Now with ansible/untested

.env

@@ -0,0 +1,51 @@
+# postfix/dovecot user management
+DATABASE_USER=mail
+DATABASE_PASSWORD=db_password
+DATABASE_NAME=postfix
+#postfix
+MYORIGIN=creditcards.bayern
+MYHOSTNAME=mail.creditcards.bayern
+#imap
+MAILDOMAIN=mial.creditcards.bayern
+#spam
+PORT=11334
+PASSWORD=nichtsicher
+#roundcube
+ROUNDCUBEMAIL_DEFAULT_HOST=imap
+ROUNDCUBEMAIL_SMTP_SERVER=smtp
+ROUNDCUBEMAIL_PLUGINS=archive,zipdownload,managesieve,password
+ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=100M
+ROUNDCUBEMAIL_DB_TYPE=mysql
+ROUNDCUBEMAIL_DB_HOST=db
+ROUNDCUBEMAIL_DB_USER=mail
+ROUNDCUBEMAIL_DB_PASSWORD=BGun02otSchuj3z
+ROUNDCUBEMAIL_DB_NAME=postfix
+#postfixadmin
+DBTYPPE=mysql
+DBHOST=db
+DBUSER=mail
+DBNAME=postfix
+DBPASS=db_password
+SMTPHOST=smtp
+DOMAIN=creditcards.bayern
+#database
+MYSQL_ROOT_PASSWORD=root_password
+MYSQL_DATABASES="postfix mailman"
+MYSQL_USER=mail
+MYSQL_PASSWORD=db_password
+#mailman-core
+DATABASE_URL=mysql://mail:db_password@db/mailman
+DATABASE_TYPE=mysql
+DATABASE_CLASS=mailman.database.mysql.MySQLDatabase
+HYPERKITTY_API_KEY=someapikey
+#mailman-web
+DATABASE_URL=mysql://mail:db_password@db/mailman
+DATABASE_TYPE=mysql
+HYPERKITTY_API_KEY=someapikey
+SECRET_KEY=thisisaverysecretkey
+DYLD_LIBRARY_PATH=/usr/local/mysql/lib/
+SERVE_FROM_DOMAIN=lists.creditcards.bayern
+DJANGO_ALLOWED_HOSTS=mailman.creditcards.bayern
+MAILMAN_ADMIN_USER=admin
+MAILMAN_ADMIN_EMAIL=a3x@eris.cc
+UWSGI_STATIC_MAP=/static=/opt/mailman-web-data/static

deploy/ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+roles_path = roles
+legacy_playbook_variable = no
+nocows = 1
+
+[ssh_connection]
+pipelining = yes

deploy/deploy

@@ -0,0 +1 @@
+/usr/bin/env ansible-playbook --ask-become -i inventory playbook.yml --vault-password-file vaultpass "$@"

deploy/playbook.yml

@@ -0,0 +1,5 @@
+---
+- hosts: servers
+  become: yes
+  roles:
+    - { role: mailserver }

