ldap + dockermailserver

TODO.md

@@ -0,0 +1,3 @@
+- [ ] nameservers for users
+- [ ] create dmarc.report, postmaster email users, give access to infra users
+- [ ] figure oute mailbox permissions, ensure users can't just set random senders and stuff, domain fixing

deploy.yml

@@ -11,3 +11,6 @@
 
 - name: Kanidm
   ansible.builtin.import_playbook: playbooks/deploy-kanidm.yml
+
+- name: Mail
+  ansible.builtin.import_playbook: playbooks/deploy-mail.yml

group_vars/certbot.yml

@@ -3,3 +3,4 @@
 cloudflare_credentials_destination: /root/.cloudflare-dns-api-key.ini
 certbot_post_hook_dir: /etc/letsencrypt/renewal-hooks/post
 certbot_live_dir: /etc/letsencrypt/live
+certbot_email: infra@hatecomputers.club

group_vars/host_domains.yml

@@ -4,4 +4,4 @@ host_domains:
   fern.hatecomputers.club:
     - fern.hatecomputers.club
     - auth.hatecomputers.club
-    - vpn.hatecomputers.club
+    - mail.hatecomputers.club

group_vars/mail.yml

@@ -0,0 +1,22 @@
+---
+
+postmaster_email: postmaster@hatecomputers.club
+
+domain: hatecomputers.club
+mail_domain: mail.hatecomputers.club
+
+ldap_server_host: "ldaps://auth.hatecomputers.club:3636"
+ldap_search_base: "dc=auth,dc=hatecomputers,dc=club"
+ldap_bind_dn: "dn=token"
+
+ldap_query_filter_user: "(&(objectClass=posixAccount)(mail=%s))"
+ldap_query_filter_group: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
+ldap_query_filter_alias: "(&(objectClass=posixAccount)(emailalternative=%s))"
+ldap_query_filter_domain: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
+ldap_query_filter_senders: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
+
+sasl_ldap_filter: "(&(|(uid=%U)(mail=%U))(class=posixAccount))"
+
+dovecot_user_filter: "(&(class=posixAccount)(uid=%u))"
+dovecot_auth_bind_userdn: "uid=%u,dc=auth,dc=hatecomputers,dc=club"
+dovecot_user_attrs: "=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"

inventory

@@ -4,11 +4,14 @@ fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 [host_domains]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
+[nginx]
+fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+
 [certbot]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
 [kanidm]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
-[nginx]
+[mail]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh

playbooks/deploy-mail.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Mail setup
+  hosts: mail
+  roles:
+    - mail

playbooks/roles/kanidm/templates/kanidm.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+echo '{}' > ~/.cache/kanidm_tokens
+chmod 666 ~/.cache/kanidm_tokens
+docker pull kanidm/tools:latest
+docker run --rm -i -t \
+    --network host \
+    -v /etc/kanidm/config:/etc/kanidm/config:ro \
+    -v ~/.config/kanidm:/home/kanidm/.config/kanidm:ro \
+    -v ~/.cache/kanidm_tokens:/home/kanidm/.cache/kanidm_tokens \
+    kanidm/tools:latest \
+    /sbin/kanidm --help
+

playbooks/roles/mail/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Ensure mail docker/compose exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/mail
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Ensure mail config volume exist
+  file:
+    path: /etc/docker/compose/mail/docker-data/dms/config
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Ensure mail entries volume exist with correct permission
+  file:
+    path: /etc/docker/compose/mail/docker-data/dms/mail-data/
+    state: directory
+    owner: root
+    group: root
+    mode: 0777
+    recurse: true
+
+- name: Ensure dovecot ldap config exist
+  ansible.builtin.template:
+    src: user-patches.sh.j2
+    dest: /etc/docker/compose/mail/docker-data/dms/config/user-patches.sh
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Ensure config user overrides config exist
+  ansible.builtin.template:
+    src: dovecot-ldap.conf.j2
+    dest: /etc/docker/compose/mail/docker-data/dms/config/dovecot-ldap.conf
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Build mail docker-compose.yml.j2
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /etc/docker/compose/mail/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Daemon-reload and enable mail
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@mail

