Merge branch 'packmail' into unstable
This commit is contained in:
commit
acf85bfffc
5
amavis/handlers/main.yml
Normal file
5
amavis/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: restart amavis
|
||||||
|
service:
|
||||||
|
name: amavis
|
||||||
|
state: restarted
|
19
amavis/tasks/main.yml
Normal file
19
amavis/tasks/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
- name: install Amavis
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- postgrey
|
||||||
|
- amavisd-new
|
||||||
|
tags:
|
||||||
|
- amavis
|
||||||
|
|
||||||
|
- name: configure Amavis
|
||||||
|
template:
|
||||||
|
src: amavis.conf.j2
|
||||||
|
dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart amavis
|
||||||
|
tags:
|
||||||
|
- amavis
|
57
amavis/templates/amavis.conf.j2
Normal file
57
amavis/templates/amavis.conf.j2
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
use strict;
|
||||||
|
|
||||||
|
## Liste des domaines considérés comme locaux
|
||||||
|
#@local_domains_acl = qw(.);
|
||||||
|
@local_domains_acl = (".example.net","example.com");
|
||||||
|
|
||||||
|
# On customise la ligne ajoutée dans les entêtes
|
||||||
|
$X_HEADER_LINE = "by Amavis at $mydomain";
|
||||||
|
|
||||||
|
# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
|
||||||
|
$mailfrom_notify_admin = "postmaster\@$mydomain";
|
||||||
|
$mailfrom_notify_recip = "postmaster\@$mydomain";
|
||||||
|
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
|
||||||
|
|
||||||
|
# Notifications de fichiers bannis / virus
|
||||||
|
$virus_admin = "postmaster\@$mydomain";
|
||||||
|
# Ne pas recevoir des notifications pour les mails UNCHECKED
|
||||||
|
delete $admin_maps_by_ccat{&CC_UNCHECKED};
|
||||||
|
|
||||||
|
# Que faire avec les messages détectés
|
||||||
|
$final_virus_destiny = D_DISCARD;
|
||||||
|
$final_banned_destiny = D_BOUNCE;
|
||||||
|
$final_spam_destiny = D_BOUNCE;
|
||||||
|
$final_bad_header_destiny = D_PASS;
|
||||||
|
|
||||||
|
# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
|
||||||
|
#$banned_quarantine_to = "banned\@$mydomain";
|
||||||
|
#$virus_quarantine_to = "virus\@$mydomain";
|
||||||
|
|
||||||
|
# Note tueuse
|
||||||
|
$sa_tag2_level_deflt = 6.31;
|
||||||
|
# Pour un comportement "normal" de SA
|
||||||
|
$sa_tag_level_deflt = -1999;
|
||||||
|
$sa_kill_level_deflt = 1999;
|
||||||
|
$sa_dsn_cutoff_level = -99;
|
||||||
|
$sa_spam_subject_tag = '[SPAM]';
|
||||||
|
|
||||||
|
# log
|
||||||
|
$log_level = 2;
|
||||||
|
|
||||||
|
# En fonction besoin/ressources, on a juste le nbre de process
|
||||||
|
$max_servers = 2;
|
||||||
|
|
||||||
|
$enable_ldap = 1;
|
||||||
|
$default_ldap = {
|
||||||
|
hostname => '127.0.0.1', tls => 0,
|
||||||
|
base => '{{ ldap_suffix }}', scope => 'sub',
|
||||||
|
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
|
||||||
|
};
|
||||||
|
|
||||||
|
# Activer l'antivirus et antivirus
|
||||||
|
@bypass_virus_checks_maps = (
|
||||||
|
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
|
||||||
|
@bypass_spam_checks_maps = (
|
||||||
|
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
|
||||||
|
|
||||||
|
1; # ensure a defined return
|
|
@ -38,6 +38,10 @@
|
||||||
- expires
|
- expires
|
||||||
- headers
|
- headers
|
||||||
- cgi
|
- cgi
|
||||||
|
- ssl
|
||||||
|
- include
|
||||||
|
- negotiation
|
||||||
|
- alias
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
|
@ -1,19 +1,12 @@
|
||||||
---
|
---
|
||||||
- name: Get mount options for partitions
|
- name: update ansible_mounts facts
|
||||||
shell: "mount | grep 'on /usr type'"
|
setup:
|
||||||
args:
|
filter: ansible_mounts
|
||||||
warn: no
|
|
||||||
register: mount
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
when: not ansible_check_mode
|
|
||||||
|
|
||||||
- name: Remount /usr if it is a partition and it is not mounted in rw
|
- name: mount /usr in rw
|
||||||
command: "mount -o remount,rw /usr"
|
command: mount -o remount,rw /usr
|
||||||
when:
|
|
||||||
- not ansible_check_mode
|
|
||||||
- mount.rc == 0
|
|
||||||
- not mount.stdout_lines.0 | search("rw")
|
|
||||||
check_mode: yes
|
|
||||||
args:
|
args:
|
||||||
warn: no
|
warn: no
|
||||||
|
changed_when: false
|
||||||
|
when: item.mount == '/usr' and item.options | match(".*ro.*")
|
||||||
|
with_items: "{{ ansible_mounts }}"
|
||||||
|
|
5
clamav/handlers/main.yml
Normal file
5
clamav/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: restart clamav
|
||||||
|
service:
|
||||||
|
name: clamav-daemon
|
||||||
|
state: restarted
|
3
clamav/meta/main.yml
Normal file
3
clamav/meta/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- { role: amavis }
|
111
clamav/tasks/main.yml
Normal file
111
clamav/tasks/main.yml
Normal file
|
@ -0,0 +1,111 @@
|
||||||
|
---
|
||||||
|
- name: configure clamav-daemon
|
||||||
|
debconf:
|
||||||
|
name: clamav-daemon
|
||||||
|
question: "{{ item.key }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
|
vtype: "{{ item.type }}"
|
||||||
|
with_items:
|
||||||
|
- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
|
||||||
|
- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
||||||
|
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
||||||
|
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
|
||||||
|
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
|
||||||
|
- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
|
||||||
|
- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
|
||||||
|
- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
|
||||||
|
- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
|
||||||
|
- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
|
||||||
|
- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
|
||||||
|
- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
|
||||||
|
- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
|
||||||
|
- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
|
||||||
|
- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
|
||||||
|
- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
|
||||||
|
- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
|
||||||
|
- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
|
||||||
|
- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
|
||||||
|
- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
|
||||||
|
- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
|
||||||
|
- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
|
||||||
|
- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
|
||||||
|
- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
|
||||||
|
- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
|
||||||
|
- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
|
||||||
|
tags:
|
||||||
|
- clamav
|
||||||
|
|
||||||
|
- name: configure clamav-freshclam
|
||||||
|
debconf:
|
||||||
|
name: clamav-freshclam
|
||||||
|
question: "{{ item.key }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
|
vtype: "{{ item.type }}"
|
||||||
|
with_items:
|
||||||
|
- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
|
||||||
|
- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
|
||||||
|
- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
|
||||||
|
- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
|
||||||
|
- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
|
||||||
|
- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
|
||||||
|
- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
|
||||||
|
- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
|
||||||
|
- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
|
||||||
|
tags:
|
||||||
|
- clamav
|
||||||
|
|
||||||
|
- name: install ClamAV
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- clamav-daemon
|
||||||
|
- clamav
|
||||||
|
- clamdscan
|
||||||
|
- clamav-freshclam
|
||||||
|
- arc
|
||||||
|
- arj
|
||||||
|
- zoo
|
||||||
|
- pax
|
||||||
|
- bzip2
|
||||||
|
- cabextract
|
||||||
|
- rpm
|
||||||
|
- lzop
|
||||||
|
- razor
|
||||||
|
tags:
|
||||||
|
- clamav
|
||||||
|
|
||||||
|
- name: add clamav user to amavis group
|
||||||
|
user:
|
||||||
|
name: clamav
|
||||||
|
groups: amavis
|
||||||
|
append: True
|
||||||
|
tags:
|
||||||
|
- clamav
|
||||||
|
|
||||||
|
- name: allow supplementary groups
|
||||||
|
replace:
|
||||||
|
dest: /etc/clamav/clamd.conf
|
||||||
|
regexp: 'AllowSupplementaryGroups false'
|
||||||
|
replace: 'AllowSupplementaryGroups true'
|
||||||
|
notify: restart clamav
|
||||||
|
tags:
|
||||||
|
- clamav
|
36
dovecot/.kitchen.yml
Normal file
36
dovecot/.kitchen.yml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
driver:
|
||||||
|
name: docker
|
||||||
|
privileged: true
|
||||||
|
use_sudo: false
|
||||||
|
|
||||||
|
provisioner:
|
||||||
|
name: ansible_playbook
|
||||||
|
hosts: test-kitchen
|
||||||
|
roles_path: ../
|
||||||
|
ansible_verbose: true
|
||||||
|
require_ansible_source: false
|
||||||
|
require_chef_for_busser: false
|
||||||
|
idempotency_test: true
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: debian
|
||||||
|
driver_config:
|
||||||
|
image: evolix/ansible:2.2.1
|
||||||
|
|
||||||
|
verifier:
|
||||||
|
name: serverspec
|
||||||
|
|
||||||
|
suites:
|
||||||
|
- name: default
|
||||||
|
provisioner:
|
||||||
|
name: ansible_playbook
|
||||||
|
playbook: ./tests/test.yml
|
||||||
|
verifier:
|
||||||
|
patterns:
|
||||||
|
- nginx/tests/spec/memcached_spec.rb
|
||||||
|
bundler_path: '/usr/local/bin'
|
||||||
|
rspec_path: '/usr/local/bin'
|
||||||
|
|
||||||
|
transport:
|
||||||
|
max_ssh_sessions: 6
|
11
dovecot/README.md
Normal file
11
dovecot/README.md
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# Dovecot
|
||||||
|
|
||||||
|
Installation and basic configuration of dovecot
|
||||||
|
|
||||||
|
## Tasks
|
||||||
|
|
||||||
|
Minimal configuration is in `tasks/main.yml`
|
||||||
|
|
||||||
|
## Available variables
|
||||||
|
|
||||||
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
2
dovecot/defaults/main.yml
Normal file
2
dovecot/defaults/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
dovecot_foo: bar
|
126
dovecot/files/munin_plugin
Executable file
126
dovecot/files/munin_plugin
Executable file
|
@ -0,0 +1,126 @@
|
||||||
|
#! /bin/bash
|
||||||
|
#
|
||||||
|
# Munin Plugin
|
||||||
|
# to count logins to your dovecot mailserver
|
||||||
|
#
|
||||||
|
# Created by Dominik Schulz <lkml@ds.gauner.org>
|
||||||
|
# http://developer.gauner.org/munin/
|
||||||
|
# Contributions by:
|
||||||
|
# - Stephane Enten <tuf@delyth.net>
|
||||||
|
# - Steve Schnepp <steve.schnepp@pwkf.org>
|
||||||
|
#
|
||||||
|
# Parameters understood:
|
||||||
|
#
|
||||||
|
# config (required)
|
||||||
|
# autoconf (optional - used by munin-config)
|
||||||
|
#
|
||||||
|
# Config variables:
|
||||||
|
#
|
||||||
|
# logfile - Where to find the syslog file
|
||||||
|
#
|
||||||
|
# Add the following line to a file in /etc/munin/plugin-conf.d:
|
||||||
|
# env.logfile /var/log/your/logfile.log
|
||||||
|
#
|
||||||
|
# Magic markers (optional - used by munin-config and installation scripts):
|
||||||
|
#
|
||||||
|
#%# family=auto
|
||||||
|
#%# capabilities=autoconf
|
||||||
|
|
||||||
|
######################
|
||||||
|
# Configuration
|
||||||
|
######################
|
||||||
|
EXPR_BIN=/usr/bin/expr
|
||||||
|
LOGFILE=${logfile:-/var/log/mail.log}
|
||||||
|
######################
|
||||||
|
|
||||||
|
if [ "$1" = "autoconf" ]; then
|
||||||
|
echo yes
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$1" = "config" ]; then
|
||||||
|
echo 'graph_title Dovecot Logins'
|
||||||
|
echo 'graph_category Mail'
|
||||||
|
echo 'graph_args --base 1000 -l 0'
|
||||||
|
echo 'graph_vlabel Login Counters'
|
||||||
|
|
||||||
|
for t in Total TLS SSL IMAP POP3
|
||||||
|
do
|
||||||
|
field=$(echo $t | tr '[:upper:]' '[:lower:]')
|
||||||
|
echo "login_$field.label $t Logins"
|
||||||
|
echo "login_$field.type DERIVE"
|
||||||
|
echo "login_$field.min 0"
|
||||||
|
done
|
||||||
|
|
||||||
|
echo 'connected.label Connected Users'
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
######################
|
||||||
|
# Total Logins
|
||||||
|
######################
|
||||||
|
echo -en "login_total.value "
|
||||||
|
VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
|
||||||
|
if [ ! -z "$VALUE" ]; then
|
||||||
|
echo "$VALUE"
|
||||||
|
else
|
||||||
|
echo "0"
|
||||||
|
fi
|
||||||
|
echo -n
|
||||||
|
######################
|
||||||
|
# Connected Users
|
||||||
|
######################
|
||||||
|
DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
|
||||||
|
CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
|
||||||
|
VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
|
||||||
|
if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
|
||||||
|
VALUE=0
|
||||||
|
fi
|
||||||
|
echo -en "connected.value "
|
||||||
|
echo $VALUE
|
||||||
|
echo -n
|
||||||
|
######################
|
||||||
|
# TLS Logins
|
||||||
|
######################
|
||||||
|
echo -en "login_tls.value "
|
||||||
|
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
|
||||||
|
if [ ! -z "$VALUE" ]; then
|
||||||
|
echo "$VALUE"
|
||||||
|
else
|
||||||
|
echo "0"
|
||||||
|
fi
|
||||||
|
echo -n
|
||||||
|
######################
|
||||||
|
# SSL Logins
|
||||||
|
######################
|
||||||
|
echo -en "login_ssl.value "
|
||||||
|
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
|
||||||
|
if [ ! -z "$VALUE" ]; then
|
||||||
|
echo "$VALUE"
|
||||||
|
else
|
||||||
|
echo "0"
|
||||||
|
fi
|
||||||
|
echo -n
|
||||||
|
######################
|
||||||
|
# IMAP Logins
|
||||||
|
######################
|
||||||
|
echo -en "login_imap.value "
|
||||||
|
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
|
||||||
|
if [ ! -z "$VALUE" ]; then
|
||||||
|
echo "$VALUE"
|
||||||
|
else
|
||||||
|
echo "0"
|
||||||
|
fi
|
||||||
|
echo -n
|
||||||
|
######################
|
||||||
|
# POP3 Logins
|
||||||
|
######################
|
||||||
|
echo -en "login_pop3.value "
|
||||||
|
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
|
||||||
|
if [ ! -z "$VALUE" ]; then
|
||||||
|
echo "$VALUE"
|
||||||
|
else
|
||||||
|
echo "0"
|
||||||
|
fi
|
||||||
|
echo -n
|
10
dovecot/handlers/main.yml
Normal file
10
dovecot/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
- name: restart dovecot
|
||||||
|
service:
|
||||||
|
name: dovecot
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: reload dovecot
|
||||||
|
service:
|
||||||
|
name: dovecot
|
||||||
|
state: reloaded
|
68
dovecot/tasks/main.yml
Normal file
68
dovecot/tasks/main.yml
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
- name: ensure packages are installed
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- dovecot-ldap
|
||||||
|
- dovecot-imapd
|
||||||
|
- dovecot-pop3d
|
||||||
|
- dovecot-sieve
|
||||||
|
- dovecot-managesieved
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
- name: disable pam auth
|
||||||
|
replace:
|
||||||
|
dest: /etc/dovecot/conf.d/10-auth.conf
|
||||||
|
regexp: "[^#]!include auth-system.conf.ext"
|
||||||
|
replace: "#!include auth-system.conf.ext"
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
- name: update ldap auth
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
|
line: "{{ item.key }} = {{ item.value }}"
|
||||||
|
regexp: "^#*{{ item.key }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- { key: 'hosts', value: '127.0.0.1' }
|
||||||
|
- { key: 'auth_bind', value: 'yes' }
|
||||||
|
- { key: 'ldap_version', value: 3 }
|
||||||
|
- { key: 'base', value: "{{ ldap_suffix }}" }
|
||||||
|
- { key: 'user_attrs', value: 'homeDirectory=home' }
|
||||||
|
- { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
|
||||||
|
- { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
|
||||||
|
when: ldap_suffix is defined
|
||||||
|
notify: reload dovecot
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
- name: create vmail group
|
||||||
|
group:
|
||||||
|
name: vmail
|
||||||
|
gid: 5000
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
- name: create vmail user
|
||||||
|
user:
|
||||||
|
name: vmail
|
||||||
|
group: vmail
|
||||||
|
uid: 5000
|
||||||
|
shell: /bin/false
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
- name: deploy evolix config
|
||||||
|
template:
|
||||||
|
src: z-evolinux-defaults.conf.j2
|
||||||
|
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
|
||||||
|
mode: "0644"
|
||||||
|
notify: reload dovecot
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
- include: munin.yml
|
||||||
|
tags:
|
||||||
|
- dovecot
|
20
dovecot/tasks/munin.yml
Normal file
20
dovecot/tasks/munin.yml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: is Munin present ?
