Add email - Dovecot, rspamd, exim4.
And appropriate configuration for various email domains.
This commit is contained in:
parent
ff199e101f
commit
7b94baa6cd
|
@ -0,0 +1,25 @@
|
||||||
|
dkim:
|
||||||
|
dkim_bear-cave: |
|
||||||
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||||
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
|
||||||
|
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
|
||||||
|
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
|
||||||
|
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
|
||||||
|
-----END OPENSSH PRIVATE KEY-----
|
||||||
|
dkim_cryhavoc: |
|
||||||
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||||
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
|
||||||
|
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
|
||||||
|
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
|
||||||
|
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
|
||||||
|
-----END OPENSSH PRIVATE KEY-----
|
||||||
|
dkim_lunch: |
|
||||||
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||||
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
|
||||||
|
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
|
||||||
|
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
|
||||||
|
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
|
||||||
|
-----END OPENSSH PRIVATE KEY-----
|
|
@ -4,6 +4,7 @@ base:
|
||||||
- secrets/mariadb
|
- secrets/mariadb
|
||||||
- secrets/wordpress
|
- secrets/wordpress
|
||||||
'scabbers.lunch.org.uk':
|
'scabbers.lunch.org.uk':
|
||||||
|
- secrets/dkim
|
||||||
- secrets/dnsapi
|
- secrets/dnsapi
|
||||||
- secrets/gitea
|
- secrets/gitea
|
||||||
- secrets/webmail
|
- secrets/webmail
|
||||||
|
|
|
@ -1,3 +1,9 @@
|
||||||
|
bullseye_backports:
|
||||||
|
pkgrepo.managed:
|
||||||
|
- name: deb http://deb.debian.org/debian bullseye-backports main
|
||||||
|
- dist: bullseye-backports
|
||||||
|
- file: /etc/apt/sources.list.d/bullseye-backports.list
|
||||||
|
|
||||||
deploy_sshd_config:
|
deploy_sshd_config:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /etc/ssh/sshd_config
|
- name: /etc/ssh/sshd_config
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
dovecot:
|
||||||
|
pkg.installed:
|
||||||
|
- pkgs:
|
||||||
|
- dovecot-core
|
||||||
|
- dovecot-imapd
|
||||||
|
- dovecot-sieve
|
||||||
|
- dovecot-managesieved
|
||||||
|
|
||||||
|
dovecot_certs_group:
|
||||||
|
group.present:
|
||||||
|
- name: ssl-cert
|
||||||
|
- system: true
|
||||||
|
- addusers:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
|
dovecot_conf:
|
||||||
|
file.managed:
|
||||||
|
- mode: 0644
|
||||||
|
- names:
|
||||||
|
- /etc/dovecot/local.conf:
|
||||||
|
- source: salt://email/dovecot_local.conf
|
||||||
|
|
||||||
|
dovecot_service:
|
||||||
|
service.running:
|
||||||
|
- name: dovecot
|
||||||
|
- enable: true
|
||||||
|
- watch:
|
||||||
|
- pkg: dovecot
|
||||||
|
- file: /etc/dovecot/local.conf
|
|
@ -0,0 +1,20 @@
|
||||||
|
# We use Maildir.
|
||||||
|
mail_location = maildir:~/Maildir
|
||||||
|
|
||||||
|
# Require SSL for all auth.
|
||||||
|
ssl = required
|
||||||
|
|
||||||
|
# SSL certificate locations.
|
||||||
|
ssl_cert = </var/local/certificates/mail.lunch.org.uk/fullchain.pem
|
||||||
|
ssl_key = </var/local/certificates/mail.lunch.org.uk/privkey.pem
|
||||||
|
|
||||||
|
# Plugins.
|
||||||
|
protocol lda {
|
||||||
|
mail_plugins = acl sieve
|
||||||
|
}
|
||||||
|
|
||||||
|
# IMAP - increase number of connections per IP.
|
||||||
|
protocol imap {
|
||||||
|
mail_max_userip_connections = 40
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
exim4:
|
||||||
|
pkg.installed:
|
||||||
|
- name: exim4-daemon-heavy
|
||||||
|
|
||||||
|
exim4_conf:
|
||||||
|
file.recurse:
|
||||||
|
- name: /etc/exim4
|
||||||
|
- dir_mode: '0755'
|
||||||
|
- file_mode: '0644'
|
||||||
|
- source: salt://email/exim4
|
||||||
|
|
||||||
|
# To read system certificate details, you must be in ssl-cert.
|
||||||
|
exim4_certs_group:
|
||||||
|
group.present:
|
||||||
|
- name: ssl-cert
|
||||||
|
- system: true
|
||||||
|
- addusers:
|
||||||
|
- Debian-exim
|
||||||
|
|
||||||
|
# To deliver using the Dovecot LDA without getting a perms
|
||||||
|
# error on /run/dovecot/stats-writer, the Exim user must be in
|
||||||
|
# the dovecot group.
|
||||||
|
exim4_dovecot_group:
|
||||||
|
group.present:
|
||||||
|
- name: dovecot
|
||||||
|
- system: true
|
||||||
|
- addusers:
|
||||||
|
- Debian-exim
|
||||||
|
|
||||||
|
exim4_dkim_private_keys:
|
||||||
|
file.managed:
|
||||||
|
- mode: 0640
|
||||||
|
- group: Debian-exim
|
||||||
|
- names:
|
||||||
|
- /etc/exim4/dkim/bear-cave.org.uk-private.pem:
|
||||||
|
- contents_pillar: dkim:dkim_bear-cave
|
||||||
|
- /etc/exim4/dkim/cryhavoc.org.uk-private.pem:
|
||||||
|
- contents_pillar: dkim:dkim_cryhavoc
|
||||||
|
- /etc/exim4/dkim/lunch.org.uk-private.pem:
|
||||||
|
- contents_pillar: dkim:dkim_lunch
|
||||||
|
|
||||||
|
exim4_update_conf:
|
||||||
|
cmd.run:
|
||||||
|
- name: update-exim4.conf
|
||||||
|
- onchanges:
|
||||||
|
- file: exim4_conf
|
||||||
|
|
||||||
|
enable_exim4_service:
|
||||||
|
service.enabled:
|
||||||
|
- name: exim4
|
||||||
|
|
||||||
|
exim4_service:
|
||||||
|
service.running:
|
||||||
|
- name: exim4
|
||||||
|
- reload: true
|
||||||
|
- watch:
|
||||||
|
- cmd: exim4_update_conf
|
|
@ -0,0 +1,7 @@
|
||||||
|
# AUTH acl check.
|
||||||
|
check_auth:
|
||||||
|
accept hosts = *
|
||||||
|
endpass
|
||||||
|
message = STARTTLS required before AUTH
|
||||||
|
encrypted = *
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Authenticate via dovecot.
|
||||||
|
#
|
||||||
|
# For plain and login the connection must be ciphered.
|
||||||
|
|
||||||
|
dovecot_plain:
|
||||||
|
driver = dovecot
|
||||||
|
public_name = PLAIN
|
||||||
|
server_socket = /var/run/dovecot/auth-client
|
||||||
|
#server_set_id = $auth2
|
||||||
|
server_mail_auth_condition = false
|
||||||
|
|
||||||
|
|
||||||
|
#dovecot_login:
|
||||||
|
# driver = dovecot
|
||||||
|
# public_name = LOGIN
|
||||||
|
# server_socket = /var/run/dovecot/auth-client
|
||||||
|
# #server_set_id = $auth2
|
||||||
|
# server_mail_auth_condition = false
|
|
@ -0,0 +1,33 @@
|
||||||
|
# Trusted users and groups
|
||||||
|
MAIN_TRUSTED_USERS=mail:www-data
|
||||||
|
|
||||||
|
# User account UID range
|
||||||
|
FIRST_USER_ACCOUNT_UID=1000
|
||||||
|
|
||||||
|
# TLS configuration
|
||||||
|
MAIN_TLS_ENABLE=true
|
||||||
|
MAIN_TLS_CERTIFICATE=/var/local/certificates/mail.lunch.org.uk/fullchain.pem
|
||||||
|
MAIN_TLS_PRIVATEKEY=/var/local/certificates/mail.lunch.org.uk/privkey.pem
|
||||||
|
|
||||||
|
# Local settings
|
||||||
|
# CHECK_RCPT_LOCAL_ACL_FILE=/etc/exim4/local_check_rcpt
|
||||||
|
CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/local_check_data
|
||||||
|
|
||||||
|
# DKIM keys and handling.
|
||||||
|
DKIM_CANON = relaxed
|
||||||
|
DKIM_SELECTOR = 20160621
|
||||||
|
|
||||||
|
# Get the domain from the outgoing mail.
|
||||||
|
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
|
||||||
|
|
||||||
|
# The private key file.
|
||||||
|
DKIM_FILE = ${lookup {DKIM_DOMAIN-private.pem} dsearch,ret=full,filter=file {/etc/exim4/dkim}}
|
||||||
|
|
||||||
|
# If key exists then use it, if not don't.
|
||||||
|
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE} {DKIM_FILE} {0}}
|
||||||
|
|
||||||
|
# Log more TLS info than default.
|
||||||
|
MAIN_LOG_SELECTOR = +tls_peerdn +tls_sni
|
||||||
|
|
||||||
|
# SRS
|
||||||
|
SRS_SECRET = sxN7DlwZMWHar1J;L!wlKwbzc9ECB[F>!LEYm9[LF0
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Use rspamd as spam scanner.
|
||||||
|
spamd_address = 127.0.0.1 11333 variant=rspamd
|
||||||
|
|
||||||
|
# Timeout for virus and spam scans
|
||||||
|
local_scan_timeout = 4m
|
||||||
|
|
||||||
|
# Allow all users to see mail queue
|
||||||
|
no_queue_list_requires_admin
|
||||||
|
|
||||||
|
# Listen in ports 25, 465 and 587.
|
||||||
|
daemon_smtp_ports = smtp : submission : submissions
|
||||||
|
tls_on_connect_ports = submissions
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
outbound:
|
||||||
|
driver = dnslookup
|
||||||
|
# if outbound, and forwarding has been done, use an alternate transport
|
||||||
|
domains = ! +local_domains
|
||||||
|
transport = ${if eq {$local_part@$domain} \
|
||||||
|
{$original_local_part@$original_domain} \
|
||||||
|
{remote_smtp} {remote_forwarded_smtp}}
|
||||||
|
|
||||||
|
inbound_srs:
|
||||||
|
driver = redirect
|
||||||
|
senders = :
|
||||||
|
domains = +local_domains
|
||||||
|
# detect inbound bounces which are SRS'd, and decode them
|
||||||
|
condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
|
||||||
|
data = $srs_recipient
|
||||||
|
|
||||||
|
inbound_srs_failure:
|
||||||
|
driver = redirect
|
||||||
|
senders = :
|
||||||
|
domains = +local_domains
|
||||||
|
# detect inbound bounces which look SRS'd but are invalid
|
||||||
|
condition = ${if inbound_srs {$local_part} {}}
|
||||||
|
allow_fail
|
||||||
|
data = :fail: Invalid SRS recipient address
|
|
@ -0,0 +1,12 @@
|
||||||
|
# Allow a throwaway suffix to the local part. Might help spot who sells
|
||||||
|
# email addresses.
|
||||||
|
suffix_rewrite:
|
||||||
|
driver = redirect
|
||||||
|
allow_defer
|
||||||
|
allow_fail
|
||||||
|
data = ${local_part}@${domain}
|
||||||
|
local_part_suffix = "_*"
|
||||||
|
local_part_suffix_optional
|
||||||
|
qualify_preserve_domain
|
||||||
|
retry_use_local_part
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
|
||||||
|
# cryhavoc.org.uk has its own aliases. These are separate to the system
|
||||||
|
# ones - see system_aliases.
|
||||||
|
cryhavoc_aliases:
|
||||||
|
driver = redirect
|
||||||
|
allow_defer
|
||||||
|
allow_fail
|
||||||
|
data = ${lookup{$local_part}lsearch{/etc/aliases.cryhavoc.org.uk}}
|
||||||
|
domains = cryhavoc.org.uk
|
||||||
|
qualify_preserve_domain
|
||||||
|
pipe_transport = address_pipe
|
||||||
|
no_more
|
||||||
|
|
||||||
|
# cowboybuilder.org.uk has its own aliases. These are separate to the system
|
||||||
|
# ones - see system_aliases.
|
||||||
|
cowboybuilder_aliases:
|
||||||
|
driver = redirect
|
||||||
|
allow_defer
|
||||||
|
allow_fail
|
||||||
|
data = ${lookup{$local_part}lsearch{/etc/aliases.cowboybuilder.org.uk}}
|
||||||
|
domains = cowboybuilder.org.uk
|
||||||
|
qualify_preserve_domain
|
||||||
|
pipe_transport = address_pipe
|
||||||
|
no_more
|
||||||
|
|
||||||
|
# lunch.org.uk has its own aliases. These are separate to the system
|
||||||
|
# ones - see system_aliases.
|
||||||
|
lunch_aliases:
|
||||||
|
driver = redirect
|
||||||
|
allow_defer
|
||||||
|
allow_fail
|
||||||
|
data = ${lookup{$local_part}lsearch{/etc/aliases.lunch.org.uk}}
|
||||||
|
domains = lunch.org.uk
|
||||||
|
qualify_preserve_domain
|
||||||
|
retry_use_local_part
|
|
@ -0,0 +1,16 @@
|
||||||
|
|
||||||
|
# Use this to deliver to system users.
|
||||||
|
# Exim runs this as the user from the local_user router.
|
||||||
|
dovecot_home:
|
||||||
|
debug_print = "T: dovecot_home for $local_part@$domain"
|
||||||
|
driver = pipe
|
||||||
|
#command = sh -c "/usr/bin/bogofilter -e -u -p | /usr/lib/dovecot/deliver"
|
||||||
|
command = /usr/lib/dovecot/deliver
|
||||||
|
message_prefix =
|
||||||
|
message_suffix =
|
||||||
|
log_output
|
||||||
|
delivery_date_add
|
||||||
|
envelope_to_add
|
||||||
|
return_path_add
|
||||||
|
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
# transport; should look like the non-forward outbound
|
||||||
|
# one, plus the max_rcpt and return_path options
|
||||||
|
remote_forwarded_smtp:
|
||||||
|
driver = smtp
|
||||||
|
# modify the envelope from, for mails that we forward
|
||||||
|
max_rcpt = 1
|
||||||
|
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
|
|
@ -0,0 +1 @@
|
||||||
|
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC97rpW4HWK3q4TIjQnWO6WQZxa1EPPRCJJp3yYcjej8ierPPA420RWm3hyUbfPvwN9ynUXPVfrYYj7FJWMR8W3/dGJGOEjaBvL4pITwSg5WZt/7fDpGYkro4P//TnMMcF3iRAOm+XQywatNISuBYKQvOdy16Lw0XQyhV37pt0ixwIDAQAB
|
|
@ -0,0 +1 @@
|
||||||
|
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoEgY4ekHBKJFey4JtZOO9K0bc25aYKGZiUMd+ESgwZfB3uP0JYxdII8CKLYpHFopmPs8mBW9pNs9L2Iyl6U4v4EE+LwHAhz7uZJfpLylmjQrfb9x72AQONGb4AiK7drc4jbcHr80gMorr27RE9RuYe00U4HdERGwjWcU7rJaRzQIDAQAB
