From 211fdbfea6e3faf71a4f4e11e76f25d46948d528 Mon Sep 17 00:00:00 2001
From: neutron <neutron@systemli.org>
Date: Wed, 18 Jul 2018 11:41:15 +0200
Subject: [PATCH] [trees] - created external reachable mailserver

  * mailserver accessible via SSL/TLS
  * domain: trees.testing
  * SSL cert needs to be accepted when used with thunderbird
  * changed vbox box name
---
 vagrant/Vagrantfile                           |  2 +-
 .../ansible/roles/dovecot/tasks/install.yml   |  2 +
 .../dovecot/conf.d/10-master.conf.j2          |  6 +-
 .../templates/dovecot/conf.d/10-ssl.conf.j2   | 56 +++++++++++++++++++
 .../dovecot/conf.d/15-mailboxes.conf.j2       | 53 ++++++++++++++++++
 vagrant/ansible/roles/postfix/tasks/main.yml  |  2 +-
 .../roles/postfix/templates/main.cf.j2        |  2 +-
 .../templates/mysql-virtual-mailbox-maps.cf   |  2 +-
 8 files changed, 118 insertions(+), 7 deletions(-)
 create mode 100644 vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2
 create mode 100644 vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2

diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile
index be2837c..e2443b2 100644
--- a/vagrant/Vagrantfile
+++ b/vagrant/Vagrantfile
@@ -11,7 +11,7 @@ Vagrant.configure("2") do |config|
     config.vm.provider "virtualbox" do |v|
       v.memory = 1024
       v.cpus = 2
-      v.name = "trees-debian-testing"
+      v.name = "trees-debian-stretch"
     end
 
     config.ssh.forward_agent = true
diff --git a/vagrant/ansible/roles/dovecot/tasks/install.yml b/vagrant/ansible/roles/dovecot/tasks/install.yml
index 09a001e..e498851 100644
--- a/vagrant/ansible/roles/dovecot/tasks/install.yml
+++ b/vagrant/ansible/roles/dovecot/tasks/install.yml
@@ -62,6 +62,8 @@
    - 10-master.conf
    - 10-mail.conf
    - 10-auth.conf
+   - 10-ssl.conf
+   - 15-mailboxes.conf
    - auth-sql.conf.ext
   notify: restart dovecot
 
diff --git a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2 b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2
index d7a7df6..1e914d2 100644
--- a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2
+++ b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-master.conf.j2
@@ -13,11 +13,11 @@
 
 service imap-login {
   inet_listener imap {
-    #port = 143
+    port = 143
   }
   inet_listener imaps {
-    #port = 993
-    #ssl = yes
+    port = 993
+    ssl = yes
   }
 
   # Number of connections to handle before starting a new process. Typically
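Review bot: Enabling the plaintext `imap` listener (`port = 143`) exposes an unencrypted port on a box the commit describes as externally reachable; the new 10-ssl.conf sets `ssl = required`, which should force STARTTLS before authentication, but Dovecot exempts connections matching `login_trusted_networks`, and `disable_plaintext_auth` lives in 10-auth.conf, which this patch does not touch, so it should be confirmed to be `yes`. If only IMAPS is intended, disable the listener with `port = 0` in place of `port = 143` rather than leaving 143 open. The `service imap-login` block continues past the end of the hunk.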
diff --git a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2
new file mode 100644
index 0000000..1650226
--- /dev/null
+++ b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2
@@ -0,0 +1,56 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_key  = </etc/ssl/private/ssl-cert-snakeoil.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = </etc/ssl/certs/gandi_intermediate_cert.pem
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 168
+
+# SSL protocols to use
+ssl_protocols = !SSLv3
+
+# SSL ciphers to use
+ssl_cipher_list = ALL:!LOW:!RC4:!EXP:!aNULL
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# disallow small DH parameters
+ssl_dh_parameters_length = 2048
+
+# prefer our order
+ssl_prefer_server_ciphers = yes
\ No newline at end of file
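Review bot: `ssl_protocols = !SSLv3` still permits TLS 1.0 and 1.1, and `ssl_cipher_list = ALL:!LOW:!RC4:!EXP:!aNULL` still admits 3DES and MD5-MAC suites; for an externally reachable server tighten them to `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` and `ssl_cipher_list = ALL:!LOW:!EXP:!aNULL:!RC4:!3DES:!MD5` (Thunderbird, the client named in the commit message, negotiates TLS 1.2; `ssl_protocols` is the right knob for the Dovecot 2.2 that stretch ships, `ssl_min_protocol` only exists from 2.3). The certificate and key are hard-coded to the Debian snakeoil pair although the file is a Jinja template; exposing them as `ssl_cert = <{{ dovecot_ssl_cert | default('/etc/ssl/certs/ssl-cert-snakeoil.pem') }}` (and likewise for the key) lets a real certificate be installed without editing the role, and the snakeoil default deserves a comment that it is meant for the Vagrant test box only. The commented `#ssl_ca` line still names a `gandi_intermediate_cert.pem` that nothing in this role provides, and the file has no trailing newline.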
diff --git a/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2 b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2
new file mode 100644
index 0000000..bdd9f16
--- /dev/null
+++ b/vagrant/ansible/roles/dovecot/templates/dovecot/conf.d/15-mailboxes.conf.j2
@@ -0,0 +1,53 @@
+##
+## Mailbox definitions
+##
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+
+  #mailbox name {
+    # auto=create will automatically create this mailbox.
+    # auto=subscribe will both create and subscribe to the mailbox.
+    #auto = no
+
+    # Space separated list of IMAP SPECIAL-USE attributes as specified by
+    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
+    #special_use =
+  #}
+
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+	auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    auto = subscribe
+    special_use = \Junk
+    autoexpunge = 30d
+  }
+  mailbox Trash {
+	auto = subscribe
+    special_use = \Trash
+    autoexpunge = 30d
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+	auto = subscribe
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  #mailbox virtual/All {
+  #  special_use = \All
+  #}
+
+  # If you have a virtual "Flagged" mailbox:
+  #mailbox virtual/Flagged {
+  #  special_use = \Flagged
+  #}
+}
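Review bot: `autoexpunge = 30d` on Junk and Trash permanently deletes users' mail after thirty days with no comment explaining the retention choice, and the value is hard-coded although the file is a Jinja template; make it `autoexpunge = {{ dovecot_autoexpunge | default('30d') }}` on both mailboxes and add a comment above them that expunged mail is unrecoverable. The `auto = subscribe` lines under Drafts, Trash and Sent are indented with a tab while the surrounding lines use spaces; use spaces throughout to match the rest of the file.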
diff --git a/vagrant/ansible/roles/postfix/tasks/main.yml b/vagrant/ansible/roles/postfix/tasks/main.yml
index 85b222f..58fc705 100644
--- a/vagrant/ansible/roles/postfix/tasks/main.yml
+++ b/vagrant/ansible/roles/postfix/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: ensure posftix is installed
+- name: ensure postfix is installed
   apt:
     pkg: "{{ item }}"
     state: present
diff --git a/vagrant/ansible/roles/postfix/templates/main.cf.j2 b/vagrant/ansible/roles/postfix/templates/main.cf.j2
index 8d9449a..e0407af 100644
--- a/vagrant/ansible/roles/postfix/templates/main.cf.j2
+++ b/vagrant/ansible/roles/postfix/templates/main.cf.j2
@@ -30,7 +30,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = trees.testing
+myhostname = {{ postfix_mail_name | default(ansible_hostname)}}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
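Review bot: `ansible_hostname` is the short host name, but Postfix expects `myhostname` to be fully qualified and derives `mydomain` from it by stripping the first label, so a dotless default makes `mydomain` fall back to `localdomain`; use `myhostname = {{ postfix_mail_name | default(ansible_fqdn) }}` (also spacing the closing `}}` like the other expressions in the file). The commit message names `trees.testing` as the domain, so `postfix_mail_name` presumably has to be set in the role defaults or inventory, which this patch does not show; `myorigin = /etc/mailname` is unchanged and must carry the same domain for outgoing mail to match.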
diff --git a/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf b/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf
index 9e4046d..2cd6e74 100644
--- a/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf
+++ b/vagrant/ansible/roles/postfix/templates/mysql-virtual-mailbox-maps.cf
@@ -2,4 +2,4 @@ user = {{ mysql.user }}
 password = {{ mysql.user_password }}
 hosts = 127.0.0.1
 dbname = {{ mysql.database }}
-query = SELECT 1 FROM virtual_users WHERE email='%s' AND deleted=0
+query = SELECT 1 FROM virtual_users WHERE email='%s'
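Review bot: Dropping `AND deleted=0` from the virtual-mailbox lookup means Postfix will accept mail for every row in `virtual_users`, including soft-deleted addresses, if the `deleted` column still exists; nothing in this patch removes the column and the commit message does not mention the change, so either restore the filter or state in the message why deactivated accounts should keep receiving mail. If the column has in fact been dropped, add a comment above the query noting that account deletion is now a hard delete. The `%s` placeholder is quoted by Postfix's mysql client, so the query itself is not an injection risk, but this file carries `{{ mysql.user_password }}` and the task that installs it (not visible here) should keep it owned by root, group postfix, mode 0640.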
-- 
GitLab