From e20337a972b248ef710539eb97bf63c300bcf368 Mon Sep 17 00:00:00 2001
From: Guido Schmitz <g.schmitz@gtrs.de>
Date: Wed, 26 Jul 2017 21:30:31 +0200
Subject: [PATCH] initial import

---
 host_vars/example_host.yml                    |  37 +
 roles/dovecot/handlers/main.yml               |   2 +
 roles/dovecot/tasks/main.yml                  |  51 ++
 .../dovecot/templates/conf.d/10-auth.conf.j2  | 130 +++
 .../templates/conf.d/10-director.conf.j2      |  61 ++
 .../templates/conf.d/10-logging.conf.j2       |  84 ++
 .../dovecot/templates/conf.d/10-mail.conf.j2  | 371 ++++++++
 .../templates/conf.d/10-master.conf.j2        | 128 +++
 roles/dovecot/templates/conf.d/10-ssl.conf.j2 |  64 ++
 .../templates/conf.d/10-tcpwrapper.conf.j2    |  14 +
 roles/dovecot/templates/conf.d/15-lda.conf.j2 |  48 ++
 .../templates/conf.d/15-mailboxes.conf.j2     |  53 ++
 .../dovecot/templates/conf.d/20-imap.conf.j2  |  61 ++
 .../dovecot/templates/conf.d/20-lmtp.conf.j2  |  27 +
 .../templates/conf.d/20-managesieve.conf.j2   |  76 ++
 roles/dovecot/templates/conf.d/90-acl.conf.j2 |  19 +
 .../templates/conf.d/90-plugin.conf.j2        | 191 +++++
 .../dovecot/templates/conf.d/90-quota.conf.j2 |  80 ++
 .../dovecot/templates/conf.d/90-sieve.conf.j2 | 138 +++
 .../conf.d/auth-checkpassword-ipa.conf.ext.j2 |  21 +
 .../conf.d/auth-ldap-ipa.conf.ext.j2          |  25 +
 .../dovecot-ldap-ipa-userdb.conf.ext.j2       | 104 +++
 roles/letsencrypt_common/defaults/main.yml    |   4 +
 .../files/renew-letsencrypt-certs             |  25 +
 roles/letsencrypt_common/tasks/main.yml       |  17 +
 roles/mailman/defaults/main.yml               |   2 +
 roles/mailman/files/__init__.py               |   0
 roles/mailman/handlers/main.yml               |   2 +
 roles/mailman/tasks/main.yml                  | 128 +++
 .../templates/mailman-hyperkitty.cfg.j2       |  11 +
 roles/mailman/templates/mailman.cfg.j2        |  65 ++
 roles/mailman/templates/mailman3.service.j2   |  28 +
 roles/mailman/templates/web/manage.py.j2      |  11 +
 roles/mailman/templates/web/my.cnf.j2         |   6 +
 .../templates/web/passenger_wsgi.py.j2        |   2 +
 roles/mailman/templates/web/settings.py.j2    | 447 ++++++++++
 roles/mailman/templates/web/urls.py.j2        |  34 +
 roles/mailman/templates/web/wsgi.py.j2        |   4 +
 roles/passenger_common/tasks/main.yml         |  12 +
 roles/postfix/handlers/main.yml               |   2 +
 roles/postfix/tasks/main.yml                  |  29 +
 .../templates/ldap/virtual_alias_maps.cf.j2   |   4 +
 .../ldap/virtual_mailbox_domains.cf.j2        |   5 +
 .../templates/ldap/virtual_mailbox_maps.cf.j2 |   4 +
 roles/postfix/templates/main.cf.j2            | 790 ++++++++++++++++++
 roles/postfix/templates/master.cf.j2          | 142 ++++
 roles/rspamd/handlers/main.yml                |   5 +
 roles/rspamd/tasks/main.yml                   |  42 +
 roles/rspamd/templates/antivirus.conf.j2      |   3 +
 roles/rspamd/templates/redis.conf.j2          |   1 +
 roles/rspamd/templates/rmilter.conf.local.j2  |  13 +
 .../rspamd/templates/rmilter_headers.conf.j2  |   7 +
 roles/rspamd/templates/spamassassin.conf.j2   |   1 +
 .../rspamd/templates/worker-controller.inc.j2 |   1 +
 roles/web_server/handlers/main.yml            |   5 +
 roles/web_server/meta/main.yml                |   3 +
 roles/web_server/tasks/main.yml               | 137 +++
 roles/web_server/templates/apache2.conf.j2    | 352 ++++++++
 .../templates/default-index.html.j2           |  48 ++
 roles/web_server/templates/http-body.j2       |  48 ++
 roles/web_server/templates/http.conf.j2       |   9 +
 roles/web_server/templates/https.conf.j2      |  15 +
 site-mail.yml                                 |  31 +
 63 files changed, 4280 insertions(+)
 create mode 100644 host_vars/example_host.yml
 create mode 100644 roles/dovecot/handlers/main.yml
 create mode 100644 roles/dovecot/tasks/main.yml
 create mode 100644 roles/dovecot/templates/conf.d/10-auth.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/10-director.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/10-logging.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/10-mail.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/10-master.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/10-ssl.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/10-tcpwrapper.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/15-lda.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/15-mailboxes.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/20-imap.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/20-lmtp.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/20-managesieve.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/90-acl.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/90-plugin.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/90-quota.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/90-sieve.conf.j2
 create mode 100644 roles/dovecot/templates/conf.d/auth-checkpassword-ipa.conf.ext.j2
 create mode 100644 roles/dovecot/templates/conf.d/auth-ldap-ipa.conf.ext.j2
 create mode 100644 roles/dovecot/templates/dovecot-ldap-ipa-userdb.conf.ext.j2
 create mode 100644 roles/letsencrypt_common/defaults/main.yml
 create mode 100644 roles/letsencrypt_common/files/renew-letsencrypt-certs
 create mode 100644 roles/letsencrypt_common/tasks/main.yml
 create mode 100644 roles/mailman/defaults/main.yml
 create mode 100644 roles/mailman/files/__init__.py
 create mode 100644 roles/mailman/handlers/main.yml
 create mode 100644 roles/mailman/tasks/main.yml
 create mode 100644 roles/mailman/templates/mailman-hyperkitty.cfg.j2
 create mode 100644 roles/mailman/templates/mailman.cfg.j2
 create mode 100644 roles/mailman/templates/mailman3.service.j2
 create mode 100644 roles/mailman/templates/web/manage.py.j2
 create mode 100644 roles/mailman/templates/web/my.cnf.j2
 create mode 100644 roles/mailman/templates/web/passenger_wsgi.py.j2
 create mode 100644 roles/mailman/templates/web/settings.py.j2
 create mode 100644 roles/mailman/templates/web/urls.py.j2
 create mode 100644 roles/mailman/templates/web/wsgi.py.j2
 create mode 100644 roles/passenger_common/tasks/main.yml
 create mode 100644 roles/postfix/handlers/main.yml
 create mode 100644 roles/postfix/tasks/main.yml
 create mode 100644 roles/postfix/templates/ldap/virtual_alias_maps.cf.j2
 create mode 100644 roles/postfix/templates/ldap/virtual_mailbox_domains.cf.j2
 create mode 100644 roles/postfix/templates/ldap/virtual_mailbox_maps.cf.j2
 create mode 100644 roles/postfix/templates/main.cf.j2
 create mode 100644 roles/postfix/templates/master.cf.j2
 create mode 100644 roles/rspamd/handlers/main.yml
 create mode 100644 roles/rspamd/tasks/main.yml
 create mode 100644 roles/rspamd/templates/antivirus.conf.j2
 create mode 100644 roles/rspamd/templates/redis.conf.j2
 create mode 100644 roles/rspamd/templates/rmilter.conf.local.j2
 create mode 100644 roles/rspamd/templates/rmilter_headers.conf.j2
 create mode 100644 roles/rspamd/templates/spamassassin.conf.j2
 create mode 100644 roles/rspamd/templates/worker-controller.inc.j2
 create mode 100644 roles/web_server/handlers/main.yml
 create mode 100644 roles/web_server/meta/main.yml
 create mode 100644 roles/web_server/tasks/main.yml
 create mode 100644 roles/web_server/templates/apache2.conf.j2
 create mode 100644 roles/web_server/templates/default-index.html.j2
 create mode 100644 roles/web_server/templates/http-body.j2
 create mode 100644 roles/web_server/templates/http.conf.j2
 create mode 100644 roles/web_server/templates/https.conf.j2
 create mode 100755 site-mail.yml

diff --git a/host_vars/example_host.yml b/host_vars/example_host.yml
new file mode 100644
index 0000000..f7c14f5
--- /dev/null
+++ b/host_vars/example_host.yml
@@ -0,0 +1,37 @@
+ansible_host: 'some_ip_address'
+web_server:
+  - domains:
+      - 'some domain name for rspamd interface'
+    root: '/var/www/blank'
+    mode: plain
+    httpsonly: True
+    settings: |
+      Header set X-Content-Type-Options nosniff
+      Header set X-Frame-Options SAMEORIGIN
+      Header set X-XSS-Protection "1; mode=block"
+      <Location /rspamd/>
+        ProxyPass http://127.0.0.1:11334/
+        ProxyPassReverse http://127.0.0.1:11334/
+      </Location>
+  - domains:
+      - 'some domain name for mailing lists'
+    root: '/var/www/mailman_web/public'
+    mode: passenger
+    user: 'mailman'
+    group: 'mailman'
+    httpsonly: True
+    settings: |
+      PassengerPython /opt/mailman_web/bin/python
+public_hostname: 'hostname of this machine'
+mailname: 'fqdn of this machine'
+rspamd_password: 'some secret'
+mailman:
+  django_secret_key: 'some other secret'
+  domains:
+    - 'same domain name as above for mailing lists'
+  rest_user: 'mailman'
+  rest_password: 'yet another secret'
+  archiver_key: 'and one more secret'
+admin_mail: 'root@maschinendeck.org'
+ldap_host: 'ldaps://some.ldap.host'
+ldap_base: 'dc=ldap,dc=base'
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..253af73
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart dovecot
+  service: name=dovecot state=restarted
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..5301b8d
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
@@ -0,0 +1,51 @@
+- apt: name='{{ item }}' state=present
+  with_items:
+    - dovecot-core
+    - dovecot-imapd
+    - dovecot-managesieved
+    - dovecot-sieve
+    - dovecot-antispam
+    - dovecot-gssapi
+    - dovecot-ldap
+    - dovecot-lmtpd
+    - python-ldap
+
+- template: src='{{ item }}.j2' dest='/etc/dovecot/{{ item }}' owner='root' group='root' mode='0644'
+  with_items:
+    - 'conf.d/auth-ldap-ipa.conf.ext'
+    - 'conf.d/auth-checkpassword-ipa.conf.ext'
+    - 'conf.d/10-auth.conf'
+    - 'conf.d/10-director.conf'
+    - 'conf.d/10-logging.conf'
+    - 'conf.d/10-mail.conf'
+    - 'conf.d/10-master.conf'
+    - 'conf.d/10-ssl.conf'
+    - 'conf.d/10-tcpwrapper.conf'
+    - 'conf.d/15-lda.conf'
+    - 'conf.d/15-mailboxes.conf'
+    - 'conf.d/20-imap.conf'
+    - 'conf.d/20-lmtp.conf'
+    - 'conf.d/20-managesieve.conf'
+    - 'conf.d/90-acl.conf'
+    - 'conf.d/90-plugin.conf'
+    - 'conf.d/90-quota.conf'
+    - 'conf.d/90-sieve.conf'
+  notify: restart dovecot
+
+
+- template: src='{{ item }}.j2' dest='/etc/dovecot/{{ item }}' owner='root' group='root' mode='0600'
+  with_items:
+    - 'dovecot-ldap-ipa-userdb.conf.ext'
+  notify: restart dovecot
+
+- template: src='checkpassword.py.j2' dest='/usr/local/bin/checkpassword' owner='root' group='root' mode='0755'
+  
+- file: path='/etc/dovecot/private' owner='root' group='root' mode='700' state=directory
+
+- group: name='vmail' system='yes' state=present
+  notify: restart dovecot
+  
+- user: name='vmail' group='vmail' home='/home/vmail' shell='/bin/sh' system='yes' createhome='no' state=present
+  notify: restart dovecot
+
+- file: path='/home/vmail' owner='vmail' group='vmail' mode='700' state=directory
diff --git a/roles/dovecot/templates/conf.d/10-auth.conf.j2 b/roles/dovecot/templates/conf.d/10-auth.conf.j2
new file mode 100644
index 0000000..ed13ab0
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-auth.conf.j2
@@ -0,0 +1,130 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+!include auth-ldap-ipa.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+!include auth-checkpassword-ipa.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext
diff --git a/roles/dovecot/templates/conf.d/10-director.conf.j2 b/roles/dovecot/templates/conf.d/10-director.conf.j2
new file mode 100644
index 0000000..31e97e9
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-director.conf.j2
@@ -0,0 +1,61 @@
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers = 
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers = 
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# TCP/IP port that accepts doveadm connections (instead of director connections)
+# If you enable this, you'll also need to add inet_listener for the port.
+#director_doveadm_port = 0
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+  unix_listener login/director {
+    #mode = 0666
+  }
+  fifo_listener login/proxy-notify {
+    #mode = 0666
+  }
+  unix_listener director-userdb {
+    #mode = 0600
+  }
+  inet_listener {
+    #port = 
+  }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+  #executable = imap-login director
+}
+service pop3-login {
+  #executable = pop3-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+  #auth_socket_path = director-userdb
+}
diff --git a/roles/dovecot/templates/conf.d/10-logging.conf.j2 b/roles/dovecot/templates/conf.d/10-logging.conf.j2
new file mode 100644
index 0000000..5f2c25c
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-logging.conf.j2
@@ -0,0 +1,84 @@
+##
+## Log destination.
+##
+
+# Log file to use for error messages. "syslog" logs to syslog,
+# /dev/stderr logs to stderr.
