ROCK5GmbH.mailserver
Ansible Role for Setting Up a Mail Server
This Ansible role installs a mail server following the mail server guide written by Thomas Leistner.
SSL
Place the TLS certificate and private key for the host at /etc/myssl/$FQDN.crt and /etc/myssl/$FQDN.key on the mail server, where $FQDN is the fully qualified domain name of the host; keep the key file readable by root only. You can change the directory by setting the {{ ssl_directory }} variable. If the files are missing, the role generates a self-signed certificate so the services can start, but clients and peer mail servers will not trust it, so do not use it in production. For a trusted certificate, consider Let's Encrypt.
Variables
You need to define the following variables to use this role:
Variable | Description |
---|---|
dbserver_root_pw | Root password for the database |
mailserver_sql_vmail_password | Password for the vmail user in the database |
milter_sql_spamass_password | Password for the spamassassin user in the database |
mailserver_hostname | Hostname for the mail server (e.g., mail) |
mailserver_domain | Domain for the mail server (e.g., example.com) |
There are more variables you can customize for the mail server installation, which you can find in defaults/main.yml
of this role and its dependencies.
Passwords
Rather than keeping the passwords in plain text in vars/vars.yml, put them in an Ansible Vault. To create one quickly, run ansible-vault create vars/vault.yml
and add the following:
mailserver_sql_vmail_password: foo
milter_sql_spamass_password: bar
dbserver_root_pw: baz
(Replace foo, bar and baz with strong, unique passwords; the values above are placeholders and must never be deployed.)
Whenever you run a playbook that uses this role, pass --ask-vault-pass (or --vault-password-file pointing at a file with mode 0600) to ansible-playbook.
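As an added example (not part of the role or its original README), the following POSIX shell script generates three random passwords, renders the vault.yml body shown above and encrypts it non-interactively with ansible-vault. The vault password file location (VAULT_PASS_FILE, defaulting to ~/.mailserver-vault-pass) and the 32-character password length are choices made here, not something the role requires.

```shell
#!/bin/sh
# make_vault.sh: generate strong database passwords and encrypt them with
# ansible-vault. Added example for this README; the role itself ships no
# such helper. Run it from the directory that holds the playbook.
set -eu

# Draw a password of LEN characters from [A-Za-z0-9] using the kernel CSPRNG.
# LC_ALL=C keeps tr from rejecting random bytes that are not valid UTF-8.
gen_password() {
    len="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
    echo
}

# Render the plain YAML that will be encrypted. The keys are the variables
# the role expects (see the Variables section). Each value is double-quoted
# so a leading character such as '*' or '{' cannot change its YAML type.
render_vault_yaml() {
    printf '%s\n' \
        "mailserver_sql_vmail_password: \"$1\"" \
        "milter_sql_spamass_password: \"$2\"" \
        "dbserver_root_pw: \"$3\""
}

main() {
    # The vault password lives in a 0600 file outside the repository; the
    # encrypted vars/vault.yml can then be committed safely.
    pass_file="${VAULT_PASS_FILE:-$HOME/.mailserver-vault-pass}"
    if [ ! -f "$pass_file" ]; then
        umask 077
        gen_password 48 >"$pass_file"
    fi
    mkdir -p vars
    render_vault_yaml "$(gen_password)" "$(gen_password)" "$(gen_password)" \
        >vars/vault.yml
    ansible-vault encrypt --vault-password-file "$pass_file" vars/vault.yml
}

# Only run main when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "make_vault.sh" ]; then
    main "$@"
fi
```

Afterwards run the playbook with --vault-password-file "$HOME/.mailserver-vault-pass" instead of --ask-vault-pass; the plain-text passwords never touch the shell history or the repository.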
Deployment
Before you deploy, set the database passwords as described above. The role is written for a default installation of Ubuntu Server 16.04 and has not been tested on other distributions; note that 16.04 reached end of standard support in April 2021, so expect to adapt package names and service units for a current release.
A sample playbook might look like this:
---
- hosts: all
  become: yes
  vars_files:
    - vars/vault.yml
  roles:
    - ROCK5GmbH.mailserver
To get this role and all its dependencies, use ansible galaxy:
ansible-galaxy install ROCK5GmbH.mailserver
To deploy to a single host, run:
ansible-playbook --ask-vault-pass -i $HOST, playbook.yml
where $HOST is the IP address or DNS name of the server (the trailing comma makes Ansible treat the argument as an inline inventory rather than an inventory file name).
If deploying to multiple hosts, it's better to use inventories, allowing you to set variable values for each host while keeping shared variables.
After deployment the mail server is almost ready, but it serves no domains or mailboxes until you add them to the SQL database. First generate a password hash with doveadm pw -s SHA512-CRYPT
(it prompts for the password and prints a salted hash of the form {SHA512-CRYPT}$6$...). To add a user, log in to your server and connect to the database with:
mysql -u root -p
Enter the database root password (dbserver_root_pw). Then add a domain (here mysystems.tld) and a user (user1), pasting the hash you generated in place of the placeholder:
use vmail;
insert into domains (domain) values ('mysystems.tld');
insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$kgid87hdenss', 2048, true, false);
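The two inserts above are easy to get wrong by hand, and a script that splices user-supplied values into SQL is a classic injection hole. As an added example (not part of the role or its original README), the following POSIX shell script wraps the procedure: it whitelist-validates the local part, domain and quota before they reach SQL, checks that the hash really is a doveadm SHA512-CRYPT string, makes the domain insert idempotent, and obtains the hash interactively so the cleartext password never appears in argv or shell history. Only the domains and accounts tables and columns named in this README are used; the script name and the usage convention are assumptions of this example.

```shell
#!/bin/sh
# add_mail_account.sh USER DOMAIN QUOTA
# Create a vmail domain (if missing) and a mailbox account.
# Added example for this README; the role itself ships no such helper.
set -eu

# Whitelist validation. Anything that is not a plain lowercase local part,
# a hostname-shaped domain or a decimal quota is refused before it can be
# spliced into SQL (a quote or semicolon in USER would otherwise become SQL).
valid_local_part() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{0,63}$'
}

valid_domain() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

valid_quota() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,9}$'
}

# Emit the SQL for one account. The domain insert uses NOT EXISTS so the
# script can be re-run for a second user of the same domain; the account
# insert is left strict so a duplicate mailbox fails loudly instead of
# silently overwriting a password.
build_account_sql() {
    user="$1"; domain="$2"; pwhash="$3"; quota="$4"
    valid_local_part "$user" || { echo "bad local part: $user" >&2; return 1; }
    valid_domain "$domain"   || { echo "bad domain: $domain" >&2; return 1; }
    valid_quota "$quota"     || { echo "bad quota: $quota" >&2; return 1; }
    case "$pwhash" in
        '{SHA512-CRYPT}$6$'*) ;;
        *) echo "hash is not a doveadm SHA512-CRYPT hash" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "INSERT INTO domains (domain) SELECT '$domain' FROM DUAL WHERE NOT EXISTS (SELECT 1 FROM domains WHERE domain = '$domain');" \
        "INSERT INTO accounts (username, domain, password, quota, enabled, sendonly)" \
        "  VALUES ('$user', '$domain', '$pwhash', $quota, true, false);"
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 USER DOMAIN QUOTA" >&2; exit 2; }
    # doveadm pw prompts on the terminal and prints only the hash on stdout,
    # so the cleartext password is never passed as an argument.
    pwhash=$(doveadm pw -s SHA512-CRYPT)
    build_account_sql "$1" "$2" "$pwhash" "$3" | mysql -u root -p vmail
}

# Only run main when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "add_mail_account.sh" ]; then
    main "$@"
fi
```

Run it as ./add_mail_account.sh user1 mysystems.tld 2048 on the mail server; it asks for the mailbox password (via doveadm) and then for the database root password (via mysql). Validation is a whitelist rather than quote escaping on purpose: mailbox names that Dovecot and Postfix will have to handle should be plain anyway, and rejecting odd input is simpler to reason about than escaping it.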
Further Customization
You can also store per-domain TLS policies in the SQL database so that Postfix enforces specific TLS rules when sending to certain domains. Add a policy with:
insert into tlspolicies (domain, policy, params) values ('gmx.de', 'secure', 'match=.gmx.net');
The available policy levels are described in the Postfix documentation for smtp_tls_policy_maps. The match=.gmx.net parameter makes Postfix verify the peer certificate against gmx.net names, because the gmx.de MX hosts do not present a certificate valid for gmx.de; with a plain secure policy Postfix would refuse to deliver. After inserting a policy, confirm that Postfix actually resolves it (postmap -q gmx.de against the role's tls-policy lookup definition) before relying on it, since a stored policy that is not looked up leaves the domain on the global smtp_tls_security_level.
Finally, publish the DNS records for the new mail server: A and AAAA records for the host, an MX record for each domain, and SPF and DKIM TXT records. Also make sure the server's IP addresses have matching reverse DNS (PTR) records, since many receiving mail servers reject mail from hosts without them.
This role installs a mailserver with Postfix, Dovecot, Spamassassin, Amavis, ClamAV and a database backend.