Merge branch 'master' of gitlab.com:ispmail/ispmail-buster-ansible

ansible/group_vars/all

@@ -2,9 +2,16 @@
 # Set this to true to create a john@example.org account with password 'summersun'
 ispmail_populate_test_data: true
 
+# Set the host name that will be used in the URL for webmail.
+# Make sure its properly set in your DNS zone.
+ispmail_fqdn: yoda.workaround.org
+
 # MySQL password for read-only user
 ispmail_mysql_mailserver_password: ChangeMeServer
 
+# MySQL password for read-write user
+ispmail_mysql_mailadmin_password: ChangeMeAdmin
+
 # MySQL password for administrative root user
 ispmail_mysql_root_password: ChangeMeRoot
 

ansible/hosts

@@ -1 +1,2 @@
-localhost ansible_connection=local
+localhost ansible_connection=local
+yoda.workaround.org

ansible/ispmail.yml

@@ -4,20 +4,27 @@
 
 - hosts: all
   tasks:
-  - name: "Checking operating system version"
-    assert:
-      that: ansible_distribution_release == 'buster'
-      fail_msg: 'This Ansible playbook is only supported on Debian Buster.'
-      success_msg: 'Debian Buster found - that makes me happy.'
+    - name: "Checking operating system version"
+      assert:
+        that: ansible_distribution_release == 'buster'
+        fail_msg: "This Ansible playbook is only supported on Debian Buster."
+        success_msg: "Debian Buster found - that makes me happy."
 
 - hosts: all
   roles:
-  #- dumpvars
-  - ispmail-packages
-  - ispmail-certificate
-  - ispmail-database
-  - ispmail-postfix
-  - ispmail-dovecot
-#  - ispmail-webmail
-  - ispmail-webmail-apache-horde
-  - ispmail-tests
+    #- dumpvars
+    - role: ispmail-packages
+      tags: packages
+    - role: ispmail-certificate
+      tags: certificate
+    - role: ispmail-database
+      tags: database
+    - role: ispmail-postfix
+      tags: postfix
+    - role: ispmail-dovecot
+      tags: dovecot
+    - role: ispmail-webmail-apache-roundcube
+      tags: roundcube
+    #  - ispmail-webmail-apache-horde
+    #- ispmail-tests
+

ansible/roles/ispmail-certificate/tasks/main.yml

@@ -12,4 +12,3 @@
     creates: /etc/ssl/certs/mailserver.pem
 - name: Restrict access permissions of the private key
   file: path=/etc/ssl/private/mailserver.pem mode=0640
-

ansible/roles/ispmail-database/files/schema.sql

@@ -9,6 +9,7 @@ CREATE TABLE IF NOT EXISTS `virtual_users` (
   `domain_id` int(11) NOT NULL,
   `password` varchar(150) NOT NULL,
   `email` varchar(100) NOT NULL,
+  `quota` int(11) NOT NULL DEFAULT 0,
   PRIMARY KEY (`id`),
   UNIQUE KEY `email` (`email`),
   FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE

ansible/roles/ispmail-database/files/test.sql

@@ -12,7 +12,7 @@ REPLACE INTO `mailserver`.`virtual_users` (
       `email`
 )
 VALUES (
-      '1', '1', CONCAT('{PLAIN-MD5}', MD5( 'summersun' )) , 'john@example.org'
+      '1', '1', '{BLF-CRYPT}$2y$05$m.GdQNMyUFNG0vPsaXxSB.0ZQqZhe1e9Un841oBcWi6U6HRF2Kmky', 'john@example.org'
 );
 REPLACE INTO `mailserver`.`virtual_aliases` (
       `id`,

ansible/roles/ispmail-database/tasks/main.yml

@@ -1,62 +1,64 @@
 ---
 - name: Installing required Python mysqldb module for Ansible to manage databases
-#  apt: name=python-mysqldb
+  #  apt: name=python-mysqldb
   apt: name=python-pymysql
 
-- name: Set a new root password
-  mysql_user:
-    check_implicit_admin: yes
-    user: root
-    password: "{{ ispmail_mysql_root_password }}"
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-    host: "{{ item }}"
-  with_items:
-    - localhost
-    - 127.0.0.1
+# - name: Create .my.cnf
+#   template:
+#     src: "root-my-cnf.j2"
+#     dest: "/root/.my.cnf"
+#     owner: root
+#     group: root
+#     mode: 0600
 
-- name: Create .my.cnf
-  template:
-   src: "root-my-cnf.j2"
-   dest: "/root/.my.cnf"
-   owner: root
-   group: root
-   mode: 0600
+# - name: Set a new root password
+#   mysql_user:
+#     check_implicit_admin: yes
+#     user: root
+#     password: "{{ ispmail_mysql_root_password }}"
+#     login_unix_socket: /var/run/mysqld/mysqld.sock
+#     host: "{{ item }}"
+#   with_items:
+#     - localhost
+#     - 127.0.0.1
 
 - name: creating mailserver MySQL database
-  #become: true
   mysql_db:
+    login_unix_socket: /var/run/mysqld/mysqld.sock
     name: mailserver
-
-# - name: creating Roundcube MySQL database
-#   mysql_db: 
-#     name: roundcube
 - name: copying MySQL database schema to server
-  copy: 
-    src: schema.sql 
+  copy:
+    src: schema.sql
     dest: /tmp
 - name: setting up SQL schema of mailserver database
-  mysql_db: 
-    name: mailserver 
-    state: import 
+  mysql_db:
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+    name: mailserver
+    state: import
     target: /tmp/schema.sql
-- name: creating MySQL user to read the mailserver database
-  mysql_user: 
-    name: mailuser 
-    password: "{{ispmail_mysql_mailuser_password}}"
+- name: creating MySQL user mailadmin
+  mysql_user:
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+    name: mailadmin
+    password: "{{ispmail_mysql_mailadmin_password}}"
     priv: mailserver.*:SELECT,INSERT,UPDATE,DELETE
-# - name: creating MySQL user for roundcube
-#   mysql_user: 
-#     name: roundcube 
-#     password: "{{ispmail_mysql_roundcube_password}}"
-#     priv: roundcube.*:ALL
+    host: localhost
+- name: creating MySQL user to read the mailserver database
+  mysql_user:
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+    name: mailserver
+    password: "{{ispmail_mysql_mailserver_password}}"
+    priv: mailserver.*:SELECT
+    host: 127.0.0.1
 - name: copying MySQL test data to server
-  copy: 
+  copy:
     src: test.sql
     dest: /tmp
   when: ispmail_populate_test_data == true
 - name: populating the database with test data
-  mysql_db: 
-    name: mailserver 
-    state: import 
+  mysql_db:
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+    name: mailserver
+    state: import
     target: /tmp/test.sql
   when: ispmail_populate_test_data == true