|
||||||
|
stat:
|
||||||
|
path: /etc/munin/plugin-conf.d/munin-node
|
||||||
|
check_mode: no
|
||||||
|
register: munin_node_plugins_config
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Install munin plugin
|
||||||
|
copy:
|
||||||
|
src: munin_plugin
|
||||||
|
dest: /etc/munin/plugins/dovecot
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
# TODO : add in /etc/munin/plugin-conf.d/munin-node
|
||||||
|
# [dovecot]
|
||||||
|
# group adm
|
||||||
|
|
||||||
|
when: munin_node_plugins_config.stat.exists
|
36
dovecot/templates/z-evolinux-defaults.conf.j2
Normal file
36
dovecot/templates/z-evolinux-defaults.conf.j2
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
|
||||||
|
disable_plaintext_auth = no
|
||||||
|
auth_mechanisms = plain login
|
||||||
|
|
||||||
|
# Authentification LDAP + intégration avec Postfix pour l'auth SMTP
|
||||||
|
!include auth-ldap.conf.ext
|
||||||
|
service auth {
|
||||||
|
unix_listener auth-userdb {
|
||||||
|
mode = 0600
|
||||||
|
user = vmail
|
||||||
|
group = vmail
|
||||||
|
}
|
||||||
|
unix_listener /var/spool/postfix/private/auth-client {
|
||||||
|
mode = 0666
|
||||||
|
user = postfix
|
||||||
|
group = postfix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Stockage des emails dans /home/mail avec UID/GID 5000/5000
|
||||||
|
mail_location = maildir:/home/vmail/%d/%n
|
||||||
|
mail_uid = 5000
|
||||||
|
mail_gid = 5000
|
||||||
|
|
||||||
|
# Activation Sieve
|
||||||
|
protocol lda {
|
||||||
|
mail_plugins = sieve
|
||||||
|
}
|
||||||
|
|
||||||
|
# Optimisations
|
||||||
|
service login {
|
||||||
|
process_limit = 256
|
||||||
|
}
|
||||||
|
mail_max_userip_connections = 42
|
|
@ -3,3 +3,4 @@ general_alert_email: "root@localhost"
|
||||||
fail2ban_alert_email: Null
|
fail2ban_alert_email: Null
|
||||||
fail2ban_ignore_ips: []
|
fail2ban_ignore_ips: []
|
||||||
fail2ban_wordpress: False
|
fail2ban_wordpress: False
|
||||||
|
fail2ban_roundcube: False
|
||||||
|
|
2
fail2ban/files/roundcube.conf
Normal file
2
fail2ban/files/roundcube.conf
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
[Definition]
|
||||||
|
failregex = Login failed for .*. from <HOST>
|
|
@ -22,14 +22,6 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
- name: package is installed
|
|
||||||
apt:
|
|
||||||
name: fail2ban
|
|
||||||
state: present
|
|
||||||
tags:
|
|
||||||
- fail2ban
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: custom filters are installed
|
- name: custom filters are installed
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
|
@ -40,6 +32,16 @@
|
||||||
- sasl-evolix.conf
|
- sasl-evolix.conf
|
||||||
- wordpress-soft.conf
|
- wordpress-soft.conf
|
||||||
- wordpress-hard.conf
|
- wordpress-hard.conf
|
||||||
|
- roundcube.conf
|
||||||
notify: restart fail2ban
|
notify: restart fail2ban
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
|
- name: package is installed
|
||||||
|
apt:
|
||||||
|
name: fail2ban
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- fail2ban
|
||||||
|
- packages
|
||||||
|
|
||||||
|
|
|
@ -44,3 +44,12 @@ logpath = /var/log/auth.log
|
||||||
maxretry = 5
|
maxretry = 5
|
||||||
findtime = 300
|
findtime = 300
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if fail2ban_roundcube %}
|
||||||
|
[roundcube]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = roundcube
|
||||||
|
logpath = /var/lib/roundcube/logs/errors
|
||||||
|
maxretry = 5
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
---
|
---
|
||||||
ldap_domain: "{{ ansible_fqdn }}"
|
ldap_domain: "{{ ansible_fqdn }}"
|
||||||
ldap_organization: "{{ ansible_domain }}"
|
ldap_organization: "{{ ansible_domain }}"
|
||||||
#ldap_password=$(apg -n1 -m 12 -c cl_seed)
|
ldap_suffix: "dc=example,dc=com"
|
||||||
|
ldap_suffix_dc: "example"
|
||||||
|
|
|
@ -6,8 +6,82 @@
|
||||||
- slapd
|
- slapd
|
||||||
- ldap-utils
|
- ldap-utils
|
||||||
- ldapvi
|
- ldapvi
|
||||||
|
- shelldap
|
||||||
|
|
||||||
|
- name: "Is /root/.ldapvirc present ?"
|
||||||
|
stat:
|
||||||
|
path: /root/.ldapvirc
|
||||||
|
check_mode: no
|
||||||
|
register: root_ldapvirc_path
|
||||||
|
|
||||||
- name: apg package is installed
|
- name: apg package is installed
|
||||||
apt:
|
apt:
|
||||||
name: apg
|
name: apg
|
||||||
state: present
|
state: present
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: create a password for cn=admin
|
||||||
|
command: "apg -n 1 -m 16 -M lcN"
|
||||||
|
register: ldap_admin_password
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: create a password for cn=nagios
|
||||||
|
command: "apg -n 1 -m 16 -M lcN"
|
||||||
|
register: ldap_nagios_password
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: hash password for cn=admin
|
||||||
|
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
|
||||||
|
register: ldap_admin_password_ssha
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: hash password for cn=nagios
|
||||||
|
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
|
||||||
|
register: ldap_nagios_password_ssha
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: create ldapvirc config
|
||||||
|
template:
|
||||||
|
src: ldapvirc.j2
|
||||||
|
dest: /root/.ldapvirc
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: upload ldap initial config
|
||||||
|
template:
|
||||||
|
src: config_ldapvi.j2
|
||||||
|
dest: /root/evolinux_ldap_config.ldapvi
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: upload ldap initial entries
|
||||||
|
template:
|
||||||
|
src: first-entries.ldif.j2
|
||||||
|
dest: /root/evolinux_ldap_first-entries.ldif
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: inject config
|
||||||
|
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
|
||||||
|
environment:
|
||||||
|
TERM: xterm
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: inject first entries
|
||||||
|
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: upload custom schema
|
||||||
|
copy:
|
||||||
|
src: "{{ ldap_schema }}"
|
||||||
|
dest: "/root/{{ ldap_schema }}"
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
|
||||||
|
|
||||||
|
- name: inject custom schema
|
||||||
|
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
|
||||||
|
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
|
||||||
|
|
8
ldap/templates/config_ldapvi.j2
Normal file
8
ldap/templates/config_ldapvi.j2
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
modify: olcDatabase={1}mdb,cn=config
|
||||||
|
olcSuffix: {{ ldap_suffix }}
|
||||||
|
olcRootDN: cn=admin,{{ ldap_suffix }}
|
||||||
|
olcRootPW: {{ ldap_admin_password_ssha.stdout }}
|
||||||
|
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
|
||||||
|
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
|
||||||
|
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
|
||||||
|
olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
|
30
ldap/templates/first-entries.ldif.j2
Normal file
30
ldap/templates/first-entries.ldif.j2
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
dn: {{ ldap_suffix }}
|
||||||
|
objectClass: top
|
||||||
|
objectClass: dcObject
|
||||||
|
objectClass: organization
|
||||||
|
o: {{ ldap_suffix_dc }}
|
||||||
|
dc: {{ ldap_suffix_dc }}
|
||||||
|
|
||||||
|
dn: cn=admin,{{ ldap_suffix }}
|
||||||
|
objectClass: simpleSecurityObject
|
||||||
|
objectClass: organizationalRole
|
||||||
|
cn: admin
|
||||||
|
description: LDAP administrator
|
||||||
|
userPassword: {{ ldap_admin_password_ssha.stdout }}
|
||||||
|
|
||||||
|
dn: ou=ldapusers,{{ ldap_suffix }}
|
||||||
|
objectClass: top
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: ldapusers
|
||||||
|
|
||||||
|
dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
|
||||||
|
objectClass: simpleSecurityObject
|
||||||
|
objectClass: organizationalRole
|
||||||
|
cn: perl
|
||||||
|
userPassword: {{ ldap_admin_password_ssha.stdout }}
|
||||||
|
|
||||||
|
dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
|
||||||
|
objectClass: simpleSecurityObject
|
||||||
|
objectClass: organizationalRole
|
||||||
|
cn: nagios
|
||||||
|
userPassword: {{ ldap_nagios_password_ssha.stdout }}
|
6
ldap/templates/ldapvirc.j2
Normal file
6
ldap/templates/ldapvirc.j2
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
profile default
|
||||||
|
host: ldap://127.0.0.1
|
||||||
|
base: {{ ldap_suffix }}
|
||||||
|
user: cn=admin,{{ ldap_suffix }}
|
||||||
|
bind: simple
|
||||||
|
password: {{ ldap_admin_password.stdout }}
|
|
@ -28,6 +28,7 @@ command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nag
|
||||||
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
|
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
|
||||||
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
|
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
|
||||||
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
|
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
|
||||||
|
command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
|
||||||
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
|
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
|
||||||
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
|
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
|
||||||
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
|
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
|
||||||
|
|
46
opendkim/files/opendkim-add.sh
Normal file
46
opendkim/files/opendkim-add.sh
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
if [ "$#" -ne 1 ]; then
|
||||||
|
echo "Usage : $0 example.com" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
domain="$(echo "$1"|xargs)"
|
||||||
|
|
||||||
|
mkdir -pm 0750 "/etc/opendkim/keys/${domain}"
|
||||||
|
chown opendkim:opendkim "/etc/opendkim/keys/${domain}"
|
||||||
|
|
||||||
|
if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then
|
||||||
|
cd "/etc/opendkim/keys/${domain}"
|
||||||
|
echo "Generate DKIM keys ..."
|
||||||
|
sudo -u opendkim opendkim-genkey -r -d "${domain}"
|
||||||
|
chmod 640 /etc/opendkim/keys/${domain}/*
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep -q "${domain}" /etc/opendkim/TrustedHosts
|
||||||
|
if [ "$?" -ne 0 ]; then
|
||||||
|
echo "Add ${domain} to TrustedHosts ..."
|
||||||
|
echo "${domain}" >> /etc/opendkim/TrustedHosts
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep -q "${domain}" /etc/opendkim/KeyTable
|
||||||
|
if [ "$?" -ne 0 ]; then
|
||||||
|
echo "Add ${domain} to KeyTable ..."
|
||||||
|
echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep -q "${domain}" /etc/opendkim/SigningTable
|
||||||
|
if [ "$?" -ne 0 ]; then
|
||||||
|
echo "Add ${domain} to SigningTable ..."
