Diffstat (limited to 'roles/mail')
-rw-r--r--roles/mail/handlers/main.yaml15
-rw-r--r--roles/mail/tasks/main.yaml61
-rw-r--r--roles/mail/templates/dovecot.conf.j222
-rw-r--r--roles/mail/templates/opendkim.conf.j215
-rw-r--r--roles/mail/templates/postfix_main.cf.j227
-rw-r--r--roles/mail/templates/postfix_master.cf.j231
6 files changed, 171 insertions, 0 deletions
diff --git a/roles/mail/handlers/main.yaml b/roles/mail/handlers/main.yaml
new file mode 100644
index 0000000..2d6ec58
--- /dev/null
+++ b/roles/mail/handlers/main.yaml
@@ -0,0 +1,15 @@
+- name: Fix DKIM permissions
+ ansible.builtin.file:
+ path: /etc/opendkim/keys/
+ owner: opendkim
+ group: opendkim
+ recurse: yes
+
+- name: Restart Mail Services
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ state: restarted
+ loop:
+ - postfix
+ - dovecot
+ - opendkim
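Review bot: The `Fix DKIM permissions` handler chowns the key tree but never pins the mode of the private key, so `default.private` keeps whatever mode `opendkim-genkey` left on it and a loose umask at generation time would go uncorrected (OpenDKIM's safe-key check may then refuse the key, or worse, the key is group/world readable). Add a second, file-scoped step rather than a recursive `mode` (which would also hit the directory): `path: "/etc/opendkim/keys/{{ vault_public_domain }}/default.private"`, `mode: "0600"`, `owner: opendkim`. Also `recurse: yes` is a YAML 1.1 truthy literal; write `recurse: true` to satisfy yamllint and avoid parser differences.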
diff --git a/roles/mail/tasks/main.yaml b/roles/mail/tasks/main.yaml
new file mode 100644
index 0000000..66b4215
--- /dev/null
+++ b/roles/mail/tasks/main.yaml
@@ -0,0 +1,61 @@
+- name: Install Mail Packages
+ ansible.builtin.dnf:
+ name:
+ - postfix
+ - dovecot
+ - opendkim
+ - opendkim-tools
+ state: present
+
+- name: Ensure OpenDKIM keys directory exists
+ ansible.builtin.file:
+ path: "/etc/opendkim/keys/{{ vault_public_domain }}"
+ state: directory
+ owner: opendkim
+ group: opendkim
+ mode: "0750"
+
+- name: Generate DKIM Key
+ ansible.builtin.command:
+ cmd: "opendkim-genkey -a ed25519 -s default -d {{ vault_public_domain }} -D /etc/opendkim/keys/{{ vault_public_domain }}/"
+ creates: "/etc/opendkim/keys/{{ vault_public_domain }}/default.private"
+ notify: Fix DKIM permissions
+
+- name: Configure OpenDKIM mappings
+ ansible.builtin.copy:
+ dest: "{{ item.path }}"
+ content: "{{ item.content }}"
+ mode: "0644"
+ loop:
+ - { path: /etc/opendkim/KeyTable, content: "default._domainkey.{{ vault_public_domain }} {{ vault_public_domain }}:default:/etc/opendkim/keys/{{ vault_public_domain }}/default.private\n" }
+ - { path: /etc/opendkim/SigningTable, content: "*@{{ vault_public_domain }} default._domainkey.{{ vault_public_domain }}\n" }
+ - { path: /etc/opendkim/TrustedHosts, content: "127.0.0.1\nlocalhost\n10.0.0.0/24\n" }
+ notify: Restart Mail Services
+
+- name: Deploy Configurations
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "0644"
+ loop:
+ - { src: postfix_main.cf.j2, dest: /etc/postfix/main.cf }
+ - { src: postfix_master.cf.j2, dest: /etc/postfix/master.cf }
+ - { src: dovecot.conf.j2, dest: /etc/dovecot/dovecot.conf }
+ - { src: opendkim.conf.j2, dest: /etc/opendkim.conf }
+ notify: Restart Mail Services
+
+- name: Add Mail User
+ ansible.builtin.user:
+ name: me
+ shell: /sbin/nologin
+ password: "{{ vault_mail_user_password | password_hash('sha512') }}"
+
+- name: Ensure Services are Enabled and Running
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ loop:
+ - postfix
+ - dovecot
+ - opendkim
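Review bot: The `Add Mail User` task rehashes `vault_mail_user_password` with a fresh random salt on every run, so the shadow entry is rewritten and the task reports changed each play; add `update_password: on_create` to the user module (or pass a fixed, vaulted salt to `password_hash`). Separately, the TrustedHosts content puts `10.0.0.0/24` into what opendkim.conf uses as `InternalHosts`, so any host on that subnet can have mail DKIM-signed for the domain without authenticating — acceptable only if that subnet is fully trusted, otherwise trim it to `content: "127.0.0.1\nlocalhost\n"`. Since only an ed25519 selector is generated and a number of receivers still verify RSA signatures only, consider a second RSA selector and dual signing — this depends on your recipients, so treat it as a caveat rather than a defect.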
diff --git a/roles/mail/templates/dovecot.conf.j2 b/roles/mail/templates/dovecot.conf.j2
new file mode 100644
index 0000000..e733bae
--- /dev/null
+++ b/roles/mail/templates/dovecot.conf.j2
@@ -0,0 +1,22 @@
+protocols = imap
+listen = *
+mail_location = maildir:~/Maildir
+auth_mechanisms = plain login
+ssl = required
+ssl_cert = </etc/letsencrypt/live/{{ vault_public_domain }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ vault_public_domain }}/privkey.pem
+
+passdb {
+ driver = pam
+}
+userdb {
+ driver = passwd
+}
+
+service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ group = postfix
+ mode = 0660
+ user = postfix
+ }
+}
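Review bot: The IMAP listener accepts whatever TLS versions the installed Dovecot defaults to, while the Postfix template in the same role pins `>=TLSv1.2`; add `ssl_min_protocol = TLSv1.2` directly after `ssl = required` so the two daemons enforce the same floor and a packaging default change cannot silently reintroduce TLS 1.0/1.1 (Dovecot 2.3+ defaults to TLSv1.2 — confirm the installed version). With `ssl = required` the `plain login` mechanisms are confined to TLS sessions, which is correct; `login` is only needed for legacy clients and can be dropped if none are in use.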
diff --git a/roles/mail/templates/opendkim.conf.j2 b/roles/mail/templates/opendkim.conf.j2
new file mode 100644
index 0000000..b29fcb3
--- /dev/null
+++ b/roles/mail/templates/opendkim.conf.j2
@@ -0,0 +1,15 @@
+PidFile /run/opendkim/opendkim.pid
+Mode sv
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
+UserID opendkim:opendkim
+Socket inet:8891@localhost
+Umask 002
+Canonicalization relaxed/relaxed
+Selector default
+MinimumKeyBits 1024
+KeyTable /etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
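Review bot: `Socket inet:8891@localhost` relies on name resolution, and the Postfix side (`inet:localhost:8891` with `inet_protocols = ipv4` in main.cf) may resolve `localhost` differently from OpenDKIM on a dual-stack host; if OpenDKIM binds `::1` and Postfix connects to `127.0.0.1`, the milter is unreachable and `milter_default_action = accept` lets outbound mail leave unsigned. Pin both ends to the literal address: `Socket inet:8891@127.0.0.1` here and the matching `inet:127.0.0.1:8891` in main.cf. `Umask 002` only matters for a unix-domain socket or files OpenDKIM creates; with an inet socket it can be dropped, or tightened to `Umask 007`.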
diff --git a/roles/mail/templates/postfix_main.cf.j2 b/roles/mail/templates/postfix_main.cf.j2
new file mode 100644
index 0000000..df20610
--- /dev/null
+++ b/roles/mail/templates/postfix_main.cf.j2
@@ -0,0 +1,27 @@
+myhostname = mail.{{ vault_public_domain }}
+mydomain = {{ vault_public_domain }}
+myorigin = $mydomain
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+inet_interfaces = all
+inet_protocols = ipv4
+mynetworks = 127.0.0.0/8, 10.0.0.0/24
+home_mailbox = Maildir/
+message_size_limit = 26214400
+alias_maps = lmdb:/etc/aliases
+alias_database = lmdb:/etc/aliases
+
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ vault_public_domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ vault_public_domain }}/privkey.pem
+smtpd_tls_security_level = may
+smtp_tls_security_level = may
+smtpd_tls_protocols = >=TLSv1.2
+smtp_tls_protocols = >=TLSv1.2
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = inet:localhost:8891
+milter_default_action = accept
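Review bot: `smtpd_sasl_auth_enable = yes` in main.cf applies to every smtpd instance, including port 25, and nothing sets `smtpd_tls_auth_only`, so AUTH PLAIN/LOGIN is advertised before STARTTLS and a client can send the `me` account's password in cleartext (`smtpd_tls_security_level = may` does not force encryption). Add `smtpd_tls_auth_only = yes` next to `smtpd_sasl_auth_enable`. Also note `milter_default_action = accept` means that when opendkim is down, mail is accepted and relayed unsigned; `tempfail` is the safer choice for the originating path, though it would also tempfail inbound mail unless overridden per service in master.cf.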
diff --git a/roles/mail/templates/postfix_master.cf.j2 b/roles/mail/templates/postfix_master.cf.j2
new file mode 100644
index 0000000..c2648ca
--- /dev/null
+++ b/roles/mail/templates/postfix_master.cf.j2
@@ -0,0 +1,31 @@
+smtp inet n - y - - smtpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
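Review bot: The `smtp inet` service at the top of the file carries no overrides, so the MX port inherits SASL from main.cf and offers AUTH to the whole internet, even though the `smtps` stanza already provides the authenticated submission path. Keep AUTH off the MX port by adding `-o smtpd_sasl_auth_enable=no` under the `smtp inet` line, which confines password guessing against the local account to port 465 where `permit_sasl_authenticated,reject` already applies. If a standard port-587 `submission` service is wanted later, clone the `smtps` stanza with `-o smtpd_tls_security_level=encrypt` instead of `smtpd_tls_wrappermode`.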