Add email - Dovecot, rspamd, exim4.

And appropriate configuration for various email domains.
This commit is contained in:
Jim Hague 2023-05-17 16:39:57 +01:00
parent ff199e101f
commit 7b94baa6cd
30 changed files with 436 additions and 0 deletions

View File

@ -0,0 +1,25 @@
dkim:
dkim_bear-cave: |
-----BEGIN OPENSSH PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
-----END OPENSSH PRIVATE KEY-----
dkim_cryhavoc: |
-----BEGIN OPENSSH PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
-----END OPENSSH PRIVATE KEY-----
dkim_lunch: |
-----BEGIN OPENSSH PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
-----END OPENSSH PRIVATE KEY-----

View File

@ -4,6 +4,7 @@ base:
- secrets/mariadb - secrets/mariadb
- secrets/wordpress - secrets/wordpress
'scabbers.lunch.org.uk': 'scabbers.lunch.org.uk':
- secrets/dkim
- secrets/dnsapi - secrets/dnsapi
- secrets/gitea - secrets/gitea
- secrets/webmail - secrets/webmail

View File

@ -1,3 +1,9 @@
bullseye_backports:
pkgrepo.managed:
- name: deb http://deb.debian.org/debian bullseye-backports main
- dist: bullseye-backports
- file: /etc/apt/sources.list.d/bullseye-backports.list
deploy_sshd_config: deploy_sshd_config:
file.managed: file.managed:
- name: /etc/ssh/sshd_config - name: /etc/ssh/sshd_config

29
states/email/dovecot.sls Normal file
View File

@ -0,0 +1,29 @@
dovecot:
pkg.installed:
- pkgs:
- dovecot-core
- dovecot-imapd
- dovecot-sieve
- dovecot-managesieved
dovecot_certs_group:
group.present:
- name: ssl-cert
- system: true
- addusers:
- dovecot
dovecot_conf:
file.managed:
- mode: 0644
- names:
- /etc/dovecot/local.conf:
- source: salt://email/dovecot_local.conf
dovecot_service:
service.running:
- name: dovecot
- enable: true
- watch:
- pkg: dovecot
- file: /etc/dovecot/local.conf

View File

@ -0,0 +1,20 @@
# We use Maildir.
mail_location = maildir:~/Maildir
# Require SSL for all auth.
ssl = required
# SSL certificate locations.
ssl_cert = </var/local/certificates/mail.lunch.org.uk/fullchain.pem
ssl_key = </var/local/certificates/mail.lunch.org.uk/privkey.pem
# Plugins.
protocol lda {
mail_plugins = acl sieve
}
# IMAP - increase number of connections per IP.
protocol imap {
mail_max_userip_connections = 40
}

57
states/email/exim4.sls Normal file
View File

@ -0,0 +1,57 @@
exim4:
pkg.installed:
- name: exim4-daemon-heavy
exim4_conf:
file.recurse:
- name: /etc/exim4
- dir_mode: '0755'
- file_mode: '0644'
- source: salt://email/exim4
# To read system certificate details, you must be in ssl-cert.
exim4_certs_group:
group.present:
- name: ssl-cert
- system: true
- addusers:
- Debian-exim
# To deliver using the Dovecot LDA without getting a perms
# error on /run/dovecot/stats-writer, the Exim user must be in
# the dovecot group.
exim4_dovecot_group:
group.present:
- name: dovecot
- system: true
- addusers:
- Debian-exim
exim4_dkim_private_keys:
file.managed:
- mode: 0640
- group: Debian-exim
- names:
- /etc/exim4/dkim/bear-cave.org.uk-private.pem:
- contents_pillar: dkim:dkim_bear-cave
- /etc/exim4/dkim/cryhavoc.org.uk-private.pem:
- contents_pillar: dkim:dkim_cryhavoc
- /etc/exim4/dkim/lunch.org.uk-private.pem:
- contents_pillar: dkim:dkim_lunch
exim4_update_conf:
cmd.run:
- name: update-exim4.conf
- onchanges:
- file: exim4_conf
enable_exim4_service:
service.enabled:
- name: exim4
exim4_service:
service.running:
- name: exim4
- reload: true
- watch:
- cmd: exim4_update_conf

View File

@ -0,0 +1,7 @@
# AUTH acl check.
check_auth:
accept hosts = *
endpass
message = STARTTLS required before AUTH
encrypted = *

View File

@ -0,0 +1,18 @@
# Authenticate via dovecot.
#
# For plain and login the connection must be ciphered.
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
#server_set_id = $auth2
server_mail_auth_condition = false
#dovecot_login:
# driver = dovecot
# public_name = LOGIN
# server_socket = /var/run/dovecot/auth-client
# #server_set_id = $auth2
# server_mail_auth_condition = false