|
||||||
|
echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable
|
||||||
|
fi
|
||||||
|
|
||||||
|
systemctl reload opendkim
|
||||||
|
if [ "$?" -eq 0 ]; then
|
||||||
|
echo "OpenDKIM successfully reloaded"
|
||||||
|
echo "Public key is in : /etc/opendkim/keys/${domain}/default.txt"
|
||||||
|
exit 0
|
||||||
|
else
|
||||||
|
echo "An error has occurred while opendkim reload, please FIX configuration !" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
18
opendkim/files/opendkim.conf
Normal file
18
opendkim/files/opendkim.conf
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
UserID opendkim:opendkim
|
||||||
|
Socket inet:54321@127.0.0.1
|
||||||
|
PidFile /var/run/opendkim/opendkim.pid
|
||||||
|
OversignHeaders From
|
||||||
|
TrustAnchorFile /usr/share/dns/root.key
|
||||||
|
Selector default
|
||||||
|
Canonicalization relaxed/relaxed
|
||||||
|
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
|
||||||
|
InternalHosts refile:/etc/opendkim/TrustedHosts
|
||||||
|
KeyTable refile:/etc/opendkim/KeyTable
|
||||||
|
LogResults Yes
|
||||||
|
LogWhy Yes
|
||||||
|
Mode sv
|
||||||
|
SigningTable refile:/etc/opendkim/SigningTable
|
||||||
|
Syslog Yes
|
||||||
|
SyslogSuccess Yes
|
||||||
|
TemporaryDirectory /var/tmp
|
||||||
|
UMask 007
|
10
opendkim/handlers/main.yml
Normal file
10
opendkim/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
- name: reload opendkim
|
||||||
|
systemd:
|
||||||
|
name: opendkim
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart opendkim
|
||||||
|
systemd:
|
||||||
|
name: opendkim
|
||||||
|
state: restarted
|
95
opendkim/tasks/main.yml
Normal file
95
opendkim/tasks/main.yml
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
---
|
||||||
|
- name: install OpenDKIM
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- opendkim
|
||||||
|
- opendkim-tools
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: create keys directory
|
||||||
|
file:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: opendkim
|
||||||
|
group: opendkim
|
||||||
|
mode: "0750"
|
||||||
|
with_items:
|
||||||
|
- '/etc/opendkim'
|
||||||
|
- '/etc/opendkim/keys'
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: add 127.0.0.1 to TrustedHosts
|
||||||
|
lineinfile:
|
||||||
|
dest: '/etc/opendkim/TrustedHosts'
|
||||||
|
line: '127.0.0.1'
|
||||||
|
create: True
|
||||||
|
owner: opendkim
|
||||||
|
group: opendkim
|
||||||
|
mode: "0640"
|
||||||
|
notify: reload opendkim
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: create config files
|
||||||
|
file:
|
||||||
|
name: "/etc/opendkim/{{ item }}"
|
||||||
|
state: touch
|
||||||
|
owner: opendkim
|
||||||
|
group: opendkim
|
||||||
|
mode: "0640"
|
||||||
|
with_items:
|
||||||
|
- 'KeyTable'
|
||||||
|
- 'SigningTable'
|
||||||
|
changed_when: False
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: copy OpenDKIM config
|
||||||
|
copy:
|
||||||
|
src: opendkim.conf
|
||||||
|
dest: /etc/opendkim.conf
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
notify: restart opendkim
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: ensure opendkim is started and enabled
|
||||||
|
systemd:
|
||||||
|
name: opendkim
|
||||||
|
state: started
|
||||||
|
enabled: True
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: check if /usr is a partition
|
||||||
|
shell: "mount | grep 'on /usr type'"
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
register: usr_partition
|
||||||
|
check_mode: no
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: mount /usr in rw
|
||||||
|
command: mount -o remount,rw /usr
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
changed_when: False
|
||||||
|
when: usr_partition.rc == 0
|
||||||
|
tags:
|
||||||
|
- opendkim
|
||||||
|
|
||||||
|
- name: deploy opendkim-add.sh script
|
||||||
|
copy:
|
||||||
|
src: opendkim-add.sh
|
||||||
|
dest: /usr/share/scripts/opendkim-add.sh
|
||||||
|
mode: "0750"
|
||||||
|
tags:
|
||||||
|
- opendkim
|
|
@ -4,9 +4,10 @@ Installation and basic configuration of Postfix.
|
||||||
|
|
||||||
## Tasks
|
## Tasks
|
||||||
|
|
||||||
Minimal configuration is in `tasks/main.yml` and optional customization in :
|
Minimal configuration is in `tasks/minimal.yml` and optional customization in :
|
||||||
|
|
||||||
* `slow_transport.yml` : slow transport to specific destination.
|
* `slow_transport.yml` : slow transport to specific destination.
|
||||||
|
* `packmail.yml` : config for virtual mail accounts with OpenLDAP
|
||||||
|
|
||||||
## Available variables
|
## Available variables
|
||||||
|
|
||||||
|
@ -14,5 +15,7 @@ Main variables are :
|
||||||
|
|
||||||
* `postfix_hostname` : hostname for Postfix ;
|
* `postfix_hostname` : hostname for Postfix ;
|
||||||
* `postfix_slow_transport` : enable customization for delivrability.
|
* `postfix_slow_transport` : enable customization for delivrability.
|
||||||
|
* `postfix_force_main_cf` : force copy of main.cf
|
||||||
|
* `postfix_packmail` : install an Evolix Packmail instead of lite postfix config
|
||||||
|
|
||||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
---
|
---
|
||||||
postfix_hostname: "{{ ansible_fqdn }}"
|
postfix_hostname: "{{ ansible_fqdn }}"
|
||||||
postfix_slow_transport_include: False
|
postfix_force_main_cf: False
|
||||||
|
postfix_packmail: False
|
||||||
|
postfix_slow_transport_include: "{{ postfix_packmail }}"
|
||||||
|
|
63
postfix/files/cn4evolix.ldif
Normal file
63
postfix/files/cn4evolix.ldif
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
dn: cn={4}evolix,cn=schema,cn=config
|
||||||
|
objectClass: olcSchemaConfig
|
||||||
|
cn: {4}evolix
|
||||||
|
olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo
|
||||||
|
rward' SUP mail )
|
||||||
|
olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid'
|
||||||
|
DESC 'mail alias' SUP mail )
|
||||||
|
olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean
|
||||||
|
to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1
|
||||||
|
.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo
|
||||||
|
olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1.
|
||||||
|
3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b
|
||||||
|
oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN
|
||||||
|
TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo
|
||||||
|
olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat
|
||||||
|
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo
|
||||||
|
olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX
|
||||||
|
1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean
|
||||||
|
to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4
|
||||||
|
.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC
|
||||||
|
'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11
|
||||||
|
5.121.1.26{20} SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix
|
||||||
|
domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA
|
||||||
|
X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier
|
||||||
|
maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
|
||||||
|
26 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC
|
||||||
|
'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3
|
||||||
|
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A
|
||||||
|
bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY
|
||||||
|
NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC '
|
||||||
|
Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.
|
||||||
|
121.1.40 SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En
|
||||||
|
d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
||||||
|
SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC
|
||||||
|
'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S
|
||||||
|
UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
|
||||||
|
)
|
||||||
|
olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool
|
||||||
|
ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3
|
||||||
|
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||||
|
olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/
|
||||||
|
Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce
|
||||||
|
ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co
|
||||||
|
urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat
|
||||||
|
ionStart $ vacationEnd $ vacationForward $ maildrop ) )
|
||||||
|
olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al
|
||||||
|
iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m
|
||||||
|
aildrop ) MAY ( cn $ isActive ) )
|
||||||
|
olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos
|
||||||
|
tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) )
|
1
postfix/files/filter
Normal file
1
postfix/files/filter
Normal file
|
@ -0,0 +1 @@
|
||||||
|
# Default empty file
|
87
postfix/files/spam.sh
Normal file
87
postfix/files/spam.sh
Normal file
|
@ -0,0 +1,87 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#set -x
|
||||||
|
|
||||||
|
umask 022
|
||||||
|
|
||||||
|
tmp_file=$(mktemp)
|
||||||
|
|
||||||
|
tmp=$(mktemp -d)
|
||||||
|
|
||||||
|
if [ -f $tmp_file ] ;
|
||||||
|
then rm $tmp_file ;
|
||||||
|
fi
|
||||||
|
|
||||||
|
sleep $[ $RANDOM / 1024 ]
|
||||||
|
|
||||||
|
# Postfix
|
||||||
|
cd $tmp
|
||||||
|
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file
|
||||||
|
cp $tmp_file /etc/postfix/client.access
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file
|
||||||
|
cp $tmp_file /etc/postfix/sender.access
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file
|
||||||
|
cp $tmp_file /etc/postfix/recipient.access
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file
|
||||||
|
cp $tmp_file /etc/postfix/header_kill
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file
|
||||||
|
if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then
|
||||||
|
cp sa-blacklist.access /etc/postfix/sa-blacklist.access
|
||||||
|
fi
|
||||||
|
rm sa-blacklist.access
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
/usr/sbin/postmap hash:/etc/postfix/client.access
|
||||||
|
/usr/sbin/postmap hash:/etc/postfix/sender.access
|
||||||
|
/usr/sbin/postmap hash:/etc/postfix/recipient.access
|
||||||
|
/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access
|
||||||
|
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file
|
||||||
|
if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then
|
||||||
|
cp spamd.cidr /etc/postfix/spamd.cidr
|
||||||
|
fi
|
||||||
|
rm spamd.cidr
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
|
||||||
|
# SpamAssassin
|
||||||
|
cd $tmp
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file
|
||||||
|
if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then
|
||||||
|
dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin
|
||||||
|
dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null
|
||||||
|
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
|
||||||
|
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# ClamAV
|
||||||
|
cd $tmp
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file
|
||||||
|
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb
|
||||||
|
if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then
|
||||||
|
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/
|
||||||
|
fi
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb
|
||||||
|
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file
|
||||||
|
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb
|
||||||
|
if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then
|
||||||
|
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/
|
||||||
|
fi
|
||||||
|
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null
|
||||||
|
rm $tmp_file
|
||||||
|
|
||||||
|
rm -rf $tmp
|
|
@ -13,7 +13,9 @@ galaxy_info:
|
||||||
versions:
|
versions:
|
||||||
- jessie
|
- jessie
|
||||||
|
|
||||||
dependencies: []
|
dependencies:
|
||||||
# List your role dependencies here, one per line.
|
- { role: ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True }
|
||||||
# Be sure to remove the '[]' above if you add dependencies
|
- { role: spamassasin, when: postfix_packmail == True }
|
||||||
# to this list.
|
- { role: clamav, when: postfix_packmail == True }
|
||||||
|
- { role: opendkim, when: postfix_packmail == True }
|
||||||
|
- { role: dovecot, when: postfix_packmail == True }
|
||||||
|
|
|
@ -1,30 +1,17 @@
|
||||||
- name: ensure packages are installed
|
---
|
||||||
apt:
|
|
||||||
name: '{{ item }}'
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- postfix
|
|
||||||
- mailgraph
|
|
||||||
|
|
||||||
- name: check if main.cf is default
|
- name: check if main.cf is default
|
||||||
shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -
|
shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: default_main_cf
|
register: default_main_cf
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
- name: create minimal main.cf
|
- include: minimal.yml
|
||||||
template:
|
when: postfix_packmail == False
|
||||||
src: evolinux_main.cf.j2
|
|
||||||
dest: /etc/postfix/main.cf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0644"
|
|
||||||
force: yes
|
|
||||||
when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
|
|
||||||
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
|
|
||||||
notify: restart postfix
|
|
||||||
|
|
||||||
- meta: flush_handlers
|