+#log_path = syslog
+
+# Log file to use for informational messages. Defaults to log_path.
+#info_log_path = 
+# Log file to use for debug messages. Defaults to info_log_path.
+#debug_log_path = 
+
+# Syslog facility to use if you're logging to syslog. Usually if you don't
+# want to use "mail", you'll use local0..local7. Also other standard
+# facilities are supported.
+#syslog_facility = mail
+
+##
+## Logging verbosity and debugging.
+##
+
+# Log unsuccessful authentication attempts and the reasons why they failed.
+#auth_verbose = no
+
+# In case of password mismatches, log the attempted password. Valid values are
+# no, plain and sha1. sha1 can be useful for detecting brute force password
+# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
+#auth_verbose_passwords = no
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# In case of password mismatches, log the passwords and used scheme so the
+# problem can be debugged. Enabling this also enables auth_debug.
+#auth_debug_passwords = no
+
+# Enable mail process debugging. This can help you figure out why Dovecot
+# isn't finding your mails.
+#mail_debug = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# mail_log plugin provides more event logging for mail processes.
+plugin {
+  # Events to log. Also available: flag_change append
+  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
+  # size and vsize are available only for expunge and copy events.
+  #mail_log_fields = uid box msgid size
+}
+
+##
+## Log formatting.
+##
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+# Space-separated list of elements we want to log. The elements which have
+# a non-empty variable value are joined together to form a comma-separated
+# string.
+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+
+# Login log format. %s contains login_log_format_elements string, %$ contains
+# the data we want to log.
+#login_log_format = %$: %s
+ 
+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
+# possible variables you can use.
+#mail_log_prefix = "%s(%u): "
+
+# Format to use for logging mail deliveries. You can use variables:
+#  %$ - Delivery status message (e.g. "saved to INBOX")
+#  %m - Message-ID
+#  %s - Subject
+#  %f - From address
+#  %p - Physical size
+#  %w - Virtual size
+#deliver_log_format = msgid=%m: %$
diff --git a/roles/dovecot/templates/conf.d/10-mail.conf.j2 b/roles/dovecot/templates/conf.d/10-mail.conf.j2
new file mode 100644
index 0000000..52e98a5
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-mail.conf.j2
@@ -0,0 +1,371 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if there's no domain
+#   %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+#   mail_location = maildir:~/Maildir
+#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
+#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+# <doc/wiki/MailLocation.txt>
+#
+mail_location = maildir:~/Maildir
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+  # Namespace type: private, shared or public
+  #type = private
+
+  # Hierarchy separator to use. You should use the same separator for all
+  # namespaces or some clients get confused. '/' is usually a good one.
+  # The default however depends on the underlying mail storage format.
+  #separator = 
+
+  # Prefix required to access this namespace. This needs to be different for
+  # all namespaces. For example "Public/".
+  #prefix = 
+
+  # Physical location of the mailbox. This is in same format as
+  # mail_location, which is also the default for it.
+  #location =
+
+  # There can be only one INBOX, and this setting defines which namespace
+  # has it.
+  inbox = yes
+
+  # If namespace is hidden, it's not advertised to clients via NAMESPACE
+  # extension. You'll most likely also want to set list=no. This is mostly
+  # useful when converting from another server with different namespaces which
+  # you want to deprecate but still keep working. For example you can create
+  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+  #hidden = no
+
+  # Show the mailboxes under this namespace with LIST command. This makes the
+  # namespace visible for clients that don't support NAMESPACE extension.
+  # "children" value lists child mailboxes, but hides the namespace prefix.
+  #list = yes
+
+  # Namespace handles its own subscriptions. If set to "no", the parent
+  # namespace handles them (empty prefix should always have this as "yes")
+  #subscriptions = yes
+}
+
+# Example shared namespace configuration
+#namespace {
+  #type = shared
+  #separator = /
+
+  # Mailboxes are visible under "shared/user@domain/"
+  # %%n, %%d and %%u are expanded to the destination user.
+  #prefix = shared/%%u/
+
+  # Mail location for other users' mailboxes. Note that %variables and ~/
+  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+  # destination user's data.
+  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+  # Use the default namespace for saving subscriptions.
+  #subscriptions = no
+
+  # List the shared/ namespace only if there are visible shared mailboxes.
+  #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names. <doc/wiki/UserIds.txt>
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
+# soon intended to be used by METADATA as well.
+#mail_attribute_dict =
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+#   optimized (default): Whenever necessary to avoid losing important data
+#   always: Useful with e.g. NFS when write()s are delayed
+#   never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. <doc/wiki/Chrooting.txt>
+#valid_chroot_dirs = 
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
+#mail_chroot = 
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot/modules
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins = 
+
+##
+## Mailbox handling optimizations
+##
+
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = no
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+#           solution. If you want to use /var/mail/ like directory, the users
+#           will need write access to that directory.
+#  dotlock_try: Same as dotlock, but if it fails because of permissions or
+#               because there isn't enough disk space, just skip it.
+#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
+#  flock  : May not exist in all systems. Doesn't work with NFS.
+#  lockf  : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+#       Dovecot: mbox_write_locks = dotlock fcntl
+#       Debian:  mbox_write_locks = fcntl dotlock
+#
+#mbox_read_locks = fcntl
+#mbox_write_locks = fcntl dotlock
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 2M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+#  sis posix : SiS with immediate byte-by-byte comparison during saving
+#  sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}
diff --git a/roles/dovecot/templates/conf.d/10-master.conf.j2 b/roles/dovecot/templates/conf.d/10-master.conf.j2
new file mode 100644
index 0000000..3e05750
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-master.conf.j2
@@ -0,0 +1,128 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+  inet_listener imap {
+    #port = 143
+  }
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+#service pop3-login {
+#  inet_listener pop3 {
+#    #port = 110
+#  }
+#  inet_listener pop3s {
+#    #port = 995
+#    #ssl = yes
+#  }
+#}
+
+service lmtp {
+
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    user = postfix
+    group = postfix
+    mode = 0660
+  }
+
+  unix_listener lmtp {
+    #mode = 0666
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  #inet_listener lmtp {
+    # Avoid making LMTP visible for the entire internet
+    #address =
+    #port = 
+  #}
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+  # full permissions to this socket are able to get a list of all usernames and
+  # get the results of everyone's userdb lookups.
+  #
+  # The default 0666 mode allows anyone to connect to the socket, but the
+  # userdb lookups will succeed only if the userdb returns an "uid" field that
+  # matches the caller process's UID. Also if caller's uid or gid matches the
+  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+  #
+  # To give the caller full permissions to lookup all users, set the mode to
+  # something else than 0666 and Dovecot lets the kernel enforce the
+  # permissions (e.g. 0777 allows everyone full permissions).
+  unix_listener auth-userdb {
+    #mode = 0666
+    #user = 
+    #group = 
+  }
+
+  # Postfix smtp-auth
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0660
+    user = postfix
+    group = postfix
+  }
+
+  # Auth process is run as this user.
+  #user = $default_internal_user
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  #user = root
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user = 
+    #group = 
+  }
+}
diff --git a/roles/dovecot/templates/conf.d/10-ssl.conf.j2 b/roles/dovecot/templates/conf.d/10-ssl.conf.j2
new file mode 100644
index 0000000..b9e7b90
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-ssl.conf.j2
@@ -0,0 +1,64 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+#ssl_cert = </etc/dovecot/dovecot.pem
+#ssl_key = </etc/dovecot/private/dovecot.pem
+ssl_cert = </etc/letsencrypt/live/{{ mailname }}/cert.pem
+ssl_key = </etc/letsencrypt/live/{{ mailname }}/privkey.pem
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = 
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
+# /etc/pki/tls/cert.pem in RedHat-based systems.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# DH parameters length to use.
+#ssl_dh_parameters_length = 1024
+
+# SSL protocols to use
+#ssl_protocols = !SSLv2
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+# no_compression - Disable compression.
+#ssl_options =
\ No newline at end of file
diff --git a/roles/dovecot/templates/conf.d/10-tcpwrapper.conf.j2 b/roles/dovecot/templates/conf.d/10-tcpwrapper.conf.j2
new file mode 100644
index 0000000..b237d96
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-tcpwrapper.conf.j2
@@ -0,0 +1,14 @@
+# 10-tcpwrapper.conf
+#
+# service name for hosts.{allow|deny} are those defined as
+# inet_listener in master.conf
+#
+#login_access_sockets = tcpwrap
+#
+#service tcpwrap {
+#  unix_listener login/tcpwrap {
+#    group = $default_login_user
+#    mode = 0600
+#    user = $default_login_user
+#  }
+#}
diff --git a/roles/dovecot/templates/conf.d/15-lda.conf.j2 b/roles/dovecot/templates/conf.d/15-lda.conf.j2
new file mode 100644
index 0000000..e009ae6
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/15-lda.conf.j2
@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>. %d expands to recipient domain.
+#postmaster_address =
+
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
+hostname = {{ mailname }}
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins quota sieve
+}
diff --git a/roles/dovecot/templates/conf.d/15-mailboxes.conf.j2 b/roles/dovecot/templates/conf.d/15-mailboxes.conf.j2
new file mode 100644
index 0000000..dcfe674
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/15-mailboxes.conf.j2
@@ -0,0 +1,53 @@
+##
+## Mailbox definitions
+##
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+
+  #mailbox name {
+    # auto=create will automatically create this mailbox.
+    # auto=subscribe will both create and subscribe to the mailbox.
+    #auto = no
+
+    # Space separated list of IMAP SPECIAL-USE attributes as specified by
+    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
+    #special_use =
+  #}
+
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+    special_use = \Drafts
+    auto = subscribe
+  }
+  mailbox SPAM {
+    special_use = \Junk
+    auto = subscribe
+  }
+  mailbox Trash {
+    special_use = \Trash
+    auto = subscribe
+    autoexpunge = 30d
+    mailbox_list_index = yes
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+    auto = subscribe
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  #mailbox virtual/All {
+  #  special_use = \All
+  #}
+
+  # If you have a virtual "Flagged" mailbox:
+  #mailbox virtual/Flagged {
+  #  special_use = \Flagged
+  #}
+}
diff --git a/roles/dovecot/templates/conf.d/20-imap.conf.j2 b/roles/dovecot/templates/conf.d/20-imap.conf.j2
new file mode 100644
index 0000000..c0e5f8e
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/20-imap.conf.j2
@@ -0,0 +1,61 @@
+##
+## IMAP specific settings
+##
+
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
+
+# IMAP logout format string:
+#  %i - total number of bytes read from client
+#  %o - total number of bytes sent to client
+#imap_logout_format = in=%i out=%o
+
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+#imap_capability = 
+
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
+
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email.
+#imap_id_send = 
+
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
+
+# Workarounds for various client bugs:
+#   delay-newmail:
+#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+#     and CHECK commands. Some clients ignore them otherwise, for example OSX
+#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+#     may show user "Message no longer in server" errors. Note that OE6 still
+#     breaks even with this workaround if synchronization is set to
+#     "Headers Only".
+#   tb-extra-mailbox-sep:
+#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+#     ignore the extra '/' instead of treating it as invalid mailbox name.
+#   tb-lsub-flags:
+#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+#     This makes Thunderbird realize they aren't selectable and show them
+#     greyed out, instead of only later giving "not selectable" popup error.
+#
+# The list is space-separated.
+#imap_client_workarounds = 
+
+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
+#imap_urlauth_host =
+
+protocol imap {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins antispam
+
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+}
diff --git a/roles/dovecot/templates/conf.d/20-lmtp.conf.j2 b/roles/dovecot/templates/conf.d/20-lmtp.conf.j2
new file mode 100644
index 0000000..3669917
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/20-lmtp.conf.j2
@@ -0,0 +1,27 @@
+##
+## LMTP specific settings
+##
+
+# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
+#lmtp_proxy = no
+
+# When recipient address includes the detail (e.g. user+detail), try to save
+# the mail to the detail mailbox. See also recipient_delimiter and
+# lda_mailbox_autocreate settings.
+#lmtp_save_to_detail_mailbox = no
+
+# Verify quota before replying to RCPT TO. This adds a small overhead.
+#lmtp_rcpt_check_quota = no
+
+# Which recipient address to use for Delivered-To: header and Received:
+# header. The default is "final", which is the same as the one given to
+# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
+# parameter, "none" uses nothing. Note that "none" is currently always used
+# when a mail has multiple recipients.
+#lmtp_hdr_delivery_address = final
+
+protocol lmtp {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins quota sieve
+}
+			  
\ No newline at end of file
diff --git a/roles/dovecot/templates/conf.d/20-managesieve.conf.j2 b/roles/dovecot/templates/conf.d/20-managesieve.conf.j2
new file mode 100644
index 0000000..bc476ea
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/20-managesieve.conf.j2
@@ -0,0 +1,76 @@
+##
+## ManageSieve specific settings
+##
+
+# Uncomment to enable managesieve protocol:
+#protocols = $protocols sieve
+
+# Service definitions
+
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+
+  #inet_listener sieve_deprecated {
+  #  port = 2000
+  #}
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = 64M
+}
+
+service managesieve {
+  # Max. number of ManageSieve processes (connections)
+  #process_limit = 1024
+}
+
+# Service configuration
+
+protocol sieve {
+  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+  # not involve overly long command lines, so this setting will not normally
+  # need adjustment
+  #managesieve_max_line_length = 65536
+
+  # Maximum number of ManageSieve connections allowed for a user from each IP
+  # address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+
+  # Space separated list of plugins to load (none known to be useful so far).
+  # Do NOT try to load IMAP plugins here.
+  #mail_plugins =
+
+  # MANAGESIEVE logout format string:
+  #  %i - total number of bytes read from client
+  #  %o - total number of bytes sent to client
+  #managesieve_logout_format = bytes=%i/%o
+
+  # To fool ManageSieve clients that are focused on CMU's timesieved you can
+  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
+  # For example: 'Cyrus timsieved v2.2.13'
+  #managesieve_implementation_string = Dovecot Pigeonhole
+
+  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
+  # before login. If left unassigned these will be reported dynamically
+  # according to what the Sieve interpreter supports by default (after login
+  # this may differ depending on the user).