View File

@ -0,0 +1,33 @@
# Trusted users and groups
MAIN_TRUSTED_USERS=mail:www-data
# User account UID range
FIRST_USER_ACCOUNT_UID=1000
# TLS configuration
MAIN_TLS_ENABLE=true
MAIN_TLS_CERTIFICATE=/var/local/certificates/mail.lunch.org.uk/fullchain.pem
MAIN_TLS_PRIVATEKEY=/var/local/certificates/mail.lunch.org.uk/privkey.pem
# Local settings
# CHECK_RCPT_LOCAL_ACL_FILE=/etc/exim4/local_check_rcpt
CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/local_check_data
# DKIM keys and handling.
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160621
# Get the domain from the outgoing mail.
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
# The private key file.
DKIM_FILE = ${lookup {DKIM_DOMAIN-private.pem} dsearch,ret=full,filter=file {/etc/exim4/dkim}}
# If key exists then use it, if not don't.
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE} {DKIM_FILE} {0}}
# Log more TLS info than default.
MAIN_LOG_SELECTOR = +tls_peerdn +tls_sni
# SRS
SRS_SECRET = sxN7DlwZMWHar1J;L!wlKwbzc9ECB[F>!LEYm9[LF0

View File

@ -0,0 +1,13 @@
# Use rspamd as spam scanner.
spamd_address = 127.0.0.1 11333 variant=rspamd
# Timeout for virus and spam scans
local_scan_timeout = 4m
# Allow all users to see mail queue
no_queue_list_requires_admin
# Listen in ports 25, 465 and 587.
daemon_smtp_ports = smtp : submission : submissions
tls_on_connect_ports = submissions

View File

@ -0,0 +1,24 @@
outbound:
driver = dnslookup
# if outbound, and forwarding has been done, use an alternate transport
domains = ! +local_domains
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
inbound_srs:
driver = redirect
senders = :
domains = +local_domains
# detect inbound bounces which are SRS'd, and decode them
condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
data = $srs_recipient
inbound_srs_failure:
driver = redirect
senders = :
domains = +local_domains
# detect inbound bounces which look SRS'd but are invalid
condition = ${if inbound_srs {$local_part} {}}
allow_fail
data = :fail: Invalid SRS recipient address

View File

@ -0,0 +1,12 @@
# Allow a throwaway suffix to the local part. Might help spot who sells
# email addresses.
suffix_rewrite:
driver = redirect
allow_defer
allow_fail
data = ${local_part}@${domain}
local_part_suffix = "_*"
local_part_suffix_optional
qualify_preserve_domain
retry_use_local_part

View File

@ -0,0 +1,35 @@
# cryhavoc.org.uk has its own aliases. These are separate to the system
# ones - see system_aliases.
cryhavoc_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases.cryhavoc.org.uk}}
domains = cryhavoc.org.uk
qualify_preserve_domain
pipe_transport = address_pipe
no_more
# cowboybuilder.org.uk has its own aliases. These are separate to the system
# ones - see system_aliases.
cowboybuilder_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases.cowboybuilder.org.uk}}
domains = cowboybuilder.org.uk
qualify_preserve_domain
pipe_transport = address_pipe
no_more
# lunch.org.uk has its own aliases. These are separate to the system
# ones - see system_aliases.
lunch_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases.lunch.org.uk}}
domains = lunch.org.uk
qualify_preserve_domain
retry_use_local_part

View File

@ -0,0 +1,16 @@
# Use this to deliver to system users.
# Exim runs this as the user from the local_user router.
dovecot_home:
debug_print = "T: dovecot_home for $local_part@$domain"
driver = pipe
#command = sh -c "/usr/bin/bogofilter -e -u -p | /usr/lib/dovecot/deliver"
command = /usr/lib/dovecot/deliver
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

View File

@ -0,0 +1,7 @@
# transport; should look like the non-forward outbound
# one, plus the max_rcpt and return_path options
remote_forwarded_smtp:
driver = smtp
# modify the envelope from, for mails that we forward
max_rcpt = 1
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}

View File

@ -0,0 +1 @@
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC97rpW4HWK3q4TIjQnWO6WQZxa1EPPRCJJp3yYcjej8ierPPA420RWm3hyUbfPvwN9ynUXPVfrYYj7FJWMR8W3/dGJGOEjaBvL4pITwSg5WZt/7fDpGYkro4P//TnMMcF3iRAOm+XQywatNISuBYKQvOdy16Lw0XQyhV37pt0ixwIDAQAB

View File

@ -0,0 +1 @@
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoEgY4ekHBKJFey4JtZOO9K0bc25aYKGZiUMd+ESgwZfB3uP0JYxdII8CKLYpHFopmPs8mBW9pNs9L2Iyl6U4v4EE+LwHAhz7uZJfpLylmjQrfb9x72AQONGb4AiK7drc4jbcHr80gMorr27RE9RuYe00U4HdERGwjWcU7rJaRzQIDAQAB

View File

@ -0,0 +1 @@
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT6tLjGtCGeZz7MtLq2AazdP7CojC1Vk6CrY+qvM7/rdhIaL++y28+l6WYQhEO0+0kUYNtGewjhvUuq9nEVPvTEh370xOOSDlfAsMTZXZnJFmZGVDegF8mbOg+CQSWqmKRPCmDFsTy1ablh9JnxCIk6q/hiMLfsM1qEO51Wafw/wIDAQAB