- include: packmail.yml
|
||||||
|
when: postfix_packmail == True
|
||||||
|
|
||||||
- include: slow_transport.yml
|
- include: slow_transport.yml
|
||||||
when: postfix_slow_transport_include
|
when: postfix_slow_transport_include
|
||||||
|
|
24
postfix/tasks/minimal.yml
Normal file
24
postfix/tasks/minimal.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
- name: ensure packages are installed
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- postfix
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: create minimal main.cf
|
||||||
|
template:
|
||||||
|
src: evolinux_main.cf.j2
|
||||||
|
dest: /etc/postfix/main.cf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
notify: restart postfix
|
||||||
|
when: postfix_force_main_cf == True or
|
||||||
|
default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
|
||||||
|
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
|
||||||
|
tags:
|
||||||
|
- postfix
|
128
postfix/tasks/packmail.yml
Normal file
128
postfix/tasks/packmail.yml
Normal file
|
@ -0,0 +1,128 @@
|
||||||
|
---
|
||||||
|
- name: ensure packages are installed
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- postfix
|
||||||
|
- postfix-ldap
|
||||||
|
- postfix-policyd-spf-python
|
||||||
|
- mailgraph
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: create packmail main.cf
|
||||||
|
template:
|
||||||
|
src: packmail_main.cf.j2
|
||||||
|
dest: /etc/postfix/main.cf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
notify: restart postfix
|
||||||
|
when: postfix_force_main_cf == True or
|
||||||
|
default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
|
||||||
|
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: deploy packmail master.cf
|
||||||
|
template:
|
||||||
|
src: packmail_master.cf.j2
|
||||||
|
dest: /etc/postfix/master.cf
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart postfix
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: copy default filter files
|
||||||
|
copy:
|
||||||
|
src: filter
|
||||||
|
dest: "/etc/postfix/{{ item }}"
|
||||||
|
force: no
|
||||||
|
with_items:
|
||||||
|
- virtual
|
||||||
|
- client.access
|
||||||
|
- client.access_local
|
||||||
|
- header_kill
|
||||||
|
- header_kill_local
|
||||||
|
- recipient.access
|
||||||
|
- recipient.access_local
|
||||||
|
- sa-blacklist.access
|
||||||
|
- sender.access
|
||||||
|
- sender.access_local
|
||||||
|
- spamd.cidr
|
||||||
|
register: postfix_copy_filter
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: postmap filter files
|
||||||
|
command: "postmap /etc/postfix/{{ item }}"
|
||||||
|
with_items:
|
||||||
|
- virtual
|
||||||
|
- client.access
|
||||||
|
- client.access_local
|
||||||
|
- header_kill
|
||||||
|
- header_kill_local
|
||||||
|
- recipient.access
|
||||||
|
- recipient.access_local
|
||||||
|
- sa-blacklist.access
|
||||||
|
- sender.access
|
||||||
|
- sender.access_local
|
||||||
|
- spamd.cidr
|
||||||
|
when: postfix_copy_filter.changed
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: deploy ldap postfix config
|
||||||
|
template:
|
||||||
|
src: "{{ item }}.j2"
|
||||||
|
dest: "/etc/postfix/{{ item }}"
|
||||||
|
mode: "0644"
|
||||||
|
with_items:
|
||||||
|
- virtual_aliases.cf
|
||||||
|
- virtual_domains.cf
|
||||||
|
- virtual_mailboxes.cf
|
||||||
|
notify: restart postfix
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: update ansible_mounts facts
|
||||||
|
setup:
|
||||||
|
filter: ansible_mounts
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: mount /usr in rw
|
||||||
|
command: mount -o remount,rw /usr
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
changed_when: false
|
||||||
|
when: item.mount == '/usr' and item.options | match(".*ro.*")
|
||||||
|
with_items: "{{ ansible_mounts }}"
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: copy spam.sh script
|
||||||
|
copy:
|
||||||
|
src: spam.sh
|
||||||
|
dest: /usr/share/scripts/spam.sh
|
||||||
|
mode: "0700"
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: enable spam.sh cron
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/cron.d/spam
|
||||||
|
line: "42 * * * * /usr/share/scripts/spam.sh"
|
||||||
|
create: yes
|
||||||
|
state: present
|
||||||
|
mode: "0640"
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
|
- name: update antispam list
|
||||||
|
command: /usr/share/scripts/spam.sh
|
||||||
|
changed_when: false
|
||||||
|
tags:
|
||||||
|
- postfix
|
|
@ -1,10 +1,12 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: slow transport is defined in master.cf
|
- name: slow transport is defined in master.cf
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/postfix/master.cf
|
dest: /etc/postfix/master.cf
|
||||||
regexp: "^slow "
|
regexp: "^slow "
|
||||||
line: "slow unix - - n - - smtp"
|
line: "slow unix - - n - - smtp"
|
||||||
|
notify: restart postfix
|
||||||
|
tags:
|
||||||
|
- postfix
|
||||||
|
|
||||||
- name: list of providers for slow transport
|
- name: list of providers for slow transport
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -21,24 +23,5 @@
|
||||||
- "hotmail.fr slow:"
|
- "hotmail.fr slow:"
|
||||||
- "hotmail.com slow:"
|
- "hotmail.com slow:"
|
||||||
notify: postmap transport
|
notify: postmap transport
|
||||||
|
tags:
|
||||||
- name: main.cf is configured for slow transports
|
- postfix
|
||||||
blockinfile:
|
|
||||||
dest: /etc/postfix/main.cf
|
|
||||||
marker: "# {mark} Slow transports configuration (installed by Ansible)"
|
|
||||||
block: |
|
|
||||||
minimal_backoff_time = 2h
|
|
||||||
maximal_backoff_time = 6h
|
|
||||||
maximal_queue_lifetime = 4d
|
|
||||||
queue_run_delay = 100s
|
|
||||||
bounce_queue_lifetime = 1d
|
|
||||||
initial_destination_concurrency = 5
|
|
||||||
default_destination_concurrency_limit = 20
|
|
||||||
slow_destination_rate_delay = 0
|
|
||||||
slow_destination_concurrency_limit = 1
|
|
||||||
slow_destination_concurrency_failed_cohort_limit = 100
|
|
||||||
slow_destination_recipient_limit = 25
|
|
||||||
transport_maps = hash:$config_directory/transport
|
|
||||||
notify: restart postfix
|
|
||||||
|
|
||||||
- meta: flush_handlers
|
|
||||||
|
|
|
@ -13,3 +13,19 @@ recipient_delimiter = +
|
||||||
inet_interfaces = all
|
inet_interfaces = all
|
||||||
inet_protocols = ipv4
|
inet_protocols = ipv4
|
||||||
disable_vrfy_command = yes
|
disable_vrfy_command = yes
|
||||||
|
|
||||||
|
{% if postfix_slow_transport_include == True %}
|
||||||
|
# Slow transports configuration
|
||||||
|
minimal_backoff_time = 2h
|
||||||
|
maximal_backoff_time = 6h
|
||||||
|
maximal_queue_lifetime = 4d
|
||||||
|
queue_run_delay = 100s
|
||||||
|
bounce_queue_lifetime = 1d
|
||||||
|
initial_destination_concurrency = 5
|
||||||
|
default_destination_concurrency_limit = 20
|
||||||
|
slow_destination_rate_delay = 0
|
||||||
|
slow_destination_concurrency_limit = 1
|
||||||
|
slow_destination_concurrency_failed_cohort_limit = 100
|
||||||
|
slow_destination_recipient_limit = 25
|
||||||
|
transport_maps = hash:$config_directory/transport
|
||||||
|
{% endif %}
|
||||||
|
|
423
postfix/templates/packmail_main.cf.j2
Normal file
423
postfix/templates/packmail_main.cf.j2
Normal file
|
@ -0,0 +1,423 @@
|
||||||
|
## fichier principal de configuration de Postfix
|
||||||
|
## commentaires de Gregory Colpart reg AT evolix DOT fr
|
||||||
|
## version 1.0 : 1ere version publique (05.04.2010)
|
||||||
|
|
||||||
|
########################
|
||||||
|
# Section : Emplacements
|
||||||
|
########################
|
||||||
|
|
||||||
|
# Repertoire ou se trouvent les commandes de postfix [OBLIGATOIRE]
|
||||||
|
#par defaut, = $program_directory
|
||||||
|
command_directory = /usr/sbin
|
||||||
|
|
||||||
|
# Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE]
|
||||||
|
#par defaut, = $program_directory
|
||||||
|
daemon_directory = /usr/lib/postfix/sbin
|
||||||
|
|
||||||
|
# Variable pour indiquer les emplacements des commandes et demons de postfix
|
||||||
|
#program_directory = /usr/lib/postfix
|
||||||
|
|
||||||
|
# Repertoire contenant les fichiers de boites aux lettres
|
||||||
|
#par defaut, = /var/mail
|
||||||
|
#mail_spool_directory =
|
||||||
|
|
||||||
|
# Repertoire de la file d'attente de postfix
|
||||||
|
#par defaut, = /var/spool/postfix
|
||||||
|
#queue_directory =
|
||||||
|
|
||||||
|
# Boites aux lettres
|
||||||
|
#par defaut, =
|
||||||
|
home_mailbox = Maildir/
|
||||||
|
|
||||||
|
# Transmettre les mails a un MDA
|
||||||
|
#par defaut, =
|
||||||
|
#mailbox_command = /usr/bin/procmail
|
||||||
|
|
||||||
|
# Separateur entre noms d'utilisateur et extensions d'adresse
|
||||||
|
# mettre + pour integration avec amavis
|
||||||
|
#par defaut, =
|
||||||
|
recipient_delimiter = +
|
||||||
|
|
||||||
|
# Controle si le repertoire existe (souvent pour les systemes de fichiers montes)
|
||||||
|
#par defaut, = no
|
||||||
|
#require_home_directory =
|
||||||
|
|
||||||
|
# Commande pour transmettre le courrier a un MDA
|
||||||
|
#par defaut, =
|
||||||
|
#mailbox_command = /usr/bin/procmail
|
||||||
|
|
||||||
|
# Banniere SMTP affichee
|
||||||
|
#par default, = $myhostname ESMTP $mail_name
|
||||||
|
smtpd_banner = $myhostname ESMTP mail server
|
||||||
|
|
||||||
|
# Groupe des commandes set-gid ayant des acces en ecriture
|
||||||
|
#par defaut, = postdrop
|
||||||
|
# setgid_group = postdrop
|
||||||
|
|
||||||
|
# Produire des "biff notifications" aux utilisateurs pour
|
||||||
|
# prevenir de l'arrivee de nouveaux mails
|
||||||
|
# par default, = yes
|
||||||
|
#biff = no
|
||||||
|
|
||||||
|
|
||||||
|
####################
|
||||||
|
# Section : domaines
|
||||||
|
####################
|
||||||
|
|
||||||
|
# Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE]
|
||||||
|
#par defaut, = [retour de la commande Unix hostname]
|
||||||
|
myhostname = {{ ansible_fqdn }}
|
||||||
|
|
||||||
|
# Variable indiquant le domaine dans lequel se trouve la machine
|
||||||
|
#par defaut, = [partie domain de la variable $myhostname]
|
||||||
|
#mydomain =
|
||||||
|
|
||||||
|
# Liste des noms de domaine (ou IP) consideres comme local
|
||||||
|
#par defaut, = $myhostname, localhost.$mydomain, localhost
|
||||||
|
mydestination = $myhostname
|
||||||
|
|
||||||
|
# Indique le domaine apparaissant dans le courrier envoye
|
||||||
|
#par defaut, = $myhostname
|
||||||
|
myorigin = {{ ansible_fqdn }}
|
||||||
|
|
||||||
|
# Liste de domaine fonctionnant UNIQUEMENT avec des alias virtuels
|
||||||
|
#par defaut, = $virtual_alias_maps
|
||||||
|
#virtual_alias_domains = [ domaines avec alias virtuels ]
|
||||||
|
|
||||||
|
# Liste de domaine fonctionnant avec des comptes virtuels
|
||||||
|
#par defaut, = $virtual_mailbox_maps
|
||||||
|
virtual_mailbox_domains = ldap:$config_directory/virtual_domains.cf
|
||||||
|
|
||||||
|
# Repertoire de base de l'espace de stockage
|
||||||
|
#par defaut, =
|
||||||
|
virtual_mailbox_base = /
|
||||||
|
|
||||||
|
# Ajoute $mydomain aux adresse ne compoirtant que la partie hote sans le domaine
|
||||||
|
#par defaut, = yes
|
||||||
|
#append_dot_mydomain = no
|
||||||
|
|
||||||
|
# Ajoute $myorigin aux adresses ne comportant pas de composante de domaine
|
||||||
|
#par defaut, = yes
|
||||||
|
#append_at_myorigin = no
|
||||||
|
|
||||||
|
# Liste de domaines cachant des sous-domaines internes
|
||||||
|
#par defaut, =
|
||||||
|
#masquerade_domains =
|
||||||
|
|
||||||
|
# A l'exception de certains comptes :
|
||||||
|
#par defaut, =
|
||||||
|
#masquerade_exceptions = root, admin
|
||||||
|
|
||||||
|
# Champs d'application de la reecriture des sous-domaines caches
|
||||||
|
#par defaut, = envelope_sender, header_sender, header_recipient
|
||||||
|
#masquerade_classes =
|
||||||
|
|
||||||
|
# Sites eligibles pour un vidage rapide (postqueue -s [domain.tld])
|
||||||
|
#par defaut, = $relay_domains
|
||||||
|
#fast_flush_domains =
|
||||||
|
|
||||||
|
# Interfaces sur lesquelles ecoutent postfix
|
||||||
|
#par defaut, = all
|
||||||
|
#inet_interfaces = all
|
||||||
|
|
||||||
|
# Adresse IP externe du firewall/proxy si derriere NAT ou proxy
|
||||||
|
# evite principalement les boucles si MX secondaire et MX primaire indisponible
|
||||||
|
#par defaut, =
|
||||||
|
#proxy_interfaces = [adresse IP]
|
||||||
|
|
||||||
|
# Domaines acceptes pour faire relai (MX 2aire)
|
||||||
|
#relay_domains = [domaine a relayer]
|
||||||
|
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Section : base de donnees
|
||||||
|
###########################
|
||||||
|
|
||||||
|
# Liste des bases de donnees utilisees par l'agent de distribution locale
|
||||||
|
# Pour regenerer une base de donnees : postalias /etc/aliases (par ex)
|
||||||
|
#par defaut, = hash:/etc/aliases, nis:mail.aliases
|
||||||
|
alias_maps = hash:/etc/aliases
|
||||||
|
|
||||||
|
# Liste des bases de donnees locales
|
||||||
|
# Pour regenerer avec newaliases
|
||||||
|
#par defaut, = hash:/etc/aliases
|
||||||
|
alias_database = hash:/etc/aliases
|
||||||
|
|
||||||
|
# Chemin vers la commande newaliases
|
||||||
|
#par defaut, = /usr/bin/newaliases
|
||||||
|
#newaliases_path =
|
||||||
|
|
||||||
|
# Base de donnes d'alias virtuels
|
||||||
|
# ne pas oublier : postmap /etc/postfix/virtual
|
||||||
|
#par defaut, = $virtual_maps
|
||||||
|
virtual_alias_maps = hash:$config_directory/virtual, ldap:$config_directory/virtual_aliases.cf