+  #managesieve_sieve_capability =
+  #managesieve_notify_capability =
+
+  # The maximum number of compile errors that are returned to the client upon
+  # script upload or script verification.
+  #managesieve_max_compile_errors = 5
+
+  # Refer to 90-sieve.conf for script quota configuration and configuration of
+  # Sieve execution limits.
+}
diff --git a/roles/dovecot/templates/conf.d/90-acl.conf.j2 b/roles/dovecot/templates/conf.d/90-acl.conf.j2
new file mode 100644
index 0000000..f0c0e7a
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/90-acl.conf.j2
@@ -0,0 +1,19 @@
+##
+## Mailbox access control lists.
+##
+
+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
+# You can also optionally give a global ACL directory path where ACLs are
+# applied to all users' mailboxes. The global ACL directory contains
+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
+# specifies how many seconds to wait between stat()ing dovecot-acl file
+# to see if it changed.
+plugin {
+  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+}
+
+# To let users LIST mailboxes shared by other users, Dovecot needs a
+# shared mailbox dictionary. For example:
+plugin {
+  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
+}
diff --git a/roles/dovecot/templates/conf.d/90-plugin.conf.j2 b/roles/dovecot/templates/conf.d/90-plugin.conf.j2
new file mode 100644
index 0000000..0d83f15
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/90-plugin.conf.j2
@@ -0,0 +1,191 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+  #setting_name = value
+
+
+           ##################
+           # GENERIC OPTIONS
+
+           # Debugging options
+           # Uncomment to get the desired debugging behaviour.
+           # Note that in some cases stderr debugging will not be as
+           # verbose as syslog debugging due to internal limitations.
+           #
+           # antispam_debug_target = syslog
+           # antispam_debug_target = stderr
+           # antispam_verbose_debug = 1
+
+           # backend selection, MUST be configured first,
+           # there's no default so you need to set one of
+           # these options:
+           # antispam_backend = crm114
+           # antispam_backend = dspam
+           antispam_backend = pipe
+           # antispam_backend = spool2dir
+
+           # mail signature (used with any backend requiring a signature)
+           #antispam_signature = X-DSPAM-Signature
+
+           # action to take on mails without signature
+           # (used with any backend requiring a signature)
+           # (we recommend only setting this to 'move' after verifying that the
+           # whole setup is working)
+           # antispam_signature_missing = move # move silently without training
+           #antispam_signature_missing = error
+
+           # The list of folders for trash, spam and unsure can be given
+           # with three options, e.g. "trash" matches the given folders
+           # exactly as written, "trash_pattern" accept the * wildcard at
+           # the end of the foldername, "trash_pattern_ignorecase"
+           # accepts the * wildcard at the end of the foldername _and_
+           # matches the name case insensitivly.
+
+           # the *-wildcard with the following meaning:
+           #    * at the end: any folder that _start_ with the string
+           # e.g.:
+           #     antispam_trash_pattern = deleted *;Gel&APY-schte *
+           # match any folders that start with "deleted " or "Gelöschte "
+           # match is _case_senstive_!
+           #
+           #     antispam_trash_pattern_ignorecase = deleted *;Gel&APY-schte *
+           # match any folders that start with "deleted " or "gelöschte "
+           # match is _case_insenstive_, except the non-USASCII letters,
+           # "ö" in this example.
+           # To match the upper-case Ö, too, you need to add yet another
+           # pattern "gel&ANY-schte *", note the different UTF7 encoding:
+           # &ANY- instead of &APY-.
+
+
+           # semicolon-separated list of Trash folders (default unset i.e. none)
+           # antispam_trash =
+           # antispam_trash = trash;Trash;Deleted Items; Deleted Messages
+           # antispam_trash_pattern = trash;Trash;Deleted *
+           # antispam_trash_pattern_ignorecase = trash;Deleted *
+           antispam_trash = Trash
+
+           # semicolon-separated list of spam folders
+           antispam_spam = SPAM
+           # antispam_spam_pattern = SPAM
+           # antispam_spam_pattern_ignorecase = SPAM
+
+           # semicolon-separated list of unsure folders (default unset i.e. none)
+           # antispam_unsure =
+           # antispam_unsure_pattern =
+           # antispam_unsure_pattern_ignorecase =
+
+           # Whether to allow APPENDing to SPAM folders or not. Must be set to
+           # "yes" (case insensitive) to be activated. Before activating, please
+           # read the discussion below.
+           # antispam_allow_append_to_spam = no
+
+           ###########################
+           # BACKEND SPECIFIC OPTIONS
+           #
+
+           #===================
+           # dspam plugin
+
+           # dspam binary
+           antispam_dspam_binary = /usr/bin/dspam
+
+           # semicolon-separated list of extra arguments to dspam
+           # (default unset i.e. none)
+           # antispam_dspam_args =
+           # antispam_dspam_args = --deliver=;--user;%u  # % expansion done by dovecot
+           # antispam_dspam_args = --mode=teft
+
+           # Ignore mails where the DSPAM result header contains any of the
+           # strings listed in the blacklist
+           # (default unset i.e. none)
+           # antispam_dspam_result_header = X-DSPAM-Result
+           # semicolon-separated list of blacklisted results, case insensitive
+           # antispam_dspam_result_blacklist = Virus
+
+           # semicolon-separated list of environment variables to set
+           # (default unset i.e. none)
+           # antispam_dspam_env =
+           # antispam_dspam_env = HOME=%h;USER=%u
+
+           #=====================
+           # pipe plugin
+           #
+           # This plug can be used to train via an arbitrary program that
+           # receives the message on standard input. Since sendmail can be
+           # such a program, it can be used to send the message to another
+           # email address for training there.
+           #
+           # For example:
+           #   antispam_pipe_program = /path/to/mailtrain
+           #        (defaults to /usr/sbin/sendmail)
+           #   antispam_pipe_program_args = --for;%u
+           #   antispam_pipe_program_spam_arg = --spam
+           #   antispam_pipe_program_notspam_arg = --ham
+           #   antispam_pipe_tmpdir = /tmp
+           # will call it, for example, like this:
+           #   /path/to/mailtrain --for jberg --spam
+           #
+           # The old configuration options from when this plugin was called
+           # "mailtrain" are still valid, these are, in the same order as
+           # above: antispam_mail_sendmail, antispam_mail_sendmail_args,
+           # antispam_mail_spam, antispam_mail_notspam and antispam_mail_tmpdir.
+           #
+           # Alternatively, if you need to give multiple options, you can use
+           # the spam_args/notspam_args parameters (which are used in preference
+           # of the singular form):
+           #   antispam_pipe_program_spam_args = --spam;--my-other-param1
+           #   antispam_pipe_program_notspam_args = --ham;--my-other-param2
+           # which will then call
+           #   /path/to/mailtrain --for jberg --spam --my-other-param1
+
+           # temporary directory
+           antispam_pipe_tmpdir = /tmp
+
+           # spam/not-spam argument (default unset which will is not what you want)
+           antispam_pipe_program_spam_arg = learn_spam
+           antispam_pipe_program_notspam_arg = learn_ham
+
+           # binary to pipe mail to
+           #antispam_pipe_program = /usr/local/bin/sa-learn-pipe.sh
+           #antispam_pipe_program_args = --dbpath /home/froxlor/mail/spamassassin/%d/%n/bayes # % expansion done by dovecot
+           #antispam_pipe_program_args = -f;%u@example.com # % expansion done by dovecot
+	   antispam_pipe_program = /usr/bin/rspamc
+	   antispam_pipe_program_args = -h;localhost:11334;-P;{{ rspamd_password }}
+
+           #===================
+           # crm114 plugin
+
+           # mailreaver binary
+           antispam_crm_binary = /bin/false
+           # antispam_crm_binary = /usr/share/crm114/mailreaver.crm
+
+           # semicolon-separated list of extra arguments to crm114
+           # (default unset i.e. none)
+           # antispam_crm_args =
+           # antispam_crm_args = --config=/path/to/config
+
+           # semicolon-separated list of environment variables to set
+           # (default unset i.e. none)
+           # antispam_crm_env =
+           # antispam_crm_env = HOME=%h;USER=%u
+
+           # NOTE: you need to set the signature for this backend
+           antispam_signature = X-CRM114-CacheID
+
+           #===================
+           # spool2dir plugin
+
+           # spam/not-spam spool2dir drop (default unset which will give errors)
+           # The first %%lu is replaced by the current time.
+           # The second %%lu is replaced by a counter to generate unique names.
+           # These two tokens MUST be present in the template! However
+           # you can insert any C-style modifier as shown.
+           # antispam_spool2dir_spam    = /tmp/spamspool/%%020lu-%u-%%05lus
+           # antispam_spool2dir_notspam = /tmp/spamspool/%%020lu-%u-%%05luh
+}
diff --git a/roles/dovecot/templates/conf.d/90-quota.conf.j2 b/roles/dovecot/templates/conf.d/90-quota.conf.j2
new file mode 100644
index 0000000..db1f718
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/90-quota.conf.j2
@@ -0,0 +1,80 @@
+##
+## Quota configuration.
+##
+
+# Note that you also have to enable quota plugin in mail_plugins setting.
+# <doc/wiki/Quota.txt>
+
+##
+## Quota limits
+##
+
+# Quota limits are set using "quota_rule" parameters. To get per-user quota
+# limits, you can set/override them by returning "quota_rule" extra field
+# from userdb. It's also possible to give mailbox-specific limits, for example
+# to give additional 100 MB when saving to Trash:
+
+plugin {
+  #quota_rule = *:storage=1G
+  #quota_rule2 = Trash:storage=+100M
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
+}
+
+##
+## Quota warnings
+##
+
+# You can execute a given command when user exceeds a specified quota limit.
+# Each quota root has separate limits. Only the command for the first
+# exceeded limit is excecuted, so put the highest limit first.
+# The commands are executed via script service by connecting to the named
+# UNIX socket (quota-warning below).
+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
+
+plugin {
+  #quota_warning = storage=95%% quota-warning 95 %u
+  #quota_warning2 = storage=80%% quota-warning 80 %u
+}
+
+# Example quota-warning service. The unix listener's permissions should be
+# set in a way that mail processes can connect to it. Below example assumes
+# that mail processes run as vmail user. If you use mode=0666, all system users
+# can generate quota warnings to anyone.
+#service quota-warning {
+#  executable = script /usr/local/bin/quota-warning.sh
+#  user = dovecot
+#  unix_listener quota-warning {
+#    user = vmail
+#  }
+#}
+
+##
+## Quota backends
+##
+
+# Multiple backends are supported:
+#   dirsize: Find and sum all the files found from mail directory.
+#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
+#   dict: Keep quota stored in dictionary (eg. SQL)
+#   maildir: Maildir++ quota
+#   fs: Read-only support for filesystem quota
+
+plugin {
+  #quota = dirsize:User quota
+  #quota = maildir:User quota
+  #quota = dict:User quota::proxy::quota
+  #quota = fs:User quota
+}
+
+# Multiple quota roots are also possible, for example this gives each user
+# their own 100MB quota and one shared 1GB quota within the domain:
+plugin {
+  #quota = dict:user::proxy::quota
+  #quota2 = dict:domain:%d:proxy::quota_domain
+  #quota_rule = *:storage=102400
+  #quota2_rule = *:storage=1048576
+}
diff --git a/roles/dovecot/templates/conf.d/90-sieve.conf.j2 b/roles/dovecot/templates/conf.d/90-sieve.conf.j2
new file mode 100644
index 0000000..a03c3dc
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/90-sieve.conf.j2
@@ -0,0 +1,138 @@
+##
+## Settings for the Sieve interpreter
+##
+
+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
+# by adding it to the respective mail_plugins= settings.
+
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the 
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
+plugin {
+  # The location of the user's main Sieve script or script storage. The LDA
+  # Sieve plugin uses this to find the active script for Sieve filtering at
+  # delivery. The "include" extension uses this location for retrieving
+  # :personal" scripts. This is also where the  ManageSieve service will store
+  # the user's scripts, if supported.
+  # 
+  # Currently only the 'file:' location type supports ManageSieve operation.
+  # Other location types like 'dict:' and 'ldap:' can currently only
+  # be used as a read-only script source ().
+  #
+  # For the 'file:' type: use the ';active=' parameter to specify where the
+  # active script symlink is located.
+  # For other types: use the ';name=' parameter to specify the name of the
+  # default/active script.
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+
+  # The default Sieve script when the user has none. This is the location of a
+  # global sieve script file, which gets executed ONLY if user's personal Sieve
+  # script doesn't exist. Be sure to pre-compile this script manually using the
+  # sievec command line tool if the binary is not stored in a global location.
+  # --> See sieve_before for executing scripts before the user's personal
+  #     script.
+  #sieve_default = /var/lib/dovecot/sieve/default.sieve
+
+  # The name by which the default Sieve script (as configured by the 
+  # sieve_default setting) is visible to the user through ManageSieve. 
+  #sieve_default_name = 
+
+  # Location for ":global" include scripts as used by the "include" extension.
+  #sieve_global =
+
+  # Location Sieve of scripts that need to be executed before the user's
+  # personal script. If a 'file' location path points to a directory, all the 
+  # Sieve scripts contained therein (with the proper `.sieve' extension) are
+  # executed. The order of execution within that directory is determined by the
+  # file names, using a normal 8bit per-character comparison.
+  #
+  # Multiple script locations can be specified by appending an increasing number
+  # to the setting name. The Sieve scripts found from these locations are added
+  # to the script execution sequence in the specified order. Reading the
+  # numbered sieve_before settings stops at the first missing setting, so no
+  # numbers may be skipped.
+  #sieve_before = /var/lib/dovecot/sieve.d/
+  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
+  #sieve_before3 = (etc...)
+
+  # Identical to sieve_before, only the specified scripts are executed after the
+  # user's script (only when keep is still in effect!). Multiple script
+  # locations can be specified by appending an increasing number.
+  #sieve_after =
+  #sieve_after2 =
+  #sieve_after2 = (etc...)
