client_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + #reject_unknown_reverse_client_hostname, + # you might want to consider: + # reject_unknown_client_hostname, + # here. This will reject all incoming connections without a reverse DNS + # entry that resolves back to the client's IP address. This is a very + # restrictive check and may reject legitimate mail. + reject_unauth_pipelining +smtpd_helo_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_invalid_helo_hostname, + reject_non_fqdn_helo_hostname, + # you might want to consider: + # reject_unknown_helo_hostname, + # here. This will reject all incoming mail without a HELO hostname that + # properly resolves in DNS. This is a somewhat restrictive check and may + # reject legitimate mail. + reject_unauth_pipelining +smtpd_sender_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_non_fqdn_sender, +# reject_unknown_sender_domain, + reject_unauth_pipelining +smtpd_relay_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!! + reject_unauth_destination + # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!! +#smtpd_recipient_restrictions = +# permit_mynetworks, +# permit_sasl_authenticated, +# reject_non_fqdn_recipient, +# reject_unknown_recipient_domain, +# reject_unauth_pipelining, +smtpd_data_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_multi_recipient_bounce, + reject_unauth_pipelining + +smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + +# deliver mail for virtual users to Dovecot's LMTP socket +# TODO: convert this to network with dovecot opening a local inet port +virtual_transport = lmtp:unix:private/dovecot-lmtp +virtual_mailbox_domains = /etc/postfix/domains + +virtual_alias_maps = hash:/etc/postfix/virtual +#virtual_alias_domains = /etc/postfix/domains + +# We'll uncomment these when we set up rspamd later: +milter_protocol = 6 +milter_default_action = accept +#smtpd_milters = unix:/var/run/rspamd/milter.sock +smtpd_milters = inet:localhost:11332 +milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} -- cgit v1.2.3