deploy/roles/mailserver/files/docker-compose.yml

@@ -0,0 +1,184 @@
+version: '3'
+services:
+  smtp:
+    container_name: smtp
+    build: ./smtp
+    restart: always
+    depends_on: 
+      - imap
+      - db
+    ports:
+      - '25:25'
+      - '587:587'
+    links:
+      - imap:imap
+      - db:db
+      - spam:spam
+    volumes:
+      - ./smtp/main.cf:/etc/postfix/main.cf:ro
+      - ./smtp/master.cf:/etc/postfix/master.cf:ro
+      - /data/mailserver/mailman/data:/mailman
+      - mails:/home/vmail
+      - certs:/certs
+    labels:
+      - "traefik.enable=false"
+
+  imap:
+    container_name: imap
+    build: ./imap
+    restart: always
+    depends_on:
+     - extractor
+     - db
+    ports:
+     - '993:993'
+     - '4190:4190'
+    expose:
+     - '24'
+     - '8472'
+    links:
+      - db
+      - spam
+    volumes:
+      - mails:/home/vmail
+      - certs:/certs
+    labels:
+      - "traefik.enable=false"
+
+  spam:
+    container_name: spam
+    build: ./spam
+    restart: always
+    expose:
+      - 11334
+    volumes:
+      - spam:/data
+      - /etc/localtime:/etc/localtime:ro
+    labels:
+      - "traefik.frontend.rule=Host:spam.creditcards.bayern"
+      - "traefik.port=11334"
+
+  webmail:
+    container_name: webmail
+    image: roundcube/roundcubemail:latest-apache
+    depends_on:
+      - smtp
+      - imap
+      - db
+    restart: always
+    links:
+      - imap:imap
+      - smtp:smtp
+    labels:
+      - "traefik.frontend.rule=Host:mail.creditcards.bayern"
+      - "traefik.port=80"
+
+  admin:
+    container_name: admin
+    links:
+      - db:db
+    depends_on:
+      - db
+    image: hardware/postfixadmin:latest
+    expose:
+      - "8888"
+    restart: always
+    labels:
+      - "traefik.frontend.rule=Host:admin.creditcards.bayern"
+      - "traefik.port=8888"
+  
+  db:
+    container_name: mariadb
+    image: mariadb:10.3
+    restart: always
+    volumes:
+      - database:/var/lib/mysql
+      - ./docker-entrypoint.sh:/docker-entrypoint.sh
+    labels:
+      - "traefik.enable=false"
+
+  mailman-core:
+    image: maxking/mailman-core:latest
+    container_name: mailman-core
+    hostname: mailman-core
+    volumes:
+      - /data/mailserver/mailman/core:/opt/mailman/
+      - ./mailman-extra.cfg:/opt/mailman/core/mailman-extra.cfg
+    links:
+     - db
+     - smtp
+     - imap
+    depends_on:
+      - db
+    labels:
+      - "traefik.enable=false"
+
+  mailman-web:
+    image: maxking/mailman-web:latest
+    container_name: mailman-web
+    hostname: mailman-web
+    expose:
+      - 8000
+      - 8080
+    depends_on:
+      - db
+    links:
+      - mailman-core:mailman-core
+      - db:db
+    volumes:
+      - /data/mailserver/mailman/web:/opt/mailman-web-data
+    labels:
+      #- "traefik.frontend.rule=Host:mailman.creditcards.bayern"
+      #- "traefik.port=8000"
+      - "traefik.enable=false"
+  
+    
+  nginx:
+    container_name: nginx
+    image: nginx:mainline
+    restart: always
+    expose:
+      - 80
+    links:
+      - mailman-web:mailman-web
+    volumes:
+      - ./nginx/:/etc/nginx/conf.d/
+      - /data/mailserver/mailman/web:/opt/mailman/
+    labels:
+      - "traefik.frontend.rule=Host:mailman.creditcards.bayern"
+      - "traefik.port=80"
+
+
+
+
+  traefik:
+    container_name: traefik
+    image: traefik  # The official Traefik docker image
+    command: --api --docker  # Enables the web UI and tells Traefik to listen to docker
+    restart: always
+    ports:
+      - "80:80"      # The HTTP port
+      - "443:443"
+      - "8080:8080"  # The Web UI (enabled by --api)
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock  # So that Traefik can listen to the Docker events
+      - ./traefik/:/etc/traefik
+    labels:
+      - "traefik.frontend.rule=Host:traefik.creditcards.bayern"
+
+  extractor:
+    container_name: extractor
+    image: danielhuisman/traefik-certificate-extractor
+    volumes: 
+      - /data/mailserver/traefik:/app/data
+      - certs:/app/certs_flat
+    labels:
+      - "traefik.enable=false"
+
+
+
+volumes:
+  database:
+  mails:
+  certs:
+  spam:

deploy/roles/mailserver/files/docker-entrypoint.sh

@@ -0,0 +1,206 @@
+#!/bin/bash
+set -eo pipefail
+shopt -s nullglob
+
+# if command starts with an option, prepend mysqld
+if [ "${1:0:1}" = '-' ]; then
+	set -- mysqld "$@"
+fi
+
+# skip setup if they want an option that stops mysqld
+wantHelp=
+for arg; do
+	case "$arg" in
+		-'?'|--help|--print-defaults|-V|--version)
+			wantHelp=1
+			break
+			;;
+	esac
+done
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+_check_config() {
+	toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" )
+	if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
+		cat >&2 <<-EOM
+			ERROR: mysqld failed while attempting to check config
+			command was: "${toRun[*]}"
+			$errors
+		EOM
+		exit 1
+	fi
+}
+
+# Fetch value from server config
+# We use mysqld --verbose --help instead of my_print_defaults because the
+# latter only show values present in config files, and not server defaults
+_get_config() {
+	local conf="$1"; shift
+	"$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
+		| awk '$1 == "'"$conf"'" && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
+	# match "datadir      /some/path with/spaces in/it here" but not "--xyz=abc\n     datadir (xyz)"
+}
+
+# allow the container to be started with `--user`
+if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then
+	_check_config "$@"
+	DATADIR="$(_get_config 'datadir' "$@")"
+	mkdir -p "$DATADIR"
+	find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
+	exec gosu mysql "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
+	# still need to check config, container may have started with --user
+	_check_config "$@"
+	# Get config
+	DATADIR="$(_get_config 'datadir' "$@")"
+
+	if [ ! -d "$DATADIR/mysql" ]; then
+		file_env 'MYSQL_ROOT_PASSWORD'
+		if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+			echo >&2 'error: database is uninitialized and password option is not specified '
+			echo >&2 '  You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
+			exit 1
+		fi
+
+		mkdir -p "$DATADIR"
+
+		echo 'Initializing database'
+		# "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
+		mysql_install_db --datadir="$DATADIR" --rpm "${@:2}"
+		echo 'Database initialized'
+
+		SOCKET="$(_get_config 'socket' "$@")"
+		"$@" --skip-networking --socket="${SOCKET}" &
+		pid="$!"
+
+		mysql=( mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" )
+
+		for i in {30..0}; do
+			if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then
+				break
+			fi
+			echo 'MySQL init process in progress...'
+			sleep 1
+		done
+		if [ "$i" = 0 ]; then
+			echo >&2 'MySQL init process failed.'
+			exit 1
+		fi
+
+		if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
+			# sed is for https://bugs.mysql.com/bug.php?id=20545
+			mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql
+		fi
+
+		if [ ! -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+			export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
+			echo "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
+		fi
+
+		rootCreate=
+		# default root to listen for connections from anywhere
+		file_env 'MYSQL_ROOT_HOST' '%'
+		if [ ! -z "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then
+			# no, we don't care if read finds a terminating character in this heredoc
+			# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
+			read -r -d '' rootCreate <<-EOSQL || true
+				CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
+				GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
+			EOSQL
+		fi
+
+		"${mysql[@]}" <<-EOSQL
+			-- What's done in this file shouldn't be replicated
+			--  or products like mysql-fabric won't work
+			SET @@SESSION.SQL_LOG_BIN=0;
+			DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
+			SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
+			GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
+			${rootCreate}
+			DROP DATABASE IF EXISTS test ;
+			FLUSH PRIVILEGES ;
+		EOSQL
+
+		if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then
+			mysql+=( -p"${MYSQL_ROOT_PASSWORD}" )
+		fi
+
+		file_env 'MYSQL_DATABASE'
+		if [ "$MYSQL_DATABASE" ]; then
+			echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}"
+			mysql+=( "$MYSQL_DATABASE" )
+		fi
+		
+		# create several databases using the MYSQL DATABASES env
+		#example: export MYSQL_DATABASES = "one two three"
+		file_env 'MYSQL_DATABASES'
+		if [ "$MYSQL_DATABASES" ]; then
+			for databaseName in $MYSQL_DATABASES; do
+				echo "CREATE DATABASE IF NOT EXISTS \`$databaseName\` ;" | "${mysql[@]}"
+			done
+
+		fi
+
+		file_env 'MYSQL_USER'
+		file_env 'MYSQL_PASSWORD'
+		if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then
+			echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}"
+
+			if [ "$MYSQL_DATABASE" ]; then
+				echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+			fi
+
+			#create the permissions for the different databases created with the db user
+			if [ "$MYSQL_DATABASES" ]; then
+				for databaseName in $MYSQL_DATABASES; do
+					echo "GRANT ALL ON \`$databaseName\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+				done
+			fi
+		fi
+
+		echo
+		for f in /docker-entrypoint-initdb.d/*; do
+			case "$f" in
+				*.sh)     echo "$0: running $f"; . "$f" ;;
+				*.sql)    echo "$0: running $f"; "${mysql[@]}" < "$f"; echo ;;
+				*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysql[@]}"; echo ;;
+				*)        echo "$0: ignoring $f" ;;
+			esac
+			echo
+		done
+
+		if ! kill -s TERM "$pid" || ! wait "$pid"; then
+			echo >&2 'MySQL init process failed.'
+			exit 1
+		fi
+
+		echo
+		echo 'MySQL init process done. Ready for start up.'
+		echo
+	fi
+fi
+
+exec "$@"

