Skip to content

Latest commit

 

History

History
108 lines (81 loc) · 5.08 KB

README.md

File metadata and controls

108 lines (81 loc) · 5.08 KB

A set of Ansible scripts to setup a secure email and personal files server. This project is for you if:

  • You are interested to host your emails yourself, for privacy, security or any other reason.
  • You want your server to be secure against both physical and remote intrusion.
  • You want a low maintenance box that keep itself updated automatically.
  • You trust the Debian community to publish security updates.

Official documentation and user's guide

Following the development using RSS feeds

Mailing lists

Thanks to Framasoft, two mailing lists have been created, one for general questions, suggestions and support, and another one dedicated for development.

Current project status

System installation and features

  • Install packages only from Debian stable (Bookworm).
  • Automatic letsencrypt certificates generation using DNS challenge.
  • Automatic security updates.
  • Centralised authentication with an LDAP users database and password policies.
  • AppArmor activated, with a profile for all daemons.
  • Random passwords generated and optionally saved using pass.
  • Can be used at home, on a dedicated or virtual server hosted online.
  • Flexible IP address support: IPv4 only, IPv6 only, and IPv4+IPv4 or IPv4+IPv6.
  • Embedded DNS server, with CAA, DNSSEC and SSH fingerprint (SSHFP records).
  • All the http sites ranked A+, with HSTS implemented out of the box.
  • Automatic firewall rules for inbound, outbound and forwarding traffic, using nftables.
  • Filtered outbound traffic as well.
  • Automatic update of DNS servers and glue records on Gandi.
  • Automatic configuration of OpenPGP Web Key Directory.

Emails

  • Postfix configuration and installation, with LDAP lookups, internationalised email aliases, fully SSL compliant.
  • Generate DKIM keys, SPF, DMARC and DANE DNS records. The DKIM keys are generated every year.
  • Automatic copy of sent emails into the sent folder.
  • Automatic creation of the postmaster account and special associated email addresses using RFC 2142 specifications.
  • Dovecot configuration, IMAPS, POP3S, Quotas, ManageSieve, simple spam and ham learning by moving emails in and out the Junk folder, sieve and vacation scripts.
  • Virtual folders for server search: unread messages, conversations view, all messages, flagged and messages labelled as "important".
  • Email addresses with recipient delimiter included, e.g. john.doe+lists@dbcooper.com.
  • Optional master user creation, e.g. for families with children or moderated communities.
  • Server side full text search inside emails, attached documents and files and compressed archives.
  • Modern and responsive web access to emails, calendars and address books.
  • Powerful and light antispam system with rspamd and optional access to the web interface.
  • Antivirus for inbound and outbound emails with clamav.
  • Automatic configuration for Thunderbird and Outlook using published XML and other clients with special DNS records (RFC 6186).

Calendar and Address book

  • Install and configure a CalDAV / CardDAV server, with DNS based automatic discovery (RFC 6186).
  • Groupware functionality in a web interface, with SOGo.
  • Recurring events, email alerts, shared address books and calendars.
  • Mobile devices compatibility: Android, Apple iOS, BlackBerry 10 and Windows mobile through Microsoft ActiveSync.

Other optional features

  • Static web site skeleton configuration, with https certificates and A+ security grade.
  • Jabber server, using ejabberd, with LDAP authentication, direct or offline file transfer and optional server to server communication.
  • Incremental backups, encrypted, on multiple destination (SFTP, S3, Samba share or USB drive), with email and Jabber reporting.
  • Wireguard VPN server, with QR code generation, multiple configuration per clients, and optional split tunnelling.
  • SSH certificates for users, with restricted commands, options and expiration date, with configuration files sent by email automatically.
  • Small and secure git server per user, with automatic repository creation on the first push.

Development

  • YAML files validation on each commit, using travis-ci.
  • End to end integration tests for the majority of components.
  • Playbooks to facilitate the installation or removal of development packages.
  • Global debug flag to activate the debug mode of all components.
  • Fully open source Ansible scripts licensed under GPLv3.