|
|
@ -0,0 +1 @@
|
||||||
|
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT6tLjGtCGeZz7MtLq2AazdP7CojC1Vk6CrY+qvM7/rdhIaL++y28+l6WYQhEO0+0kUYNtGewjhvUuq9nEVPvTEh370xOOSDlfAsMTZXZnJFmZGVDegF8mbOg+CQSWqmKRPCmDFsTy1ablh9JnxCIk6q/hiMLfsM1qEO51Wafw/wIDAQAB
|
|
@ -0,0 +1,6 @@
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC97rpW4HWK3q4TIjQnWO6WQZxa
|
||||||
|
1EPPRCJJp3yYcjej8ierPPA420RWm3hyUbfPvwN9ynUXPVfrYYj7FJWMR8W3/dGJ
|
||||||
|
GOEjaBvL4pITwSg5WZt/7fDpGYkro4P//TnMMcF3iRAOm+XQywatNISuBYKQvOdy
|
||||||
|
16Lw0XQyhV37pt0ixwIDAQAB
|
||||||
|
-----END PUBLIC KEY-----
|
|
@ -0,0 +1,6 @@
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoEgY4ekHBKJFey4JtZOO9K0bc
|
||||||
|
25aYKGZiUMd+ESgwZfB3uP0JYxdII8CKLYpHFopmPs8mBW9pNs9L2Iyl6U4v4EE+
|
||||||
|
LwHAhz7uZJfpLylmjQrfb9x72AQONGb4AiK7drc4jbcHr80gMorr27RE9RuYe00U
|
||||||
|
4HdERGwjWcU7rJaRzQIDAQAB
|
||||||
|
-----END PUBLIC KEY-----
|
|
@ -0,0 +1,6 @@
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT6tLjGtCGeZz7MtLq2AazdP7C
|
||||||
|
ojC1Vk6CrY+qvM7/rdhIaL++y28+l6WYQhEO0+0kUYNtGewjhvUuq9nEVPvTEh37
|
||||||
|
0xOOSDlfAsMTZXZnJFmZGVDegF8mbOg+CQSWqmKRPCmDFsTy1ablh9JnxCIk6q/h
|
||||||
|
iMLfsM1qEO51Wafw/wIDAQAB
|
||||||
|
-----END PUBLIC KEY-----
|
|
@ -0,0 +1,41 @@
|
||||||
|
# From rspamd docs.
|
||||||
|
|
||||||
|
# skip scanning for authenticated users (if desired?)
|
||||||
|
accept authenticated = *
|
||||||
|
|
||||||
|
# scan the message with rspamd
|
||||||
|
warn spam = Debian-exim:true
|
||||||
|
# This will set variables as follows:
|
||||||
|
# $spam_action is the action recommended by rspamd
|
||||||
|
# $spam_score is the message score (we unlikely need it)
|
||||||
|
# $spam_score_int is spam score multiplied by 10
|
||||||
|
# $spam_report lists symbols matched & protocol messages
|
||||||
|
# $spam_bar is a visual indicator of spam/ham level
|
||||||
|
|
||||||
|
# use greylisting available in rspamd v1.3+
|
||||||
|
#defer message = Please try again later
|
||||||
|
# condition = ${if eq{$spam_action}{soft reject}}
|
||||||
|
|
||||||
|
#deny message = Message discarded as high-probability spam
|
||||||
|
# condition = ${if eq{$spam_action}{reject}}
|
||||||
|
|
||||||
|
# Remove foreign headers
|
||||||
|
warn remove_header = x-spam-bar : x-spam-score : x-spam-report : x-spam-status
|
||||||
|
|
||||||
|
# add spam-score and spam-report header when "add header" action is recommended by rspamd
|
||||||
|
warn
|
||||||
|
condition = ${if eq{$spam_action}{add header}}
|
||||||
|
add_header = X-Spam-Score: $spam_score ($spam_bar)