ansible/roles/ispmail-dovecot/files/10-auth.conf

@@ -0,0 +1,128 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain login
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext

ansible/roles/ispmail-dovecot/files/10-mail.conf

@@ -28,7 +28,7 @@
 # <doc/wiki/MailLocation.txt>
 #
 #mail_location = mbox:~/mail:INBOX=/var/mail/%u
-mail_location = maildir:/var/vmail/%d/%n/Maildir
+mail_location = maildir:~/Maildir
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -47,12 +47,11 @@ namespace inbox {
   # Hierarchy separator to use. You should use the same separator for all
   # namespaces or some clients get confused. '/' is usually a good one.
   # The default however depends on the underlying mail storage format.
-  #separator =
   separator = .
 
   # Prefix required to access this namespace. This needs to be different for
   # all namespaces. For example "Public/".
-  #prefix =
+  #prefix = 
 
   # Physical location of the mailbox. This is in same format as
   # mail_location, which is also the default for it.
@@ -78,14 +77,7 @@ namespace inbox {
   # namespace handles them (empty prefix should always have this as "yes")
   #subscriptions = yes
 
-#  mailbox INBOX.Junk {
-#    auto = subscribe # autocreate and autosubscribe the Junk mailbox
-#    special_use = \Junk
-#  }
-#  mailbox INBOX.Trash {
-#    auto = subscribe # autocreate and autosubscribe the Trash mailbox
-#    special_use = \Trash
-#  }
+  # See 15-mailboxes.conf for definitions of special mailboxes.
 }
 
 # Example shared namespace configuration
@@ -120,7 +112,7 @@ namespace inbox {
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
-#mail_privileged_group =
+mail_privileged_group = mail
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be
@@ -135,10 +127,22 @@ namespace inbox {
 # or ~user/.
 #mail_full_filesystem_access = no
 
-# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
-# soon intended to be used by METADATA as well.
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
 #mail_attribute_dict =
 
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment". 
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin = 
+
 ##
 ## Mail processes
 ##
@@ -162,7 +166,10 @@ namespace inbox {
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
 #lock_method = fcntl
 
-# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
 #mail_temp_dir = /tmp
 
 # Valid UID range for users, defaults to 500 and above. This is mostly
@@ -190,7 +197,7 @@ namespace inbox {
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs =
+#valid_chroot_dirs = 
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -198,7 +205,7 @@ namespace inbox {
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot =
+#mail_chroot = 
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -209,7 +216,7 @@ namespace inbox {
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins =
+mail_plugins = quota
 
 ##
 ## Mailbox handling optimizations
@@ -217,7 +224,16 @@ namespace inbox {
 
 # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
 # also required for IMAP NOTIFY extension to be enabled.
-#mailbox_list_index = no
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
 
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
@@ -226,7 +242,7 @@ namespace inbox {
 
 # When IDLE command is running, mailbox is checked once in a while to see if
 # there are any new mails or other changes. This setting defines the minimum
-# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# time to wait between those checks. Dovecot can also use inotify and
 # kqueue to find out immediately when changes occur.
 #mailbox_idle_check_interval = 30 secs
 
@@ -245,6 +261,19 @@ namespace inbox {
 # These should exist only after Dovecot dies in the middle of saving mails.
 #mail_temp_scan_interval = 1w
 
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+  # If folder vsize calculation requires opening more than this many mails from
+  # disk (i.e. mail sizes aren't in cache already), return failure and finish
+  # the calculation via indexer process. Disabled by default. This setting must
+  # be 0 for indexer-worker processes.
+  #mail_vsize_bg_after_count = 0
+}
+
 ##
 ## Maildir-specific settings
 ##
@@ -315,7 +344,7 @@ namespace inbox {
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
 # commands.
 #mbox_dirty_syncs = yes
 
@@ -344,7 +373,7 @@ namespace inbox {
 ##
 
 # Maximum dbox file size until it's rotated.
-#mdbox_rotate_size = 2M
+#mdbox_rotate_size = 10M
 
 # Maximum dbox file age until it's rotated. Typically in days. Day begins
 # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
@@ -380,3 +409,13 @@ namespace inbox {
 # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
 # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
 #mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+#   add-flags-on-save - Add the keywords when saving new mails.
+#   content-type=type or !type - Include/exclude content type. Excluding will
+#     never consider the matched MIME part as attachment. Including will only
+#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =

ansible/roles/ispmail-dovecot/files/10-master.conf

@@ -45,6 +45,12 @@ service pop3-login {
   }
 }
 
+service submission-login {
+  inet_listener submission {
+    #port = 587
+  }
+}
+
 service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
@@ -56,7 +62,7 @@ service lmtp {
   #inet_listener lmtp {
     # Avoid making LMTP visible for the entire internet
     #address =
-    #port =
+    #port = 
   #}
 }
 
@@ -74,6 +80,11 @@ service pop3 {
   #process_limit = 1024
 }
 
+service submission {
+  # Max. number of SMTP Submission processes (connections)
+  #process_limit = 1024
+}
+
 service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
@@ -88,19 +99,17 @@ service auth {
   # To give the caller full permissions to lookup all users, set the mode to
   # something else than 0666 and Dovecot lets the kernel enforce the
   # permissions (e.g. 0777 allows everyone full permissions).
-  unix_listener auth-userdb {
-    #mode = 0666
-    #user =
-    #group =
-  }
-
-  # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
-    mode = 0666
+    mode = 0660
     user = postfix
     group = postfix
   }
 