deploy/roles/mailserver/files/imap/10-auth.conf

@@ -0,0 +1,12 @@
+disable_plaintext_auth = yes
+
+auth_mechanisms = plain login
+
+passdb {
+  driver = sql
+  args = /etc/dovecot/sql.conf.ext
+}
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail mail_home=/home/vmail/%d/%n mail_location=mbox:~/mail:INBOX=/home/vmail/%u
+}

deploy/roles/mailserver/files/imap/10-master.conf

@@ -0,0 +1,59 @@
+service imap-login {
+  inet_listener imap {
+    #port = 143
+  }
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    #port = 110
+  }
+  inet_listener pop3s {
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service imap {
+}
+
+service pop3 {
+}
+
+service auth {
+  inet_listener {
+    address = * ::
+    port = 8472
+  }
+
+  unix_listener auth-userdb {
+    mode = 0600
+    user = vmail
+  }
+  user = dovecot
+}
+
+service auth-worker {
+  user = vmail
+}
+
+
+service dict {
+  unix_listener dict {
+  }
+}
+
+service lmtp {
+  inet_listener lmtp {
+    address = * ::
+    port = 24
+  }
+}
+
+plugin {
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+}

deploy/roles/mailserver/files/imap/20-lmtp.conf

@@ -0,0 +1,3 @@
+protocol lmtp {
+  mail_plugins = $mail_plugins sieve
+}

deploy/roles/mailserver/files/imap/20-managesieve.conf

@@ -0,0 +1,8 @@
+service managesieve-login {
+}
+
+service managesieve {
+}
+
+protocol sieve {
+}

deploy/roles/mailserver/files/imap/90-sieve.conf

@@ -0,0 +1,10 @@
+plugin {
+  sieve_extensions = +spamtest +spamtestplus
+
+  sieve_spamtest_status_type = score
+  sieve_spamtest_status_header = \
+    X-Spam-Score: (-?[[:digit:]]+\.[[:digit:]]).*
+  sieve_spamtest_max_value = 5.0
+
+  sieve_before = /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve
+}

deploy/roles/mailserver/files/imap/Dockerfile

@@ -0,0 +1,26 @@
+FROM alpine:latest
+RUN apk add --no-cache dovecot dovecot-pigeonhole-plugin
+
+RUN adduser -u 5000 -g vmail -s /usr/bin/nologin -h /home/vmail -S vmail
+
+RUN mkdir /etc/dovecot/sieve-filter
+RUN ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc
+
+ADD dovecot.conf /etc/dovecot/dovecot.conf
+ADD 10-auth.conf /etc/dovecot/conf.d/10-auth.conf
+ADD 10-master.conf /etc/dovecot/conf.d/10-master.conf
+
+
+ADD 20-lmtp.conf /etc/dovecot/conf.d/20-lmtp.conf
+ADD 90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf
+
+
+ADD move_to_spam_folder.sieve /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve
+
+ADD ./start.sh /start.sh
+
+RUN sievec /var/lib/dovecot/sieve/global_sieves
+
+EXPOSE 993
+
+ENTRYPOINT ["/start.sh"]

deploy/roles/mailserver/files/imap/dovecot.conf

@@ -0,0 +1,12 @@
+#auth_verbose = yes
+#auth_debug = yes
+#auth_debug_passwords = yes
+#auth_verbose_passwords = yes
+#mail_debug = yes
+
+
+log_path = /dev/stdout
+
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+!include conf.d/*.conf
+protocols = imap lmtp sieve

