From 4c6d399c0b3f2bf0637efa9ef1b3a9168840ee4d Mon Sep 17 00:00:00 2001 
From: Christoph Haas Date: Mon, 9 Oct 2017 23:18:22 +0200 Subject: [PATCH] Builds for Stretch --- Vagrantfile | 11 +- ansible.cfg | 26 -- ansible/ansible.cfg | 26 ++ ansible/group_vars/all | 22 ++ ansible/hosts | 1 + ansible/ispmail.retry | 1 + ansible/ispmail.yml | 12 + ansible/roles/dumpvars/README.md | 4 + ansible/roles/dumpvars/tasks/main.yml | 3 + ansible/roles/dumpvars/templates/dumpall.j2 | 23 ++ ansible/roles/ispmail-certificate/tasks/main.yml | 15 + ansible/roles/ispmail-database/files/schema.sql | 24 ++ ansible/roles/ispmail-database/files/test.sql | 26 ++ ansible/roles/ispmail-database/tasks/main.yml | 29 ++ ansible/roles/ispmail-database/templates/my-cnf.j2 | 2 + ansible/roles/ispmail-dovecot/files/10-mail.conf | 382 +++++++++++++++++++++ ansible/roles/ispmail-dovecot/files/10-master.conf | 123 +++++++ ansible/roles/ispmail-dovecot/files/10-ssl.conf | 58 ++++ .../roles/ispmail-dovecot/files/15-mailboxes.conf | 50 +++ ansible/roles/ispmail-dovecot/files/20-lmtp.conf | 20 ++ ansible/roles/ispmail-dovecot/files/90-sieve.conf | 106 ++++++ .../roles/ispmail-dovecot/files/auth-sql.conf.ext | 31 ++ .../ispmail-dovecot/files/spam-to-folder.sieve | 6 + ansible/roles/ispmail-dovecot/handlers/main.yml | 6 + ansible/roles/ispmail-dovecot/tasks/main.yml | 52 +++ .../templates/dovecot-sql.conf.ext.j2 | 147 ++++++++ ansible/roles/ispmail-packages/tasks/main.yml | 29 ++ .../ispmail-postfix/files/etc-default-spamassassin | 35 ++ .../roles/ispmail-postfix/files/spamassassin.patch | 11 + ansible/roles/ispmail-postfix/handlers/main.yml | 7 + ansible/roles/ispmail-postfix/tasks/main.yml | 84 +++++ .../templates/mysql-email2email.cf.j2 | 5 + .../templates/mysql-virtual-alias-maps.cf.j2 | 5 + .../templates/mysql-virtual-mailbox-domains.cf.j2 | 5 + .../templates/mysql-virtual-mailbox-maps.cf.j2 | 5 + .../roles/ispmail-webmail-apache/handlers/main.yml | 4 + .../roles/ispmail-webmail-apache/tasks/main.yml | 18 + .../templates/webmail.conf-443.j2 | 139 ++++++++ 
.../templates/webmail.conf-80.j2 | 6 + .../roles/ispmail-webmail/files/ispmail-logo.png | Bin 0 -> 7202 bytes .../files/roundcube-managesieve-config.inc.php | 101 ++++++ ansible/roles/ispmail-webmail/tasks/main.yml | 21 ++ .../templates/roundcube-config.inc.php.j2 | 90 +++++ .../templates/roundcube-debian-db.php.j2 | 8 + .../templates/roundcube-password-config.inc.php.j2 | 103 ++++++ group_vars/all | 22 -- hosts | 1 - playbooks/ispmail.yml | 12 - roles/dumpvars/tasks/main.yml | 3 - roles/dumpvars/templates/dumpall.j2 | 23 -- roles/ispmail-certificate/tasks/main.yml | 15 - roles/ispmail-database/files/schema.sql | 24 -- roles/ispmail-database/files/test.sql | 26 -- roles/ispmail-database/tasks/main.yml | 29 -- roles/ispmail-database/templates/my-cnf.j2 | 2 - roles/ispmail-dovecot/files/10-mail.conf | 382 --------------------- roles/ispmail-dovecot/files/10-master.conf | 123 ------- roles/ispmail-dovecot/files/10-ssl.conf | 58 ---- roles/ispmail-dovecot/files/15-mailboxes.conf | 50 --- roles/ispmail-dovecot/files/20-lmtp.conf | 20 -- roles/ispmail-dovecot/files/90-sieve.conf | 106 ------ roles/ispmail-dovecot/files/auth-sql.conf.ext | 31 -- roles/ispmail-dovecot/files/spam-to-folder.sieve | 6 - roles/ispmail-dovecot/handlers/main.yml | 6 - roles/ispmail-dovecot/tasks/main.yml | 52 --- .../templates/dovecot-sql.conf.ext.j2 | 147 -------- roles/ispmail-packages/tasks/main.yml | 29 -- .../ispmail-postfix/files/etc-default-spamassassin | 35 -- roles/ispmail-postfix/files/spamassassin.patch | 11 - roles/ispmail-postfix/handlers/main.yml | 7 - roles/ispmail-postfix/tasks/main.yml | 90 ----- .../templates/mysql-email2email.cf.j2 | 5 - .../templates/mysql-virtual-alias-maps.cf.j2 | 5 - .../templates/mysql-virtual-mailbox-domains.cf.j2 | 5 - .../templates/mysql-virtual-mailbox-maps.cf.j2 | 5 - roles/ispmail-webmail-apache/handlers/main.yml | 4 - roles/ispmail-webmail-apache/tasks/main.yml | 18 - .../templates/webmail.conf-443.j2 | 139 -------- .../templates/webmail.conf-80.j2 
| 6 - roles/ispmail-webmail/files/ispmail-logo.png | Bin 7202 -> 0 bytes .../files/roundcube-managesieve-config.inc.php | 101 ------ roles/ispmail-webmail/tasks/main.yml | 21 -- .../templates/roundcube-config.inc.php.j2 | 90 ----- .../templates/roundcube-debian-db.php.j2 | 8 - .../templates/roundcube-password-config.inc.php.j2 | 103 ------ 85 files changed, 1851 insertions(+), 1851 deletions(-) delete mode 100644 ansible.cfg create mode 100644 ansible/ansible.cfg create mode 100644 ansible/group_vars/all create mode 100644 ansible/hosts create mode 100644 ansible/ispmail.retry create mode 100644 ansible/ispmail.yml create mode 100644 ansible/roles/dumpvars/README.md create mode 100644 ansible/roles/dumpvars/tasks/main.yml create mode 100644 ansible/roles/dumpvars/templates/dumpall.j2 create mode 100644 ansible/roles/ispmail-certificate/tasks/main.yml create mode 100644 ansible/roles/ispmail-database/files/schema.sql create mode 100644 ansible/roles/ispmail-database/files/test.sql create mode 100644 ansible/roles/ispmail-database/tasks/main.yml create mode 100644 ansible/roles/ispmail-database/templates/my-cnf.j2 create mode 100644 ansible/roles/ispmail-dovecot/files/10-mail.conf create mode 100644 ansible/roles/ispmail-dovecot/files/10-master.conf create mode 100644 ansible/roles/ispmail-dovecot/files/10-ssl.conf create mode 100644 ansible/roles/ispmail-dovecot/files/15-mailboxes.conf create mode 100644 ansible/roles/ispmail-dovecot/files/20-lmtp.conf create mode 100644 ansible/roles/ispmail-dovecot/files/90-sieve.conf create mode 100644 ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext create mode 100644 ansible/roles/ispmail-dovecot/files/spam-to-folder.sieve create mode 100644 ansible/roles/ispmail-dovecot/handlers/main.yml create mode 100644 ansible/roles/ispmail-dovecot/tasks/main.yml create mode 100644 ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 create mode 100644 ansible/roles/ispmail-packages/tasks/main.yml create mode 100644 
ansible/roles/ispmail-postfix/files/etc-default-spamassassin create mode 100644 ansible/roles/ispmail-postfix/files/spamassassin.patch create mode 100644 ansible/roles/ispmail-postfix/handlers/main.yml create mode 100644 ansible/roles/ispmail-postfix/tasks/main.yml create mode 100644 ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2 create mode 100644 ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2 create mode 100644 ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2 create mode 100644 ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2 create mode 100644 ansible/roles/ispmail-webmail-apache/handlers/main.yml create mode 100644 ansible/roles/ispmail-webmail-apache/tasks/main.yml create mode 100644 ansible/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2 create mode 100644 ansible/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 create mode 100644 ansible/roles/ispmail-webmail/files/ispmail-logo.png create mode 100644 ansible/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php create mode 100644 ansible/roles/ispmail-webmail/tasks/main.yml create mode 100644 ansible/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2 create mode 100644 ansible/roles/ispmail-webmail/templates/roundcube-debian-db.php.j2 create mode 100644 ansible/roles/ispmail-webmail/templates/roundcube-password-config.inc.php.j2 delete mode 100644 group_vars/all delete mode 100644 hosts delete mode 100644 playbooks/ispmail.yml delete mode 100644 roles/dumpvars/tasks/main.yml delete mode 100644 roles/dumpvars/templates/dumpall.j2 delete mode 100644 roles/ispmail-certificate/tasks/main.yml delete mode 100644 roles/ispmail-database/files/schema.sql delete mode 100644 roles/ispmail-database/files/test.sql delete mode 100644 roles/ispmail-database/tasks/main.yml delete mode 100644 roles/ispmail-database/templates/my-cnf.j2 delete mode 100644 roles/ispmail-dovecot/files/10-mail.conf 
delete mode 100644 roles/ispmail-dovecot/files/10-master.conf delete mode 100644 roles/ispmail-dovecot/files/10-ssl.conf delete mode 100644 roles/ispmail-dovecot/files/15-mailboxes.conf delete mode 100644 roles/ispmail-dovecot/files/20-lmtp.conf delete mode 100644 roles/ispmail-dovecot/files/90-sieve.conf delete mode 100644 roles/ispmail-dovecot/files/auth-sql.conf.ext delete mode 100644 roles/ispmail-dovecot/files/spam-to-folder.sieve delete mode 100644 roles/ispmail-dovecot/handlers/main.yml delete mode 100644 roles/ispmail-dovecot/tasks/main.yml delete mode 100644 roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 delete mode 100644 roles/ispmail-packages/tasks/main.yml delete mode 100644 roles/ispmail-postfix/files/etc-default-spamassassin delete mode 100644 roles/ispmail-postfix/files/spamassassin.patch delete mode 100644 roles/ispmail-postfix/handlers/main.yml delete mode 100644 roles/ispmail-postfix/tasks/main.yml delete mode 100644 roles/ispmail-postfix/templates/mysql-email2email.cf.j2 delete mode 100644 roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2 delete mode 100644 roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2 delete mode 100644 roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2 delete mode 100644 roles/ispmail-webmail-apache/handlers/main.yml delete mode 100644 roles/ispmail-webmail-apache/tasks/main.yml delete mode 100644 roles/ispmail-webmail-apache/templates/webmail.conf-443.j2 delete mode 100644 roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 delete mode 100644 roles/ispmail-webmail/files/ispmail-logo.png delete mode 100644 roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php delete mode 100644 roles/ispmail-webmail/tasks/main.yml delete mode 100644 roles/ispmail-webmail/templates/roundcube-config.inc.php.j2 delete mode 100644 roles/ispmail-webmail/templates/roundcube-debian-db.php.j2 delete mode 100644 
roles/ispmail-webmail/templates/roundcube-password-config.inc.php.j2
diff --git a/Vagrantfile b/Vagrantfile
index d6e6bb5..8e6ee70 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -39,7 +39,7 @@ Vagrant.configure(2) do |config|
 # the path on the guest to mount the folder. And the optional third
 # argument is a set of non-required options.
 # config.vm.synced_folder "../data", "/vagrant_data"
- config.vm.synced_folder ".", "/root"
+ config.vm.synced_folder "ansible", "/root"
 # Provider-specific configuration so you can fine-tune various
 # backing providers for Vagrant. These expose provider-specific options.
@@ -72,10 +72,11 @@ Vagrant.configure(2) do |config|
 # SHELL
 config.vm.provision "ansible" do |ansible|
- ansible.playbook = "playbooks/ispmail.yml"
- ansible.become = true
- ansible.become_user = 'root'
- ansible.compatibility_mode = '2.0'
+ ansible.playbook = "ansible/ispmail.yml"
+ ansible.sudo = true
+ #ansible.become = true
+ #ansible.become_user = 'root'
+ #ansible.compatibility_mode = '2.0'
 #ansible.verbose = 'vvv'
 end
diff --git a/ansible.cfg b/ansible.cfg
deleted file mode 100644
index ffd7210..0000000
--- a/ansible.cfg
+++ /dev/null
@@ -1,26 +0,0 @@
-# see http://docs.ansible.com/intro_configuration.html
-[defaults]
-
-# Do not show skipped hosts
-display_skipped_hosts = False
-
-# Look for the inventory of hosts in the current directory
-hostfile = ./hosts
-
-# Connect as 'root' by default via SSH
-remote_user = root
-
-# Do not use cowsay
-nocows = 1
-
-# Connect to up to 50 server in parallel
-forks = 50
-
-# Speed improvement, but may break sudo with requiretty
-pipelining = True
-
-# Log actions
-log_path = ./log
-
-# Path to roles
-roles_path = ./roles
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..423b554
--- /dev/null
+++ b/ansible/ansible.cfg
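Review bot: `ansible.sudo = true` in the provisioner block is, as far as I know, the option Vagrant deprecated in favour of `become`, and the lines being commented out just below it (`ansible.become = true`, `ansible.become_user = 'root'`) were already the current spelling, so the switch reads as a workaround whose reason is not recorded. If it is needed for an older Vagrant on the build host, say so inline, e.g. `# sudo instead of become: required by Vagrant < 2.0 on the build host`, because `sudo` warns on newer releases and may be removed. The first hunk now mounts the `ansible` directory over `/root` on the guest, which places `group_vars/all` with its clear-text passwords in root's home on the VM; presumably acceptable for a throwaway test box, but a one-line comment saying this Vagrantfile is for local testing only would stop it being reused against a real host.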
@@ -0,0 +1,26 @@
+# see http://docs.ansible.com/intro_configuration.html
+[defaults]
+
+# Do not show skipped hosts
+display_skipped_hosts = False
+
+# Look for the inventory of hosts in the current directory
+inventory = ./hosts
+
+# Connect as 'root' by default via SSH
+remote_user = root
+
+# Do not use cowsay
+nocows = 1
+
+# Connect to up to 50 server in parallel
+forks = 50
+
+# Speed improvement, but may break sudo with requiretty
+pipelining = True
+
+# Log actions
+log_path = ./log
+
+# Path to roles
+roles_path = ansible/roles
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
new file mode 100644
index 0000000..489009c
--- /dev/null
+++ b/ansible/group_vars/all
@@ -0,0 +1,22 @@
+ispmail_populate_test_data: true
+
+ispmail_mysql_mailuser_password: ChangeMe
+ispmail_mysql_root_password: ChangeMeRoot
+ispmail_mysql_roundcube_password: ChangeMeRound
+
+ispmail_dovecot_auth_mechanisms: plain login
+
+ispmail_postmaster_address: postmaster@example.org
+
+#ispmail_webmail_hostname: mail.example.org
+ispmail_webmail_hostname: 10.0.0.100
+
+ispmail_certificate_country: DE
+ispmail_certificate_state: Hamburg
+ispmail_certificate_location: Hamburg
+ispmail_certificate_organisation: workaround.org
+ispmail_certificate_orgunit: IT-Crowd
+ispmail_certificate_domains:
+ - example.org
+ispmail_certificate_email: postmaster@example.org
+ispmail_certificate_days_valid: 3650
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..05614f6
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1 @@
+localhost ansible_connection=local
\ No newline at end of file
diff --git a/ansible/ispmail.retry b/ansible/ispmail.retry
new file mode 100644
index 0000000..4ad96d5
--- /dev/null
+++ b/ansible/ispmail.retry
@@ -0,0 +1 @@
+default
diff --git a/ansible/ispmail.yml b/ansible/ispmail.yml
new file mode 100644
index 0000000..c8a2717
--- /dev/null
+++ b/ansible/ispmail.yml
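Review bot: `roles_path = ansible/roles` is inconsistent with `inventory = ./hosts` a few stanzas above and with the `./roles` the deleted top-level file used: the new config lives in `ansible/` itself, and on Ansible 2.4+ relative paths in ansible.cfg resolve against the config file's directory, so this would point at `ansible/ansible/roles`; on older releases they resolve against the working directory instead. The playbook will still find its roles through the implicit `roles/` directory beside `ansible/ispmail.yml`, which is why this may go unnoticed, but `roles_path = ./roles` is correct in both cases. It is also worth confirming that this file is loaded at all when provisioning from Vagrant, since ansible-playbook runs from the project root and only reads an ansible.cfg from the working directory or `ANSIBLE_CONFIG` unless the Vagrantfile sets `ansible.config_file`.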
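Review bot: The three `ispmail_mysql_*_password` values are committed in clear text next to a default of `ispmail_populate_test_data: true`, so a checkout deployed unmodified ends up with the published placeholder passwords and a known test mailbox. Since this file is meant to be edited per site, consider keeping the secrets in a vaulted file (`ansible-vault`, e.g. `group_vars/all/vault.yml`) and leaving only non-secret defaults here, or at minimum add `# placeholders - change before deploying to a real host` above the password block so the intent is explicit. Defaulting `ispmail_populate_test_data` to `false` would make the test-data import opt-in rather than opt-out.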
@@ -0,0 +1,12 @@
+---
+# Requires Ansible >= 1.9
+- hosts: all
+ roles:
+ - dumpvars
+ - ispmail-packages
+ - ispmail-certificate
+ - ispmail-database
+ - ispmail-postfix
+ - ispmail-dovecot
+ - ispmail-webmail
+ - ispmail-webmail-apache
diff --git a/ansible/roles/dumpvars/README.md b/ansible/roles/dumpvars/README.md
new file mode 100644
index 0000000..3273a00
--- /dev/null
+++ b/ansible/roles/dumpvars/README.md
@@ -0,0 +1,4 @@
+# Purpose
+
+Create a file /tmp/ansible-vars on the target system containing all
+Ansible variables. Useful for debugging.
diff --git a/ansible/roles/dumpvars/tasks/main.yml b/ansible/roles/dumpvars/tasks/main.yml
new file mode 100644
index 0000000..35d6006
--- /dev/null
+++ b/ansible/roles/dumpvars/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Dump all vars
+ action: template src=dumpall.j2 dest=/tmp/ansible-vars
diff --git a/ansible/roles/dumpvars/templates/dumpall.j2 b/ansible/roles/dumpvars/templates/dumpall.j2
new file mode 100644
index 0000000..9fe6aee
--- /dev/null
+++ b/ansible/roles/dumpvars/templates/dumpall.j2
@@ -0,0 +1,23 @@
+Module Variables ("vars"):
+--------------------------------
+{{ vars | to_nice_json }}
+
+Environment Variables ("environment"):
+--------------------------------
+{{ environment | to_nice_json }}
+
+GROUP NAMES Variables ("group_names"):
+--------------------------------
+{{ group_names | to_nice_json }}
+
+GROUPS Variables ("groups"):
+--------------------------------
+{{ groups | to_nice_json }}
+
+HOST Variables ("hostvars"):
+--------------------------------
+{{ hostvars | to_nice_json }}
+
+HOST Variables for this host ({{inventory_hostname}}):
+---------------------------------------
+{{ hostvars[inventory_hostname] | to_nice_json }}
diff --git a/ansible/roles/ispmail-certificate/tasks/main.yml b/ansible/roles/ispmail-certificate/tasks/main.yml
new file mode 100644
index 0000000..0ee1fb6
--- /dev/null
+++ b/ansible/roles/ispmail-certificate/tasks/main.yml
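Review bot: `action: template src=dumpall.j2 dest=/tmp/ansible-vars` renders every variable, including the MySQL passwords from `group_vars/all`, into `/tmp` on the target with whatever mode the umask yields (typically 0644), and `ansible/ispmail.yml` runs this role unconditionally as the first entry in its role list, so a production run leaves the dump readable by the mail and web service accounts. Set an explicit mode and owner on the task, `template: src=dumpall.j2 dest=/tmp/ansible-vars owner=root mode=0600`, and gate the role behind a tag or a `when:` on a debug variable so it is opt-in, which also matches the README's "useful for debugging". The `action:` spelling is the legacy form; the module-name form shown above is the usual one.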
@@ -0,0 +1,15 @@
+---
+- name: Create a self-signed certificate
+ command: >
+ openssl req -newkey rsa:4096
+ -nodes -sha512 -x509
+ -days "{{ ispmail_certificate_days_valid }}"
+ -nodes
+ -subj "/C={{ ispmail_certificate_country }}/ST={{ ispmail_certificate_state }}/L={{ ispmail_certificate_location }}/O={{ ispmail_certificate_organisation }}/OU={{ ispmail_certificate_orgunit }}{% for domain in ispmail_certificate_domains %}/CN={{ domain }}{% endfor %}/emailAddress={{ ispmail_certificate_email }}"
+ -out /etc/ssl/certs/mailserver.pem
+ -keyout /etc/ssl/private/mailserver.pem
+ args:
+ creates: /etc/ssl/certs/mailserver.pem
+- name: Restrict access permissions of the private key
+ file: path=/etc/ssl/private/mailserver.pem mode=0640
+
diff --git a/ansible/roles/ispmail-database/files/schema.sql b/ansible/roles/ispmail-database/files/schema.sql
new file mode 100644
index 0000000..7ba785c
--- /dev/null
+++ b/ansible/roles/ispmail-database/files/schema.sql
@@ -0,0 +1,24 @@
+CREATE TABLE IF NOT EXISTS `virtual_domains` (
+ `id` int(11) NOT NULL auto_increment,
+ `name` varchar(50) NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `virtual_users` (
+ `id` int(11) NOT NULL auto_increment,
+ `domain_id` int(11) NOT NULL,
+ `password` varchar(150) NOT NULL,
+ `email` varchar(100) NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `email` (`email`),
+ FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `virtual_aliases` (
+ `id` int(11) NOT NULL auto_increment,
+ `domain_id` int(11) NOT NULL,
+ `source` varchar(100) NOT NULL,
+ `destination` varchar(100) NOT NULL,
+ PRIMARY KEY (`id`),
+ FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
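Review bot: The `-subj` string emits one `/CN=` component per entry of `ispmail_certificate_domains` and no subjectAltName, so with more than one domain the certificate carries several CN fields, and clients that require SAN for hostname matching (current browsers among them) will accept it for none of them. Put the domains into a `subjectAltName` extension instead, via `-addext "subjectAltName=DNS:..."` on OpenSSL 1.1.1+ or a `-config`/`-extensions` section on the 1.1.0 that Stretch ships, and keep a single CN. `-nodes` is passed twice, and because of `creates:` the certificate is never regenerated when the variables change, which is fine for idempotence but deserves a comment such as `# remove both files to regenerate after changing ispmail_certificate_*`. With `mode=0640` the key ends up root-only under Debian's `/etc/ssl/private`; if Postfix or Dovecot are meant to read it as a non-root user, the group (typically `ssl-cert`) should be set in the same task.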
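Review bot: All three tables use `DEFAULT CHARSET=utf8`, which on MySQL/MariaDB is the 3-byte subset, so any address or alias containing a character outside the BMP is rejected at insert time; `utf8mb4` is the full encoding and is available on the MariaDB that Stretch ships. The `UNIQUE KEY` on `email` (varchar(100)) stays within InnoDB's index-length limit after the change, so it is a one-word edit per table, e.g. `) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;`. Adding a `UNIQUE KEY (source, destination)` on `virtual_aliases` would also stop the same alias being inserted twice, which nothing in the schema prevents today.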
diff --git a/ansible/roles/ispmail-database/files/test.sql b/ansible/roles/ispmail-database/files/test.sql
new file mode 100644
index 0000000..ded3208
--- /dev/null
+++ b/ansible/roles/ispmail-database/files/test.sql
@@ -0,0 +1,26 @@
+REPLACE INTO `mailserver`.`virtual_domains` (
+ `id` ,
+ `name`
+)
+VALUES (
+ '1', 'example.org'
+);
+REPLACE INTO `mailserver`.`virtual_users` (
+ `id` ,
+ `domain_id` ,
+ `password` ,
+ `email`
+)
+VALUES (
+ '1', '1', CONCAT('{PLAIN-MD5}', MD5( 'summersun' )) , 'john@example.org'
+);
+REPLACE INTO `mailserver`.`virtual_aliases` (
+ `id`,
+ `domain_id`,
+ `source`,
+ `destination`
+)
+VALUES (
+ '1', '1', 'jack@example.org', 'john@example.org'
+);
+
diff --git a/ansible/roles/ispmail-database/tasks/main.yml b/ansible/roles/ispmail-database/tasks/main.yml
new file mode 100644
index 0000000..4288ceb
--- /dev/null
+++ b/ansible/roles/ispmail-database/tasks/main.yml
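Review bot: The fixture user is stored as `CONCAT('{PLAIN-MD5}', MD5( 'summersun' ))`, an unsalted MD5 scheme Dovecot keeps only for compatibility, and because `ispmail_populate_test_data` defaults to `true` in `group_vars/all` every fresh deployment gets `john@example.org` with a password that is public in this repository. Store the fixture hash in a salted scheme Dovecot verifies natively, for example the literal output of `doveadm pw -s SHA512-CRYPT`, so the test data also demonstrates the scheme real accounts should use, and head the file with `-- test fixtures; loaded only when ispmail_populate_test_data is true` so its purpose is obvious to whoever finds it in /tmp on the server.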
@@ -0,0 +1,29 @@
+---
+- name: Installing required Python mysqldb module for Ansible to manage databases
+ apt: pkg=python-mysqldb state=installed
+# - name: Creating my-cnf for root user
+# template: src=root-my-cnf.j2 dest=/root/.my.cnf mode=0600
+- name: creating mailserver MySQL database
+ mysql_db: name=mailserver state=present
+- name: creating Roundcube MySQL database
+ mysql_db: name=roundcube state=present
+- name: copying MySQL database schema to server
+ copy: src=schema.sql dest=/tmp
+- name: setting up SQL schema of mailserver database
+ mysql_db: name=mailserver state=import target=/tmp/schema.sql
+# - name: set the MySQL root user's password
+ # mysql_user: name=root password={{ispmail_mysql_root_password}} state=present
+- name: creating MySQL user to read the mailserver database
+ mysql_user: name=mailuser password={{ispmail_mysql_mailuser_password}} priv=mailserver.*:SELECT,INSERT,UPDATE,DELETE state=present
+- name: creating MySQL user for roundcube
+ mysql_user: name=roundcube password={{ispmail_mysql_roundcube_password}} priv=roundcube.*:ALL state=present
+- name: copying MySQL test data to server
+ copy: src=test.sql dest=/tmp
+ when: ispmail_populate_test_data == true
+- name: populating the database with test data
+ mysql_db: name=mailserver state=import target=/tmp/test.sql
+ when: ispmail_populate_test_data == true
+# - name: set the MySQL root user's password
+# mysql_user: name=root password={{ispmail_mysql_root_password}} state=present
+# - name: Create root's .my.cnf
+# template: src=my-cnf.j2 dest=/root/.my.cnf mode=0600
diff --git a/ansible/roles/ispmail-database/templates/my-cnf.j2 b/ansible/roles/ispmail-database/templates/my-cnf.j2
new file mode 100644
index 0000000..0615332
--- /dev/null
+++ b/ansible/roles/ispmail-database/templates/my-cnf.j2
@@ -0,0 +1,2 @@
+[client]
+password={{ispmail_mysql_root_password}}
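Review bot: `mailuser` is granted `priv=mailserver.*:SELECT,INSERT,UPDATE,DELETE` although the task name describes it as the user that reads the mailserver database; the Postfix map and Dovecot SQL lookups that presumably use it are read-only, so `priv=mailserver.*:SELECT` is the least-privilege grant and should be the default unless some other consumer writes through this account, in which case a comment naming it belongs here. The inline `password={{ispmail_mysql_mailuser_password}}` in key=value form also breaks as soon as the value contains a space or `=`; the YAML mapping form (`mysql_user:` with `name:`, `password:`, `priv:` keys) avoids that and is the form the other roles should converge on. Minor: `state=installed` is the deprecated alias of `state=present`, and `when: ispmail_populate_test_data == true` is normally written `when: ispmail_populate_test_data`. The root-password tasks are commented out twice, while `ispmail_mysql_root_password` and the `my-cnf.j2` template in the next hunk remain; either drop them or add a one-line comment on why root is left untouched.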
diff --git a/ansible/roles/ispmail-dovecot/files/10-mail.conf b/ansible/roles/ispmail-dovecot/files/10-mail.conf
new file mode 100644
index 0000000..3ef99fc
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/10-mail.conf
@@ -0,0 +1,382 @@ +## +## Mailbox locations and namespaces +## + +# Location for users' mailboxes. The default is empty, which means that Dovecot +# tries to find the mailboxes automatically. This won't work if the user +# doesn't yet have any mail, so you should explicitly tell Dovecot the full +# location. +# +# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) +# isn't enough. You'll also need to tell Dovecot where the other mailboxes are +# kept. This is called the "root mail directory", and it must be the first +# path given in the mail_location setting. +# +# There are a few special variables you can use, eg.: +# +# %u - username +# %n - user part in user@domain, same as %u if there's no domain +# %d - domain part in user@domain, empty if there's no domain +# %h - home directory +# +# See doc/wiki/Variables.txt for full list. Some examples: +# +# mail_location = maildir:~/Maildir +# mail_location = mbox:~/mail:INBOX=/var/mail/%u +# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n +# +# +# +#mail_location = mbox:~/mail:INBOX=/var/mail/%u +mail_location = maildir:/var/vmail/%d/%n/Maildir + +# If you need to set multiple mailbox locations or want to change default +# namespace settings, you can do it by defining namespace sections. +# +# You can have private, shared and public namespaces. Private namespaces +# are for user's personal mails. Shared namespaces are for accessing other +# users' mailboxes that have been shared. Public namespaces are for shared +# mailboxes that are managed by sysadmin. If you create any shared or public +# namespaces you'll typically want to enable ACL plugin also, otherwise all +# users can access all the shared mailboxes, assuming they have permissions +# on filesystem level to do so. +namespace inbox { + # Namespace type: private, shared or public + #type = private + + # Hierarchy separator to use. You should use the same separator for all + # namespaces or some clients get confused. 
'/' is usually a good one. + # The default however depends on the underlying mail storage format. + #separator = + separator = . + + # Prefix required to access this namespace. This needs to be different for + # all namespaces. For example "Public/". + #prefix = + + # Physical location of the mailbox. This is in same format as + # mail_location, which is also the default for it. + #location = + + # There can be only one INBOX, and this setting defines which namespace + # has it. + inbox = yes + + # If namespace is hidden, it's not advertised to clients via NAMESPACE + # extension. You'll most likely also want to set list=no. This is mostly + # useful when converting from another server with different namespaces which + # you want to deprecate but still keep working. For example you can create + # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". + #hidden = no + + # Show the mailboxes under this namespace with LIST command. This makes the + # namespace visible for clients that don't support NAMESPACE extension. + # "children" value lists child mailboxes, but hides the namespace prefix. + #list = yes + + # Namespace handles its own subscriptions. If set to "no", the parent + # namespace handles them (empty prefix should always have this as "yes") + #subscriptions = yes + +# mailbox INBOX.Junk { +# auto = subscribe # autocreate and autosubscribe the Junk mailbox +# special_use = \Junk +# } +# mailbox INBOX.Trash { +# auto = subscribe # autocreate and autosubscribe the Trash mailbox +# special_use = \Trash +# } +} + +# Example shared namespace configuration +#namespace { + #type = shared + #separator = / + + # Mailboxes are visible under "shared/user@domain/" + # %%n, %%d and %%u are expanded to the destination user. + #prefix = shared/%%u/ + + # Mail location for other users' mailboxes. Note that %variables and ~/ + # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the + # destination user's data. 
+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u + + # Use the default namespace for saving subscriptions. + #subscriptions = no + + # List the shared/ namespace only if there are visible shared mailboxes. + #list = children +#} +# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? +#mail_shared_explicit_inbox = no + +# System user and group used to access mails. If you use multiple, userdb +# can override these by returning uid or gid fields. You can use either numbers +# or names. +#mail_uid = +#mail_gid = + +# Group to enable temporarily for privileged operations. Currently this is +# used only with INBOX when either its initial creation or dotlocking fails. +# Typically this is set to "mail" to give access to /var/mail. +#mail_privileged_group = + +# Grant access to these supplementary groups for mail processes. Typically +# these are used to set up access to shared mailboxes. Note that it may be +# dangerous to set these if users can create symlinks (e.g. if "mail" group is +# set here, ln -s /var/mail ~/mail/var could allow a user to delete others' +# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). +#mail_access_groups = + +# Allow full filesystem access to clients. There's no access checks other than +# what the operating system does for the active UID/GID. It works with both +# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ +# or ~user/. +#mail_full_filesystem_access = no + +# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but +# soon intended to be used by METADATA as well. +#mail_attribute_dict = + +## +## Mail processes +## + +# Don't use mmap() at all. This is required if you store indexes to shared +# filesystems (NFS or clustered filesystem). +#mmap_disable = no + +# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL +# since version 3, so this should be safe to use nowadays by default. 
+#dotlock_use_excl = yes + +# When to use fsync() or fdatasync() calls: +# optimized (default): Whenever necessary to avoid losing important data +# always: Useful with e.g. NFS when write()s are delayed +# never: Never use it (best performance, but crashes can lose data) +#mail_fsync = optimized + +# Locking method for index files. Alternatives are fcntl, flock and dotlock. +# Dotlocking uses some tricks which may create more disk I/O than other locking +# methods. NFS users: flock doesn't work, remember to change mmap_disable. +#lock_method = fcntl + +# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. +#mail_temp_dir = /tmp + +# Valid UID range for users, defaults to 500 and above. This is mostly +# to make sure that users can't log in as daemons or other system users. +# Note that denying root logins is hardcoded to dovecot binary and can't +# be done even if first_valid_uid is set to 0. +#first_valid_uid = 500 +#last_valid_uid = 0 + +# Valid GID range for users, defaults to non-root/wheel. Users having +# non-valid GID as primary group ID aren't allowed to log in. If user +# belongs to supplementary groups with non-valid GIDs, those groups are +# not set. +#first_valid_gid = 1 +#last_valid_gid = 0 + +# Maximum allowed length for mail keyword name. It's only forced when trying +# to create new keywords. +#mail_max_keyword_length = 50 + +# ':' separated list of directories under which chrooting is allowed for mail +# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). +# This setting doesn't affect login_chroot, mail_chroot or auth chroot +# settings. If this setting is empty, "/./" in home dirs are ignored. +# WARNING: Never add directories here which local users can modify, that +# may lead to root exploit. Usually this should be done only if you don't +# allow shell access for users. +#valid_chroot_dirs = + +# Default chroot directory for mail processes. 
This can be overridden for +# specific users in user database by giving /./ in user's home directory +# (eg. /home/./user chroots into /home). Note that usually there is no real +# need to do chrooting, Dovecot doesn't allow users to access files outside +# their mail directory anyway. If your home directories are prefixed with +# the chroot directory, append "/." to mail_chroot. +#mail_chroot = + +# UNIX socket path to master authentication server to find users. +# This is used by imap (for shared users) and lda. +#auth_socket_path = /var/run/dovecot/auth-userdb + +# Directory where to look up mail plugins. +#mail_plugin_dir = /usr/lib/dovecot/modules + +# Space separated list of plugins to load for all services. Plugins specific to +# IMAP, LDA, etc. are added to this list in their own .conf files. +#mail_plugins = + +## +## Mailbox handling optimizations +## + +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +#mailbox_list_index = no + +# The minimum number of mails in a mailbox before updates are done to cache +# file. This allows optimizing Dovecot's behavior to do less disk writes at +# the cost of more disk reads. +#mail_cache_min_mail_count = 0 + +# When IDLE command is running, mailbox is checked once in a while to see if +# there are any new mails or other changes. This setting defines the minimum +# time to wait between those checks. Dovecot can also use dnotify, inotify and +# kqueue to find out immediately when changes occur. +#mailbox_idle_check_interval = 30 secs + +# Save mails with CR+LF instead of plain LF. This makes sending those mails +# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. +# But it also creates a bit more disk I/O which may just make it slower. +# Also note that if other software reads the mboxes/maildirs, they may handle +# the extra CRs wrong and cause problems. 
+#mail_save_crlf = no + +# Max number of mails to keep open and prefetch to memory. This only works with +# some mailbox formats and/or operating systems. +#mail_prefetch_count = 0 + +# How often to scan for stale temporary files and delete them (0 = never). +# These should exist only after Dovecot dies in the middle of saving mails. +#mail_temp_scan_interval = 1w + +## +## Maildir-specific settings +## + +# By default LIST command returns all entries in maildir beginning with a dot. +# Enabling this option makes Dovecot return only entries which are directories. +# This is done by stat()ing each entry, so it causes more disk I/O. +# (For systems setting struct dirent->d_type, this check is free and it's +# done always regardless of this setting) +#maildir_stat_dirs = no + +# When copying a message, do it with hard links whenever possible. This makes +# the performance much better, and it's unlikely to have any side effects. +#maildir_copy_with_hardlinks = yes + +# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only +# when its mtime changes unexpectedly or when we can't find the mail otherwise. +#maildir_very_dirty_syncs = no + +# If enabled, Dovecot doesn't use the S= in the Maildir filenames for +# getting the mail's physical size, except when recalculating Maildir++ quota. +# This can be useful in systems where a lot of the Maildir filenames have a +# broken size. The performance hit for enabling this is very small. +#maildir_broken_filename_sizes = no + +# Always move mails from new/ directory to cur/, even when the \Recent flags +# aren't being reset. +#maildir_empty_new = no + +## +## mbox-specific settings +## + +# Which locking methods to use for locking mbox. There are four available: +# dotlock: Create .lock file. This is the oldest and most NFS-safe +# solution. If you want to use /var/mail/ like directory, the users +# will need write access to that directory. 
+# dotlock_try: Same as dotlock, but if it fails because of permissions or +# because there isn't enough disk space, just skip it. +# fcntl : Use this if possible. Works with NFS too if lockd is used. +# flock : May not exist in all systems. Doesn't work with NFS. +# lockf : May not exist in all systems. Doesn't work with NFS. +# +# You can use multiple locking methods; if you do the order they're declared +# in is important to avoid deadlocks if other MTAs/MUAs are using multiple +# locking methods as well. Some operating systems don't allow using some of +# them simultaneously. +# +# The Debian value for mbox_write_locks differs from upstream Dovecot. It is +# changed to be compliant with Debian Policy (section 11.6) for NFS safety. +# Dovecot: mbox_write_locks = dotlock fcntl +# Debian: mbox_write_locks = fcntl dotlock +# +#mbox_read_locks = fcntl +#mbox_write_locks = fcntl dotlock + +# Maximum time to wait for lock (all of them) before aborting. +#mbox_lock_timeout = 5 mins + +# If dotlock exists but the mailbox isn't modified in any way, override the +# lock file after this much time. +#mbox_dotlock_change_timeout = 2 mins + +# When mbox changes unexpectedly we have to fully read it to find out what +# changed. If the mbox is large this can take a long time. Since the change +# is usually just a newly appended mail, it'd be faster to simply read the +# new mails. If this setting is enabled, Dovecot does this but still safely +# fallbacks to re-reading the whole mbox file whenever something in mbox isn't +# how it's expected to be. The only real downside to this setting is that if +# some other MUA changes message flags, Dovecot doesn't notice it immediately. +# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK +# commands. +#mbox_dirty_syncs = yes + +# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, +# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. 
+#mbox_very_dirty_syncs = no + +# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK +# commands and when closing the mailbox). This is especially useful for POP3 +# where clients often delete all mails. The downside is that our changes +# aren't immediately visible to other MUAs. +#mbox_lazy_writes = yes + +# If mbox size is smaller than this (e.g. 100k), don't write index files. +# If an index file already exists it's still read, just not updated. +#mbox_min_index_size = 0 + +# Mail header selection algorithm to use for MD5 POP3 UIDLs when +# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired +# algorithm, but it fails if the first Received: header isn't unique in all +# mails. An alternative algorithm is "all" that selects all headers. +#mbox_md5 = apop3d + +## +## mdbox-specific settings +## + +# Maximum dbox file size until it's rotated. +#mdbox_rotate_size = 2M + +# Maximum dbox file age until it's rotated. Typically in days. Day begins +# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. +#mdbox_rotate_interval = 0 + +# When creating new mdbox files, immediately preallocate their size to +# mdbox_rotate_size. This setting currently works only in Linux with some +# filesystems (ext4, xfs). +#mdbox_preallocate_space = no + +## +## Mail attachments +## + +# sdbox and mdbox support saving mail attachments to external files, which +# also allows single instance storage for them. Other backends don't support +# this for now. + +# Directory root where to store mail attachments. Disabled, if empty. +#mail_attachment_dir = + +# Attachments smaller than this aren't saved externally. It's also possible to +# write a plugin to disable saving specific attachments externally. 
+#mail_attachment_min_size = 128k + +# Filesystem backend to use for saving attachments: +# posix : No SiS done by Dovecot (but this might help FS's own deduplication) +# sis posix : SiS with immediate byte-by-byte comparison during saving +# sis-queue posix : SiS with delayed comparison and deduplication +#mail_attachment_fs = sis posix + +# Hash format to use in attachment filenames. You can add any text and +# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. +# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits +#mail_attachment_hash = %{sha1} diff --git a/ansible/roles/ispmail-dovecot/files/10-master.conf b/ansible/roles/ispmail-dovecot/files/10-master.conf new file mode 100644 index 0000000..ff5d9f8 --- /dev/null +++ b/ansible/roles/ispmail-dovecot/files/10-master.conf 
@@ -0,0 +1,123 @@ +#default_process_limit = 100 +#default_client_limit = 1000 + +# Default VSZ (virtual memory size) limit for service processes. This is mainly +# intended to catch and kill processes that leak memory before they eat up +# everything. +#default_vsz_limit = 256M + +# Login user is internally used by login processes. This is the most untrusted +# user in Dovecot system. It shouldn't have access to anything at all. +#default_login_user = dovenull + +# Internal user is used by unprivileged processes. It should be separate from +# login user, so that login processes can't disturb other processes. +#default_internal_user = dovecot + +service imap-login { + inet_listener imap { + #port = 143 + } + inet_listener imaps { + #port = 993 + #ssl = yes + } + + # Number of connections to handle before starting a new process. Typically + # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 + # is faster. + #service_count = 1 + + # Number of processes to always keep waiting for more connections. + #process_min_avail = 0 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = $default_vsz_limit +} + +service pop3-login { + inet_listener pop3 { + #port = 110 + } + inet_listener pop3s { + #port = 995 + #ssl = yes + } +} + +service lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } + + # Create inet listener only if you can't use the above UNIX socket + #inet_listener lmtp { + # Avoid making LMTP visible for the entire internet + #address = + #port = + #} +} + +service imap { + # Most of the memory goes to mmap()ing files. You may need to increase this + # limit if you have huge mailboxes. + #vsz_limit = $default_vsz_limit + + # Max. number of IMAP processes (connections) + #process_limit = 1024 +} + +service pop3 { + # Max. 
number of POP3 processes (connections) + #process_limit = 1024 +} + +service auth { + # auth_socket_path points to this userdb socket by default. It's typically + # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have + # full permissions to this socket are able to get a list of all usernames and + # get the results of everyone's userdb lookups. + # + # The default 0666 mode allows anyone to connect to the socket, but the + # userdb lookups will succeed only if the userdb returns an "uid" field that + # matches the caller process's UID. Also if caller's uid or gid matches the + # socket's uid or gid the lookup succeeds. Anything else causes a failure. + # + # To give the caller full permissions to lookup all users, set the mode to + # something else than 0666 and Dovecot lets the kernel enforce the + # permissions (e.g. 0777 allows everyone full permissions). + unix_listener auth-userdb { + #mode = 0666 + #user = + #group = + } + + # Postfix smtp-auth + unix_listener /var/spool/postfix/private/auth { + mode = 0666 + user = postfix + group = postfix + } + + # Auth process is run as this user. + #user = $default_internal_user +} + +service auth-worker { + # Auth worker process is run as root by default, so that it can access + # /etc/shadow. If this isn't necessary, the user should be changed to + # $default_internal_user. + #user = root +} + +service dict { + # If dict proxy is used, mail processes should have access to its socket. + # For example: mode=0660, group=vmail and global mail_access_groups=vmail + unix_listener dict { + #mode = 0600 + #user = + #group = + } +} diff --git a/ansible/roles/ispmail-dovecot/files/10-ssl.conf b/ansible/roles/ispmail-dovecot/files/10-ssl.conf new file mode 100644 index 0000000..47ca04c --- /dev/null +++ b/ansible/roles/ispmail-dovecot/files/10-ssl.conf 
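Review bot: The Postfix SMTP-auth listener `unix_listener /var/spool/postfix/private/auth` is created with `mode = 0666` although `user = postfix` and `group = postfix` are set on the same block; `mode = 0660` would let the Postfix daemons connect while keeping every other local account off the authentication socket. The LMTP listener earlier in this hunk already uses the tighter `mode = 0600`, so the two listeners should agree or the difference should be explained in a comment. The socket sits inside the Postfix spool directory, which limits who can reach it, but the mode is still the only control over which local processes may talk to Dovecot's auth service.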
@@ -0,0 +1,58 @@ +## +## SSL settings +## + +# SSL/TLS support: yes, no, required. +ssl = required + +# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before +# dropping root privileges, so keep the key file unreadable by anyone but +# root. Included doc/mkcert.sh can be used to easily generate self-signed +# certificate, just make sure to update the domains in dovecot-openssl.cnf +ssl_cert = See sieve_before fore executing scripts before the user's personal + # script. + #sieve_default = /var/lib/dovecot/sieve/default.sieve + + # Directory for :personal include scripts for the include extension. This + # is also where the ManageSieve service stores the user's scripts. + sieve_dir = ~/sieve + + # Directory for :global include scripts for the include extension. + #sieve_global_dir = + + # Path to a script file or a directory containing script files that need to be + # executed before the user's script. If the path points to a directory, all + # the Sieve scripts contained therein (with the proper .sieve extension) are + # executed. The order of execution within a directory is determined by the + # file names, using a normal 8bit per-character comparison. Multiple script + # file or directory paths can be specified by appending an increasing number. + #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) + + # Identical to sieve_before, only the specified scripts are executed after the + # user's script (only when keep is still in effect!). Multiple script file or + # directory paths can be specified by appending an increasing number. + #sieve_after = + #sieve_after2 = + #sieve_after2 = (etc...) + sieve_after = /etc/dovecot/sieve-after + + # Which Sieve language extensions are available to users. By default, all + # supported extensions are available, except for deprecated extensions or + # those that are still under development. 
Some system administrators may want + # to disable certain Sieve extensions or enable those that are not available + # by default. This setting can use '+' and '-' to specify differences relative + # to the default. For example `sieve_extensions = +imapflags' will enable the + # deprecated imapflags extension in addition to all extensions were already + # enabled by default. + #sieve_extensions = +notify +imapflags + + # Which Sieve language extensions are ONLY available in global scripts. This + # can be used to restrict the use of certain Sieve extensions to administrator + # control, for instance when these extensions can cause security concerns. + # This setting has higher precedence than the `sieve_extensions' setting + # (above), meaning that the extensions enabled with this setting are never + # available to the user's personal script no matter what is specified for the + # `sieve_extensions' setting. The syntax of this setting is similar to the + # `sieve_extensions' setting, with the difference that extensions are + # enabled or disabled for exclusive use in global scripts. Currently, no + # extensions are marked as such by default. + #sieve_global_extensions = + + # The Pigeonhole Sieve interpreter can have plugins of its own. Using this + # setting, the used plugins can be specified. Check the Dovecot wiki + # (wiki2.dovecot.org) or the pigeonhole website + # (http://pigeonhole.dovecot.org) for available plugins. + # The sieve_extprograms plugin is included in this release. + #sieve_plugins = + + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is + # left of the separator and the :detail part is right. This setting + # is also used by Dovecot's LMTP service. 
+ #recipient_delimiter = + + + # The maximum size of a Sieve script. The compiler will refuse to compile any + # script larger than this limit. If set to 0, no limit on the script size is + # enforced. + #sieve_max_script_size = 1M + + # The maximum number of actions that can be performed during a single script + # execution. If set to 0, no limit on the total number of actions is enforced. + #sieve_max_actions = 32 + + # The maximum number of redirect actions that can be performed during a single + # script execution. If set to 0, no redirect actions are allowed. + #sieve_max_redirects = 4 + + # The maximum number of personal Sieve scripts a single user can have. If set + # to 0, no limit on the number of scripts is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_scripts = 0 + + # The maximum amount of disk storage a single user's scripts may occupy. If + # set to 0, no limit on the used amount of disk storage is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_storage = 0 +} diff --git a/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext b/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext new file mode 100644 index 0000000..4a0537b --- /dev/null +++ b/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext 
@@ -0,0 +1,31 @@
+# Authentication for SQL users. Included from 10-auth.conf.
+#
+#
+
+passdb {
+ driver = sql
+
+ # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+#
+#userdb {
+# driver = prefetch
+#}
+
+userdb {
+ driver = static
+ args = uid=vmail gid=vmail home=/var/vmail/%d/%n
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+#
+#userdb {
+ #driver = static
+ #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}
+
diff --git a/ansible/roles/ispmail-dovecot/files/spam-to-folder.sieve b/ansible/roles/ispmail-dovecot/files/spam-to-folder.sieve
new file mode 100644
index 0000000..83c050e
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/spam-to-folder.sieve
@@ -0,0 +1,6 @@
+require ["fileinto","mailbox"];
+
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto :create "INBOX.Junk";
+ stop;
+}
diff --git a/ansible/roles/ispmail-dovecot/handlers/main.yml b/ansible/roles/ispmail-dovecot/handlers/main.yml
new file mode 100644
index 0000000..20efc03
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart dovecot
+ service: name=dovecot state=restarted
+- name: recompile sieve script
+ command: sievec /etc/dovecot/sieve-after
+
diff --git a/ansible/roles/ispmail-dovecot/tasks/main.yml b/ansible/roles/ispmail-dovecot/tasks/main.yml
new file mode 100644
index 0000000..41bd456
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/tasks/main.yml
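Review bot: `spam-to-folder.sieve` moves any message carrying `X-Spam-Flag: YES` into `INBOX.Junk`, but nothing in this patch adds that header on the receiving side: the spamass-milter tasks in `ansible/roles/ispmail-postfix/tasks/main.yml` are commented out, so the header arrives exactly as the sending system set it. Until the milter is enabled and inbound `X-Spam-*` headers are stripped before scanning, the rule is steered entirely by sender-supplied data and legitimate mail that happens to carry the header is silently filed away. A comment in the script would make the dependency explicit, e.g. `# expects X-Spam-Flag to be set by the local spamass-milter; do not trust it from outside`.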
@@ -0,0 +1,52 @@ +--- +- name: Create the vmail group + group: name=vmail gid=5000 +- name: Create the vmail user + user: name=vmail uid=5000 group=vmail home=/var/vmail +- name: Create mailbox directory + file: path=/var/vmail state=directory owner=vmail group=vmail +- name: Allow LOGIN authentication method for Outlook clients + lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^auth_mechanisms =' line='auth_mechanisms = {{ispmail_dovecot_auth_mechanisms}}' backrefs=yes + notify: restart dovecot +- name: Disabling system authentication + lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^!include auth-system.conf.ext' line='#!include auth-system.conf.ext' backrefs=yes + notify: restart dovecot +- name: Enabling SQL-based authentication + lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^\#!include auth-sql.conf.ext' line='!include auth-sql.conf.ext' backrefs=yes + notify: restart dovecot +- name: Copying SQL authentication configuration (auth-sql.conf.ext) + copy: src=auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext + notify: restart dovecot +- name: Copying mailbox and namespace configuration (10-mail.conf) + copy: src=10-mail.conf dest=/etc/dovecot/conf.d/10-mail.conf + notify: restart dovecot +- name: Copying service configuration (10-master.conf) + copy: src=10-master.conf dest=/etc/dovecot/conf.d/10-master.conf + notify: restart dovecot +- name: Copying SSL configuration (10-ssl.conf) + copy: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf + notify: restart dovecot +- name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin) + copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf + notify: restart dovecot +- name: Copying mailboxes configuration (15-mailboxes.conf - autocreate folders) + copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf + notify: restart dovecot +- name: Copying SQL access configuration (dovecot-ssql.conf.ext) + template: src=dovecot-sql.conf.ext.j2 
dest=/etc/dovecot/dovecot-sql.conf.ext + notify: restart dovecot +- name: Fixing ownership and mode of dovecot.conf + file: path=/etc/dovecot/dovecot.conf group=vmail mode=0644 + notify: restart dovecot +- name: Fixing ownership and mode of dovecot-sql.conf.ext + file: path=/etc/dovecot/dovecot-sql.conf.ext owner=root group=root mode=0640 + notify: restart dovecot +- name: Create directory for global sieve-after scripts + file: path=/etc/dovecot/sieve-after state=directory +- name: Create global sieve-after script to send spam to its mail folder + copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve-after/spam-to-folder.sieve + notify: recompile sieve script +- name: Copying Sieve plugin configuration (90-sieve.conf) + copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf + notify: restart dovecot + diff --git a/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 b/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 new file mode 100644 index 0000000..9d044b7 --- /dev/null +++ b/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 
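Review bot: The `template` task that renders `dovecot-sql.conf.ext` sets no `owner`/`group`/`mode`, so the file — which contains `ispmail_mysql_mailuser_password` — is first created with the module's default mode (usually 0644) and only tightened to 0640 by the later "Fixing ownership and mode of dovecot-sql.conf.ext" task; putting `owner=root group=root mode=0640` on the template task itself closes that window and makes the extra task unnecessary. The three `lineinfile` edits of `10-auth.conf` use `backrefs=yes`, which means a non-matching regexp (for example a package that ships `auth_mechanisms` with different spacing) leaves the file untouched and the task still reports ok, so system authentication would stay enabled and the SQL include stay commented. `group=vmail mode=0644` on `/etc/dovecot/dovecot.conf` is not explained — a one-line comment on why the vmail group is needed there would help — and the task name "Copying SQL access configuration (dovecot-ssql.conf.ext)" has a typo in the file name.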
@@ -0,0 +1,147 @@ +# This file is commonly accessed via passdb {} or userdb {} section in +# conf.d/auth-sql.conf.ext + +# This file is opened as root, so it should be owned by root and mode 0600. +# +# http://wiki2.dovecot.org/AuthDatabase/SQL +# +# For the sql passdb module, you'll need a database with a table that +# contains fields for at least the username and password. If you want to +# use the user@domain syntax, you might want to have a separate domain +# field as well. +# +# If your users all have the same uig/gid, and have predictable home +# directories, you can use the static userdb module to generate the home +# dir based on the username and domain. In this case, you won't need fields +# for home, uid, or gid in the database. +# +# If you prefer to use the sql userdb module, you'll want to add fields +# for home, uid, and gid. Here is an example table: +# +# CREATE TABLE users ( +# username VARCHAR(128) NOT NULL, +# domain VARCHAR(128) NOT NULL, +# password VARCHAR(64) NOT NULL, +# home VARCHAR(255) NOT NULL, +# uid INTEGER NOT NULL, +# gid INTEGER NOT NULL, +# active CHAR(1) DEFAULT 'Y' NOT NULL +# ); + +# Database driver: mysql, pgsql, sqlite +#driver = + +# Database connection string. This is driver-specific setting. +# +# HA / round-robin load-balancing is supported by giving multiple host +# settings, like: host=sql1.host.org host=sql2.host.org +# +# pgsql: +# For available options, see the PostgreSQL documention for the +# PQconnectdb function of libpq. +# Use maxconns=n (default 5) to change how many connections Dovecot can +# create to pgsql. 
+# +# mysql: +# Basic options emulate PostgreSQL option names: +# host, port, user, password, dbname +# +# But also adds some new settings: +# client_flags - See MySQL manual +# ssl_ca, ssl_ca_path - Set either one or both to enable SSL +# ssl_cert, ssl_key - For sending client-side certificates to server +# ssl_cipher - Set minimum allowed cipher security (default: HIGH) +# ssl_verify_server_cert - Verify that the name in the server SSL certificate +# matches the host (default: no) +# option_file - Read options from the given file instead of +# the default my.cnf location +# option_group - Read options from the given group (default: client) +# +# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock +# Note that currently you can't use spaces in parameters. +# +# sqlite: +# The path to the database file. +# +# Examples: +# connect = host=192.168.1.1 dbname=users +# connect = host=sql.example.com dbname=virtual user=virtual password=blarg +# connect = /etc/dovecot/authdb.sqlite +# +#connect = + +# Default password scheme. +# +# List of supported schemes is in +# http://wiki2.dovecot.org/Authentication/PasswordSchemes +# +#default_pass_scheme = MD5 + +# passdb query to retrieve the password. It can return fields: +# password - The user's password. This field must be returned. +# user - user@domain from the database. Needed with case-insensitive lookups. +# username and domain - An alternative way to represent the "user" field. +# +# The "user" field is often necessary with case-insensitive lookups to avoid +# e.g. "name" and "nAme" logins creating two different mail directories. If +# your user and domain names are in separate fields, you can return "username" +# and "domain" fields instead of "user". 
+# +# The query can also return other fields which have a special meaning, see +# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields +# +# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables +# for full list): +# %u = entire user@domain +# %n = user part of user@domain +# %d = domain part of user@domain +# +# Note that these can be used only as input to SQL query. If the query outputs +# any of these substitutions, they're not touched. Otherwise it would be +# difficult to have eg. usernames containing '%' characters. +# +# Example: +# password_query = SELECT userid AS user, pw AS password \ +# FROM users WHERE userid = '%u' AND active = 'Y' +# +#password_query = \ +# SELECT username, domain, password \ +# FROM users WHERE username = '%n' AND domain = '%d' + +# userdb query to retrieve the user information. It can return fields: +# uid - System UID (overrides mail_uid setting) +# gid - System GID (overrides mail_gid setting) +# home - Home directory +# mail - Mail location (overrides mail_location setting) +# +# None of these are strictly required. If you use a single UID and GID, and +# home or mail directory fits to a template string, you could use userdb static +# instead. For a list of all fields that can be returned, see +# http://wiki2.dovecot.org/UserDatabase/ExtraFields +# +# Examples: +# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u' +# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u' +# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u' +# +#user_query = \ +# SELECT home, uid, gid \ +# FROM users WHERE username = '%n' AND domain = '%d' + +# If you wish to avoid two SQL lookups (passdb + userdb), you can use +# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll +# also have to return userdb fields in password_query prefixed with "userdb_" +# string. 
For example:
+#password_query = \
+# SELECT userid AS user, password, \
+# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+# FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users
+
+driver = mysql
+connect = host=127.0.0.1 dbname=mailserver user=mailuser password={{ispmail_mysql_mailuser_password}}
+default_pass_scheme = SHA256-CRYPT
+password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
+
diff --git a/ansible/roles/ispmail-packages/tasks/main.yml b/ansible/roles/ispmail-packages/tasks/main.yml
new file mode 100644
index 0000000..e597603
--- /dev/null
+++ b/ansible/roles/ispmail-packages/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: install required binary packages
+ apt: name={{item}} state=installed update_cache=yes
+ with_items:
+ - mysql-server
+ - postfix
+ - postfix-mysql
+ - swaks
+ - dovecot-mysql
+ - dovecot-pop3d
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-managesieved
+ - phpmyadmin
+ - spamass-milter
+ - spamassassin
+ - pwgen
+ - patch
+- name: purge Exim installation
+ apt: name={{item}} state=absent purge=yes
+ with_items:
+ - exim4
+ - exim4-base
+ - exim4-config
+ - exim4-daemon-light
+
+- name: make sure mysql-server is started
+ service: name=mysql enabled=yes state=started
+
diff --git a/ansible/roles/ispmail-postfix/files/etc-default-spamassassin b/ansible/roles/ispmail-postfix/files/etc-default-spamassassin
new file mode 100644
index 0000000..aa63eff
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/files/etc-default-spamassassin
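Review bot: The `connect` line interpolates `{{ispmail_mysql_mailuser_password}}` unquoted into a space-separated key=value string, and the comment block above in this same file states that parameters cannot contain spaces; a generated password containing a space would break the connect string (or be cut short without any error from Dovecot). Either document the no-whitespace constraint where the variable is defined, or derive the password from a character set that excludes it. The file header also says the file "should be owned by root and mode 0600" — a short note that the Ansible task is what enforces the ownership and mode on the rendered file would keep the two in sync.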
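Review bot: `state=installed` on both `apt` tasks is a legacy alias of `state=present`; newer Ansible releases warn about or drop it, so `state=present` is the portable spelling. `update_cache=yes` inside a `with_items` loop re-runs the cache refresh once per package name — passing the package list to a single `name:` (or updating the cache in one separate task) avoids that. `phpmyadmin` is installed here, but in the part of this patch I can see nothing restricts where it is reachable from; a comment pointing to where that is handled (or a TODO if it is not yet) would help the next reader.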
@@ -0,0 +1,35 @@
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# If you're using systemd (default for jessie), the ENABLED setting is
+# not used. Instead, enable spamd by issuing:
+# systemctl enable spamassassin.service
+# Change to "1" to enable spamd on systems using sysvinit:
+ENABLED=0
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir -x -u vmail"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Otherwise, the init script will not be able to shut spamd down.
+PIDFILE="/var/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1
+
diff --git a/ansible/roles/ispmail-postfix/files/spamassassin.patch b/ansible/roles/ispmail-postfix/files/spamassassin.patch
new file mode 100644
index 0000000..825f989
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/files/spamassassin.patch
@@ -0,0 +1,11 @@
+--- /usr/share/perl5/Mail/SpamAssassin/Util.pm.orig 2014-08-22 00:08:39.185602751 +0200
++++ /usr/share/perl5/Mail/SpamAssassin/Util.pm 2014-08-22 00:09:18.330883723 +0200
+@@ -285,7 +285,7 @@
+ my $r = ref $_[0];
+ if (!$r) {
+ no re 'taint'; # override a "use re 'taint'" from outer scope
+- return if !defined $_[0];
++ return undef if !defined $_[0];
+ local($1); # avoid Perl taint bug: tainted global $1 propagates taintedness
+ $_[0] =~ /^(.*)\z/s;
+ return $1;
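Review bot: `OPTIONS` runs spamd with `-u vmail` while `PIDFILE` stays at `/var/run/spamd.pid`; the comment directly above `PIDFILE` in this file says the pid file must be writable by that user when `-u` is used, and `/var/run` is normally root-owned, so the init script may be unable to stop spamd. Pointing `PIDFILE` at a directory spamd can write as vmail, or adding a comment confirming that this spamd version writes the pid before dropping privileges, would settle it. Note that the only task deploying this file is commented out in `ansible/roles/ispmail-postfix/tasks/main.yml`, so none of these settings take effect yet.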
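Review bot: No task in this patch applies `spamassassin.patch` (the `patch` package is installed, but the spamassassin tasks are commented out), so the file is dead weight until it is wired up. A header comment explaining what the `return` → `return undef` change in `Mail::SpamAssassin::Util` fixes and which SpamAssassin version it targets would help, because the embedded timestamps are from 2014 and the target under `/usr/share/perl5` is owned by the distro package and will be overwritten on the next upgrade. Whatever task eventually applies it needs an idempotence guard so a re-run does not fail on an already-patched file.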
diff --git a/ansible/roles/ispmail-postfix/handlers/main.yml b/ansible/roles/ispmail-postfix/handlers/main.yml
new file mode 100644
index 0000000..fd520ac
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart postfix
+ service: name=postfix state=restarted
+
+- name: restart spamassassin
+ service: name=spamassassin state=restarted
+
diff --git a/ansible/roles/ispmail-postfix/tasks/main.yml b/ansible/roles/ispmail-postfix/tasks/main.yml
new file mode 100644
index 0000000..88b6ff3
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/tasks/main.yml
@@ -0,0 +1,84 @@ +--- +- name: define Postfix virtual mailbox domain mapping + template: src=mysql-virtual-mailbox-domains.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-domains.cf + notify: restart postfix +- name: tell Postfix to use the virtual mailbox domain mapping + command: postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf + +- name: define Postfix virtual mailbox mapping + template: src=mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf + notify: restart postfix +- name: tell Postfix to use the virtual mailbox mapping + command: postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf + +- name: define Postfix virtual alias mapping + template: src=mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf + notify: restart postfix +- name: tell Postfix to use the virtual alias mapping + command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf + +- name: define Postfix email-to-email mapping (required for catchall domains) + template: src=mysql-email2email.cf.j2 dest=/etc/postfix/mysql-email2email.cf + notify: restart postfix +- name: tell Postfix to use the email-to-email mapping + command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf + +- name: Restricting access to database mapping files that contain a password + file: path=/etc/postfix/mysql-{{item}}.cf mode=0640 + with_items: + - virtual-mailbox-domains + - virtual-mailbox-maps + - virtual-alias-maps + +- name: Make Postfix use LMTP to send emails to Dovecot + command: postconf virtual_transport=lmtp:unix:private/dovecot-lmtp + +- name: Restricting delivery to Dovecot to one email at a time + command: postconf dovecot_destination_recipient_limit=1 + +- name: Setting SMTP authentication type to dovecot + command: postconf smtpd_sasl_type=dovecot + +- name: Setting SMTP authentication path/socket + command: 
postconf smtpd_sasl_path=private/auth + +- name: Enabling SMTP authentication + command: postconf smtpd_sasl_auth_enable=yes + +- name: Setting SMTP encryption security level + command: postconf smtpd_tls_security_level=may + +- name: Setting SMTP encryption security level + command: postconf smtpd_tls_security_level=may + +- name: Enforce SMTP encryption + command: postconf smtpd_tls_auth_only=yes + +- name: Set TLS encryption certificate + command: postconf smtpd_tls_cert_file=/etc/ssl/certs/mailserver.pem + +- name: Set TLS encryption key + command: postconf smtpd_tls_key_file=/etc/ssl/private/mailserver.pem + +# - name: Enabling Spamassassin milter +# command: postconf smtpd_milters=unix:/spamass/spamass.sock + +# - name: Configuring Spamassassin milter +# command: postconf milter_connect_macros="i j {daemon_name} v {if_name} _" + +# - name: Setting spamd options +# copy: src=etc-default-spamassassin dest=/etc/default/spamassassin +# notify: restart spamassassin + +# - name: Adding user spamass-milter to debian-spamd group +# user: name=spamass-milter groups=debian-spamd +# notify: restart spamassassin + +# - name: Enabling spamd at startup +# command: systemctl enable spamassassin + +- name: Allow emails up to 40 MB large + command: postconf message_size_limit=41943040 + +- name: Make Postfix listen on all interfaces + command: postconf inet_interfaces=all diff --git a/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2 new file mode 100644 index 0000000..0d6ea98 --- /dev/null +++ b/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2 @@ -0,0 +1,5 @@ +user = mailuser +password = {{ispmail_mysql_mailuser_password}} +hosts = 127.0.0.1 +dbname = mailserver +query = SELECT email FROM virtual_users WHERE email='%s' 
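Review bot: The "Restricting access to database mapping files that contain a password" task lists only `virtual-mailbox-domains`, `virtual-mailbox-maps` and `virtual-alias-maps`, so `/etc/postfix/mysql-email2email.cf` — rendered from the same kind of template with `{{ispmail_mysql_mailuser_password}}` — keeps the template's default mode and stays readable by every local account; add `- email2email` to that `with_items`. The same task sets `mode=0640` without a `group`, and I see no `group=postfix` anywhere in this patch: if the files stay root:root, the Postfix daemons that query these maps run as the postfix user and, as far as I can tell, cannot read them, so `group=postfix` belongs on that `file` task (or `owner=root group=postfix mode=0640` on each `template` task, which also removes the world-readable window between rendering and tightening). Separately, none of the `command: postconf ...` tasks carries `notify: restart postfix`, so settings such as `smtpd_tls_auth_only=yes` are not live until something else restarts Postfix, and the "Setting SMTP encryption security level" task appears twice.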
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
new file mode 100644
index 0000000..ba49b2f
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
@@ -0,0 +1,5 @@
+user = mailuser
+password = {{ispmail_mysql_mailuser_password}}
+hosts = 127.0.0.1
+dbname = mailserver
+query = SELECT destination FROM virtual_aliases WHERE source='%s'
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
new file mode 100644
index 0000000..443f77c
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
@@ -0,0 +1,5 @@
+user = mailuser
+password = {{ispmail_mysql_mailuser_password}}
+hosts = 127.0.0.1
+dbname = mailserver
+query = SELECT 1 FROM virtual_domains WHERE name='%s'
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
new file mode 100644
index 0000000..0207bbb
--- /dev/null
+++ b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
@@ -0,0 +1,5 @@
+user = mailuser
+password = {{ispmail_mysql_mailuser_password}}
+hosts = 127.0.0.1
+dbname = mailserver
+query = SELECT 1 FROM virtual_users WHERE email='%s'
diff --git a/ansible/roles/ispmail-webmail-apache/handlers/main.yml b/ansible/roles/ispmail-webmail-apache/handlers/main.yml
new file mode 100644
index 0000000..3a5124c
--- /dev/null
+++ b/ansible/roles/ispmail-webmail-apache/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart apache
+ service: name=apache2 state=restarted
+
diff --git a/ansible/roles/ispmail-webmail-apache/tasks/main.yml b/ansible/roles/ispmail-webmail-apache/tasks/main.yml
new file mode 100644
index 0000000..b33cd17
--- /dev/null
+++ b/ansible/roles/ispmail-webmail-apache/tasks/main.yml @@ -0,0 +1,18 @@ +- name: Install required binary packages + apt: name={{item}} state=installed + with_items: + - apache2 + - libapache2-mod-php + notify: restart apache +- name: Create Apache vhost configuration for HTTPS (RoundCube and PHPmyadmin) + template: src=webmail.conf-443.j2 dest=/etc/apache2/sites-available/default-ssl.conf + notify: restart apache +- name: Enable Apache vhost for HTTPS + command: /usr/sbin/a2ensite default-ssl creates=/etc/apache2/sites-enabled/default-ssl.conf + notify: restart apache +- name: Create Apache vhost configuration for HTTP (redirect to HTTPS) + template: src=webmail.conf-80.j2 dest=/etc/apache2/sites-available/000-default.conf + notify: restart apache +- name: Enable Apache SSL module + command: /usr/sbin/a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.conf + notify: restart apache diff --git a/ansible/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2 b/ansible/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2 new file mode 100644 index 0000000..6019705 --- /dev/null +++ b/ansible/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2 
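Review bot: The "Create Apache vhost configuration for HTTP" task renders `webmail.conf-80.j2`, but the only Apache template I can see added in this patch is `webmail.conf-443.j2`; unless `webmail.conf-80.j2` already exists in the role, the play fails at that task on first run. `apt: state=installed` is the same legacy alias of `state=present` used in the packages role and should change with it. The `creates=` guards on `a2ensite` and `a2enmod` are good; a short comment that enabling the SSL vhost before `a2enmod ssl` is fine only because the handler restarts Apache once at the end would spare the next reader the worry about ordering.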
@@ -0,0 +1,139 @@ + + + ServerAdmin {{ ispmail_postmaster_address }} + ServerName {{ ispmail_webmail_hostname }} + + Include /etc/roundcube/apache.conf + Alias / /var/lib/roundcube/ + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/webmail.error.log + CustomLog ${APACHE_LOG_DIR}/webmail.access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/mailserver.pem + SSLCertificateKeyFile /etc/ssl/private/mailserver.pem + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. 
+ # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet + diff --git a/ansible/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 b/ansible/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 new file mode 100644 index 0000000..59589bc --- /dev/null +++ b/ansible/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 @@ -0,0 +1,6 @@ + + ServerAdmin {{ ispmail_postmaster_address }} + ServerName {{ ispmail_webmail_hostname }} + + Redirect permanent / https://{{ ispmail_webmail_hostname}}/ + 
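Review bot: The vhost pins the certificate and key paths but no protocol or cipher policy, so `SSLEngine on` inherits whatever the global mods-enabled/ssl.conf happens to contain; pin it here with `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (adjust to the expected clients) and an explicit `SSLCipherSuite`. The HTTP vhost in this commit redirects everything to HTTPS, yet no HSTS header is set; `Header always set Strict-Transport-Security "max-age=31536000"` closes that gap and needs mod_headers enabled in the tasks file. The `BrowserMatch "MSIE [2-6]"` and `MSIE [17-9]` workarounds and the long commented-out client-certificate and CRL sections are Debian's default-ssl.conf boilerplate and are dead for this deployment; dropping them makes the template reviewable. The container tags (`<VirtualHost>`, `<FilesMatch>`, `<Directory>`) appear to have been lost in this rendering of the hunk, so their contents could not be checked.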
diff --git a/ansible/roles/ispmail-webmail/files/ispmail-logo.png b/ansible/roles/ispmail-webmail/files/ispmail-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..062946db20523bbe678b56a54fc52c8c3db3567b GIT binary patch literal 7202 zcmYjWbx<5nu-@Zv2u^Sb8r*|RkPw1~1a}MW?niKU3GM`!!#%hJ4GzIwFSzsWSMUAt zdTVy3W@~3^X1c%rx+h#kN%j>wDLMcEujD>TtHSGAc;P}thQE`4e58O^$j0)r(!k4q zPi{v^BD@F9;iHx_0AS$%S3p2|CNaDd#YIk024xK$371r0p2U0<0LZH4q~Cw_SUS=5 z)J)X4_QS`Mlw3eWlKwt|<%&WiEu>bejZ~r2U~;r%Wo=DSueR)X@RMRnh+Sys(o`v9Adwcd3NUB9c8{?%ks^t^MvO_2T@Ig zT7@xTxn@7JdhP!;fC(rFa6q62PnuGYmWxz7{4AlpTuQ(Oael}~ z21-B`$T;BKi!;YK5B1DP_5f>C1yap{Zh3i~)?zwL2swlTQjYsYOx(c0QCZdJqA*ld zTNvp6_^Ao#Rs%GK)@*>0wO&YGwASx>DCU2^G8o^qPs4BYqjEKuu(11`;zQQZRRri0t5qnJ>(r(enoi4*WY4pLuE>F zR_vp@i~$LIR7Y8-gdEK{BSCh>Yjqu8b@!=&e`y-B?Z22{c7L;=AjTMdFFbN@0OF*A z0FXG%5A2}gbWIVq1D;qP4(c3|^DI0_gpXaLp$|ET_xCf5gQ@nN-=v4^W2krui+UBYJ^ZBvZ{ST=$(=+2miufp3jnKE@lFfD4VkZMd2>jaXUKrP{|% zcN)Vva2&!RF65vqC3MOqTaXf55hJZs)f=W*! zEsCTsMxr~1hl-gZt}>b)BEoE}$UBo@AvJ=dYWDBdh|ybEompvVoke8tBT--)1qKnI zC;o5@{e0GOvr5j-&mWtfo*q%D)Aal_%F!hvtKUuu`9oyj!}WcpjqiZn)*Z#$OLHo~Zeo%#OTXHi zx}1Z9qsv+D88(0xy0n?85;FD2ObwwKah)4<%{RU4hMi6J<4SJ`Ku47z1w?3gbd(^* zQk_I#2Wt6v@DIQZaY%P00V+=|KhKM6{p;OVi4g~SS7989i?@*qU`?4Nnj%WUQrTrC zao7#ru@xQiIxZ0rk>mbk9)+8mTVus{)zYv1eSJO-*T;)GrXsDJn9l997&{IFpk`&( zobOSQOn1MO-X6Ncj-}8j_6>v*eJuWrxR)TyC_NZW9_1+IKA!I3mMT@UTKr`G$=2c8 zc=ukttgXG4J82!*e)@)g6X<)Y)1$Nib}%R2{T>err&*th55NZ;7`okK!^6?CxJ(8{ z0|Ej>;nId0EGZly(XCNFtDXF*sH(KIl!cj@dGz=1_FCKJ#*3?~tNx_m*~C`ilHy`^ zg2?{PEFsr(7gtwT+;C}0_>X)4JanT!{Hahc=ZlVxo<2W6FU!o#e9RJd*Z(~>=KGOB zi|q$_#0xGpMu}3EP!cjH0H3jqf6d2vXc1~ol_1ud26MDE^2DNUU(4M<0=%YQNCdg< zHg}wvN`D-nFkX{$o?4j8ouN@o%A#aTEObGY?Om=9qMuD(5IGf+wO2j5is>}8-S*n` zrlP;BTFGolqBFW8=XQRKn*Wj_fGR=V%Q+YYxpkE+oxwE}0PmAhQ2h1Z8i;njzdXRV zu{=^^PG;ukzu5}_qg2s!TQhLvGxlE{aFfe<2d)qNzZP103`@Mn~of&4d z^vj3ybsfEeuzK_L%rJeoGvd1MdUpVJiDJgPUKon^_3_={N{cggyuX_{@we1?_jefG zig+L8#%d5xfwJd%FIlIV^2AMTzPPE>vG9|N=Gwe*>!l?F^jid@1$)jP8CUnaK9;tY 
zmOCAou8yZ9dxt3Vfg~N-J3sk=X;4%?N~|k(RCro5nj0MimL}?b%_1i!XT1bA1ZtpA zD1NxK-rJWS%E`-OP8ow+A7o@+3ArB57?_xtpd_YlNN7>VfSycE=pZ{JXbLUJFN09( zect}-wDMHz^#^{i3YD18Em4E^6TxlLr=t7r0I){*QD2(o>R3a3N&tW}&EKColQuSV>P`M zgq#cr=UJ!_c?k)~OR-|cYe4}4)SM#M@bK`#QtBwFDd`D1xOO=$wK(q?=c()~s-p>` zzqNre(Va9gN|;k|?TkX72vh=!7uJmemBsk%$Z3Jy&+n_lBB;oJ-oCe>3!6<;lg`e} z^l_gpQ`7k*FVFIoIk~a9x!LCKd?#Z9u9G=^#6lQpSdqGDfYAJSw&;>7PB=w@y1k%} z?y3q&!u3i1Q5XFSMs7Pyd!+Lz=h9!U{PS-dVF3f0@=;f*oHP?-b*MrR4n$s3vWL#x z+#E$auekU_i|f(csQGwiOLA(eMjqU{_4W1L-oJm(E)|M(6%!GGzQ5MxAE(P+yx z@z&C=BJT*Cd-wq=seq7g0v0&urHxYoMboIG2!U(puO#gMe26Q{7tm`|Bn8fcf`Wd- z3yo?Fo&+CZ-;!(G8rA9g0#i=!Mo^mSA;s&f4=%@4vDr#@dq@3(CH}Aj3ef|kKn*Pe zx4n`?g9)_RpN00zXeVdB={5EShSe~3`*s@KCM09$nOFcKz{*;Ylh>nT-{HEuJ)HQX z52YNO%gW3=O+-kzm?_}+9i@9NVtyQZ@18MEuP zZnwktjEsmw--n-uMpE+VgS2!ISU{3BCk2=d&@@LGIsf+)ZM2RNojJU_2=A37v-Uh* z$6!!Hp4MwOGo!)bfErQuJ~cc%L+7_~%tL2n!?d(76MP#H#9Ny=sdE_Eu~D4})HAx1 zch7ZQuf|72-06MSHq)5Or^it#bY(kHFRch-CrVB|bk;Q01b+1H%ykIb--$DJJxy^s z2-p+-?YiKYKD7>^ZlsIs15-P=y4n)r?rm@Ls?KQO6DriSbHg?3c_^ONiaEm+twcxG zqwf;}fq931EPUUchlhuGEM>x_r;|6^GC&KmA3h+%@m?AcE}q`r?#^)ZbaZsY#Xv;R zp^P;zP%WK-_q@{5(sG}#&`QkC%F-L%yRc1R)tYu+X?8Svets5HQc}Va%Bs?0NMxcE z^U+L7PxrdJm=G72L69RukRUub>hfGYS#FBOMn@;z+}PMSIy_uj{PpXXJ~a-Ek2G3| zJ(VRQGE$yHx7ooJZVaWQ(Zx|Utg(wQ5G2hgjrPO$MlR&?g^Q2aKvm!iEWPM7U@u0B zw#7#f(Yq6mD{8jpUuATO{Oo!g=`G{hh5m|O4SoHmapAKHWktmf zNp&VRrrsQ*G&))n?&KLud6&+2`8=uZ+s52nO9%&F0hAlcF5mH~e%t0ElVtCw>G5PL zrOdtKjR*Oa!NKp@T)5Lcko}CazXB~=O5;EN767RCul#ma82uFq7SV#FFkQtx_Zq$+ zHC20qJcc=Icx1t~odvDM#l>pr4ww5=V!^?|7&pg@JO%D&s~f;0a0|fbgk<^pP>c)cEyKc2%utNVTm|y_Hj>(zuS@Lp=pgL$B>P)#Iz@|_$uHlmQ`g{wXHRGFS9c3MzWy*j5{#6q* zza}C|-8>*D|7;-6%X|4VG4ankc+VL8W66$_CrepbMTNrMlq^-z!|m-cZxInbKF{xN zJZRgH>3o%58>|;woIH)kd^`mPgCWYw4!YXe*%^#wi$2)E?Z3POBo%^rpq$*#6K`vc zjbf7!i8Lwhv+xrgOFOT@v5Wnf8 zA~#lpndcgnwqOM}o8tzV4`u4h!M(5C+OtbrxxHb|FayIW{(O0TO~PdxVVLJ@ZDV>M zT7iLuMA+>(eS3R*$Is7Cj6rsIAmk66??C*X?vZ}yi2JWh7s64ZlZAYnXBEMbiju8%Awz{94nsB~Z%yLb~7Jr0^K$hvigQ~XYaIh2&?X6vd 
znok&ln|cE4dUhGyWi>Z&fNLhs#plJu>ysf&-UPHz zm_5Os@y_q|6> z*x1`^;(7DtP4GE%`S%$QCQom|I3XcnGMip2Z?ZAELJM949cKbqGy)X&-EgJL)k}I(`oVy8UCY)a0WcdrhK zi(c;K`FNX8keg$#sfJj7OE04m7$PfwKu81RgI8l{!=bgYIOI*8|(P*j#`qxV3ZMYUSgv2-?X%F{^BtYS&DZK`|_j>pWaa~e7TsSD)6~}&eRy+ zaA;?>sm@<_Q^$eu40P6CMrCE^k1R+i&#kQJHd+2Dj)2qrEH@{oLvH)k_V=~5wSm38 zy-&lDo}Ypw^G?dt${Auvcy`6i!k2A5c}W$WwY9Yedf=$P+UCxYV+t)ylCi<)JAVGg z2dLTFR?eX2E+i6Ye^QJdsYt?K|fa z$Mp?nYQECtK8SW4q%Zv9ce~L31Aox}<|Q+Hnz%H8K z{OP?gLjk>(l(W|*14F7zVe3G4*$n)%Z4o3Em z1`Ro!p|JUa7O=v?=EUVL-*Ue^u6pPhJ&(yr#`}JruH})H^t#G`5VlV?JPpKSeSJ=q%oZkv5Axm_6-<I=SAwht+}Nm+QfyKC628H}a!--QF0Cp?BXLl4g9 z=I3v!03VtyX*;g0tO&&?E6s$+kfQ=wqOD8`*vAXPwjQzi!FT*9%D&ci=M8OyD{=Zy z3|mMBWhT8_NXNnnUhl7)-@r0nQJJTE+ow(xyMP?Z*+?g*JMe8_oAqX+DI0L&du3^9 zshG4jbU&h7SJ(#N#FFq7&th6zSs8!H8zbnl;uRW5{AwepJzX-!>AQcaRk;K`obnF! zl+2qPA1Z7J*h$Uc{N_R&aXn+noBpkL!32)IdGIx}^(0<)B{X~22Z6dDz97p2FgMpD zCwitU)$lgidAY8gUe8tPxQ7*~XMnhlgocKsbacMRiC_q{IbR*l zI%O#hI=j1{S@pnOpsz`wQZhVhAXCjenyVz+Iz6pYfK%U<4sQ*t+~33<$hpfk8XxRd z8_q1qyGg><^qURrUgpjumr6(Ip#~=n99MQ|siVon%)^xYyBovd$K|^c75pY7w}AA2 z<1xLC%mS!6Icv-f4Gkx*>$NM@t@-U%JfbvF=$V>YDsu_g$U+uM*bE(6wXC8QzVFSN zD7%z{hS1T`PeVgP#T)ean3+c|9`7#fH919Ce@xWYh*^IA{JFNg+?pe>FI);9@kS-H zXei-C_7_AaO?AgC_Sf_HqhGtdMMXQw5HUK`nHG;CW;YtcK8*`(yzf)hpZ%MPR!_%55TN|nu8T`f1+znu1k zWc}T>$xYrKK=Vp zpkK`|L!0+hK=X?DJKT@Za zhYD5Sk=;x7&5Q3h4BL+jWjnIdH&SyP8HB7Eh`4^02n*CHmZ;!LK{Bco)K=np3s;FJ z>n~rv_OB-R}|+UDc)kHuV*w~W;G0oPL>+1bF?e%8k!37^Ye*qsphK@VYJzu zZznOj2>@XhmJutg)2FWY(Bfz^3d&7E&IO&{eNm`gohG9O%4;LTO0yRA8mR0-bOO&l zPmLha@_y8Z51nOS6wWq5QfGTpV!Hd7{YZM~z z;OV)uv-7X0h{y^#1qB5n0w`y6$7#sXR}C(Da3whSw>4Pp^K>=e#f|wzai9C$`ug|d zE=?7dM0eNAs-v=kn`S=|#ZXnzUhwS%bpjylxx>GAPVy+V`Ats4UB5D^h+ zU07a@w6V3dbrH(aFP}X$<^E9zpSl!oaIJ-fh1BrGtaWe5s{>P~i+|hb!7e;k|2_gI zT&6>D>+n3>yrh&ASVUA*I8vIXtw1*RG!35GYVvS0JA$H8Nl^8C!=&qU!6B2lxNGbO zhf41ZDy8M4Qi&++Pc>w0d#=QdMAUuhML~*2MSUflRrBCM0L1IBWr}ju9mxZ32%4to zeZ}m`M(+oajgATBV}k7PHx9tD#|cVQPey;*RqJh1=5c+!5n9JB9yVW-B!jpI@fK8h 
zb4#Bs!m8xST$^NLU84m|@oIHsvnHK*M^cQH7o_7ixQZCKwH7ZMGQ#gQstK_KVdSg}XGzqLf1clQUQymN&1z%%Bt~hH4<1w}9T&UTRIsao#$YtXgr^EjsAQsv$NpVmzz7!50;dMh+(V2G^+|{| z_4L#>T3){XTI6ARnelD&z4|J$nCds7OVgWxfpidwc?-QsSj<1@jJd~ED%NgwtrzYzVYdnp-=}@Uh>!P9 zMBl`s+Rr_IuuomKQ)Ifh#2~J%lC6tF7(_;PIDvh@MqJl%G0uR`{nZgvm&ID{_1N^YOCe=oOiS6d=Mm3<(Mw72b+uOH*!_Ie!mka# z?NM5)53%82g0N!<{O|fB5|Ro7p~KP&V4T0JsV}S=#~EJw(tjzmzR4anxclgv`gWN+ zBErxiML+_~lm#SJDRjKYVMtj1NEFVvQ9X|!AcL@oJ7@HNmt+6$o($gXvcK~WY>7@z UqxNEl-{t{wGD^}_l7`>^2Ur;a>i_@% literal 0 HcmV?d00001 diff --git a/ansible/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php b/ansible/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php new file mode 100644 index 0000000..cc53cb0 --- /dev/null +++ b/ansible/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php 
@@ -0,0 +1,101 @@ +// Taken from /usr/share/roundcube/plugins/managesieve/config.inc.php.dist + array( +// 'verify_peer' => true, +// 'verify_depth' => 3, +// 'cafile' => '/etc/openssl/certs/ca.crt', +// ), +// ); +$config['managesieve_conn_options'] = null; + +// default contents of filters script (eg. default spam filter) +$config['managesieve_default'] = '/etc/dovecot/sieve/global'; + +// The name of the script which will be used when there's no user script +$config['managesieve_script_name'] = 'managesieve'; + +// Sieve RFC says that we should use UTF-8 endcoding for mailbox names, +// but some implementations does not covert UTF-8 to modified UTF-7. +// Defaults to UTF7-IMAP +$config['managesieve_mbox_encoding'] = 'UTF-8'; + +// I need this because my dovecot (with listescape plugin) uses +// ':' delimiter, but creates folders with dot delimiter +$config['managesieve_replace_delimiter'] = ''; + +// disabled sieve extensions (body, copy, date, editheader, encoded-character, +// envelope, environment, ereject, fileinto, ihave, imap4flags, index, +// mailbox, mboxmetadata, regex, reject, relational, servermetadata, +// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. +// Note: not all extensions are implemented +$config['managesieve_disabled_extensions'] = array(); + +// Enables debugging of conversation with sieve server. Logs it into /sieve +$config['managesieve_debug'] = false; + +// Enables features described in http://wiki.kolab.org/KEP:14 +$config['managesieve_kolab_master'] = false; + +// Script name extension used for scripts including. Dovecot uses '.sieve', +// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled. +$config['managesieve_filename_extension'] = '.sieve'; + +// List of reserved script names (without extension). +// Scripts listed here will be not presented to the user. 
+$config['managesieve_filename_exceptions'] = array();
+
+// List of domains limiting destination emails in redirect action
+// If not empty, user will need to select domain from a list
+$config['managesieve_domains'] = array();
+
+// Enables separate management interface for vacation responses (out-of-office)
+// 0 - no separate section (default),
+// 1 - add Vacation section,
+// 2 - add Vacation section, but hide Filters section
+$config['managesieve_vacation'] = 0;
+
+// Default vacation interval (in days).
+// Note: If server supports vacation-seconds extension it is possible
+// to define interval in seconds here (as a string), e.g. "3600s".
+$config['managesieve_vacation_interval'] = 0;
+
+// Some servers require vacation :addresses to be filled with all
+// user addresses (aliases). This option enables automatic filling
+// of these on initial vacation form creation.
+$config['managesieve_vacation_addresses_init'] = false;
+
+// Supported methods of notify extension. Default: 'mailto'
+$config['managesieve_notify_methods'] = array('mailto');
diff --git a/ansible/roles/ispmail-webmail/tasks/main.yml b/ansible/roles/ispmail-webmail/tasks/main.yml
new file mode 100644
index 0000000..277c942
--- /dev/null
+++ b/ansible/roles/ispmail-webmail/tasks/main.yml
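Review bot: The comments copied from the .dist file no longer describe this deployment: `// I need this because my dovecot (with listescape plugin) uses ':' delimiter` is the upstream author's rationale, and `// Defaults to UTF7-IMAP` sits directly above a line that deliberately sets `'UTF-8'`. Replace them with the reason that applies here, e.g. `// UTF-8 rather than the plugin default UTF7-IMAP; confirm this matches the Dovecot/Pigeonhole setup in this role`. `$config['managesieve_conn_options'] = null;` leaves the commented `verify_peer` block inactive, which is only acceptable while the sieve server is reached over loopback; `managesieve_host` and the file's opening lines are not visible in this rendering, so a one-line comment stating that assumption next to the `null` would make the trade-off explicit. The `array()` long syntax is carried over from the dist file; `[]` is the modern form if the file is touched anyway.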
@@ -0,0 +1,21 @@ +--- +- name: adding Jessie backports repository (for Roundcube) + apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present +- name: install required binary packages + apt: name={{item}} state=installed + with_items: + - roundcube + - roundcube-plugins +- name: Creating random des_key for Roundcube + shell: pwgen 24 + register: roundcube_random_des_key +- name: Deploying Roundcube configuration + template: src=roundcube-config.inc.php.j2 dest=/etc/roundcube/config.inc.php owner=root group=www-data mode=640 +- name: Deploying Roundcube managesieve plugin configuration + copy: src=roundcube-managesieve-config.inc.php dest=/etc/roundcube/plugins/managesieve/config.inc.php mode=0640 +- name: Deploying Roundcube password plugin configuration + template: src=roundcube-password-config.inc.php.j2 dest=/etc/roundcube/plugins/password/config.inc.php owner=root group=www-data mode=640 +- name: Copy ISPmail logo + copy: src=ispmail-logo.png dest=/var/lib/roundcube/ +- name: Copy Roundcube database config file + template: src=roundcube-debian-db.php.j2 dest=/etc/roundcube/debian-db.php mode=0640 diff --git a/ansible/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2 b/ansible/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2 new file mode 100644 index 0000000..0fae756 --- /dev/null +++ b/ansible/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2 @@ -0,0 +1,90 @@ += 1.9 -- hosts: all - roles: - #- dumpvars - - ispmail-packages - - ispmail-certificate - - ispmail-database - - ispmail-postfix - - ispmail-dovecot - - ispmail-webmail - - ispmail-webmail-apache diff --git a/roles/dumpvars/tasks/main.yml b/roles/dumpvars/tasks/main.yml deleted file mode 100644 index 35d6006..0000000 --- a/roles/dumpvars/tasks/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: Dump all vars - action: template src=dumpall.j2 dest=/tmp/ansible-vars 
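Review bot: The `copy:` of roundcube-managesieve-config.inc.php and the `template:` of roundcube-debian-db.php.j2 set `mode=0640` without `owner`/`group`, while the other two config tasks use `owner=root group=www-data mode=640`; a new 0640 file owned root:root is unreadable by the web server, and debian-db.php carries the database credentials, so make all four consistent, e.g. `dest=/etc/roundcube/debian-db.php owner=root group=www-data mode=0640` (and write `0640` everywhere so the mode is never read as a decimal integer). `shell: pwgen 24` has no `creates`/`changed_when` guard, so every run produces a new `des_key` and re-templates config.inc.php, which invalidates existing sessions because Roundcube encrypts the stored IMAP password with that key; generate it once (only when the config does not exist yet) or keep it in a vault-managed variable, and make sure `pwgen` is installed by the package role, which is outside this chunk. The first task still enables `jessie-backports` although the commit title says this builds for Stretch; on Stretch roundcube is in main and the Jessie suite should not be added.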
diff --git a/roles/dumpvars/templates/dumpall.j2 b/roles/dumpvars/templates/dumpall.j2 deleted file mode 100644 index 9fe6aee..0000000 --- a/roles/dumpvars/templates/dumpall.j2 +++ /dev/null @@ -1,23 +0,0 @@ -Module Variables ("vars"): --------------------------------- -{{ vars | to_nice_json }} - -Environment Variables ("environment"): --------------------------------- -{{ environment | to_nice_json }} - -GROUP NAMES Variables ("group_names"): --------------------------------- -{{ group_names | to_nice_json }} - -GROUPS Variables ("groups"): --------------------------------- -{{ groups | to_nice_json }} - -HOST Variables ("hostvars"): --------------------------------- -{{ hostvars | to_nice_json }} - -HOST Variables for this host ({{inventory_hostname}}): ---------------------------------------- -{{ hostvars[inventory_hostname] | to_nice_json }} diff --git a/roles/ispmail-certificate/tasks/main.yml b/roles/ispmail-certificate/tasks/main.yml deleted file mode 100644 index 0ee1fb6..0000000 --- a/roles/ispmail-certificate/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Create a self-signed certificate - command: > - openssl req -newkey rsa:4096 - -nodes -sha512 -x509 - -days "{{ ispmail_certificate_days_valid }}" - -nodes - -subj "/C={{ ispmail_certificate_country }}/ST={{ ispmail_certificate_state }}/L={{ ispmail_certificate_location }}/O={{ ispmail_certificate_organisation }}/OU={{ ispmail_certificate_orgunit }}{% for domain in ispmail_certificate_domains %}/CN={{ domain }}{% endfor %}/emailAddress={{ ispmail_certificate_email }}" - -out /etc/ssl/certs/mailserver.pem - -keyout /etc/ssl/private/mailserver.pem - args: - creates: /etc/ssl/certs/mailserver.pem -- name: Restrict access permissions of the private key - file: path=/etc/ssl/private/mailserver.pem mode=0640 - diff --git a/roles/ispmail-database/files/schema.sql b/roles/ispmail-database/files/schema.sql deleted file mode 100644 index 7ba785c..0000000 
--- a/roles/ispmail-database/files/schema.sql
+++ /dev/null
@@ -1,24 +0,0 @@
-CREATE TABLE IF NOT EXISTS `virtual_domains` (
- `id` int(11) NOT NULL auto_increment,
- `name` varchar(50) NOT NULL,
- PRIMARY KEY (`id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `virtual_users` (
- `id` int(11) NOT NULL auto_increment,
- `domain_id` int(11) NOT NULL,
- `password` varchar(150) NOT NULL,
- `email` varchar(100) NOT NULL,
- PRIMARY KEY (`id`),
- UNIQUE KEY `email` (`email`),
- FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `virtual_aliases` (
- `id` int(11) NOT NULL auto_increment,
- `domain_id` int(11) NOT NULL,
- `source` varchar(100) NOT NULL,
- `destination` varchar(100) NOT NULL,
- PRIMARY KEY (`id`),
- FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/roles/ispmail-database/files/test.sql b/roles/ispmail-database/files/test.sql
deleted file mode 100644
index ded3208..0000000
--- a/roles/ispmail-database/files/test.sql
+++ /dev/null
@@ -1,26 +0,0 @@
-REPLACE INTO `mailserver`.`virtual_domains` (
- `id` ,
- `name`
-)
-VALUES (
- '1', 'example.org'
-);
-REPLACE INTO `mailserver`.`virtual_users` (
- `id` ,
- `domain_id` ,
- `password` ,
- `email`
-)
-VALUES (
- '1', '1', CONCAT('{PLAIN-MD5}', MD5( 'summersun' )) , 'john@example.org'
-);
-REPLACE INTO `mailserver`.`virtual_aliases` (
- `id`,
- `domain_id`,
- `source`,
- `destination`
-)
-VALUES (
- '1', '1', 'jack@example.org', 'john@example.org'
-);
-
diff --git a/roles/ispmail-database/tasks/main.yml b/roles/ispmail-database/tasks/main.yml
deleted file mode 100644
index 4288ceb..0000000
--- a/roles/ispmail-database/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: Installing required Python mysqldb module for Ansible to manage databases
- apt: pkg=python-mysqldb state=installed
-# - name: Creating my-cnf for root user
-# template: src=root-my-cnf.j2 dest=/root/.my.cnf mode=0600
-- name: creating mailserver MySQL database
- mysql_db: name=mailserver state=present
-- name: creating Roundcube MySQL database
- mysql_db: name=roundcube state=present
-- name: copying MySQL database schema to server
- copy: src=schema.sql dest=/tmp
-- name: setting up SQL schema of mailserver database
- mysql_db: name=mailserver state=import target=/tmp/schema.sql
-# - name: set the MySQL root user's password
- # mysql_user: name=root password={{ispmail_mysql_root_password}} state=present
-- name: creating MySQL user to read the mailserver database
- mysql_user: name=mailuser password={{ispmail_mysql_mailuser_password}} priv=mailserver.*:SELECT,INSERT,UPDATE,DELETE state=present
-- name: creating MySQL user for roundcube
- mysql_user: name=roundcube password={{ispmail_mysql_roundcube_password}} priv=roundcube.*:ALL state=present
-- name: copying MySQL test data to server
- copy: src=test.sql dest=/tmp
- when: ispmail_populate_test_data == true
-- name: populating the database with test data
- mysql_db: name=mailserver state=import target=/tmp/test.sql
- when: ispmail_populate_test_data == true
-# - name: set the MySQL root user's password
-# mysql_user: name=root password={{ispmail_mysql_root_password}} state=present
-# - name: Create root's .my.cnf
-# template: src=my-cnf.j2 dest=/root/.my.cnf mode=0600
diff --git a/roles/ispmail-database/templates/my-cnf.j2 b/roles/ispmail-database/templates/my-cnf.j2
deleted file mode 100644
index 0615332..0000000
--- a/roles/ispmail-database/templates/my-cnf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[client]
-password={{ispmail_mysql_root_password}}
diff --git a/roles/ispmail-dovecot/files/10-mail.conf b/roles/ispmail-dovecot/files/10-mail.conf
deleted file mode 100644
index 3ef99fc..0000000
--- a/roles/ispmail-dovecot/files/10-mail.conf
+++ /dev/null
@@ -1,382 +0,0 @@ -## -## Mailbox locations and namespaces -## - -# Location for users' mailboxes. The default is empty, which means that Dovecot -# tries to find the mailboxes automatically. This won't work if the user -# doesn't yet have any mail, so you should explicitly tell Dovecot the full -# location. -# -# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) -# isn't enough. You'll also need to tell Dovecot where the other mailboxes are -# kept. This is called the "root mail directory", and it must be the first -# path given in the mail_location setting. -# -# There are a few special variables you can use, eg.: -# -# %u - username -# %n - user part in user@domain, same as %u if there's no domain -# %d - domain part in user@domain, empty if there's no domain -# %h - home directory -# -# See doc/wiki/Variables.txt for full list. Some examples: -# -# mail_location = maildir:~/Maildir -# mail_location = mbox:~/mail:INBOX=/var/mail/%u -# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n -# -# -# -#mail_location = mbox:~/mail:INBOX=/var/mail/%u -mail_location = maildir:/var/vmail/%d/%n/Maildir - -# If you need to set multiple mailbox locations or want to change default -# namespace settings, you can do it by defining namespace sections. -# -# You can have private, shared and public namespaces. Private namespaces -# are for user's personal mails. Shared namespaces are for accessing other -# users' mailboxes that have been shared. Public namespaces are for shared -# mailboxes that are managed by sysadmin. If you create any shared or public -# namespaces you'll typically want to enable ACL plugin also, otherwise all -# users can access all the shared mailboxes, assuming they have permissions -# on filesystem level to do so. -namespace inbox { - # Namespace type: private, shared or public - #type = private - - # Hierarchy separator to use. You should use the same separator for all - # namespaces or some clients get confused. 
'/' is usually a good one. - # The default however depends on the underlying mail storage format. - #separator = - separator = . - - # Prefix required to access this namespace. This needs to be different for - # all namespaces. For example "Public/". - #prefix = - - # Physical location of the mailbox. This is in same format as - # mail_location, which is also the default for it. - #location = - - # There can be only one INBOX, and this setting defines which namespace - # has it. - inbox = yes - - # If namespace is hidden, it's not advertised to clients via NAMESPACE - # extension. You'll most likely also want to set list=no. This is mostly - # useful when converting from another server with different namespaces which - # you want to deprecate but still keep working. For example you can create - # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". - #hidden = no - - # Show the mailboxes under this namespace with LIST command. This makes the - # namespace visible for clients that don't support NAMESPACE extension. - # "children" value lists child mailboxes, but hides the namespace prefix. - #list = yes - - # Namespace handles its own subscriptions. If set to "no", the parent - # namespace handles them (empty prefix should always have this as "yes") - #subscriptions = yes - -# mailbox INBOX.Junk { -# auto = subscribe # autocreate and autosubscribe the Junk mailbox -# special_use = \Junk -# } -# mailbox INBOX.Trash { -# auto = subscribe # autocreate and autosubscribe the Trash mailbox -# special_use = \Trash -# } -} - -# Example shared namespace configuration -#namespace { - #type = shared - #separator = / - - # Mailboxes are visible under "shared/user@domain/" - # %%n, %%d and %%u are expanded to the destination user. - #prefix = shared/%%u/ - - # Mail location for other users' mailboxes. Note that %variables and ~/ - # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the - # destination user's data. 
- #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u - - # Use the default namespace for saving subscriptions. - #subscriptions = no - - # List the shared/ namespace only if there are visible shared mailboxes. - #list = children -#} -# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? -#mail_shared_explicit_inbox = no - -# System user and group used to access mails. If you use multiple, userdb -# can override these by returning uid or gid fields. You can use either numbers -# or names. -#mail_uid = -#mail_gid = - -# Group to enable temporarily for privileged operations. Currently this is -# used only with INBOX when either its initial creation or dotlocking fails. -# Typically this is set to "mail" to give access to /var/mail. -#mail_privileged_group = - -# Grant access to these supplementary groups for mail processes. Typically -# these are used to set up access to shared mailboxes. Note that it may be -# dangerous to set these if users can create symlinks (e.g. if "mail" group is -# set here, ln -s /var/mail ~/mail/var could allow a user to delete others' -# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). -#mail_access_groups = - -# Allow full filesystem access to clients. There's no access checks other than -# what the operating system does for the active UID/GID. It works with both -# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ -# or ~user/. -#mail_full_filesystem_access = no - -# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but -# soon intended to be used by METADATA as well. -#mail_attribute_dict = - -## -## Mail processes -## - -# Don't use mmap() at all. This is required if you store indexes to shared -# filesystems (NFS or clustered filesystem). -#mmap_disable = no - -# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL -# since version 3, so this should be safe to use nowadays by default. 
-#dotlock_use_excl = yes
-
-# When to use fsync() or fdatasync() calls:
-# optimized (default): Whenever necessary to avoid losing important data
-# always: Useful with e.g. NFS when write()s are delayed
-# never: Never use it (best performance, but crashes can lose data)
-#mail_fsync = optimized
-
-# Locking method for index files. Alternatives are fcntl, flock and dotlock.
-# Dotlocking uses some tricks which may create more disk I/O than other locking
-# methods. NFS users: flock doesn't work, remember to change mmap_disable.
-#lock_method = fcntl
-
-# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
-#mail_temp_dir = /tmp
-
-# Valid UID range for users, defaults to 500 and above. This is mostly
-# to make sure that users can't log in as daemons or other system users.
-# Note that denying root logins is hardcoded to dovecot binary and can't
-# be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
-#last_valid_uid = 0
-
-# Valid GID range for users, defaults to non-root/wheel. Users having
-# non-valid GID as primary group ID aren't allowed to log in. If user
-# belongs to supplementary groups with non-valid GIDs, those groups are
-# not set.
-#first_valid_gid = 1
-#last_valid_gid = 0
-
-# Maximum allowed length for mail keyword name. It's only forced when trying
-# to create new keywords.
-#mail_max_keyword_length = 50
-
-# ':' separated list of directories under which chrooting is allowed for mail
-# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
-# This setting doesn't affect login_chroot, mail_chroot or auth chroot
-# settings. If this setting is empty, "/./" in home dirs are ignored.
-# WARNING: Never add directories here which local users can modify, that
-# may lead to root exploit. Usually this should be done only if you don't
-# allow shell access for users.
-#valid_chroot_dirs =
-
-# Default chroot directory for mail processes. This can be overridden for
-# specific users in user database by giving /./ in user's home directory
-# (eg. /home/./user chroots into /home). Note that usually there is no real
-# need to do chrooting, Dovecot doesn't allow users to access files outside
-# their mail directory anyway. If your home directories are prefixed with
-# the chroot directory, append "/." to mail_chroot.
-#mail_chroot =
-
-# UNIX socket path to master authentication server to find users.
-# This is used by imap (for shared users) and lda.
-#auth_socket_path = /var/run/dovecot/auth-userdb
-
-# Directory where to look up mail plugins.
-#mail_plugin_dir = /usr/lib/dovecot/modules
-
-# Space separated list of plugins to load for all services. Plugins specific to
-# IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins =
-
-##
-## Mailbox handling optimizations
-##
-
-# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
-# also required for IMAP NOTIFY extension to be enabled.
-#mailbox_list_index = no
-
-# The minimum number of mails in a mailbox before updates are done to cache
-# file. This allows optimizing Dovecot's behavior to do less disk writes at
-# the cost of more disk reads.
-#mail_cache_min_mail_count = 0
-
-# When IDLE command is running, mailbox is checked once in a while to see if
-# there are any new mails or other changes. This setting defines the minimum
-# time to wait between those checks. Dovecot can also use dnotify, inotify and
-# kqueue to find out immediately when changes occur.
-#mailbox_idle_check_interval = 30 secs
-
-# Save mails with CR+LF instead of plain LF. This makes sending those mails
-# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
-# But it also creates a bit more disk I/O which may just make it slower.
-# Also note that if other software reads the mboxes/maildirs, they may handle
-# the extra CRs wrong and cause problems.
-#mail_save_crlf = no
-
-# Max number of mails to keep open and prefetch to memory. This only works with
-# some mailbox formats and/or operating systems.
-#mail_prefetch_count = 0
-
-# How often to scan for stale temporary files and delete them (0 = never).
-# These should exist only after Dovecot dies in the middle of saving mails.
-#mail_temp_scan_interval = 1w
-
-##
-## Maildir-specific settings
-##
-
-# By default LIST command returns all entries in maildir beginning with a dot.
-# Enabling this option makes Dovecot return only entries which are directories.
-# This is done by stat()ing each entry, so it causes more disk I/O.
-# (For systems setting struct dirent->d_type, this check is free and it's
-# done always regardless of this setting)
-#maildir_stat_dirs = no
-
-# When copying a message, do it with hard links whenever possible. This makes
-# the performance much better, and it's unlikely to have any side effects.
-#maildir_copy_with_hardlinks = yes
-
-# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
-# when its mtime changes unexpectedly or when we can't find the mail otherwise.
-#maildir_very_dirty_syncs = no
-
-# If enabled, Dovecot doesn't use the S= in the Maildir filenames for
-# getting the mail's physical size, except when recalculating Maildir++ quota.
-# This can be useful in systems where a lot of the Maildir filenames have a
-# broken size. The performance hit for enabling this is very small.
-#maildir_broken_filename_sizes = no
-
-# Always move mails from new/ directory to cur/, even when the \Recent flags
-# aren't being reset.
-#maildir_empty_new = no
-
-##
-## mbox-specific settings
-##
-
-# Which locking methods to use for locking mbox. There are four available:
-# dotlock: Create .lock file. This is the oldest and most NFS-safe
-# solution. If you want to use /var/mail/ like directory, the users
-# will need write access to that directory.
-# dotlock_try: Same as dotlock, but if it fails because of permissions or
-# because there isn't enough disk space, just skip it.
-# fcntl : Use this if possible. Works with NFS too if lockd is used.
-# flock : May not exist in all systems. Doesn't work with NFS.
-# lockf : May not exist in all systems. Doesn't work with NFS.
-#
-# You can use multiple locking methods; if you do the order they're declared
-# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
-# locking methods as well. Some operating systems don't allow using some of
-# them simultaneously.
-#
-# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
-# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
-# Dovecot: mbox_write_locks = dotlock fcntl
-# Debian: mbox_write_locks = fcntl dotlock
-#
-#mbox_read_locks = fcntl
-#mbox_write_locks = fcntl dotlock
-
-# Maximum time to wait for lock (all of them) before aborting.
-#mbox_lock_timeout = 5 mins
-
-# If dotlock exists but the mailbox isn't modified in any way, override the
-# lock file after this much time.
-#mbox_dotlock_change_timeout = 2 mins
-
-# When mbox changes unexpectedly we have to fully read it to find out what
-# changed. If the mbox is large this can take a long time. Since the change
-# is usually just a newly appended mail, it'd be faster to simply read the
-# new mails. If this setting is enabled, Dovecot does this but still safely
-# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
-# how it's expected to be. The only real downside to this setting is that if
-# some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
-# commands.
-#mbox_dirty_syncs = yes
-
-# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
-# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
-#mbox_very_dirty_syncs = no
-
-# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
-# commands and when closing the mailbox). This is especially useful for POP3
-# where clients often delete all mails. The downside is that our changes
-# aren't immediately visible to other MUAs.
-#mbox_lazy_writes = yes
-
-# If mbox size is smaller than this (e.g. 100k), don't write index files.
-# If an index file already exists it's still read, just not updated.
-#mbox_min_index_size = 0
-
-# Mail header selection algorithm to use for MD5 POP3 UIDLs when
-# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
-# algorithm, but it fails if the first Received: header isn't unique in all
-# mails. An alternative algorithm is "all" that selects all headers.
-#mbox_md5 = apop3d
-
-##
-## mdbox-specific settings
-##
-
-# Maximum dbox file size until it's rotated.
-#mdbox_rotate_size = 2M
-
-# Maximum dbox file age until it's rotated. Typically in days. Day begins
-# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
-#mdbox_rotate_interval = 0
-
-# When creating new mdbox files, immediately preallocate their size to
-# mdbox_rotate_size. This setting currently works only in Linux with some
-# filesystems (ext4, xfs).
-#mdbox_preallocate_space = no
-
-##
-## Mail attachments
-##
-
-# sdbox and mdbox support saving mail attachments to external files, which
-# also allows single instance storage for them. Other backends don't support
-# this for now.
-
-# Directory root where to store mail attachments. Disabled, if empty.
-#mail_attachment_dir =
-
-# Attachments smaller than this aren't saved externally. It's also possible to
-# write a plugin to disable saving specific attachments externally.
-#mail_attachment_min_size = 128k
-
-# Filesystem backend to use for saving attachments:
-# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
-# sis posix : SiS with immediate byte-by-byte comparison during saving
-# sis-queue posix : SiS with delayed comparison and deduplication
-#mail_attachment_fs = sis posix
-
-# Hash format to use in attachment filenames. You can add any text and
-# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
-# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
-#mail_attachment_hash = %{sha1}
diff --git a/roles/ispmail-dovecot/files/10-master.conf b/roles/ispmail-dovecot/files/10-master.conf
deleted file mode 100644
index ff5d9f8..0000000
--- a/roles/ispmail-dovecot/files/10-master.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-#default_process_limit = 100
-#default_client_limit = 1000
-
-# Default VSZ (virtual memory size) limit for service processes. This is mainly
-# intended to catch and kill processes that leak memory before they eat up
-# everything.
-#default_vsz_limit = 256M
-
-# Login user is internally used by login processes. This is the most untrusted
-# user in Dovecot system. It shouldn't have access to anything at all.
-#default_login_user = dovenull
-
-# Internal user is used by unprivileged processes. It should be separate from
-# login user, so that login processes can't disturb other processes.
-#default_internal_user = dovecot
-
-service imap-login {
- inet_listener imap {
- #port = 143
- }
- inet_listener imaps {
- #port = 993
- #ssl = yes
- }
-
- # Number of connections to handle before starting a new process. Typically
- # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
- # is faster.
- #service_count = 1
-
- # Number of processes to always keep waiting for more connections.
- #process_min_avail = 0
-
- # If you set service_count=0, you probably need to grow this.
- #vsz_limit = $default_vsz_limit
-}
-
-service pop3-login {
- inet_listener pop3 {
- #port = 110
- }
- inet_listener pop3s {
- #port = 995
- #ssl = yes
- }
-}
-
-service lmtp {
- unix_listener /var/spool/postfix/private/dovecot-lmtp {
- group = postfix
- mode = 0600
- user = postfix
- }
-
- # Create inet listener only if you can't use the above UNIX socket
- #inet_listener lmtp {
- # Avoid making LMTP visible for the entire internet
- #address =
- #port =
- #}
-}
-
-service imap {
- # Most of the memory goes to mmap()ing files. You may need to increase this
- # limit if you have huge mailboxes.
- #vsz_limit = $default_vsz_limit
-
- # Max. number of IMAP processes (connections)
- #process_limit = 1024
-}
-
-service pop3 {
- # Max. number of POP3 processes (connections)
- #process_limit = 1024
-}
-
-service auth {
- # auth_socket_path points to this userdb socket by default. It's typically
- # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
- # full permissions to this socket are able to get a list of all usernames and
- # get the results of everyone's userdb lookups.
- #
- # The default 0666 mode allows anyone to connect to the socket, but the
- # userdb lookups will succeed only if the userdb returns an "uid" field that
- # matches the caller process's UID. Also if caller's uid or gid matches the
- # socket's uid or gid the lookup succeeds. Anything else causes a failure.
- #
- # To give the caller full permissions to lookup all users, set the mode to
- # something else than 0666 and Dovecot lets the kernel enforce the
- # permissions (e.g. 0777 allows everyone full permissions).
- unix_listener auth-userdb {
- #mode = 0666
- #user =
- #group =
- }
-
- # Postfix smtp-auth
- unix_listener /var/spool/postfix/private/auth {
- mode = 0666
- user = postfix
- group = postfix
- }
-
- # Auth process is run as this user.
- #user = $default_internal_user
-}
-
-service auth-worker {
- # Auth worker process is run as root by default, so that it can access
- # /etc/shadow. If this isn't necessary, the user should be changed to
- # $default_internal_user.
- #user = root
-}
-
-service dict {
- # If dict proxy is used, mail processes should have access to its socket.
- # For example: mode=0660, group=vmail and global mail_access_groups=vmail
- unix_listener dict {
- #mode = 0600
- #user =
- #group =
- }
-}
diff --git a/roles/ispmail-dovecot/files/10-ssl.conf b/roles/ispmail-dovecot/files/10-ssl.conf
deleted file mode 100644
index 47ca04c..0000000
--- a/roles/ispmail-dovecot/files/10-ssl.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-##
-## SSL settings
-##
-
-# SSL/TLS support: yes, no, required.
-ssl = required
-
-# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
-# dropping root privileges, so keep the key file unreadable by anyone but
-# root. Included doc/mkcert.sh can be used to easily generate self-signed
-# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = See sieve_before fore executing scripts before the user's personal
- # script.
- #sieve_default = /var/lib/dovecot/sieve/default.sieve
-
- # Directory for :personal include scripts for the include extension. This
- # is also where the ManageSieve service stores the user's scripts.
- sieve_dir = ~/sieve
-
- # Directory for :global include scripts for the include extension.
- #sieve_global_dir =
-
- # Path to a script file or a directory containing script files that need to be
- # executed before the user's script. If the path points to a directory, all
- # the Sieve scripts contained therein (with the proper .sieve extension) are
- # executed. The order of execution within a directory is determined by the
- # file names, using a normal 8bit per-character comparison. Multiple script
- # file or directory paths can be specified by appending an increasing number.
- #sieve_before =
- #sieve_before2 =
- #sieve_before3 = (etc...)
-
- # Identical to sieve_before, only the specified scripts are executed after the
- # user's script (only when keep is still in effect!). Multiple script file or
- # directory paths can be specified by appending an increasing number.
- #sieve_after =
- #sieve_after2 =
- #sieve_after2 = (etc...)
- sieve_after = /etc/dovecot/sieve-after
-
- # Which Sieve language extensions are available to users. By default, all
- # supported extensions are available, except for deprecated extensions or
- # those that are still under development. Some system administrators may want
- # to disable certain Sieve extensions or enable those that are not available
- # by default. This setting can use '+' and '-' to specify differences relative
- # to the default. For example `sieve_extensions = +imapflags' will enable the
- # deprecated imapflags extension in addition to all extensions were already
- # enabled by default.
- #sieve_extensions = +notify +imapflags
-
- # Which Sieve language extensions are ONLY available in global scripts. This
- # can be used to restrict the use of certain Sieve extensions to administrator
- # control, for instance when these extensions can cause security concerns.
- # This setting has higher precedence than the `sieve_extensions' setting
- # (above), meaning that the extensions enabled with this setting are never
- # available to the user's personal script no matter what is specified for the
- # `sieve_extensions' setting. The syntax of this setting is similar to the
- # `sieve_extensions' setting, with the difference that extensions are
- # enabled or disabled for exclusive use in global scripts. Currently, no
- # extensions are marked as such by default.
- #sieve_global_extensions =
-
- # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
- # setting, the used plugins can be specified. Check the Dovecot wiki
- # (wiki2.dovecot.org) or the pigeonhole website
- # (http://pigeonhole.dovecot.org) for available plugins.
- # The sieve_extprograms plugin is included in this release.
- #sieve_plugins =
-
- # The separator that is expected between the :user and :detail
- # address parts introduced by the subaddress extension. This may
- # also be a sequence of characters (e.g. '--'). The current
- # implementation looks for the separator from the left of the
- # localpart and uses the first one encountered. The :user part is
- # left of the separator and the :detail part is right. This setting
- # is also used by Dovecot's LMTP service.
- #recipient_delimiter = +
-
- # The maximum size of a Sieve script. The compiler will refuse to compile any
- # script larger than this limit. If set to 0, no limit on the script size is
- # enforced.
- #sieve_max_script_size = 1M
-
- # The maximum number of actions that can be performed during a single script
- # execution. If set to 0, no limit on the total number of actions is enforced.
- #sieve_max_actions = 32
-
- # The maximum number of redirect actions that can be performed during a single
- # script execution. If set to 0, no redirect actions are allowed.
- #sieve_max_redirects = 4
-
- # The maximum number of personal Sieve scripts a single user can have. If set
- # to 0, no limit on the number of scripts is enforced.
- # (Currently only relevant for ManageSieve)
- #sieve_quota_max_scripts = 0
-
- # The maximum amount of disk storage a single user's scripts may occupy. If
- # set to 0, no limit on the used amount of disk storage is enforced.
- # (Currently only relevant for ManageSieve)
- #sieve_quota_max_storage = 0
-}
diff --git a/roles/ispmail-dovecot/files/auth-sql.conf.ext b/roles/ispmail-dovecot/files/auth-sql.conf.ext
deleted file mode 100644
index 4a0537b..0000000
--- a/roles/ispmail-dovecot/files/auth-sql.conf.ext
+++ /dev/null
@@ -1,31 +0,0 @@
-# Authentication for SQL users. Included from 10-auth.conf.
-#
-#
-
-passdb {
- driver = sql
-
- # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
- args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-#
-#userdb {
-# driver = prefetch
-#}
-
-userdb {
- driver = static
- args = uid=vmail gid=vmail home=/var/vmail/%d/%n
-}
-
-# If you don't have any user-specific settings, you can avoid the user_query
-# by using userdb static instead of userdb sql, for example:
-#
-#userdb {
- #driver = static
- #args = uid=vmail gid=vmail home=/var/vmail/%u
-#}
-
diff --git a/roles/ispmail-dovecot/files/spam-to-folder.sieve b/roles/ispmail-dovecot/files/spam-to-folder.sieve
deleted file mode 100644
index 83c050e..0000000
--- a/roles/ispmail-dovecot/files/spam-to-folder.sieve
+++ /dev/null
@@ -1,6 +0,0 @@
-require ["fileinto","mailbox"];
-
-if header :contains "X-Spam-Flag" "YES" {
- fileinto :create "INBOX.Junk";
- stop;
-}
diff --git a/roles/ispmail-dovecot/handlers/main.yml b/roles/ispmail-dovecot/handlers/main.yml
deleted file mode 100644
index 20efc03..0000000
--- a/roles/ispmail-dovecot/handlers/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: restart dovecot
- service: name=dovecot state=restarted
-- name: recompile sieve script
- command: sievec /etc/dovecot/sieve-after
-
diff --git a/roles/ispmail-dovecot/tasks/main.yml b/roles/ispmail-dovecot/tasks/main.yml
deleted file mode 100644
index 41bd456..0000000
--- a/roles/ispmail-dovecot/tasks/main.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-- name: Create the vmail group
- group: name=vmail gid=5000
-- name: Create the vmail user
- user: name=vmail uid=5000 group=vmail home=/var/vmail
-- name: Create mailbox directory
- file: path=/var/vmail state=directory owner=vmail group=vmail
-- name: Allow LOGIN authentication method for Outlook clients
- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^auth_mechanisms =' line='auth_mechanisms = {{ispmail_dovecot_auth_mechanisms}}' backrefs=yes
- notify: restart dovecot
-- name: Disabling system authentication
- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^!include auth-system.conf.ext' line='#!include auth-system.conf.ext' backrefs=yes
- notify: restart dovecot
-- name: Enabling SQL-based authentication
- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^\#!include auth-sql.conf.ext' line='!include auth-sql.conf.ext' backrefs=yes
- notify: restart dovecot
-- name: Copying SQL authentication configuration (auth-sql.conf.ext)
- copy: src=auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext
- notify: restart dovecot
-- name: Copying mailbox and namespace configuration (10-mail.conf)
- copy: src=10-mail.conf dest=/etc/dovecot/conf.d/10-mail.conf
- notify: restart dovecot
-- name: Copying service configuration (10-master.conf)
- copy: src=10-master.conf dest=/etc/dovecot/conf.d/10-master.conf
- notify: restart dovecot
-- name: Copying SSL configuration (10-ssl.conf)
- copy: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
- notify: restart dovecot
-- name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin)
- copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf
- notify: restart dovecot
-- name: Copying mailboxes configuration (15-mailboxes.conf - autocreate folders)
- copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf
- notify: restart dovecot
-- name: Copying SQL access configuration (dovecot-ssql.conf.ext)
- template: src=dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
- notify: restart dovecot
-- name: Fixing ownership and mode of dovecot.conf
- file: path=/etc/dovecot/dovecot.conf group=vmail mode=0644
- notify: restart dovecot
-- name: Fixing ownership and mode of dovecot-sql.conf.ext
- file: path=/etc/dovecot/dovecot-sql.conf.ext owner=root group=root mode=0640
- notify: restart dovecot
-- name: Create directory for global sieve-after scripts
- file: path=/etc/dovecot/sieve-after state=directory
-- name: Create global sieve-after script to send spam to its mail folder
- copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve-after/spam-to-folder.sieve
- notify: recompile sieve script
-- name: Copying Sieve plugin configuration (90-sieve.conf)
- copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf
- notify: restart dovecot
-
diff --git a/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 b/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2
deleted file mode 100644
index 9d044b7..0000000
--- a/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2
+++ /dev/null
@@ -1,147 +0,0 @@
-# This file is commonly accessed via passdb {} or userdb {} section in
-# conf.d/auth-sql.conf.ext
-
-# This file is opened as root, so it should be owned by root and mode 0600.
-#
-# http://wiki2.dovecot.org/AuthDatabase/SQL
-#
-# For the sql passdb module, you'll need a database with a table that
-# contains fields for at least the username and password. If you want to
-# use the user@domain syntax, you might want to have a separate domain
-# field as well.
-#
-# If your users all have the same uig/gid, and have predictable home
-# directories, you can use the static userdb module to generate the home
-# dir based on the username and domain. In this case, you won't need fields
-# for home, uid, or gid in the database.
-#
-# If you prefer to use the sql userdb module, you'll want to add fields
-# for home, uid, and gid. Here is an example table:
-#
-# CREATE TABLE users (
-# username VARCHAR(128) NOT NULL,
-# domain VARCHAR(128) NOT NULL,
-# password VARCHAR(64) NOT NULL,
-# home VARCHAR(255) NOT NULL,
-# uid INTEGER NOT NULL,
-# gid INTEGER NOT NULL,
-# active CHAR(1) DEFAULT 'Y' NOT NULL
-# );
-
-# Database driver: mysql, pgsql, sqlite
-#driver =
-
-# Database connection string. This is driver-specific setting.
-#
-# HA / round-robin load-balancing is supported by giving multiple host
-# settings, like: host=sql1.host.org host=sql2.host.org
-#
-# pgsql:
-# For available options, see the PostgreSQL documention for the
-# PQconnectdb function of libpq.
-# Use maxconns=n (default 5) to change how many connections Dovecot can
-# create to pgsql.
-#
-# mysql:
-# Basic options emulate PostgreSQL option names:
-# host, port, user, password, dbname
-#
-# But also adds some new settings:
-# client_flags - See MySQL manual
-# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-# ssl_cert, ssl_key - For sending client-side certificates to server
-# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
-# ssl_verify_server_cert - Verify that the name in the server SSL certificate
-# matches the host (default: no)
-# option_file - Read options from the given file instead of
-# the default my.cnf location
-# option_group - Read options from the given group (default: client)
-#
-# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
-# Note that currently you can't use spaces in parameters.
-#
-# sqlite:
-# The path to the database file.
-#
-# Examples:
-# connect = host=192.168.1.1 dbname=users
-# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
-# connect = /etc/dovecot/authdb.sqlite
-#
-#connect =
-
-# Default password scheme.
-#
-# List of supported schemes is in
-# http://wiki2.dovecot.org/Authentication/PasswordSchemes
-#
-#default_pass_scheme = MD5
-
-# passdb query to retrieve the password. It can return fields:
-# password - The user's password. This field must be returned.
-# user - user@domain from the database. Needed with case-insensitive lookups.
-# username and domain - An alternative way to represent the "user" field.
-#
-# The "user" field is often necessary with case-insensitive lookups to avoid
-# e.g. "name" and "nAme" logins creating two different mail directories. If
-# your user and domain names are in separate fields, you can return "username"
-# and "domain" fields instead of "user".
-#
-# The query can also return other fields which have a special meaning, see
-# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
-#
-# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
-# for full list):
-# %u = entire user@domain
-# %n = user part of user@domain
-# %d = domain part of user@domain
-#
-# Note that these can be used only as input to SQL query. If the query outputs
-# any of these substitutions, they're not touched. Otherwise it would be
-# difficult to have eg. usernames containing '%' characters.
-#
-# Example:
-# password_query = SELECT userid AS user, pw AS password \
-# FROM users WHERE userid = '%u' AND active = 'Y'
-#
-#password_query = \
-# SELECT username, domain, password \
-# FROM users WHERE username = '%n' AND domain = '%d'
-
-# userdb query to retrieve the user information. It can return fields:
-# uid - System UID (overrides mail_uid setting)
-# gid - System GID (overrides mail_gid setting)
-# home - Home directory
-# mail - Mail location (overrides mail_location setting)
-#
-# None of these are strictly required. If you use a single UID and GID, and
-# home or mail directory fits to a template string, you could use userdb static
-# instead. For a list of all fields that can be returned, see
-# http://wiki2.dovecot.org/UserDatabase/ExtraFields
-#
-# Examples:
-# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
-# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
-# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
-#
-#user_query = \
-# SELECT home, uid, gid \
-# FROM users WHERE username = '%n' AND domain = '%d'
-
-# If you wish to avoid two SQL lookups (passdb + userdb), you can use
-# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
-# also have to return userdb fields in password_query prefixed with "userdb_"
-# string. For example:
-#password_query = \
-# SELECT userid AS user, password, \
-# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
-# FROM users WHERE userid = '%u'
-
-# Query to get a list of all usernames.
-#iterate_query = SELECT username AS user FROM users
-
-driver = mysql
-connect = host=127.0.0.1 dbname=mailserver user=mailuser password={{ispmail_mysql_mailuser_password}}
-default_pass_scheme = SHA256-CRYPT
-password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
-
diff --git a/roles/ispmail-packages/tasks/main.yml b/roles/ispmail-packages/tasks/main.yml
deleted file mode 100644
index e597603..0000000
--- a/roles/ispmail-packages/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: install required binary packages
- apt: name={{item}} state=installed update_cache=yes
- with_items:
- - mysql-server
- - postfix
- - postfix-mysql
- - swaks
- - dovecot-mysql
- - dovecot-pop3d
- - dovecot-imapd
- - dovecot-lmtpd
- - dovecot-managesieved
- - phpmyadmin
- - spamass-milter
- - spamassassin
- - pwgen
- - patch
-- name: purge Exim installation
- apt: name={{item}} state=absent purge=yes
- with_items:
- - exim4
- - exim4-base
- - exim4-config
- - exim4-daemon-light
-
-- name: make sure mysql-server is started
- service: name=mysql enabled=yes state=started
-
diff --git a/roles/ispmail-postfix/files/etc-default-spamassassin b/roles/ispmail-postfix/files/etc-default-spamassassin
deleted file mode 100644
index aa63eff..0000000
--- a/roles/ispmail-postfix/files/etc-default-spamassassin
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/default/spamassassin
-# Duncan Findlay
-
-# WARNING: please read README.spamd before using.
-# There may be security risks.
-
-# If you're using systemd (default for jessie), the ENABLED setting is
-# not used. Instead, enable spamd by issuing:
-# systemctl enable spamassassin.service
-# Change to "1" to enable spamd on systems using sysvinit:
-ENABLED=0
-
-# Options
-# See man spamd for possible options. The -d option is automatically added.
-
-# SpamAssassin uses a preforking model, so be careful! You need to
-# make sure --max-children is not set to anything higher than 5,
-# unless you know what you're doing.
-
-OPTIONS="--create-prefs --max-children 5 --helper-home-dir -x -u vmail"
-
-# Pid file
-# Where should spamd write its PID to file? If you use the -u or
-# --username option above, this needs to be writable by that user.
-# Otherwise, the init script will not be able to shut spamd down.
-PIDFILE="/var/run/spamd.pid"
-
-# Set nice level of spamd
-#NICE="--nicelevel 15"
-
-# Cronjob
-# Set to anything but 0 to enable the cron job to automatically update
-# spamassassin's rules on a nightly basis
-CRON=1
-
diff --git a/roles/ispmail-postfix/files/spamassassin.patch b/roles/ispmail-postfix/files/spamassassin.patch
deleted file mode 100644
index 825f989..0000000
--- a/roles/ispmail-postfix/files/spamassassin.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- /usr/share/perl5/Mail/SpamAssassin/Util.pm.orig 2014-08-22 00:08:39.185602751 +0200
-+++ /usr/share/perl5/Mail/SpamAssassin/Util.pm 2014-08-22 00:09:18.330883723 +0200
-@@ -285,7 +285,7 @@
- my $r = ref $_[0];
- if (!$r) {
- no re 'taint'; # override a "use re 'taint'" from outer scope
-- return if !defined $_[0];
-+ return undef if !defined $_[0];
- local($1); # avoid Perl taint bug: tainted global $1 propagates taintedness
- $_[0] =~ /^(.*)\z/s;
- return $1;
diff --git a/roles/ispmail-postfix/handlers/main.yml b/roles/ispmail-postfix/handlers/main.yml
deleted file mode 100644
index fd520ac..0000000
--- a/roles/ispmail-postfix/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: restart postfix
- service: name=postfix state=restarted
-
-- name: restart spamassassin
- service: name=spamassassin state=restarted
-
diff --git a/roles/ispmail-postfix/tasks/main.yml b/roles/ispmail-postfix/tasks/main.yml
deleted file mode 100644
index 5b7c357..0000000
--- a/roles/ispmail-postfix/tasks/main.yml
+++ /dev/null
@@ -1,90 +0,0 @@
----
-- name: define Postfix virtual mailbox domain mapping
- template: src=mysql-virtual-mailbox-domains.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-domains.cf
- notify: restart postfix
-- name: tell Postfix to use the virtual mailbox domain mapping
- command: postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
-
-- name: define Postfix virtual mailbox mapping
- template: src=mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf
- notify: restart postfix
-- name: tell Postfix to use the virtual mailbox mapping
- command: postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
-
-- name: define Postfix virtual alias mapping
- template: src=mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf
- notify: restart postfix
-- name: tell Postfix to use the virtual alias mapping
- command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf
-
-- name: define Postfix email-to-email mapping (required for catchall domains)
- template: src=mysql-email2email.cf.j2 dest=/etc/postfix/mysql-email2email.cf
- notify: restart postfix
-- name: tell Postfix to use the email-to-email mapping
- command: postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
-
-- name: Restricting access to database mapping files that contain a password
- file: path=/etc/postfix/mysql-{{item}}.cf mode=0640
- with_items:
- - virtual-mailbox-domains
- - virtual-mailbox-maps
- - virtual-alias-maps
-
-- name: Make Postfix use LMTP to send emails to Dovecot
- command: postconf virtual_transport=lmtp:unix:private/dovecot-lmtp
-
-- name: Restricting delivery to Dovecot to one email at a time
- command: postconf dovecot_destination_recipient_limit=1
-
-- name: Setting SMTP authentication type to dovecot
- command: postconf smtpd_sasl_type=dovecot
-
-- name: Setting SMTP authentication path/socket
- command: postconf smtpd_sasl_path=private/auth
-
-- name: Enabling SMTP authentication
- command: postconf smtpd_sasl_auth_enable=yes
-
-- name: Setting SMTP encryption security level
- command: postconf smtpd_tls_security_level=may
-
-- name: Setting SMTP encryption security level
- command: postconf smtpd_tls_security_level=may
-
-- name: Enforce SMTP encryption
- command: postconf smtpd_tls_auth_only=yes
-
-- name: Set TLS encryption certificate
- command: postconf smtpd_tls_cert_file=/etc/ssl/certs/mailserver.pem
-
-- name: Set TLS encryption key
- command: postconf smtpd_tls_key_file=/etc/ssl/private/mailserver.pem
-
-- name: Copying patch for Debian bug 739738
- copy: src=spamassassin.patch dest=/tmp/spamassassin.patch
-
-- name: Patching Debian bug 739738
- patch: src=/tmp/spamassassin.patch strip=0 basedir=/ remote_src=True
-
-- name: Enabling Spamassassin milter
- command: postconf smtpd_milters=unix:/spamass/spamass.sock
-
-- name: Configuring Spamassassin milter
- command: postconf milter_connect_macros="i j {daemon_name} v {if_name} _"
-
-- name: Setting spamd options
- copy: src=etc-default-spamassassin dest=/etc/default/spamassassin
- notify: restart spamassassin
-
-- name: Adding user spamass-milter to debian-spamd group
- user: name=spamass-milter groups=debian-spamd
- notify: restart spamassassin
-
-- name: Enabling spamd at startup
- command: systemctl enable spamassassin
-
-- name: Allow emails up to 40 MB large
- command: postconf message_size_limit=41943040
-
-- name: Make Postfix listen on all interfaces
- command: postconf inet_interfaces=all
diff --git a/roles/ispmail-postfix/templates/mysql-email2email.cf.j2 b/roles/ispmail-postfix/templates/mysql-email2email.cf.j2
deleted file mode 100644
index 0d6ea98..0000000
--- a/roles/ispmail-postfix/templates/mysql-email2email.cf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
-hosts = 127.0.0.1
-dbname = mailserver
-query = SELECT email FROM virtual_users WHERE email='%s'
diff --git a/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2 b/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
deleted file mode 100644
index ba49b2f..0000000
--- a/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
-hosts = 127.0.0.1
-dbname = mailserver
-query = SELECT destination FROM virtual_aliases WHERE source='%s'
diff --git a/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2 b/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
deleted file mode 100644
index 443f77c..0000000
--- a/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
-hosts = 127.0.0.1
-dbname = mailserver
-query = SELECT 1 FROM virtual_domains WHERE name='%s'
diff --git a/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2 b/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
deleted file mode 100644
index 0207bbb..0000000
--- a/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
-hosts = 127.0.0.1
-dbname = mailserver
-query = SELECT 1 FROM virtual_users WHERE email='%s'
diff --git a/roles/ispmail-webmail-apache/handlers/main.yml b/roles/ispmail-webmail-apache/handlers/main.yml
deleted file mode 100644
index 3a5124c..0000000
--- a/roles/ispmail-webmail-apache/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: restart apache
- service: name=apache2 state=restarted
-
diff --git a/roles/ispmail-webmail-apache/tasks/main.yml b/roles/ispmail-webmail-apache/tasks/main.yml
deleted file mode 100644
index 8d3bd1a..0000000
--- a/roles/ispmail-webmail-apache/tasks/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-- name: Install required binary packages
- apt: name={{item}} state=installed
- with_items:
- - apache2
- - libapache2-mod-php5
- notify: restart apache
-- name: Create Apache vhost configuration for HTTPS (RoundCube and PHPmyadmin)
- template: src=webmail.conf-443.j2 dest=/etc/apache2/sites-available/default-ssl.conf
- notify: restart apache
-- name: Enable Apache vhost for HTTPS
- command: /usr/sbin/a2ensite default-ssl creates=/etc/apache2/sites-enabled/default-ssl.conf
- notify: restart apache
-- name: Create Apache vhost configuration for HTTP (redirect to HTTPS)
- template: src=webmail.conf-80.j2 dest=/etc/apache2/sites-available/000-default.conf
- notify: restart apache
-- name: Enable Apache SSL module
- command: /usr/sbin/a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.conf
- notify: restart apache
diff --git a/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2 b/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2
deleted file mode 100644
index 6019705..0000000
--- a/roles/ispmail-webmail-apache/templates/webmail.conf-443.j2
+++ /dev/null
@@ -1,139 +0,0 @@ - - - ServerAdmin {{ ispmail_postmaster_address }} - ServerName {{ ispmail_webmail_hostname }} - - Include /etc/roundcube/apache.conf - Alias / /var/lib/roundcube/ - - # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, - # error, crit, alert, emerg. - # It is also possible to configure the loglevel for particular - # modules, e.g. - #LogLevel info ssl:warn - - ErrorLog ${APACHE_LOG_DIR}/webmail.error.log - CustomLog ${APACHE_LOG_DIR}/webmail.access.log combined - - # For most configuration files from conf-available/, which are - # enabled or disabled at a global level, it is possible to - # include a line for only one particular virtual host. For example the - # following line enables the CGI configuration for this host only - # after it has been globally disabled with "a2disconf". - #Include conf-available/serve-cgi-bin.conf - - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/ssl/certs/mailserver.pem - SSLCertificateKeyFile /etc/ssl/private/mailserver.pem - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. 
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/ssl/certs/ - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl/ - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. 
- # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - BrowserMatch "MSIE [2-6]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - # MSIE 7 and newer should be able to use keepalive - BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown - - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet - diff --git a/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 b/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 deleted file mode 100644 index 59589bc..0000000 --- a/roles/ispmail-webmail-apache/templates/webmail.conf-80.j2 +++ /dev/null @@ -1,6 +0,0 @@ - - ServerAdmin {{ ispmail_postmaster_address }} - ServerName {{ ispmail_webmail_hostname }} - - Redirect permanent / https://{{ ispmail_webmail_hostname}}/ - 
diff --git a/roles/ispmail-webmail/files/ispmail-logo.png b/roles/ispmail-webmail/files/ispmail-logo.png deleted file mode 100644 index 062946db20523bbe678b56a54fc52c8c3db3567b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7202 zcmYjWbx<5nu-@Zv2u^Sb8r*|RkPw1~1a}MW?niKU3GM`!!#%hJ4GzIwFSzsWSMUAt zdTVy3W@~3^X1c%rx+h#kN%j>wDLMcEujD>TtHSGAc;P}thQE`4e58O^$j0)r(!k4q zPi{v^BD@F9;iHx_0AS$%S3p2|CNaDd#YIk024xK$371r0p2U0<0LZH4q~Cw_SUS=5 z)J)X4_QS`Mlw3eWlKwt|<%&WiEu>bejZ~r2U~;r%Wo=DSueR)X@RMRnh+Sys(o`v9Adwcd3NUB9c8{?%ks^t^MvO_2T@Ig zT7@xTxn@7JdhP!;fC(rFa6q62PnuGYmWxz7{4AlpTuQ(Oael}~ z21-B`$T;BKi!;YK5B1DP_5f>C1yap{Zh3i~)?zwL2swlTQjYsYOx(c0QCZdJqA*ld zTNvp6_^Ao#Rs%GK)@*>0wO&YGwASx>DCU2^G8o^qPs4BYqjEKuu(11`;zQQZRRri0t5qnJ>(r(enoi4*WY4pLuE>F zR_vp@i~$LIR7Y8-gdEK{BSCh>Yjqu8b@!=&e`y-B?Z22{c7L;=AjTMdFFbN@0OF*A z0FXG%5A2}gbWIVq1D;qP4(c3|^DI0_gpXaLp$|ET_xCf5gQ@nN-=v4^W2krui+UBYJ^ZBvZ{ST=$(=+2miufp3jnKE@lFfD4VkZMd2>jaXUKrP{|% zcN)Vva2&!RF65vqC3MOqTaXf55hJZs)f=W*! zEsCTsMxr~1hl-gZt}>b)BEoE}$UBo@AvJ=dYWDBdh|ybEompvVoke8tBT--)1qKnI zC;o5@{e0GOvr5j-&mWtfo*q%D)Aal_%F!hvtKUuu`9oyj!}WcpjqiZn)*Z#$OLHo~Zeo%#OTXHi zx}1Z9qsv+D88(0xy0n?85;FD2ObwwKah)4<%{RU4hMi6J<4SJ`Ku47z1w?3gbd(^* zQk_I#2Wt6v@DIQZaY%P00V+=|KhKM6{p;OVi4g~SS7989i?@*qU`?4Nnj%WUQrTrC zao7#ru@xQiIxZ0rk>mbk9)+8mTVus{)zYv1eSJO-*T;)GrXsDJn9l997&{IFpk`&( zobOSQOn1MO-X6Ncj-}8j_6>v*eJuWrxR)TyC_NZW9_1+IKA!I3mMT@UTKr`G$=2c8 zc=ukttgXG4J82!*e)@)g6X<)Y)1$Nib}%R2{T>err&*th55NZ;7`okK!^6?CxJ(8{ z0|Ej>;nId0EGZly(XCNFtDXF*sH(KIl!cj@dGz=1_FCKJ#*3?~tNx_m*~C`ilHy`^ zg2?{PEFsr(7gtwT+;C}0_>X)4JanT!{Hahc=ZlVxo<2W6FU!o#e9RJd*Z(~>=KGOB zi|q$_#0xGpMu}3EP!cjH0H3jqf6d2vXc1~ol_1ud26MDE^2DNUU(4M<0=%YQNCdg< zHg}wvN`D-nFkX{$o?4j8ouN@o%A#aTEObGY?Om=9qMuD(5IGf+wO2j5is>}8-S*n` zrlP;BTFGolqBFW8=XQRKn*Wj_fGR=V%Q+YYxpkE+oxwE}0PmAhQ2h1Z8i;njzdXRV zu{=^^PG;ukzu5}_qg2s!TQhLvGxlE{aFfe<2d)qNzZP103`@Mn~of&4d z^vj3ybsfEeuzK_L%rJeoGvd1MdUpVJiDJgPUKon^_3_={N{cggyuX_{@we1?_jefG 
zig+L8#%d5xfwJd%FIlIV^2AMTzPPE>vG9|N=Gwe*>!l?F^jid@1$)jP8CUnaK9;tY zmOCAou8yZ9dxt3Vfg~N-J3sk=X;4%?N~|k(RCro5nj0MimL}?b%_1i!XT1bA1ZtpA zD1NxK-rJWS%E`-OP8ow+A7o@+3ArB57?_xtpd_YlNN7>VfSycE=pZ{JXbLUJFN09( zect}-wDMHz^#^{i3YD18Em4E^6TxlLr=t7r0I){*QD2(o>R3a3N&tW}&EKColQuSV>P`M zgq#cr=UJ!_c?k)~OR-|cYe4}4)SM#M@bK`#QtBwFDd`D1xOO=$wK(q?=c()~s-p>` zzqNre(Va9gN|;k|?TkX72vh=!7uJmemBsk%$Z3Jy&+n_lBB;oJ-oCe>3!6<;lg`e} z^l_gpQ`7k*FVFIoIk~a9x!LCKd?#Z9u9G=^#6lQpSdqGDfYAJSw&;>7PB=w@y1k%} z?y3q&!u3i1Q5XFSMs7Pyd!+Lz=h9!U{PS-dVF3f0@=;f*oHP?-b*MrR4n$s3vWL#x z+#E$auekU_i|f(csQGwiOLA(eMjqU{_4W1L-oJm(E)|M(6%!GGzQ5MxAE(P+yx z@z&C=BJT*Cd-wq=seq7g0v0&urHxYoMboIG2!U(puO#gMe26Q{7tm`|Bn8fcf`Wd- z3yo?Fo&+CZ-;!(G8rA9g0#i=!Mo^mSA;s&f4=%@4vDr#@dq@3(CH}Aj3ef|kKn*Pe zx4n`?g9)_RpN00zXeVdB={5EShSe~3`*s@KCM09$nOFcKz{*;Ylh>nT-{HEuJ)HQX z52YNO%gW3=O+-kzm?_}+9i@9NVtyQZ@18MEuP zZnwktjEsmw--n-uMpE+VgS2!ISU{3BCk2=d&@@LGIsf+)ZM2RNojJU_2=A37v-Uh* z$6!!Hp4MwOGo!)bfErQuJ~cc%L+7_~%tL2n!?d(76MP#H#9Ny=sdE_Eu~D4})HAx1 zch7ZQuf|72-06MSHq)5Or^it#bY(kHFRch-CrVB|bk;Q01b+1H%ykIb--$DJJxy^s z2-p+-?YiKYKD7>^ZlsIs15-P=y4n)r?rm@Ls?KQO6DriSbHg?3c_^ONiaEm+twcxG zqwf;}fq931EPUUchlhuGEM>x_r;|6^GC&KmA3h+%@m?AcE}q`r?#^)ZbaZsY#Xv;R zp^P;zP%WK-_q@{5(sG}#&`QkC%F-L%yRc1R)tYu+X?8Svets5HQc}Va%Bs?0NMxcE z^U+L7PxrdJm=G72L69RukRUub>hfGYS#FBOMn@;z+}PMSIy_uj{PpXXJ~a-Ek2G3| zJ(VRQGE$yHx7ooJZVaWQ(Zx|Utg(wQ5G2hgjrPO$MlR&?g^Q2aKvm!iEWPM7U@u0B zw#7#f(Yq6mD{8jpUuATO{Oo!g=`G{hh5m|O4SoHmapAKHWktmf zNp&VRrrsQ*G&))n?&KLud6&+2`8=uZ+s52nO9%&F0hAlcF5mH~e%t0ElVtCw>G5PL zrOdtKjR*Oa!NKp@T)5Lcko}CazXB~=O5;EN767RCul#ma82uFq7SV#FFkQtx_Zq$+ zHC20qJcc=Icx1t~odvDM#l>pr4ww5=V!^?|7&pg@JO%D&s~f;0a0|fbgk<^pP>c)cEyKc2%utNVTm|y_Hj>(zuS@Lp=pgL$B>P)#Iz@|_$uHlmQ`g{wXHRGFS9c3MzWy*j5{#6q* zza}C|-8>*D|7;-6%X|4VG4ankc+VL8W66$_CrepbMTNrMlq^-z!|m-cZxInbKF{xN zJZRgH>3o%58>|;woIH)kd^`mPgCWYw4!YXe*%^#wi$2)E?Z3POBo%^rpq$*#6K`vc zjbf7!i8Lwhv+xrgOFOT@v5Wnf8 zA~#lpndcgnwqOM}o8tzV4`u4h!M(5C+OtbrxxHb|FayIW{(O0TO~PdxVVLJ@ZDV>M 
zT7iLuMA+>(eS3R*$Is7Cj6rsIAmk66??C*X?vZ}yi2JWh7s64ZlZAYnXBEMbiju8%Awz{94nsB~Z%yLb~7Jr0^K$hvigQ~XYaIh2&?X6vd znok&ln|cE4dUhGyWi>Z&fNLhs#plJu>ysf&-UPHz zm_5Os@y_q|6> z*x1`^;(7DtP4GE%`S%$QCQom|I3XcnGMip2Z?ZAELJM949cKbqGy)X&-EgJL)k}I(`oVy8UCY)a0WcdrhK zi(c;K`FNX8keg$#sfJj7OE04m7$PfwKu81RgI8l{!=bgYIOI*8|(P*j#`qxV3ZMYUSgv2-?X%F{^BtYS&DZK`|_j>pWaa~e7TsSD)6~}&eRy+ zaA;?>sm@<_Q^$eu40P6CMrCE^k1R+i&#kQJHd+2Dj)2qrEH@{oLvH)k_V=~5wSm38 zy-&lDo}Ypw^G?dt${Auvcy`6i!k2A5c}W$WwY9Yedf=$P+UCxYV+t)ylCi<)JAVGg z2dLTFR?eX2E+i6Ye^QJdsYt?K|fa z$Mp?nYQECtK8SW4q%Zv9ce~L31Aox}<|Q+Hnz%H8K z{OP?gLjk>(l(W|*14F7zVe3G4*$n)%Z4o3Em z1`Ro!p|JUa7O=v?=EUVL-*Ue^u6pPhJ&(yr#`}JruH})H^t#G`5VlV?JPpKSeSJ=q%oZkv5Axm_6-<I=SAwht+}Nm+QfyKC628H}a!--QF0Cp?BXLl4g9 z=I3v!03VtyX*;g0tO&&?E6s$+kfQ=wqOD8`*vAXPwjQzi!FT*9%D&ci=M8OyD{=Zy z3|mMBWhT8_NXNnnUhl7)-@r0nQJJTE+ow(xyMP?Z*+?g*JMe8_oAqX+DI0L&du3^9 zshG4jbU&h7SJ(#N#FFq7&th6zSs8!H8zbnl;uRW5{AwepJzX-!>AQcaRk;K`obnF! zl+2qPA1Z7J*h$Uc{N_R&aXn+noBpkL!32)IdGIx}^(0<)B{X~22Z6dDz97p2FgMpD zCwitU)$lgidAY8gUe8tPxQ7*~XMnhlgocKsbacMRiC_q{IbR*l zI%O#hI=j1{S@pnOpsz`wQZhVhAXCjenyVz+Iz6pYfK%U<4sQ*t+~33<$hpfk8XxRd z8_q1qyGg><^qURrUgpjumr6(Ip#~=n99MQ|siVon%)^xYyBovd$K|^c75pY7w}AA2 z<1xLC%mS!6Icv-f4Gkx*>$NM@t@-U%JfbvF=$V>YDsu_g$U+uM*bE(6wXC8QzVFSN zD7%z{hS1T`PeVgP#T)ean3+c|9`7#fH919Ce@xWYh*^IA{JFNg+?pe>FI);9@kS-H zXei-C_7_AaO?AgC_Sf_HqhGtdMMXQw5HUK`nHG;CW;YtcK8*`(yzf)hpZ%MPR!_%55TN|nu8T`f1+znu1k zWc}T>$xYrKK=Vp zpkK`|L!0+hK=X?DJKT@Za zhYD5Sk=;x7&5Q3h4BL+jWjnIdH&SyP8HB7Eh`4^02n*CHmZ;!LK{Bco)K=np3s;FJ z>n~rv_OB-R}|+UDc)kHuV*w~W;G0oPL>+1bF?e%8k!37^Ye*qsphK@VYJzu zZznOj2>@XhmJutg)2FWY(Bfz^3d&7E&IO&{eNm`gohG9O%4;LTO0yRA8mR0-bOO&l zPmLha@_y8Z51nOS6wWq5QfGTpV!Hd7{YZM~z z;OV)uv-7X0h{y^#1qB5n0w`y6$7#sXR}C(Da3whSw>4Pp^K>=e#f|wzai9C$`ug|d zE=?7dM0eNAs-v=kn`S=|#ZXnzUhwS%bpjylxx>GAPVy+V`Ats4UB5D^h+ zU07a@w6V3dbrH(aFP}X$<^E9zpSl!oaIJ-fh1BrGtaWe5s{>P~i+|hb!7e;k|2_gI zT&6>D>+n3>yrh&ASVUA*I8vIXtw1*RG!35GYVvS0JA$H8Nl^8C!=&qU!6B2lxNGbO zhf41ZDy8M4Qi&++Pc>w0d#=QdMAUuhML~*2MSUflRrBCM0L1IBWr}ju9mxZ32%4to 
zeZ}m`M(+oajgATBV}k7PHx9tD#|cVQPey;*RqJh1=5c+!5n9JB9yVW-B!jpI@fK8h zb4#Bs!m8xST$^NLU84m|@oIHsvnHK*M^cQH7o_7ixQZCKwH7ZMGQ#gQstK_KVdSg}XGzqLf1clQUQymN&1z%%Bt~hH4<1w}9T&UTRIsao#$YtXgr^EjsAQsv$NpVmzz7!50;dMh+(V2G^+|{| z_4L#>T3){XTI6ARnelD&z4|J$nCds7OVgWxfpidwc?-QsSj<1@jJd~ED%NgwtrzYzVYdnp-=}@Uh>!P9 zMBl`s+Rr_IuuomKQ)Ifh#2~J%lC6tF7(_;PIDvh@MqJl%G0uR`{nZgvm&ID{_1N^YOCe=oOiS6d=Mm3<(Mw72b+uOH*!_Ie!mka# z?NM5)53%82g0N!<{O|fB5|Ro7p~KP&V4T0JsV}S=#~EJw(tjzmzR4anxclgv`gWN+ zBErxiML+_~lm#SJDRjKYVMtj1NEFVvQ9X|!AcL@oJ7@HNmt+6$o($gXvcK~WY>7@z UqxNEl-{t{wGD^}_l7`>^2Ur;a>i_@% diff --git a/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php b/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php deleted file mode 100644 index cc53cb0..0000000 --- a/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php +++ /dev/null 
@@ -1,101 +0,0 @@ -// Taken from /usr/share/roundcube/plugins/managesieve/config.inc.php.dist - array( -// 'verify_peer' => true, -// 'verify_depth' => 3, -// 'cafile' => '/etc/openssl/certs/ca.crt', -// ), -// ); -$config['managesieve_conn_options'] = null; - -// default contents of filters script (eg. default spam filter) -$config['managesieve_default'] = '/etc/dovecot/sieve/global'; - -// The name of the script which will be used when there's no user script -$config['managesieve_script_name'] = 'managesieve'; - -// Sieve RFC says that we should use UTF-8 endcoding for mailbox names, -// but some implementations does not covert UTF-8 to modified UTF-7. -// Defaults to UTF7-IMAP -$config['managesieve_mbox_encoding'] = 'UTF-8'; - -// I need this because my dovecot (with listescape plugin) uses -// ':' delimiter, but creates folders with dot delimiter -$config['managesieve_replace_delimiter'] = ''; - -// disabled sieve extensions (body, copy, date, editheader, encoded-character, -// envelope, environment, ereject, fileinto, ihave, imap4flags, index, -// mailbox, mboxmetadata, regex, reject, relational, servermetadata, -// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. -// Note: not all extensions are implemented -$config['managesieve_disabled_extensions'] = array(); - -// Enables debugging of conversation with sieve server. Logs it into /sieve -$config['managesieve_debug'] = false; - -// Enables features described in http://wiki.kolab.org/KEP:14 -$config['managesieve_kolab_master'] = false; - -// Script name extension used for scripts including. Dovecot uses '.sieve', -// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled. -$config['managesieve_filename_extension'] = '.sieve'; - -// List of reserved script names (without extension). -// Scripts listed here will be not presented to the user. 
-$config['managesieve_filename_exceptions'] = array();
-
-// List of domains limiting destination emails in redirect action
-// If not empty, user will need to select domain from a list
-$config['managesieve_domains'] = array();
-
-// Enables separate management interface for vacation responses (out-of-office)
-// 0 - no separate section (default),
-// 1 - add Vacation section,
-// 2 - add Vacation section, but hide Filters section
-$config['managesieve_vacation'] = 0;
-
-// Default vacation interval (in days).
-// Note: If server supports vacation-seconds extension it is possible
-// to define interval in seconds here (as a string), e.g. "3600s".
-$config['managesieve_vacation_interval'] = 0;
-
-// Some servers require vacation :addresses to be filled with all
-// user addresses (aliases). This option enables automatic filling
-// of these on initial vacation form creation.
-$config['managesieve_vacation_addresses_init'] = false;
-
-// Supported methods of notify extension. Default: 'mailto'
-$config['managesieve_notify_methods'] = array('mailto');
diff --git a/roles/ispmail-webmail/tasks/main.yml b/roles/ispmail-webmail/tasks/main.yml
deleted file mode 100644
index 277c942..0000000
--- a/roles/ispmail-webmail/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: adding Jessie backports repository (for Roundcube)
- apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
-- name: install required binary packages
- apt: name={{item}} state=installed
- with_items:
- - roundcube
- - roundcube-plugins
-- name: Creating random des_key for Roundcube
- shell: pwgen 24
- register: roundcube_random_des_key
-- name: Deploying Roundcube configuration
- template: src=roundcube-config.inc.php.j2 dest=/etc/roundcube/config.inc.php owner=root group=www-data mode=640
-- name: Deploying Roundcube managesieve plugin configuration
- copy: src=roundcube-managesieve-config.inc.php dest=/etc/roundcube/plugins/managesieve/config.inc.php mode=0640
-- name: Deploying Roundcube password plugin configuration
- template: src=roundcube-password-config.inc.php.j2 dest=/etc/roundcube/plugins/password/config.inc.php owner=root group=www-data mode=640
-- name: Copy ISPmail logo
- copy: src=ispmail-logo.png dest=/var/lib/roundcube/
-- name: Copy Roundcube database config file
- template: src=roundcube-debian-db.php.j2 dest=/etc/roundcube/debian-db.php mode=0640
diff --git a/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2 b/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2
deleted file mode 100644
index 0fae756..0000000
--- a/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2
+++ /dev/null
@@ -1,90 +0,0 @@
-