Ansible Playbooks for setting up a secured ssh, mail, and web server.
The scripts and playbooks here track https://github.com/hardware/mailserver
masteris in step with the latest stable branch (currentlyv1.1-stable)developis bleeding edge (docker tagv1.1-latest, git branchmaster)
Prerequisite: Recent version of Ansible installed on your control host.
Set up your host's domain name entries as documented here: https://github.com/hardware/mailserver (you can add the DKIM signature when the stack is up).
To start, you'll need to have the following set up in your DNS (A.B.C.D
represents your IP address):
| HOSTNAME | CLASS | TYPE | PRIORITY | VALUE |
|---|---|---|---|---|
| @ | IN | A/AAAA | any | A.B.C.D |
| IN | A/AAAA | any | A.B.C.D | |
| @ | IN | MX | 10 | mail.domain.tld. |
| www | IN | CNAME | any | mail.domain.tld. |
| postfixadmin | IN | CNAME | any | mail.domain.tld. |
| webmail | IN | CNAME | any | mail.domain.tld. |
| spam | IN | CNAME | any | mail.domain.tld. |
-
Create a recent Debian or Fedora server, using whatever process you choose. I created a Debian 9 (Stretch) server in the cloud. Also tested with a Fedora 26 Server instance.
-
make -
Reboot the installed server.
-
Add additional DNS records (for
SPF,DKIM, andDMARC) as documented here to increase your reputation score.
Once your server is up, from your control host, do ssh deploy@server.domain
so you can look at the generated secrets. e.g. to get the DKIM key to add
to your DNS, do:
ssh deploy@server.domain
cat /mnt/docker/mail/dkim/{your-domain-name}/public.key
-
At this point, visit your
postfixadminsetup script and follow the instructions here: https://github.com/hardware/mailserver/wiki/Postfixadmin-initial-configuration -
Using
postfixadmin, set up your super-administrator account, then set up your domain, and proceed to set up mailboxes foradminandcontact. Now set up aliases for the following:
| ALIAS | MAILBOX |
|---|---|
| abuse | admin@yourdomain.tld |
| hostmaster | admin@yourdomain.tld |
| noc | admin@yourdomain.tld |
| postmaster | admin@yourdomain.tld |
| spam | admin@yourdomain.tld |
| sales | contact@yourdomain.tld |
| webform | contact@yourdomain.tld |
-
Set up your Rainloop (webmail) configuration. Follow the instructions here: https://github.com/hardware/mailserver/wiki/Rainloop-initial-configuration
-
Using the RainLoop admin panel, make sure to set up your
ManageSieveand white-lists for users you allow to login to your domain. -
In the RainLoop admin, go to the
Pluginsand enable thepostfixadmin-change-passwordplugin. You will have to ensure that the plugin settings are set like this:
| PLUGIN SETTING | VALUE |
|---|---|
| MySQL Host | mariadb |
| MySQL Port | 3306 |
| MySQL Database | postfix |
| MySQL table | mailbox |
| MySQL username column | username |
| MySQL password column | password |
| MySQL User | postfix |
| MySQL Password | {MYSQL postfix user password} |
| Encrypt | md5encrypt |
| Allowed Emails | * |
The password to use in the change password settings is the postfix database
user password. You can get it by ssh into your host and examining the
docker-compose.yml file:
$ ssh deploy@yourdomain.tld
$ grep MYSQL_PASSWORD docker-compose.yml
- MYSQL_PASSWORD=XXXXXXXXX
Setting up the postfixadmin-change-password plugin will allow users
to change their mailbox passwords.
You can add postfix customizations to /mnt/docker/mail/postfix/custom.conf on your mailserver
machine and restart the stack.
More info about postfix overrides here: https://github.com/hardware/mailserver#override-postfix-configuration
The site at www.yourdomain.tld simply directs to the contact app
which renders a simple Contact Form as the front page of your your domain.
If you place files in www/yourdomain.tld/, the Ansible playbook will
create an alterate setup:
- /contact will refer to the Contact form served by the PHP container.
- / will refer to what you place in
www/yourdomain.tld/files/ - /~user will refer to what you place in
www/yourdomain.tld/people/user/
Note that files placed in www/ are ignored by git and will have
to be backed up.
The website setup tasks are tagged with website.
To only deploy web site files, run this:
make web
To run the mailserver playbook but skip web site deployment:
make noweb
Run make help for a quick explanation of all Makefile tasks.
On your control host, the first time you run this, it will run ./bin/setup
and set your ./inventory files and variable files in ./group_vars/all/.
Subsequent runs of ./bin/setup will read the stored values and present
them as defaults.
Use make reset to remove these files and start over.
You can also make do if you make changes to your
base variables and want to push those changes to your server.
If you want to make changes to your secrets (e.g. change passwords),
use make edit_secrets. This task decrypts and re-encrypts your secrets
using ansible-vault.
Refer to the Ansible docs regarding user passwords to understand how we generate the Linux user password hashes.
To ensure this works, make sure that the ./bin/mkpasswd script works:
./bin/mkpasswd TestTheHash
$6$JBPVsmzre/hFkiFF$RfmrOFdkXs.QNF515TIGtokseUafj[...]
If you wish to edit your secrets, use the edit task, like this:
$ EDITOR=vi make edit
Decryption successful
NOTE: Run "make do" to push your changes.
$ make do
After running the process the first time, you can do:
$ make save
This will create a file backup/{domain}-YYYYMMDD-hhmm.tar.gz which you can stash
and will include your inventory file, variables and vault password.