deploy/roles/mailserver/files/imap/move_to_spam_folder.sieve

@@ -0,0 +1,8 @@
+require "spamtestplus";
+require "fileinto";
+require "relational";
+require "comparator-i;ascii-numeric";
+
+if header :contains "X-Spam-Flag" "YES" {
+  fileinto "Spam";
+}

deploy/roles/mailserver/files/imap/start.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+#if [ -n "${DATABASE_NAME}" -a -n "${DATABASE_USER}" -a -n "${DATABASE_PASSWORD}" ] ; then
+	echo -e "driver = mysql\n \
+	     	connect = host=db dbname=${DATABASE_NAME} user=${DATABASE_USER} password=${DATABASE_PASSWORD}\n \
+	     	default_pass_scheme = SHA512-CRYPT\n \
+	     	password_query = SELECT username as user, password FROM mailbox WHERE username='%u';" > /etc/dovecot/sql.conf.ext
+#fi
+
+#if [ -n "${MAILDOMAIN}" ]; then
+	echo -e "ssl = yes\n \
+		ssl_cert = </certs/${MAILDOMAIN}.crt\n \
+		ssl_key = </certs/${MAILDOMAIN}.key" > /etc/dovecot/conf.d/10-ssl.conf
+#fi
+
+dovecot -F

deploy/roles/mailserver/files/mailman-extra.cfg

@@ -0,0 +1,10 @@
+# mailman-extra.cfg
+
+[mta]
+incoming: mailman.mta.postfix.LMTP
+outgoing: mailman.mta.deliver.deliver
+lmtp_host: imap
+lmtp_port: 8472
+smtp_host: smtp
+smtp_port: 25
+configuration: /etc/postfix-mailman.cfg

deploy/roles/mailserver/files/smtp/Dockerfile

@@ -0,0 +1,11 @@
+FROM alpine:latest
+
+RUN adduser -u 5000 -g vmail -s /usr/bin/nologin -h /home/vmail -S vmail
+RUN apk add --no-cache postfix ca-certificates
+
+ADD ./main.cf /etc/postfix/main.cf
+ADD ./master.cf /etc/postfix/master.cf
+
+ADD ./start.sh /start.sh
+
+ENTRYPOINT ["/start.sh"]

deploy/roles/mailserver/files/smtp/main.cf

@@ -0,0 +1,90 @@
+compatibility_level = 2
+smtpd_banner = $myhostname ESMTP $mail_name (Hail Eris!)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+disable_vrfy_command = yes
+unknown_address_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_client_reject_code = 554
+
+#smtpd_tls_key_file=/certs/privkey.pem
+#smtpd_tls_cert_file=/certs/cert.pem
+smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+smtpd_use_tls=yes
+smtpd_tls_auth_only = yes
+
+smtp_tls_security_level = may
+
+smtpd_sasl_path = inet:imap:8472
+smtpd_sasl_type = dovecot
+smtpd_sasl_auth_enable = yes
+
+smtputf8_enable = no
+smtputf8_autodetect_classes = bounce
+
+#smtpd_recipient_restrictions =
+#        permit_sasl_authenticated,
+#        permit_mynetworks,
+#        reject_unauth_destination
+
+# Let's try ze new config stuff!
+smtpd_recipient_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_rbl_client ix.dnsbl.manitu.net,
+        reject_rbl_client bl.spamcop.net,
+        reject_rbl_client multi.surbl.org,
+        reject_rbl_client dnsbl-1.uceprotect.net,
+        reject_rbl_client cbl.abuseat.org,
+        reject_rbl_client combined.rbl.msrbl.net,
+        reject_rbl_client b.barracudacentral.org,
+        reject_invalid_hostname,
+        reject_non_fqdn_hostname,
+        reject_non_fqdn_sender,
+        reject_non_fqdn_recipient,
+        reject_unknown_sender_domain,
+        reject_unknown_recipient_domain,
+        reject_unauth_pipelining,
+        reject_unauth_destination,
+        reject_unlisted_recipient
+
+
+smtpd_sender_restrictions =
+#	reject_sender_login_mismatch #too harsh
+	permit_sasl_authenticated
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+virtual_transport = lmtp:inet:imap:24
+
+virtual_mailbox_domains = mysql:/etc/postfix/virtual_mailbox_domains.cf
+virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.cf
+virtual_alias_maps = mysql:/etc/postfix/virtual_alias_maps.cf
+
+message_size_limit = 20480000
+
+# Milter setup
+smtpd_milters = inet:spam:11332
+milter_default_action = accept
+milter_protocol = 6
+
+unknown_local_recipient_reject_code = 550
+owner_request_special = no
+transport_maps = hash:/mailman/var/data/postfix_lmtp
+local_recipient_maps = hash:/mailman/var/data/postfix_lmtp
+relay_domains = hash:/mailman/var/data/postfix_domains