+
+  # Which Sieve language extensions are available to users. By default, all
+  # supported extensions are available, except for deprecated extensions or
+  # those that are still under development. Some system administrators may want
+  # to disable certain Sieve extensions or enable those that are not available
+  # by default. This setting can use '+' and '-' to specify differences relative
+  # to the default. For example `sieve_extensions = +imapflags' will enable the
+  # deprecated imapflags extension in addition to all extensions were already
+  # enabled by default.
+  #sieve_extensions = +notify +imapflags
+
+  # Which Sieve language extensions are ONLY available in global scripts. This
+  # can be used to restrict the use of certain Sieve extensions to administrator
+  # control, for instance when these extensions can cause security concerns.
+  # This setting has higher precedence than the `sieve_extensions' setting
+  # (above), meaning that the extensions enabled with this setting are never
+  # available to the user's personal script no matter what is specified for the
+  # `sieve_extensions' setting. The syntax of this setting is similar to the
+  # `sieve_extensions' setting, with the difference that extensions are
+  # enabled or disabled for exclusive use in global scripts. Currently, no
+  # extensions are marked as such by default.
+  #sieve_global_extensions =
+
+  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
+  # setting, the used plugins can be specified. Check the Dovecot wiki
+  # (wiki2.dovecot.org) or the pigeonhole website
+  # (http://pigeonhole.dovecot.org) for available plugins.
+  # The sieve_extprograms plugin is included in this release.
+  #sieve_plugins =
+
+  # The separator that is expected between the :user and :detail
+  # address parts introduced by the subaddress extension. This may
+  # also be a sequence of characters (e.g. '--'). The current
+  # implementation looks for the separator from the left of the
+  # localpart and uses the first one encountered. The :user part is
+  # left of the separator and the :detail part is right. This setting
+  # is also used by Dovecot's LMTP service.
+  recipient_delimiter = +
+
+  # The maximum size of a Sieve script. The compiler will refuse to compile any
+  # script larger than this limit. If set to 0, no limit on the script size is
+  # enforced.
+  #sieve_max_script_size = 1M
+
+  # The maximum number of actions that can be performed during a single script
+  # execution. If set to 0, no limit on the total number of actions is enforced.
+  #sieve_max_actions = 32
+
+  # The maximum number of redirect actions that can be performed during a single
+  # script execution. If set to 0, no redirect actions are allowed.
+  #sieve_max_redirects = 4
+
+  # The maximum number of personal Sieve scripts a single user can have. If set
+  # to 0, no limit on the number of scripts is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_scripts = 0
+
+  # The maximum amount of disk storage a single user's scripts may occupy. If
+  # set to 0, no limit on the used amount of disk storage is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_storage = 0
+}
diff --git a/roles/dovecot/templates/conf.d/auth-checkpassword-ipa.conf.ext.j2 b/roles/dovecot/templates/conf.d/auth-checkpassword-ipa.conf.ext.j2
new file mode 100644
index 0000000..4eba469
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/auth-checkpassword-ipa.conf.ext.j2
@@ -0,0 +1,21 @@
+# Authentication for checkpassword users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+
+passdb {
+  driver = checkpassword
+  args = /usr/local/bin/checkpassword
+}
+
+# passdb lookup should return also userdb info
+#userdb {
+#  driver = prefetch
+#}
+
+# Standard checkpassword doesn't support direct userdb lookups.
+# If you need checkpassword userdb, the checkpassword must support
+# Dovecot-specific extensions.
+#userdb {
+#  driver = checkpassword
+#  args = /usr/bin/checkpassword
+#}
diff --git a/roles/dovecot/templates/conf.d/auth-ldap-ipa.conf.ext.j2 b/roles/dovecot/templates/conf.d/auth-ldap-ipa.conf.ext.j2
new file mode 100644
index 0000000..149ac8c
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/auth-ldap-ipa.conf.ext.j2
@@ -0,0 +1,25 @@
+# Authentication for LDAP users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.LDAP.txt>
+#
+# Mailboxes are fetched from LDAP cn=mail,cn=accounts,{{ ldap_base }}
+# but authentication is done via master authentication using accounts
+# from cn=users,cn=accounts,{{ ldap_base }}
+
+#auth_master_user_separator = *
+
+#passdb {
+#  driver = ldap
+#  args = /etc/dovecot/dovecot-ldap-ipa-passdb.conf.ext
+#  master = yes
+#}
+
+#passdb {
+#  driver = ldap
+#  args = /etc/dovecot/dovecot-ldap-ipa-passdb.conf.ext
+#}
+
+userdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap-ipa-userdb.conf.ext
+}
diff --git a/roles/dovecot/templates/dovecot-ldap-ipa-userdb.conf.ext.j2 b/roles/dovecot/templates/dovecot-ldap-ipa-userdb.conf.ext.j2
new file mode 100644
index 0000000..22af87c
--- /dev/null
+++ b/roles/dovecot/templates/dovecot-ldap-ipa-userdb.conf.ext.j2
@@ -0,0 +1,104 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/LDAP
+#
+# NOTE: If you're not using authentication binds, you'll need to give
+# dovecot-auth read access to userPassword field in the LDAP server.
+# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
+# already be something like this:
+
+# access to attribute=userPassword
+#        by dn="<dovecot's dn>" read # add this
+#        by anonymous auth
+#        by self write
+#        by * none
+
+# Space separated list of LDAP hosts to use. host:port is allowed too.
+#hosts = 
+
+# LDAP URIs to use. You can use this instead of hosts list. Note that this
+# setting isn't supported by all LDAP libraries.
+uris = {{ ldap_host }}
+
+# Distinguished Name - the username used to login to the LDAP server.
+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
+#dn = 
+
+# Password for LDAP server, if dn is specified.
+#dnpass = 
+
+# Use SASL binding instead of the simple binding. Note that this changes
+# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
+# and auth_bind=yes don't work together.
+#sasl_bind = no
+# SASL mechanism name to use.
+#sasl_mech =
+# SASL realm to use.
+#sasl_realm =
+# SASL authorization ID, ie. the dnpass is for this "master user", but the
+# dn is still the logged in user. Normally you want to keep this empty.
+#sasl_authz_id =
+
+# Use TLS to connect to the LDAP server.
+tls = yes
+# TLS options, currently supported only with OpenLDAP:
+#tls_ca_cert_file = 
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+# TLS cert/key is used only if LDAP server requires a client certificate.
+#tls_cert_file =
+#tls_key_file =
+# Valid values: never, hard, demand, allow, try
+#tls_require_cert =
+
+# Use the given ldaprc path.
+#ldaprc_path =
+
+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
+# to get enough output.
+#debug_level = 0
+
+# LDAP protocol version to use. Likely 2 or 3.
+#ldap_version = 3
+
+# LDAP base. %variables can be used here.
+# For example: dc=mail, dc=example, dc=org
+base = cn=mail,cn=accounts,{{ ldap_base }}
+
+# Dereference: never, searching, finding, always
+#deref = never
+
+# Search scope: base, onelevel, subtree
+scope = subtree
+
+# User attributes are given in LDAP-name=dovecot-internal-name list. The
+# internal names are:
+#   uid - System UID
+#   gid - System GID
+#   home - Home directory
+#   mail - Mail location
+#
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+user_attrs = \
+	   =user=%{ldap:mail}, \
+	   =quota_rule=*:bytes=%{ldap:mailQuota}, \
+	   =uid=999, \
+	   =gid=999, \
+	   =home=/home/vmail/%d/%n
+	   
+
+# Filter for user lookup. Some variables can be used (see
+# http://wiki2.dovecot.org/Variables for full list):
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if user there's no domain
+user_filter = (&(objectClass=mailRecipient)(mail=%u))
+
+# Attributes and filter to get a list of all users
+iterate_attrs = mail=user
+iterate_filter = (objectClass=mailRecipient)
diff --git a/roles/letsencrypt_common/defaults/main.yml b/roles/letsencrypt_common/defaults/main.yml
new file mode 100644
index 0000000..98838db
--- /dev/null
+++ b/roles/letsencrypt_common/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for letsencrypt
+
+letsencrypt_venv: /usr/local/letsencrypt-venv
diff --git a/roles/letsencrypt_common/files/renew-letsencrypt-certs b/roles/letsencrypt_common/files/renew-letsencrypt-certs
new file mode 100644
index 0000000..469a6f1
--- /dev/null
+++ b/roles/letsencrypt_common/files/renew-letsencrypt-certs
@@ -0,0 +1,25 @@
+#!/bin/bash -e
+
+/usr/bin/letsencrypt renew
+
+set +e
+
+if [ -d /etc/nginx ]
+then
+/usr/sbin/service nginx reload
+fi
+
+if [ -d /etc/apache2 ]
+then
+/usr/sbin/service apache2 reload
+fi
+
+for script in /etc/letsencrypt/renewal.d/*
+do
+    if [ -x ${script} ]
+    then
+        ${script}
+    fi
+done
+
+set -e
diff --git a/roles/letsencrypt_common/tasks/main.yml b/roles/letsencrypt_common/tasks/main.yml
new file mode 100644
index 0000000..0817a1c
--- /dev/null
+++ b/roles/letsencrypt_common/tasks/main.yml
@@ -0,0 +1,17 @@
+- apt_repository: repo='deb http://ftp.debian.org/debian jessie-backports main' state=present
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release=='jessie'"
+
+- apt: name='certbot' default_release='jessie-backports' state=present
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release=='jessie'"
+  
+- copy: src='renew-letsencrypt-certs' dest='/usr/local/sbin/renew-letsencrypt-certs' owner='root' group='root' mode='0700'
+
+- file: path='/etc/letsencrypt/renewal.d' owner='root' group='root' mode='0755' state=directory
+  
+- cron:
+    job='/usr/local/sbin/renew-letsencrypt-certs'
+    name='renew-letsencrypt-certs'
+    hour='5'
+    minute='23'
+    weekday='2'
+    state=present
diff --git a/roles/mailman/defaults/main.yml b/roles/mailman/defaults/main.yml
new file mode 100644
index 0000000..cf05c2b
--- /dev/null
+++ b/roles/mailman/defaults/main.yml
@@ -0,0 +1,2 @@
+mailman_dir: /opt/mailman
+mailman_web_dir: /opt/mailman_web
diff --git a/roles/mailman/files/__init__.py b/roles/mailman/files/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/roles/mailman/handlers/main.yml b/roles/mailman/handlers/main.yml
new file mode 100644
index 0000000..3e553e5
--- /dev/null
+++ b/roles/mailman/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart mailman
+  service: name='mailman3' state=restarted
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml
new file mode 100644
index 0000000..85b0cab
--- /dev/null
+++ b/roles/mailman/tasks/main.yml
@@ -0,0 +1,128 @@
+#- name: enable deadsnake repository for python 3.4 (needed for mailman 3.0)
+#  apt_repository: repo='ppa:fkrull/deadsnakes' state=present
+#
+#- name: install python 3.4
+#  apt: name='python3.4' state=present
+#
+#- name: install mailman
+#  pip: name='mailman' virtualenv='{{ mailman_dir }}' virtualenv_python='python3.4' version='3.0.3' state=present
+
+- name: install python3 stuff
+  apt: name='{{ item }}' state=present
+  with_items:
+    - python3-virtualenv
+    - python3-pip
+    - virtualenv
+
+- name: install mailman
+  pip: name='mailman' virtualenv='{{ mailman_dir }}' virtualenv_python='python3.5' version='3.1' state=present
+
+- name: install mailman-hyperkitty backend
+  pip: name='mailman-hyperkitty' virtualenv='{{ mailman_dir }}' virtualenv_python='python3.5' version='1.1.0' state=present
+  
+- template: src='mailman3.service.j2' dest='/lib/systemd/system/mailman3.service' owner='root' group='root' mode='0644'
+
+- group: name='mailman' system=yes state=present
+
+- user: name='mailman' group='mailman' system=yes home='/var/lib/mailman' shell='/bin/false' state=present
+
+- file: path='{{ item }}' owner='mailman' group='mailman' mode='2775' state=directory
+  with_items:
+    - '/var/run/mailman'
+    - '/var/lib/mailman'
+    - '/var/spool/mailman'
+    - '/var/lock/mailman'
+    - '/var/log/mailman'
+
+- template: src='mailman.cfg.j2' dest='/etc/mailman.cfg' owner='root' group='mailman' mode='0640'
+  notify: restart mailman
+
+- template: src='mailman-hyperkitty.cfg.j2' dest='/etc/mailman-hyperkitty.cfg' owner='root' group='mailman' mode='0640'
+  notify: restart mailman
+
+- systemd: name='mailman3' daemon_reload=yes enabled=yes state=started
+  
+- meta: flush_handlers
+
+- systemd: name='mailman3' enabled=yes state=started
+
+- name: install python 2.7 headers
+  apt: name='python2.7-dev' state=present
+#- name: install python 3.5 headers
+#  apt: name='python3.5-dev' state=present
+  
+- name: install postorius web gui
+  pip: name='postorius' virtualenv='{{ mailman_web_dir }}' virtualenv_python='python2.7' version='1.1.0' state=present
+#- name: install postorius web gui
+#  pip: name='postorius' virtualenv='{{ mailman_web_dir }}' virtualenv_python='python3.5' version='1.1.0' state=present
+
+- name: install hyperkitty web gui
+  pip: name='hyperkitty' virtualenv='{{ mailman_web_dir }}' virtualenv_python='python2.7' version='1.1.0' state=present
+#- name: install hyperkitty web gui
+#  pip: name='hyperkitty' virtualenv='{{ mailman_web_dir }}' virtualenv_python='python3.5' version='1.1.0' state=present
+
+- apt: name='{{ item }}' state=present
+  with_items:
+    - 'libmysqlclient-dev'
+    - 'pysassc'
+
+- file: path='/usr/bin/sassc' src='/usr/bin/pysassc' state=link
+  
+- name: install libs
+  pip: name='{{ item }}' virtualenv='{{ mailman_web_dir }}' virtualenv_python='python2.7' state=present
+  with_items:
+    - 'django-mailman3'
+  #  - 'mysqlclient'
+  
+- name: mailman web root
+  file: path='/var/www/mailman_web' owner='root' group='mailman' mode='0755' state=directory
+
+- name: mailman web log
+  file: path='/var/www/mailman_web/logs' owner='root' group='mailman' mode='0775' state=directory
+  
+- name: mailman web public root
+  file: path='/var/www/mailman_web/public' owner='root' group='mailman' mode='0755' state=directory
+
+- name: mailman web tmp dir
+  file: path='/var/www/mailman_web/tmp' owner='root' group='mailman' mode='0755' state=directory
+  
+- name: django project settings
+  template: src='web/settings.py.j2' dest='/var/www/mailman_web/settings.py' owner='root' group='mailman' mode='0640'
+  
+- name: django project urls
+  template: src='web/urls.py.j2' dest='/var/www/mailman_web/urls.py' owner='root' group='mailman' mode='0644'
+
+- name: django project wsgi
+  template: src='web/wsgi.py.j2' dest='/var/www/mailman_web/wsgi.py' owner='root' group='mailman' mode='0644'
+
+- name: django project settingswsgi
+  template: src='web/passenger_wsgi.py.j2' dest='/var/www/mailman_web/passenger_wsgi.py' owner='mailman' group='mailman' mode='0644'
+
+- name: django project init
+  copy: src='__init__.py' dest='/var/www/mailman_web/__init__.py' owner='root' group='mailman' mode='0644'
+  
+- name: django project manage.py
+  template: src='web/manage.py.j2' dest='/var/www/mailman_web/manage.py' owner='root' group='mailman' mode='0755'
+
+- name: django my.cnf
+  template: src='web/my.cnf.j2' dest='/var/www/mailman_web/my.cnf' owner='root' group='mailman' mode='0640'
+  when: mailman.mysql_host | default(False)
+
+#- mysql_db: name='{{ mailman.mysql_db }}' state=present
+#  delegate_to: '{{ mailman.mysql_host }}'
+  
+#- mysql_user: name='{{ mailman.mysql_user }}' password='{{ mailman.mysql_password }}' host='{{ ansible_host }}' priv='{{ mailman.mysql_db }}.*:ALL' state=present
+#  delegate_to: '{{ mailman.mysql_host }}'
+
+- django_manage: app_path='/var/www/mailman_web' virtualenv='{{ mailman_web_dir }}' command='migrate'
+  become: yes
+  become_user: mailman
+
+- django_manage: app_path='/var/www/mailman_web' virtualenv='{{ mailman_web_dir }}' command='collectstatic'
+  become: yes
+  become_user: mailman
+
+  
+# todo: sqlite is the way to go (currently)
+# todo: cronjobs?
