feat: mail config files only

roles/mail/files/dynamicmaps.cf

@@ -0,0 +1 @@
+sqlite	postfix-sqlite.so	dict_sqlite_open	

roles/mail/files/enabled_senders

@@ -0,0 +1,8 @@
+# Sender adress       the               user          may use :)
+HISTORY_PURGED_SECRET                    HISTORY_PURGED_SECRET
+check@atlantishq.de                     check@atlantishq.de,HISTORY_PURGED_SECRET
+test@atlantishq.de                      check@atlantishq.de
+joerg@darknet-fashion.de                joerg@darknet-fashion.de
+HISTORY_PURGED_SECRET               HISTORY_PURGED_SECRET
+@darknet-fashion.de                     joerg
+@atlantishq.de                          sheppy

roles/mail/files/main.cf

@@ -0,0 +1,99 @@
+# let's confuse atackers
+smtpd_banner = $myhostname Postfix
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+# Uncomment the next line to generate "delayed mail" warnings
+# delay_warning_time = 10h
+
+queue_directory = /var/spool/postfix
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/atlantishq.de/privkey.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# tls paramaters
+smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_ciphers = high
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+tls_preempt_cipherlist = yes
+
+# breaks mailman for obvious reasons
+smtpd_tls_security_level=may
+smtpd_tls_auth_only = yes
+
+# SMTP (mainly from dovecot documentation)
+smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $myhostname
+#broken_sasl_auth_clients = no
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_mandatory_ciphers=high
+#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options =
+smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
+## restrictions
+
+# PERMIT MY NETWORKS MUST ALWAYS BE THE FIRST ARGUMENT OR YOU CANNOT SEND TO NON-LOCAL domains from NOT-DOVECOT
+#policyd-spf_time_limit = 3600
+smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
+#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
+#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
+smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
+
+# USER mappings (not reliant on unix users)
+
+# MAILMAN #
+virtual_mailbox_domains   = atlantishq.de,darknet-fashion.de,darknet-fashion.com,potaris.de
+virtual_alias_maps        = hash:/etc/postfix/virtual
+#recipient_cononical_maps = hash:/etc/postfix/canonical-recipient
+
+
+virtual_transport = lmtp:unix:private/dovecot_lmtp_target
+#relocated_maps = hash:/etc/postfix/mail_redirect
+alias_maps = hash:/etc/aliases
+virtual_minimum_uid = 100
+virtual_uid_maps = static:1009
+virtual_gid_maps = static:1009
+#receive_override_options = no_address_mappings
+
+# random shit
+biff = no
+readme_directory = no
+compatibility_level = 2
+myhostname = mail.atlantishq.de
+#mydestination = localhost.divercitystudio.de,localhost.atlantishq.de, ,localhost
+mydestination = localhost
+#,localhost.esports-erlangen.de,esports-erlangen.de
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+message_size_limit = 80480000
+inet_interfaces = all
+inet_protocols = all
+#alias_maps = hash:/etc/aliases
+
+# Milter configuration
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:localhost:8892
+non_smtpd_milters = $smtpd_milters
+disable_mime_output_conversion = yes
+
+authorized_submit_users = !check,static:all

roles/mail/files/master.cf

@@ -0,0 +1,57 @@
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp       inet  n       -       y       -       -       smtpd
+    -o content_filter=spamassassin
+spamassassin unix -     n       n       -       -       pipe
+    user=spamd argv=/usr/bin/spamc -f -e  
+    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
+#smtp      inet  n       -       y       -       1       postscreen
+smtps      inet  n       -       y       -       -       smtpd -v
+    -o smtpd_tls_wrappermode=yes
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+submission inet  n       -       y       -       -       smtpd
+#628       inet  n       -       y       -       -       qmqpd
+pickup     unix  n       -       y       60      1       pickup
+cleanup    unix  n       -       y       -       0       cleanup
+qmgr       unix  n       -       n       300     1       qmgr
+#qmgr      unix  n       -       n       300     1       oqmgr
+tlsmgr     unix  -       -       y       1000?   1       tlsmgr
+rewrite    unix  -       -       y       -       -       trivial-rewrite
+bounce     unix  -       -       y       -       0       bounce
+defer      unix  -       -       y       -       0       bounce
+trace      unix  -       -       y       -       0       bounce
+verify     unix  -       -       y       -       1       verify
+flush      unix  n       -       y       1000?   0       flush
+proxymap   unix  -       -       n       -       -       proxymap
+proxywrite unix  -       -       n       -       1       proxymap
+smtp       unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+policyd-spf  unix  -       n       n       -       0    spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf
+
+########################## OTHER #############################
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+dovecot unix    -       n       n       -       -      pipe
+  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}

roles/mail/files/relocated

@@ -0,0 +1 @@
+test@atlantishq.de HISTORY_PURGED_SECRET

roles/mail/files/sender_blacklist

@@ -0,0 +1,6 @@
+alyssa@catapult.gg REJECT
+service-expert.net REJECT
+yougetnow.com      REJECT
+forestanes.pics    REJECT
+stockcard.io       REJECT
+zapingers.autos    REJECT

roles/mail/files/tls_policy

@@ -0,0 +1,13 @@
+[atlantishq.de]:587 encrypt protocols=TLSv1.2 ciphers=high
+[atlantishq.de]:msa encrypt protocols=TLSv1.2 ciphers=high
+[atlantishq.de]:submission encrypt protocols=TLSv1.2 ciphers=high
+[esports-erlangen.de]:587 encrypt protocols=TLSv1.2 ciphers=high
+[esports-erlangen.de]:msa encrypt protocols=TLSv1.2 ciphers=high
+[esports-erlangen.de]:submission encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.de]:587 encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.de]:msa encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.de]:submission encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.com]:587 encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.com]:msa encrypt protocols=TLSv1.2 ciphers=high
+[darknet-fashion.com]:submission encrypt protocols=TLSv1.2 ciphers=high
+.datev.de      encrypt

roles/mail/files/transport

@@ -0,0 +1,3 @@
+atlantishq.de             lmtp:unix:private/dovecot_lmtp_target
+darknet-fashion.de        lmtp:unix:private/dovecot_lmtp_target
+darknet-fashion.com       lmtp:unix:private/dovecot_lmtp_target

roles/mail/files/virtual

@@ -0,0 +1,34 @@
+# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
+# which will give all incoming mails of test-second-account to test (sorta obvious)
+
+# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
+# user@atlantishq.de user@esports-erlangen.de
+# every user will get emails from both domains
+
+# If a user also wants to _SEND_ mails, he also have to have an
+# entry in the /etc/postfix/enabled-senders
+
+# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
+# postmap FILENAME
+# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
+
+# sheppy
+HISTORY_PURGED_SECRET    HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET        HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET           HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET         HISTORY_PURGED_SECRET
+#HISTORY_PURGED_SECRET   HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET           HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET	    	    HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET	        HISTORY_PURGED_SECRET
+HISTORY_PURGED_SECRET          HISTORY_PURGED_SECRET,michel@pa-bu.de
+HISTORY_PURGED_SECRET         HISTORY_PURGED_SECRET
+
+# michy
+HISTORY_PURGED_SECRET        HISTORY_PURGED_SECRET
+
+# catchall
+#@atlantishq.de       HISTORY_PURGED_SECRET
+#@esports-erlangen.de HISTORY_PURGED_SECRET
+@darknet-fashion.com        joerg@darknet-fashion.de
+@darknet-fashion.de         joerg@darknet-fashion.de