Merge branch 'master' of git.workaround.org:ispmail/ispmail-buster-ansible

ansible/group_vars/all

@@ -34,6 +34,10 @@ ispmail_postmaster_address: postmaster@example.org
 # that points to your server.
 ispmail_webmail_hostname: 10.0.0.100
 
+# Password for rspamd web interface authentication at
+# https://…/rspamd
+ispmail_rspamd_web_password: ChangeMeRspamd
+
 # Information for self-signed certificate
 ispmail_certificate_country: DE
 ispmail_certificate_state: Schleswig-Holstein
@@ -44,5 +48,3 @@ ispmail_certificate_domains:
   - example.org
 ispmail_certificate_email: postmaster@example.org
 ispmail_certificate_days_valid: 3650
-
-# TODO: Let's Encrypt email address

ansible/ispmail.yml

@@ -25,5 +25,7 @@
       tags: dovecot
     - role: ispmail-webmail-apache-roundcube
       tags: roundcube
+    - role: ispmail-rspamd
+      tags: rspamd
     #  - ispmail-webmail-apache-horde
     #- ispmail-tests

ansible/roles/ispmail-dovecot/files/15-mailboxes.conf

@@ -0,0 +1,80 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+#   Indicates whether the mailbox with this name is automatically created
+#   implicitly when it is first accessed. The user can also be automatically
+#   subscribed to the mailbox after creation. The following values are
+#   defined for this setting:
+#
+#     no        - Never created automatically.
+#     create    - Automatically created, but no automatic subscription.
+#     subscribe - Automatically created and subscribed.
+#
+# special_use:
+#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+#   mailbox. There are no validity checks, so you could specify anything
+#   you want in here, but it's not a good idea to use flags other than the
+#   standard ones specified in the RFC:
+#
+#     \All      - This (virtual) mailbox presents all messages in the
+#                 user's message store.
+#     \Archive  - This mailbox is used to archive messages.
+#     \Drafts   - This mailbox is used to hold draft messages.
+#     \Flagged  - This (virtual) mailbox presents all messages in the
+#                 user's message store marked with the IMAP \Flagged flag.
+#     \Junk     - This mailbox is where messages deemed to be junk mail
+#                 are held.
+#     \Sent     - This mailbox is used to hold copies of messages that
+#                 have been sent.
+#     \Trash    - This mailbox is used to hold messages that have been
+#                 deleted.
+#
+# comment:
+#   Defines a default comment or note associated with the mailbox. This
+#   value is accessible through the IMAP METADATA mailbox entries
+#   "/shared/comment" and "/private/comment". Users with sufficient
+#   privileges can override the default value for entries with a custom
+#   value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+    autoexpunge = 30d
+  }
+  mailbox Trash {
+    special_use = \Trash
+    autoexpunge = 30d
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  #mailbox virtual/All {
+  #  special_use = \All
+  #  comment = All my messages
+  #}
+
+  # If you have a virtual "Flagged" mailbox:
+  #mailbox virtual/Flagged {
+  #  special_use = \Flagged
+  #  comment = All my flagged messages
+  #}
+}

ansible/roles/ispmail-dovecot/files/90-sieve.conf

@@ -16,7 +16,7 @@
 #
 # location = [<type>:]path[;<option>[=<value>][;...]]
 #
-# If the type prefix is omitted, the script location type is 'file' and the 
+# If the type prefix is omitted, the script location type is 'file' and the
 # location is interpreted as a local filesystem path pointing to a Sieve script
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@@ -27,7 +27,7 @@ plugin {
   # delivery. The "include" extension uses this location for retrieving
   # :personal" scripts. This is also where the  ManageSieve service will store
   # the user's scripts, if supported.
-  # 
+  #
   # Currently only the 'file:' location type supports ManageSieve operation.
   # Other location types like 'dict:' and 'ldap:' can currently only
   # be used as a read-only script source ().
@@ -46,9 +46,9 @@ plugin {
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
-  # The name by which the default Sieve script (as configured by the 
-  # sieve_default setting) is visible to the user through ManageSieve. 
-  #sieve_default_name = 
+  # The name by which the default Sieve script (as configured by the
+  # sieve_default setting) is visible to the user through ManageSieve.
+  #sieve_default_name =
 
