From 5e4bf1268c266e63d0e92e845ad910a2103b86ff Mon Sep 17 00:00:00 2001
From: Roman Ilin <me@romanilin.is>
Date: Mon, 15 Jun 2026 12:59:09 +0300
Subject:

---
 roles/mail/templates/dovecot.conf.j2      | 22 ++++++++++++++++++++++
 roles/mail/templates/opendkim.conf.j2     | 15 +++++++++++++++
 roles/mail/templates/postfix_main.cf.j2   | 27 +++++++++++++++++++++++++++
 roles/mail/templates/postfix_master.cf.j2 | 31 +++++++++++++++++++++++++++++++
 4 files changed, 95 insertions(+)
 create mode 100644 roles/mail/templates/dovecot.conf.j2
 create mode 100644 roles/mail/templates/opendkim.conf.j2
 create mode 100644 roles/mail/templates/postfix_main.cf.j2
 create mode 100644 roles/mail/templates/postfix_master.cf.j2

(limited to 'roles/mail/templates')

diff --git a/roles/mail/templates/dovecot.conf.j2 b/roles/mail/templates/dovecot.conf.j2
new file mode 100644
index 0000000..e733bae
--- /dev/null
+++ b/roles/mail/templates/dovecot.conf.j2
@@ -0,0 +1,22 @@
+protocols = imap
+listen = *
+mail_location = maildir:~/Maildir
+auth_mechanisms = plain login
+ssl = required
+ssl_cert = </etc/letsencrypt/live/{{ vault_public_domain }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ vault_public_domain }}/privkey.pem
+
+passdb {
+  driver = pam
+}
+userdb {
+  driver = passwd
+}
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+}
diff --git a/roles/mail/templates/opendkim.conf.j2 b/roles/mail/templates/opendkim.conf.j2
new file mode 100644
index 0000000..b29fcb3
--- /dev/null
+++ b/roles/mail/templates/opendkim.conf.j2
@@ -0,0 +1,15 @@
+PidFile                 /run/opendkim/opendkim.pid
+Mode                    sv
+Syslog                  yes
+SyslogSuccess           yes
+LogWhy                  yes
+UserID                  opendkim:opendkim
+Socket                  inet:8891@localhost
+Umask                   002
+Canonicalization        relaxed/relaxed
+Selector                default
+MinimumKeyBits          1024
+KeyTable                /etc/opendkim/KeyTable
+SigningTable            refile:/etc/opendkim/SigningTable
+ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
+InternalHosts           refile:/etc/opendkim/TrustedHosts
diff --git a/roles/mail/templates/postfix_main.cf.j2 b/roles/mail/templates/postfix_main.cf.j2
new file mode 100644
index 0000000..df20610
--- /dev/null
+++ b/roles/mail/templates/postfix_main.cf.j2
@@ -0,0 +1,27 @@
+myhostname = mail.{{ vault_public_domain }}
+mydomain = {{ vault_public_domain }}
+myorigin = $mydomain
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+inet_interfaces = all
+inet_protocols = ipv4
+mynetworks = 127.0.0.0/8, 10.0.0.0/24
+home_mailbox = Maildir/
+message_size_limit = 26214400
+alias_maps = lmdb:/etc/aliases
+alias_database = lmdb:/etc/aliases
+
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ vault_public_domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ vault_public_domain }}/privkey.pem
+smtpd_tls_security_level = may
+smtp_tls_security_level = may
+smtpd_tls_protocols = >=TLSv1.2
+smtp_tls_protocols = >=TLSv1.2
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = inet:localhost:8891
+milter_default_action = accept
diff --git a/roles/mail/templates/postfix_master.cf.j2 b/roles/mail/templates/postfix_master.cf.j2
new file mode 100644
index 0000000..c2648ca
--- /dev/null
+++ b/roles/mail/templates/postfix_master.cf.j2
@@ -0,0 +1,31 @@
+smtp       inet  n       -       y       -       -       smtpd
+pickup     unix  n       -       y       60      1       pickup
+cleanup    unix  n       -       y       -       0       cleanup
+qmgr       unix  n       -       n       300     1       qmgr
+tlsmgr     unix  -       -       y       1000?   1       tlsmgr
+rewrite    unix  -       -       y       -       -       trivial-rewrite
+bounce     unix  -       -       y       -       0       bounce
+defer      unix  -       -       y       -       0       bounce
+trace      unix  -       -       y       -       0       bounce
+verify     unix  -       -       y       -       1       verify
+flush      unix  n       -       y       1000?   0       flush
+proxymap   unix  -       -       n       -       -       proxymap
+proxywrite unix  -       -       n       -       1       proxymap
+smtp       unix  -       -       y       -       -       smtp
+relay      unix  -       -       y       -       -       smtp
+showq      unix  n       -       y       -       -       showq
+error      unix  -       -       y       -       -       error
+retry      unix  -       -       y       -       -       error
+discard    unix  -       -       y       -       -       discard
+local      unix  -       n       n       -       -       local
+virtual    unix  -       n       n       -       -       virtual
+lmtp       unix  -       -       y       -       -       lmtp
+anvil      unix  -       -       y       -       1       anvil
+scache     unix  -       -       y       -       1       scache
+smtps      inet  n       -       y       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
-- 
cgit