+  # Postfix smtp-auth
+  #unix_listener /var/spool/postfix/private/auth {
+  #  mode = 0666
+  #}
+
   # Auth process is run as this user.
   #user = $default_internal_user
 }
@@ -117,7 +126,7 @@ service dict {
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
   unix_listener dict {
     #mode = 0600
-    #user =
-    #group =
+    #user = 
+    #group = 
   }
 }

ansible/roles/ispmail-dovecot/files/15-mailboxes.conf

@@ -1,50 +0,0 @@
-##
-## Mailbox definitions
-##
-
-# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
-namespace inbox {
-
-  #mailbox name {
-    # auto=create will automatically create this mailbox.
-    # auto=subscribe will both create and subscribe to the mailbox.
-    #auto = no
-
-    # Space separated list of IMAP SPECIAL-USE attributes as specified by
-    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
-    #special_use =
-  #}
-
-  # These mailboxes are widely used and could perhaps be created automatically:
-  #mailbox Drafts {
-  #  special_use = \Drafts
-  #}
-  mailbox INBOX.Junk {
-    auto = subscribe
-    special_use = \Junk
-  }
-  mailbox INBOX.Trash {
-    auto = subscribe
-    special_use = \Trash
-  }
-
-
-  # For \Sent mailboxes there are two widely used names. We'll mark both of
-  # them as \Sent. User typically deletes one of them if duplicates are created.
-  mailbox INBOX.Sent {
-    special_use = \Sent
-  }
-  #mailbox "Sent Messages" {
-  #  special_use = \Sent
-  #}
-
-  # If you have a virtual "All messages" mailbox:
-  #mailbox virtual/All {
-  #  special_use = \All
-  #}
-
-  # If you have a virtual "Flagged" mailbox:
-  #mailbox virtual/Flagged {
-  #  special_use = \Flagged
-  #}
-}

ansible/roles/ispmail-dovecot/files/20-lmtp.conf

@@ -13,8 +13,14 @@
 # Verify quota before replying to RCPT TO. This adds a small overhead.
 #lmtp_rcpt_check_quota = no
 
+# Which recipient address to use for Delivered-To: header and Received:
+# header. The default is "final", which is the same as the one given to
+# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
+# parameter, "none" uses nothing. Note that "none" is currently always used
+# when a mail has multiple recipients.
+#lmtp_hdr_delivery_address = final
+
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins
   mail_plugins = $mail_plugins sieve
 }

ansible/roles/ispmail-dovecot/files/90-quota.conf

@@ -0,0 +1,101 @@
+##
+## Quota configuration.
+##
+
+# Note that you also have to enable quota plugin in mail_plugins setting.
+# <doc/wiki/Quota.txt>
+
+##
+## Quota limits
+##
+
+# Quota limits are set using "quota_rule" parameters. To get per-user quota
+# limits, you can set/override them by returning "quota_rule" extra field
+# from userdb. It's also possible to give mailbox-specific limits, for example
+# to give additional 100 MB when saving to Trash:
+
+plugin {
+  #quota_rule = *:storage=1G
+  #quota_rule2 = Trash:storage=+100M
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
+
+  # Quota plugin can also limit the maximum accepted mail size.
+  #quota_max_mail_size = 100M
+}
+
+##
+## Quota warnings
+##
+
+# You can execute a given command when user exceeds a specified quota limit.
+# Each quota root has separate limits. Only the command for the first
+# exceeded limit is executed, so put the highest limit first.
+# The commands are executed via script service by connecting to the named
+# UNIX socket (quota-warning below).
+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
+
+plugin {
+  #quota_warning = storage=95%% quota-warning 95 %u
+  #quota_warning2 = storage=80%% quota-warning 80 %u
+}
+
+# Example quota-warning service. The unix listener's permissions should be
+# set in a way that mail processes can connect to it. Below example assumes
+# that mail processes run as vmail user. If you use mode=0666, all system users
+# can generate quota warnings to anyone.
+service quota-status {
+  executable = /usr/lib/dovecot/quota-status -p postfix
+  unix_listener /var/spool/postfix/private/quota-status {
+    user = postfix
+  }
+}
+
+plugin {
+ quota_status_success = DUNNO
+ quota_status_nouser = DUNNO
+ quota_status_overquota = "552 5.2.2 Mailbox is over quota / Mailbox ist voll"
+}
+
+##
+## Quota backends
+##
+
+# Multiple backends are supported:
+#   dirsize: Find and sum all the files found from mail directory.
+#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
+#   dict: Keep quota stored in dictionary (eg. SQL)
+#   maildir: Maildir++ quota
+#   fs: Read-only support for filesystem quota
+
+plugin {
+  #quota = dirsize:User quota
+  quota = maildir:User quota
+  #quota_rule = *:bytes=1000
+  #quota = dict:User quota::proxy::quota
+  #quota = fs:User quota
+}
+
+# Multiple quota roots are also possible, for example this gives each user
+# their own 100MB quota and one shared 1GB quota within the domain:
+plugin {
+  #quota = dict:user::proxy::quota
+  #quota2 = dict:domain:%d:proxy::quota_domain
+  #quota_rule = *:storage=102400
+  #quota2_rule = *:storage=1048576
+}
+
+plugin {
+   quota_warning = storage=95%% quota-warning 95 %u
+   quota_warning2 = storage=80%% quota-warning 80 %u
+}
+service quota-warning {
+  executable = script /usr/local/bin/quota-warning.sh
+  unix_listener quota-warning {
+    group = dovecot
+    mode = 0660
+  }
+}

ansible/roles/ispmail-dovecot/files/90-sieve.conf

@@ -5,39 +5,81 @@
 # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
 # by adding it to the respective mail_plugins= settings.
 