   # Location for ":global" include scripts as used by the "include" extension.
   #sieve_global =
@@ -63,7 +63,7 @@ plugin {
   #sieve_discard =
 
   # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the 
+  # personal script. If a 'file' location path points to a directory, all the
   # Sieve scripts contained therein (with the proper `.sieve' extension) are
   # executed. The order of execution within that directory is determined by the
   # file names, using a normal 8bit per-character comparison.
@@ -113,6 +113,7 @@ plugin {
   # (http://pigeonhole.dovecot.org) for available plugins.
   # The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
+  sieve_plugins = sieve_imapsieve sieve_extprograms
 
   # The separator that is expected between the :user and :detail
   # address parts introduced by the subaddress extension. This may
@@ -182,18 +183,18 @@ plugin {
   ## TRACE DEBUGGING
   # Trace debugging provides detailed insight in the operations performed by
   # the Sieve script. These settings apply to both the LDA Sieve plugin and the
-  # IMAPSIEVE plugin. 
+  # IMAPSIEVE plugin.
   #
   # WARNING: On a busy server, this functionality can quickly fill up the trace
   # directory with a lot of trace files. Enable this only temporarily and as
   # selective as possible.
-  
+
   # The directory where trace files are written. Trace debugging is disabled if
-  # this setting is not configured or if the directory does not exist. If the 
+  # this setting is not configured or if the directory does not exist. If the
   # path is relative or it starts with "~/" it is interpreted relative to the
   # current user's home directory.
   #sieve_trace_dir =
-  
+
   # The verbosity level of the trace messages. Trace debugging is disabled if
   # this setting is not configured. Possible values are:
   #
@@ -204,12 +205,27 @@ plugin {
   #   "matching"       - Print all executed commands, performed tests and the
   #                      values matched in those tests.
   #sieve_trace_level =
-  
+
   # Enables highly verbose debugging messages that are usually only useful for
   # developers.
   #sieve_trace_debug = no
-  
+
   # Enables showing byte code addresses in the trace output, rather than only
   # the source line numbers.
-  #sieve_trace_addresses = no 
+  #sieve_trace_addresses = no
+
+  # From elsewhere to Junk folder
+  imapsieve_mailbox1_name = INBOX.Junk
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
+
+  # From Junk folder to elsewhere
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = INBOX.Junk
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
+
+  sieve_pipe_bin_dir = /etc/dovecot/sieve
+
+  sieve_global_extensions = +vnd.dovecot.pipe
 }

ansible/roles/ispmail-dovecot/files/learn-ham.sieve

@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+
+pipe :copy "rspamd-learn-ham.sh";

ansible/roles/ispmail-dovecot/files/learn-spam.sieve

@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+
+pipe :copy "rspamd-learn-spam.sh";

ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_ham

ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_spam

ansible/roles/ispmail-dovecot/handlers/main.yml

@@ -1,5 +1,3 @@
 ---
 - name: restart dovecot
   service: name=dovecot state=restarted
-- name: recompile sieve script
-  command: sievec /etc/dovecot/sieve-after