|
||||||
|
|
||||||
|
# Base de donners des boites virtuelles
|
||||||
|
# ne pas oublier : postmap /etc/postfix/vmailbox
|
||||||
|
#par defaut, =
|
||||||
|
virtual_mailbox_maps = ldap:$config_directory/virtual_mailboxes.cf
|
||||||
|
|
||||||
|
virtual_uid_maps = static:5000
|
||||||
|
virtual_gid_maps = static:5000
|
||||||
|
virtual_transport = dovecot
|
||||||
|
dovecot_destination_recipient_limit = 1
|
||||||
|
|
||||||
|
# Reecriture des adresses
|
||||||
|
#par defaut, =
|
||||||
|
#canonical_maps = hash:/etc/postfix/canonical
|
||||||
|
|
||||||
|
# Reecriture des adresses a l'arrivee (ecrase $canonical_maps)
|
||||||
|
#par defaut, =
|
||||||
|
#recipient_canonical_maps = hash:/etc/postfix/canonical
|
||||||
|
|
||||||
|
# Reecriture des adresses au depart
|
||||||
|
#par defaut, =
|
||||||
|
#sender_canonical_maps = hash:/etc/postfix/canonical
|
||||||
|
|
||||||
|
# Adresses changees
|
||||||
|
#relocated_maps = hash:/etc/postfix/relocated
|
||||||
|
|
||||||
|
# Boite pour receptionner tous les utilisateurs inconnus
|
||||||
|
#luser_relay = spam
|
||||||
|
|
||||||
|
# Liste de base de donnees contenant les adresses locales permettant de rejeter les messages aux utilisateurs inconnus
|
||||||
|
# (sera nulle pour recuperer les courriels vers les utilisateurs inconnus)
|
||||||
|
#par defaut, = proxy:unix:passwd.byname $alias_maps
|
||||||
|
#local_recipient_maps =
|
||||||
|
|
||||||
|
# MAILING-LIST nommee xx
|
||||||
|
# dans le fichier /etc/aliases :
|
||||||
|
# xx: user1@domain1 user2@domain2 etc.
|
||||||
|
# owner-xx: admin@domain
|
||||||
|
# Utiliser ou non l'alias xx-owner comme adresse d'enveloppe d'expedition
|
||||||
|
#par defaut, = yes
|
||||||
|
#owner_request_special =
|
||||||
|
|
||||||
|
# Utiliser l'adresse relle de l'admin au lieu de xx-owner
|
||||||
|
#par defaut, = no
|
||||||
|
#expand_owner_alias =
|
||||||
|
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Section : parametres de la file d'attente
|
||||||
|
###########################################
|
||||||
|
|
||||||
|
# Lorsqu'un message n'a pas ete delivre, Postfix adjoint une marque indiquant le moment ou la prochaine tentaive pourra avoir lieu
|
||||||
|
|
||||||
|
# Delai au-dela duquel les messages non delivres seront renvoyes a l'expediteur
|
||||||
|
#par defaut, = 5d
|
||||||
|
#maximal_queue_lifetime =
|
||||||
|
|
||||||
|
# Delai au-dela duquel les *bounces* non delivres ne seront plus envoyes
|
||||||
|
#par defaut, = 5d
|
||||||
|
bounce_queue_lifetime = 1d
|
||||||
|
|
||||||
|
# Intervalle de temps ou postfix examinera la file
|
||||||
|
# Il examine notamment la file deferred pour voir si de NOUVEAUX messages sont arrives
|
||||||
|
# Il faut aussi que la marque indique qu'ils soient prets
|
||||||
|
#par defaut, = 1000s
|
||||||
|
#queue_run_delay =
|
||||||
|
|
||||||
|
# A chaque echec, le delai de la prochaine distribution double, avec les restrictions suivantes :
|
||||||
|
# Delai minimal
|
||||||
|
#par defaut, = 1000s
|
||||||
|
#minimal_backoff_time =
|
||||||
|
# Delai maximal
|
||||||
|
#par defaut, = 4000s
|
||||||
|
#maximal_backoff_time =
|
||||||
|
|
||||||
|
# Si maxproc est vide (master.cf), nombre maximal est :
|
||||||
|
#par defaut, = 100
|
||||||
|
#default_process_limit =
|
||||||
|
|
||||||
|
# Nombre maximal de destinataires stockes en memoire par qmgr pour un transport particulier
|
||||||
|
#par defaut, = 10000
|
||||||
|
#default_recipient_limit =
|
||||||
|
|
||||||
|
# Nombre limitant de messages envoyes simultanement INITIALEMENT pour une destination particuliere
|
||||||
|
# (forcement majoree par maxproc du master.cf ou $default_process_limit)
|
||||||
|
#par defaut, = 5
|
||||||
|
#initial_destination_concurrency =
|
||||||
|
|
||||||
|
# Une fois ces messages distribues, si il reste des messages dans la file d'attente pour cette destination
|
||||||
|
# particuliere, postfix augmente le nombre de tentative tant qu'il ne detecte pas de probleme avec
|
||||||
|
# la destination, avec la limite suivante :
|
||||||
|
#par defaut, = 20
|
||||||
|
#default_destination_concurrency_limit =
|
||||||
|
|
||||||
|
# Cette limite peut etre differente selon le type de transport utilise :
|
||||||
|
#par defaut, = $default_destination_concurrency_limit
|
||||||
|
#lmtp_destination_concurrency_limit =
|
||||||
|
#par defaut, = 2
|
||||||
|
#local_destination_concurrency_limit =
|
||||||
|
#par defaut, = $default_destination_concurrency_limit
|
||||||
|
#relay_destination_concurrency_limit =
|
||||||
|
#par defaut, = $default_destination_concurrency_limit
|
||||||
|
#smtp_destination_concurrency_limit =
|
||||||
|
#par defaut, = $default_destination_concurrency_limit
|
||||||
|
#virtual_destination_concurrency_limit =
|
||||||
|
|
||||||
|
# On peut aussi limiter le nombre maximum de destinataire pour un meme message
|
||||||
|
# Si le nombre de destinataire depasse la limite, postfix divise en groupe d'adresses plus petites et envoie des copies distinctes du message
|
||||||
|
#par defaut, = 10000
|
||||||
|
#default_destination_recipient_limit =
|
||||||
|
#par defaut, = $default_destination_recipient_limit
|
||||||
|
#lmtp_destination_recipient_limit =
|
||||||
|
#par defaut, = 1
|
||||||
|
#local_destination_recipient_limit =
|
||||||
|
#par defaut, = 20000
|
||||||
|
#qmgr_message_recipient_limit =
|
||||||
|
#par defaut, = $default_destination_recipient_limit
|
||||||
|
#relay_destination_recipient_limit =
|
||||||
|
#par defaut, = $default_destination_recipient_limit
|
||||||
|
#smtp_destination_recipient_limit =
|
||||||
|
#par defaut, = 1000
|
||||||
|
#smtpd_recipient_limit =
|
||||||
|
#par defaut, = $default_destination_recipient_limit
|
||||||
|
#virtual_destination_recipient_limit =
|
||||||
|
|
||||||
|
# Nombre maximum de destinataires pour un transport lorsque priorite superieure de transport
|
||||||
|
#par defaut, = 1000
|
||||||
|
#default_extra_recipient_limit =
|
||||||
|
|
||||||
|
slow_destination_rate_delay = 0
|
||||||
|
slow_destination_concurrency_limit = 1
|
||||||
|
slow_destination_recipient_limit = 25
|
||||||
|
slow_destination_concurrency_failed_cohort_limit = 100
|
||||||
|
|
||||||
|
# Types d'incidents a rapporter
|
||||||
|
# resource : message non delivre pour probleme de ressource
|
||||||
|
# software : message non delivre pour probleme de logiciels
|
||||||
|
# policy : envoie le transcription smtp d'un message rejete par restrictions
|
||||||
|
# protocol : envoie toute transcription smtp erronee
|
||||||
|
# delay : envoie les entetes de messages differes
|
||||||
|
# bounce : envoie les entetes de tous les message renvoyes
|
||||||
|
# 2bounce : envoie les entetes de tous les messages renvoyes non delivres
|
||||||
|
#par defaut, = resource, software
|
||||||
|
notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol
|
||||||
|
|
||||||
|
# A qui les reporter ?
|
||||||
|
#Pour delay
|
||||||
|
#par defaut, = postmaster
|
||||||
|
delay_notice_recipient = delay
|
||||||
|
#Pour policy, protocol, resource, software
|
||||||
|
#par defaut, = postmaster
|
||||||
|
error_notice_recipient = error
|
||||||
|
#Pour bounce
|
||||||
|
#par defaut, = postmaster
|
||||||
|
bounce_notice_recipient = bounce
|
||||||
|
#Pour 2bounce
|
||||||
|
#par defaut, = postmaster
|
||||||
|
2bounce_notice_recipient = bounce
|
||||||
|
|
||||||
|
|
||||||
|
########################
|
||||||
|
# Section : restrictions
|
||||||
|
########################
|
||||||
|
|
||||||
|
# Restrictions au depart de la conversation
|
||||||
|
#par defaut, =
|
||||||
|
smtpd_client_restrictions =
|
||||||
|
permit_mynetworks,
|
||||||
|
permit_sasl_authenticated,
|
||||||
|
cidr:$config_directory/spamd.cidr,
|
||||||
|
|
||||||
|
# Restrictions au niveau de la commande HELO/EHLO
|
||||||
|
#par defaut, =
|
||||||
|
smtpd_helo_restrictions =
|
||||||
|
reject_invalid_hostname
|
||||||
|
|
||||||
|
# Restrictions au niveau de la commande MAIL FROM
|
||||||
|
#par defaut, =
|
||||||
|
smtpd_sender_restrictions =
|
||||||
|
permit_mynetworks,
|
||||||
|
check_sender_access hash:$config_directory/sa-blacklist.access
|
||||||
|
|
||||||
|
# Restrictions au niveau de la commande MAIL FROM
|
||||||
|
#par defaut, = permit_mynetworks, reject_unauth_destination
|
||||||
|
smtpd_recipient_restrictions =
|
||||||
|
permit_mynetworks,
|
||||||
|
permit_sasl_authenticated,
|
||||||
|
reject_unauth_destination,
|
||||||
|
check_policy_service unix:private/policyd-spf,
|
||||||
|
check_client_access hash:$config_directory/client.access_local,
|
||||||
|
check_client_access hash:$config_directory/client.access,
|
||||||
|
check_sender_access hash:$config_directory/sender.access_local,
|
||||||
|
check_sender_access hash:$config_directory/sender.access,
|
||||||
|
check_recipient_access hash:$config_directory/recipient.access_local,
|
||||||
|
check_recipient_access hash:$config_directory/recipient.access,
|
||||||
|
reject_unlisted_recipient,
|
||||||
|
reject_unknown_sender_domain,
|
||||||
|
reject_non_fqdn_sender,
|
||||||
|
reject_unauth_pipelining,
|
||||||
|
|
||||||
|
policyd-spf_time_limit = 3600
|
||||||
|
|
||||||
|
header_checks =
|
||||||
|
regexp:$config_directory/header_kill_local,
|
||||||
|
regexp:$config_directory/header_kill
|
||||||
|
|
||||||
|
transport_maps = hash:$config_directory/transport
|
||||||
|
|
||||||
|
# Attendre la commande 'RCPT TO' avant d'evaluer les restrictions ?
|
||||||
|
# (peut poser pb avec certains clients et permet d'avoir renseignements suppl)
|
||||||
|
#par defaut, = yes
|
||||||
|
#smtpd_delay_reject =
|
||||||
|
|
||||||
|
# Definition des plages IP appartenant a mynetworks
|
||||||
|
#par defaut, toutes les plages d'adresses IPv4 (et IPv6) des interfaces
|
||||||
|
mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16
|
||||||
|
|
||||||
|
# Exiger la commande HELO/EHLO
|
||||||
|
#par defaut, = no
|
||||||
|
smtpd_helo_required = yes
|
||||||
|
|
||||||
|
# Exiger syntaxe conforme dans les commandes MAIL FROM ou RCPT TO
|
||||||
|
#par defaut, = no
|
||||||
|
strict_rfc821_envelopes = yes
|
||||||
|
|
||||||
|
# Rejeter le courrier provenant d'une adresse inexistante ?
|
||||||
|
#par defaut, = no
|
||||||
|
#smtpd_reject_unlisted_sender =
|
||||||
|
|
||||||
|
# Rejeter le courrier a destination d'une adresse inexistante ?
|
||||||
|
#par defaut, = yes
|
||||||
|
#smtpd_reject_unlisted_recipient =
|
||||||
|
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# Section : Chiffrement
|
||||||
|
#######################
|
||||||
|
|
||||||
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
smtpd_use_tls=yes
|
||||||
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
|
||||||
|
# SASL
|
||||||
|
smtpd_sasl_auth_enable = yes
|
||||||
|
broken_sasl_auth_clients = yes
|
||||||
|
smtpd_sasl_type = dovecot
|
||||||
|
smtpd_sasl_path = private/auth-client
|
||||||
|
|
||||||
|
# Amavis and OpenDKIM
|
||||||
|
content_filter = smtp-amavis:[127.0.0.1]:10024
|
||||||
|
smtpd_milters = inet:[127.0.0.1]:54321
|
||||||
|
non_smtpd_milters = inet:[127.0.0.1]:54321
|
||||||
|
|
||||||
|
{% if postfix_slow_transport_include == True %}
|
||||||
|
# Slow transports configuration
|
||||||
|
minimal_backoff_time = 2h
|
||||||
|
maximal_backoff_time = 6h
|
||||||
|
maximal_queue_lifetime = 4d
|
||||||
|
queue_run_delay = 100s
|
||||||
|
bounce_queue_lifetime = 1d
|
||||||
|
initial_destination_concurrency = 5
|
||||||
|
default_destination_concurrency_limit = 20
|
||||||
|
slow_destination_rate_delay = 0
|
||||||
|
slow_destination_concurrency_limit = 1
|
||||||
|
slow_destination_concurrency_failed_cohort_limit = 100
|
||||||
|
slow_destination_recipient_limit = 25
|
||||||
|
transport_maps = hash:$config_directory/transport
|
||||||
|
{% endif %}
|
171
postfix/templates/packmail_master.cf.j2
Normal file
171
postfix/templates/packmail_master.cf.j2
Normal file
|
@ -0,0 +1,171 @@
|
||||||
|
#
|
||||||
|
# Postfix master process configuration file. For details on the format
|
||||||
|
# of the file, see the master(5) manual page (command: "man 5 master" or
|
||||||
|
# on-line: http://www.postfix.org/master.5.html).
|
||||||
|
#
|
||||||
|
# Do not forget to execute "postfix reload" after editing this file.
|
||||||
|
#
|
||||||
|
# ==========================================================================
|
||||||
|
# service type private unpriv chroot wakeup maxproc command + args
|
||||||
|
# (yes) (yes) (no) (never) (100)
|
||||||
|
# ==========================================================================
|
||||||
|
smtp inet n - y - - smtpd
|
||||||
|
#smtp inet n - y - 1 postscreen
|
||||||
|
#smtpd pass - - y - - smtpd
|
||||||
|
#dnsblog unix - - y - 0 dnsblog
|
||||||
|
#tlsproxy unix - - y - 0 tlsproxy
|
||||||
|
submission inet n - y - - smtpd
|
||||||
|
-o syslog_name=postfix/submission
|
||||||
|
-o smtpd_tls_security_level=encrypt
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
|
smtps inet n - y - - smtpd
|
||||||
|
-o syslog_name=postfix/smtps
|
||||||
|
-o smtpd_tls_wrappermode=yes
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
|
#628 inet n - y - - qmqpd
|
||||||
|
pickup unix n - y 60 1 pickup
|
||||||
|
cleanup unix n - y - 0 cleanup
|
||||||
|
qmgr unix n - n 300 1 qmgr
|
||||||
|
#qmgr unix n - n 300 1 oqmgr
|
||||||
|
tlsmgr unix - - y 1000? 1 tlsmgr
|
||||||
|
rewrite unix - - y - - trivial-rewrite
|
||||||
|
bounce unix - - y - 0 bounce
|
||||||
|
defer unix - - y - 0 bounce
|
||||||
|
trace unix - - y - 0 bounce
|
||||||
|
verify unix - - y - 1 verify
|
||||||
|
flush unix n - y 1000? 0 flush
|
||||||
|
proxymap unix - - n - - proxymap
|
||||||
|
proxywrite unix - - n - 1 proxymap
|
||||||
|
smtp unix - - y - - smtp
|
||||||
|
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
|
||||||
|
relay unix - - y - - smtp
|
||||||
|
-o smtp_fallback_relay=
|
||||||
|
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||||
|
showq unix n - y - - showq
|
||||||
|
error unix - - y - - error
|
||||||
|
retry unix - - y - - error
|
||||||
|
discard unix - - y - - discard
|
||||||
|
local unix - n n - - local
|
||||||
|
virtual unix - n n - - virtual
|
||||||
|
lmtp unix - - y - - lmtp
|
||||||
|
anvil unix - - y - 1 anvil
|
||||||
|
scache unix - - y - 1 scache
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||||
|
# pages of the non-Postfix software to find out what options it wants.
|
||||||
|
#
|
||||||
|
# Many of the following services use the Postfix pipe(8) delivery
|
||||||
|
# agent. See the pipe(8) man page for information about ${recipient}
|
||||||
|
# and other message envelope options.
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||||
|
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
maildrop unix - n n - - pipe
|
||||||
|
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||||
|
#
|
||||||
|
# Specify in cyrus.conf:
|
||||||
|
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||||
|
#
|
||||||
|
# Specify in main.cf one or more of the following:
|
||||||
|
# mailbox_transport = lmtp:inet:localhost
|
||||||
|
# virtual_transport = lmtp:inet:localhost
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Cyrus 2.1.5 (Amos Gouaux)
|
||||||
|
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
#cyrus unix - n n - - pipe
|
||||||
|
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Old example of delivery via Cyrus.
|
||||||
|
#
|
||||||
|
#old-cyrus unix - n n - - pipe
|
||||||
|
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# See the Postfix UUCP_README file for configuration details.