+# todo: hyperkitty everything
diff --git a/roles/mailman/templates/mailman-hyperkitty.cfg.j2 b/roles/mailman/templates/mailman-hyperkitty.cfg.j2
new file mode 100644
index 0000000..f819c20
--- /dev/null
+++ b/roles/mailman/templates/mailman-hyperkitty.cfg.j2
@@ -0,0 +1,11 @@
+# This is the mailman extension configuration file to enable HyperKitty as an
+# archiver. Remember to add the following lines in the mailman.cfg file:
+#
+# [archiver.hyperkitty]
+# class: mailman_hyperkitty.Archiver
+# enable: yes
+# configuration: /path/to/here/hyperkitty.cfg
+#
+[general]
+base_url: http://127.0.0.1:8000/archives
+api_key: SecretArchiverAPIKey
\ No newline at end of file
diff --git a/roles/mailman/templates/mailman.cfg.j2 b/roles/mailman/templates/mailman.cfg.j2
new file mode 100644
index 0000000..fbcaea7
--- /dev/null
+++ b/roles/mailman/templates/mailman.cfg.j2
@@ -0,0 +1,65 @@
+# This is the absolute bare minimum base configuration file.  User supplied
+# configurations are pushed onto this.
+
+[mailman]
+# This address is the "site owner" address.  Certain messages which must be
+# delivered to a human, but which can't be delivered to a list owner (e.g. a
+# bounce from a list owner), will be sent to this address.  It should point to
+# a human.
+site_owner: {{ admin_mail }}
+layout: here
+
+[paths.here]
+bin_dir: /opt/mailman/bin
+var_dir: /var/lib/mailman
+queue_dir: /var/spool/mailman
+log_dir: /var/log/mailman
+lock_dir: /var/lock/mailman
+etc_dir: /etc
+#ext_dir: /etc/mailman.d
+pid_file: /var/run/mailman/mailman.pid
+
+#[database]
+#class: mailman.database.postgresql.PostgreSQLDatabase
+#url: postgres://mailman:mailman-db-password@localhost/mailman
+
+[archiver.hyperkitty]
+class: mailman_hyperkitty.Archiver
+enable: yes
+configuration: /etc/mailman-hyperkitty.cfg
+
+[archiver.prototype]
+enable: yes
+
+[webservice]
+# The hostname at which admin web service resources are exposed.
+hostname: localhost
+
+# The port at which the admin web service resources are exposed.
+port: 8001
+
+# Whether or not requests to the web service are secured through SSL.
+use_https: no
+
+# Whether or not to show tracebacks in an HTTP response for a request that
+# raised an exception.
+#show_tracebacks: yes
+
+# The API version number for the current (highest) API.
+#api_version: 3.0
+
+# The administrative username.
+admin_user: {{ mailman.rest_user }}
+
+# The administrative password.
+admin_pass: {{ mailman.rest_password }}
+
+
+[mta]
+incoming: mailman.mta.postfix.LMTP
+outgoing: mailman.mta.deliver.deliver
+lmtp_host: 127.0.0.1
+lmtp_port: 8024
+smtp_host: localhost
+smtp_port: 25
+configuration: python:mailman.config.postfix
diff --git a/roles/mailman/templates/mailman3.service.j2 b/roles/mailman/templates/mailman3.service.j2
new file mode 100644
index 0000000..3c4f8ea
--- /dev/null
+++ b/roles/mailman/templates/mailman3.service.j2
@@ -0,0 +1,28 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades.  If you want to customize, the
+# best way is to create a file "/etc/systemd/system/mailman3.service",
+# containing
+#       .include /usr/lib/systemd/system/mailman3.service
+#       ...make your changes here...
+# For more info about custom unit files, see
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+
+
+[Unit]
+Description=GNU Mailing List Manager
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/mailman/mailman.pid
+User=mailman
+Group=mailman
+ExecStartPre=-/bin/mkdir /var/run/mailman
+ExecStartPre=/bin/chown -R mailman:mailman /var/run/mailman
+ExecStartPre=/bin/chmod 2775 /var/run/mailman
+ExecStart={{ mailman_dir }}/bin/mailman start
+ExecReload={{ mailman_dir }}/bin/mailman restart
+ExecStop={{ mailman_dir }}/bin/mailman stop
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/mailman/templates/web/manage.py.j2 b/roles/mailman/templates/web/manage.py.j2
new file mode 100644
index 0000000..d6c2dc2
--- /dev/null
+++ b/roles/mailman/templates/web/manage.py.j2
@@ -0,0 +1,11 @@
+#!{{ mailman_web_dir }}/bin/python
+import os
+import sys
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "settings")
+
+    from django.core.management import execute_from_command_line
+
+    execute_from_command_line(sys.argv)
+
diff --git a/roles/mailman/templates/web/my.cnf.j2 b/roles/mailman/templates/web/my.cnf.j2
new file mode 100644
index 0000000..30b7471
--- /dev/null
+++ b/roles/mailman/templates/web/my.cnf.j2
@@ -0,0 +1,6 @@
+[client]
+host = {{ mailman.mysql_host }}
+database = {{ mailman.mysql_db }}
+user = {{ mailman.mysql_user }}
+password = {{ mailman.mysql_password }}
+default-character-set = utf8
diff --git a/roles/mailman/templates/web/passenger_wsgi.py.j2 b/roles/mailman/templates/web/passenger_wsgi.py.j2
new file mode 100644
index 0000000..20ed9f8
--- /dev/null
+++ b/roles/mailman/templates/web/passenger_wsgi.py.j2
@@ -0,0 +1,2 @@
+import wsgi
+application = wsgi.application
diff --git a/roles/mailman/templates/web/settings.py.j2 b/roles/mailman/templates/web/settings.py.j2
new file mode 100644
index 0000000..7170a02
--- /dev/null
+++ b/roles/mailman/templates/web/settings.py.j2
@@ -0,0 +1,447 @@
+#-*- coding: utf-8 -*-
+"""
+Django settings for HyperKitty + Postorius
+"""
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+import os
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+#VAR_DIR = os.path.join(BASE_DIR, "..", "var")
+
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = '{{ mailman.django_secret_key }}'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = False
+
+ADMINS = (
+     ('Mailman Admin', 'root@localhost'),
+)
+
+SITE_ID = 1
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+ALLOWED_HOSTS = [
+    "localhost",  # Archiving API from Mailman, keep it.
+{% for domain in mailman.domains %}
+    "{{ domain }}",
+{% endfor %}
+]
+
+# Mailman API credentials
+MAILMAN_REST_API_URL = 'http://localhost:8001'
+MAILMAN_REST_API_USER = '{{ mailman.rest_user }}'
+MAILMAN_REST_API_PASS = '{{ mailman.rest_password }}'
+MAILMAN_ARCHIVER_KEY = '{{ mailman.archiver_key }}'
+MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
+
+# CSS theme for postorius
+MAILMAN_THEME = "default"
+
+# Application definition
+
+INSTALLED_APPS = (
+    'hyperkitty',
+    'django_mailman3',
+    # Uncomment the next line to enable the admin:
+    'django.contrib.admin',
+    # Uncomment the next line to enable admin documentation:
+    # 'django.contrib.admindocs',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.sites',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'rest_framework',
+    'django_gravatar',
+    'paintstore',
+    'compressor',
+    'haystack',
+    'django_extensions',
+    'allauth',
+    'allauth.account',
+    'allauth.socialaccount',
+    #'django_mailman3.lib.auth.fedora',
+    #'allauth.socialaccount.providers.openid',
+    #'allauth.socialaccount.providers.github',
+    #'allauth.socialaccount.providers.gitlab',
+    #'allauth.socialaccount.providers.google',
+    ##'allauth.socialaccount.providers.facebook',
+    #'allauth.socialaccount.providers.twitter',
+    #'allauth.socialaccount.providers.stackexchange',
+    'postorius',
+)
+
+MIDDLEWARE_CLASSES = (
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.middleware.locale.LocaleMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
+    'django_mailman3.middleware.TimezoneMiddleware',
+    'postorius.middleware.PostoriusMiddleware',
+)
+
+ROOT_URLCONF = 'urls'
+
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.i18n',
+                'django.template.context_processors.media',
+                'django.template.context_processors.static',
+                'django.template.context_processors.tz',
+                'django.template.context_processors.csrf',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+                'django_mailman3.context_processors.common',
+                #'hyperkitty.context_processors.common',
+	        'postorius.context_processors.postorius',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+
+{% if mailman.mysql_host | default(False) %}
+DATABASES = {
+    'default': {
+	'ENGINE': 'django.db.backends.mysql',
+	'OPTIONS': {
+	  'read_default_file': os.path.join(BASE_DIR, 'my.cnf'),
+	},
+    }
+}
+{% else %}
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.sqlite3',
+        'NAME': 'mailman.db',
+    }
+}
+{% endif %}
+
+# If you're behind a proxy, use the X-Forwarded-Host header
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+# USE_X_FORWARDED_HOST = True
+
+# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
+
+# Other security settings
+# SECURE_SSL_REDIRECT = True
+# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+# contains at least this line:
+# SECURE_REDIRECT_EXEMPT = [
+#     "archives/api/mailman/.*",  # Request from Mailman.
+#     ]
+# SESSION_COOKIE_SECURE = True
+# SECURE_CONTENT_TYPE_NOSNIFF = True
+# SECURE_BROWSER_XSS_FILTER = True
+# CSRF_COOKIE_SECURE = True
+# CSRF_COOKIE_HTTPONLY = True
+# X_FRAME_OPTIONS = 'DENY'
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.8/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'Europe/Berlin'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/1.8/howto/static-files/
+
+# Absolute path to the directory static files should be collected to.
+# Don't put anything in this directory yourself; store your static files
+# in apps' "static/" subdirectories and in STATICFILES_DIRS.
+# Example: "/var/www/example.com/static/"
+STATIC_ROOT = os.path.join(BASE_DIR, 'public', 'static')
+
+# URL prefix for static files.
+# Example: "http://example.com/static/", "http://static.example.com/"
+STATIC_URL = '/static/'
+
+# Additional locations of static files
+STATICFILES_DIRS = (
+    # Put strings here, like "/home/html/static" or "C:/www/django/static".
+    # Always use forward slashes, even on Windows.
+    # Don't forget to use absolute paths, not relative paths.
+    # BASE_DIR + '/static/',
+)
+
+# List of finder classes that know how to find static files in
+# various locations.