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the 
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
 plugin {
-  # The path to the user's main active script. If ManageSieve is used, this the
-  # location of the symbolic link controlled by ManageSieve.
-  sieve = ~/.dovecot.sieve
-
-  # The default Sieve script when the user has none. This is a path to a global
-  # sieve script file, which gets executed ONLY if user's private Sieve script
-  # doesn't exist. Be sure to pre-compile this script manually using the sievec
-  # command line tool.
-  # --> See sieve_before fore executing scripts before the user's personal
+  # The location of the user's main Sieve script or script storage. The LDA
+  # Sieve plugin uses this to find the active script for Sieve filtering at
+  # delivery. The "include" extension uses this location for retrieving
+  # :personal" scripts. This is also where the  ManageSieve service will store
+  # the user's scripts, if supported.
+  # 
+  # Currently only the 'file:' location type supports ManageSieve operation.
+  # Other location types like 'dict:' and 'ldap:' can currently only
+  # be used as a read-only script source ().
+  #
+  # For the 'file:' type: use the ';active=' parameter to specify where the
+  # active script symlink is located.
+  # For other types: use the ';name=' parameter to specify the name of the
+  # default/active script.
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+
+  # The default Sieve script when the user has none. This is the location of a
+  # global sieve script file, which gets executed ONLY if user's personal Sieve
+  # script doesn't exist. Be sure to pre-compile this script manually using the
+  # sievec command line tool if the binary is not stored in a global location.
+  # --> See sieve_before for executing scripts before the user's personal
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
-  # Directory for :personal include scripts for the include extension. This
-  # is also where the ManageSieve service stores the user's scripts.
-  sieve_dir = ~/sieve
-
-  # Directory for :global include scripts for the include extension.
-  #sieve_global_dir =
-
-  # Path to a script file or a directory containing script files that need to be
-  # executed before the user's script. If the path points to a directory, all
-  # the Sieve scripts contained therein (with the proper .sieve extension) are
-  # executed. The order of execution within a directory is determined by the
-  # file names, using a normal 8bit per-character comparison. Multiple script
-  # file or directory paths can be specified by appending an increasing number.
-  #sieve_before =
-  #sieve_before2 =
+  # The name by which the default Sieve script (as configured by the 
+  # sieve_default setting) is visible to the user through ManageSieve. 
+  #sieve_default_name = 
+
+  # Location for ":global" include scripts as used by the "include" extension.
+  #sieve_global =
+
+  # The location of a Sieve script that is run for any message that is about to
+  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
+  # execution. This only happens when the "implicit keep" is canceled, by e.g.
+  # the "discard" action, and no actions that deliver the message are executed.
+  # This "discard script" can prevent discarding the message, by executing
+  # alternative actions. If the discard script does nothing, the message is
+	# still discarded as it would be when no discard script is configured.
+  #sieve_discard =
+
+  # Location Sieve of scripts that need to be executed before the user's
+  # personal script. If a 'file' location path points to a directory, all the 
+  # Sieve scripts contained therein (with the proper `.sieve' extension) are
+  # executed. The order of execution within that directory is determined by the
+  # file names, using a normal 8bit per-character comparison.
+  #
+  # Multiple script locations can be specified by appending an increasing number
+  # to the setting name. The Sieve scripts found from these locations are added
+  # to the script execution sequence in the specified order. Reading the
+  # numbered sieve_before settings stops at the first missing setting, so no
+  # numbers may be skipped.
+  #sieve_before = /var/lib/dovecot/sieve.d/
+  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
   #sieve_before3 = (etc...)
 
   # Identical to sieve_before, only the specified scripts are executed after the
-  # user's script (only when keep is still in effect!). Multiple script file or
-  # directory paths can be specified by appending an increasing number.
+  # user's script (only when keep is still in effect!). Multiple script
+  # locations can be specified by appending an increasing number.
   #sieve_after =
   #sieve_after2 =
   #sieve_after2 = (etc...)
@@ -49,7 +91,7 @@ plugin {
   # to disable certain Sieve extensions or enable those that are not available
   # by default. This setting can use '+' and '-' to specify differences relative
   # to the default. For example `sieve_extensions = +imapflags' will enable the
-	# deprecated imapflags extension in addition to all extensions were already
+  # deprecated imapflags extension in addition to all extensions were already
   # enabled by default.
   #sieve_extensions = +notify +imapflags
 
@@ -69,7 +111,7 @@ plugin {
   # setting, the used plugins can be specified. Check the Dovecot wiki
   # (wiki2.dovecot.org) or the pigeonhole website
   # (http://pigeonhole.dovecot.org) for available plugins.
-	# The sieve_extprograms plugin is included in this release.
+  # The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
 
   # The separator that is expected between the :user and :detail
@@ -103,4 +145,71 @@ plugin {
   # set to 0, no limit on the used amount of disk storage is enforced.
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
+
+  # The primary e-mail address for the user. This is used as a default when no
+  # other appropriate address is available for sending messages. If this setting
+  # is not configured, either the postmaster or null "<>" address is used as a
+  # sender, depending on the action involved. This setting is important when
+  # there is no message envelope to extract addresses from, such as when the
+  # script is executed in IMAP.
+  #sieve_user_email =
+
+  # The path to the file where the user log is written. If not configured, a
+  # default location is used. If the main user's personal Sieve (as configured
+  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
+  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
+  #sieve_user_log =
+
+  # Specifies what envelope sender address is used for redirected messages.
+  # The following values are supported for this setting:
+  #
+  #   "sender"         - The sender address is used (default).
+  #   "recipient"      - The final recipient address is used.
+  #   "orig_recipient" - The original recipient is used.
+  #   "user_email"     - The user's primary address is used. This is
+  #                      configured with the "sieve_user_email" setting. If
+  #                      that setting is unconfigured, "user_mail" is equal to
+  #                      "recipient".
+  #   "postmaster"     - The postmaster_address configured for the LDA.
+  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
+  #                      The angle brackets are mandatory. The null "<>" address
+  #                      is also supported.
+  #
+  # This setting is ignored when the envelope sender is "<>". In that case the
+  # sender of the redirected message is also always "<>".
+  #sieve_redirect_envelope_from = sender
+
+  ## TRACE DEBUGGING
+  # Trace debugging provides detailed insight in the operations performed by
+  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
+  # IMAPSIEVE plugin. 
+  #
+  # WARNING: On a busy server, this functionality can quickly fill up the trace
+  # directory with a lot of trace files. Enable this only temporarily and as
+  # selective as possible.
+  
+  # The directory where trace files are written. Trace debugging is disabled if
+  # this setting is not configured or if the directory does not exist. If the 
+  # path is relative or it starts with "~/" it is interpreted relative to the
+  # current user's home directory.
+  #sieve_trace_dir =
+  
+  # The verbosity level of the trace messages. Trace debugging is disabled if
+  # this setting is not configured. Possible values are:
+  #
+  #   "actions"        - Only print executed action commands, like keep,
+  #                      fileinto, reject and redirect.
+  #   "commands"       - Print any executed command, excluding test commands.
+  #   "tests"          - Print all executed commands and performed tests.
+  #   "matching"       - Print all executed commands, performed tests and the
+  #                      values matched in those tests.
+  #sieve_trace_level =
+  
+  # Enables highly verbose debugging messages that are usually only useful for
+  # developers.
+  #sieve_trace_debug = no
+  
+  # Enables showing byte code addresses in the trace output, rather than only
+  # the source line numbers.
+  #sieve_trace_addresses = no 
 }

ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext

@@ -17,8 +17,8 @@ passdb {
 #}
 
 userdb {
-  driver = static
-  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
 }
 
 # If you don't have any user-specific settings, you can avoid the user_query
@@ -28,4 +28,3 @@ userdb {
   #driver = static
   #args = uid=vmail gid=vmail home=/var/vmail/%u
 #}
-

ansible/roles/ispmail-dovecot/handlers/main.yml

@@ -3,4 +3,3 @@
   service: name=dovecot state=restarted
 - name: recompile sieve script
   command: sievec /etc/dovecot/sieve-after
-

ansible/roles/ispmail-dovecot/tasks/main.yml

@@ -5,14 +5,8 @@
   user: name=vmail uid=5000 group=vmail home=/var/vmail
 - name: Create mailbox directory
   file: path=/var/vmail state=directory owner=vmail group=vmail
-- name: Allow LOGIN authentication method for Outlook clients
-  lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^auth_mechanisms =' line='auth_mechanisms = {{ispmail_dovecot_auth_mechanisms}}' backrefs=yes
-  notify: restart dovecot
-- name: Disabling system authentication
-  lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^!include auth-system.conf.ext' line='#!include auth-system.conf.ext' backrefs=yes
-  notify: restart dovecot
-- name: Enabling SQL-based authentication
-  lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^\#!include auth-sql.conf.ext' line='!include auth-sql.conf.ext' backrefs=yes
+- name: Copying SQL authentication configuration (auth-sql.conf.ext)
+  copy: src=10-auth.conf dest=/etc/dovecot/conf.d/10-auth.conf
   notify: restart dovecot
 - name: Copying SQL authentication configuration (auth-sql.conf.ext)
   copy: src=auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext
@@ -24,15 +18,12 @@
   copy: src=10-master.conf dest=/etc/dovecot/conf.d/10-master.conf
   notify: restart dovecot
 - name: Copying SSL configuration (10-ssl.conf)
-  copy: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
+  template: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
   notify: restart dovecot
 - name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin)
   copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf
   notify: restart dovecot
-- name: Copying mailboxes configuration (15-mailboxes.conf - autocreate folders)
-  copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf
-  notify: restart dovecot
-- name: Copying SQL access configuration (dovecot-ssql.conf.ext)
+- name: Copying SQL access configuration (dovecot-sql.conf.ext)
   template: src=dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
   notify: restart dovecot
 - name: Fixing ownership and mode of dovecot.conf
@@ -49,4 +40,12 @@
 - name: Copying Sieve plugin configuration (90-sieve.conf)
   copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf
   notify: restart dovecot
-
+- name: Copying Quota plugin configuration (90-quota.conf)
+  copy: src=90-quota.conf dest=/etc/dovecot/conf.d/90-quota.conf
+  notify: restart dovecot
+- name: Copying quota warning shell script to /usr/local/bin
+  template:
+    src: quota-warning.sh.j2
+    dest: /usr/local/bin/quota-warning.sh
+    mode: 0750
+  notify: restart dovecot

ansible/roles/ispmail-dovecot/files/10-ssl.conf → ansible/roles/ispmail-dovecot/templates/10-ssl.conf

@@ -3,6 +3,7 @@
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+#ssl = yes
 ssl = required
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
@@ -12,6 +13,10 @@ ssl = required
 ssl_cert = </etc/ssl/certs/mailserver.pem
 ssl_key = </etc/ssl/private/mailserver.pem
 
+# When using Let's Encrypt use these lines instead:
+# ssl_cert = </etc/letsencrypt/live/webmail.example.org/fullchain.pem
+# ssl_key = </etc/letsencrypt/live/webmail.example.org/privkey.pem
+
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
@@ -27,10 +32,11 @@ ssl_key = </etc/ssl/private/mailserver.pem
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
-# directory is usually /etc/ssl/certs in Debian-based systems and the file is
-# /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
 #ssl_client_ca_file =
 
 # Request client to send a certificate. If you also want to require it, set
@@ -42,17 +48,33 @@ ssl_key = </etc/ssl/private/mailserver.pem
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+#ssl_min_protocol = TLSv1
 
-# SSL protocols to use
-#ssl_protocols = !SSLv2
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
-# SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
 
 # Prefer the server's order of ciphers over client's.
 #ssl_prefer_server_ciphers = no
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =

ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2

@@ -37,7 +37,7 @@
 # settings, like: host=sql1.host.org host=sql2.host.org
 #
 # pgsql:
-#   For available options, see the PostgreSQL documention for the
+#   For available options, see the PostgreSQL documentation for the
 #   PQconnectdb function of libpq.
 #   Use maxconns=n (default 5) to change how many connections Dovecot can
 #   create to pgsql.
@@ -48,6 +48,9 @@
 #
 #   But also adds some new settings:
 #     client_flags           - See MySQL manual
+#     connect_timeout        - Connect timeout in seconds (default: 5)
+#     read_timeout           - Read timeout in seconds (default: 30)
+#     write_timeout          - Write timeout in seconds (default: 30)
 #     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
 #     ssl_cert, ssl_key      - For sending client-side certificates to server
 #     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
@@ -141,7 +144,10 @@
 #iterate_query = SELECT username AS user FROM users
 
 driver = mysql
-connect = host=127.0.0.1 dbname=mailserver user=mailuser password={{ispmail_mysql_mailuser_password}}
-default_pass_scheme = SHA256-CRYPT
-password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
-
+connect = host=127.0.0.1 dbname=mailserver user=mailserver password={{ispmail_mysql_mailserver_password}}
+user_query = SELECT email as user, \
+  concat('*:bytes=', quota) AS quota_rule, \
+  '/var/vmail/%d/%n' AS home, \
+  5000 AS uid, 5000 AS gid \
+  FROM virtual_users WHERE email='%u';
+password_query = SELECT password FROM virtual_users WHERE email='%u';

ansible/roles/ispmail-dovecot/templates/quota-warning.sh.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+PERCENT=$1
+USER=$2
+cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
+From: postmaster@{{ispmail_fqdn}}
+Subject: Quota warning - $PERCENT% reached
+
+Your mailbox can only store a limited amount of emails.
+Currently it is $PERCENT% full. If you reach 100% then
+new emails cannot be stored. Thanks for your understanding.
+EOF