|
||||||
|
#
|
||||||
|
uucp unix - n n - - pipe
|
||||||
|
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||||
|
#
|
||||||
|
# Other external delivery methods.
|
||||||
|
#
|
||||||
|
ifmail unix - n n - - pipe
|
||||||
|
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||||
|
bsmtp unix - n n - - pipe
|
||||||
|
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||||
|
scalemail-backend unix - n n - 2 pipe
|
||||||
|
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||||
|
mailman unix - n n - - pipe
|
||||||
|
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||||
|
${nexthop} ${user}
|
||||||
|
|
||||||
|
slow unix - - n - - smtp
|
||||||
|
|
||||||
|
policyd-spf unix - n n - 0 spawn
|
||||||
|
user=policyd-spf argv=/usr/bin/policyd-spf
|
||||||
|
|
||||||
|
dovecot unix - n n - - pipe
|
||||||
|
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
|
||||||
|
|
||||||
|
scan unix - - y - 10 smtp
|
||||||
|
localhost:10026 inet n - y - 10 smtpd
|
||||||
|
-o content_filter=
|
||||||
|
-o local_recipient_maps=
|
||||||
|
-o relay_recipient_maps=
|
||||||
|
-o myhostname=filter.mynetwork.local
|
||||||
|
-o smtpd_helo_restrictions=
|
||||||
|
-o smtpd_client_restrictions=
|
||||||
|
-o smtpd_sender_restrictions=
|
||||||
|
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
||||||
|
-o mynetworks=127.0.0.0/8
|
||||||
|
|
||||||
|
smtp-amavis unix - - y - 2 lmtp
|
||||||
|
-o lmtp_data_done_timeout=1200
|
||||||
|
-o lmtp_send_xforward_command=yes
|
||||||
|
|
||||||
|
127.0.0.1:10025 inet n - y - - smtpd
|
||||||
|
-o content_filter=
|
||||||
|
-o smtpd_milters=
|
||||||
|
-o local_recipient_maps=
|
||||||
|
-o relay_recipient_maps=
|
||||||
|
-o smtpd_restriction_classes=
|
||||||
|
-o smtpd_delay_reject=no
|
||||||
|
-o smtpd_client_restrictions=permit_mynetworks,reject
|
||||||
|
-o smtpd_helo_restrictions=
|
||||||
|
-o smtpd_sender_restrictions=
|
||||||
|
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
||||||
|
-o smtpd_data_restrictions=reject_unauth_pipelining
|
||||||
|
-o smtpd_end_of_data_restrictions=
|
||||||
|
-o mynetworks=127.0.0.0/8
|
||||||
|
-o strict_rfc821_envelopes=yes
|
||||||
|
-o smtpd_error_sleep_time=0
|
||||||
|
-o smtpd_soft_error_limit=1001
|
||||||
|
-o smtpd_hard_error_limit=1000
|
||||||
|
-o smtpd_client_connection_count_limit=0
|
||||||
|
-o smtpd_client_connection_rate_limit=0
|
||||||
|
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
|
||||||
|
|
||||||
|
pre-cleanup unix n - n - 0 cleanup
|
||||||
|
-o virtual_alias_maps=
|
||||||
|
-o canonical_maps=
|
||||||
|
-o sender_canonical_maps=
|
||||||
|
-o recipient_canonical_maps=
|
||||||
|
-o masquerade_domains=
|
||||||
|
-o always_bcc=
|
||||||
|
-o sender_bcc_maps=
|
||||||
|
-o recipient_bcc_maps=
|
5
postfix/templates/virtual_aliases.cf.j2
Normal file
5
postfix/templates/virtual_aliases.cf.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
search_base = {{ ldap_suffix }}
|
||||||
|
query_filter = (&(mailacceptinggeneralid=%u@%d)(isActive=TRUE))
|
||||||
|
result_attribute = maildrop
|
||||||
|
version = 3
|
||||||
|
aliases_scope = sub
|
5
postfix/templates/virtual_domains.cf.j2
Normal file
5
postfix/templates/virtual_domains.cf.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
search_base = {{ ldap_suffix }}
|
||||||
|
query_filter = (&(cn=%s)(objectClass=postfixDomain)(isActive=TRUE))
|
||||||
|
result_attribute = cn
|
||||||
|
scope = sub
|
||||||
|
version = 3
|
5
postfix/templates/virtual_mailboxes.cf.j2
Normal file
5
postfix/templates/virtual_mailboxes.cf.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
search_base = {{ ldap_suffix }}
|
||||||
|
query_filter = (&(mailacceptinggeneralid=%s)(objectClass=mailAccount)(isActive=TRUE)(accountActive=TRUE))
|
||||||
|
result_attribute = homeDirectory
|
||||||
|
scope = sub
|
||||||
|
version = 3
|
68
spamassasin/files/sa-update.sh
Normal file
68
spamassasin/files/sa-update.sh
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Evolix sa-update, based on:
|
||||||
|
# Duncan Findlay
|
||||||
|
# duncf@debian.org
|
||||||
|
|
||||||
|
mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2)
|
||||||
|
test -x /usr/bin/sa-update || exit 0
|
||||||
|
test -x /etc/init.d/spamassassin || exit 0
|
||||||
|
|
||||||
|
# If there's a problem with the ruleset or configs, print the output
|
||||||
|
# of spamassassin --lint (which will typically get emailed to root)
|
||||||
|
# and abort.
|
||||||
|
die_with_lint() {
|
||||||
|
su debian-spamd -c "spamassassin --lint -D 2>&1"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
do_compile() {
|
||||||
|
# Compile, if rules have previously been compiled, and it's possible
|
||||||
|
if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
|
||||||
|
-a -d /var/lib/spamassassin/compiled ]; then
|
||||||
|
su debian-spamd -c "sa-compile --quiet"
|
||||||
|
# Fixup perms -- group and other should be able to
|
||||||
|
# read and execute, but never write. Works around
|
||||||
|
# sa-compile's failure to obey umask.
|
||||||
|
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Tell a running spamd to reload its configs and rules.
|
||||||
|
reload() {
|
||||||
|
# Reload
|
||||||
|
if which invoke-rc.d >/dev/null 2>&1; then
|
||||||
|
invoke-rc.d spamassassin reload > /dev/null
|
||||||
|
else
|
||||||
|
/etc/init.d/spamassassin reload > /dev/null
|
||||||
|
fi
|
||||||
|
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
|
||||||
|
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Update
|
||||||
|
umask 022
|
||||||
|
su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
|
||||||
|
|
||||||
|
case $? in
|
||||||
|
0)
|
||||||
|
# got updates!
|
||||||
|
su debian-spamd -c "spamassassin --lint" || die_with_lint
|
||||||
|
do_compile
|
||||||
|
reload
|
||||||
|
echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \
|
||||||
|
mail -s "SpamAsassin's rules updated." $mail
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
# no updates
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
# lint failed!
|
||||||
|
die_with_lint
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "sa-update failed for unknown reasons" 1>&2
|
||||||
|
;;
