freebsd_mailserver

This is an Ansible role for FreeBSD to install and set up Postfix and Dovecot2.

Feel free to give your feedback and report any issues.

Contributions are welcome.

Requirements and Dependencies

Roles

The roles are not listed in the meta file. Please install them manually.

• vbotka.ansible_lib - A library of Ansible tasks.

Collections

These collections should be part of the standard Ansible installation. If they are not, please install them manually.

• community.crypto
• community.general

Recommended

• vbotka.freebsd_mailserver_spamassassin
• vbotka.freebsd-mailserver_sieve
• vbotka.freebsd_mailserver_roundcube

Variables

Check the defaults and examples in the vars.

Workflow

1. Change the shell to /bin/sh if needed.

shell> ansible mailserver -e 'ansible_shell_type=csh ansible_shell_executable=/bin/csh' -a 'sudo pw usermod freebsd -s /bin/sh'

2. Install roles.

shell> ansible-galaxy role install vbotka.freebsd_mailserver
shell> ansible-galaxy role install vbotka.ansible_lib

Optionally, you can install these roles too.

shell> ansible-galaxy role install vbotka.freebsd_mailserver_sieve
shell> ansible-galaxy role install vbotka.freebsd_mailserver_spamassassin

3. If needed, install the required collections.

shell> ansible-galaxy collection install community.crypto
shell> ansible-galaxy collection install community.general

4. Adjust the variables according to your needs.

5. Generate OpenSSL Diffie-Hellman parameters.

By default, the file dovecot_ssl_dh is created using the Ansible module openssl_dhparam.

dovecot_ssl_dh_generate: true
dovecot_ssl_dh_cmd_generate: false

You can also use a custom command dovecot_ssl_dh_cmd to create dovecot_ssl_dh.

dovecot_ssl_dh_generate: false
dovecot_ssl_dh_cmd_generate: true
dovecot_ssl_dh_cmd: "openssl dhparam -out {{ dovecot_ssl_dh }} {{dovecot_ssl_dh_bits }}"

The options dovecot_ssl_dh_generate (default: true) and dovecot_ssl_dh_cmd_generate (default: false) cannot both be true at the same time. If both are false, the file dovecot_ssl_dh_path (default: files/dh.pem) is used. This file is only for testing and should never be used in production.

Generating the Diffie-Hellman parameters can take a long time; for example, 4096-bit parameters may take about 40 minutes with an Intel i5-8200Y CPU. It’s better to generate the file separately to speed up the configuration.

dovecot_ssl_dh_generate: false
dovecot_ssl_dh_cmd_generate: false
dovecot_ssl_dh_path: <path-to-generated-Diffie-Hellman-file>

6. Create a playbook and inventory file.

shell> cat freebsd-mailserver.yml

- hosts: mailserver
  roles:
    - vbotka.freebsd_mailserver

shell> cat hosts
[mailserver]
<mailserver-ip-or-fqdn>
[mailserver:vars]
ansible_connection=ssh
ansible_user=freebsd
ansible_become=true
ansible_become_method=sudo
ansible_python_interpreter=/usr/local/bin/python3.9
ansible_perl_interpreter=/usr/local/bin/perl

7. Check the syntax of your playbook.

shell> ansible-playbook freebsd-mailserver.yml --syntax-check

8. Install the packages.

• Install packages using the role vbotka.freebsd_mailserver.

shell> ansible-playbook freebsd-mailserver.yml -t fm-packages -e fm_install=true

• If you enable sieve.

freebsd_mailserver_dovecot_protocols: imap pop3 lmtp sieve

Then install packages from the role vbotka.freebsd_mailserver_sieve.

shell> ansible-playbook freebsd-mailserver-sieve.yml -t fm_ds_packages -e fm_ds_install=true

• If you enable spamassassin.

postfix_master_cf_service_def: "inet  n       -       -       -       -       smtpd -o content_filter=spamfilter"

Then install packages from the role vbotka.freebsd_mailserver_spamassassin.

shell> ansible-playbook freebsd-mailserver-spamassassin.yml -t fm_sa_packages -e fm_sa_install=true

9. Create a default configuration for Dovecot.

shell> ansible-playbook freebsd-mailserver.yml -t dovecot_example_conf

10. Perform a dry-run to see the changes that would be made.

shell> ansible-playbook freebsd-mailserver.yml --check --diff

11. Install and configure the mail server.

shell> ansible-playbook freebsd-mailserver.yml

12. Consider testing your mail server at http://mxtoolbox.com/.

Check Mode

Create default configuration files for Dovecot to avoid errors due to missing files.

shell> ansible-playbook freebsd-mailserver.yml -t dovecot_example_conf

Then, run the check mode.

shell> ansible-playbook freebsd-mailserver.yml --check

Ansible Lint

Use the configuration file .ansible-lint.local when running ansible-lint. Some rules may be turned off and some warnings ignored. Please check the notes in the configuration file.

shell> ansible-lint -c .ansible-lint.local

References

• FreeBSD handbook: Changing the Mail Transfer Agent
• FreeBSD handbook: SMTP Authentication
• Setting up an SMTP Email Server with Postfix
• FreeBSD-Postfix-MySQL-SpamAssassin Setup
• Setting up a mail server with OpenSMTPD, Dovecot, and Rspamd
• Postfix Documentation
• Postfix SMTP relay and access control
• Postfix SASL Howto
• SASL Authentication in the Postfix SMTP/LMTP client
• Postfix logwatch
• Dovecot manual
• OpenDKIM + SPF FreeBSD Forum
• OpenDKIM on Debian Wiki
• OpenDKIM on ArchLinux Wiki

License

Author Information

Vladimir Botka