View File

@ -0,0 +1,6 @@
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC97rpW4HWK3q4TIjQnWO6WQZxa
1EPPRCJJp3yYcjej8ierPPA420RWm3hyUbfPvwN9ynUXPVfrYYj7FJWMR8W3/dGJ
GOEjaBvL4pITwSg5WZt/7fDpGYkro4P//TnMMcF3iRAOm+XQywatNISuBYKQvOdy
16Lw0XQyhV37pt0ixwIDAQAB
-----END PUBLIC KEY-----

View File

@ -0,0 +1,6 @@
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoEgY4ekHBKJFey4JtZOO9K0bc
25aYKGZiUMd+ESgwZfB3uP0JYxdII8CKLYpHFopmPs8mBW9pNs9L2Iyl6U4v4EE+
LwHAhz7uZJfpLylmjQrfb9x72AQONGb4AiK7drc4jbcHr80gMorr27RE9RuYe00U
4HdERGwjWcU7rJaRzQIDAQAB
-----END PUBLIC KEY-----

View File

@ -0,0 +1,6 @@
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT6tLjGtCGeZz7MtLq2AazdP7C
ojC1Vk6CrY+qvM7/rdhIaL++y28+l6WYQhEO0+0kUYNtGewjhvUuq9nEVPvTEh37
0xOOSDlfAsMTZXZnJFmZGVDegF8mbOg+CQSWqmKRPCmDFsTy1ablh9JnxCIk6q/h
iMLfsM1qEO51Wafw/wIDAQAB
-----END PUBLIC KEY-----

View File

@ -0,0 +1,41 @@
# From rspamd docs.
# skip scanning for authenticated users (if desired?)
accept authenticated = *
# scan the message with rspamd
warn spam = Debian-exim:true
# This will set variables as follows:
# $spam_action is the action recommended by rspamd
# $spam_score is the message score (we unlikely need it)
# $spam_score_int is spam score multiplied by 10
# $spam_report lists symbols matched & protocol messages
# $spam_bar is a visual indicator of spam/ham level
# use greylisting available in rspamd v1.3+
#defer message = Please try again later
# condition = ${if eq{$spam_action}{soft reject}}
#deny message = Message discarded as high-probability spam
# condition = ${if eq{$spam_action}{reject}}
# Remove foreign headers
warn remove_header = x-spam-bar : x-spam-score : x-spam-report : x-spam-status
# add spam-score and spam-report header when "add header" action is recommended by rspamd
warn
condition = ${if eq{$spam_action}{add header}}
add_header = X-Spam-Score: $spam_score ($spam_bar)
add_header = X-Spam-Report: $spam_report
# add x-spam-status header if message is not ham
warn
! condition = ${if match{$spam_action}{^no action\$|^greylist\$}}
add_header = X-Spam-Status: Yes
# add x-spam-bar header if score is positive
warn
condition = ${if >{$spam_score_int}{0}}
add_header = X-Spam-Bar: $spam_bar

View File

@ -0,0 +1,31 @@
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='bear-cave.org.uk:*.bear-cave.org.uk:lunch.org.uk:*.lunch.org.uk:cryhavoc.org.uk:cowboybuilder.org.uk:oxfordbeginnersession.org.uk'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtpout.mythic-beasts.com'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='dovecot_home'

4
states/email/init.sls Normal file
View File

@ -0,0 +1,4 @@
include:
- email/dovecot
- email/rspamd
- email/exim4

20
states/email/rspamd.sls Normal file
View File

@ -0,0 +1,20 @@
# Stock bullseye rspamd doesn't start.
rspamd:
pkg.installed:
- name: rspamd
- fromrepo: bullseye-backports
rspamd_conf:
file.recurse:
- name: /etc/rspamd/local.d
- dir_mode: '0755'
- file_mode: '0644'
- source: salt://email/rspamd/local.d
rspamd_service:
service.running:
- name: rspamd
- enable: true
- watch:
- pkg: rspamd
- file: /etc/rspamd/local.d

View File

@ -0,0 +1 @@
# 2a00:1098:8:d6::1/64

View File

@ -0,0 +1,6 @@
IP_WHITELIST {
type = "ip";
prefilter = "true";
map = "/${LOCAL_CONFDIR}/local.d/ip_whitelist.map";
action = "accept";
}

View File

@ -0,0 +1,2 @@
write_servers = "localhost";
read_servers = "localhost";

View File

@ -5,6 +5,12 @@ scabbers_public:
- services: - services:
- dhcpv6-client - dhcpv6-client
- ssh - ssh
- imap
- imaps
- managesieve
- smtp
- smtps
- smtp-submission
- prune_services: True - prune_services: True
- require: - require:
- firewalld - firewalld

View File

@ -22,6 +22,7 @@ base:
- backup - backup
- backup/scabbers - backup/scabbers
- dottes_website - dottes_website
- email
- fail2ban - fail2ban
- firewalls/scabbers - firewalls/scabbers
- gitea - gitea