deploy/roles/mailserver/files/smtp/master.cf

@@ -0,0 +1,55 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       -       -       -       smtpd
+  -o content_filter=spamassassin
+submission inet n       -       -       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_sasl_auth_enable=yes
+pickup    unix  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

deploy/roles/mailserver/files/smtp/start.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+#if [ -n "${MYORIGIN}" -a -n "${MYHOSTNAME}" ]; then
+	echo -e "myorigin = ${MYORIGIN}\n \
+	     	myhostname = ${MYHOSTNAME} \
+	     	smtpd_tls_key_file = /certs/${MYHOSTNAME}.key \
+	    	smtpd_tls_cert_file=/certs/${MYHOSTNAME}.crt" >> /etc/postfix/main_addendum.cf
+#fi
+
+#if [ -n "${DATABASE_USER}" -a -n "${DATBASE_PASSWORD}" -a -n "${DATABASE_NAME}" ]; then
+	echo -e "user = ${DATABASE_USER}\n \
+	     	password = ${DATABASE_PASSWORD}\n \
+		hosts = db\n \
+		dbname = ${DATABASE_NAME}\n \
+		table = alias\n \
+		select_field = goto\n \
+		where_field = address" > /etc/postfix/virtual_alias_maps.cf;
+
+	echo -e "user = ${DATABASE_USER}\n \
+		password = ${DATABASE_PASSWORD}\n \
+		hosts = db\n \
+		dbname = ${DATABASE_NAME}\n \
+		table = domain\n \
+		select_field = domain\n \
+		where_field = domain" > /etc/postfix/virtual_mailbox_domains.cf;
+
+	echo -e "user = ${DATABASE_USER}\n \
+		password = ${DATABASE_PASSWORD}\n \
+		hosts = db\n \
+		dbname = ${DATABASE_NAME}\n \
+		table = mailbox\n \
+		select_field = maildir\n \
+		where_field = username" > /etc/postfix/virtual_mailbox_maps.cf;
+#fi
+
+postfix start-fg

deploy/roles/mailserver/files/spam/Dockerfile

@@ -0,0 +1,15 @@
+FROM alpine:edge
+
+# We have to upgrade musl, or rspamd will not work.
+RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories \
+ && apk add --no-cache rspamd rspamd-controller rsyslog ca-certificates
+
+RUN mkdir /run/rspamd
+
+RUN	echo 'type = "console";' > /etc/rspamd/override.d/logging.inc \
+	&& echo 'pidfile = false;' > /etc/rspamd/override.d/options.inc
+
+
+COPY start.sh /start.sh
+
+CMD ["/start.sh"]

deploy/roles/mailserver/files/spam/start.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+SECURE_IP=${SECURE_IP:-"127.0.0.1"}
+PASSWORD=${PASSWORD:-"mailu"}
+ENABLE_PASSWORD=${ENABLE_PASSWORD:-$PASSWORD}
+
+cat << EOF > /etc/rspamd/override.d/worker-controller.inc
+    bind_socket = "0.0.0.0:${PORT}";
+    secure_ip = "${SECURE_IP}";
+    password = "${PASSWORD}";
+    enable_password = "${PASSWORD}";
+EOF
+
+/usr/sbin/rspamd -f --insecure