+STATICFILES_FINDERS = (
+    'django.contrib.staticfiles.finders.FileSystemFinder',
+    'django.contrib.staticfiles.finders.AppDirectoriesFinder',
+    # 'django.contrib.staticfiles.finders.DefaultStorageFinder',
+    'compressor.finders.CompressorFinder',
+)
+
+# Django 1.6+ defaults to a JSON serializer, but it won't work with
+# django-openid, see
+# https://bugs.launchpad.net/django-openid-auth/+bug/1252826
+SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
+
+
+LOGIN_URL = 'account_login'
+LOGIN_REDIRECT_URL = 'hk_root'
+LOGOUT_URL = 'account_logout'
+
+
+# If you enable internal authentication, this is the address that the emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+DEFAULT_FROM_EMAIL = "{{ admin_mail }}"
+
+# If you enable email reporting for error messages, this is where those emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+SERVER_EMAIL = '{{ admin_mail }}'
+
+
+# Compatibility with Bootstrap 3
+from django.contrib.messages import constants as messages  # flake8: noqa
+MESSAGE_TAGS = {
+    messages.ERROR: 'danger'
+}
+
+
+#
+# Social auth
+#
+AUTHENTICATION_BACKENDS = (
+    'django.contrib.auth.backends.ModelBackend',
+    'allauth.account.auth_backends.AuthenticationBackend',
+)
+
+# Django Allauth
+ACCOUNT_AUTHENTICATION_METHOD = "username_email"
+ACCOUNT_EMAIL_REQUIRED = True
+ACCOUNT_EMAIL_VERIFICATION = "mandatory"
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+ACCOUNT_UNIQUE_EMAIL  = True
+
+SOCIALACCOUNT_PROVIDERS = {
+    'openid': {
+        'SERVERS': [
+            dict(id='yahoo',
+                 name='Yahoo',
+                 openid_url='http://me.yahoo.com'),
+        ],
+    },
+    'google': {
+        'SCOPE': ['profile', 'email'],
+        'AUTH_PARAMS': {'access_type': 'online'},
+    },
+    'facebook': {
+       'METHOD': 'oauth2',
+       'SCOPE': ['email'],
+       'FIELDS': [
+           'email',
+           'name',
+           'first_name',
+           'last_name',
+           'locale',
+           'timezone',
+           ],
+       'VERSION': 'v2.4',
+    },
+}
+
+
+
+# Password validation
+# https://docs.djangoproject.com/en/1.9/ref/settings/#auth-password-validators
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+#
+# Gravatar
+# https://github.com/twaddington/django-gravatar
+#
+# Gravatar base url.
+#GRAVATAR_URL = 'http://cdn.libravatar.org/'
+# Gravatar base secure https url.
+#GRAVATAR_SECURE_URL = 'https://seccdn.libravatar.org/'
+# Gravatar size in pixels.
+# GRAVATAR_DEFAULT_SIZE = '80'
+# An image url or one of the following: 'mm', 'identicon', 'monsterid',
+# 'wavatar', 'retro'.
+# GRAVATAR_DEFAULT_IMAGE = 'mm'
+# One of the following: 'g', 'pg', 'r', 'x'.
+#GRAVATAR_DEFAULT_RATING = 'g'
+# True to use https by default, False for plain http.
+#GRAVATAR_DEFAULT_SECURE = True
+
+#
+# django-compressor
+# https://pypi.python.org/pypi/django_compressor
+#
+COMPRESS_PRECOMPILERS = (
+   ('text/less', 'lessc {infile} {outfile}'),
+   ('text/x-scss', 'sassc -t compressed {infile} {outfile}'),
+   ('text/x-sass', 'sassc -t compressed {infile} {outfile}'),
+)
+# On a production setup, setting COMPRESS_OFFLINE to True will bring a
+# significant performance improvement, as CSS files will not need to be
+# recompiled on each requests. It means running an additional "compress"
+# management command after each code upgrade.
+# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
+# COMPRESS_OFFLINE = True
+
+# Needed for debug mode
+# INTERNAL_IPS = ('127.0.0.1',)
+
+
+#
+# Full-text search engine
+#
+HAYSTACK_CONNECTIONS = {
+    'default': {
+        'ENGINE': 'haystack.backends.whoosh_backend.WhooshEngine',
+        'PATH': os.path.join(BASE_DIR, "fulltext_index"),
+        # You can also use the Xapian engine, it's faster and more accurate,
+        # but requires another library.
+        # http://django-haystack.readthedocs.io/en/v2.4.1/installing_search_engines.html#xapian
+        # Example configuration for Xapian:
+        #'ENGINE': 'xapian_backend.XapianEngine'
+    },
+}
+
+
+# A sample logging configuration. The only tangible logging
+# performed by this configuration is to send an email to
+# the site admins on every HTTP 500 error when DEBUG=False.
+# See http://docs.djangoproject.com/en/dev/topics/logging for
+# more details on how to customize your logging configuration.
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'filters': {
+        'require_debug_false': {
+            '()': 'django.utils.log.RequireDebugFalse'
+        }
+    },
+    'handlers': {
+        'mail_admins': {
+            'level': 'ERROR',
+            'filters': ['require_debug_false'],
+            'class': 'django.utils.log.AdminEmailHandler'
+        },
+        'file':{
+            'level': 'INFO',
+            #'class': 'logging.handlers.RotatingFileHandler',
+            'class': 'logging.handlers.WatchedFileHandler',
+            'filename': os.path.join(BASE_DIR, 'logs', 'django.log'),
+            'formatter': 'verbose',
+        },
+    },
+    'loggers': {
+        'django.request': {
+            'handlers': ['mail_admins', 'file'],
+            'level': 'ERROR',
+            'propagate': True,
+        },
+        'django': {
+            'handlers': ['file'],
+            'level': 'ERROR',
+            'propagate': True,
+        },
+        'hyperkitty': {
+            'handlers': ['file'],
+            'level': 'DEBUG',
+            'propagate': True,
+        },
+    },
+    'formatters': {
+        'verbose': {
+            'format': '%(levelname)s %(asctime)s %(process)d %(name)s %(message)s'
+        },
+        'simple': {
+            'format': '%(levelname)s %(message)s'
+        },
+    },
+    #'root': {
+    #    'handlers': ['file'],
+    #    'level': 'INFO',
+    #},
+}
+
+
+# Using the cache infrastructure can significantly improve performance on a
+# production setup. This is an example with a local Memcached server.
+#CACHES = {
+#    'default': {
+#        'BACKEND': 'django.core.cache.backends.memcached.PyLibMCCache',
+#        'LOCATION': '127.0.0.1:11211',
+#    }
+#}
+
+
+# When DEBUG is True, don't actually send emails to the SMTP server, just store
+# them in a directory. This way you won't accidentally spam your mailing-lists
+# while you're fiddling with the code.
+if DEBUG == True:
+    EMAIL_BACKEND = 'django.core.mail.backends.filebased.EmailBackend'
+    EMAIL_FILE_PATH = os.path.join(BASE_DIR, 'emails')
+
+
+#
+# HyperKitty-specific
+#
+
+# Only display mailing-lists from the same virtual host as the webserver
+FILTER_VHOST = False
+
+USE_MOCKUPS = False
+
+try:
+    from settings_local import *
+except ImportError:
+    pass
\ No newline at end of file
diff --git a/roles/mailman/templates/web/urls.py.j2 b/roles/mailman/templates/web/urls.py.j2
new file mode 100644
index 0000000..20f1a4f
--- /dev/null
+++ b/roles/mailman/templates/web/urls.py.j2
@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
+#
+# This file is part of HyperKitty.
+#
+# HyperKitty is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# HyperKitty is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# HyperKitty.  If not, see <http://www.gnu.org/licenses/>.
+"""
+This file is the main URL config for a Django website including HyperKitty.
+"""
+from django.conf.urls import include, url
+from django.core.urlresolvers import reverse_lazy
+from django.views.generic import RedirectView
+from django.contrib import admin
+urlpatterns = [
+    url(r'^$', RedirectView.as_view(
+        url=reverse_lazy('hk_root'))),
+    url(r'^hyperkitty/', include('hyperkitty.urls')),
+    url(r'^postorius/', include('postorius.urls')),
+    url(r'', include('django_mailman3.urls')),
+    url(r'^accounts/', include('allauth.urls')),
+    # Django admin
+    url(r'^admin/', include(admin.site.urls)),
+]
diff --git a/roles/mailman/templates/web/wsgi.py.j2 b/roles/mailman/templates/web/wsgi.py.j2
new file mode 100644
index 0000000..0a62ee4
--- /dev/null
+++ b/roles/mailman/templates/web/wsgi.py.j2
@@ -0,0 +1,4 @@
+import os
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "settings")
+from django.core.wsgi import get_wsgi_application
+application = get_wsgi_application()
\ No newline at end of file
diff --git a/roles/passenger_common/tasks/main.yml b/roles/passenger_common/tasks/main.yml
new file mode 100644
index 0000000..c29d191
--- /dev/null
+++ b/roles/passenger_common/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: add passenger key
+  apt_key: keyserver='hkp://keyserver.ubuntu.com:80' id='561F9B9CAC40B2F7' state=present
+
+- name: add apt requirements for passenger
+  apt: name='{{ item }}' state=present
+  with_items:
+    - apt-transport-https
+    - ca-certificates
+  
+- name: add passenger repository
+  apt_repository: repo='deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ ansible_distribution_release }} main' state=present
+  when: "ansible_distribution == 'Ubuntu'"
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..6e78fb9
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: reload postfix
+  service: name='postfix' state=reloaded
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..2be2208
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,29 @@
+- apt: name='{{ item }}' state=present
+  with_items:
+    - 'postfix'
+    - 'postfix-ldap'
+    - 'mailutils'
+
+- name: create diffie-hellman parameters
+  command: /usr/bin/openssl dhparam -out /etc/postfix/dh2048.pem 2048 creates='/etc/postfix/dh2048.pem'
+  
+- file: path='/etc/postfix/ldap' owner='root' group='root' mode='0755' state=directory
+
+- template: src='{{ item }}.j2' dest='/etc/postfix/{{ item }}' owner='root' group='root' mode='0644'
+  with_items:
+    - 'main.cf'
+    - 'master.cf'
+  notify: reload postfix
+
+- template: src='{{ item }}.j2' dest='/etc/postfix/{{ item }}' owner='root' group='root' mode='0644'
+  with_items:
+    - 'ldap/virtual_mailbox_domains.cf'
+    - 'ldap/virtual_mailbox_maps.cf'
+    - 'ldap/virtual_alias_maps.cf'
+  notify: reload postfix
+  
+- service: name='postfix' enabled=yes state=started
+
+- meta: flush_handlers
+
+- service: name='postfix' state=started
diff --git a/roles/postfix/templates/ldap/virtual_alias_maps.cf.j2 b/roles/postfix/templates/ldap/virtual_alias_maps.cf.j2
new file mode 100644
index 0000000..a7ceca1
--- /dev/null
+++ b/roles/postfix/templates/ldap/virtual_alias_maps.cf.j2
@@ -0,0 +1,4 @@
+server_host = {{ ldap_host }}
+search_base = cn=%d,cn=mail,cn=accounts,{{ ldap_base }}
+query_filter = (&(mail=%s)(objectClass=mailGroup))
+result_attribute = mailRoutingAddress
diff --git a/roles/postfix/templates/ldap/virtual_mailbox_domains.cf.j2 b/roles/postfix/templates/ldap/virtual_mailbox_domains.cf.j2
new file mode 100644
index 0000000..512bef5
--- /dev/null
+++ b/roles/postfix/templates/ldap/virtual_mailbox_domains.cf.j2
@@ -0,0 +1,5 @@
+server_host = {{ ldap_host }}
+search_base = cn=mail,cn=accounts,{{ ldap_base }}
+query_filter = (&(cn=%s)(objectClass=inetDomain))
+result_attribute = cn
+scope = sub
\ No newline at end of file
diff --git a/roles/postfix/templates/ldap/virtual_mailbox_maps.cf.j2 b/roles/postfix/templates/ldap/virtual_mailbox_maps.cf.j2
new file mode 100644
index 0000000..57823b7
--- /dev/null
+++ b/roles/postfix/templates/ldap/virtual_mailbox_maps.cf.j2
@@ -0,0 +1,4 @@
+server_host = {{ ldap_host }}
+search_base = cn=%d,cn=mail,cn=accounts,{{ ldap_base }}
+query_filter = (&(mail=%s)(objectClass=mailRecipient))
+result_attribute = mail
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..bbc4c7f
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,790 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing.  When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+#queue_directory = /var/spool/postfix
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+#command_directory = /usr/sbin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+#daemon_directory = /usr/lib/postfix
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+#data_directory = /var/lib/postfix
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes.  Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+#mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+# 
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+#
+#myhostname = host.domain.tld
+#myhostname = virtual.domain.tld
+myhostname = {{ mailname }}
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+#
+#mydomain = domain.tld
+mydomain = {{ mailname }}
+
+# SENDING MAIL
+# 
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites.  If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+# Debian GNU/Linux specific:  Specifying a file name will cause the
+# first line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#
+#myorigin = /etc/mailname
+#myorigin = $myhostname
+#myorigin = $mydomain
+myorigin = {{ mailname }}
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on.  By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain.  On a mail domain
+# gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+#
+#mydestination = $myhostname, localhost.$mydomain, localhost
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
+#	mail.$mydomain, www.$mydomain, ftp.$mydomain
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+#   For example, you define $mydestination domain recipients in    
+#   the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+#   feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+# 
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+local_recipient_maps = hash:/var/lib/mailman/data/postfix_lmtp
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+
+# TRUST AND RELAY CONTROL
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix.  See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
+# clients in the same IP subnetworks as the local machine.
+# On Linux, this does works correctly only with interfaces specified
+# with the "ifconfig" command.
+# 
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network.  Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#  
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+# 
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+#mynetworks = 168.100.189.0/28, 127.0.0.0/8
+#mynetworks = $config_directory/mynetworks
+#mynetworks = hash:/etc/postfix/network_table
+mynetworks = 127.0.0.0/8, 172.16.0.0/12
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to.  See the smtpd_recipient_restrictions description in
+# postconf(5) for detailed information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+#   subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is $mydestination.
+# 
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+# 
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace.  Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+relay_domains = $mydestination hash:/var/lib/mailman/data/postfix_domains
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+#
+#relayhost = $mydomain
+#relayhost = [gateway.my.domain]
+#relayhost = [mailserver.isp.tld]
+#relayhost = uucphost
+#relayhost = [an.ip.add.ress]
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+# 
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+# 
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+# 
+# Specify 0 to disable the feature. Valid delays are 0..10.