ansible/roles/ispmail-packages/tasks/main.yml

@@ -5,23 +5,27 @@
     update_cache: yes
   vars:
     packages:
-    - etckeeper
-    - certbot
-    - pwgen
-    - mariadb-server
-    - postfix
-    - postfix-mysql
-    # - roundcube
-    # - roundcube-mysql
-    # - roundcube-plugins
-    # - roundcube-plugins-extra
-    - swaks
-    - dovecot-mysql
-    - dovecot-pop3d
-    - dovecot-imapd
-    - dovecot-lmtpd
-    - dovecot-managesieved
-    - adminer
-    - rspamd
-    - fail2ban
+      - etckeeper
+      - certbot
+      - pwgen
+      - mariadb-server
+      - postfix
+      - postfix-mysql
+      # - roundcube
+      # - roundcube-mysql
+      # - roundcube-plugins
+      # - roundcube-plugins-extra
+      - swaks
+      - dovecot-mysql
+      - dovecot-pop3d
+      - dovecot-imapd
+      - dovecot-lmtpd
+      - dovecot-managesieved
+      - apache2
+      - php
+      - adminer
+      - rspamd
+      - fail2ban
+      - ca-certificates
+      - mutt
 # TODO: shorewall

ansible/roles/ispmail-postfix/files/master.cf

@@ -20,9 +20,6 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_auth_only=yes
   -o smtpd_reject_unlisted_recipient=no
-#  -o smtpd_client_restrictions=$mua_client_restrictions
-#  -o smtpd_helo_restrictions=$mua_helo_restrictions
-#  -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

ansible/roles/ispmail-postfix/handlers/main.yml

@@ -1,6 +1,3 @@
 ---
 - name: restart postfix
   service: name=postfix state=restarted
-
-- name: restart spamassassin
-  service: name=spamassassin state=restarted

ansible/roles/ispmail-postfix/tasks/main.yml

@@ -18,40 +18,37 @@
     mode: 0644
   notify: restart postfix
 
-# - name: tell Postfix to use the virtual mailbox domain mapping
-#   command: postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
-
-# - name: define Postfix virtual mailbox mapping
-#   template: src=mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf
-#   notify: restart postfix
-# - name: tell Postfix to use the virtual mailbox mapping
-#   command: postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
-
-# - name: define Postfix virtual alias mapping
-#   template: src=mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf
-#   notify: restart postfix
-# - name: tell Postfix to use the virtual alias mapping
-#   command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf
-
-# - name: define Postfix email-to-email mapping (required for catchall domains)
-#   template: src=mysql-email2email.cf.j2 dest=/etc/postfix/mysql-email2email.cf
-#   notify: restart postfix
-# - name: tell Postfix to use the email-to-email mapping
-#   command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
-
-# - name: Restricting access to database mapping files that contain a password
-#   file: path=/etc/postfix/mysql-{{item}}.cf mode=0640
-#   with_items:
-#   - virtual-mailbox-domains
-#   - virtual-mailbox-maps
-#   - virtual-alias-maps
+- name: tell Postfix to use the virtual mailbox domain mapping
+  command: postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
+
+- name: define Postfix virtual mailbox mapping
+  template: src=mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf
+  notify: restart postfix
+- name: tell Postfix to use the virtual mailbox mapping
+  command: postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
+
+- name: define Postfix virtual alias mapping
+  template: src=mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf
+  notify: restart postfix
+- name: tell Postfix to use the virtual alias mapping
+  command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf
+
+- name: define Postfix email-to-email mapping (required for catchall domains)
+  template: src=mysql-email2email.cf.j2 dest=/etc/postfix/mysql-email2email.cf
+  notify: restart postfix
+- name: tell Postfix to use the email-to-email mapping
+  command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
+
+- name: Restricting access to database mapping files that contain a password
+  file: path=/etc/postfix/mysql-{{item}}.cf mode=0640
+  with_items:
+  - virtual-mailbox-domains
+  - virtual-mailbox-maps
+  - virtual-alias-maps
 
 - name: Make Postfix use LMTP to send emails to Dovecot
   command: postconf virtual_transport=lmtp:unix:private/dovecot-lmtp
 
-- name: Restricting delivery to Dovecot to one email at a time
-  command: postconf dovecot_destination_recipient_limit=1
-
 - name: Setting SMTP authentication type to dovecot
   command: postconf smtpd_sasl_type=dovecot
 
@@ -89,5 +86,8 @@
   command: postconf non_smtpd_milters=inet:127.0.0.1:11332
 
 - name: Set rspamd milter macros
-  command: postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
+  command: postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}'"
+
+- name: Enable user quota checking
+  command: "postconf 'smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status'"
 

ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2

@@ -1,5 +1,5 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+user = mailserver
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT email FROM virtual_users WHERE email='%s'

ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2

@@ -1,5 +1,5 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+user = mailserver
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT destination FROM virtual_aliases WHERE source='%s'

ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2

@@ -1,5 +1,5 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+user = mailserver
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT 1 FROM virtual_domains WHERE name='%s'

ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2

@@ -1,5 +1,5 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+user = mailserver
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT 1 FROM virtual_users WHERE email='%s'

ansible/roles/ispmail-webmail-apache-roundcube/files/roundcube-managesieve-config.inc.php

