initial import

host_vars/example_host.yml

@@ -0,0 +1,37 @@
+ansible_host: 'some_ip_address'
+web_server:
+  - domains:
+      - 'some domain name for rspamd interface'
+    root: '/var/www/blank'
+    mode: plain
+    httpsonly: True
+    settings: |
+      Header set X-Content-Type-Options nosniff
+      Header set X-Frame-Options SAMEORIGIN
+      Header set X-XSS-Protection "1; mode=block"
+      <Location /rspamd/>
+        ProxyPass http://127.0.0.1:11334/
+        ProxyPassReverse http://127.0.0.1:11334/
+      </Location>
+  - domains:
+      - 'some domain name for mailing lists'
+    root: '/var/www/mailman_web/public'
+    mode: passenger
+    user: 'mailman'
+    group: 'mailman'
+    httpsonly: True
+    settings: |
+      PassengerPython /opt/mailman_web/bin/python
+public_hostname: 'hostname of this machine'
+mailname: 'fqdn of this machine'
+rspamd_password: 'some secret'
+mailman:
+  django_secret_key: 'some other secret'
+  domains:
+    - 'same domain name as above for mailing lists'
+  rest_user: 'mailman'
+  rest_password: 'yet another secret'
+  archiver_key: 'and one more secret'
+admin_mail: '[email protected]'
+ldap_host: 'ldaps://some.ldap.host'
+ldap_base: 'dc=ldap,dc=base'

roles/dovecot/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart dovecot
+  service: name=dovecot state=restarted

roles/dovecot/tasks/main.yml

@@ -0,0 +1,51 @@
+- apt: name='{{ item }}' state=present
+  with_items:
+    - dovecot-core
+    - dovecot-imapd
+    - dovecot-managesieved
+    - dovecot-sieve
+    - dovecot-antispam
+    - dovecot-gssapi
+    - dovecot-ldap
+    - dovecot-lmtpd
+    - python-ldap
+
+- template: src='{{ item }}.j2' dest='/etc/dovecot/{{ item }}' owner='root' group='root' mode='0644'
+  with_items:
+    - 'conf.d/auth-ldap-ipa.conf.ext'
+    - 'conf.d/auth-checkpassword-ipa.conf.ext'
+    - 'conf.d/10-auth.conf'
+    - 'conf.d/10-director.conf'
+    - 'conf.d/10-logging.conf'
+    - 'conf.d/10-mail.conf'
+    - 'conf.d/10-master.conf'
+    - 'conf.d/10-ssl.conf'
+    - 'conf.d/10-tcpwrapper.conf'
+    - 'conf.d/15-lda.conf'
+    - 'conf.d/15-mailboxes.conf'
+    - 'conf.d/20-imap.conf'
+    - 'conf.d/20-lmtp.conf'
+    - 'conf.d/20-managesieve.conf'
+    - 'conf.d/90-acl.conf'
+    - 'conf.d/90-plugin.conf'
+    - 'conf.d/90-quota.conf'
+    - 'conf.d/90-sieve.conf'
+  notify: restart dovecot
+
+
+- template: src='{{ item }}.j2' dest='/etc/dovecot/{{ item }}' owner='root' group='root' mode='0600'
+  with_items:
+    - 'dovecot-ldap-ipa-userdb.conf.ext'
+  notify: restart dovecot
+
+- template: src='checkpassword.py.j2' dest='/usr/local/bin/checkpassword' owner='root' group='root' mode='0755'
+
+- file: path='/etc/dovecot/private' owner='root' group='root' mode='700' state=directory
+
+- group: name='vmail' system='yes' state=present
+  notify: restart dovecot
+
+- user: name='vmail' group='vmail' home='/home/vmail' shell='/bin/sh' system='yes' createhome='no' state=present
+  notify: restart dovecot
+
+- file: path='/home/vmail' owner='vmail' group='vmail' mode='700' state=directory

roles/dovecot/templates/conf.d/10-auth.conf.j2

@@ -0,0 +1,130 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+!include auth-ldap-ipa.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+!include auth-checkpassword-ipa.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext

roles/dovecot/templates/conf.d/10-director.conf.j2

@@ -0,0 +1,61 @@
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers = 
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers = 
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# TCP/IP port that accepts doveadm connections (instead of director connections)
+# If you enable this, you'll also need to add inet_listener for the port.
+#director_doveadm_port = 0
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+  unix_listener login/director {
+    #mode = 0666
+  }
+  fifo_listener login/proxy-notify {
+    #mode = 0666
+  }
+  unix_listener director-userdb {
+    #mode = 0600
+  }
+  inet_listener {
+    #port = 
+  }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+  #executable = imap-login director
+}
+service pop3-login {
+  #executable = pop3-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+  #auth_socket_path = director-userdb
+}

roles/dovecot/templates/conf.d/10-logging.conf.j2

@@ -0,0 +1,84 @@
+##
+## Log destination.
+##
+
+# Log file to use for error messages. "syslog" logs to syslog,
+# /dev/stderr logs to stderr.
+#log_path = syslog
+
+# Log file to use for informational messages. Defaults to log_path.
+#info_log_path = 
+# Log file to use for debug messages. Defaults to info_log_path.
+#debug_log_path = 
+
+# Syslog facility to use if you're logging to syslog. Usually if you don't
+# want to use "mail", you'll use local0..local7. Also other standard
+# facilities are supported.
+#syslog_facility = mail
+
+##
+## Logging verbosity and debugging.
+##
+
+# Log unsuccessful authentication attempts and the reasons why they failed.
+#auth_verbose = no
+
+# In case of password mismatches, log the attempted password. Valid values are
+# no, plain and sha1. sha1 can be useful for detecting brute force password
+# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
+#auth_verbose_passwords = no
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# In case of password mismatches, log the passwords and used scheme so the
+# problem can be debugged. Enabling this also enables auth_debug.
+#auth_debug_passwords = no
+
+# Enable mail process debugging. This can help you figure out why Dovecot
+# isn't finding your mails.
+#mail_debug = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# mail_log plugin provides more event logging for mail processes.
+plugin {
+  # Events to log. Also available: flag_change append
+  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
+  # size and vsize are available only for expunge and copy events.
+  #mail_log_fields = uid box msgid size
+}
+
+##
+## Log formatting.
+##
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+# Space-separated list of elements we want to log. The elements which have
+# a non-empty variable value are joined together to form a comma-separated
+# string.
+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+
+# Login log format. %s contains login_log_format_elements string, %$ contains
+# the data we want to log.
+#login_log_format = %$: %s
+
+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
+# possible variables you can use.
+#mail_log_prefix = "%s(%u): "
+
+# Format to use for logging mail deliveries. You can use variables:
+#  %$ - Delivery status message (e.g. "saved to INBOX")
+#  %m - Message-ID
+#  %s - Subject
+#  %f - From address
+#  %p - Physical size
+#  %w - Virtual size
+#deliver_log_format = msgid=%m: %$