+# 
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+# 
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible.  Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+#alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi".  This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+#alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+recipient_delimiter = +
+owner_request_special = no
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+ 
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception:  delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /usr/bin/procmail
+#mailbox_command = /usr/bin/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/file/name
+#fallback_transport = cyrus
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients.  By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+  
+# JUNK MAIL CONTROLS
+# 
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+# 
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+# 
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+# 
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter.  The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+#debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+#debugger_command =
+#	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+#	 ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+#	echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+#	>$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen sesssion, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+#	-dmS $process_name gdb $daemon_directory/$process_name
+#	$process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+# 
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+# 
+sendmail_path = /usr/sbin/sendmail 
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# mailq_path: The full pathname of the Postfix mailq command.  This
+# is the Sendmail-compatible mail queue listing command.
+# 
+mailq_path = /usr/bin/mailq
+
+# setgid_group: The group for mail submission and queue management
+# commands.  This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /usr/share/doc/postfix
+
+# readme_directory: The location of the Postfix README files.
+#
+#readme_directory = /usr/share/doc/postfix
+readme_directory = no
+
+inet_protocols = ipv4, ipv6
+
+append_dot_mydomain = no
+biff = no
+#smtpd_helo_required = yes
+#smtpd_recipient_restrictions = permit_mynetworks,
+#	permit_sasl_authenticated,
+#	reject_unauth_destination,
+#	reject_unauth_pipelining,
+#	reject_non_fqdn_recipient,
+#	check_policy_service inet:127.0.0.1:2501
+#smtpd_sender_restrictions = permit_mynetworks,
+#	reject_sender_login_mismatch,
+#	permit_sasl_authenticated, 
+##	reject_unknown_helo_hostname, 
+#	reject_unknown_recipient_domain, 
+#	reject_unknown_sender_domain
+#smtpd_client_restrictions = permit_mynetworks,
+#	permit_sasl_authenticated,
+#	check_client_access hash:/etc/postfix/smtpd_client_whitelist,
+##	reject_unknown_reverse_client_hostname
+##	reject_unknown_client_hostname  -- disabled due to high rejects of HAM - replaced with reject_unknown_reverse_client_hostname
+
+# Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
+# The option is intentionally left empty.
+#smtpd_relay_restrictions = 
+
+# Maximum size of Message in bytes (50MB)
+message_size_limit = 52428800
+
+## SASL Auth Settings
+#smtpd_sasl_auth_enable = yes
+#smtpd_sasl_local_domain = $myhostname
+#broken_sasl_auth_clients = yes
+## Dovecot Settings for deliver, SASL Auth and virtual transport
+#smtpd_sasl_type = dovecot
+#virtual_transport = dovecot
+#mailbox_transport = lmtp:unix:private/dovecot-lmtp
+#dovecot_destination_recipient_limit = 1
+#smtpd_sasl_path = private/auth
+
+# Virtual delivery settings
+#virtual_mailbox_base = /home/vmailv
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
+virtual_mailbox_domains = ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
+#hash:/etc/postfix/virtual_mailbox_domains
+virtual_alias_maps = ldap:/etc/postfix/ldap/virtual_alias_maps.cf
+#smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
+#virtual_uid_maps = static:2000
+#virtual_gid_maps = static:2000
+
+# Local delivery settings
+#local_transport = local
+#alias_maps = $alias_database
+
+# Default Mailbox size, is set to 0 which means unlimited!
+mailbox_size_limit = 0
+virtual_mailbox_limit = 0
+
+### TLS settings
+###
+## TLS for outgoing mails from the server to another server
+# Manual high cipherlist because Postfix's is crappy
+tls_high_cipherlist = HIGH:MEDIUM:!ADH:!RC4:!aNULL:!MD5:!DSS:!DES:!3DES:!SEED:!kRSA
+tls_preempt_cipherlist = yes
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+## TLS for email client
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mailname }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ mailname }}/privkey.pem
+#smtpd_tls_CAfile = 
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
+smtp_tls_loglevel = 1
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+### Milters
+###
+#smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
+#milter_connect_macros = j {daemon_name} v {if_name} _
+
+smtpd_milters = inet:127.0.0.1:11335
+# or for TCP socket
+# smtpd_milters = inet:localhost:9900
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+# skip mail without checks if milter will die
+milter_default_action = accept
+
+
+
+#transport_maps = hash:/etc/postfix/transport
+transport_maps = hash:/var/lib/mailman/data/postfix_lmtp
+
+
+
+#mailman_destination_recipient_limit = 1
+
+
+delay_warning_time = 4h
+
+
+
+#mua_client_restrictions = permit_sasl_authenticated, reject
+#mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
+#mua_helo_restrictions =
+
+compatibility_level = 3
+
+# Definitions used in master.cf due to Postfix master.cf whitespacing limitations
+#custom_recipient_restriction_rmilter = check_policy_service inet:127.0.0.1:11333
\ No newline at end of file
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2
new file mode 100644
index 0000000..e9cc852
--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,142 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       -       -       -       smtpd
+  -o smtpd_tls_security_level=may
+  # If smtpd_tls_security_level=may, explicitly forbid AUTH over non-authenticated connections
+  -o smtpd_tls_auth_only=yes
+  # Spam blocking
+  -o smtpd_helo_required=yes
+  -o smtpd_helo_restrictions=reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname
+  -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unauth_destination
+  #,$custom_recipient_restriction_rmilter
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+submission inet n       -       -       -       -       smtpd
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_sasl_path=private/auth
+  -o smtpd_sasl_security_options=noanonymous
+  -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_relay_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
+#  -o smtpd_milters=unix:/var/run/rmilter/rmilter.sock
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       -       -       -       qmqpd
+pickup    unix  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+#scalemail-backend unix	-	n	n	-	2	pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
+
diff --git a/roles/rspamd/handlers/main.yml b/roles/rspamd/handlers/main.yml
new file mode 100644
index 0000000..baeb288
--- /dev/null
+++ b/roles/rspamd/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: reload rmilter
+  service: name='rmilter' state=reloaded
+
+- name: reload rspamd
+  service: name='rspamd' state=reloaded
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
new file mode 100644
index 0000000..a2ca37e
--- /dev/null
+++ b/roles/rspamd/tasks/main.yml
@@ -0,0 +1,42 @@
+- apt_key: url='https://rspamd.com/apt-stable/gpg.key' state=present
+
+- apt_repository: repo='deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main' state=present
+
+- apt_repository: repo='deb-src http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main' state=present
+
+- apt: name='{{ item }}' state=present
+  with_items:
+    - 'rspamd'
+    - 'rmilter'
+    - 'redis-server'
+    - 'clamav-daemon'
+    - 'clamav-freshclam'
+    - 'spamassassin'
+    
+- template: src='rmilter.conf.local.j2' dest='/etc/rmilter.conf.local' owner='root' group='root' mode='0644'
+  notify: reload rmilter
+
+- template: src='{{ item }}.j2' dest='/etc/rspamd/local.d/{{ item }}' owner='root' group='root' mode='0644'
+  with_items:
+    - 'antivirus.conf'
+    - 'redis.conf'
+    - 'rmilter_headers.conf'
+    - 'spamassassin.conf'
+    - 'worker-controller.inc'
+  notify: reload rspamd
+
+- meta: flush_handlers
+
+- service: name='{{ item }}' enabled=yes state=started
+  with_items:
+    - 'rspamd'
+    - 'rmilter'
+    - 'redis'
+    - 'clamav-daemon'
+    - 'clamav-freshclam'
+
+- cron: hour='3' minute='37' job='/usr/bin/sa-update && /usr/sbin/service rspamd reload' name='sa-update-rspam'
+    
+# todo: check rspamd config
+# todo: check spamassassin plugin
+# todo: redis auth
diff --git a/roles/rspamd/templates/antivirus.conf.j2 b/roles/rspamd/templates/antivirus.conf.j2
new file mode 100644
index 0000000..72a99c3
--- /dev/null
+++ b/roles/rspamd/templates/antivirus.conf.j2
@@ -0,0 +1,3 @@
+clamav {
+  servers = "/var/run/clamav/clamd.ctl";
+}
diff --git a/roles/rspamd/templates/redis.conf.j2 b/roles/rspamd/templates/redis.conf.j2
new file mode 100644
index 0000000..5a9c582
--- /dev/null
+++ b/roles/rspamd/templates/redis.conf.j2
@@ -0,0 +1 @@
+servers = "127.0.0.1";
diff --git a/roles/rspamd/templates/rmilter.conf.local.j2 b/roles/rspamd/templates/rmilter.conf.local.j2
new file mode 100644
index 0000000..4dc6f2b
--- /dev/null
+++ b/roles/rspamd/templates/rmilter.conf.local.j2
@@ -0,0 +1,13 @@
+bind_socket = inet:11335@127.0.0.1
+
+extended_spam_headers = yes
+
+limits {
+    enable = false;
+}
+greylisting {
+    enable = false;
+}
+dkim {
+    enable = false;
+}
diff --git a/roles/rspamd/templates/rmilter_headers.conf.j2 b/roles/rspamd/templates/rmilter_headers.conf.j2
new file mode 100644
index 0000000..acb3377
--- /dev/null
+++ b/roles/rspamd/templates/rmilter_headers.conf.j2
@@ -0,0 +1,7 @@
+use = ["authentication-results", "x-spam-status", "x-virus"];
+
+routines {
+   x-virus {
+      symbols = ["CLAM_VIRUS"];
+	   }
+}
diff --git a/roles/rspamd/templates/spamassassin.conf.j2 b/roles/rspamd/templates/spamassassin.conf.j2
new file mode 100644
index 0000000..becbce7
--- /dev/null
+++ b/roles/rspamd/templates/spamassassin.conf.j2
@@ -0,0 +1 @@
+ruleset = "/var/lib/spamassassin/3.004001/*.cf";
diff --git a/roles/rspamd/templates/worker-controller.inc.j2 b/roles/rspamd/templates/worker-controller.inc.j2
new file mode 100644
index 0000000..2ebd330
--- /dev/null
+++ b/roles/rspamd/templates/worker-controller.inc.j2
@@ -0,0 +1 @@
+password = "{{ rspamd_password }}";
diff --git a/roles/web_server/handlers/main.yml b/roles/web_server/handlers/main.yml
new file mode 100644
index 0000000..39b7bcf
--- /dev/null
+++ b/roles/web_server/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart apache
+  service: name='apache2' state=restarted
+
+- name: reload apache
+  service: name='apache2' state=reloaded
diff --git a/roles/web_server/meta/main.yml b/roles/web_server/meta/main.yml
new file mode 100644
index 0000000..b4a5e05
--- /dev/null
+++ b/roles/web_server/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+  - role: letsencrypt_common
+  - role: passenger_common
diff --git a/roles/web_server/tasks/main.yml b/roles/web_server/tasks/main.yml
new file mode 100644
index 0000000..75649e9
--- /dev/null
+++ b/roles/web_server/tasks/main.yml
@@ -0,0 +1,137 @@
+- apt: name='{{ item }}' state=present
+  with_items:
+    - apache2
+    - apache2-dev
+    - git
+    - libapache2-mod-passenger
+    - logrotate
+    - xsltproc
+  notify: restart apache
+
+- apt: name='{{ item }}' state=absent
+  with_items:
+    - libapache2-mod-php5
+    - libmysqlclient18
+
+- file: path='/etc/apache2/sites-available' state=directory owner='root' group='root' mode='700'
+
+- file: path='/etc/apache2/sites-enabled' state=directory owner='root' group='root' mode='700'
+
+- apache2_module: name='{{ item }}' state=absent
+  with_items:
+    - userdir
+  notify: restart apache
+    
+- apache2_module: name='{{ item }}' state=present
+  with_items:
+    - actions
+    - headers
+    - passenger
+    - proxy_http
+    - rewrite
+    - ssl
+    - suexec
+  notify: restart apache
+
+- lineinfile: dest='/etc/apache2/mods-enabled/ssl.conf' line='	SSLProtocol all -SSLv3' regexp='SSLProtocol'
+  notify: restart apache
+- lineinfile: dest='/etc/apache2/mods-enabled/ssl.conf' line='	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' regexp='SSLCipherSuite'
+  notify: restart apache
+- lineinfile: dest='/etc/apache2/mods-enabled/ssl.conf' line='	SSLHonorCipherOrder on' regexp='SSLHonorCipherOrder'
+  notify: restart apache
+- lineinfile: dest='/etc/apache2/mods-enabled/ssl.conf' line='	SSLUseStapling on' regexp='SSLUseStapling'
+  notify: restart apache
+- lineinfile: dest='/etc/apache2/mods-enabled/ssl.conf' line='	SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(8192)' regexp='SSLStaplingCache'
+  notify: restart apache
+
+- lineinfile: dest='/etc/apache2/mods-enabled/passenger.conf' line='PassengerEnabled off' state=present
+  notify: restart apache
+  
+- template: src='apache2.conf.j2' dest='/etc/apache2/apache2.conf' owner='root' group='root' mode='644'
+  notify: restart apache
+
+- name: create groups
+  group: name="{{ item.group | default('www-data') }}" system="{{ item.group_system | default('yes') }}" state=present
+  with_items: "{{ web_server }}"
+
+- name: create users
+  user: name="{{ item.user | default('www-data') }}" system="{{ item.user_system | default('yes') }}" createhome=no group="{{ item.group | default('www-data') }}" state=present
+  with_items: "{{ web_server }}"
+  
+- name: create webroots
+  file: path="{{ item.root }}" owner="{{ item.user | default('www-data') }}" group="{{ item.group | default('www-data') }}" mode=0755 state=directory
+  with_items: '{{ web_server }}'
+  
+- name: create directory for generic error vhost
+  file: path='/var/www/default' owner='root' group='root' mode='0755' state=directory
+
+- name: create generic error vhost index page
+  template: src='default-index.html.j2' dest='/var/www/default/index.html' owner='root' group='root' mode='0644'
+
+- name: create http hosts
+  template: src='http.conf.j2' dest='/etc/apache2/sites-enabled/http-{{ item.domains.0 }}.conf' owner='root' group='root' mode='644'
+  with_items: '{{ web_server }}'
+  notify: reload apache
+  register: apache_sites_http_confs
+
+- name: create php-fpm dummy directories
+  file: path='/var/www/php-fpm/{{ item.domains[0] }}' owner='root' group='root' mode='0755' state=directory
+  with_items: '{{ web_server }}'
+  when: "item.mode == 'php70' or item.mode == 'php56' or item.mode == 'php55'"
+  
+#################
+
+- name: reload everything so that letsencrypt webroot method can run
+  meta: flush_handlers
+
+- name: ensure apache is running
+  service: name='apache2' state=started
+
+#################
+
+- set_fact:
+    letsencrypt_items_undefined: "{{ web_server | selectattr('letsencrypt', 'undefined') | list }}"
+    letsencrypt_items_true: "{{ web_server | selectattr('letsencrypt', 'defined') | selectattr('letsencrypt') | list }}"
+
+- set_fact:
+    letsencrypt_hosts: "{{ letsencrypt_items_undefined | union(letsencrypt_items_true) }}"
+
+- include: ../../letsencrypt_common/snippets/webroot.yml
+  vars:
+    letsencrypt_items: "{{ letsencrypt_hosts }}"
+
+
+- name: create https hosts
+  template: src='https.conf.j2' dest='/etc/apache2/sites-enabled/https-{{ item.domains.0 }}.conf' owner='root' group='root' mode='644'
+  with_items: '{{ web_server }}'
+  when: ( item.letsencrypt | default(True) )
+  notify: reload apache
+  register: apache_sites_https_confs
+
+
+
+
+# flatten and map the results into simple list
+# unchanged files have attribute dest, changed have attribute path
+- set_fact:
+    apache_sites_confs: "{{ apache_sites_http_confs.results|selectattr('dest', 'string')|map(attribute='dest')|list + apache_sites_http_confs.results|selectattr('path', 'string')|map(attribute='path')|select|list + apache_sites_https_confs.results|selectattr('dest', 'string')|map(attribute='dest')|list + apache_sites_https_confs.results|selectattr('path', 'string')|map(attribute='path')|select|list }}"
+
+# get contents of conf dir
+- find: paths='/etc/apache2/sites-enabled'
+  register: apache_sites_contents
+  when: apache_sites_confs
+
+# so we can delete the ones we don't manage
+- name: empty unmanaged or old confs
+  file: path="{{ item.path }}" state=absent
+  with_items: "{{ apache_sites_contents.files }}"
+  when: apache_sites_confs and item.path not in apache_sites_confs
+  notify: reload apache
+
+
+  
+- name: reload everything
+  meta: flush_handlers
+
+- name: ensure apache is running
+  service: name='apache2' state=started
diff --git a/roles/web_server/templates/apache2.conf.j2 b/roles/web_server/templates/apache2.conf.j2
new file mode 100644
index 0000000..b1fb1ba
--- /dev/null
+++ b/roles/web_server/templates/apache2.conf.j2
@@ -0,0 +1,352 @@
+# This is the main Apache server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See http://httpd.apache.org/docs/2.4/ for detailed information about
+# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
+# hints.
