Merge branch 'packmail' into unstable

This commit is contained in:
Victor LABORIE 2017-10-31 15:34:13 +01:00
commit acf85bfffc
72 changed files with 2716 additions and 74 deletions

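--- a/amavis/handlers/main.yml
+++ b/amavis/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart amavis
+  service:
+    name: amavis
+    state: restarted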

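--- a/amavis/tasks/main.yml
+++ b/amavis/tasks/main.yml
+---
+- name: install Amavis
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - postgrey
+    - amavisd-new
+  tags:
+    - amavis
+- name: configure Amavis
+  template:
+    src: amavis.conf.j2
+    dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
+    mode: "0644"
+  notify: restart amavis
+  tags:
+    - amavis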


@ -0,0 +1,57 @@
use strict;
## Liste des domaines considérés comme locaux
#@local_domains_acl = qw(.);
@local_domains_acl = (".example.net","example.com");
# On customise la ligne ajoutée dans les entêtes
$X_HEADER_LINE = "by Amavis at $mydomain";
# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
$mailfrom_notify_admin = "postmaster\@$mydomain";
$mailfrom_notify_recip = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
# Notifications de fichiers bannis / virus
$virus_admin = "postmaster\@$mydomain";
# Ne pas recevoir des notifications pour les mails UNCHECKED
delete $admin_maps_by_ccat{&CC_UNCHECKED};
# Que faire avec les messages détectés
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS;
# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
#$banned_quarantine_to = "banned\@$mydomain";
#$virus_quarantine_to = "virus\@$mydomain";
# Note tueuse
$sa_tag2_level_deflt = 6.31;
# Pour un comportement "normal" de SA
$sa_tag_level_deflt = -1999;
$sa_kill_level_deflt = 1999;
$sa_dsn_cutoff_level = -99;
$sa_spam_subject_tag = '[SPAM]';
# log
$log_level = 2;
# En fonction besoin/ressources, on a juste le nbre de process
$max_servers = 2;
$enable_ldap = 1;
$default_ldap = {
hostname => '127.0.0.1', tls => 0,
base => '{{ ldap_suffix }}', scope => 'sub',
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
};
# Activer l'antivirus et antivirus
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return
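Review bot: `$final_spam_destiny = D_BOUNCE;` and `$final_banned_destiny = D_BOUNCE;` send a non-delivery notification for every detected spam or banned attachment, and because the envelope sender of such mail is almost always forged this turns the host into a backscatter source, which is itself a common reason for being blacklisted. Amavis also accepts `D_DISCARD` (drop silently, optionally with quarantine) and `D_REJECT` (which only avoids a bounce in a pre-queue setup); `D_DISCARD` is the usual choice for spam and banned files on an Internet-facing relay. If bouncing is intended here, a comment stating why would help, since the surrounding French comments do not explain the choice.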


@ -38,6 +38,10 @@
- expires
- headers
- cgi
- ssl
- include
- negotiation
- alias
notify: reload apache
tags:
- apache


@ -1,19 +1,12 @@
---
- name: Get mount options for partitions
shell: "mount | grep 'on /usr type'"
args:
warn: no
register: mount
changed_when: False
failed_when: False
when: not ansible_check_mode
- name: update ansible_mounts facts
setup:
filter: ansible_mounts
- name: Remount /usr if it is a partition and it is not mounted in rw
command: "mount -o remount,rw /usr"
when:
- not ansible_check_mode
- mount.rc == 0
- not mount.stdout_lines.0 | search("rw")
check_mode: yes
- name: mount /usr in rw
command: mount -o remount,rw /usr
args:
warn: no
changed_when: false
when: item.mount == '/usr' and item.options | match(".*ro.*")
with_items: "{{ ansible_mounts }}"

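--- a/clamav/handlers/main.yml
+++ b/clamav/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart clamav
+  service:
+    name: clamav-daemon
+    state: restarted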

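--- a/clamav/meta/main.yml
+++ b/clamav/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: amavis }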

clamav/tasks/main.yml Normal file

@ -0,0 +1,111 @@
---
- name: configure clamav-daemon
debconf:
name: clamav-daemon
question: "{{ item.key }}"
value: "{{ item.value }}"
vtype: "{{ item.type }}"
with_items:
- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
tags:
- clamav
- name: configure clamav-freshclam
debconf:
name: clamav-freshclam
question: "{{ item.key }}"
value: "{{ item.value }}"
vtype: "{{ item.type }}"
with_items:
- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
tags:
- clamav
- name: install ClamAV
apt:
name: "{{ item }}"
state: present
with_items:
- clamav-daemon
- clamav
- clamdscan
- clamav-freshclam
- arc
- arj
- zoo
- pax
- bzip2
- cabextract
- rpm
- lzop
- razor
tags:
- clamav
- name: add clamav user to amavis group
user:
name: clamav
groups: amavis
append: True
tags:
- clamav
- name: allow supplementary groups
replace:
dest: /etc/clamav/clamd.conf
regexp: 'AllowSupplementaryGroups false'
replace: 'AllowSupplementaryGroups true'
notify: restart clamav
tags:
- clamav
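Review bot: `clamav-daemon/LocalSocketMode` is preseeded to `'666'`, which makes `/var/run/clamav/clamd.ctl` writable by every local account, and the clamd control socket accepts commands such as `RELOAD` and `SHUTDOWN`, so any local user or compromised service account can stop the scanner and leave mail unscanned. Since amavis is the only intended client and the `add clamav user to amavis group` task already ties the two daemons together, `LocalSocketGroup` set to `'amavis'` with `LocalSocketMode` set to `'660'` is enough; the `AllowSupplementaryGroups` replace task keeps that group membership effective. `TCPAddr: 'any'` is harmless while `TcpOrLocal` is `'UNIX'`, but it is a trap for whoever later flips the socket type, so `'127.0.0.1'` would be the safer preseed.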

dovecot/.kitchen.yml Normal file

@ -0,0 +1,36 @@
---
driver:
name: docker
privileged: true
use_sudo: false
provisioner:
name: ansible_playbook
hosts: test-kitchen
roles_path: ../
ansible_verbose: true
require_ansible_source: false
require_chef_for_busser: false
idempotency_test: true
platforms:
- name: debian
driver_config:
image: evolix/ansible:2.2.1
verifier:
name: serverspec
suites:
- name: default
provisioner:
name: ansible_playbook
playbook: ./tests/test.yml
verifier:
patterns:
- nginx/tests/spec/memcached_spec.rb
bundler_path: '/usr/local/bin'
rspec_path: '/usr/local/bin'
transport:
max_ssh_sessions: 6
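Review bot: the serverspec `patterns` entry `nginx/tests/spec/memcached_spec.rb` points at another role's spec file, so this suite would verify nginx/memcached behaviour rather than Dovecot, which reads as a leftover from the file this was copied from. If a Dovecot spec exists it should be referenced here (something like `dovecot/tests/spec/<name>_spec.rb`); otherwise drop the `patterns` block so the verifier falls back to its default discovery and the suite does not silently pass on an unrelated test.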

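--- a/dovecot/README.md
+++ b/dovecot/README.md
+# Dovecot
+Installation and basic configuration of dovecot
+## Tasks
+Minimal configuration is in `tasks/main.yml`
+## Available variables
+The full list of variables (with default values) can be found in `defaults/main.yml`.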


@ -0,0 +1,2 @@
---
dovecot_foo: bar

dovecot/files/munin_plugin Executable file

@ -0,0 +1,126 @@
#! /bin/bash
#
# Munin Plugin
# to count logins to your dovecot mailserver
#
# Created by Dominik Schulz <lkml@ds.gauner.org>
# http://developer.gauner.org/munin/
# Contributions by:
# - Stephane Enten <tuf@delyth.net>
# - Steve Schnepp <steve.schnepp@pwkf.org>
#
# Parameters understood:
#
# config (required)
# autoconf (optional - used by munin-config)
#
# Config variables:
#
# logfile - Where to find the syslog file
#
# Add the following line to a file in /etc/munin/plugin-conf.d:
# env.logfile /var/log/your/logfile.log
#
# Magic markers (optional - used by munin-config and installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
######################
# Configuration
######################
EXPR_BIN=/usr/bin/expr
LOGFILE=${logfile:-/var/log/mail.log}
######################
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
if [ "$1" = "config" ]; then
echo 'graph_title Dovecot Logins'
echo 'graph_category Mail'
echo 'graph_args --base 1000 -l 0'
echo 'graph_vlabel Login Counters'
for t in Total TLS SSL IMAP POP3
do
field=$(echo $t | tr '[:upper:]' '[:lower:]')
echo "login_$field.label $t Logins"
echo "login_$field.type DERIVE"
echo "login_$field.min 0"
done
echo 'connected.label Connected Users'
exit 0
fi
######################
# Total Logins
######################
echo -en "login_total.value "
VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# Connected Users
######################
DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
VALUE=0
fi
echo -en "connected.value "
echo $VALUE
echo -n
######################
# TLS Logins
######################
echo -en "login_tls.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# SSL Logins
######################
echo -en "login_ssl.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# IMAP Logins
######################
echo -en "login_imap.value "
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# POP3 Logins
######################
echo -en "login_pop3.value "
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
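Review bot: the pattern `'[dovecot]?.*Login'` (and its TLS, SSL, IMAP and POP3 variants) does not match the literal word `dovecot`: in a regular expression `[dovecot]` is a character class and the trailing `?` makes it optional, so the expression degenerates to `.*Login` and every line of the log containing `Login` is counted, including entries from other services writing to the same syslog file. Using `'dovecot.*Login'` (and `'dovecot.*imap.*Login'`, `'dovecot.*Login.*TLS'`, etc.) restricts the counters to Dovecot's own lines; `$LOGFILE` should also be quoted in each `egrep` call so a configured path with spaces does not split. This file appears to be vendored from an upstream Munin contrib plugin, so the fix may belong upstream as well.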

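--- a/dovecot/handlers/main.yml
+++ b/dovecot/handlers/main.yml
+---
+- name: restart dovecot
+  service:
+    name: dovecot
+    state: restarted
+- name: reload dovecot
+  service:
+    name: dovecot
+    state: reloaded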

dovecot/tasks/main.yml Normal file

@ -0,0 +1,68 @@
- name: ensure packages are installed
apt:
name: '{{ item }}'
state: present
with_items:
- dovecot-ldap
- dovecot-imapd
- dovecot-pop3d
- dovecot-sieve
- dovecot-managesieved
tags:
- dovecot
- name: disable pam auth
replace:
dest: /etc/dovecot/conf.d/10-auth.conf
regexp: "[^#]!include auth-system.conf.ext"
replace: "#!include auth-system.conf.ext"
tags:
- dovecot
- name: update ldap auth
lineinfile:
dest: /etc/dovecot/dovecot-ldap.conf.ext
line: "{{ item.key }} = {{ item.value }}"
regexp: "^#*{{ item.key }}"
state: present
with_items:
- { key: 'hosts', value: '127.0.0.1' }
- { key: 'auth_bind', value: 'yes' }
- { key: 'ldap_version', value: 3 }
- { key: 'base', value: "{{ ldap_suffix }}" }
- { key: 'user_attrs', value: 'homeDirectory=home' }
- { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
- { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
when: ldap_suffix is defined
notify: reload dovecot
tags:
- dovecot
- name: create vmail group
group:
name: vmail
gid: 5000
tags:
- dovecot
- name: create vmail user
user:
name: vmail
group: vmail
uid: 5000
shell: /bin/false
tags:
- dovecot
- name: deploy evolix config
template:
src: z-evolinux-defaults.conf.j2
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
mode: "0644"
notify: reload dovecot
tags:
- dovecot
- include: munin.yml
tags:
- dovecot
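Review bot: in `disable pam auth` the regexp `"[^#]!include auth-system.conf.ext"` consumes one character before `!include` and the replacement `"#!include auth-system.conf.ext"` drops it; when `!include` starts its line, as in the stock file, that character is the preceding newline, so the directive gets glued onto whatever line precedes it (a blank line or a comment) and is commented out only by accident. Anchoring instead, `regexp: "^!include auth-system.conf.ext"`, matches only the uncommented form (the replace module compiles with multiline matching) and keeps the line break, while staying idempotent. This is also the only task file in the commit without a leading `---`.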

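--- a/dovecot/tasks/munin.yml
+++ b/dovecot/tasks/munin.yml
+---
+- name: is Munin present ?
+  stat:
+    path: /etc/munin/plugin-conf.d/munin-node
+  check_mode: no
+  register: munin_node_plugins_config
+- block:
+    - name: Install munin plugin
+      copy:
+        src: munin_plugin
+        dest: /etc/munin/plugins/dovecot
+        mode: "0755"
+    # TODO : add in /etc/munin/plugin-conf.d/munin-node
+    # [dovecot]
+    # group adm
+  when: munin_node_plugins_config.stat.exists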


@ -0,0 +1,36 @@
# {{ ansible_managed }}
# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
disable_plaintext_auth = no
auth_mechanisms = plain login
# Authentification LDAP + intégration avec Postfix pour l'auth SMTP
!include auth-ldap.conf.ext
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
unix_listener /var/spool/postfix/private/auth-client {
mode = 0666
user = postfix
group = postfix
}
}
# Stockage des emails dans /home/mail avec UID/GID 5000/5000
mail_location = maildir:/home/vmail/%d/%n
mail_uid = 5000
mail_gid = 5000
# Activation Sieve
protocol lda {
mail_plugins = sieve
}
# Optimisations
service login {
process_limit = 256
}
mail_max_userip_connections = 42
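Review bot: `disable_plaintext_auth = no` combined with `auth_mechanisms = plain login` lets IMAP/POP3 clients send the LDAP password in cleartext over unencrypted connections, and nothing in this template or in the role's tasks limits the listeners to a trusted network, so the credential exposure is the default for every deployment of the role. If the intent is only to support legacy clients on specific installs, keeping Dovecot's default and exposing the value through a role variable (default `yes`) would make the opt-in explicit, and the French comment above the line should say why cleartext is allowed rather than just that it is. The `mode = 0666` on the Postfix `auth-client` listener is the documented Postfix/Dovecot SASL setup since the socket lives inside Postfix's private chroot directory, so that part is fine.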


@ -3,3 +3,4 @@ general_alert_email: "root@localhost"
fail2ban_alert_email: Null
fail2ban_ignore_ips: []
fail2ban_wordpress: False
fail2ban_roundcube: False


@ -0,0 +1,2 @@
[Definition]
failregex = Login failed for .*. from <HOST>


@ -22,14 +22,6 @@
tags:
- fail2ban
- name: package is installed
apt:
name: fail2ban
state: present
tags:
- fail2ban
- packages
- name: custom filters are installed
copy:
src: "{{ item }}"
@ -40,6 +32,16 @@
- sasl-evolix.conf
- wordpress-soft.conf
- wordpress-hard.conf
- roundcube.conf
notify: restart fail2ban
tags:
- fail2ban
- name: package is installed
apt:
name: fail2ban
state: present
tags:
- fail2ban
- packages
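Review bot: `custom filters are installed` now runs ahead of `package is installed`, so on a host where fail2ban was never installed the `copy` destination directory (not visible in this hunk, presumably under `/etc/fail2ban/filter.d`) does not exist yet and the task fails; on hosts that already have the package the reorder is harmless. Unless an earlier task in this file creates that directory, the package task should stay before the copy, or the copy should be preceded by a `file` task with `state: directory`. If the move was meant to make `notify: restart fail2ban` fire after the package is present, note that the handler runs at the end of the play regardless of task order.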


@ -44,3 +44,12 @@ logpath = /var/log/auth.log
maxretry = 5
findtime = 300
{% endif %}
{% if fail2ban_roundcube %}
[roundcube]
enabled = true
port = http,https
filter = roundcube
logpath = /var/lib/roundcube/logs/errors
maxretry = 5
{% endif %}


@ -1,4 +1,5 @@
---
ldap_domain: "{{ ansible_fqdn }}"
ldap_organization: "{{ ansible_domain }}"
#ldap_password=$(apg -n1 -m 12 -c cl_seed)
ldap_suffix: "dc=example,dc=com"
ldap_suffix_dc: "example"


@ -6,8 +6,82 @@
- slapd
- ldap-utils
- ldapvi
- shelldap
- name: "Is /root/.ldapvirc present ?"
stat:
path: /root/.ldapvirc
check_mode: no
register: root_ldapvirc_path
- name: apg package is installed
apt:
name: apg
state: present
when: not root_ldapvirc_path.stat.exists
- name: create a password for cn=admin
command: "apg -n 1 -m 16 -M lcN"
register: ldap_admin_password
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create a password for cn=nagios
command: "apg -n 1 -m 16 -M lcN"
register: ldap_nagios_password
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: hash password for cn=admin
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
register: ldap_admin_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: hash password for cn=nagios
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
register: ldap_nagios_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create ldapvirc config
template:
src: ldapvirc.j2
dest: /root/.ldapvirc
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: upload ldap initial config
template:
src: config_ldapvi.j2
dest: /root/evolinux_ldap_config.ldapvi
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: upload ldap initial entries
template:
src: first-entries.ldif.j2
dest: /root/evolinux_ldap_first-entries.ldif
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: inject config
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
environment:
TERM: xterm
when: not root_ldapvirc_path.stat.exists
- name: inject first entries
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
when: not root_ldapvirc_path.stat.exists
- name: upload custom schema
copy:
src: "{{ ldap_schema }}"
dest: "/root/{{ ldap_schema }}"
mode: "0640"
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
- name: inject custom schema
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
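Review bot: the generated directory passwords are exposed twice: `command: "slappasswd -s {{ ldap_admin_password.stdout }}"` (and its nagios twin) passes the cleartext on the command line, where any local process can read it from the process list for the duration of the call, and none of the `apg`, `slappasswd` or template tasks that handle the secret set `no_log: True`, so both cleartext and hash end up in Ansible's output and any log it writes. Adding `no_log: True` to every task that registers or renders `ldap_admin_password`, `ldap_nagios_password` and their `_ssha` hashes, and using `slappasswd -T <file>` (or stdin) instead of `-s`, closes both. A secondary point: `slapadd -l /root/evolinux_ldap_first-entries.ldif` writes to the database files directly and its manual advises running it with slapd stopped, whereas the preceding `ldapvi ... --ldapmodify` and the later `ldapadd -Y EXTERNAL -H ldapi:///` talk to the running server; using `ldapadd -Y EXTERNAL -H ldapi:/// -f ...` for the first entries as well would be consistent and avoids the consistency caveat, since the `{0}` peercred rule in the config template grants root manage access.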


@ -0,0 +1,8 @@
modify: olcDatabase={1}mdb,cn=config
olcSuffix: {{ ldap_suffix }}
olcRootDN: cn=admin,{{ ldap_suffix }}
olcRootPW: {{ ldap_admin_password_ssha.stdout }}
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
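Review bot: rule `{3}to * by self write ...` grants every bound entry write access to all of its own attributes, so a mail account that binds with its own password (Dovecot's `auth_bind` in this commit) could change attributes such as `isActive`, `isAdmin`, `quota` or `maildrop` on its own entry, if those are stored on the account entry rather than elsewhere. Least privilege would be `by self read` on `{3}` (self-service password change is already covered by `{1}` via `attrs=userPassword`), or a dedicated `to attrs=...` rule listing the few attributes users may edit themselves. `by * read` on `{3}` also exposes the whole tree to anonymous binds, which is acceptable only if the listener is confined to loopback, so that assumption is worth a comment next to the rule.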


@ -0,0 +1,30 @@
dn: {{ ldap_suffix }}
objectClass: top
objectClass: dcObject
objectClass: organization
o: {{ ldap_suffix_dc }}
dc: {{ ldap_suffix_dc }}
dn: cn=admin,{{ ldap_suffix }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {{ ldap_admin_password_ssha.stdout }}
dn: ou=ldapusers,{{ ldap_suffix }}
objectClass: top
objectClass: organizationalUnit
ou: ldapusers
dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: perl
userPassword: {{ ldap_admin_password_ssha.stdout }}
dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: nagios
userPassword: {{ ldap_nagios_password_ssha.stdout }}
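Review bot: `cn=perl` is created with `userPassword: {{ ldap_admin_password_ssha.stdout }}`, the same hash as `cn=admin`, so the two identities share one password even though `cn=perl` is a distinct service account that the olcAccess rules grant write access; compromising the application credential is then equivalent to holding the admin password, and rotating one silently rotates the other. Generating a third password the same way `ldap_nagios_password` is generated in `tasks/main.yml` and using its hash here (for example a `ldap_perl_password_ssha` register, with matching `apg`/`slappasswd` tasks) keeps the two separable. Which component binds as `cn=perl` is not visible in this commit.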


@ -0,0 +1,6 @@
profile default
host: ldap://127.0.0.1
base: {{ ldap_suffix }}
user: cn=admin,{{ ldap_suffix }}
bind: simple
password: {{ ldap_admin_password.stdout }}


@ -28,6 +28,7 @@ command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nag
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost


@ -0,0 +1,46 @@
#!/bin/sh
if [ "$#" -ne 1 ]; then
echo "Usage : $0 example.com" >&2
exit 1
fi
domain="$(echo "$1"|xargs)"
mkdir -pm 0750 "/etc/opendkim/keys/${domain}"
chown opendkim:opendkim "/etc/opendkim/keys/${domain}"
if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then
cd "/etc/opendkim/keys/${domain}"
echo "Generate DKIM keys ..."
sudo -u opendkim opendkim-genkey -r -d "${domain}"
chmod 640 /etc/opendkim/keys/${domain}/*
fi
grep -q "${domain}" /etc/opendkim/TrustedHosts
if [ "$?" -ne 0 ]; then
echo "Add ${domain} to TrustedHosts ..."
echo "${domain}" >> /etc/opendkim/TrustedHosts
fi
grep -q "${domain}" /etc/opendkim/KeyTable
if [ "$?" -ne 0 ]; then
echo "Add ${domain} to KeyTable ..."
echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable
fi
grep -q "${domain}" /etc/opendkim/SigningTable
if [ "$?" -ne 0 ]; then
echo "Add ${domain} to SigningTable ..."
echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable
fi
systemctl reload opendkim
if [ "$?" -eq 0 ]; then
echo "OpenDKIM successfully reloaded"
echo "Public key is in : /etc/opendkim/keys/${domain}/default.txt"
exit 0
else
echo "An error has occurred while opendkim reload, please FIX configuration !" >&2
exit 1
fi
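Review bot: `domain` is taken from `$1` and spliced into filesystem paths (`/etc/opendkim/keys/${domain}`), the three `grep -q "${domain}"` patterns and the KeyTable/SigningTable lines without any validation, so a value containing `/`, `..` or regex metacharacters silently yields a wrong path or a wrong match; it is a root-run admin script, but even a typo like `example..com` should be rejected rather than turned into a key directory. A guard right after the `xargs` trim, `case "${domain}" in ""|*[!A-Za-z0-9.-]*) echo "Invalid domain: ${domain}" >&2; exit 1 ;; esac`, is sufficient. The three `grep -q` checks are also unanchored substring matches, so `example.com` is considered already present when only `myexample.com` was added; `grep -qxF -- "${domain}"` for TrustedHosts and an anchored `grep -q "^default._domainkey.${domain} "` for KeyTable/SigningTable avoid that, and the unquoted `chmod 640 /etc/opendkim/keys/${domain}/*` should be quoted like the other paths.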


@ -0,0 +1,18 @@
UserID opendkim:opendkim
Socket inet:54321@127.0.0.1
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
Selector default
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogResults Yes
LogWhy Yes
Mode sv
SigningTable refile:/etc/opendkim/SigningTable
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 007


@ -0,0 +1,10 @@
---
- name: reload opendkim
systemd:
name: opendkim
state: reloaded
- name: restart opendkim
systemd:
name: opendkim
state: restarted

opendkim/tasks/main.yml Normal file

@ -0,0 +1,95 @@
---
- name: install OpenDKIM
apt:
name: "{{ item }}"
state: present
with_items:
- opendkim
- opendkim-tools
tags:
- opendkim
- name: create keys directory
file:
name: "{{ item }}"
state: directory
owner: opendkim
group: opendkim
mode: "0750"
with_items:
- '/etc/opendkim'
- '/etc/opendkim/keys'
tags:
- opendkim
- name: add 127.0.0.1 to TrustedHosts
lineinfile:
dest: '/etc/opendkim/TrustedHosts'
line: '127.0.0.1'
create: True
owner: opendkim
group: opendkim
mode: "0640"
notify: reload opendkim
tags:
- opendkim
- name: create config files
file:
name: "/etc/opendkim/{{ item }}"
state: touch
owner: opendkim
group: opendkim
mode: "0640"
with_items:
- 'KeyTable'
- 'SigningTable'
changed_when: False
tags:
- opendkim
- name: copy OpenDKIM config
copy:
src: opendkim.conf
dest: /etc/opendkim.conf
mode: "0644"
force: yes
notify: restart opendkim
tags:
- opendkim
- name: ensure opendkim is started and enabled
systemd:
name: opendkim
state: started
enabled: True
tags:
- opendkim
- name: check if /usr is a partition
shell: "mount | grep 'on /usr type'"
args:
warn: no
changed_when: False
failed_when: False
register: usr_partition
check_mode: no
tags:
- opendkim
- name: mount /usr in rw
command: mount -o remount,rw /usr
args:
warn: no
changed_when: False
when: usr_partition.rc == 0
tags:
- opendkim
- name: deploy opendkim-add.sh script
copy:
src: opendkim-add.sh
dest: /usr/share/scripts/opendkim-add.sh
mode: "0750"
tags:
- opendkim
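Review bot: `mount /usr in rw` remounts `/usr` read-write whenever it is a separate partition (`usr_partition.rc == 0`) and nothing after `deploy opendkim-add.sh script` remounts it read-only, so a hardened read-only `/usr` stays writable until the next reboot; the evolinux-base task file touched in this same commit appears to inspect the current mount options before remounting, which this copy does not. If the read-only state is meant to survive the play, add a final `command: mount -o remount,ro /usr` with the same `when`, or document that leaving it writable is intentional; `changed_when: False` on the remount also hides from the play output that the mount flags were touched. The `copy` into `/usr/share/scripts/` assumes that directory already exists, which nothing in this role creates.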


@ -4,9 +4,10 @@ Installation and basic configuration of Postfix.
## Tasks
Minimal configuration is in `tasks/main.yml` and optional customization in :
Minimal configuration is in `tasks/minimal.yml` and optional customization in :
* `slow_transport.yml` : slow transport to specific destination.
* `packmail.yml` : config for virtual mail accounts with OpenLDAP
## Available variables
@ -14,5 +15,7 @@ Main variables are :
* `postfix_hostname` : hostname for Postfix ;
* `postfix_slow_transport` : enable customization for delivrability.
* `postfix_force_main_cf` : force copy of main.cf
* `postfix_packmail` : install an Evolix Packmail instead of lite postfix config
The full list of variables (with default values) can be found in `defaults/main.yml`.


@ -1,3 +1,5 @@
---
postfix_hostname: "{{ ansible_fqdn }}"
postfix_slow_transport_include: False
postfix_force_main_cf: False
postfix_packmail: False
postfix_slow_transport_include: "{{ postfix_packmail }}"


@ -0,0 +1,63 @@
dn: cn={4}evolix,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}evolix
olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo
rward' SUP mail )
olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid'
DESC 'mail alias' SUP mail )
olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean
to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo
olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1.
3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b
oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo
olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo
olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean
to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4
.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC
'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.26{20} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix
domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA
X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier
maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
26 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC
'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A
bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY
NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC '
Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.
121.1.40 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En
d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC
'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S
UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool
ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/
Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce
ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co
urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat
ionStart $ vacationEnd $ vacationForward $ maildrop ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al
iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m
aildrop ) MAY ( cn $ isActive ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos
tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) )

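--- a/postfix/files/filter
+++ b/postfix/files/filter
@@ -0,0 +1 @@
+# Default empty file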

postfix/files/spam.sh Normal file

@ -0,0 +1,87 @@
#!/bin/bash
#set -x
umask 022
tmp_file=$(mktemp)
tmp=$(mktemp -d)
if [ -f $tmp_file ] ;
then rm $tmp_file ;
fi
sleep $[ $RANDOM / 1024 ]
# Postfix
cd $tmp
wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file
cp $tmp_file /etc/postfix/client.access
rm $tmp_file
wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file
cp $tmp_file /etc/postfix/sender.access
rm $tmp_file
wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file
cp $tmp_file /etc/postfix/recipient.access
rm $tmp_file
wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file
cp $tmp_file /etc/postfix/header_kill
rm $tmp_file
wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access
wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file
if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then
cp sa-blacklist.access /etc/postfix/sa-blacklist.access
fi
rm sa-blacklist.access
rm $tmp_file
/usr/sbin/postmap hash:/etc/postfix/client.access
/usr/sbin/postmap hash:/etc/postfix/sender.access
/usr/sbin/postmap hash:/etc/postfix/recipient.access
/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access
wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr
wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file
if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then
cp spamd.cidr /etc/postfix/spamd.cidr
fi
rm spamd.cidr
rm $tmp_file
# SpamAssassin
cd $tmp
wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf
wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file
if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then
dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin
dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
fi
fi
# ClamAV
cd $tmp
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb
if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/
fi
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb
if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/
fi
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null
rm $tmp_file
rm -rf $tmp
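Review bot: the first four downloads (`client.access`, `sender.access`, `recipient.access`, `header_kill`) are copied into `/etc/postfix/` with no check at all: when `wget -q -t 3` fails, `$tmp_file` is empty or absent, `cp` installs an empty access map and the following `postmap` rebuilds it, silently disabling those restrictions on every cron run that hits a network problem. Everything is fetched over plain HTTP and the `.md5` files come from the same unauthenticated origin, so the later `md5sum -c` guards only against truncation, not tampering; authenticity would need a TLS-served or signed source. Note also that `$tmp_file` is deleted and re-created by name throughout the script (starting with the `rm` right after `mktemp`), which gives up the unpredictable-name guarantee `mktemp` provides. A small helper that installs a file only after a successful, non-empty download into a fresh temporary file fixes the first and third points and removes the repetition:
```bash
# Download $1 and install it as $2 only if the fetch succeeded and is non-empty.
fetch_install() {
    local tmp
    tmp=$(mktemp)
    if wget -q -t 3 "$1" -O "$tmp" && [ -s "$tmp" ]; then
        cp "$tmp" "$2"
    fi
    rm -f "$tmp"
}
fetch_install http://antispam00.evolix.org/spam/client.access /etc/postfix/client.access
fetch_install http://antispam00.evolix.org/spam/sender.access /etc/postfix/sender.access
fetch_install http://antispam00.evolix.org/spam/recipient.access /etc/postfix/recipient.access
fetch_install http://antispam00.evolix.org/spam/header_kill /etc/postfix/header_kill
# … unchanged: md5-checked downloads, postmap calls, SpamAssassin and ClamAV sections …
```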


@ -13,7 +13,9 @@ galaxy_info:
versions:
- jessie
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
dependencies:
- { role: ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True }
- { role: spamassasin, when: postfix_packmail == True }
- { role: clamav, when: postfix_packmail == True }
- { role: opendkim, when: postfix_packmail == True }
- { role: dovecot, when: postfix_packmail == True }
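Review bot: The `spamassasin` role name in the second dependency looks misspelled — everything else this commit adds for that role (its handler, its tags, the apt package) spells it `spamassassin`, so unless a directory literally named `spamassasin` exists the dependency will not resolve; it should read `- { role: spamassassin, when: postfix_packmail == True }`. Comparing with `== True` also fails when the variable arrives as the string "True" from extra-vars or an inventory file; `when: postfix_packmail | bool` is the usual form and applies to all five entries.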


@ -1,30 +1,17 @@
- name: ensure packages are installed
apt:
name: '{{ item }}'
state: present
with_items:
- postfix
- mailgraph
---
- name: check if main.cf is default
shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -
changed_when: False
check_mode: no
register: default_main_cf
tags:
- postfix
- name: create minimal main.cf
template:
src: evolinux_main.cf.j2
dest: /etc/postfix/main.cf
owner: root
group: root
mode: "0644"
force: yes
when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
notify: restart postfix
- include: minimal.yml
when: postfix_packmail == False
- meta: flush_handlers
- include: packmail.yml
when: postfix_packmail == True
- include: slow_transport.yml
when: postfix_slow_transport_include
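Review bot: The `check if main.cf is default` task now runs before the package installation that minimal.yml and packmail.yml perform, so on a host where Postfix is not yet installed grep reads a missing /etc/postfix/main.cf, md5sum hashes empty input and the pipeline exits 0 (the task does not fail), and the registered `default_main_cf.stdout` can never match the two Debian hashes; the `create ... main.cf` tasks in the included files then only run when `postfix_force_main_cf` is set. Before this change the apt task preceded the check. Either move the check into each included file after its apt task, or document the ordering next to it, e.g. `# NOTE: only meaningful when postfix is already installed; a fresh host relies on postfix_force_main_cf`. `include:` is also deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks`; the same applies to the evoadmin-mail main.yml later in this commit.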

24
postfix/tasks/minimal.yml Normal file

@ -0,0 +1,24 @@
---
- name: ensure packages are installed
apt:
name: '{{ item }}'
state: present
with_items:
- postfix
tags:
- postfix
- name: create minimal main.cf
template:
src: evolinux_main.cf.j2
dest: /etc/postfix/main.cf
owner: root
group: root
mode: "0644"
force: yes
notify: restart postfix
when: postfix_force_main_cf == True or
default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
tags:
- postfix

128
postfix/tasks/packmail.yml Normal file

@ -0,0 +1,128 @@
---
- name: ensure packages are installed
apt:
name: '{{ item }}'
state: present
with_items:
- postfix
- postfix-ldap
- postfix-policyd-spf-python
- mailgraph
tags:
- postfix
- name: create packmail main.cf
template:
src: packmail_main.cf.j2
dest: /etc/postfix/main.cf
owner: root
group: root
mode: "0644"
force: yes
notify: restart postfix
when: postfix_force_main_cf == True or
default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
tags:
- postfix
- name: deploy packmail master.cf
template:
src: packmail_master.cf.j2
dest: /etc/postfix/master.cf
mode: "0644"
notify: restart postfix
tags:
- postfix
- name: copy default filter files
copy:
src: filter
dest: "/etc/postfix/{{ item }}"
force: no
with_items:
- virtual
- client.access
- client.access_local
- header_kill
- header_kill_local
- recipient.access
- recipient.access_local
- sa-blacklist.access
- sender.access
- sender.access_local
- spamd.cidr
register: postfix_copy_filter
tags:
- postfix
- name: postmap filter files
command: "postmap /etc/postfix/{{ item }}"
with_items:
- virtual
- client.access
- client.access_local
- header_kill
- header_kill_local
- recipient.access
- recipient.access_local
- sa-blacklist.access
- sender.access
- sender.access_local
- spamd.cidr
when: postfix_copy_filter.changed
tags:
- postfix
- name: deploy ldap postfix config
template:
src: "{{ item }}.j2"
dest: "/etc/postfix/{{ item }}"
mode: "0644"
with_items:
- virtual_aliases.cf
- virtual_domains.cf
- virtual_mailboxes.cf
notify: restart postfix
tags:
- postfix
- name: update ansible_mounts facts
setup:
filter: ansible_mounts
tags:
- postfix
- name: mount /usr in rw
command: mount -o remount,rw /usr
args:
warn: no
changed_when: false
when: item.mount == '/usr' and item.options | match(".*ro.*")
with_items: "{{ ansible_mounts }}"
tags:
- postfix
- name: copy spam.sh script
copy:
src: spam.sh
dest: /usr/share/scripts/spam.sh
mode: "0700"
tags:
- postfix
- name: enable spam.sh cron
lineinfile:
dest: /etc/cron.d/spam
line: "42 * * * * /usr/share/scripts/spam.sh"
create: yes
state: present
mode: "0640"
tags:
- postfix
- name: update antispam list
command: /usr/share/scripts/spam.sh
changed_when: false
tags:
- postfix
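Review bot: The line written to /etc/cron.d/spam by `enable spam.sh cron` has no user field — files under /etc/cron.d use the system-crontab format (minute hour day month weekday user command), so cron reads `/usr/share/scripts/spam.sh` as the user name and the job never runs; it should be `line: "42 * * * * root /usr/share/scripts/spam.sh"`. The `enable sa-update.sh cron` task in the spamassassin role has the same omission. Separately, the script this schedules (its tail is earlier in this commit) fetches rule files over plain http and checks them against an .md5 served from the same unauthenticated host, which detects transfer corruption but not substitution, so what gets copied into /etc/postfix and /var/lib/clamav is only as trustworthy as the network path; https or a signed ruleset would close that, and a comment on the `copy spam.sh script` task recording the assumption would make it reviewable.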


@ -1,10 +1,12 @@
---
- name: slow transport is defined in master.cf
lineinfile:
dest: /etc/postfix/master.cf
regexp: "^slow "
line: "slow unix - - n - - smtp"
notify: restart postfix
tags:
- postfix
- name: list of providers for slow transport
lineinfile:
@ -21,24 +23,5 @@
- "hotmail.fr slow:"
- "hotmail.com slow:"
notify: postmap transport
- name: main.cf is configured for slow transports
blockinfile:
dest: /etc/postfix/main.cf
marker: "# {mark} Slow transports configuration (installed by Ansible)"
block: |
minimal_backoff_time = 2h
maximal_backoff_time = 6h
maximal_queue_lifetime = 4d
queue_run_delay = 100s
bounce_queue_lifetime = 1d
initial_destination_concurrency = 5
default_destination_concurrency_limit = 20
slow_destination_rate_delay = 0
slow_destination_concurrency_limit = 1
slow_destination_concurrency_failed_cohort_limit = 100
slow_destination_recipient_limit = 25
transport_maps = hash:$config_directory/transport
notify: restart postfix
- meta: flush_handlers
tags:
- postfix
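Review bot: Removing the `main.cf is configured for slow transports` blockinfile task moves the slow-transport parameters into the two main.cf templates under `{% if postfix_slow_transport_include == True %}`, but those templates are only rendered when the hash check matches a stock Debian main.cf or `postfix_force_main_cf` is set, so on a host with an already customised main.cf `postfix_slow_transport_include` now only adds the master.cf entry and the transport map while the main.cf side (including `transport_maps`) is silently skipped. The previous blockinfile applied regardless of that check. Either keep a guarded fallback here, or state the new precondition at the top of this file, e.g. `# main.cf settings for the slow transport live in the main.cf templates and only apply when those are deployed`. The same observation applies to the evolinux_main.cf.j2 hunk that follows.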


@ -13,3 +13,19 @@ recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
disable_vrfy_command = yes
{% if postfix_slow_transport_include == True %}
# Slow transports configuration
minimal_backoff_time = 2h
maximal_backoff_time = 6h
maximal_queue_lifetime = 4d
queue_run_delay = 100s
bounce_queue_lifetime = 1d
initial_destination_concurrency = 5
default_destination_concurrency_limit = 20
slow_destination_rate_delay = 0
slow_destination_concurrency_limit = 1
slow_destination_concurrency_failed_cohort_limit = 100
slow_destination_recipient_limit = 25
transport_maps = hash:$config_directory/transport
{% endif %}


@ -0,0 +1,423 @@
## fichier principal de configuration de Postfix
## commentaires de Gregory Colpart reg AT evolix DOT fr
## version 1.0 : 1ere version publique (05.04.2010)
########################
# Section : Emplacements
########################
# Repertoire ou se trouvent les commandes de postfix [OBLIGATOIRE]
#par defaut, = $program_directory
command_directory = /usr/sbin
# Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE]
#par defaut, = $program_directory
daemon_directory = /usr/lib/postfix/sbin
# Variable pour indiquer les emplacements des commandes et demons de postfix
#program_directory = /usr/lib/postfix
# Repertoire contenant les fichiers de boites aux lettres
#par defaut, = /var/mail
#mail_spool_directory =
# Repertoire de la file d'attente de postfix
#par defaut, = /var/spool/postfix
#queue_directory =
# Boites aux lettres
#par defaut, =
home_mailbox = Maildir/
# Transmettre les mails a un MDA
#par defaut, =
#mailbox_command = /usr/bin/procmail
# Separateur entre noms d'utilisateur et extensions d'adresse
# mettre + pour integration avec amavis
#par defaut, =
recipient_delimiter = +
# Controle si le repertoire existe (souvent pour les systemes de fichiers montes)
#par defaut, = no
#require_home_directory =
# Commande pour transmettre le courrier a un MDA
#par defaut, =
#mailbox_command = /usr/bin/procmail
# Banniere SMTP affichee
#par default, = $myhostname ESMTP $mail_name
smtpd_banner = $myhostname ESMTP mail server
# Groupe des commandes set-gid ayant des acces en ecriture
#par defaut, = postdrop
# setgid_group = postdrop
# Produire des "biff notifications" aux utilisateurs pour
# prevenir de l'arrivee de nouveaux mails
# par default, = yes
#biff = no
####################
# Section : domaines
####################
# Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE]
#par defaut, = [retour de la commande Unix hostname]
myhostname = {{ ansible_fqdn }}
# Variable indiquant le domaine dans lequel se trouve la machine
#par defaut, = [partie domain de la variable $myhostname]
#mydomain =
# Liste des noms de domaine (ou IP) consideres comme local
#par defaut, = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname
# Indique le domaine apparaissant dans le courrier envoye
#par defaut, = $myhostname
myorigin = {{ ansible_fqdn }}
# Liste de domaine fonctionnant UNIQUEMENT avec des alias virtuels
#par defaut, = $virtual_alias_maps
#virtual_alias_domains = [ domaines avec alias virtuels ]
# Liste de domaine fonctionnant avec des comptes virtuels
#par defaut, = $virtual_mailbox_maps
virtual_mailbox_domains = ldap:$config_directory/virtual_domains.cf
# Repertoire de base de l'espace de stockage
#par defaut, =
virtual_mailbox_base = /
# Ajoute $mydomain aux adresse ne compoirtant que la partie hote sans le domaine
#par defaut, = yes
#append_dot_mydomain = no
# Ajoute $myorigin aux adresses ne comportant pas de composante de domaine
#par defaut, = yes
#append_at_myorigin = no
# Liste de domaines cachant des sous-domaines internes
#par defaut, =
#masquerade_domains =
# A l'exception de certains comptes :
#par defaut, =
#masquerade_exceptions = root, admin
# Champs d'application de la reecriture des sous-domaines caches
#par defaut, = envelope_sender, header_sender, header_recipient
#masquerade_classes =
# Sites eligibles pour un vidage rapide (postqueue -s [domain.tld])
#par defaut, = $relay_domains
#fast_flush_domains =
# Interfaces sur lesquelles ecoutent postfix
#par defaut, = all
#inet_interfaces = all
# Adresse IP externe du firewall/proxy si derriere NAT ou proxy
# evite principalement les boucles si MX secondaire et MX primaire indisponible
#par defaut, =
#proxy_interfaces = [adresse IP]
# Domaines acceptes pour faire relai (MX 2aire)
#relay_domains = [domaine a relayer]
###########################
# Section : base de donnees
###########################
# Liste des bases de donnees utilisees par l'agent de distribution locale
# Pour regenerer une base de donnees : postalias /etc/aliases (par ex)
#par defaut, = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases
# Liste des bases de donnees locales
# Pour regenerer avec newaliases
#par defaut, = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Chemin vers la commande newaliases
#par defaut, = /usr/bin/newaliases
#newaliases_path =
# Base de donnes d'alias virtuels
# ne pas oublier : postmap /etc/postfix/virtual
#par defaut, = $virtual_maps
virtual_alias_maps = hash:$config_directory/virtual, ldap:$config_directory/virtual_aliases.cf
# Base de donners des boites virtuelles
# ne pas oublier : postmap /etc/postfix/vmailbox
#par defaut, =
virtual_mailbox_maps = ldap:$config_directory/virtual_mailboxes.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Reecriture des adresses
#par defaut, =
#canonical_maps = hash:/etc/postfix/canonical
# Reecriture des adresses a l'arrivee (ecrase $canonical_maps)
#par defaut, =
#recipient_canonical_maps = hash:/etc/postfix/canonical
# Reecriture des adresses au depart
#par defaut, =
#sender_canonical_maps = hash:/etc/postfix/canonical
# Adresses changees
#relocated_maps = hash:/etc/postfix/relocated
# Boite pour receptionner tous les utilisateurs inconnus
#luser_relay = spam
# Liste de base de donnees contenant les adresses locales permettant de rejeter les messages aux utilisateurs inconnus
# (sera nulle pour recuperer les courriels vers les utilisateurs inconnus)
#par defaut, = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# MAILING-LIST nommee xx
# dans le fichier /etc/aliases :
# xx: user1@domain1 user2@domain2 etc.
# owner-xx: admin@domain
# Utiliser ou non l'alias xx-owner comme adresse d'enveloppe d'expedition
#par defaut, = yes
#owner_request_special =
# Utiliser l'adresse relle de l'admin au lieu de xx-owner
#par defaut, = no
#expand_owner_alias =
###########################################
# Section : parametres de la file d'attente
###########################################
# Lorsqu'un message n'a pas ete delivre, Postfix adjoint une marque indiquant le moment ou la prochaine tentaive pourra avoir lieu
# Delai au-dela duquel les messages non delivres seront renvoyes a l'expediteur
#par defaut, = 5d
#maximal_queue_lifetime =
# Delai au-dela duquel les *bounces* non delivres ne seront plus envoyes
#par defaut, = 5d
bounce_queue_lifetime = 1d
# Intervalle de temps ou postfix examinera la file
# Il examine notamment la file deferred pour voir si de NOUVEAUX messages sont arrives
# Il faut aussi que la marque indique qu'ils soient prets
#par defaut, = 1000s
#queue_run_delay =
# A chaque echec, le delai de la prochaine distribution double, avec les restrictions suivantes :
# Delai minimal
#par defaut, = 1000s
#minimal_backoff_time =
# Delai maximal
#par defaut, = 4000s
#maximal_backoff_time =
# Si maxproc est vide (master.cf), nombre maximal est :
#par defaut, = 100
#default_process_limit =
# Nombre maximal de destinataires stockes en memoire par qmgr pour un transport particulier
#par defaut, = 10000
#default_recipient_limit =
# Nombre limitant de messages envoyes simultanement INITIALEMENT pour une destination particuliere
# (forcement majoree par maxproc du master.cf ou $default_process_limit)
#par defaut, = 5
#initial_destination_concurrency =
# Une fois ces messages distribues, si il reste des messages dans la file d'attente pour cette destination
# particuliere, postfix augmente le nombre de tentative tant qu'il ne detecte pas de probleme avec
# la destination, avec la limite suivante :
#par defaut, = 20
#default_destination_concurrency_limit =
# Cette limite peut etre differente selon le type de transport utilise :
#par defaut, = $default_destination_concurrency_limit
#lmtp_destination_concurrency_limit =
#par defaut, = 2
#local_destination_concurrency_limit =
#par defaut, = $default_destination_concurrency_limit
#relay_destination_concurrency_limit =
#par defaut, = $default_destination_concurrency_limit
#smtp_destination_concurrency_limit =
#par defaut, = $default_destination_concurrency_limit
#virtual_destination_concurrency_limit =
# On peut aussi limiter le nombre maximum de destinataire pour un meme message
# Si le nombre de destinataire depasse la limite, postfix divise en groupe d'adresses plus petites et envoie des copies distinctes du message
#par defaut, = 10000
#default_destination_recipient_limit =
#par defaut, = $default_destination_recipient_limit
#lmtp_destination_recipient_limit =
#par defaut, = 1
#local_destination_recipient_limit =
#par defaut, = 20000
#qmgr_message_recipient_limit =
#par defaut, = $default_destination_recipient_limit
#relay_destination_recipient_limit =
#par defaut, = $default_destination_recipient_limit
#smtp_destination_recipient_limit =
#par defaut, = 1000
#smtpd_recipient_limit =
#par defaut, = $default_destination_recipient_limit
#virtual_destination_recipient_limit =
# Nombre maximum de destinataires pour un transport lorsque priorite superieure de transport
#par defaut, = 1000
#default_extra_recipient_limit =
slow_destination_rate_delay = 0
slow_destination_concurrency_limit = 1
slow_destination_recipient_limit = 25
slow_destination_concurrency_failed_cohort_limit = 100
# Types d'incidents a rapporter
# resource : message non delivre pour probleme de ressource
# software : message non delivre pour probleme de logiciels
# policy : envoie le transcription smtp d'un message rejete par restrictions
# protocol : envoie toute transcription smtp erronee
# delay : envoie les entetes de messages differes
# bounce : envoie les entetes de tous les message renvoyes
# 2bounce : envoie les entetes de tous les messages renvoyes non delivres
#par defaut, = resource, software
notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol
# A qui les reporter ?
#Pour delay
#par defaut, = postmaster
delay_notice_recipient = delay
#Pour policy, protocol, resource, software
#par defaut, = postmaster
error_notice_recipient = error
#Pour bounce
#par defaut, = postmaster
bounce_notice_recipient = bounce
#Pour 2bounce
#par defaut, = postmaster
2bounce_notice_recipient = bounce
########################
# Section : restrictions
########################
# Restrictions au depart de la conversation
#par defaut, =
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
cidr:$config_directory/spamd.cidr,
# Restrictions au niveau de la commande HELO/EHLO
#par defaut, =
smtpd_helo_restrictions =
reject_invalid_hostname
# Restrictions au niveau de la commande MAIL FROM
#par defaut, =
smtpd_sender_restrictions =
permit_mynetworks,
check_sender_access hash:$config_directory/sa-blacklist.access
# Restrictions au niveau de la commande MAIL FROM
#par defaut, = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf,
check_client_access hash:$config_directory/client.access_local,
check_client_access hash:$config_directory/client.access,
check_sender_access hash:$config_directory/sender.access_local,
check_sender_access hash:$config_directory/sender.access,
check_recipient_access hash:$config_directory/recipient.access_local,
check_recipient_access hash:$config_directory/recipient.access,
reject_unlisted_recipient,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unauth_pipelining,
policyd-spf_time_limit = 3600
header_checks =
regexp:$config_directory/header_kill_local,
regexp:$config_directory/header_kill
transport_maps = hash:$config_directory/transport
# Attendre la commande 'RCPT TO' avant d'evaluer les restrictions ?
# (peut poser pb avec certains clients et permet d'avoir renseignements suppl)
#par defaut, = yes
#smtpd_delay_reject =
# Definition des plages IP appartenant a mynetworks
#par defaut, toutes les plages d'adresses IPv4 (et IPv6) des interfaces
mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16
# Exiger la commande HELO/EHLO
#par defaut, = no
smtpd_helo_required = yes
# Exiger syntaxe conforme dans les commandes MAIL FROM ou RCPT TO
#par defaut, = no
strict_rfc821_envelopes = yes
# Rejeter le courrier provenant d'une adresse inexistante ?
#par defaut, = no
#smtpd_reject_unlisted_sender =
# Rejeter le courrier a destination d'une adresse inexistante ?
#par defaut, = yes
#smtpd_reject_unlisted_recipient =
#######################
# Section : Chiffrement
#######################
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
# Amavis and OpenDKIM
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_milters = inet:[127.0.0.1]:54321
non_smtpd_milters = inet:[127.0.0.1]:54321
{% if postfix_slow_transport_include == True %}
# Slow transports configuration
minimal_backoff_time = 2h
maximal_backoff_time = 6h
maximal_queue_lifetime = 4d
queue_run_delay = 100s
bounce_queue_lifetime = 1d
initial_destination_concurrency = 5
default_destination_concurrency_limit = 20
slow_destination_rate_delay = 0
slow_destination_concurrency_limit = 1
slow_destination_concurrency_failed_cohort_limit = 100
slow_destination_recipient_limit = 25
transport_maps = hash:$config_directory/transport
{% endif %}
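Review bot: `mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16` hard-codes a whole private /16 into the template, and because `permit_mynetworks` comes before `reject_unauth_destination` in `smtpd_recipient_restrictions`, every host in 10.0.0.0/16 can relay through this server without authenticating; the range should come from a role variable (a `{{ postfix_mynetworks }}`-style value, constructed name) defaulting to loopback only. Several parameters are also defined twice — `transport_maps` unconditionally and again inside the `{% if postfix_slow_transport_include == True %}` block, `bounce_queue_lifetime`, and the four `slow_destination_*` values — and Postfix keeps the last occurrence while warning about the earlier one, so the unconditional copies should be dropped. The TLS section points at the Debian snakeoil certificate and uses the obsolete `smtpd_use_tls=yes`; `smtpd_tls_security_level = may` is the supported spelling and the certificate paths deserve variables too.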


@ -0,0 +1,171 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - y - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
slow unix - - n - - smtp
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
scan unix - - y - 10 smtp
localhost:10026 inet n - y - 10 smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o myhostname=filter.mynetwork.local
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
smtp-amavis unix - - y - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=
-o always_bcc=
-o sender_bcc_maps=
-o recipient_bcc_maps=
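Review bot: The `localhost:10026` listener sets `-o myhostname=filter.mynetwork.local`, a placeholder that will appear in the Received headers of every message re-injected through it; in a .j2 template this should be `-o myhostname={{ ansible_fqdn }}` or a role variable. That listener and the `scan` transport also look like remnants of a different content-filter layout — main.cf's `content_filter = smtp-amavis:[127.0.0.1]:10024` returns mail on `127.0.0.1:10025`, and nothing visible routes through `scan` or port 10026 — so if they are unused they should be removed or commented with their purpose. `pre-cleanup` is likewise defined but not referenced by any `cleanup_service_name` override here; a comment is warranted if a later include wires it up.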


@ -0,0 +1,5 @@
search_base = {{ ldap_suffix }}
query_filter = (&(mailacceptinggeneralid=%u@%d)(isActive=TRUE))
result_attribute = maildrop
version = 3
aliases_scope = sub
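Review bot: `aliases_scope = sub` is not a parameter ldap_table(5) recognises — the key is `scope`, as the two sibling lookup tables in this commit use — so it is silently ignored and the lookup falls back to the default scope (which happens to be `sub`); rename it to `scope = sub` so the intent is actually enforced. None of the three tables set `server_host` or `bind`, so as I read ldap_table(5) they rely on the defaults (localhost, anonymous simple bind); if the directory is local and permits anonymous reads that is fine, but a one-line comment such as `# server_host/bind left at defaults: local LDAP, anonymous read` would make the assumption reviewable.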


@ -0,0 +1,5 @@
search_base = {{ ldap_suffix }}
query_filter = (&(cn=%s)(objectClass=postfixDomain)(isActive=TRUE))
result_attribute = cn
scope = sub
version = 3


@ -0,0 +1,5 @@
search_base = {{ ldap_suffix }}
query_filter = (&(mailacceptinggeneralid=%s)(objectClass=mailAccount)(isActive=TRUE)(accountActive=TRUE))
result_attribute = homeDirectory
scope = sub
version = 3


@ -0,0 +1,68 @@
#!/bin/sh
# Evolix sa-update, based on:
# Duncan Findlay
# duncf@debian.org
mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2)
test -x /usr/bin/sa-update || exit 0
test -x /etc/init.d/spamassassin || exit 0
# If there's a problem with the ruleset or configs, print the output
# of spamassassin --lint (which will typically get emailed to root)
# and abort.
die_with_lint() {
su debian-spamd -c "spamassassin --lint -D 2>&1"
exit 1
}
do_compile() {
# Compile, if rules have previously been compiled, and it's possible
if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
-a -d /var/lib/spamassassin/compiled ]; then
su debian-spamd -c "sa-compile --quiet"
# Fixup perms -- group and other should be able to
# read and execute, but never write. Works around
# sa-compile's failure to obey umask.
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
fi
}
# Tell a running spamd to reload its configs and rules.
reload() {
# Reload
if which invoke-rc.d >/dev/null 2>&1; then
invoke-rc.d spamassassin reload > /dev/null
else
/etc/init.d/spamassassin reload > /dev/null
fi
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
fi
}
# Update
umask 022
su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
case $? in
0)
# got updates!
su debian-spamd -c "spamassassin --lint" || die_with_lint
do_compile
reload
echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \
mail -s "SpamAsassin's rules updated." $mail
;;
1)
# no updates
exit 0
;;
2)
# lint failed!
die_with_lint
;;
*)
echo "sa-update failed for unknown reasons" 1>&2
;;
esac
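Review bot: `echo -e "Les règles ..."` under `#!/bin/sh` is not portable — Debian's /bin/sh is dash, whose echo has no `-e` and prints it literally, so the notification mail starts with "-e"; use `printf '%s\n' "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | mail -s "SpamAsassin's rules updated." "$mail"`. `$mail` comes from `grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2` and is used unquoted; if the key is absent or its value quoted in that file the mail command gets no recipient or a quoted one, so check it before the update runs, e.g. `[ -n "$mail" ] || exit 1`. The `*)` branch prints an error but the script then ends with status 0, which hides sa-update failures from cron.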


@ -0,0 +1,117 @@
#required_score 5 -> assure par Amavis
report_safe 0
#rewrite_header Subject [SPAM] -> assure par Amavis
add_header all Report _REPORT_
# filtre bayesien
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
use_bayes 1
bayes_auto_learn 1
bayes_path /var/spool/spam/bayes
bayes_file_mode 0777
# AWL : AutoWhitelist
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
loadplugin Mail::SpamAssassin::Plugin::AWL
use_auto_whitelist 1
auto_whitelist_path /var/spool/spam/auto_whitelist
auto_whitelist_file_mode 0666
# LANG TESTS
loadplugin Mail::SpamAssassin::Plugin::TextCat
ok_languages en fr es it
ok_locales en fr es it
score BODY_8BITS 1.500
score CHARSET_FARAWAY 3.200
score CHARSET_FARAWAY_HEADER 3.200
score HTML_CHARSET_FARAWAY 0.500
score MIME_CHARSET_FARAWAY 2.450
score UNWANTED_LANGUAGE_BODY 2.800
# DCC
# use_dcc 1 => un plugin maintenant...
score DCC_CHECK 2.9
# RAZOR : http://razor.sourceforge.net
use_razor2 1
score RAZOR2_CHECK 2.9
score RAZOR2_CF_RANGE_51_100 1.3
# pyzor : http://pyzor.sourceforge.net/
use_pyzor 0
# RBL (Realtime Blackhole List)
skip_rbl_checks 0
score RCVD_IN_BL_SPAMCOP_NET 3
# misc
score HELO_DYNAMIC_IPADDR 0.3
score BIZ_TLD 0.1
score PRIORITY_NO_NAME 0.2
# disable HTML tests
score HTML_MESSAGE 0
score HTML_00_10 0
score HTML_10_20 0
score HTML_20_30 0
score HTML_30_40 0
score HTML_40_50 0
score HTML_50_60 0
score HTML_60_70 0
score HTML_70_80 0
score HTML_80_90 0
score HTML_90_100 0
#score HTML_COMMENT_8BITS 0
score UPPERCASE_25_50 0
score UPPERCASE_50_75 0
score UPPERCASE_75_100 0
score MIME_HTML_ONLY 0.1
# From http://maxime.ritter.eu.org/Spam/user_prefs
# Trop de faux negatifs avec BAYES_(0|1|2|3|4)*
score BAYES_00 0 0 -0.01 -0.01
score BAYES_01 0 0 -0.01 -0.01
score BAYES_10 0 0 -0.01 -0.01
score BAYES_20 0 0 -0.01 -0.01
score BAYES_30 0 0 -0.01 -0.01
score BAYES_40 0 0 -0.01 -0.01
score BAYES_44 0 0 -0.01 -0.01
score BAYES_50 0 0 0.1 0.1
score BAYES_56 0 0 0.5 0.5
score BAYES_60 0 0 1.0 1.0
score BAYES_70 0 0 2.5 2.5
score BAYES_80 0 0 3.5 3.5
score BAYES_90 0 0 4.5 4.5
score BAYES_99 0 0 8.0 8.0
score RCVD_IN_SORBS_DUL 0.3
score SUBJ_ILLEGAL_CHARS 0
score RCVD_IN_NJABL_DUL 0.3
score ADDRESS_IN_SUBJECT 0.1
score HELO_LH_HOME 1.0
#internal_networks 192.168.XXX/24
trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21
#score ALL_TRUSTED 0.3
score HELO_DYNAMIC_IPADDR 0.3
score FORGED_MUA_OUTLOOK 0.5
# Eudora sucks
score EXTRA_MPART_TYPE 0.1
score MIME_BOUND_EQ_REL 0.1
score MIME_QP_LONG_LINE 0.1
# SMTP senders *have* dynamic IP addresses
# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10
score RCVD_IN_DYNABLOCK 0
score HELO_DYNAMIC_IPADDR 0.3
score RCVD_IN_SORBS 0.1
score RCVD_IN_PBL 0.1
score RCVD_IN_SORBS_DUL 0
# old bug...
score FH_DATE_PAST_20XX 0.0
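Review bot: `bayes_file_mode 0777` and `auto_whitelist_file_mode 0666` make the Bayes database and the auto-whitelist world-writable; the comment above them already says the spool is `chown amavis`, so every local account could poison the classifier or whitelist senders, and `0660` (or `0600` if only amavis touches them) is sufficient. `trusted_networks` lists four literal addresses in a file the role installs with `copy` rather than `template` — trusted_networks decides whose Received headers are exempt from RBL and dynamic-IP tests, so it belongs in a role variable rather than baked into the file. `score HELO_DYNAMIC_IPADDR` is set three times and `score RCVD_IN_SORBS_DUL` twice (0.3, then 0); only the last assignment survives, so the earlier ones should go.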


@ -0,0 +1,5 @@
---
- name: restart spamassassin
service:
name: spamassassin
state: restarted


@ -0,0 +1,3 @@
---
dependencies:
- { role: amavis }


@ -0,0 +1,68 @@
---
- name: install SpamAssasin
apt:
name: "{{ item }}"
state: present
with_items:
- spamassassin
- evomaintenance
tags:
- spamassassin
- name: configure SpamAssasin
copy:
src: spamassassin.cf
dest: /etc/spamassassin/local_evolix.cf
mode: "0644"
notify: restart spamassassin
tags:
- spamassassin
- name: enable SpamAssasin
replace:
dest: /etc/default/spamassassin
regexp: 'ENABLED=0'
replace: 'ENABLED=1'
notify: restart spamassassin
tags:
- spamassassin
- name: update ansible_mounts facts
setup:
filter: ansible_mounts
tags:
- spamassassin
- name: mount /usr in rw
command: mount -o remount,rw /usr
args:
warn: no
changed_when: false
when: item.mount == '/usr' and item.options | match(".*ro.*")
with_items: "{{ ansible_mounts }}"
tags:
- spamassassin
- name: copy sa-update.sh script
copy:
src: sa-update.sh
dest: /usr/share/scripts/sa-update.sh
mode: "0750"
tags:
- spamassassin
- name: enable sa-update.sh cron
lineinfile:
dest: /etc/cron.d/sa-update
line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh"
create: yes
state: present
mode: "0640"
tags:
- spamassassin
- name: update SpamAssasin's rules
command: /usr/share/scripts/sa-update.sh
changed_when: false
tags:
- spamassassin
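Review bot: The `mount /usr in rw` condition `item.options | match(".*ro.*")` is a substring test that also matches the standard `errors=remount-ro` mount option, so it is true for read-write filesystems too and the task is effectively unconditional (hidden by `changed_when: false`); `item.options | regex_search('(^|,)ro(,|$)')` or a split-and-`in` test is needed, and nothing remounts /usr read-only afterwards. The identical task appears in postfix/tasks/packmail.yml. The task names spell the product `SpamAssasin` in four places while the package, tag and handler use `spamassassin`; worth fixing while here.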


@ -0,0 +1,23 @@
---
general_alert_email: "root@localhost"
evoadminmail_contact_email: Null
evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}"
evoadminmail_username: evoadmin-mail
evoadminmail_home_dir: "/home/{{ evoadminmail_username }}"
evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www"
evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log"
evoadminmail_scripts_dir: /usr/share/scripts/
evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
evoadminmail_enable_vhost: True
evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
evoadminmail_tpl_phpmyadmin_url: Null
evoadminmail_tpl_cgi_suffix: Null
evoadminmail_tpl_signature: evoadmin
evoadminmail_tpl_mail_from: root@localhost
evoadminmail_tpl_mail_bcc: Null
evoadminmail_tpl_mail_standard: "{{ general_alert_email }}"
evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}"


@ -0,0 +1,6 @@
---
- name: reload apache2
service:
name: apache2
state: reloaded


@ -0,0 +1,17 @@
---
- name: "Create /etc/evolinux"
file:
dest: "/etc/evolinux"
recurse: yes
state: directory
#- name: Configure web-add config file
# template:
# src: web-add.conf.j2
# dest: /etc/evolinux/web-add.conf
#
#- name: Configure web-add template file for mail
# template:
# src: web-mail.tpl.j2
# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl"


@ -0,0 +1,19 @@
---
- include: packages.yml
- include: user.yml
- include: config.yml
- include: ssl.yml
- include: web.yml
- name: enable evoadmin-mail link in default site index
lineinfile:
dest: /var/www/index.html
state: present
regexp: "EvoAdmin-mail"
line: ' <li><a href="https://{{ evoadminmail_host }}">Interface admin mail (EvoAdmin-mail)</a></li>'
insertbefore: "</ul>"


@ -0,0 +1,16 @@
---
- include_role:
name: apt
tasks_from: evolix_public.yml
- meta: flush_handlers
- name: Install PHP packages
apt:
name: '{{ item }}'
state: present
with_items:
- php-pear
- php-log
- php-crypt-chap


@ -0,0 +1,15 @@
---
- name: Get mount options for partitions
shell: "mount | grep 'on /usr type'"
args:
warn: no
register: mount
changed_when: False
failed_when: False
when: not ansible_check_mode
- name: Remount /usr if it is a partition and it is not mounted in rw
command: "mount -o remount,rw /usr"
when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw")
args:
warn: no
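Review bot: After `Remount /usr if it is a partition and it is not mounted in rw` makes `/usr` writable, nothing in this file (nor in the including `user.yml`, as far as this commit shows) remounts it read-only, so the hardening that the read-only mount provides is lost for the rest of the uptime; a matching task guarded by the same registered result should run `mount -o remount,ro /usr` once the scripts directory has been created. In check mode the first task is skipped, so `mount.rc` is undefined and the second task's `when` raises an error instead of skipping; guard it with `when: not ansible_check_mode and mount.rc == 0 and not mount.stdout_lines.0 | search("rw")`. Note also that `search("rw")` inspects the whole `mount` output line, including the device and mount-point names, rather than just the option list in parentheses.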


@ -0,0 +1,24 @@
---
- name: ssl-cert package is installed
apt:
name: ssl-cert
state: present
- name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}"
args:
creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"
- name: Adjust rights on private key
file:
path: /etc/ssl/private/{{ evoadminmail_host }}.key
owner: root
group: ssl-cert
mode: "0640"
- name: Create certificate for default site
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt
args:
creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt"
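Review bot: `Create private key and csr` writes the key with `openssl req -keyout`, which as far as I know honours the process umask (typically yielding 0644) rather than restricting the file itself, so the key is world-readable until the separate `Adjust rights on private key` task runs; running it as `shell: umask 077 && openssl req ...` closes that window. The task name says `default site ({{ ansible_fqdn }})` but the key, CSR and certificate are all for `{{ evoadminmail_host }}`, so the name should say that. The certificate carries only a CN and no subjectAltName, which current browsers reject even once the self-signed cert is trusted; on an OpenSSL build that supports it, `-addext "subjectAltName=DNS:{{ evoadminmail_host }}"` on the `req` line (or an `-extfile` on the `x509` step) fixes this.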


@ -0,0 +1,113 @@
---
- name: Create evoadmin account
user:
name: "{{ evoadminmail_username }}"
comment: "Evoadmin Web Account"
home: "{{ evoadminmail_home_dir}}"
shell: /bin/bash
password: "!"
- name: Create log/ directory
file:
path: "{{ evoadminmail_home_dir}}/log"
state: directory
owner: "{{ evoadminmail_username }}"
group: "{{ evoadminmail_username }}"
mode: "0750"
- name: Create www-evoadminmail group
group:
name: "www-{{ evoadminmail_username }}"
state: present
- name: "Create www-evoadmin (Debian 9 or later)"
user:
name: "www-{{ evoadminmail_username }}"
home: "{{ evoadminmail_home_dir}}/www"
shell: /bin/bash
createhome: no
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: Install Git
apt:
name: git
state: present
- name: "Clone evoadmin repository (Debian 9 or later)"
git:
repo: https://forge.evolix.org/evoadmin-mail.git
dest: "{{ evoadminmail_document_root}}"
version: master
update: yes
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: "Change perms on evoadminmail document root"
file:
dest: "{{ evoadminmail_document_root }}"
owner: "www-{{ evoadminmail_username }}"
group: "{{ evoadminmail_username }}"
recurse: yes
- name: "Copy connect.php"
template:
src: connect.php.j2
dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php"
owner: "www-{{ evoadminmail_username }}"
group: "{{ evoadminmail_username }}"
when: ldap_admin_password is defined
- name: "Copy conf.php"
template:
src: conf.php.j2
dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php"
owner: "www-{{ evoadminmail_username }}"
group: "{{ evoadminmail_username }}"
- name: create a password for evoadmin user
command: "apg -n 1 -m 16 -M lcN"
register: evoadminmail_admin_password
changed_when: False
- name: upload ldif for evoadmin user
template:
src: evoadmin.ldif.j2
dest: /root/evolinux_evoadminmail_admin.ldif
mode: "0640"
- name: inject config
command: slapadd -l /root/evolinux_evoadminmail_admin.ldif
- name: create log file
file:
dest: /var/log/evoadmin-mail.log
state: touch
owner: "www-{{ evoadminmail_username }}"
group: "adm"
mode: "0640"
- include: remount_usr_rw.yml
when: evoadminmail_scripts_dir | search ("/usr")
- name: "Create {{ evoadminmail_scripts_dir }}"
file:
dest: "{{ evoadminmail_scripts_dir }}"
# recurse: yes
mode: "0700"
state: directory
# we use a shell command to have a "changed" thet really reflects the result.
- name: Fix permissions
shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
register: command_result
changed_when: "'changed' in command_result.stdout"
# failed_when: False
with_items:
- "{{ evoadminmail_home_dir}}/www"
#- name: Add evoadmin sudoers file
# template:
# src: sudoers.j2
# dest: /etc/sudoers.d/evoadmin
# mode: "0600"
# validate: "visudo -cf %s"
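Review bot: `inject config` runs `slapadd` on the generated LDIF with no `creates`/`changed_when` guard and, presumably, while slapd is running, so it writes to the backend behind the daemon's back and, because `create a password for evoadmin user` produces a fresh `apg` password on every play, a second run presumably fails on the existing entry or leaves the stored password out of sync with the one just generated; an `ldapadd` with the admin bind (or an idempotent LDAP module) that only generates a password when the entry does not yet exist is the safe form. The LDIF containing that password stays on disk at `/root/evolinux_evoadminmail_admin.ldif` with mode 0640 and the value is never reported to the operator, so it is effectively lost. `Create www-evoadmin` gives the PHP runtime user a `/bin/bash` login shell it does not need; `shell: /usr/sbin/nologin` is the least-privilege choice. `Clone evoadmin repository` tracks `version: master` from a remote forge with no pin, so every play pulls whatever that branch holds into a root-deployed admin interface; pin a tag or commit. `Copy connect.php`, which holds the LDAP admin password, sets no `mode` and relies on the later `Fix permissions` task to remove world read.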


@ -0,0 +1,30 @@
---
- name: "Set custom values for PHP config (Debian 9 or later)"
ini_file:
dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini
section: PHP
option: "disable_functions"
value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
notify: reload apache2
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: Install evoadminmail VHost
template:
src: evoadminmail.conf.j2
dest: /etc/apache2/sites-available/evoadminmail.conf
notify: reload apache2
- name: Enable evoadminmail vhost
command: "a2ensite evoadminmail.conf"
register: cmd_a2ensite
changed_when: "'Enabling site' in cmd_a2ensite.stdout"
notify: reload apache2
when: evoadminmail_enable_vhost
- name: Disable evoadminmail vhost
command: "a2dissite evoadminmail.conf"
register: cmd_a2dissite
changed_when: "'Disabling site' in cmd_a2dissite.stdout"
notify: reload apache2
when: not evoadminmail_enable_vhost
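Review bot: The `disable_functions` value in `Set custom values for PHP config` lists `shell-exec`, but the PHP function is `shell_exec` (underscore), so that entry disables nothing and `shell_exec()` stays callable; the same typo appears in the evoadmin-web `web.yml` hunks further down in this commit. The list also omits `exec` and `proc_open`, which give the same shell access as the functions it does block, so the minimal correction is `value: "shell_exec,exec,proc_open,system,passthru,putenv,popen,pcntl_alarm,..."`. Whether evoadmin-mail invokes its sudo wrapper through one of these cannot be seen here, so confirm against the application before adding `exec`/`proc_open`, and keep a comment naming the one it needs.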


@ -0,0 +1,56 @@
<?php
// Email pour les notifications
$conf['admin']['mail'] = '{{ evoadminmail_contact_email or general_alert_email | mandatory }}';
// login des superadmins
// Note: utile uniquement si domaines/driver=ldap, laisser vide sinon...
$conf['admin']['logins'] = array('evoadmin');
// What do you want?
// 0 = nothing...
// 1 = only mail accounts
// 2 = only samba accounts
// 3 = mail and samba accounts
$conf['admin']['what'] = 1;
// use hook.php instead of hook-dist.php
$conf['admin']['use_hook'] = false;
// enable quota
$conf['admin']['quota'] = true;
// compatibilite LDAP
$conf['evoadmin']['version'] = 3;
$conf['url']['webroot'] = '/';
$conf['domaines']['onlyone'] = false;
$conf['domaines']['driver'] = 'ldap';
$conf['domaines']['file']['all'] = array('example.com');
$conf['domaines']['file']['gid'] = 1000;
// Pack Mail "virtuel"... attention
// uniquement possible si $conf['admin']['what']=1 !!
$conf['domaines']['ldap']['virtual'] = true;
// Mode cluster
// Uniquement en mode mail seul et des utilisateurs virtuels
$conf['evoadmin']['cluster'] = false;
// auth SMTP by default ?
$conf['evoadmin']['useauthsmtp'] = false;
// Si comptes virtuels
$conf['unix']['uid'] = 5000;
// Si pas virtuel
$conf['unix']['minuid'] = 1000;
$conf['unix']['mingid'] = 1000;
$conf['html']['title'] = "Evoadmin Mail";
// gestion des logs
$conf['log']['priority'] = PEAR_LOG_DEBUG;
$conf['log']['name'] = '/var/log/evoadmin-mail.log';
$conf['log']['software'] = 'evoadminmail';
$conf['log']['enabled'] = true;
// samba
$conf['samba']['dn'] = 'DOMAINNAME';
$conf['samba']['sid'] = 'S-1-5-21-XXX-XXX-XXX';
$conf['samba']['admin_default'] = false;
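Review bot: `$conf['log']['priority'] = PEAR_LOG_DEBUG;` ships a production admin interface at debug verbosity into `/var/log/evoadmin-mail.log`, which the role makes group-readable by `adm`; what the application logs at that level is not visible here, but debug output from a tool handling account passwords is unlikely to belong there, so `PEAR_LOG_INFO` or an `evoadminmail_log_priority` variable is safer. `$conf['domaines']['file']['all'] = array('example.com');` is inactive with `driver = 'ldap'` but reads like live configuration; a comment `// unused with the ldap driver` would help the next reader. In `$conf['admin']['mail']` the `| mandatory` binds only to `general_alert_email`, not to the whole `or` expression, which is fine but worth a comment since it reads as if it guards both.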


@ -0,0 +1,28 @@
<?php
/**
* Secrete parameters
*
* $Id: connect-dist.php,v 1.3 2007-05-22 21:12:23 reg Exp $
*
* @author Gregory Colpart <reg@evolix.fr>
* @version 1.0
*/
define("LDAP_URI","ldap://127.0.0.1");
$ldap_servers = array('ldap://127.0.0.1');
define("LDAP_BASE","{{ ldap_suffix }}");
define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}");
define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}");
define("SUDOBIN","/usr/bin/sudo");
define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh");
define("SUDOPASS","xxxxxx");
define('SERVEUR','localhost');
define('SERVEURPORT',3306);
define('BASE','horde');
define('NOM', 'horde');
define('PASSE', 'xxxx');
?>
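Review bot: `LDAP_ADMIN_DN` binds the web application as `cn=admin,{{ ldap_suffix }}`, the directory's administrative DN, so a compromise of the PHP process (running as `www-{{ evoadminmail_username }}` per the vhost) yields full write access to the whole directory; a dedicated bind DN with ACLs scoped to the mail subtree is the least-privilege form. `LDAP_ADMIN_PASS` is filled from `ldap_admin_password.stdout`, a result registered by some other role, so the file is only correct when that role ran earlier in the same play; a comment stating that dependency would save a confusing failure. `SUDOPASS` and the MySQL `PASSE` are left as `xxxxxx`/`xxxx` placeholders: if they are unused in the mail-only deployment, say so in a comment so nobody mistakes them for real secrets, and if they are used, they are effectively empty.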


@ -0,0 +1,12 @@
dn: uid=evoadmin,{{ ldap_suffix }}
uid: evoadmin
cn: Evoadmin ADM
uidNumber: 4242
gidNumber: 4242
homeDirectory: /dev/null
isAdmin: TRUE
mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }}
objectClass: mailAccount
objectClass: organizationalRole
objectClass: posixAccount
userPassword: {{ evoadminmail_admin_password.stdout }}
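Review bot: `userPassword: {{ evoadminmail_admin_password.stdout }}` stores the generated admin password in cleartext both in the directory and in the LDIF left under `/root`, unless slapd is configured to hash on write, which this commit does not show; hashing in the template, for example `userPassword: {CRYPT}{{ evoadminmail_admin_password.stdout | password_hash('sha512') }}` where the slapd build supports `{CRYPT}` (or running the value through `slappasswd` in a task), keeps the cleartext out of both. `uidNumber`/`gidNumber: 4242` are hard-coded and would collide with any existing account using that id; with `homeDirectory: /dev/null` that is probably harmless, but a comment stating the entry is never meant to map to a Unix account would help.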


@ -0,0 +1,58 @@
<VirtualHost *:80>
ServerName {{ evoadminmail_host }}
Redirect permanent / https://{{ evoadminmail_host }}/
</VirtualHost>
<VirtualHost *:443>
# FQDN principal
ServerName {{ evoadminmail_host }}
#ServerAlias {{ evoadminmail_host }}
# Repertoire principal
DocumentRoot {{ evoadminmail_document_root }}/htdocs/
# SSL
SSLEngine on
SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt
SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key
SSLProtocol all -SSLv2 -SSLv3
# Propriete du repertoire
<Directory {{ evoadminmail_document_root }}/htdocs/>
#Options Indexes SymLinksIfOwnerMatch
Options SymLinksIfOwnerMatch
AllowOverride AuthConfig Limit FileInfo
Require all granted
</Directory>
# user - group (thanks to sesse@debian.org)
AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }}
# LOG
CustomLog /var/log/apache2/access.log combined
CustomLog {{ evoadminmail_log_dir }}/access.log combined
ErrorLog {{ evoadminmail_log_dir }}/error.log
# AWSTATS
SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }}
# REWRITE
UseCanonicalName On
RewriteEngine On
RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
# PHP
#php_admin_flag engine off
#AddType text/html .html
#php_admin_flag display_errors On
#php_flag short_open_tag On
#php_flag register_globals On
#php_admin_value memory_limit 256M
#php_admin_value max_execution_time 60
#php_admin_value upload_max_filesize 8M
#php_admin_flag allow_url_fopen Off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}"
php_admin_value open_basedir "none"
</VirtualHost>
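Review bot: `php_admin_value open_basedir "none"` switches open_basedir off entirely for an admin interface that runs as a dedicated user and calls sudo-wrapped scripts, so any file-read or include bug in the application reaches the whole filesystem; `php_admin_value open_basedir "{{ evoadminmail_document_root }}:/tmp"` costs nothing unless the app needs more, which this commit does not show. `SSLProtocol all -SSLv2 -SSLv3` still enables TLS 1.0 and 1.1 and no `SSLCipherSuite` or HSTS header is set; for the Debian 9 target the tasks mention, `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` plus `Header always set Strict-Transport-Security "max-age=31536000"` (mod_headers) is the usual minimum. `AssignUserID` requires mpm-itk, which none of the visible tasks installs or enables; if another role is expected to provide it, a comment here would explain an otherwise puzzling load failure.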


@ -0,0 +1,3 @@
User_Alias EVOADMIN = www-evoadmin
Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
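Review bot: `User_Alias EVOADMIN = www-evoadmin` names the evoadmin-web user, while this role creates `www-{{ evoadminmail_username }}` (`www-evoadmin-mail` with the defaults), and `evoadmin_scripts_dir` is not a variable this role defines (`evoadminmail_scripts_dir` is), so with `| mandatory` the template fails to render and, were the variable supplied, the NOPASSWD grant would land on the wrong account; use `User_Alias EVOADMIN = www-{{ evoadminmail_username }}` and `{{ evoadminmail_scripts_dir | mandatory }}`. The task that would install this file is commented out in `user.yml` in this commit, so it is currently dead, which a header comment should state. When it is enabled, keep the `validate: "visudo -cf %s"` from the commented task, since a malformed sudoers.d file can lock out sudo entirely.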


@ -0,0 +1,2 @@
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
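Review bot: `CONTACT_MAIL` and `WWWBOUNCE_MAIL` reference `evoadmin_contact_email` and `evoadmin_bounce_email`, but this role's defaults define `evoadminmail_contact_email` and `evoadminmail_bounce_email`, so the `or` either errors on the undefined name or (with lenient settings) always falls through to `general_alert_email`; rename them to the `evoadminmail_` variables. The task rendering this file is commented out in `config.yml`, so the mismatch is latent for now and worth a comment.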


@ -0,0 +1,86 @@
From: {{ evoadmin_tpl_mail_from }}
To: RCPTTO
Bcc: {{ evoadmin_tpl_mail_bcc }}
Subject: Parametres hebergement web : LOGIN
Bonjour,
Votre compte d'hebergement web a ete cree.
**********************************
* CONNEXION SFTP/SSH
**********************************
NOM DU SERVEUR : {{ evoadmin_tpl_servername }}
USER : LOGIN
PASSWORD : PASSE1
*****************************************
* Details sur l'environnement Apache/PHP
*****************************************
URL du site :
http://{{ evoadmin_tpl_servername }}
URL des stats :
http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl
(acces par IP ou login a demander !)
Repertoire de connexion : HOME_DIR/LOGIN/
Repertoire pour site web : HOME_DIR/LOGIN/www/
Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
uniquement *en lecture* aux differents fichiers/repertoires
(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
fichiers ce qui est le comportement par defaut).
Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
***********************************
* MySQL
***********************************
SERVEUR : 127.0.0.1
PORT DU SERVEUR : 3306
USER : LOGIN
PASSWORD : PASSE2
NOM BASE : DBNAME
URL interface d'admin :
{{ evoadmin_tpl_phpmyadmin_url }}
***********************************
* Rappels divers
***********************************
Votre nom de domaine doit etre configure pour pointer
sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A)
ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).
Si vous avez besoin de faire des tests, vous devez
ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }}
Attention, par defaut, toutes les connexions vers l'exterieur
sont bloquees. Si vous avez besoin de recuperer des donnees
a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
afin de mettre en oeuvre les autorisations necessaires.
Afin de securiser au maximum le serveur, certaines URL
particulieres sont non autorisees pour eviter diverses
attaques (XSS, robots, trojans, injections, etc.).
Exemple d'URL refusee :
http://{{ evoadmin_tpl_servername }}/cmd32.exe
En cas de soucis avec votre application, prevenez-nous.
Si vous desirez mettre en place des parametres particuliers
pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
etc.), n'hesitez pas a nous contacter a l'adresse
{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est
urgente).
Cordialement,
--
{{ evoadmin_tpl_signature }}
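Review bot: The variables used here (`evoadmin_tpl_*`) are not the ones this role defines (`evoadminmail_tpl_*`), so rendering fails on the first undefined name once the task in `config.yml` that writes this file is re-enabled. The body also still describes SFTP, Apache/PHP and MySQL credentials for a web-hosting account, which does not match what a mail-account creation would hand out, so it needs rewriting for the mail case rather than just a variable rename. `Bcc: {{ evoadmin_tpl_mail_bcc }}` renders as `Bcc: None` with the `Null` default, which sendmail will reject or misdeliver; wrap it in `{% if %}` or default it to an empty string. Sending the generated passwords (`PASSE1`, `PASSE2`) in cleartext e-mail is inherited behaviour, but a comment acknowledging it would be appropriate.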


@ -6,7 +6,7 @@
section: PHP
option: "disable_functions"
value: "shell-exec,system,passthru,putenv,popen"
notify: reload apache
notify: reload apache2
when: ansible_distribution_release == "jessie"
- name: "Set custom values for PHP config (Debian 9 or later)"
@ -15,7 +15,7 @@
section: PHP
option: "disable_functions"
value: "shell-exec,system,passthru,putenv,popen"
notify: reload apache
notify: reload apache2
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: Install evoadmin VHost


@ -0,0 +1,4 @@
---
roundcube_host: "roundcube.{{ ansible_fqdn }}"
roundcube_imap_host: "localhost"
roundcube_imap_port: 143


@ -0,0 +1,5 @@
---
- name: restart imapproxy
systemd:
name: imapproxy
state: restarted


@ -0,0 +1,104 @@
---
- name: configure roundcube-core
debconf:
name: roundcube-core
question: "{{ item.key }}"
value: "{{ item.value }}"
vtype: "{{ item.type }}"
with_items:
- { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' }
- { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' }
tags:
- roundcube
- name: install Roundcube
apt:
name: "{{ item }}"
state: present
with_items:
- imapproxy
- roundcube
- roundcube-sqlite3
- roundcube-plugins
- php-net-sieve
- php-zip
tags:
- roundcube
- name: configure imapproxy imap host
lineinfile:
dest: /etc/imapproxy.conf
regexp: "^server_hostname"
line: "server_hostname {{ roundcube_imap_host }}"
notify: restart imapproxy
tags:
- roundcube
- name: configure imapproxy imap port
lineinfile:
dest: /etc/imapproxy.conf
regexp: "^server_port"
line: "server_port {{ roundcube_imap_port }}"
notify: reload imapproxy
tags:
- roundcube
- name: enable and start imapproxy
service:
name: imapproxy
state: started
enabled: True
tags:
- roundcube
- name: configure roundcube imap host
lineinfile:
dest: /etc/roundcube/config.inc.php
regexp: "\\$config\\['default_host'\\]"
line: "$config['default_host'] = array('127.0.0.1');"
tags:
- roundcube
- name: configure roudcube imap port
lineinfile:
dest: /etc/roundcube/config.inc.php
regexp: "\\$config\\['default_port'\\]"
insertafter: "\\$config\\['default_host'\\]"
line: "$config['default_port'] = 1143;"
tags:
- roundcube
- name: configure managesieve plugin
copy:
src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist
dest: /etc/roundcube/plugins/managesieve/config.inc.php
mode: "0644"
remote_src: True
tags:
- roundcube
- name: enable default plugins
replace:
dest: /etc/roundcube/config.inc.php
regexp: "^\\$config\\['plugins'\\] = array\\($"
replace: "$config['plugins'] = array('zipdownload','managesieve'"
tags:
- roundcube
- name: deploy roundcube vhost
template:
src: apache2.conf.j2
dest: /etc/apache2/sites-available/rouncube.conf
mode: "0640"
notify: reload apache2
tags:
- roundcube
- name: enable roundcube vhost
file:
src: /etc/apache2/sites-available/rouncube.conf
dest: /etc/apache2/sites-enabled/rouncube.conf
state: link
notify: reload apache2
tags:
- roundcube
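Review bot: `configure imapproxy imap port` notifies `reload imapproxy`, but the handlers file in this commit only defines `restart imapproxy`, so the first time that task changes something the play aborts on an unknown handler; change it to `notify: restart imapproxy`. `deploy roundcube vhost` and `enable roundcube vhost` both use `rouncube.conf`, which works because the typo is consistent but will confuse anyone using `a2ensite`/`a2dissite` by name; renaming both to `roundcube.conf` is cheap now. The `lineinfile` edits to `/etc/roundcube/config.inc.php` assume `default_host`/`default_port` each sit on a line of their own in the packaged file; if they do not, the lines are appended wherever the regexp/insertafter lands, so a `validate: "php -l %s"` on those tasks would catch a broken config before Apache serves it.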


@ -0,0 +1,46 @@
<VirtualHost *:80>
ServerName {{ roundcube_host }}
Redirect permanent / https://{{ roundcube_host }}
</VirtualHost>
<VirtualHost *:443>
# FQDN principal
ServerName {{ roundcube_host }}
# Repertoire principal
DocumentRoot /var/lib/roundcube/
# Return 503 if imapproxy doesn't run
<If "! -f '/run/imapproxy.pid'">
Redirect 503 /
</If>
Include /etc/roundcube/apache.conf
# LOG
CustomLog /var/log/apache2/access.log vhost_combined
CustomLog /var/lib/roundcube/logs/access.log combined
ErrorLog /var/lib/roundcube/logs/error.log
# REWRITE
UseCanonicalName On
RewriteEngine On
RewriteCond %{HTTP_HOST} !^{{ roundcube_host }}$
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]
# PHP
#php_admin_flag engine off
#AddType text/html .html
#php_admin_flag display_errors On
#php_flag short_open_tag On
#php_flag register_globals On
#php_admin_value memory_limit 256M
#php_admin_value max_execution_time 60
#php_admin_value upload_max_filesize 8M
#php_admin_flag allow_url_fopen Off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-roundcube"
php_admin_value error_log "/home/roundcube/log/php.log"
#php_admin_value open_basedir "/usr/share/php:/home/roundcube:/tmp"
</VirtualHost>
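Review bot: The `<VirtualHost *:443>` block has no `SSLEngine on`, `SSLCertificateFile` or `SSLCertificateKeyFile`, so Apache either serves this webmail (which carries IMAP logins) as plain HTTP on port 443 or fails to start, and the `RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]` inside it redirects mismatched hosts back to cleartext `http://`; the evoadminmail vhost in this same commit shows the intended pattern. A certificate for `{{ roundcube_host }}` must also be provisioned, which no visible task does, so the paths below are a proposal. `php_admin_value error_log "/home/roundcube/log/php.log"` points at a home directory nothing visible here creates, so PHP errors will be dropped; `/var/lib/roundcube/logs/php.log`, beside the access/error logs already used, avoids that.

```apache
    # SSL
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/{{ roundcube_host }}.crt
    SSLCertificateKeyFile /etc/ssl/private/{{ roundcube_host }}.key
    # … unchanged: Include, logging, UseCanonicalName/RewriteEngine/RewriteCond …
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
```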