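---
# ansible playbook
#
# Install a complete mail system with
#
# - postfix
# - dovecot
# - clamav (with unofficial signatures)
# - rspamd (integrating clamav)
#
# not included here: list server, roundcube, account and alias management
#
# Please edit the host's config (inventory/host_vars/${hostname}):
# Add a new dictionary 'mailserver':
#
# mailserver:
#   postgresql:
#     host: 127.0.0.1
#     port: 5432
#     dbname: mailserver
#     username: mailserver
#     # Keep the password vault-encrypted; never commit the plaintext value.
#     password: !vault |
#       $ANSIBLE_VAULT;1.1;AES256
#       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#   postfix:
#     # Use plain true/false here; yes/no are YAML 1.1 booleans and are
#     # read differently by YAML 1.2 tooling.
#     overwrite_config: false
#     reject_sender_login_mismatch: true
#     # Hosts in mynetworks are trusted by Postfix and may relay without
#     # SMTP AUTH: list only networks you control, never 0.0.0.0/0.
#     mynetworks: "10.0.0.0/24 [2a01:XXXX:XXXX:XXXX::]/64"
#     verp_marker: rstxyz
#   dovecot:
#     auth_default_realm: mymaindomain.org
#
# Take care that the verp_marker only contains [a-z0-9]+ (NO UPPER CASE LETTERS!).
#
# (Use ansible-vault encrypt_string to encrypt the password.)
#
# TODOs after running this playbook:
#
# Open the firewall:
#
# - open or DNAT the TCP ports 25, 143, 587, 4190 to the host (incoming)
# - allow outgoing traffic
#
# Configure mail DNS for your host:
#
# - MX
# - PTR (IPv4 and IPv6)
#
# Add SPF, DMARC and DKIM DNS records whenever you add a mail domain:
#
# - SPF ('IN TXT "v=spf1 mx"' or more)
# - DMARC ('_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mymaindomain.org; adkim=s; aspf=s;"')
# - DKIM (rspamadm dkim_keygen -d mymaindomain.org -s 20190911 -b 4096;
#   get the DNS entry and also save the private key)
#
# Replace the ssl certificates with signed ones.
#
# Users and domains can be added to the PostgreSQL tables;
# code for that is not part of this playbook.
#
# Mind that if you create a catchall alias, you must also
# add an alias for each account to the aliases, or you can
# prepend the following to the SELECT in /etc/postfix/aliases.cf
# (the '%s' is Postfix's lookup placeholder, which Postfix quotes itself):
#
#   SELECT u.username || '@' || d.name FROM users u JOIN domains d ON u.domain_id=d.id WHERE d.relay_transport is null AND u.username || '@' || d.name = '%s'
#   UNION

# Single play: apply the mail_system role to every host in the 'mail' group.
- name: install mail_system
  # 'remote_user' is the supported play keyword; the older 'user' spelling
  # is only kept as a deprecated alias by Ansible.
  # NOTE(review): this connects directly as root. If your hosts disallow
  # root SSH logins, switch to an unprivileged remote_user plus
  # 'become: true' instead.
  remote_user: root
  hosts: mail
  roles:
    - mail_system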