deploy/roles/mailserver/files/traefik/traefik.toml

@@ -0,0 +1,41 @@
+debug = false
+
+logLevel = "ERROR"
+defaultEntryPoints = ["https","http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+  [entryPoints.https.tls]
+  minVersion = "VersionTLS11"
+  cipherSuites = [
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+    ]
+
+[api]
+
+[retry]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+domain = "creditcards.bayern"
+watch = true
+exposedByDefault = false
+
+[acme]
+email = "noc@creditcards.bayern"
+storage = "/etc/traefik/acme.json"
+entryPoint = "https"
+onHostRule = true
+KeyType = "EC256"
+keyType = "EC256"
+[acme.httpChallenge]
+entryPoint = "http"

deploy/roles/mailserver/tasks/main.yml

@@ -0,0 +1,66 @@
+---
+- name: Create project folder
+  file:
+    name: "{{ docker_project_folder }}/mailserver"
+    state: directory
+
+- name: Create data folder
+  file:
+    name: "{{ docker_data_folder }}/mailserver"
+    state: directory
+
+- name: Create nginx include folder
+  file:
+    name: "{{ docker_data_folder }}/mailserver/nginx"
+    state: directory
+
+- name: Copy nginx config \#1
+  template:
+    src: mailman-web.conf.j2
+    dest: "{{ docker_project_folder }}/mailserver/nginx/mailman-web.conf"
+
+- name: Copy env
+  template:
+    src: env.j2
+    dest: "{{ docker_project_folder }}/mailserver/.env"
+
+- name: Copy smtp
+  copy:
+    src: smtp
+    dest: "{{ docker_project_folder }}/mailserver/smtp"
+
+- name: Copy imap
+  copy:
+    src: imap
+    dest: "{{ docker_project_folder }}/mailserver/imap"
+
+- name: Copy spam
+  copy:
+    src: spam
+    dest: "{{ docker_project_folder }}/mailserver/spam"
+
+- name: Copy traefik
+  copy:
+    src: traefik
+    dest: "{{ docker_project_folder }}/mailserver/traefik" 
+
+- name: Copy mailman-conf
+  copy:
+    src: mailman-extra.cfg
+    dest: "{{ docker_project_folder }}/mailserver/mailman-extra.cfg"
+
+- name: New Mysql EntryPoint
+  copy:
+    src: docker-entrypoint.sh
+    dest: "{{ docker_project_folder }}/mailserver/docker-entrypoint.sh"
+
+- name: Copy docker-compose
+  copy:
+    src: docker-compose.yml
+    dest: "{{ docker_project_folder }}/mailserver/docker-compose.yml"
+
+- name: Start mailserver
+  docker_service:
+    project_src: "{{ docker_project_folder }}/mailserver"
+    pull: yes
+

deploy/roles/mailserver/templates/env.j2

@@ -0,0 +1,51 @@
+# postfix/dovecot user management
+DATABASE_USER=mail
+DATABASE_PASSWORD={{ DB_PASSWORD }}
+DATABASE_NAME=postfix
+#postfix
+MYORIGIN={{ DOMAIN }}
+MYHOSTNAME=mail.{{ DOMAIN }}
+#imap
+MAILDOMAIN=mail.{{ DOMAIN }}
+#spam
+PORT=11334
+PASSWORD= {{ WEB_PASSWORD }}
+#roundcube
+ROUNDCUBEMAIL_DEFAULT_HOST=imap
+ROUNDCUBEMAIL_SMTP_SERVER=smtp
+ROUNDCUBEMAIL_PLUGINS=archive,zipdownload,managesieve,password
+ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=100M
+ROUNDCUBEMAIL_DB_TYPE=mysql
+ROUNDCUBEMAIL_DB_HOST=db
+ROUNDCUBEMAIL_DB_USER=mail
+ROUNDCUBEMAIL_DB_PASSWORD={{ DB_PASSWORD }}
+ROUNDCUBEMAIL_DB_NAME=postfix
+#postfixadmin
+DBTYPPE=mysql
+DBHOST=db
+DBUSER=mail
+DBNAME=postfix
+DBPASS={{ DB_PASSWORD }}
+SMTPHOST=smtp
+DOMAIN={{ DOMAIN }}
+#database
+MYSQL_ROOT_PASSWORD={{ DB_ROOT_PASSWORD }}
+MYSQL_DATABASES="postfix mailman"
+MYSQL_USER=mail
+MYSQL_PASSWORD={{ DB_PASSWORD }}
+#mailman-core
+DATABASE_URL=mysql://mail:{{ DB_PASSWORD }}@db/mailman
+DATABASE_TYPE=mysql
+DATABASE_CLASS=mailman.database.mysql.MySQLDatabase
+HYPERKITTY_API_KEY=someapikey
+#mailman-web
+DATABASE_URL=mysql://mail:{{ DB_PASSWORD }}@db/mailman
+DATABASE_TYPE=mysql
+HYPERKITTY_API_KEY=someapikey
+SECRET_KEY={{ WEB_PASSWORD }}
+DYLD_LIBRARY_PATH=/usr/local/mysql/lib/
+SERVE_FROM_DOMAIN=mail.{{ DOMAIN }}
+DJANGO_ALLOWED_HOSTS=mailman.{{ DOMAIN }}
+MAILMAN_ADMIN_USER=admin
+MAILMAN_ADMIN_EMAIL=a3x@eris.cc
+UWSGI_STATIC_MAP=/static=/opt/mailman-web-data/static