playbooks/roles/mail/templates/docker-compose.yml.j2

@@ -0,0 +1,45 @@
+services:
+  mailserver:
+    image: ghcr.io/docker-mailserver/docker-mailserver:latest
+    container_name: mailserver
+    hostname: {{ mail_domain }}
+    ports:
+      - "0.0.0.0:25:25"
+      - "0.0.0.0:465:465"
+      - "0.0.0.0:587:587"
+      - "0.0.0.0:993:993"
+    volumes:
+      - ./docker-data/dms/mail-data/:/var/mail/
+      - ./docker-data/dms/mail-state/:/var/mail-state/
+      - ./docker-data/dms/mail-logs/:/var/log/mail/
+      - ./docker-data/dms/config/:/tmp/docker-mailserver/
+      - ./docker-data/dms/config/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf.ext
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      - SSL_TYPE=letsencrypt
+      - ENABLE_CLAMAV=1
+      - ENABLE_AMAVIS=1
+      - ENABLE_FAIL2BAN=1
+      - ENABLE_SASLAUTHD=1
+      - ENABLE_POSTGREY=0
+
+      - SPOOF_PROTECTION=1
+      - ACCOUNT_PROVISIONER=LDAP
+      - LDAP_SERVER_HOST={{ ldap_server_host }}
+      - LDAP_SEARCH_BASE={{ ldap_search_base }}
+      - LDAP_BIND_DN={{ ldap_bind_dn }}
+      - LDAP_BIND_PW={{ email_ldap_api_token }}
+
+      - LDAP_QUERY_FILTER_USER={{ ldap_query_filter_user }}
+      - LDAP_QUERY_FILTER_GROUP={{ ldap_query_filter_group }}
+      - LDAP_QUERY_FILTER_ALIAS={{ ldap_query_filter_alias }}
+      - LDAP_QUERY_FILTER_DOMAIN={{ ldap_query_filter_domain }}
+      - LDAP_QUERY_FILTER_SENDERS={{ ldap_query_filter_senders }}
+
+      - POSTMASTER_ADDRESS={{ postmaster_email }}
+
+      - ENABLE_SASLAUTHD=1
+      - SASLAUTHD_MECHANISMS=ldap
+      - SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }} 
+    restart: always

playbooks/roles/mail/templates/dovecot-ldap.conf.j2

@@ -0,0 +1,10 @@
+base = {{ ldap_search_base }}
+uris = {{ ldap_server_host }}
+tls = no
+ldap_version = 3
+default_pass_scheme = SSHA
+
+auth_bind = yes
+auth_bind_userdn = {{ dovecot_auth_bind_userdn }}
+user_filter = {{ dovecot_user_filter }}
+user_attrs = {{ dovecot_user_attrs }}

playbooks/roles/mail/templates/user-patches.sh.j2

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+postconf -e 'smtpd_sasl_auth_enable = yes'
+
+postconf -e 'smtpd_sasl_type = dovecot'
+postconf -e 'smtpd_sasl_path = /dev/shm/sasl-auth.sock'
+postconf -e 'smtpd_sasl_auth_enable = yes'
+postconf -e 'broken_sasl_auth_clients = yes'
+
+echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf

playbooks/roles/nginx/templates/fern.hatecomputers.club/http.mail.hatecomputers.club.conf

@@ -0,0 +1,8 @@
+server {
+  listen 80;
+  server_name mail.hatecomputers.club;
+
+  location / {
+    rewrite ^ https://mail.hatecomputers.club$request_uri? permanent;
+  }
+}

playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf

@@ -0,0 +1,21 @@
+server {
+  server_name mail.hatecomputers.club;
+  listen 443 ssl;
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+  ssl_prefer_server_ciphers off;
+
+  ssl_certificate /etc/letsencrypt/live/mail.hatecomputers.club/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/mail.hatecomputers.club/privkey.pem;
+
+  location / {
+    proxy_pass         http://127.0.0.1:8331;
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   Host $host;
+  }
+}

secrets.txt

@@ -1,2 +1,3 @@
 cloudflare_api_token
 certbot_email
+email_ldap_api_token