---

# Set up the *mail-backend* service.

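# Keystore handling lives in its own task file.
- name: Include keystore tasks
  include_tasks: keystore.yml

# All mail-backend packages are installed by one apt task; the list is a
# task-scoped var so it can be read (and edited) as a single unit.
- name: Install mail-backend packages
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      # Dovecot components and the IMAP proxy
      - dovecot-lmtpd
      - dovecot-sieve
      - dovecot-managesieved
      - dovecot-exporter
      - imapproxy
      # PAM / SSO authentication
      - libpam-authclient
      - libpam-sso
      # Spam filtering
      - spamassassin
      - spamass-milter
      - sa-compile
      - pyzor
      - auth-sasl-server
      # Perl MySQL driver — presumably for Spamassassin's MySQL storage,
      # which the DB tasks further down set up.
      - libdbd-mysql-perl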

# Postfix setup

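# Postfix needs to reach the SASL auth socket, which is group-restricted.
- name: Add postfix user to the sasl group
  user:
    name: postfix
    groups: auth-sasl-server
    # Add this group on top of postfix's existing supplementary groups
    # instead of replacing them.
    append: true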

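# Postfix runs as three instances, each configured by postfix_instance.yml.
# The empty name is presumably the default (unnamed) instance.
- name: Define the postfix instances
  set_fact:
    postfix_instances:
      - name: ""
      - name: "delivery"
      - name: "webmail"

- name: Configure each postfix instance
  include_tasks: postfix_instance.yml
  loop: "{{ postfix_instances }}"
  loop_control:
    # The included file sees the current instance as 'postfix_instance'
    # rather than 'item'.
    loop_var: postfix_instance

# Set up policyd-rate-limit for the postfix-webmail instance.
- name: Set up policyd-rate-limit for postfix-webmail
  include_tasks: policyd_rate_limit.yml
  vars:
    postfix_instance: postfix-webmail
    # Rate-limit by authenticated (SASL) user, not by sender address;
    # the exact semantics of each flag are defined in policyd_rate_limit.yml.
    limit_by_sasl: true
    limit_by_sender: false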

# Dovecot setup

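# Dovecot talks to auth-server and to dovecot-keylookupd through
# group-restricted sockets.
- name: Add dovecot user to the auth-server and keylookupd groups
  user:
    name: dovecot
    groups: auth-server,dovecot-keylookupd
    # Keep dovecot's existing supplementary groups; only add these two.
    append: true

- name: Configure the dovecot backend instance
  include_tasks: dovecot.yml
  vars:
    dovecot_instance: backend

# TODO: remove once we have upgraded to 2.3
- name: Remove the pre-2.3 dovecot stats config
  file:
    path: "/etc/dovecot/conf.d/90-stats.conf"
    state: absent

# Service definition for auth-server (services.d). Root-owned and readable
# only by the auth-server group; auth-server is restarted when it changes.
- name: Configure auth-server dovecot service
  template:
    src: auth-server/dovecot.yml.j2
    dest: /etc/auth-server/services.d/dovecot.yml
    owner: root
    group: auth-server
    mode: "0750"
  notify: restart auth-server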

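- name: Create dovecot sieve directory
  file:
    path: /var/lib/dovecot/sieve
    state: directory
    mode: "0755"

# The default filters are listed once here because the compile step below
# needs to pair each filename with the result of its copy task.
- name: Define the default sieve filters
  set_fact:
    sieve_filters:
      - default.sieve
      - report-spam.sieve
      - report-ham.sieve

- name: Install default sieve filters
  copy:
    src: "{{ item }}"
    dest: "/var/lib/dovecot/sieve/{{ item }}"
    mode: "0644"
  loop: "{{ sieve_filters }}"
  register: dovecot_sieve_scripts

# This task will fail on the first installation, as Dovecot hasn't
# been reloaded yet, and it does not know about our sieve plugins.
# Only filters that changed above are recompiled: sieve_filters is zipped
# pairwise with the registered copy results, so item.0 is the filename
# and item.1 its copy result.
# NOTE(review): ignore_errors masks every sievec failure, not just the
# first-run one — a later compile error would go unnoticed.
- name: Compile the default sieve filters
  shell: "env HOME=/tmp sievec /var/lib/dovecot/sieve/{{ item.0 }}"
  when: "item.1.changed"
  loop: "{{ sieve_filters | zip(dovecot_sieve_scripts.results) | list }}"
  ignore_errors: true

# Helper scripts invoked by the sieve filters; these must be executable.
- name: Create dovecot sieve scripts directory
  file:
    path: /usr/lib/dovecot/sieve
    state: directory
    mode: "0755"

- name: Install dovecot sieve scripts
  copy:
    src: "{{ item }}"
    dest: "/usr/lib/dovecot/sieve/{{ item }}"
    mode: "0755"
  loop:
    - "learn-spam.sh"
    - "learn-ham.sh"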

# Copy a few other files that live outside the /etc/dovecot tree or that
# need special permissions.

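- name: Install the dovecot PAM configuration
  template:
    src: templates/dovecot.pam
    dest: /etc/pam.d/dovecot

# Read-only sysctl drop-in; the handler applies it without a reboot.
- name: Tweak inotify instances for dovecot backend
  copy:
    src: files/dovecot-backend.sysctl
    dest: /etc/sysctl.d/dovecot-backend.conf
    mode: "0444"
  notify: reload sysctl

- name: Setup dovecot-purge cron job
  copy:
    src: dovecot-purge.cron
    dest: /etc/cron.d/dovecot-purge

# Set up imapproxy

- name: Configure imapproxy
  template:
    src: imapproxy.conf.j2
    dest: /etc/imapproxy.conf
  notify: restart imapproxy

# Set up the instance of auth-sasl-server for postfix-webmail, and the
# associated systemd units. Make the Docker webmail service depend on
# the authentication socket.
- name: Create the drop-in directory for the webmail docker unit
  file:
    path: /etc/systemd/system/docker-mail-backend-http.service.d
    state: directory

# NOTE(review): a systemd drop-in only takes effect after a daemon-reload;
# nothing in this task triggers one — confirm sasl-auth.yml or a handler
# covers it.
- name: Order the webmail docker unit after the SASL auth socket
  copy:
    dest: /etc/systemd/system/docker-mail-backend-http.service.d/sasl.conf
    content: "[Unit]\nAfter=auth-sasl-server@webmail.socket\n"

- name: Set up auth-sasl-server for webmail
  include_tasks: sasl-auth.yml
  vars:
    instance: webmail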

# Set up the local 'mail' mysql instance, used to store Roundcube and
# Spamassassin user-specific data.

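# Dedicated 'mail' instance on port 3308 (metrics on 9308). Its socket,
# /var/run/mariadb-mail/server.sock, is what the mysql_* tasks below use.
- name: Set up the local mail mariadb instance
  include_role:
    name: mariadb
  vars:
    mariadb_instance: mail
    mariadb_port: 3308
    mariadb_metrics_port: 9308
    mariadb_settings:
      # No binary log for this single-node, local-only instance.
      skip-log-bin: true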

# Spamassassin setup

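# The config tree is mirrored from templates/spamassassin/ in two passes
# over the same filetree: directories first, then the rendered files, so
# every target directory exists before a file is written into it.
- name: Install Spamassassin config (dirs)
  file:
    path: "/etc/spamassassin/{{ item.path }}"
    state: directory
    owner: root
    group: debian-spamd
    mode: "0750"
  with_filetree: "templates/spamassassin/"
  when: item.state == 'directory'

- name: Install Spamassassin config (files)
  template:
    src: "{{ item.src }}"
    dest: "/etc/spamassassin/{{ item.path }}"
    owner: root
    group: debian-spamd
    mode: "0640"
  with_filetree: "templates/spamassassin/"
  when: item.state == 'file'
  notify: "reload spamassassin"

- name: Install Spamassassin defaults
  copy:
    src: spamassassin.default
    dest: /etc/default/spamassassin
  notify: "reload spamassassin"

- name: Install the Spamassassin openphish cron job
  template:
    src: spamassassin-openphish.cron.j2
    dest: /etc/cron.d/spamassassin-openphish

# The cleanup script is executable; the cron entry next to it runs it.
- name: Install the Spamassassin txrep cleanup script
  template:
    src: spamassassin-cleanup-txrep.sh.j2
    dest: /usr/local/bin/spamassassin-cleanup-txrep.sh
    mode: "0755"

- name: Install the Spamassassin txrep cleanup cron job
  copy:
    src: spamassassin-cleanup-txrep.cron
    dest: /etc/cron.d/spamassassin-cleanup-txrep

- name: Install spamass-milter defaults
  copy:
    src: spamass-milter.default
    dest: /etc/default/spamass-milter
  notify: "reload spamass-milter"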

# Spamassassin's per-user data goes in the local 'mail' mariadb instance.
# The grant is created for both localhost and '%' (any host); the task
# itself authenticates over the instance's unix socket.
# NOTE(review): the '%' grant is only as restricted as the reachability of
# port 3308 — confirm the instance is not exposed beyond host/containers.
- name: Create Spamassassin MySQL user
  mysql_user:
    state: present
    name: spamassassin
    host: '{{ item }}'
    # spamassassin_db_password is expected to come from the inventory or
    # a vault — TODO confirm where it is defined.
    password: '{{ spamassassin_db_password }}'
    priv: 'ai_spam.*:ALL'
    login_unix_socket: '/var/run/mariadb-mail/server.sock'
  loop: ['localhost', '%']

- name: Create Spamassassin MySQL database
  mysql_db:
    state: present
    name: ai_spam
    login_unix_socket: '/var/run/mariadb-mail/server.sock'
  register: spamassassin_mysql_db

# The schema is loaded only when the database was just created. A shell is
# needed for the stdin redirect; mysql-mail is presumably a wrapper that
# connects to this instance.
- name: Initialize Spamassassin MySQL database
  shell: "/usr/local/bin/mysql-mail ai_spam < /etc/spamassassin/schema.sql"
  when: spamassassin_mysql_db.changed

# Pyzor state lives under spamassassin's home directory.
# NOTE(review): no owner/mode is given, so the directory is created by
# root with the default umask — confirm the spamd user can read it.
- name: Create .pyzor dir
  file:
    state: directory
    path: '/var/lib/spamassassin/.pyzor'

- name: Configure Pyzor
  copy:
    dest: '/var/lib/spamassassin/.pyzor/servers'
    content: "public.pyzor.org:24441\n"

# Roundcube

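# Roundcube's data goes in the same local 'mail' mariadb instance, with the
# same localhost + '%' host pattern as the Spamassassin user.
# NOTE(review): '%' allows any host — confirm port 3308 is not reachable
# from outside the host/containers.
- name: Create Roundcube MySQL user
  mysql_user:
    name: roundcube
    host: "{{ item }}"
    # roundcube_db_password is expected to come from the inventory or a
    # vault — TODO confirm where it is defined.
    password: "{{ roundcube_db_password }}"
    login_unix_socket: "/var/run/mariadb-mail/server.sock"
    priv: "ai_roundcube.*:ALL"
    state: present
  loop:
    - localhost
    - "%"

- name: Create Roundcube MySQL database
  mysql_db:
    name: ai_roundcube
    state: present
    login_unix_socket: "/var/run/mariadb-mail/server.sock"

# The config directory is readable by the docker-mail-backend group
# (presumably the webmail container's group) and by nobody else.
- name: Create /etc/roundcube
  file:
    path: "/etc/roundcube"
    state: directory
    owner: root
    group: docker-mail-backend
    mode: "0750"

# Render every file under templates/roundcube/ into /etc/roundcube with the
# same ownership as the directory. Unlike the Spamassassin tasks there is
# no directory pass, so templates/roundcube/ is assumed to be flat.
# NOTE(review): no handler is notified on change — confirm the webmail
# service picks up a new config without a restart.
- name: Install Roundcube config
  template:
    src: "{{ item.src }}"
    dest: "/etc/roundcube/{{ item.path }}"
    owner: root
    group: docker-mail-backend
    mode: "0640"
  with_filetree: "templates/roundcube/"
  when: item.state == 'file'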

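- name: Install default sieve filter for Roundcube
  copy:
    src: default.sieve
    dest: /etc/roundcube/default.sieve
    mode: "0644"

# Cache, log and temp directories are owned by and private to the
# docker-mail-backend user. The empty item creates /var/lib/roundcube itself.
- name: Create Roundcube cache dir
  file:
    path: "/var/lib/roundcube/{{ item }}"
    state: directory
    owner: docker-mail-backend
    group: docker-mail-backend
    mode: "0700"
  loop:
    - ""
    - logs
    - temp

# Defence in depth: an Apache-style .htaccess denying web access to the
# logs and temp directories, should they ever end up under a document root.
- name: Create .htaccess files in Roundcube cache dirs
  copy:
    dest: "/var/lib/roundcube/{{ item }}/.htaccess"
    content: "Require all denied"
  loop:
    - logs
    - temp

# 32 random bytes from /dev/urandom. 'creates' makes the task idempotent so
# the key is never regenerated on later runs.
- name: Create Roundcube SSO session key
  shell: "dd if=/dev/urandom of=/etc/roundcube/sso_session.key bs=32 count=1"
  args:
    creates: /etc/roundcube/sso_session.key

# dd creates the key with the default umask, which can leave it
# world-readable; pin the same ownership and mode used for the rest of the
# Roundcube config so only root and the docker-mail-backend group can read it.
- name: Restrict permissions on the Roundcube SSO session key
  file:
    path: /etc/roundcube/sso_session.key
    owner: root
    group: docker-mail-backend
    mode: "0640"

- name: Install roundcube maintenance cron job
  copy:
    src: roundcube.cron
    dest: "/etc/cron.d/roundcube"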

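# Account automation hooks for the mail backend live in their own role.
- name: Include the account-automation mail backend role
  include_role:
    name: account-automation-backend-mail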