deploy/roles/mailserver/templates/mailman-web.conf.j2

@@ -0,0 +1,15 @@
+
+
+server {
+    listen 80;
+    server_name mailman.{{ DOMAIN }};
+
+    location / {
+		 # First attempt to serve request as file, then
+
+		  uwsgi_pass mailman-web:8080;
+		  include uwsgi_params;
+		  uwsgi_read_timeout 300;
+    }
+}
+

deploy/roles/mailserver/vars/all.yml

@@ -0,0 +1,13 @@
+---
+become_method: sudo
+ansible_ask_become_pass: yes
+docker_data_folder: /data
+docker_project_folder: /var/docker
+DOMAIN: creditcards.bayern
+
+# vault
+
+DB_PASSWORD: "{{ vault_db_password }}"
+DB_ROOT_PASSWORD: "{{ vault_db_root_password }}"
+WEB_PASSWORD: "{{ vault_web_password }}"
+

deploy/roles/mailserver/vars/vault.yml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+61343433613065613963336562373266343631613831386333316564393132373861383730383131
+6136663533343330363131623433333535616230343433650a373438373732636461386362656638
+32653463663136353363666230323930633866323239636238323831316235303432636332383732
+6563333066313533360a353639353935316531353763663434613463303439346162373431343134
+37383761616466333938393165653935653565336434303835373239643962336161613363626534
+34303037363634666332396635616231383462383230656530343036346164333265636637303237
+31633839383031376137376136383738656639616666326637303532613735653734396630333838
+36643465636439323364646362323164333563333131333666666564646466633736633137363430
+66363765376364306366353664356131623136646134613532623532346362646661346365323135
+6431643536393461313632613335626532306561333836643534

docker-compose.yml

@@ -91,7 +91,7 @@ services:
       ROUNDCUBEMAIL_DB_TYPE: mysql
       ROUNDCUBEMAIL_DB_HOST: db
       ROUNDCUBEMAIL_DB_USER: mail
-      ROUNDCUBEMAIL_DB_PASSWORD: BGun02otSchuj3z
+      ROUNDCUBEMAIL_DB_PASSWORD: db_password
       ROUNDCUBEMAIL_DB_NAME: postfix
     labels:
       - "traefik.frontend.rule=Host:mail.creditcards.bayern"
@@ -112,7 +112,7 @@ services:
       DBHOST: db
       DBUSER: mail
       DBNAME: postfix
-      DBPASS: BGun02otSchuj3z
+      DBPASS: db_password
       SMTPHOST: smtp
       DOMAIN: creditcards.bayern
     labels:
@@ -206,15 +206,15 @@ services:
 
   traefik:
     container_name: traefik
-    image: traefik  # The official Traefik docker image
+    image: traefik  
     command: --api --docker  # Enables the web UI and tells Traefik to listen to docker
     restart: always
     ports:
-      - "80:80"      # The HTTP port
+      - "80:80"      
       - "443:443"
-      - "8080:8080"  # The Web UI (enabled by --api)
+      - "8080:8080"  
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock  # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock  
       - ./traefik/:/etc/traefik
     labels:
       - "traefik.frontend.rule=Host:traefik.creditcards.bayern"