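#
# aia_mailserver
#
# Builds a mail stack from one merged configuration: MySQL, Apache/PHP-FPM,
# ViMbAdmin, Roundcube, Dovecot, Postfix, rspamd (with Redis) and OpenDKIM.
# `param_cfg` is merged over `default_cfg` (mergedata: keys in param_cfg win)
# and the result is published as `aia_mailserver.cfg` for the helper bundles
# at the end of this file.
#
# Mandatory params (no entry in default_cfg):
#
#   vimb_domain:                domain where vimbadmin is accessible
#   webmail_domain:             domain where roundcube is served
#   smtp_domain:                domain to use for smtp
#   imap_domain:                domain for imap; also names the certbot
#                               certificate used by dovecot and postfix
#   rspamd_domain:              domain for the rspamd web interface
#   vimb_server_email_address:  email address vimbadmin uses to send mails
#   vimb_security_salt:         security salt for the vimbadmin installer
#   vimb_password_salt:         password salt for vimbadmin (read by
#                               vimb_cfg; it has no default either)
#   backup_dir:                 directory where backups are stored; it has
#                               to exist
#   vmail_dir:                  where to store mails for virtual domains
#                               (default_cfg falls back to /var/vmail)
#   dkim_selector:              the dkim selector used for all mails
#   dkim_private_key_file:      path to the dkim private key
#
# Secret-bearing defaults (vimb_db_pass, roundcube_db_pass,
# vimb_rememberme_salt and the two rspamd passwords below) are placeholders
# that ship with this policy; a real deployment overrides them from
# param_cfg.
#
# Fixes relative to the previous revision: the data literals are valid JSON
# again (missing separators between mail_location/vmail_location, between
# the submission service's name/comment/enable keys and between the two
# smtp recipient_restrictions entries; trailing commas dropped), and the
# non_smtpd_milters socket uses `$(postfix.queue_dir)` instead of the
# literal `$ (postfix.queue_dir)`, which never expanded.
#
bundle agent aia_mailserver(param_cfg)
{
  vars:
    any::
      "default_cfg" data => '{
        "pam_auth":true,
        "vimb_auth":true,
        "imap":true,
        "submission":true,
        "smtp":true,
        "pop3":false,
        "sieve":false,
        "ssl":false,
        "opendkim":false,
        "myhostname":"$(sys.host)",
        "mynetworks":"",
        "myorigin":"$myhostname",
        "mydestination":"$myhostname, localhost",
        "mail_location":"mbox:~/mail:LAYOUT=maildir++:INBOX=/var/mail/%u:INDEX=~/mail/index:CONTROL=~/mail/control",
        "vmail_location":"maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index",
        "alias_maps":"$(postfix.default_alias_maps)",
        "db_host":"127.0.0.1",
        "vimb_db_pass":"vimbdb-secret",
        "vimb_server_email_name":"Vimbadmin $(param_cfg[vimb_domain])",
        "roundcube_db_pass":"roundcube-secret",
        "roundcube_version":"1.6.4",
        "roundcube_password_recovery":false,
        "vimb_rememberme_salt":"Xa])o3GwVe-$8>-vz}y~+&D\C!2Ni+_AeocxD^ZhGQz-H/8",
        "rspamd_bind_socket":"127.0.0.1:11332",
        "vmail_user":"vmail",
        "vmail_uid":"5000",
        "vmail_gid":"5000",
        "vmail_dir":"/var/vmail",
        "vimb_src_tgz":"$(sys.workdir)/data/public/vimbadmin-3.4.1.tar.gz",
        "php_handler":"$(apache.default_php_handler)",
        "postmaster_mail":"postmaster@$(sys.host)",
        "webmaster_mail":"webmaster@$(sys.host)"
      }';

      # param_cfg wins over default_cfg for every key it supplies.
      "cfg" data => mergedata(@(default_cfg), @(param_cfg));

      # The password_recovery plugin is only loaded when the operator
      # enabled it; the list is passed verbatim into Roundcube's config.
      "roundcube_plugins" string => ifelse(
        strcmp("$(cfg[roundcube_password_recovery])", "true"),
        "['acl', 'archive', 'attachment_reminder', 'emoticons', 'enigma', 'hide_blockquote', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'password_recovery', 'vcard_attachments', 'zipdownload']",
        "['acl', 'archive', 'attachment_reminder', 'emoticons', 'enigma', 'hide_blockquote', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'vcard_attachments', 'zipdownload']");

      # MySQL only listens on cfg[db_host] (loopback by default). The backup
      # directory is hard-coded here rather than derived from cfg[backup_dir]
      # like the roundcube backup below -- consider aligning them.
      "mysql_cfg" data => '{
        "settings":{
          "mysqld":{
            "bind-address":"$(cfg[db_host])",
            "lower_case_table_names":"1",
            "default-authentication-plugin":"mysql_native_password"
          }
        },
        "mariadb":false,
        "bind_address":"$(cfg[db_host])",
        "backup_dir":"/tank/backups/mysql_backups"
      }';

      # db_user_host "%" grants the account from any host; the bind-address
      # above is what actually limits network reach. If db_host stays on
      # loopback, "localhost" would be the tighter grant.
      "vimb_db" data => '{
        "db_name":"vimbadmin",
        "db_user":"vimbadmin",
        "db_host":"$(cfg[db_host])",
        "db_pass":"$(cfg[vimb_db_pass])",
        "db_user_host":"%"
      }';

      "vimb_site" data => '{
        "domain":"$(cfg[vimb_domain])",
        "aliases":[ ],
        "email":"$(cfg[webmaster_mail])",
        "disable":false,
        "doc_root":"$(apache.www_dir)/$(cfg[vimb_domain])/public",
        "php_handler":"$(cfg[php_handler])",
        "ssl":true,
        "raw":"
Alias /vimbadmin $(apache.www_dir)/$(cfg[vimb_domain])/public
"
      }';

      # password_salt has no default: cfg[vimb_password_salt] must come
      # from param_cfg or it expands to the literal placeholder.
      "vimb_cfg" data => '{
        "src_tgz":"$(cfg[vimb_src_tgz])",
        "install_dir":"$(apache.www_dir)/$(cfg[vimb_domain])",
        "restore_db_file":"$(cfg[backup_dir])/vimbdb.sql",
        "db_driver":"pdo_mysql",
        "db_user":"$(vimb_db[db_user])",
        "db_pass":"$(vimb_db[db_pass])",
        "db_host":"$(vimb_db[db_host])",
        "db_name":"$(vimb_db[db_name])",
        "server_email_name":"$(cfg[vimb_server_email_name])",
        "server_email_address":"$(cfg[vimb_server_email_address])",
        "security_salt":"$(cfg[vimb_security_salt])",
        "rememberme_salt":"$(cfg[vimb_rememberme_salt])",
        "password_salt":"$(cfg[vimb_password_salt])"
      }';

      "roundcube_site" data => '{
        "domain":"$(cfg[webmail_domain])",
        "aliases":[ ],
        "email":"$(cfg[webmaster_mail])",
        "disable":false,
        "php_handler":"$(cfg[php_handler])",
        "doc_root":"$(apache.www_dir)/$(cfg[webmail_domain])/public/",
        "ssl":true,
        "raw":" "
      }';

      # Roundcube reaches IMAP/submission over STARTTLS on the public
      # hostnames, so the certbot certificate for imap_domain must cover
      # them. keep_installer leaves the web installer in place -- it should
      # be turned off once the instance is set up.
      "roundcube_cfg" data => '{
        "db_host":"$(cfg[db_host])",
        "db_user":"roundcube",
        "db_pass":"$(cfg[roundcube_db_pass])",
        "db_user_host":"%",
        "db_name":"roundcube",
        "www_user":"$(apache.www_user)",
        "www_group":"$(apache.www_group)",
        "install_dir":"$(apache.www_dir)/$(cfg[webmail_domain])",
        "version":"$(cfg[roundcube_version])",
        "backup_dir":"$(cfg[backup_dir])/roundcube",
        "settings":{
          "imap_host":"\'tls://$(cfg[imap_domain]):143\'",
          "smtp_host":"\'tls://$(cfg[smtp_domain]):587\'",
          "plugins":"$(roundcube_plugins)"
        },
        "keep_installer":true
      }';

      # The recovery plugin talks to the vimbadmin database directly.
      "roundcube_password_recover_cfg" data => '{
        "db_host":"$(vimb_cfg[db_host])",
        "db_user":"$(vimb_cfg[db_user])",
        "db_pass":"$(vimb_cfg[db_pass])",
        "db_name":"$(vimb_cfg[db_name])",
        "settings":{
          "pr_admin_email":"\'$(cfg[postmaster_mail])\'",
          "pr_replyto_email":"\'$(cfg[postmaster_mail])\'"
        }
      }';

      # The rspamd controller is exposed through an Apache reverse proxy;
      # the only access control visible here is rspamd's own password from
      # rspamd_cfg, so that password must be overridden in param_cfg.
      "rspamd_site" data => '{
        "domain":"$(cfg[rspamd_domain])",
        "aliases":[ ],
        "email":"$(cfg[webmaster_mail])",
        "disable":false,
        "ssl":true,
        "doc_root":"$(apache.www_dir)/$(cfg[rspamd_domain])",
        "php_handler":"proxy:unix:$(php.fpm_socket)|fcgi://localhost/",
        "raw":"
ProxyPass http://localhost:11334/
ProxyPassReverse http://localhost:11334/
"
      }';

      # worker_normal/worker_proxy are UCL snippets; the `#` line is a UCL
      # comment and has to stay on its own line.
      "rspamd_cfg" data => '{
        "worker_normal":"
#bind_socket = \\"localhost:12222\\"
",
        "worker_proxy":"
upstream \\"local\\" {
  self_scan = yes
}
bind_socket = \\"$(cfg[rspamd_bind_socket])\\"
",
        "password":"hallorspamd",
        "enable-password":"hallorspamd-enable"
      }';

      "opendkim_cfg" data => '{
        "mynetworks":[ "127.0.0.1" ],
        "keyfile":"$(cfg[dkim_private_key_file])",
        "selector":"$(cfg[dkim_selector])",
        "uid":"$(postfix.user)",
        "gid":"$(postfix.group)",
        "milter_sock":"$(postfix.queue_dir)/private/opendkim"
      }';

      # Dovecot auth backends rendered from cfg.vimb_auth / cfg.pam_auth and
      # spliced into dovecot_cfg below (the final comma is what makes the
      # splice valid). When a section renders, its entry also leaves a comma
      # before the closing bracket; that relies on the data parser
      # tolerating it -- NOTE(review): confirm with cf-promises.
      "dbs" string => string_mustache('
        "userdbs":[
          {{#cfg.vimb_auth}}
          { "driver":"sql", "args":"$(dovecot_vimbadmin_sql.cfg_file)" },
          {{/cfg.vimb_auth}}
          {{#cfg.pam_auth}}
          { "driver":"passwd", "args":"" },
          {{/cfg.pam_auth}}
        ],
        "passdbs":[
          {{#cfg.vimb_auth}}
          { "driver":"sql", "args":"$(dovecot_vimbadmin_sql.cfg_file)" },
          {{/cfg.vimb_auth}}
          {{#cfg.pam_auth}}
          { "driver":"pam", "args":"dovecot" },
          {{/cfg.pam_auth}}
        ],', bundlestate("$(this.bundle)"));

      # mail_debug/auth_debug in "raw" are troubleshooting settings and make
      # the log very verbose; drop them once the setup is stable. The auth
      # socket is created with mode 0666 inside postfix's private queue
      # directory; with user/group postfix already set, 0660 would suffice.
      "dovecot_cfg" data => '{
        "protocols":["imap","sieve","lmtp"],
        "ssl":true,
        "imap_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem",
        "imap_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem",
        "submission_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem",
        "submission_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem",
        "rspamd_scripts":true,
        "global_sieve_after":true,
        "default_imap_folders":true,
        "vmail_dir":"$(cfg[vmail_dir])",
        "vmail_uid":"$(cfg[vmail_uid])",
        "vmail_gid":"$(cfg[vmail_gid])",
        "raw":"
mail_location = $(cfg[mail_location])
mail_privileged_group=mail
log_path = /var/log/dovecot.log
mail_debug=yes
auth_debug=yes
protocol sieve {
  managesieve_max_line_length = 65536
}
",
        $(dbs)
        "services":{
          "imap-login":{
            "raw":"
inet_listener imap {
  port = 143
}
inet_listener imaps {
  port = 993
  ssl = yes
}
"
          },
          "pop3-login":{
            "raw":"
inet_listener pop3 {
  port = 110
}
inet_listener pop3s {
  port = 995
  ssl = yes
}
"
          },
          "auth":{
            "raw":"
unix_listener $(postfix.queue_dir)/private/auth {
  user = postfix
  group = postfix
  mode = 0666
}
"
          },
          "lmtp":{
            "raw":"
unix_listener $(postfix.queue_dir)/private/dovecot-lmtp {
  group = postfix
  mode = 0600
  user = postfix
}
"
          }
        }
      }';

      # Submission (587) requires TLS and SASL; smtp (25) is opportunistic
      # TLS without SASL and is filtered by rspamd. Notes:
      #  - tls_ssl_options = 0x40000000 appears to be OpenSSL's
      #    SSL_OP_NO_RENEGOTIATION -- confirm against the linked OpenSSL.
      #  - the smtp service sets smtpd_relay_restrictions and
      #    smtpd_recipient_restrictions twice; the later -o entry is the one
      #    Postfix is expected to apply (check with `postconf -Mx`), so the
      #    first of each pair is redundant.
      #  - debug_peer_level/debug_peer_list in main_raw are troubleshooting
      #    settings that belong in an override, not in the baseline.
      "postfix_cfg" data => '{
        "non_smtpd_milters":[ "unix:$(postfix.queue_dir)/private/opendkim" ],
        "services":[
          {
            "name":"submission",
            "comment":"Submission service",
            "enable":$(cfg[submission]),
            "type":"inet",
            "private":"n",
            "unpriv":"-",
            "chroot":"n",
            "wakeup":"-",
            "maxproc":"-",
            "command":"smtpd",
            "args":[
              "{ -o smtpd_sender_restrictions = permit_sasl_authenticated reject }",
              "{ -o smtpd_recipient_restrictions = reject_unknown_recipient_domain permit_sasl_authenticated reject }",
              "{ -o smtpd_client_restrictions = permit_sasl_authenticated reject }",
              "{ -o smtpd_helo_restrictions = permit_sasl_authenticated reject }",
              "{ -o smtpd_relay_restrictions = permit_sasl_authenticated reject }",
              "{ -o smtpd_sasl_auth_enable = yes }",
              "{ -o smtpd_sasl_type = dovecot }",
              "{ -o smtpd_sasl_path = $(postfix.queue_dir)/private/auth }",
              "{ -o smtpd_tls_security_level = encrypt }",
              "{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }",
              "{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }",
              "{ -o smtpd_tls_loglevel = 1 }",
              "{ -o smtpd_tls_received_header = yes }",
              "{ -o smtpd_tls_session_cache_timeout = 3600s }",
              "{ -o smtpd_tls_mandatory_ciphers = high}",
              "{ -o tls_ssl_options = 0x40000000}",
              "{ -o tls_preempt_cipherlist = yes}",
              "{ -o smtpd_tls_eecdh_grade = ultra}",
              "{ -o smtpd_tls_auth_only = yes }",
              "{ -o smtp_tls_note_starttls_offer = yes }",
              "{ -o smtpd_milters = unix:$(postfix.queue_dir)/private/opendkim }"
            ]
          },
          {
            "name":"smtp",
            "comment":"SMTP service",
            "enable":$(cfg[smtp]),
            "type":"inet",
            "private":"n",
            "unpriv":"-",
            "chroot":"n",
            "wakeup":"-",
            "maxproc":"-",
            "command":"smtpd",
            "args":[
              "{ -o smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination }",
              "{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination }",
              "{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unlisted_recipient reject_unauth_destination reject_unknown_recipient_domain reject_rbl_client ix.dnsbl.manitu.net reject_rbl_client zen.spamhaus.org }",
              "{ -o smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname reject_unauth_pipelining }",
              "{ -o smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname reject_unknown_hostname reject_non_fqdn_hostname }",
              "{ -o smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination }",
              "{ -o smtpd_milters = inet:$(cfg[rspamd_bind_socket]) }",
              "{ -o smtpd_use_tls = yes }",
              "{ -o smtpd_tls_mandatory_ciphers = high }",
              "{ -o tls_preempt_cipherlist = yes }",
              "{ -o smtpd_tls_eecdh_grade = ultra }",
              "{ -o smtpd_tls_security_level = may }",
              "{ -o smtp_tls_note_starttls_offer = yes }",
              "{ -o smtpd_sasl_auth_enable = no }",
              "{ -o smtpd_tls_loglevel = 1 }",
              "{ -o smtpd_tls_received_header = yes }",
              "{ -o smtpd_tls_session_cache_timeout = 3600s }",
              "{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }",
              "{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }"
            ]
          }
        ],
        "main_raw":"
debug_peer_level=4
debug_peer_list=128.140.41.19
#compatibility_level = 3.8
myhostname=$(cfg[myhostname])
mydestination=$(cfg[mydestination])
alias_maps=$(cfg[alias_maps])
myorigin=$(cfg[myorigin])
mynetworks=$(cfg[mynetworks])
local_recipient_maps = unix:passwd.byname $alias_maps
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_alias_maps = mysql:$(postfix_vimbadmin_sql.virtual_alias_maps)
virtual_mailbox_domains = mysql:$(postfix_vimbadmin_sql.virtual_domains_maps)
virtual_mailbox_maps = mysql:$(postfix_vimbadmin_sql.virtual_mailbox_maps)
",
        "master_raw":""
      }';

  users:
    # Owner of the virtual mail store; uid/gid are mirrored into dovecot_cfg.
    "$(cfg[vmail_user])"
      policy      => "present",
      description => "Vmail user",
      uid         => "$(cfg[vmail_uid])";

  methods:
    "any" usebundle => install_system_repos;

    "any" usebundle => aia_install_dbs,
          handle    => "aia_dbs_installed";

    "any" usebundle => aia_install_apache,
          handle    => "aia_apache_installed";

    "any" usebundle  => aia_install_sites,
          handle     => "aia_sites_installed",
          depends_on => { "aia_apache_installed" };

    "any" usebundle  => vimbadmin(@(vimb_cfg)),
          depends_on => { "aia_sites_installed" };

    # The roundcube backup directory is promised under files: below and
    # must exist before the installer runs.
    "any" usebundle  => roundcube(@(roundcube_cfg)),
          handle     => "aia_roundcube_installed",
          depends_on => { "aia_sites_installed", "aia_roundcube_backup_dir_created" };

    "any" usebundle  => configure_roundcube(@(roundcube_cfg)),
          depends_on => { "aia_roundcube_installed" };

    "any" usebundle => configure_roundcube_password_plugin(@(vimb_cfg));
    "any" usebundle => roundcube_install_password_recovery_plugin(@(roundcube_password_recover_cfg));

    "any" usebundle => install_postfix_pkgs;
    "any" usebundle => install_dovecot_pkgs;
    "any" usebundle => install_redis;
    "any" usebundle => install_rspamd_pkgs;

    "any" usebundle => dovecot(@(dovecot_cfg));
    "any" usebundle => postfix(@(postfix_cfg));
    "any" usebundle => rspamd(@(rspamd_cfg));
    "any" usebundle => dovecot_vimbadmin_sql(@(vimb_cfg), @(dovecot_cfg));
    "any" usebundle => postfix_vimbadmin_sql(@(vimb_db));
    "any" usebundle => opendkim(@(opendkim_cfg));

  files:
    "$(roundcube_cfg[backup_dir])/."
      create => "true",
      handle => "aia_roundcube_backup_dir_created";
}

# Installs MySQL and creates the vimbadmin and roundcube databases from the
# data published by aia_mailserver.
bundle agent aia_install_dbs
{
  methods:
    "any" usebundle => install_mysql_server(@(aia_mailserver.mysql_cfg)),
          handle    => "aia_mysql_installed";

    "any" usebundle  => create_mysql_db(@(aia_mailserver.vimb_db)),
          depends_on => { "aia_mysql_installed" };

    "any" usebundle  => create_mysql_db(@(aia_mailserver.roundcube_cfg)),
          depends_on => { "aia_mysql_installed" };
}

# Apache with PHP-FPM; install_apache waits for the PHP handle so the
# handler referenced by the vhosts exists first.
bundle agent aia_install_apache
{
  methods:
    "any" usebundle => apache;

    "any" usebundle  => install_apache,
          depends_on => { "aia_php_installed" };

    "any" usebundle => install_php_fpm,
          handle    => "aia_php_installed";
}

# Creates the three web vhosts and requests one certificate for the mail
# hostnames (imap_domain, with smtp_domain as alias); dovecot and postfix
# reference that certificate by imap_domain.
bundle agent aia_install_sites
{
  vars:
    "mail_site" data => '{
      "domain":"$(aia_mailserver.cfg[imap_domain])",
      "aliases":[ "$(aia_mailserver.cfg[smtp_domain])" ],
      "email":"$(aia_mailserver.cfg[webmaster_mail])",
      "disable":false
    }';

  methods:
    "any" usebundle => apache_vhost(@(aia_mailserver.vimb_site));
    "any" usebundle => apache_vhost(@(aia_mailserver.roundcube_site));
    "any" usebundle => apache_vhost(@(aia_mailserver.rspamd_site));
    "any" usebundle => certbot_cert(@(mail_site), "$(apache.web_root)");
}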