|
||||||
|
esac
|
117
spamassasin/files/spamassassin.cf
Normal file
117
spamassasin/files/spamassassin.cf
Normal file
|
@ -0,0 +1,117 @@
|
||||||
|
#required_score 5 -> assure par Amavis
|
||||||
|
report_safe 0
|
||||||
|
#rewrite_header Subject [SPAM] -> assure par Amavis
|
||||||
|
add_header all Report _REPORT_
|
||||||
|
|
||||||
|
# filtre bayesien
|
||||||
|
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
|
||||||
|
use_bayes 1
|
||||||
|
bayes_auto_learn 1
|
||||||
|
bayes_path /var/spool/spam/bayes
|
||||||
|
bayes_file_mode 0777
|
||||||
|
|
||||||
|
# AWL : AutoWhitelist
|
||||||
|
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
|
||||||
|
loadplugin Mail::SpamAssassin::Plugin::AWL
|
||||||
|
use_auto_whitelist 1
|
||||||
|
auto_whitelist_path /var/spool/spam/auto_whitelist
|
||||||
|
auto_whitelist_file_mode 0666
|
||||||
|
|
||||||
|
# LANG TESTS
|
||||||
|
loadplugin Mail::SpamAssassin::Plugin::TextCat
|
||||||
|
ok_languages en fr es it
|
||||||
|
ok_locales en fr es it
|
||||||
|
|
||||||
|
score BODY_8BITS 1.500
|
||||||
|
score CHARSET_FARAWAY 3.200
|
||||||
|
score CHARSET_FARAWAY_HEADER 3.200
|
||||||
|
score HTML_CHARSET_FARAWAY 0.500
|
||||||
|
score MIME_CHARSET_FARAWAY 2.450
|
||||||
|
score UNWANTED_LANGUAGE_BODY 2.800
|
||||||
|
|
||||||
|
# DCC
|
||||||
|
# use_dcc 1 => un plugin maintenant...
|
||||||
|
score DCC_CHECK 2.9
|
||||||
|
|
||||||
|
# RAZOR : http://razor.sourceforge.net
|
||||||
|
use_razor2 1
|
||||||
|
score RAZOR2_CHECK 2.9
|
||||||
|
score RAZOR2_CF_RANGE_51_100 1.3
|
||||||
|
|
||||||
|
# pyzor : http://pyzor.sourceforge.net/
|
||||||
|
use_pyzor 0
|
||||||
|
|
||||||
|
# RBL (Realtime Blackhole List)
|
||||||
|
skip_rbl_checks 0
|
||||||
|
score RCVD_IN_BL_SPAMCOP_NET 3
|
||||||
|
|
||||||
|
# misc
|
||||||
|
score HELO_DYNAMIC_IPADDR 0.3
|
||||||
|
score BIZ_TLD 0.1
|
||||||
|
score PRIORITY_NO_NAME 0.2
|
||||||
|
|
||||||
|
# disable HTML tests
|
||||||
|
|
||||||
|
score HTML_MESSAGE 0
|
||||||
|
score HTML_00_10 0
|
||||||
|
score HTML_10_20 0
|
||||||
|
score HTML_20_30 0
|
||||||
|
score HTML_30_40 0
|
||||||
|
score HTML_40_50 0
|
||||||
|
score HTML_50_60 0
|
||||||
|
score HTML_60_70 0
|
||||||
|
score HTML_70_80 0
|
||||||
|
score HTML_80_90 0
|
||||||
|
score HTML_90_100 0
|
||||||
|
#score HTML_COMMENT_8BITS 0
|
||||||
|
score UPPERCASE_25_50 0
|
||||||
|
score UPPERCASE_50_75 0
|
||||||
|
score UPPERCASE_75_100 0
|
||||||
|
score MIME_HTML_ONLY 0.1
|
||||||
|
# From http://maxime.ritter.eu.org/Spam/user_prefs
|
||||||
|
# Trop de faux negatifs avec BAYES_(0|1|2|3|4)*
|
||||||
|
score BAYES_00 0 0 -0.01 -0.01
|
||||||
|
score BAYES_01 0 0 -0.01 -0.01
|
||||||
|
score BAYES_10 0 0 -0.01 -0.01
|
||||||
|
score BAYES_20 0 0 -0.01 -0.01
|
||||||
|
score BAYES_30 0 0 -0.01 -0.01
|
||||||
|
score BAYES_40 0 0 -0.01 -0.01
|
||||||
|
score BAYES_44 0 0 -0.01 -0.01
|
||||||
|
score BAYES_50 0 0 0.1 0.1
|
||||||
|
score BAYES_56 0 0 0.5 0.5
|
||||||
|
score BAYES_60 0 0 1.0 1.0
|
||||||
|
score BAYES_70 0 0 2.5 2.5
|
||||||
|
score BAYES_80 0 0 3.5 3.5
|
||||||
|
score BAYES_90 0 0 4.5 4.5
|
||||||
|
score BAYES_99 0 0 8.0 8.0
|
||||||
|
|
||||||
|
score RCVD_IN_SORBS_DUL 0.3
|
||||||
|
score SUBJ_ILLEGAL_CHARS 0
|
||||||
|
score RCVD_IN_NJABL_DUL 0.3
|
||||||
|
|
||||||
|
score ADDRESS_IN_SUBJECT 0.1
|
||||||
|
|
||||||
|
score HELO_LH_HOME 1.0
|
||||||
|
|
||||||
|
#internal_networks 192.168.XXX/24
|
||||||
|
trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21
|
||||||
|
#score ALL_TRUSTED 0.3
|
||||||
|
score HELO_DYNAMIC_IPADDR 0.3
|
||||||
|
|
||||||
|
score FORGED_MUA_OUTLOOK 0.5
|
||||||
|
|
||||||
|
# Eudora sucks
|
||||||
|
score EXTRA_MPART_TYPE 0.1
|
||||||
|
score MIME_BOUND_EQ_REL 0.1
|
||||||
|
score MIME_QP_LONG_LINE 0.1
|
||||||
|
|
||||||
|
# SMTP senders *have* dynamic IP addresses
|
||||||
|
# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10
|
||||||
|
score RCVD_IN_DYNABLOCK 0
|
||||||
|
score HELO_DYNAMIC_IPADDR 0.3
|
||||||
|
score RCVD_IN_SORBS 0.1
|
||||||
|
score RCVD_IN_PBL 0.1
|
||||||
|
score RCVD_IN_SORBS_DUL 0
|
||||||
|
|
||||||
|
# old bug...
|
||||||
|
score FH_DATE_PAST_20XX 0.0
|
5
spamassasin/handlers/main.yml
Normal file
5
spamassasin/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: restart spamassassin
|
||||||
|
service:
|
||||||
|
name: spamassassin
|
||||||
|
state: restarted
|
3
spamassasin/meta/main.yml
Normal file
3
spamassasin/meta/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- { role: amavis }
|
68
spamassasin/tasks/main.yml
Normal file
68
spamassasin/tasks/main.yml
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
---
|
||||||
|
- name: install SpamAssasin
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- spamassassin
|
||||||
|
- evomaintenance
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: configure SpamAssasin
|
||||||
|
copy:
|
||||||
|
src: spamassassin.cf
|
||||||
|
dest: /etc/spamassassin/local_evolix.cf
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart spamassassin
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: enable SpamAssasin
|
||||||
|
replace:
|
||||||
|
dest: /etc/default/spamassassin
|
||||||
|
regexp: 'ENABLED=0'
|
||||||
|
replace: 'ENABLED=1'
|
||||||
|
notify: restart spamassassin
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: update ansible_mounts facts
|
||||||
|
setup:
|
||||||
|
filter: ansible_mounts
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: mount /usr in rw
|
||||||
|
command: mount -o remount,rw /usr
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
changed_when: false
|
||||||
|
when: item.mount == '/usr' and item.options | match(".*ro.*")
|
||||||
|
with_items: "{{ ansible_mounts }}"
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: copy sa-update.sh script
|
||||||
|
copy:
|
||||||
|
src: sa-update.sh
|
||||||
|
dest: /usr/share/scripts/sa-update.sh
|
||||||
|
mode: "0750"
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: enable sa-update.sh cron
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/cron.d/sa-update
|
||||||
|
line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh"
|
||||||
|
create: yes
|
||||||
|
state: present
|
||||||
|
mode: "0640"
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: update SpamAssasin's rules
|
||||||
|
command: /usr/share/scripts/sa-update.sh
|
||||||
|
changed_when: false
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
23
webapps/evoadmin-mail/defaults/main.yml
Normal file
23
webapps/evoadmin-mail/defaults/main.yml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
general_alert_email: "root@localhost"
|
||||||
|
evoadminmail_contact_email: Null
|
||||||
|
evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}"
|
||||||
|
|
||||||
|
evoadminmail_username: evoadmin-mail
|
||||||
|
evoadminmail_home_dir: "/home/{{ evoadminmail_username }}"
|
||||||
|
evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www"
|
||||||
|
evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log"
|
||||||
|
evoadminmail_scripts_dir: /usr/share/scripts/
|
||||||
|
evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
|
||||||
|
|
||||||
|
evoadminmail_enable_vhost: True
|
||||||
|
|
||||||
|
evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
|
||||||
|
evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
|
||||||
|
evoadminmail_tpl_phpmyadmin_url: Null
|
||||||
|
evoadminmail_tpl_cgi_suffix: Null
|
||||||
|
evoadminmail_tpl_signature: evoadmin
|
||||||
|
evoadminmail_tpl_mail_from: root@localhost
|
||||||
|
evoadminmail_tpl_mail_bcc: Null
|
||||||
|
evoadminmail_tpl_mail_standard: "{{ general_alert_email }}"
|
||||||
|
evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}"
|
6
webapps/evoadmin-mail/handlers/main.yml
Normal file
6
webapps/evoadmin-mail/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: reload apache2
|
||||||
|
service:
|
||||||
|
name: apache2
|
||||||
|
state: reloaded
|
17
webapps/evoadmin-mail/tasks/config.yml
Normal file
17
webapps/evoadmin-mail/tasks/config.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Create /etc/evolinux"
|
||||||
|
file:
|
||||||
|
dest: "/etc/evolinux"
|
||||||
|
recurse: yes
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
#- name: Configure web-add config file
|
||||||
|
# template:
|
||||||
|
# src: web-add.conf.j2
|
||||||
|
# dest: /etc/evolinux/web-add.conf
|
||||||
|
#
|
||||||
|
#- name: Configure web-add template file for mail
|
||||||
|
# template:
|
||||||
|
# src: web-mail.tpl.j2
|
||||||
|
# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl"
|
19
webapps/evoadmin-mail/tasks/main.yml
Normal file
19
webapps/evoadmin-mail/tasks/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- include: packages.yml
|
||||||
|
|
||||||
|
- include: user.yml
|
||||||
|
|
||||||
|
- include: config.yml
|
||||||
|
|
||||||
|
- include: ssl.yml
|
||||||
|
|
||||||
|
- include: web.yml
|
||||||
|
|
||||||
|
- name: enable evoadmin-mail link in default site index
|
||||||
|
lineinfile:
|
||||||
|
dest: /var/www/index.html
|
||||||
|
state: present
|
||||||
|
regexp: "EvoAdmin-mail"
|
||||||
|
line: ' <li><a href="https://{{ evoadminmail_host }}">Interface admin mail (EvoAdmin-mail)</a></li>'
|
||||||
|
insertbefore: "</ul>"
|
16
webapps/evoadmin-mail/tasks/packages.yml
Normal file
16
webapps/evoadmin-mail/tasks/packages.yml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: apt
|
||||||
|
tasks_from: evolix_public.yml
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Install PHP packages
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- php-pear
|
||||||
|
- php-log
|
||||||
|
- php-crypt-chap
|
15
webapps/evoadmin-mail/tasks/remount_usr_rw.yml
Normal file
15
webapps/evoadmin-mail/tasks/remount_usr_rw.yml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
- name: Get mount options for partitions
|
||||||
|
shell: "mount | grep 'on /usr type'"
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
register: mount
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
when: not ansible_check_mode
|
||||||
|
|
||||||
|
- name: Remount /usr if it is a partition and it is not mounted in rw
|
||||||
|
command: "mount -o remount,rw /usr"
|
||||||
|
when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw")
|
||||||
|
args:
|
||||||
|
warn: no
|
24
webapps/evoadmin-mail/tasks/ssl.yml
Normal file
24
webapps/evoadmin-mail/tasks/ssl.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
- name: ssl-cert package is installed
|
||||||
|
apt:
|
||||||
|
name: ssl-cert
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||||
|
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}"
|
||||||
|
args:
|
||||||
|
creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"
|
||||||
|
|
||||||
|
- name: Adjust rights on private key
|
||||||
|
file:
|
||||||
|
path: /etc/ssl/private/{{ evoadminmail_host }}.key
|
||||||
|
owner: root
|
||||||
|
group: ssl-cert
|
||||||
|
mode: "0640"
|
||||||
|
|
||||||
|
- name: Create certificate for default site
|
||||||
|
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt
|
||||||
|
args:
|
||||||
|
creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt"
|
113
webapps/evoadmin-mail/tasks/user.yml
Normal file
113
webapps/evoadmin-mail/tasks/user.yml
Normal file
|
@ -0,0 +1,113 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Create evoadmin account
|
||||||
|
user:
|
||||||
|
name: "{{ evoadminmail_username }}"
|
||||||
|
comment: "Evoadmin Web Account"
|
||||||
|
home: "{{ evoadminmail_home_dir}}"
|
||||||
|
shell: /bin/bash
|
||||||
|
password: "!"
|
||||||
|
|
||||||
|
- name: Create log/ directory
|
||||||
|
file:
|
||||||
|
path: "{{ evoadminmail_home_dir}}/log"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ evoadminmail_username }}"
|
||||||
|
group: "{{ evoadminmail_username }}"
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: Create www-evoadminmail group
|
||||||
|
group:
|
||||||
|
name: "www-{{ evoadminmail_username }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Create www-evoadmin (Debian 9 or later)"
|
||||||
|
user:
|
||||||
|
name: "www-{{ evoadminmail_username }}"
|
||||||
|
home: "{{ evoadminmail_home_dir}}/www"
|
||||||
|
shell: /bin/bash
|
||||||
|
createhome: no
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: Install Git
|
||||||
|
apt:
|
||||||
|
name: git
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Clone evoadmin repository (Debian 9 or later)"
|
||||||
|
git:
|
||||||
|
repo: https://forge.evolix.org/evoadmin-mail.git
|
||||||
|
dest: "{{ evoadminmail_document_root}}"
|
||||||
|
version: master
|
||||||
|
update: yes
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "Change perms on evoadminmail document root"
|
||||||
|
file:
|
||||||
|
dest: "{{ evoadminmail_document_root }}"
|
||||||
|
owner: "www-{{ evoadminmail_username }}"
|
||||||
|
group: "{{ evoadminmail_username }}"
|
||||||
|
recurse: yes
|
||||||
|
|
||||||
|
- name: "Copy connect.php"
|
||||||
|
template:
|
||||||
|
src: connect.php.j2
|
||||||
|
dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php"
|
||||||
|
owner: "www-{{ evoadminmail_username }}"
|
||||||
|
group: "{{ evoadminmail_username }}"
|
||||||
|
when: ldap_admin_password is defined
|
||||||
|
|
||||||
|
- name: "Copy conf.php"
|
||||||
|
template:
|
||||||
|
src: conf.php.j2
|
||||||
|
dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php"
|
||||||
|
owner: "www-{{ evoadminmail_username }}"
|
||||||
|
group: "{{ evoadminmail_username }}"
|
||||||
|
|
||||||
|
- name: create a password for evoadmin user
|
||||||
|
command: "apg -n 1 -m 16 -M lcN"
|
||||||
|
register: evoadminmail_admin_password
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
- name: upload ldif for evoadmin user
|
||||||
|
template:
|
||||||
|
src: evoadmin.ldif.j2
|
||||||
|
dest: /root/evolinux_evoadminmail_admin.ldif
|
||||||
|
mode: "0640"
|
||||||
|
|
||||||
|
- name: inject config
|
||||||
|
command: slapadd -l /root/evolinux_evoadminmail_admin.ldif
|
||||||
|
|
||||||
|
- name: create log file
|
||||||
|
file:
|
||||||
|
dest: /var/log/evoadmin-mail.log
|
||||||
|
state: touch
|
||||||
|
owner: "www-{{ evoadminmail_username }}"
|
||||||
|
group: "adm"
|
||||||
|
mode: "0640"
|
||||||
|
|
||||||
|
- include: remount_usr_rw.yml
|
||||||
|
when: evoadminmail_scripts_dir | search ("/usr")
|
||||||
|
|
||||||
|
- name: "Create {{ evoadminmail_scripts_dir }}"
|
||||||
|
file:
|
||||||
|
dest: "{{ evoadminmail_scripts_dir }}"
|
||||||
|
# recurse: yes
|
||||||
|
mode: "0700"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
# we use a shell command to have a "changed" thet really reflects the result.
|
||||||
|
- name: Fix permissions
|
||||||
|
shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
|
||||||
|
register: command_result
|
||||||
|
changed_when: "'changed' in command_result.stdout"
|
||||||
|
# failed_when: False
|
||||||
|
with_items:
|
||||||
|
- "{{ evoadminmail_home_dir}}/www"
|
||||||
|
|
||||||
|
#- name: Add evoadmin sudoers file
|
||||||
|
# template:
|
||||||
|
# src: sudoers.j2
|
||||||
|
# dest: /etc/sudoers.d/evoadmin
|
||||||
|
# mode: "0600"
|
||||||
|
# validate: "visudo -cf %s"
|
30
webapps/evoadmin-mail/tasks/web.yml
Normal file
30
webapps/evoadmin-mail/tasks/web.yml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Set custom values for PHP config (Debian 9 or later)"
|
||||||
|
ini_file:
|
||||||
|
dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini
|
||||||
|
section: PHP
|
||||||
|
option: "disable_functions"
|
||||||
|
value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
|
||||||
|
notify: reload apache2
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: Install evoadminmail VHost
|
||||||
|
template:
|
||||||
|
src: evoadminmail.conf.j2
|
||||||
|
dest: /etc/apache2/sites-available/evoadminmail.conf
|
||||||
|
notify: reload apache2
|
||||||
|
|
||||||
|
- name: Enable evoadminmail vhost
|
||||||
|
command: "a2ensite evoadminmail.conf"
|
||||||
|
register: cmd_a2ensite
|
||||||
|
changed_when: "'Enabling site' in cmd_a2ensite.stdout"
|
||||||
|
notify: reload apache2
|
||||||
|
when: evoadminmail_enable_vhost
|
||||||
|
|
||||||
|
- name: Disable evoadminmail vhost
|
||||||
|
command: "a2dissite evoadminmail.conf"
|
||||||
|
register: cmd_a2dissite
|
||||||
|
changed_when: "'Disabling site' in cmd_a2dissite.stdout"
|
||||||
|
notify: reload apache2
|
||||||
|
when: not evoadminmail_enable_vhost
|
56
webapps/evoadmin-mail/templates/conf.php.j2
Normal file
56
webapps/evoadmin-mail/templates/conf.php.j2
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
// Email pour les notifications
|
||||||
|
$conf['admin']['mail'] = '{{ evoadminmail_contact_email or general_alert_email | mandatory }}';
|
||||||
|
// login des superadmins
|
||||||
|
// Note: utile uniquement si domaines/driver=ldap, laisser vide sinon...
|
||||||
|
$conf['admin']['logins'] = array('evoadmin');
|
||||||
|
// What do you want?
|
||||||
|
// 0 = nothing...
|
||||||
|
// 1 = only mail accounts
|
||||||
|
// 2 = only samba accounts
|
||||||
|
// 3 = mail and samba accounts
|
||||||
|
$conf['admin']['what'] = 1;
|
||||||
|
// use hook.php instead of hook-dist.php
|
||||||
|
$conf['admin']['use_hook'] = false;
|
||||||
|
// enable quota
|
||||||
|
$conf['admin']['quota'] = true;
|
||||||
|
|
||||||
|
// compatibilite LDAP
|
||||||
|
$conf['evoadmin']['version'] = 3;
|
||||||
|
$conf['url']['webroot'] = '/';
|
||||||
|
|
||||||
|
$conf['domaines']['onlyone'] = false;
|
||||||
|
$conf['domaines']['driver'] = 'ldap';
|
||||||
|
$conf['domaines']['file']['all'] = array('example.com');
|
||||||
|
$conf['domaines']['file']['gid'] = 1000;
|
||||||
|
// Pack Mail "virtuel"... attention
|
||||||
|
// uniquement possible si $conf['admin']['what']=1 !!
|
||||||
|
$conf['domaines']['ldap']['virtual'] = true;
|
||||||
|
|
||||||
|
// Mode cluster
|
||||||
|
// Uniquement en mode mail seul et des utilisateurs virtuels
|
||||||
|
$conf['evoadmin']['cluster'] = false;
|
||||||
|
|
||||||
|
// auth SMTP by default ?