|
||||||
|
add_header = X-Spam-Report: $spam_report
|
||||||
|
|
||||||
|
# add x-spam-status header if message is not ham
|
||||||
|
warn
|
||||||
|
! condition = ${if match{$spam_action}{^no action\$|^greylist\$}}
|
||||||
|
add_header = X-Spam-Status: Yes
|
||||||
|
|
||||||
|
# add x-spam-bar header if score is positive
|
||||||
|
warn
|
||||||
|
condition = ${if >{$spam_score_int}{0}}
|
||||||
|
add_header = X-Spam-Bar: $spam_bar
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
# /etc/exim4/update-exim4.conf.conf
|
||||||
|
#
|
||||||
|
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
|
||||||
|
# yourself or use 'dpkg-reconfigure exim4-config'
|
||||||
|
#
|
||||||
|
# Please note that this is _not_ a dpkg-conffile and that automatic changes
|
||||||
|
# to this file might happen. The code handling this will honor your local
|
||||||
|
# changes, so this is usually fine, but will break local schemes that mess
|
||||||
|
# around with multiple versions of the file.
|
||||||
|
#
|
||||||
|
# update-exim4.conf uses this file to determine variable values to replace
|
||||||
|
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
|
||||||
|
#
|
||||||
|
# Most settings found in here do have corresponding questions in the
|
||||||
|
# Debconf configuration, but not all of them.
|
||||||
|
#
|
||||||
|
# This is a Debian specific file
|
||||||
|
|
||||||
|
dc_eximconfig_configtype='smarthost'
|
||||||
|
dc_other_hostnames='bear-cave.org.uk:*.bear-cave.org.uk:lunch.org.uk:*.lunch.org.uk:cryhavoc.org.uk:cowboybuilder.org.uk:oxfordbeginnersession.org.uk'
|
||||||
|
dc_local_interfaces=''
|
||||||
|
dc_readhost=''
|
||||||
|
dc_relay_domains=''
|
||||||
|
dc_minimaldns='false'
|
||||||
|
dc_relay_nets=''
|
||||||
|
dc_smarthost='smtpout.mythic-beasts.com'
|
||||||
|
CFILEMODE='644'
|
||||||
|
dc_use_split_config='true'
|
||||||
|
dc_hide_mailname='false'
|
||||||
|
dc_mailname_in_oh='true'
|
||||||
|
dc_localdelivery='dovecot_home'
|
|
@ -0,0 +1,4 @@
|
||||||
|
include:
|
||||||
|
- email/dovecot
|
||||||
|
- email/rspamd
|
||||||
|
- email/exim4
|
|
@ -0,0 +1,20 @@
|
||||||
|
# Stock bullseye rspamd doesn't start.
|
||||||
|
rspamd:
|
||||||
|
pkg.installed:
|
||||||
|
- name: rspamd
|
||||||
|
- fromrepo: bullseye-backports
|
||||||
|
|
||||||
|
rspamd_conf:
|
||||||
|
file.recurse:
|
||||||
|
- name: /etc/rspamd/local.d
|
||||||
|
- dir_mode: '0755'
|
||||||
|
- file_mode: '0644'
|
||||||
|
- source: salt://email/rspamd/local.d
|
||||||
|
|
||||||
|
rspamd_service:
|
||||||
|
service.running:
|
||||||
|
- name: rspamd
|
||||||
|
- enable: true
|
||||||
|
- watch:
|
||||||
|
- pkg: rspamd
|
||||||
|
- file: /etc/rspamd/local.d
|
|
@ -0,0 +1 @@
|
||||||
|
# 2a00:1098:8:d6::1/64
|
|
@ -0,0 +1,6 @@
|
||||||
|
IP_WHITELIST {
|
||||||
|
type = "ip";
|
||||||
|
prefilter = "true";
|
||||||
|
map = "/${LOCAL_CONFDIR}/local.d/ip_whitelist.map";
|
||||||
|
action = "accept";
|
||||||
|
}
|
|
@ -0,0 +1,2 @@
|
||||||
|
write_servers = "localhost";
|
||||||
|
read_servers = "localhost";
|
|
@ -5,6 +5,12 @@ scabbers_public:
|
||||||
- services:
|
- services:
|
||||||
- dhcpv6-client
|
- dhcpv6-client
|
||||||
- ssh
|
- ssh
|
||||||
|
- imap
|
||||||
|
- imaps
|
||||||
|
- managesieve
|
||||||
|
- smtp
|
||||||
|
- smtps
|
||||||
|
- smtp-submission
|
||||||
- prune_services: True
|
- prune_services: True
|
||||||
- require:
|
- require:
|
||||||
- firewalld
|
- firewalld
|
||||||
|
|
|
@ -22,6 +22,7 @@ base:
|
||||||
- backup
|
- backup
|
||||||
- backup/scabbers
|
- backup/scabbers
|
||||||
- dottes_website
|
- dottes_website
|
||||||
|
- email
|
||||||
- fail2ban
|
- fail2ban
|
||||||
- firewalls/scabbers
|
- firewalls/scabbers
|
||||||
- gitea
|
- gitea
|
||||||
|
|
Loading…
Reference in New Issue