From 211fdbfea6e3faf71a4f4e11e76f25d46948d528 Mon Sep 17 00:00:00 2001 From: neutron <neutron@systemli.org> Date: Wed, 18 Jul 2018 11:41:15 +0200 Subject: [PATCH] [trees] - created external reachable mailserver * mailserver accessable via ssl * domain: trees.testing * SSL cert needs to be accepted when used with thunderbird * changed vbox box name --- vagrant/Vagrantfile | 2 +- .../ansible/roles/dovecot/tasks/install.yml | 2 + .../dovecot/conf.d/10-master.conf.j2 | 6 +- .../templates/dovecot/conf.d/10-ssl.conf.j2 | 56 +++++++++++++++++++ .../dovecot/conf.d/15-mailboxes.conf.j2 | 53 ++++++++++++++++++ vagrant/ansible/roles/postfix/tasks/main.yml | 2 +- .../roles/postfix/templates/main.cf.j2 | 2 +- .../templates/mysql-virtual-mailbox-maps.cf | 2 +- 8 files changed, 118 insertions(+), 7 deletions(-) create mode 100644 vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 create mode 100644 vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2 diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile index be2837c..e2443b2 100644 --- a/vagrant/Vagrantfile +++ b/vagrant/Vagrantfile @@ -11,7 +11,7 @@ Vagrant.configure("2") do |config| config.vm.provider "virtualbox" do |v| v.memory = 1024 v.cpus = 2 - v.name = "trees-debian-testing" + v.name = "trees-debian-stretch" end config.ssh.forward_agent = true diff --git a/vagrant/ansible/roles/dovecot/tasks/install.yml b/vagrant/ansible/roles/dovecot/tasks/install.yml index 09a001e..e498851 100644 --- a/vagrant/ansible/roles/dovecot/tasks/install.yml +++ b/vagrant/ansible/roles/dovecot/tasks/install.yml @@ -62,6 +62,8 @@ - 10-master.conf - 10-mail.conf - 10-auth.conf + - 10-ssl.conf + - 15-mailboxes.conf - auth-sql.conf.ext notify: restart dovecot diff --git a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2 b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2 index d7a7df6..1e914d2 100644 
--- a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2 +++ b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2 @@ -13,11 +13,11 @@ service imap-login { inet_listener imap { - #port = 143 + port = 143 } inet_listener imaps { - #port = 993 - #ssl = yes + port = 993 + ssl = yes } # Number of connections to handle before starting a new process. Typically diff --git a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 new file mode 100644 index 0000000..1650226 --- /dev/null +++ b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 
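Review bot: Uncommenting `port = 143` opens a non-TLS IMAP listener on a host the commit describes as externally reachable, and nothing in this file says whether a client may authenticate over it in the clear; that depends on `disable_plaintext_auth` in 10-auth.conf and on `ssl = required`, which the commit sets in 10-ssl.conf.j2 but which a reader of this hunk cannot see. If 143 is meant to be STARTTLS-only, record that next to the listener, e.g. `# 143 is STARTTLS-only: 10-ssl.conf sets ssl = required, so plaintext logins are refused`; if it is not needed, leave `#port = 143` commented and expose only 993. The enclosing `service imap-login` block starts before the hunk, and the hunk's trailing context appears to be cut short in this copy.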
@@ -0,0 +1,56 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = </etc/ssl/certs/gandi_intermediate_cert.pem
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 168 + +# SSL protocols to use +ssl_protocols = !SSLv3 + +# SSL ciphers to use +ssl_cipher_list = ALL:!LOW:!RC4:!EXP:!aNULL + +# SSL crypto device to use, for valid values run "openssl engine" +#ssl_crypto_device = + +# disallow small DH parameters +ssl_dh_parameters_length = 2048 + +# prefer our order +ssl_prefer_server_ciphers = yes \ No newline at end of file diff --git a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2 b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2 new file mode 100644 index 0000000..bdd9f16 --- /dev/null +++ b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2 @@ -0,0 +1,53 @@ +## +## Mailbox definitions +## + +# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. +namespace inbox { + + #mailbox name { + # auto=create will automatically create this mailbox. + # auto=subscribe will both create and subscribe to the mailbox. + #auto = no + + # Space separated list of IMAP SPECIAL-USE attributes as specified by + # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash + #special_use = + #} + + # These mailboxes are widely used and could perhaps be created automatically: + mailbox Drafts { + auto = subscribe + special_use = \Drafts + } + mailbox Junk { + auto = subscribe + special_use = \Junk + autoexpunge = 30d + } + mailbox Trash { + auto = subscribe + special_use = \Trash + autoexpunge = 30d + } + + # For \Sent mailboxes there are two widely used names. We'll mark both of + # them as \Sent. User typically deletes one of them if duplicates are created. + mailbox Sent { + auto = subscribe + special_use = \Sent + } + mailbox "Sent Messages" { + special_use = \Sent + } + + # If you have a virtual "All messages" mailbox: + #mailbox virtual/All { + # special_use = \All + #} + + # If you have a virtual "Flagged" mailbox: + #mailbox virtual/Flagged { + # special_use = \Flagged + #} +} 
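Review bot: `ssl_protocols = !SSLv3` still admits TLS 1.0 and 1.1, and `ssl_cipher_list = ALL:!LOW:!RC4:!EXP:!aNULL` still accepts 3DES, MD5-based MACs and non-forward-secret RSA key exchange on listeners that are now reachable from outside. For the Dovecot 2.2 shipped with the stretch box this commit switches to, tighten to `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` and `ssl_cipher_list = ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!3DES:!MD5:!aNULL:!eNULL`; on Dovecot 2.3+ `ssl_protocols` is replaced by `ssl_min_protocol` and `ssl_dh_parameters_length` by a mandatory `ssl_dh = </path`, so the installed version should be confirmed before relying on these keys. The `ssl_cert`/`ssl_key` lines hard-code Debian's self-signed snakeoil pair, which is why the commit message says Thunderbird has to accept the certificate; turning them into role variables with the snakeoil paths as defaults, and saying in a comment that the default is a self-signed test certificate, lets a real certificate be supplied without editing the role.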
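Review bot: `autoexpunge = 30d` on both Junk and Trash permanently deletes mail after 30 days with no per-user opt-out, and nothing in the file explains that this is a deliberate retention policy. A comment above the two mailboxes stating the policy, and a role variable such as `autoexpunge = {{ dovecot_autoexpunge | default('30d') }}`, would make the data-loss window visible and adjustable per deployment.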
diff --git a/vagrant/ansible/roles/postfix/tasks/main.yml b/vagrant/ansible/roles/postfix/tasks/main.yml index 85b222f..58fc705 100644 --- a/vagrant/ansible/roles/postfix/tasks/main.yml +++ b/vagrant/ansible/roles/postfix/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: ensure posftix is installed +- name: ensure postfix is installed apt: pkg: "{{ item }}" state: present diff --git a/vagrant/ansible/roles/postfix/templates/main.cf.j2 b/vagrant/ansible/roles/postfix/templates/main.cf.j2 index 8d9449a..e0407af 100644 --- a/vagrant/ansible/roles/postfix/templates/main.cf.j2 +++ b/vagrant/ansible/roles/postfix/templates/main.cf.j2 @@ -30,7 +30,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -myhostname = trees.testing +myhostname = {{ postfix_mail_name | default(ansible_hostname)}} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname diff --git a/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf b/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf index 9e4046d..2cd6e74 100644 --- a/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf +++ b/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf @@ -2,4 +2,4 @@ user = {{ mysql.user }} password = {{ mysql.user_password }} hosts = 127.0.0.1 dbname = {{ mysql.database }} -query = SELECT 1 FROM virtual_users WHERE email='%s' AND deleted=0 +query = SELECT 1 FROM virtual_users WHERE email='%s' -- GitLab
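Review bot: `ansible_hostname` is the short host name, but Postfix `myhostname` is used as the HELO/EHLO identity and as the source of the default `mydomain`, so it should be fully qualified; the value this hunk removes, `trees.testing`, was. Falling back to the FQDN instead, `myhostname = {{ postfix_mail_name | default(ansible_fqdn) }}`, keeps the default sane when the variable is unset. The remainder of main.cf is outside the hunk.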
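Review bot: Dropping `AND deleted=0` from the mailbox-maps query makes Postfix accept mail for every row in `virtual_users`, including accounts that were soft-deleted, and the commit message gives no reason for the change. If the `deleted` column no longer exists, say so in a comment above the query; if it still exists, keep the filter, since Dovecot's `auth-sql.conf.ext` lookup may still reject those users and accepted mail would then bounce or sit in the queue. `%s` is quoted by Postfix's mysql client, so the change does not introduce injection, but the recipient check is now weaker than before.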