diff --git a/docs/ansible.html b/docs/ansible.html index bd2b5b7..b1ab198 100644 --- a/docs/ansible.html +++ b/docs/ansible.html @@ -55,30 +55,6 @@
If you need to specify some parameters before a batch install, you -can use the debconf module. Typically we install then configure, but -this might be useful in certain situations.
- --#dbconfig-common/bacula-director-mysql.conf:dbc_dbpass='whereami' # -dbconfig-common - -# from debconf-show -# bacula-director-pgsql/pgsql/app-pass: (password omitted) -# bacula-director-pgsql/app-password-confirm: (password omitted) -# bacula-director-pgsql/pgsql/admin-pass: (password omitted) -# bacula-director-pgsql/password-confirm: (password omitted) - -# - name: Set MySQL root password before installing -# debconf: name='mysql-server' question='mysql-server/root_password' value='{{mysql_root_pass | quote}}' vtype='password' - -# - name: Confirm MySQL root password before installing -# debconf: name='mysql-server' question='mysql-server/root_password_again' value='{{mysql_root_pass | quote}}' vtype='password' - --
Copyright © 2020 David Loffredo, licensed under
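Review bot: deleting this block removes the only place the docs showed pre-seeding `mysql-server/root_password` through the debconf module with `{{mysql_root_pass | quote}}`; if no role still does that, fine, but keep a one-line pointer that debconf pre-seeding exists for the "configure before install" case the surrounding sentence describes. The removal is also worth doing on its own merits, because the old text carried a literal placeholder secret (`dbc_dbpass='whereami'`) in a rendered HTML page.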
diff --git a/docs/backup.html b/docs/backup.html
index 8a96d47..24fd0e4 100644
--- a/docs/backup.html
+++ b/docs/backup.html
@@ -89,16 +89,28 @@ The client does not need many settings. We will eventually have a
-variable for the file lists to back up.
-
-INCLUDE THE RSPAMD DBDIR /var/lib/rspamd
-
+ The client does not need many settings.
+The If you have detailed knowledge of Bacula, you can add
+ If a client does not need an ssh tunnel,
set I recommend firing up the console and getting familiar with it
before you need to. Try to manually run a backup ("run") and try to
restore some files ("restore"). The Bacula manual has
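Review bot: the `INCLUDE THE RSPAMD DBDIR /var/lib/rspamd` reminder is dropped from the docs here without being resolved; it only reappears as a question in `hosts.example/group_vars/cloud.yml` later in this patch. Either add the directory to `bacula_client_fileset.include` or state in the docs that the backup does not cover rspamd's state, so a reader restoring the mail host knows what to expect. Since the old sentence `We will eventually have a variable for the file lists to back up` goes away, make sure the replacement paragraph names `bacula_client_fileset` as the place the file list now lives.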
diff --git a/docs/index.html b/docs/index.html
index d21ecb5..b779aed 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -9,7 +9,7 @@
These pages explain what I learned, how to
-configure it, and why I made each choice, plus some fun
+ These pages cover what I learned, how to
+configure it, and why I made each choice, with some fun
pictures of my old hardware.
-If those details don't interest you, a push-button mail server
-like Modoboa,
-mail-in-a-box, or
-homebox is a
-fine alternative. I hope this is a useful starting point for your goals
and choices. If these details don't interest you, a push-button mail server
+like Modoboa,
+mail-in-a-box, or
+homebox is a
+fine alternative. The The machines are listed by fully qualified domain name (FQDN) and
-IP address, so the machine does not need to show up in DNS yet.
-Ansible uses the Machines are listed by fully qualified domain name (FQDN) and IP
+address. Ansible uses the After you have provisioned the machines, create
-DNS entries for them using your registrar or other service. We
-may eventually run Bind and make the cloud machine the DNS master, but
-still getting that sorted out. Once you have machines, create DNS entries for
+them using your registrar or other service. We may eventually run
+Bind on the cloud machine, but still getting that sorted out. The Most of our settings are in Most settings are in Sensitive values like passwords are in
- After this, remote password login is disabled and everything
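Review bot: the removed line `After this, remote password login is disabled and everything` is the one statement in the intro that tells the reader the bootstrap playbook turns off password SSH login; keep that sentence, or an equivalent, in the new text, because it is the security property a user of `first.yml` most needs to know. The rewrite also drops the rationale `so the machine does not need to show up in DNS yet` for listing hosts with an IP; one clause explaining that belongs next to `Ansible uses the ansible_host variable to connect`.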
diff --git a/hosts.example/group_vars/cloud.yml b/hosts.example/group_vars/cloud.yml
index e1d5e6c..0e7de84 100644
--- a/hosts.example/group_vars/cloud.yml
+++ b/hosts.example/group_vars/cloud.yml
@@ -56,6 +56,9 @@ webdata_root: /var/www
#==============================
# Backup Directories - for mail and web server
#
+# Should we include the rspamd dbdir /var/lib/rspamd
+# What about /var/log?
+#
bacula_client_fileset:
include:
- /etc/letsencrypt
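Review bot: this records an open question in a committed config instead of a decision. `/var/lib/rspamd` is rspamd's data directory (the TODO removed from `docs/backup.html` in this same patch said to include it), so a restore that omits it brings the mail host back without whatever rspamd had accumulated; `/var/log` is where `mail.log` lives, which is the first thing needed in an incident review. Either add both to `include:` under `bacula_client_fileset` or replace the two questions with a one-line note of why they are left out.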
diff --git a/roles/mailhost/tasks/dovecot.yml b/roles/mailhost/tasks/dovecot.yml
index 58dc8bd..a44ce85 100644
--- a/roles/mailhost/tasks/dovecot.yml
+++ b/roles/mailhost/tasks/dovecot.yml
@@ -5,6 +5,12 @@
# Dovecot for local mail delivery and IMAP access. Do not install the
# dovecot-pop3 package, because we will only use IMAP.
+# Saw the following in /var/log, might be a leftover from the default
+# install that had 143 enabled. Only seems to show up once. dovecot:
+# master: Error: systemd listens on port 143, but it's not configured
+# in Dovecot. Closing.
+
+
- name: dovecot and related packages present
package:
state: present
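Review bot: the comment describes the `systemd listens on port 143, but it's not configured in Dovecot` error but no task addresses it. That message is Dovecot closing a socket handed to it by a systemd socket unit whose port its own listener config does not match; if the role deliberately leaves 143 unconfigured, add a task that disables or masks that socket unit so the error does not come back on every boot, rather than relying on `Only seems to show up once`. Minor: the two blank lines added after the comment are one more than the file uses between other blocks.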
diff --git a/roles/mailhost/tasks/postfix.yml b/roles/mailhost/tasks/postfix.yml
index 41601a0..e160957 100644
--- a/roles/mailhost/tasks/postfix.yml
+++ b/roles/mailhost/tasks/postfix.yml
@@ -18,13 +18,6 @@
# The queue directory must be present or else the chroot will not be
# populated.
-
-# Seeing issue in log, has to do with socket think we were not
-# seeing it because original chroot had something we do not.
-# root@davecloud:/vault# grep "systemd listens" /var/log/mail.log
-# Jan 23 22:55:52 davecloud dovecot: master: Error: systemd listens on port 143, but it's not configured in Dovecot. Closing.
-# Jan 23 22:55:52 davecloud dovecot: master: Error: systemd listens on port 143, but it's not configured in Dovecot. Closing.
-
- name: other mail directories and permissions
file: state=directory path={{item}} mode=0755
with_items:
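Review bot: moving this note out of the Postfix task file is right, since it is a Dovecot error. The removed lines also quoted a live root prompt and hostname (`root@davecloud:/vault#`), which does not belong in a published role, so the paraphrase in `dovecot.yml` is preferable to a verbatim move.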
@@ -33,11 +26,10 @@
# The virtual user database holds account details. We use SQLite
-# because this small, simple, and relatively static, but you can use
-# MySQL, Maria, or Postgres if you prefer. I've written the mailcfg
-# perl utility to manage the database. It uses DBI and might just
-# need minor changes to the connect statement and SQL for use with
-# other RDBs.
+# because this small, simple, and relatively static, but MySQL, Maria,
+# or Postgres would also work. I wrote the mailcfg perl script to
+# manage the database. It uses DBI and might just need minor changes
+# to the connect statement and SQL for the other RDBs.
- name: postfix and related packages present
package:
state: present
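Review bot: the rewritten comment keeps the original grammatical slip: `because this small, simple, and relatively static` should read `because it is small, simple, and relatively static`. Also `the other RDBs` reads as if a specific set had been listed; `other databases` is clearer.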
@@ -61,10 +53,11 @@
with_items:
- main.cf
- master.cf
+ - denied_recipients
+ - sqlite-sender-login-maps.cf
- sqlite-virtual-alias-maps.cf
- sqlite-virtual-mailbox-domains.cf
- sqlite-virtual-mailbox-maps.cf
- - denied_recipients
notify:
- postmap files
- restart postfix
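Review bot: adding `sqlite-sender-login-maps.cf` to this loop puts it under the same `postmap files` handler as `denied_recipients`. An sqlite lookup definition is not a hash table and must not be postmapped, so check that the handler only runs `postmap` on the hash-type tables (or skips `*.cf` names) before this merges; otherwise the handler either fails or leaves a stray `.db` beside the `.cf`. Moving `denied_recipients` up the list is cosmetic and fine.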
diff --git a/roles/mailhost/templates/postfix/main.cf b/roles/mailhost/templates/postfix/main.cf
index d7f49a3..9b82b83 100644
--- a/roles/mailhost/templates/postfix/main.cf
+++ b/roles/mailhost/templates/postfix/main.cf
@@ -64,8 +64,6 @@ virtual_alias_maps = sqlite:/etc/postfix/sqlite-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps
-
-
# ==============================
# TLS parameters
@@ -159,7 +157,7 @@ smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
-#Some DNS BL's - high availability:
+#Some DNS BL's - high availability: HANDLED BY RSPAMD
# reject_rbl_client zen.spamhaus.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client dul.dnsbl.sorbs.net,
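Review bot: `HANDLED BY RSPAMD` should say how. `reject_rbl_client` refuses the client at the SMTP envelope stage, before the message is accepted, whereas a milter-side DNSBL check runs after the client has already handed over the message, so the behaviour changed, not just the location. One clause saying whether rspamd rejects on these lists or only adds score would stop someone re-enabling the Postfix checks on top of it.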
@@ -180,6 +178,11 @@ smtpd_sender_restrictions =
reject_unknown_reverse_client_hostname
# reject_unknown_address
+# Declare owners for each FROM mail address, AUTH user can send as
+# self or an alias, relay can send as anyone. Enforced for submission
+# and smtps in master.cf
+smtpd_sender_login_maps = sqlite:/etc/postfix/sqlite-sender-login-maps.cf
+
# Deny any useful feedback to abusing systems by changing all errors
# to 554: Transaction Failed
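Review bot: `smtpd_sender_login_maps` is set globally here while `reject_sender_login_mismatch` is only applied on the submission and smtps services in master.cf. That split is correct (port 25 has to keep accepting inbound mail from addresses that have owners), but the comment should say so explicitly rather than just `Enforced for submission and smtps in master.cf`. The phrase `relay can send as anyone` also overstates the map: the query in `sqlite-sender-login-maps.cf` returns `relay@{{domain}}` only for domains present in the `domains` table, so `relay` can send as any address in the hosted domains, not as an arbitrary external address.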
diff --git a/roles/mailhost/templates/postfix/master.cf b/roles/mailhost/templates/postfix/master.cf
index 225cbd5..ec86504 100644
--- a/roles/mailhost/templates/postfix/master.cf
+++ b/roles/mailhost/templates/postfix/master.cf
@@ -15,6 +15,8 @@ smtp inet n - y - - smtpd
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
+
+# SMTP with STARTTLS on port 587. Only with AUTH
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
@@ -23,15 +25,15 @@ submission inet n - y - - smtpd
-o smtpd_sasl_path=private/auth
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=reject_sender_login_mismatch
-o milter_macro_daemon_name=ORIGINATING
-# -o smtpd_client_restrictions=$mua_client_restrictions
+# client_restrictions say only allow authenticated clients to connect
+# sender_restrictions say auth must own that address to use it. Sql lookup
# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-# SMTP over SSL/TLS on port 465.
+# SMTP over SSL/TLS on port 465. Only with AUTH
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
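Review bot: the new `-o smtpd_sender_restrictions=reject_sender_login_mismatch` override is the right place for this check. Two style points: the explanatory comment (`client_restrictions say ...`, `sender_restrictions say ...`) sits between `-o` continuation lines; Postfix ignores `#` lines there, but it reads better above the `submission inet` line next to `Only with AUTH`. And because the override replaces main.cf's `smtpd_sender_restrictions` for this service, checks such as `reject_unknown_reverse_client_hostname` no longer apply to authenticated clients; that is intended, but worth a word in the comment.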
@@ -39,14 +41,13 @@ smtps inet n - y - - smtpd
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=reject_sender_login_mismatch
-o milter_macro_daemon_name=ORIGINATING
# -o smtpd_reject_unlisted_recipient=no
- # -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
- # -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
- # -o milter_macro_daemon_name=ORIGINATING
+
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
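Review bot: the smtps stanza now repeats the submission stanza line for line, which is how drift creeps in: `-o smtpd_reject_unlisted_recipient=no` is active for submission but still commented out here (`# -o smtpd_reject_unlisted_recipient=no`), so the two authenticated ports already behave differently. Either make the two stanzas identical or note why they differ.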
diff --git a/roles/mailhost/templates/postfix/sqlite-sender-login-maps.cf b/roles/mailhost/templates/postfix/sqlite-sender-login-maps.cf
new file mode 100644
index 0000000..a64978d
--- /dev/null
+++ b/roles/mailhost/templates/postfix/sqlite-sender-login-maps.cf
@@ -0,0 +1,9 @@
+
+# Simple SQLite query for sender/login map. Returns list of AUTH
+# logins that are allowed to send as a given address. For a given
+# address, this includes the address (if an auth user), the alias
+# destination (if an alias), and the relay user if the address is one
+# that we handle mail for.
+
+dbpath = {{ mail_db }}
+query = SELECT email FROM users WHERE email='%s' AND active=1 UNION SELECT dst FROM aliases WHERE src='%s' UNION SELECT 'relay@{{domain}}' FROM domains WHERE name='%d'
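Review bot: three points on the query. `active=1` is checked only in the `users` branch, so a deactivated account that is the `dst` of an alias, or the `relay` login for any hosted domain, is still returned as an owner; whether such an account can actually send then depends entirely on Dovecot refusing the login, which is worth stating in the comment. An alias whose `dst` is another alias, or an external forwarding address, never resolves to a login, so `reject_sender_login_mismatch` will refuse mail sent as that alias; if alias chains exist in `aliases`, the query has to follow them. The `%d` branch is suppressed by Postfix when the sender address has no `@`, and Postfix SQL-quotes `%s` and `%d` before substitution, so neither is a problem, but a comment saying so saves the next reader from checking. The leading blank line at the top of the new file can go.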
bacula_tunnel_sshkeypath: ~/.ssh/tunnel.key
-
bacula_client_fileset
variable describes the
+directories you want backed up. There are many knobs other knobs to
+play with if you want to do something fancy.
-# Eventual list of files
+bacula_client_fileset:
+ include:
+ - /etc/letsencrypt
+ - "{{mail_db_root}}"
+ - "{{mail_dkim_root}}"
+ - "{{mail_spool_root}}"
+ - "{{webdata_root}}"
+options
and exclude
entries to
+the bacula_client_fileset
dictionary. These translate to
+the equivalent Bacula FileSet sub-blocks. You can also include
+a freeform
entry with raw text for your own jobs and
+filesets.
+
bacula_client_tunnel
to false in variables for
that client. You can have some clients with a tunnel and others
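Review bot: the `bacula_client_fileset` example is a useful addition, but `There are many knobs other knobs to play with` has a duplicated word. The text about `options` and `exclude` sub-blocks and the `freeform` entry should also say whether the role validates that raw text or hands it to Bacula untouched, since a mistake in a `freeform` block will only surface when the director reloads its configuration.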
@@ -116,9 +128,9 @@
variables. Most roles need settings for just one machine at a time.
The Bacula roles need settings over a network of machines, like each
client of a director. Defaults makes it even more interesting.
-The
bacula-common
role is used by the client and director
-roles to coordinate these settings. The comments in that role has
-more discussion on defaults and hostvars.
+The bacula-dflts
role is used by the client and director
+roles to coordinate these settings. The source files for that role
+contain more discussion on defaults and hostvars.
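Review bot: the docs now name the role `bacula-dflts` instead of `bacula-common`, but no rename of `roles/bacula-common` or of the `roles:` lists in the playbooks that reference it appears anywhere in this patch. If that rename landed separately, fine; otherwise the docs point at a role that does not exist.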
@@ -128,7 +140,6 @@
the admin account when they are done. All other interaction is done
on the director machine using the Bacula console
bconsole
.
-
-
+DaveCloud Mail, Web, and Backup
Packages
@@ -78,6 +75,11 @@
@@ -117,14 +119,13 @@
myhosts/hosts
file
-identifies the machines that you are
-managing, and organizes them into groups. The playbooks describe
-tasks and roles that apply to the machines in each group. We use two
-groups: cloud
and backup-server
.ansible_host
variable to connect, and
+identifies your machines, and organizes
+them into groups. We use two groups: cloud
+and backup-server
. The playbooks apply tasks to the
+machines in each group. ansible_host
to connect, and
sets the inventory_hostname
variable to the FQDN for use
in the scripts.
guardian.example.com ansible_host=5.6.7.8
-
Variables
myhosts/group_vars
directory contains settings for
-the groups of machines in the hosts file. Ansible looks for
+the machine groups in the hosts file. Ansible looks for
a <group-name>.yml
file or
a <group-name>/
directory containing YML files.
Every machine belongs to the special all
group.group_vars/all/all.yml
.
-Look through this file and customize the values as appropriate. Some
-things that are unique to the mail and web server, and that we do not
-want to apply to the backup server, are
-in group_vars/cloud.yml
.
+all/all.yml
. Look through this
+file and customize the values as appropriate. A few things unique to
+each machine are kept in cloud.yml
+and backup-server.yml
.
group_vars/all/vault.yml
, which will be an encrypted
+all/vault.yml
, which will be an encrypted
Ansible
vault file. The vault.yml
that you copied is not yet
-encrypted and contains placeholders. Edit it to contain real values
-and then encrypt it with your own unique password:
+encrypted and contains placeholders. Edit it to contain real values,
+then encrypt it with your own unique password:
$ ansible-vault encrypt vault.yml # encrypt plain file
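Review bot: the vault paragraph tells the reader to put real values in `vault.yml` and then run `ansible-vault encrypt vault.yml`, but not how to confirm the result or how to avoid committing the plaintext in between. Add that the encrypted file begins with a `$ANSIBLE_VAULT;1.1;AES256` header line, that the file should stay untracked (or in `.gitignore`) until it does, and that later changes go through `ansible-vault edit vault.yml` so the plaintext never lands on disk again.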
@@ -221,11 +220,12 @@
for
--ask-pass
. This is the only time a password-based
login ever happens. Ansible needs the sshpass
package on
your local machine to do password-based login to a remote machine. If
-you can pre-install an ssh key for root, you could change this
-logic.
+you can pre-install an ssh key for root, you could use
+the --private-key
flag instead.
-$ ansible-playbook -k --ask-vault-pass -i ../myhosts first.yml --limit machinename
+$ ansible-playbook -k --ask-vault-pass -i ../myhosts first.yml --limit cloud
+$ ansible-playbook -k --ask-vault-pass -i ../myhosts first.yml --limit backup-server
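Review bot: the text now says an ssh key for root could be used with `--private-key` instead, but both example commands still pass `-k`; show the key-based variant as well (`ansible-playbook --private-key ~/.ssh/somekey --ask-vault-pass -i ../myhosts first.yml --limit cloud`) so readers do not combine the two. Splitting the run into `--limit cloud` and `--limit backup-server` is sensible with `-k`, since each run prompts for one root password. Because the surrounding text says this is the only time a password-based login ever happens, end the section with a check that it is now refused, for example `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@guardian.example.com` should fail after the play.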