|
||||||
|
$conf['evoadmin']['useauthsmtp'] = false;
|
||||||
|
|
||||||
|
// Si comptes virtuels
|
||||||
|
$conf['unix']['uid'] = 5000;
|
||||||
|
|
||||||
|
// Si pas virtuel
|
||||||
|
$conf['unix']['minuid'] = 1000;
|
||||||
|
$conf['unix']['mingid'] = 1000;
|
||||||
|
|
||||||
|
$conf['html']['title'] = "Evoadmin Mail";
|
||||||
|
|
||||||
|
// gestion des logs
|
||||||
|
$conf['log']['priority'] = PEAR_LOG_DEBUG;
|
||||||
|
$conf['log']['name'] = '/var/log/evoadmin-mail.log';
|
||||||
|
$conf['log']['software'] = 'evoadminmail';
|
||||||
|
$conf['log']['enabled'] = true;
|
||||||
|
|
||||||
|
// samba
|
||||||
|
$conf['samba']['dn'] = 'DOMAINNAME';
|
||||||
|
$conf['samba']['sid'] = 'S-1-5-21-XXX-XXX-XXX';
|
||||||
|
$conf['samba']['admin_default'] = false;
|
28
webapps/evoadmin-mail/templates/connect.php.j2
Normal file
28
webapps/evoadmin-mail/templates/connect.php.j2
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Secrete parameters
|
||||||
|
*
|
||||||
|
* $Id: connect-dist.php,v 1.3 2007-05-22 21:12:23 reg Exp $
|
||||||
|
*
|
||||||
|
* @author Gregory Colpart <reg@evolix.fr>
|
||||||
|
* @version 1.0
|
||||||
|
*/
|
||||||
|
|
||||||
|
define("LDAP_URI","ldap://127.0.0.1");
|
||||||
|
$ldap_servers = array('ldap://127.0.0.1');
|
||||||
|
define("LDAP_BASE","{{ ldap_suffix }}");
|
||||||
|
define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}");
|
||||||
|
define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}");
|
||||||
|
|
||||||
|
define("SUDOBIN","/usr/bin/sudo");
|
||||||
|
define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh");
|
||||||
|
define("SUDOPASS","xxxxxx");
|
||||||
|
|
||||||
|
define('SERVEUR','localhost');
|
||||||
|
define('SERVEURPORT',3306);
|
||||||
|
define('BASE','horde');
|
||||||
|
define('NOM', 'horde');
|
||||||
|
define('PASSE', 'xxxx');
|
||||||
|
|
||||||
|
?>
|
12
webapps/evoadmin-mail/templates/evoadmin.ldif.j2
Normal file
12
webapps/evoadmin-mail/templates/evoadmin.ldif.j2
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
dn: uid=evoadmin,{{ ldap_suffix }}
|
||||||
|
uid: evoadmin
|
||||||
|
cn: Evoadmin ADM
|
||||||
|
uidNumber: 4242
|
||||||
|
gidNumber: 4242
|
||||||
|
homeDirectory: /dev/null
|
||||||
|
isAdmin: TRUE
|
||||||
|
mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }}
|
||||||
|
objectClass: mailAccount
|
||||||
|
objectClass: organizationalRole
|
||||||
|
objectClass: posixAccount
|
||||||
|
userPassword: {{ evoadminmail_admin_password.stdout }}
|
58
webapps/evoadmin-mail/templates/evoadminmail.conf.j2
Normal file
58
webapps/evoadmin-mail/templates/evoadminmail.conf.j2
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
<VirtualHost *:80>
|
||||||
|
ServerName {{ evoadminmail_host }}
|
||||||
|
Redirect permanent / https://{{ evoadminmail_host }}/
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<VirtualHost *:443>
|
||||||
|
|
||||||
|
# FQDN principal
|
||||||
|
ServerName {{ evoadminmail_host }}
|
||||||
|
#ServerAlias {{ evoadminmail_host }}
|
||||||
|
|
||||||
|
# Repertoire principal
|
||||||
|
DocumentRoot {{ evoadminmail_document_root }}/htdocs/
|
||||||
|
|
||||||
|
# SSL
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt
|
||||||
|
SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key
|
||||||
|
SSLProtocol all -SSLv2 -SSLv3
|
||||||
|
|
||||||
|
# Propriete du repertoire
|
||||||
|
<Directory {{ evoadminmail_document_root }}/htdocs/>
|
||||||
|
#Options Indexes SymLinksIfOwnerMatch
|
||||||
|
Options SymLinksIfOwnerMatch
|
||||||
|
AllowOverride AuthConfig Limit FileInfo
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
# user - group (thanks to sesse@debian.org)
|
||||||
|
AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }}
|
||||||
|
|
||||||
|
# LOG
|
||||||
|
CustomLog /var/log/apache2/access.log combined
|
||||||
|
CustomLog {{ evoadminmail_log_dir }}/access.log combined
|
||||||
|
ErrorLog {{ evoadminmail_log_dir }}/error.log
|
||||||
|
|
||||||
|
# AWSTATS
|
||||||
|
SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }}
|
||||||
|
|
||||||
|
# REWRITE
|
||||||
|
UseCanonicalName On
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$
|
||||||
|
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
|
||||||
|
|
||||||
|
# PHP
|
||||||
|
#php_admin_flag engine off
|
||||||
|
#AddType text/html .html
|
||||||
|
#php_admin_flag display_errors On
|
||||||
|
#php_flag short_open_tag On
|
||||||
|
#php_flag register_globals On
|
||||||
|
#php_admin_value memory_limit 256M
|
||||||
|
#php_admin_value max_execution_time 60
|
||||||
|
#php_admin_value upload_max_filesize 8M
|
||||||
|
#php_admin_flag allow_url_fopen Off
|
||||||
|
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}"
|
||||||
|
php_admin_value open_basedir "none"
|
||||||
|
</VirtualHost>
|
3
webapps/evoadmin-mail/templates/sudoers.j2
Normal file
3
webapps/evoadmin-mail/templates/sudoers.j2
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
User_Alias EVOADMIN = www-evoadmin
|
||||||
|
Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
|
||||||
|
EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
|
2
webapps/evoadmin-mail/templates/web-add.conf.j2
Normal file
2
webapps/evoadmin-mail/templates/web-add.conf.j2
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
|
||||||
|
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
|
86
webapps/evoadmin-mail/templates/web-mail.tpl.j2
Normal file
86
webapps/evoadmin-mail/templates/web-mail.tpl.j2
Normal file
|
@ -0,0 +1,86 @@
|
||||||
|
From: {{ evoadmin_tpl_mail_from }}
|
||||||
|
To: RCPTTO
|
||||||
|
Bcc: {{ evoadmin_tpl_mail_bcc }}
|
||||||
|
Subject: Parametres hebergement web : LOGIN
|
||||||
|
|
||||||
|
Bonjour,
|
||||||
|
|
||||||
|
Votre compte d'hebergement web a ete cree.
|
||||||
|
|
||||||
|
**********************************
|
||||||
|
* CONNEXION SFTP/SSH
|
||||||
|
**********************************
|
||||||
|
|
||||||
|
NOM DU SERVEUR : {{ evoadmin_tpl_servername }}
|
||||||
|
USER : LOGIN
|
||||||
|
PASSWORD : PASSE1
|
||||||
|
|
||||||
|
*****************************************
|
||||||
|
* Details sur l'environnement Apache/PHP
|
||||||
|
*****************************************
|
||||||
|
|
||||||
|
URL du site :
|
||||||
|
http://{{ evoadmin_tpl_servername }}
|
||||||
|
|
||||||
|
URL des stats :
|
||||||
|
http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl
|
||||||
|
(acces par IP ou login a demander !)
|
||||||
|
|
||||||
|
Repertoire de connexion : HOME_DIR/LOGIN/
|
||||||
|
Repertoire pour site web : HOME_DIR/LOGIN/www/
|
||||||
|
|
||||||
|
Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
|
||||||
|
uniquement *en lecture* aux differents fichiers/repertoires
|
||||||
|
(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
|
||||||
|
fichiers ce qui est le comportement par defaut).
|
||||||
|
|
||||||
|
Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
|
||||||
|
fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
|
||||||
|
|
||||||
|
***********************************
|
||||||
|
* MySQL
|
||||||
|
***********************************
|
||||||
|
|
||||||
|
SERVEUR : 127.0.0.1
|
||||||
|
PORT DU SERVEUR : 3306
|
||||||
|
USER : LOGIN
|
||||||
|
PASSWORD : PASSE2
|
||||||
|
NOM BASE : DBNAME
|
||||||
|
URL interface d'admin :
|
||||||
|
{{ evoadmin_tpl_phpmyadmin_url }}
|
||||||
|
|
||||||
|
***********************************
|
||||||
|
* Rappels divers
|
||||||
|
***********************************
|
||||||
|
|
||||||
|
Votre nom de domaine doit etre configure pour pointer
|
||||||
|
sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A)
|
||||||
|
ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).
|
||||||
|
|
||||||
|
Si vous avez besoin de faire des tests, vous devez
|
||||||
|
ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
|
||||||
|
ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
|
||||||
|
{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }}
|
||||||
|
|
||||||
|
Attention, par defaut, toutes les connexions vers l'exterieur
|
||||||
|
sont bloquees. Si vous avez besoin de recuperer des donnees
|
||||||
|
a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
|
||||||
|
afin de mettre en oeuvre les autorisations necessaires.
|
||||||
|
|
||||||
|
Afin de securiser au maximum le serveur, certaines URL
|
||||||
|
particulieres sont non autorisees pour eviter diverses
|
||||||
|
attaques (XSS, robots, trojans, injections, etc.).
|
||||||
|
Exemple d'URL refusee :
|
||||||
|
http://{{ evoadmin_tpl_servername }}/cmd32.exe
|
||||||
|
En cas de soucis avec votre application, prevenez-nous.
|
||||||
|
|
||||||
|
Si vous desirez mettre en place des parametres particuliers
|
||||||
|
pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
|
||||||
|
etc.), n'hesitez pas a nous contacter a l'adresse
|
||||||
|
{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est
|
||||||
|
urgente).
|
||||||
|
|
||||||
|
|
||||||
|
Cordialement,
|
||||||
|
--
|
||||||
|
{{ evoadmin_tpl_signature }}
|
|
@ -6,7 +6,7 @@
|
||||||
section: PHP
|
section: PHP
|
||||||
option: "disable_functions"
|
option: "disable_functions"
|
||||||
value: "shell-exec,system,passthru,putenv,popen"
|
value: "shell-exec,system,passthru,putenv,popen"
|
||||||
notify: reload apache
|
notify: reload apache2
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: "Set custom values for PHP config (Debian 9 or later)"
|
- name: "Set custom values for PHP config (Debian 9 or later)"
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
section: PHP
|
section: PHP
|
||||||
option: "disable_functions"
|
option: "disable_functions"
|
||||||
value: "shell-exec,system,passthru,putenv,popen"
|
value: "shell-exec,system,passthru,putenv,popen"
|
||||||
notify: reload apache
|
notify: reload apache2
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- name: Install evoadmin VHost
|
- name: Install evoadmin VHost
|
||||||
|
|
4
webapps/roundcube/defaults/main.yml
Normal file
4
webapps/roundcube/defaults/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
roundcube_host: "roundcube.{{ ansible_fqdn }}"
|
||||||
|
roundcube_imap_host: "localhost"
|
||||||
|
roundcube_imap_port: 143
|
5
webapps/roundcube/handlers/main.yml
Normal file
5
webapps/roundcube/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: restart imapproxy
|
||||||
|
systemd:
|
||||||
|
name: imapproxy
|
||||||
|
state: restarted
|
104
webapps/roundcube/tasks/main.yml
Normal file
104
webapps/roundcube/tasks/main.yml
Normal file
|
@ -0,0 +1,104 @@
|
||||||
|
---
|
||||||
|
- name: configure roundcube-core
|
||||||
|
debconf:
|
||||||
|
name: roundcube-core
|
||||||
|
question: "{{ item.key }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
|
vtype: "{{ item.type }}"
|
||||||
|
with_items:
|
||||||
|
- { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' }
|
||||||
|
- { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' }
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: install Roundcube
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- imapproxy
|
||||||
|
- roundcube
|
||||||
|
- roundcube-sqlite3
|
||||||
|
- roundcube-plugins
|
||||||
|
- php-net-sieve
|
||||||
|
- php-zip
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: configure imapproxy imap host
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/imapproxy.conf
|
||||||
|
regexp: "^server_hostname"
|
||||||
|
line: "server_hostname {{ roundcube_imap_host }}"
|
||||||
|
notify: restart imapproxy
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: configure imapproxy imap port
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/imapproxy.conf
|
||||||
|
regexp: "^server_port"
|
||||||
|
line: "server_port {{ roundcube_imap_port }}"
|
||||||
|
notify: reload imapproxy
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: enable and start imapproxy
|
||||||
|
service:
|
||||||
|
name: imapproxy
|
||||||
|
state: started
|
||||||
|
enabled: True
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: configure roundcube imap host
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/roundcube/config.inc.php
|
||||||
|
regexp: "\\$config\\['default_host'\\]"
|
||||||
|
line: "$config['default_host'] = array('127.0.0.1');"
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: configure roudcube imap port
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/roundcube/config.inc.php
|
||||||
|
regexp: "\\$config\\['default_port'\\]"
|
||||||
|
insertafter: "\\$config\\['default_host'\\]"
|
||||||
|
line: "$config['default_port'] = 1143;"
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: configure managesieve plugin
|
||||||
|
copy:
|
||||||
|
src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist
|
||||||
|
dest: /etc/roundcube/plugins/managesieve/config.inc.php
|
||||||
|
mode: "0644"
|
||||||
|
remote_src: True
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: enable default plugins
|
||||||
|
replace:
|
||||||
|
dest: /etc/roundcube/config.inc.php
|
||||||
|
regexp: "^\\$config\\['plugins'\\] = array\\($"
|
||||||
|
replace: "$config['plugins'] = array('zipdownload','managesieve'"
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: deploy roundcube vhost
|
||||||
|
template:
|
||||||
|
src: apache2.conf.j2
|
||||||
|
dest: /etc/apache2/sites-available/rouncube.conf
|
||||||
|
mode: "0640"
|
||||||
|
notify: reload apache2
|
||||||
|
tags:
|
||||||
|
- roundcube
|
||||||
|
|
||||||
|
- name: enable roundcube vhost
|
||||||
|
file:
|
||||||
|
src: /etc/apache2/sites-available/rouncube.conf
|
||||||
|
dest: /etc/apache2/sites-enabled/rouncube.conf
|
||||||
|
state: link
|
||||||
|
notify: reload apache2
|
||||||
|
tags:
|
||||||
|
- roundcube
|
46
webapps/roundcube/templates/apache2.conf.j2
Normal file
46
webapps/roundcube/templates/apache2.conf.j2
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
<VirtualHost *:80>
|
||||||
|
ServerName {{ roundcube_host }}
|
||||||
|
Redirect permanent / https://{{ roundcube_host }}
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<VirtualHost *:443>
|
||||||
|
|
||||||
|
# FQDN principal
|
||||||
|
ServerName {{ roundcube_host }}
|
||||||
|
|
||||||
|
# Repertoire principal
|
||||||
|
DocumentRoot /var/lib/roundcube/
|
||||||
|
|
||||||
|
# Return 503 if imapproxy doesn't run
|
||||||
|
<If "! -f '/run/imapproxy.pid'">
|
||||||
|
Redirect 503 /
|
||||||
|
</If>
|
||||||
|
|
||||||
|
Include /etc/roundcube/apache.conf
|
||||||
|
|
||||||
|
# LOG
|
||||||
|
CustomLog /var/log/apache2/access.log vhost_combined
|
||||||
|
CustomLog /var/lib/roundcube/logs/access.log combined
|
||||||
|
ErrorLog /var/lib/roundcube/logs/error.log
|
||||||
|
|
||||||
|
# REWRITE
|
||||||
|
UseCanonicalName On
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{HTTP_HOST} !^{{ roundcube_host }}$
|
||||||
|
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]
|
||||||
|
|
||||||
|
# PHP
|
||||||
|
#php_admin_flag engine off
|
||||||
|
#AddType text/html .html
|
||||||
|
#php_admin_flag display_errors On
|
||||||
|
#php_flag short_open_tag On
|
||||||
|
#php_flag register_globals On
|
||||||
|
#php_admin_value memory_limit 256M
|
||||||
|
#php_admin_value max_execution_time 60
|
||||||
|
#php_admin_value upload_max_filesize 8M
|
||||||
|
#php_admin_flag allow_url_fopen Off
|
||||||
|
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-roundcube"
|
||||||
|
php_admin_value error_log "/home/roundcube/log/php.log"
|
||||||
|
#php_admin_value open_basedir "/usr/share/php:/home/roundcube:/tmp"
|
||||||
|
|
||||||
|
</VirtualHost>
|
Loading…
Reference in a new issue