@@ -1,101 +0,0 @@
-// Taken from /usr/share/roundcube/plugins/managesieve/config.inc.php.dist
-<?php
-
-// managesieve server port. When empty the port will be determined automatically
-// using getservbyname() function, with 4190 as a fallback.
-$config['managesieve_port'] = 4190;
-
-// managesieve server address, default is localhost.
-// Replacement variables supported in host name:
-// %h - user's IMAP hostname
-// %n - http hostname ($_SERVER['SERVER_NAME'])
-// %d - domain (http hostname without the first part)
-// For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = 'localhost';
-
-// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
-// or none. Optional, defaults to best method supported by server.
-$config['managesieve_auth_type'] = null;
-
-// Optional managesieve authentication identifier to be used as authorization proxy.
-// Authenticate as a different user but act on behalf of the logged in user.
-// Works with PLAIN and DIGEST-MD5 auth.
-$config['managesieve_auth_cid'] = null;
-
-// Optional managesieve authentication password to be used for imap_auth_cid
-$config['managesieve_auth_pw'] = null;
-
-// use or not TLS for managesieve server connection
-// Note: tls:// prefix in managesieve_host is also supported
-$config['managesieve_usetls'] = false;
-
-// Connection scket context options
-// See http://php.net/manual/en/context.ssl.php
-// The example below enables server certificate validation
-//$config['managesieve_conn_options'] = array(
-//  'ssl'         => array(
-//     'verify_peer'  => true,
-//     'verify_depth' => 3,
-//     'cafile'       => '/etc/openssl/certs/ca.crt',
-//   ),
-// );
-$config['managesieve_conn_options'] = null;
-
-// default contents of filters script (eg. default spam filter)
-$config['managesieve_default'] = '/etc/dovecot/sieve/global';
-
-// The name of the script which will be used when there's no user script
-$config['managesieve_script_name'] = 'managesieve';
-
-// Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
-// but some implementations does not covert UTF-8 to modified UTF-7.
-// Defaults to UTF7-IMAP
-$config['managesieve_mbox_encoding'] = 'UTF-8';
-
-// I need this because my dovecot (with listescape plugin) uses
-// ':' delimiter, but creates folders with dot delimiter
-$config['managesieve_replace_delimiter'] = '';
-
-// disabled sieve extensions (body, copy, date, editheader, encoded-character,
-// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
-// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
-// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
-// Note: not all extensions are implemented
-$config['managesieve_disabled_extensions'] = array();
-
-// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
-$config['managesieve_debug'] = false;
-
-// Enables features described in http://wiki.kolab.org/KEP:14
-$config['managesieve_kolab_master'] = false;
-
-// Script name extension used for scripts including. Dovecot uses '.sieve',
-// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
-$config['managesieve_filename_extension'] = '.sieve';
-
-// List of reserved script names (without extension).
-// Scripts listed here will be not presented to the user.
-$config['managesieve_filename_exceptions'] = array();
-
-// List of domains limiting destination emails in redirect action
-// If not empty, user will need to select domain from a list
-$config['managesieve_domains'] = array();
-
-// Enables separate management interface for vacation responses (out-of-office)
-// 0 - no separate section (default),
-// 1 - add Vacation section,
-// 2 - add Vacation section, but hide Filters section
-$config['managesieve_vacation'] = 0;
-
-// Default vacation interval (in days).
-// Note: If server supports vacation-seconds extension it is possible
-// to define interval in seconds here (as a string), e.g. "3600s".
-$config['managesieve_vacation_interval'] = 0;
-
-// Some servers require vacation :addresses to be filled with all
-// user addresses (aliases). This option enables automatic filling
-// of these on initial vacation form creation.
-$config['managesieve_vacation_addresses_init'] = false;
-
-// Supported methods of notify extension. Default: 'mailto'
-$config['managesieve_notify_methods'] = array('mailto');

ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart apache
+  service:
+    name: apache2
+    state: restarted

ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml

@@ -5,40 +5,74 @@
     update_cache: yes
   vars:
     packages:
-      #- roundcube 
-      #- roundcube-plugins
-      - php-horde-imp
-      - php-horde-ingo
-      - php-horde-kronolith
-      - php-horde-turba
-# - name: Creating random des_key for Roundcube
-#   shell: pwgen 24
-#   register: roundcube_random_des_key
-# - name: Deploying Roundcube configuration
-#   template:
-#     src: roundcube-config.inc.php.j2
-#     dest: /etc/roundcube/config.inc.php
-#     owner: root
-#     group: www-data
-#     mode: 0640
-# - name: Deploying Roundcube managesieve plugin configuration
-#   copy:
-#     src: roundcube-managesieve-config.inc.php 
-#     dest: /etc/roundcube/plugins/managesieve/config.inc.php 
-#     mode: 0640
-# - name: Deploying Roundcube password plugin configuration
-#   template: 
-#     src: roundcube-password-config.inc.php.j2 
-#     dest: /etc/roundcube/plugins/password/config.inc.php 
-#     owner: root 
-#     group: www-data 
-#     mode: 0640
-# - name: Copy ISPmail logo
-#   copy: 
-#     src: ispmail-logo.png 
-#     dest: /var/lib/roundcube/
-# - name: Copy Roundcube database config file
-#   template: 
-#     src: roundcube-debian-db.php.j2 
-#     dest: /etc/roundcube/debian-db.php 
-#     mode: 0640
+      - roundcube
+      - roundcube-plugins
+      - roundcube-plugins-extra
+      - roundcube-mysql
+- name: Creating random des_key for Roundcube
+  shell: pwgen 24 1
+  register: roundcube_random_des_key
+- name: Deploying Roundcube configuration
+  template:
+    src: config.inc.php.j2
+    dest: /etc/roundcube/config.inc.php
+    owner: root
+    group: www-data
+    mode: 0640
+- name: Deploying Roundcube managesieve plugin configuration
+  template:
+    src: plugins/managesieve/config.inc.php.j2
+    dest: /etc/roundcube/plugins/managesieve/config.inc.php 
+    owner: root
+    group: www-data
+    mode: 0640
+- name: Deploying Roundcube password plugin configuration
+  template: 
+    src: plugins/password/config.inc.php.j2 
+    dest: /etc/roundcube/plugins/password/config.inc.php 
+    owner: root 
+    group: www-data 
+    mode: 0640
+- name: Copy ISPmail logo
+  copy: 
+    src: ispmail-logo.png 
+    dest: /var/lib/roundcube/skins/larry/
+- name: Enable Apache rewrite and ssl module
+  shell: a2enmod {{item}}
+  args:
+    creates: /etc/apache2/mods-enabled/{{item}}.load
+  with_items:
+    - rewrite
+    - ssl
+  notify: restart apache
+- name: Create DocumentRoot for HTTP vhost
+  file:
+    path: /var/www/{{ispmail_fqdn}}
+    state: directory
+    owner: www-data
+    group: www-data
+- name: Remove Apache default vhost pointing to dummy page
+  file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  notify: restart apache
+- name: Configure HTTP vhost
+  template:
+    src: vhosts/http.j2
+    dest: /etc/apache2/sites-available/{{ispmail_fqdn}}-http.conf
+  notify: restart apache
+- name: Enable HTTP vhost
+  shell: a2ensite {{ispmail_fqdn}}-http.conf
+  args:
+    creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-http.conf
+  notify: restart apache
+- name: Configure HTTPS vhost
+  template:
+    src: vhosts/https.j2
+    dest: /etc/apache2/sites-available/{{ispmail_fqdn}}-https.conf
+  notify: restart apache
+- name: Enable HTTPS vhost
+  shell: a2ensite {{ispmail_fqdn}}-https.conf
+  args:
+    creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-https.conf
+  notify: restart apache

ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2

@@ -0,0 +1,90 @@
+<?php
+
+/*
++-----------------------------------------------------------------------+
+| Local configuration for the Roundcube Webmail installation.           |
+|                                                                       |
+| This is a sample configuration file only containing the minimum       |
+| setup required for a functional installation. Copy more options       |
+| from defaults.inc.php to this file to override the defaults.          |
+|                                                                       |
+| This file is part of the Roundcube Webmail client                     |
+| Copyright (C) 2005-2013, The Roundcube Dev Team                       |
+|                                                                       |
+| Licensed under the GNU General Public License version 3 or            |
+| any later version with exceptions for skins & plugins.                |
+| See the README file for a full license statement.                     |
++-----------------------------------------------------------------------+
+*/
+
+$config = array();
+
+/* Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database ! */
+include_once("/etc/roundcube/debian-db-roundcube.php");
+
+// The IMAP host chosen to perform the log-in.
+// Leave blank to show a textbox at login, give a list of hosts
+// to display a pulldown menu or set one host as string.
+// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+// Supported replacement variables:
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %s - domain name after the '@' from e-mail address provided at login screen
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['default_host'] = 'localhost';
+
+// SMTP server host (for sending mails).
+// Enter hostname with prefix tls:// to use STARTTLS, or use
+// prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS)
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['smtp_server'] = 'localhost';
+
+// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
+// deprecated SSL over SMTP (aka SMTPS))
+$config['smtp_port'] = 25;
+
+// SMTP username (if required) if you use %u as the username Roundcube
+// will use the current username for login
+$config['smtp_user'] = '%u';
+
+// SMTP password (if required) if you use %p as the password Roundcube
+// will use the current user's password for login
+$config['smtp_pass'] = '%p';
+
+// provide an URL where a user can get support for this Roundcube installation
+// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
+$config['support_url'] = '';
+
+// Name your service. This is displayed on the login screen and in the window title
+$config['product_name'] = 'ISPmail – your mail server';
+
+// this key is used to encrypt the users imap password which is stored
+// in the session record (and the client cookie if remember password is enabled).
+// please provide a string of exactly 24 chars.
+// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
+$config['des_key'] = '{{roundcube_random_des_key.stdout}}';
+
+// List of active plugins (in plugins/ directory)
+// Debian: install roundcube-plugins first to have any
+$config['plugins'] = array(
+  'managesieve',
+  'password',
+);
+
+// skin name: folder from skins/
+$config['skin'] = 'larry';
+
+// Disable spellchecking
+// Debian: spellshecking needs additional packages to be installed, or calling external APIs
+//         see defaults.inc.php for additional informations
+$config['enable_spellcheck'] = false;
+
+// Set a nice ISPmail logo :)
+$config['skin_logo'] = '/ispmail-logo.png';

ansible/roles/ispmail-webmail-apache-roundcube/templates/plugins/managesieve/config.inc.php.j2

@@ -0,0 +1 @@
+$config['managesieve_host'] = 'localhost';

ansible/roles/ispmail-webmail-apache-roundcube/templates/plugins/password/config.inc.php.j2

@@ -0,0 +1,13 @@
+<?php
+// Plugin configuration for password
+// See /usr/share/roundcube/plugins/password/config.inc.php.dist for instructions
+// Check the access right of the file if you put sensitive information in it.
+$config['password_driver'] = 'sql';
+$config['password_minimum_length'] = 12;
+$config['password_force_save'] = true;
+$config['password_algorithm'] = 'dovecot';
+$config['password_dovecotpw'] = '/usr/bin/doveadm pw -s BLF-CRYPT';
+$config['password_dovecotpw_method'] = 'BLF-CRYPT';
+$config['password_dovecotpw_with_method'] = true;
+$config['password_db_dsn'] = 'mysql://mailadmin:{{ispmail_mysql_mailadmin_password}}@localhost/mailserver';
+$config['password_query'] = "UPDATE virtual_users SET password=%D WHERE email=%u";

ansible/roles/ispmail-webmail-apache-roundcube/templates/roundcube-password-config.inc.php.j2

@@ -43,7 +43,7 @@ $config['password_force_new_user'] = false;
 // ------------------
 // PEAR database DSN for performing the query. By default
 // Roundcube DB settings are used.
-$config['password_db_dsn'] = 'mysql://mailuser:{{ispmail_mysql_mailuser_password}}@127.0.0.1/mailserver';
+$config['password_db_dsn'] = 'mysql://mailserver:{{ispmail_mysql_mailserver_password}}@127.0.0.1/mailserver';
 
 // The SQL query used to change the password.
 // The query can contain the following macros that will be expanded as follows:

ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/http.j2

@@ -0,0 +1,8 @@
+<VirtualHost *:80>
+  ServerName {{ispmail_fqdn}}
+  DocumentRoot /var/www/{{ispmail_fqdn}}
+
+  RewriteEngine On
+  RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
+  RewriteRule ^(.*)$ https://%{SERVER_NAME}/ [R=301,L]
+</VirtualHost>

ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2

@@ -0,0 +1,15 @@
+<VirtualHost *:443>
+  ServerName {{ispmail_fqdn}}
+  DocumentRoot /var/lib/roundcube
+
+  Alias /adminer /usr/share/adminer/adminer
+  Include /etc/roundcube/apache.conf
+
+  SSLEngine on
+  SSLCertificateKeyFile /etc/ssl/private/mailserver.pem
+  SSLCertificateFile /etc/ssl/certs/mailserver.pem
+
+  # When using Let's Encrypt use these line instead:
+  # SSLCertificateKeyFile /etc/letsencrypt/live/{{ispmail_fqdn}}/privkey.pem
+  # SSLCertificateFile /etc/letsencrypt/live/{{ispmail_fqdn}}/fullchain.pem
+  </VirtualHost>