ansible/roles/ispmail-dovecot/tasks/main.yml

@@ -20,6 +20,9 @@
 - name: Copying SSL configuration (10-ssl.conf)
   template: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
   notify: restart dovecot
+- name: Set autoexpunge for Trash and Junk folders (15-mailboxes.conf)
+  copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf
+  notify: restart dovecot
 - name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin)
   copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf
   notify: restart dovecot
@@ -36,7 +39,12 @@
   file: path=/etc/dovecot/sieve-after state=directory
 - name: Create global sieve-after script to send spam to its mail folder
   copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve-after/spam-to-folder.sieve
-  notify: recompile sieve script
+  notify: recompile sieve scripts
+- name: Create sieve directory
+  file:
+    path: /etc/dovecot/sieve
+    state: directory
+
 - name: Copying Sieve plugin configuration (90-sieve.conf)
   copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf
   notify: restart dovecot
@@ -49,3 +57,28 @@
     dest: /usr/local/bin/quota-warning.sh
     mode: 0750
   notify: restart dovecot
+- name: Copy learn sieve scripts
+  copy:
+    src: "{{item}}"
+    dest: "/etc/dovecot/sieve/{{item}}"
+  with_items:
+    - learn-ham.sieve
+    - learn-spam.sieve
+
+- name: Copy ham/spam learning scripts
+  copy:
+    src: "rspamd-learn-{{item}}.sh"
+    dest: "/etc/dovecot/sieve/rspamd-learn-{{item}}.sh"
+    mode: 0700
+  with_items:
+    - ham
+    - spam
+
+- name: recompile sieve scripts
+  command:
+    cmd: "sievec /etc/dovecot/{{item}}.sieve"
+    creates: "/etc/dovecot/{{item}}.svbin"
+  with_items:
+    - sieve-after/spam-to-folder
+    - sieve/learn-ham
+    - sieve/learn-spam

ansible/roles/ispmail-packages/tasks/main.yml

@@ -28,4 +28,5 @@
       - fail2ban
       - ca-certificates
       - mutt
+      - redis
 # TODO: shorewall

ansible/roles/ispmail-postfix/tasks/main.yml

@@ -79,6 +79,15 @@
 - name: Make Postfix listen on all interfaces
   command: postconf inet_interfaces=all
 
+- name: Set rspamd milter for smtpd
+  command: postconf smtpd_milters=inet:127.0.0.1:11332
+
+- name: Set rspamd milter for local mails
+  command: postconf non_smtpd_milters=inet:127.0.0.1:11332
+
+- name: Set rspamd milter macros
+  command: postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}'"
+
 - name: Enable user quota checking
   command: "postconf 'smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status'"
 

ansible/roles/ispmail-rspamd/files/classifier-bayes.conf

@@ -0,0 +1,5 @@
+classifier "bayes" {
+   users_enabled = true;
+   backend = "redis";
+   autolearn = true;
+ }

ansible/roles/ispmail-rspamd/files/milter_headers.conf

@@ -0,0 +1 @@
+extended_spam_headers = true;

ansible/roles/ispmail-rspamd/files/redis.conf

@@ -0,0 +1 @@
+servers = "127.0.0.1";

ansible/roles/ispmail-rspamd/files/statistic.conf

@@ -0,0 +1,3 @@
+classifier "bayes" {
+   users_enabled = true;
+ }

ansible/roles/ispmail-rspamd/handlers/site.yml

@@ -0,0 +1,5 @@
+---
+- name: restart rspamd
+  service:
+    name: rspamd
+    state: restarted

ansible/roles/ispmail-rspamd/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Enable rspamd autolearning
+  copy:
+    src: classifier-bayes.conf
+    dest: /etc/rspamd/override.d/classifier-bayes.conf
+  notify: restart rspamd
+
+- name: Enable rspamd extended headers
+  copy:
+    src: milter_headers.conf
+    dest: /etc/rspamd/override.d/milter_headers.conf
+  notify: restart rspamd
+
+- name: Enable rspamd per-user bayes training
+  copy:
+    src: statistic.conf
+    dest: /etc/rspamd/override.d/statistic.conf
+  notify: restart rspamd
+
+- name: Enable rspamd redis backend
+  copy:
+    src: redis.conf
+    dest: /etc/rspamd/override.d/redis.conf
+  notify: restart rspamd
+
+- name: Hash the rspamd web interface password
+  shell: "rspamadm pw -p {{ispmail_rspamd_web_password}}"
+  register: ispmail_rspamd_web_password_hashed
+  notify: restart rspamd
+
+- name: Set rspamd admin web interface password
+  template:
+    src: worker-controller.conf.j2
+    dest: /etc/rspamd/local.d/worker-controller.inc
+  notify: restart rspamd
+
+- name: Enable redis module in rspamd
+  copy:
+    src: redis.conf
+    dest: /etc/rspamd/override.d/redis.conf
+  notify: restart rspamd

ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2

@@ -0,0 +1 @@
+password = "{{ispmail_rspamd_web_password_hashed.stdout}}";

ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml

@@ -3,3 +3,8 @@
   service:
     name: apache2
     state: restarted
+
+- name: restart rspamd
+  service:
+    name: rspamd
+    state: restarted

ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml

@@ -22,20 +22,20 @@
 - name: Deploying Roundcube managesieve plugin configuration
   template:
     src: plugins/managesieve/config.inc.php.j2
-    dest: /etc/roundcube/plugins/managesieve/config.inc.php 
+    dest: /etc/roundcube/plugins/managesieve/config.inc.php
     owner: root
     group: www-data
     mode: 0640
 - name: Deploying Roundcube password plugin configuration
-  template: 
-    src: plugins/password/config.inc.php.j2 
-    dest: /etc/roundcube/plugins/password/config.inc.php 
-    owner: root 
-    group: www-data 
+  template:
+    src: plugins/password/config.inc.php.j2
+    dest: /etc/roundcube/plugins/password/config.inc.php
+    owner: root
+    group: www-data
     mode: 0640
 - name: Copy ISPmail logo
-  copy: 
-    src: ispmail-logo.png 
+  copy:
+    src: ispmail-logo.png
     dest: /var/lib/roundcube/skins/larry/
 - name: Enable Apache rewrite and ssl module
   shell: a2enmod {{item}}
@@ -76,3 +76,9 @@
   args:
     creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-https.conf
   notify: restart apache
+
+- name: Enable Apache mod_proxy for rspamd admin web interface
+  command:
+    cmd: a2enmod proxy_http
+    creates: /etc/apache2/mods-enabled/proxy_http.load
+  notify: restart apache

ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2

@@ -32,7 +32,7 @@ include_once("/etc/roundcube/debian-db-roundcube.php");
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %s - domain name after the '@' from e-mail address provided at login screen
 // For example %n = mail.domain.tld, %t = domain.tld
-$config['default_host'] = 'localhost';
+$config['default_host'] = 'tls://{{ispmail_fqdn}}';
 
 // SMTP server host (for sending mails).
 // Enter hostname with prefix tls:// to use STARTTLS, or use
@@ -44,7 +44,7 @@ $config['default_host'] = 'localhost';
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %z - IMAP domain (IMAP hostname without the first part)
 // For example %n = mail.domain.tld, %t = domain.tld
-$config['smtp_server'] = 'localhost';
+$config['smtp_server'] = 'tls://{{ispmail_fqdn}}';
 
 // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
 // deprecated SSL over SMTP (aka SMTPS))

ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2

@@ -2,9 +2,16 @@
   ServerName {{ispmail_fqdn}}
   DocumentRoot /var/lib/roundcube
 
+  # Adminer
   Alias /adminer /usr/share/adminer/adminer
+
+  # Roundcube
   Include /etc/roundcube/apache.conf
 
+  # Rspamd admin interface
+  ProxyPass "/rspamd" "http://localhost:11334"
+  ProxyPassReverse "/rspamd" "http://localhost:11334"
+
   SSLEngine on
   SSLCertificateKeyFile /etc/ssl/private/mailserver.pem
   SSLCertificateFile /etc/ssl/certs/mailserver.pem