+#
+#
+# Summary of how the Apache 2 configuration works in Debian:
+# The Apache 2 web server configuration in Debian is quite different to
+# upstream's suggested way to configure the web server. This is because Debian's
+# default Apache2 installation attempts to make adding and removing modules,
+# virtual hosts, and extra configuration directives as flexible as possible, in
+# order to make automating the changes and administering the server as easy as
+# possible.
+
+# It is split into several files forming the configuration hierarchy outlined
+# below, all located in the /etc/apache2/ directory:
+#
+#	/etc/apache2/
+#	|-- apache2.conf
+#	|	`--  ports.conf  # DISABLED
+#	|-- mods-enabled
+#	|	|-- *.load
+#	|	`-- *.conf
+#	|-- conf-enabled
+#	|	`-- *.conf       # DISABLED
+# 	`-- sites-enabled
+#	 	`-- *.conf
+#
+#
+# * apache2.conf is the main configuration file (this file). It puts the pieces
+#   together by including all remaining configuration files when starting up the
+#   web server.
+#
+# * ports.conf is always included from the main configuration file. It is
+#   supposed to determine listening ports for incoming connections which can be
+#   customized anytime.
+#
+# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
+#   directories contain particular configuration snippets which manage modules,
+#   global configuration fragments, or virtual host configurations,
+#   respectively.
+#
+#   They are activated by symlinking available configuration files from their
+#   respective *-available/ counterparts. These should be managed by using our
+#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
+#   their respective man pages for detailed information.
+#
+# * The binary is called apache2. Due to the use of environment variables, in
+#   the default configuration, apache2 needs to be started/stopped with
+#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
+#   work with the default configuration.
+
+
+# Global configuration
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE!  If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the Mutex documentation (available
+# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+#ServerRoot "/etc/apache2"
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+Mutex file:${APACHE_LOCK_DIR} default
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+# This needs to be set in /etc/apache2/envvars
+#
+PidFile ${APACHE_PID_FILE}
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 5
+
+
+# These need to be set in /etc/apache2/envvars
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog ${APACHE_LOG_DIR}/error.log
+
+#
+# LogLevel: Control the severity of messages logged to the error_log.
+# Available values: trace8, ..., trace1, debug, info, notice, warn,
+# error, crit, alert, emerg.
+# It is also possible to configure the log level for particular modules, e.g.
+# "LogLevel info ssl:warn"
+#
+LogLevel warn
+
+# Include module configuration:
+IncludeOptional mods-enabled/*.load
+IncludeOptional mods-enabled/*.conf
+
+# Include list of ports to listen on
+#Include ports.conf
+Listen 80
+Listen 443
+
+# Sets the default security model of the Apache2 HTTPD server. It does
+# not allow access to the root filesystem outside of /usr/share and /var/www.
+# The former is used by web applications packaged in Debian,
+# the latter may be used for local directories served by the web server. If
+# your system is serving content from a sub-directory in /srv you must allow
+# access here, or in any related virtual host.
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+	Require all denied
+</Directory>
+
+<Directory /usr/share>
+	AllowOverride None
+	Require all granted
+</Directory>
+
+<Directory /var/www/>
+	Options Indexes FollowSymLinks
+	AllowOverride None
+	Require all granted
+</Directory>
+
+#<Directory /srv/>
+#	Options Indexes FollowSymLinks
+#	AllowOverride None
+#	Require all granted
+#</Directory>
+
+
+
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives.  See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<FilesMatch "^\.ht">
+	Require all denied
+</FilesMatch>
+
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive.
+#
+# These deviate from the Common Log Format definitions in that they use %O
+# (the actual bytes sent including headers) instead of %b (the size of the
+# requested file), because the latter makes it impossible to detect partial
+# requests.
+#
+# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
+# Use mod_remoteip instead.
+#
+#LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+#LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+#LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%a (%{X-FORWARDED-FOR}i) %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxy_combined
+LogFormat "%a %l %u %t \"%r\" %>s %O" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+
+
+
+# Read the documentation before enabling AddDefaultCharset.
+# In general, it is only a good idea if you know that all your files
+# have this encoding. It will override any encoding given in the files
+# in meta http-equiv or xml encoding tags.
+
+AddDefaultCharset UTF-8
+
+
+# --- THIS BLOCK SEEMS TO BE DEPRECATED ---
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#<Directory />
+#   AllowOverride None
+#   Order Deny,Allow
+#   Deny from all
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#ServerTokens Minimal
+#ServerTokens OS
+#ServerTokens Full
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+ServerSignature Off
+#ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+<DirectoryMatch "/\.svn">
+   Require all denied
+</DirectoryMatch>
+<DirectoryMatch "/\.git">
+   Require all denied
+</DirectoryMatch>
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Frame-Options: "sameorigin"
+
+
+# Prevent httpoxy attack
+RequestHeader unset Proxy early
+
+
+
+
+# Include of directories ignores editors' and dpkg's backup files,
+# see README.Debian for details.
+
+# Include generic snippets of statements
+#IncludeOptional conf-enabled/*.conf
+
+<VirtualHost *:80>
+  
+  ErrorLog "/var/log/apache2/http-default-error.log"
+  CustomLog "/var/log/apache2/http-default-access.log" combined
+
+  ServerName localhost
+  ServerAdmin {{ admin_mail }}
+
+  DocumentRoot /var/www/default
+  <Directory /var/www/default>
+    Require all granted
+  </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+  
+  ErrorLog "/var/log/apache2/https-default-error.log"
+  CustomLog "/var/log/apache2/https-default-access.log" combined
+
+  SSLEngine On
+  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+  ServerName localhost
+  ServerAdmin {{ admin_mail }}
+
+  DocumentRoot /var/www/default
+  <Directory /var/www/default>
+    Require all granted
+  </Directory>
+</VirtualHost>
+
+# Include the virtual host configurations:
+IncludeOptional sites-enabled/*.conf
+
diff --git a/roles/web_server/templates/default-index.html.j2 b/roles/web_server/templates/default-index.html.j2
new file mode 100644
index 0000000..59a4be9
--- /dev/null
+++ b/roles/web_server/templates/default-index.html.j2
@@ -0,0 +1,48 @@
+<html>
+<head>
+<title>- ooops! -</title>
+<style>
+ body {
+    background:#0000aa;
+    color:#ffffff;
+    font-family:monospace;
+    font-size:12pt;
+    text-align:center;
+    margin:100px;
+}
+
+.neg {
+    background:#fff;
+    color:#0000aa;
+    padding:2px 8px;
+    font-weight:bold;
+}
+
+p {
+    margin:30px 100px;
+    text-align:center;
+}
+
+a,a:hover {
+    color:inherit;
+    font:inherit;
+}
+
+.footer {
+    text-align:center;
+    margin-top:50px;
+}
+</style>
+</head>
+<body>
+<span class="neg">ERROR NO VHOST</span>
+<p>
+    This virtual host is missing or was never created. You can wait and<br>
+    see if it becomes available again, or you can restart the internet.
+</p>
+<div class="footer">
+{{ inventory_hostname }}
+</div>
+
+</body>
+</html>
diff --git a/roles/web_server/templates/http-body.j2 b/roles/web_server/templates/http-body.j2
new file mode 100644
index 0000000..283e2d5
--- /dev/null
+++ b/roles/web_server/templates/http-body.j2
@@ -0,0 +1,48 @@
+{% for d in item.domains %}
+  {% if loop.first %}ServerName{% else %}ServerAlias{% endif %} {{ d }}
+{% endfor %}
+  ServerAdmin {{ admin_mail }}
+
+{% if item.httpsonly | default(False) %}
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+{% endif %}
+{% if (item.httpsonly | default(False)) and (not (is_https | default(False))) %}
+  
+  RewriteEngine On
+  RewriteCond "%{REQUEST_URI}" "!^/\.well-known/acme-challenge/.*"
+  RewriteRule ^/(.*) https://{{ item.domains[0] }}/$1
+{% else %}
+
+  DocumentRoot {{ item.root }}
+  <Directory {{ item.root }}>
+    Options FollowSymLinks
+    AllowOverride all
+    Require all granted
+    
+{% if item.mode in ['php55','php56','php70'] %}
+    <FilesMatch "\.php$">
+      SetHandler php-fastcgi
+      Action php-fastcgi /fastcgiphp
+      Options +ExecCGI
+    </FilesMatch>
+{% endif %}
+  </Directory>
+{% if item.mode in ['php55','php56','php70'] %}
+  Alias /fastcgiphp /var/www/php-fpm/{{ item.domains.0 }}/fpm.external
+{% endif %}
+{% if item.mode == 'passenger' %}
+  PassengerEnabled on
+{% endif %}
+
+  {{ item.settings | default("") }}
+
+{% endif %}
+
+  Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge
+  <Directory /var/www/letsencrypt/.well-known/acme-challenge>
+    Require all granted
+  </Directory>
+  <Location /.well-known/acme-challenge>
+    Require all granted
+  </Location>
+
diff --git a/roles/web_server/templates/http.conf.j2 b/roles/web_server/templates/http.conf.j2
new file mode 100644
index 0000000..b5af8c2
--- /dev/null
+++ b/roles/web_server/templates/http.conf.j2
@@ -0,0 +1,9 @@
+{% set is_https=False %}
+<VirtualHost *:80>
+
+  ErrorLog "/var/log/apache2/http-{{ item.domains[0] }}-error.log"
+  CustomLog "/var/log/apache2/http-{{ item.domains[0] }}-access.log" {{ item.log_format | default('combined') }}
+
+  {% include "http-body.j2" %}
+  
+</VirtualHost>
diff --git a/roles/web_server/templates/https.conf.j2 b/roles/web_server/templates/https.conf.j2
new file mode 100644
index 0000000..ffe31c7
--- /dev/null
+++ b/roles/web_server/templates/https.conf.j2
@@ -0,0 +1,15 @@
+{% set is_https=True %}
+<VirtualHost *:443>
+  
+  ErrorLog "/var/log/apache2/https-{{ item.domains[0] }}-error.log"
+  CustomLog "/var/log/apache2/https-{{ item.domains[0] }}-access.log" {{ item.log_format | default('combined') }}
+
+  SSLEngine On
+  SSLCertificateFile /etc/letsencrypt/live/{{ item.domains.0 }}/cert.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/{{ item.domains.0 }}/privkey.pem
+  SSLCertificateChainFile /etc/letsencrypt/live/{{ item.domains.0 }}/chain.pem
+
+  {% set is_https=True %}
+  {% include "http-body.j2" %}
+  
+</VirtualHost>
diff --git a/site-mail.yml b/site-mail.yml
new file mode 100755
index 0000000..1baf99f
--- /dev/null
+++ b/site-mail.yml
@@ -0,0 +1,31 @@
+#!/usr/bin/ansible-playbook
+---
+- hosts: mail
+  roles:
+    - role: dovecot
+      tags:
+        - 'mail'
+        - 'dovecot'
+    - role: rspamd
+      tags:
+        - 'mail'
+        - 'rspamd'
+    - role: postfix
+      tags:
+        - 'mail'
+        - 'postfix'
+- hosts: mailman
+  roles:
+    - role: mailman
+      tags:
+        - mail
+        - mailman
+    - role: web_server
+      tags:
+        - mailman
+        - web
+
+- hosts: postfix_satellite
+  roles:
+    - postfix_satellite
+