freebsd_mailserver
Ansible role. FreeBSD. Install and configure Postfix and Dovecot2.
Feel free to share your feedback and report issues.
Requirements and dependencies
Roles
The roles are not listed in the meta file. Install them manually.
- vbotka.ansible_lib Library of Ansible tasks.
Collections
The collections below should be part of a standard Ansible installation. If necessary, install them manually.
- community.crypto
- community.general
Recommended
- vbotka.freebsd_mailserver_spamassassin
- vbotka.freebsd_mailserver_sieve
- vbotka.freebsd_mailserver_roundcube
Variables
See the defaults and examples in vars.
Workflow
- Change shell to /bin/sh if necessary
shell> ansible mailserver -e 'ansible_shell_type=csh ansible_shell_executable=/bin/csh' -a 'sudo pw usermod freebsd -s /bin/sh'
- Install roles
shell> ansible-galaxy role install vbotka.freebsd_mailserver
shell> ansible-galaxy role install vbotka.ansible_lib
Optionally, install roles
shell> ansible-galaxy role install vbotka.freebsd_mailserver_sieve
shell> ansible-galaxy role install vbotka.freebsd_mailserver_spamassassin
- If necessary, install collections
shell> ansible-galaxy collection install community.crypto
shell> ansible-galaxy collection install community.general
- Fit variables to your needs.
Generate OpenSSL Diffie-Hellman parameters
By default, the file dovecot_ssl_dh is created by the Ansible module openssl_dhparam.
dovecot_ssl_dh_generate: true
dovecot_ssl_dh_cmd_generate: false
It is possible to use the custom command dovecot_ssl_dh_cmd to create dovecot_ssl_dh instead.
dovecot_ssl_dh_generate: false
dovecot_ssl_dh_cmd_generate: true
dovecot_ssl_dh_cmd: "openssl dhparam -out {{ dovecot_ssl_dh }} {{ dovecot_ssl_dh_bits }}"
The options dovecot_ssl_dh_generate (default: true) and dovecot_ssl_dh_cmd_generate (default: false) are mutually exclusive. If both options are false, the file dovecot_ssl_dh_path (default: files/dh.pem) is used. This file is provided by the role for testing only. Never use it in production.
Generating the file with Diffie-Hellman parameters may take a long time. For example, 4096-bit parameters take ~40min on an Intel(R) Core(TM) i5-8200Y CPU @ 1.30GHz. It's a good idea to generate the file separately to speed up the configuration.
dovecot_ssl_dh_generate: false
dovecot_ssl_dh_cmd_generate: false
dovecot_ssl_dh_path: <path-to-generated-Diffie-Hellman-file>
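A pre-flight check for the three Diffie-Hellman modes described above, as an added example that is not part of the role: it rejects the mutually exclusive combination and, when both options are false, flags a dovecot_ssl_dh_path file that is the bundled test file or whose prime is shorter than expected. The function names, the `expected_bits` argument (assumed here to carry the value of dovecot_ssl_dh_bits) and the sample parameters are assumptions; the file is assumed to be in the PEM "DH PARAMETERS" format written by `openssl dhparam`.

```python
import base64, hashlib, re

def _tlv(buf):
    """Read the first DER tag-length-value in buf; return (tag, value bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        pos = 2 + (length & 0x7F)
        length = int.from_bytes(buf[2:pos], "big")
    return tag, buf[pos:pos + length]

def dh_prime_bits(pem):
    """Bit length of p in a PEM 'DH PARAMETERS' file: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM DH PARAMETERS file")
    tag, seq = _tlv(base64.b64decode("".join(m.group(1).split())))
    ptag, p = _tlv(seq)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("unexpected DER structure")
    return int.from_bytes(p, "big").bit_length()

def check_dh(role_vars, dh_pem, bundled_pem, expected_bits):
    """Return the problems found in the DH settings (empty list = OK)."""
    gen = role_vars.get("dovecot_ssl_dh_generate", True)        # defaults from the README
    cmd = role_vars.get("dovecot_ssl_dh_cmd_generate", False)
    if gen and cmd:
        return ["dovecot_ssl_dh_generate and dovecot_ssl_dh_cmd_generate are mutually exclusive"]
    if gen or cmd:
        return []                          # the role creates the file itself
    problems = []
    digest = lambda text: hashlib.sha256(text.strip().encode()).hexdigest()
    if digest(dh_pem) == digest(bundled_pem):
        problems.append("dovecot_ssl_dh_path is the role's bundled test file")
    if dh_prime_bits(dh_pem) < expected_bits:
        problems.append("DH prime is shorter than dovecot_ssl_dh_bits")
    return problems

def make_pem(p):
    """Constructed sample input: PEM for SEQUENCE { INTEGER p, INTEGER 2 }; p is not a vetted prime."""
    def der(tag, body):
        size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body
    integer = lambda i: der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))
    body = base64.encodebytes(der(0x30, integer(p) + integer(2))).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    test_file, own_file = make_pem((1 << 1023) | 1), make_pem((1 << 2047) | 1)
    off = {"dovecot_ssl_dh_generate": False, "dovecot_ssl_dh_cmd_generate": False}
    print(check_dh(off, test_file, test_file, 2048), check_dh(off, own_file, test_file, 2048))
```

The check covers provenance and size only; `openssl dhparam -in <file> -check -noout` validates the parameters themselves.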
- Create playbook and inventory
shell> cat freebsd-mailserver.yml
- hosts: mailserver
  roles:
    - vbotka.freebsd_mailserver
shell> cat hosts
[mailserver]
<mailserver-ip-or-fqdn>
[mailserver:vars]
ansible_connection=ssh
ansible_user=freebsd
ansible_become=true
ansible_become_method=sudo
ansible_python_interpreter=/usr/local/bin/python3.9
ansible_perl_interpreter=/usr/local/bin/perl
- Check the syntax
shell> ansible-playbook freebsd-mailserver.yml --syntax-check
- Install packages
- Install packages from the role vbotka.freebsd_mailserver
shell> ansible-playbook freebsd-mailserver.yml -t fm-packages -e fm_install=true
- If you enable sieve
freebsd_mailserver_dovecot_protocols: imap pop3 lmtp sieve
install packages from the role vbotka.freebsd_mailserver_sieve
shell> ansible-playbook freebsd-mailserver-sieve.yml -t fm_ds_packages -e fm_ds_install=true
- If you enable spamassassin
postfix_master_cf_service_def: "inet n - - - - smtpd -o content_filter=spamfilter"
install packages from the role vbotka.freebsd_mailserver_spamassassin
shell> ansible-playbook freebsd-mailserver-spamassassin.yml -t fm_sa_packages -e fm_sa_install=true
- Create default configuration for Dovecot
shell> ansible-playbook freebsd-mailserver.yml -t dovecot_example_conf
- Dry-run and display changes
shell> ansible-playbook freebsd-mailserver.yml --check --diff
- Install and configure the mailserver
shell> ansible-playbook freebsd-mailserver.yml
- Consider testing the mailserver at http://mxtoolbox.com/
Check mode
Create the default Dovecot configuration files to avoid errors about missing files
shell> ansible-playbook freebsd-mailserver.yml -t dovecot_example_conf
Then run the playbook in check mode
shell> ansible-playbook freebsd-mailserver.yml --check
Ansible lint
Use the configuration file .ansible-lint.local when running ansible-lint. Some rules might be disabled and some warnings might be ignored. See the notes in the configuration file.
shell> ansible-lint -c .ansible-lint.local