diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 2ebf17d..89d58e5 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1550,6 +1550,48 @@ git_other_repositories: [] copy_plain_files: [] +copy_plain_files_postfwd_host_specific: [] + +copy_plain_files_postfwd: + + # Postfix Firewall postfwd + # + - name: postfwd.cf + src_path: mailserver/etc/postfix/postfwd.cf + dest_path: /etc/postfix/postfwd.cf + + - name: postfwd.bl-hosts + src_path: mailserver/etc/postfix/postfwd.bl-hosts + dest_path: /etc/postfix/postfwd.bl-hosts + + - name: postfwd.bl-nets + src_path: mailserver/etc/postfix/postfwd.bl-nets + dest_path: /etc/postfix/postfwd.bl-nets + + - name: postfwd.bl-sender + src_path: mailserver/etc/postfix/postfwd.bl-sender + dest_path: /etc/postfix/postfwd.bl-sender + + - name: postfwd.bl-user + src_path: mailserver/etc/postfix/postfwd.bl-user + dest_path: /etc/postfix/postfwd.bl-user + + - name: postfwd.wl-hosts + src_path: mailserver/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-nets + src_path: mailserver/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + - name: postfwd.wl-sender + src_path: mailserver/etc/postfix/postfwd.wl-sender + dest_path: /etc/postfix/postfwd.wl-sender + + - name: postfwd.wl-user + src_path: mailserver/etc/postfix/postfwd.wl-user + dest_path: /etc/postfix/postfwd.wl-user + copy_template_files: [] diff --git a/host_vars/a.mx.oopen.de.yml b/host_vars/a.mx.oopen.de.yml index 8edfd7e..eb73093 100644 --- a/host_vars/a.mx.oopen.de.yml +++ b/host_vars/a.mx.oopen.de.yml 
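Review bot: The shared list copies `mailserver/etc/postfix/postfwd.wl-user` (and the other wl-*/bl-* files) to `/etc/postfix/...` on every host, while `copy_plain_files_postfwd_host_specific` in host_vars/a.mx.oopen.de.yml copies `a.mx/etc/postfix/postfwd.wl-user` to the same `dest_path`; which copy ends up on disk depends on the task order in roles/common/tasks/copy_files.yml, which is not in this diff. If the shared copy runs last it silently overwrites the host-specific list, and since the wl-* files are trust lists (the postfwd.cf added further down answers DUNNO for a match before any block or rate rule), a mix-up changes who is exempt from postfwd on that host. I would state the intended precedence above the key: `# Shared postfwd lists; a host's copy_plain_files_postfwd_host_specific entries with the same dest_path must be applied after these so they win.`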
@@ -37,14 +37,14 @@ insert_root_ssh_keypair: true root_ssh_keypair: - name: id-rsa-dehydrated - priv_key_src: root/.ssh/a.mx-id_rsa-dehydrated + priv_key_src: a.mx/root/.ssh/a.mx-id_rsa-dehydrated priv_key_dest: /root/.ssh/id_rsa-dehydrated - pub_key_src: root/.ssh/a.mx-id_rsa-dehydrated.pub + pub_key_src: a.mx/root/.ssh/a.mx-id_rsa-dehydrated.pub pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub - name: id-rsa-opendkim - priv_key_src: root/.ssh/a.mx-id_rsa-opendkim + priv_key_src: a.mx/root/.ssh/a.mx-id_rsa-opendkim priv_key_dest: /root/.ssh/id_rsa-opendkim - pub_key_src: root/.ssh/a.mx-id_rsa-opendkim.pub + pub_key_src: a.mx/root/.ssh/a.mx-id_rsa-opendkim.pub pub_key_dest: /root/.ssh/id_rsa-opendkim.pub @@ -111,26 +111,17 @@ copy_plain_files: src_path: a.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + +copy_plain_files_postfwd_host_specific: + # Postfix Firewall postfwd # - - name: postfwd.bl-sender - src_path: a.mx/etc/postfix/postfwd.bl-sender - dest_path: /etc/postfix/postfwd.bl-sender - - - name: postfwd.bl-sender_domain - src_path: a.mx/etc/postfix/postfwd.bl-sender_domain - dest_path: /etc/postfix/postfwd.bl-sender_domain - - - name: postfwd.bl-user - src_path: a.mx/etc/postfix/postfwd.bl-user - dest_path: /etc/postfix/postfwd.bl-user - - name: postfwd.wl-user src_path: a.mx/etc/postfix/postfwd.wl-user dest_path: /etc/postfix/postfwd.wl-user -copy_template_files: [] +#copy_template_files: [] # # - name: mailsystem_install_amavis.conf # src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 @@ -156,7 +147,7 @@ db_in_use: !!str "true" postfix_db_type: PostgreSQL postfix_db_name: postfix postfix_db_user: postfix -postfix_db_host: localhost +#postfix_db_host: /run/postgresql postfix_db_pass: FKt4z55FxMZp # install_amavis.conf 
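Review bot: Dropping `postfwd.bl-sender_domain` from a.mx's managed files (its source is deleted later in this diff) leaves `/etc/postfix/postfwd.bl-sender_domain` in place on the host, because the copy task does not remove files it no longer lists. The domain pattern moved into `postfwd.bl-sender` as `@acieu\.co\.uk$`, so the stale file is only clutter unless an older postfwd.cf on the host still references it; a `file:` task with `state: absent` for `/etc/postfix/postfwd.bl-sender_domain` would make the removal explicit and verifiable.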
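Review bot: Commenting out `postfix_db_host` leaves the variable undefined for a.mx, and the same happens to `roundcube_db_host` and `roundcube_2_db_host` in the next two hunks and to `#postfix_db_host:` / `#roundcube_db_host:` in the new host_vars/mail.faire-mobilitaet.de.yml. Unless group_vars supplies a default (not in view), a template that renders the variable — presumably the .j2 files listed under `template_files_mailsystem_script` — fails with an undefined-variable error, or silently emits an empty host if it uses `| default('')`. If a local PostgreSQL socket is intended, say so explicitly, e.g. `postfix_db_host: ""` preceded by `# empty: connect via the local Unix socket`, rather than leaving the key absent.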
@@ -191,7 +182,7 @@ salutation: "O.OPEN\n --\n O.OPEN | Phone: +49 30 / 290 484 91\n Erkelenzdamm 21 | Fax: +49 30 / 290 484 99\n -D-10999 Berlin | http://oopen.de" +D-10999 Berlin | http://oopen.de\n" # install_upgrade_roundcube-webmail.conf # @@ -202,7 +193,7 @@ autoreply_hostname: autoreply.oopen.de roundcube_db_type: pgsql roundcube_db_name: roundcubemail roundcube_db_user: roundcube -roundcube_db_host: localhost +#roundcube_db_host: localhost roundcube_db_pass: '3Dsz3j5R' roundcube_product_name: O.OPEN - Webmailer @@ -216,7 +207,7 @@ autoreply_2_hostname: autoreply.oopen.de roundcube_2_db_type: pgsql roundcube_2_db_name: roundcubemail2 roundcube_2_db_user: roundcube -roundcube_2_db_host: localhost +#roundcube_2_db_host: localhost roundcube_2_db_pass: '3Dsz3j5R' roundcube_2_product_name: O.OPEN - Webmailer diff --git a/host_vars/b.mx.oopen.de.yml b/host_vars/b.mx.oopen.de.yml index 8368c66..9a7e9ba 100644 --- a/host_vars/b.mx.oopen.de.yml +++ b/host_vars/b.mx.oopen.de.yml @@ -35,14 +35,14 @@ insert_root_ssh_keypair: true root_ssh_keypair: - name: id-rsa-dehydrated - priv_key_src: root/.ssh/b.mx-id_rsa-dehydrated + priv_key_src: b.mx/root/.ssh/b.mx-id_rsa-dehydrated priv_key_dest: /root/.ssh/id_rsa-dehydrated - pub_key_src: root/.ssh/b.mx-id_rsa-dehydrated.pub + pub_key_src: b.mx/root/.ssh/b.mx-id_rsa-dehydrated.pub pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub - name: id-rsa-opendkim - priv_key_src: root/.ssh/b.mx-id_rsa-opendkim + priv_key_src: b.mx/root/.ssh/b.mx-id_rsa-opendkim priv_key_dest: /root/.ssh/id_rsa-opendkim - pub_key_src: root/.ssh/b.mx-id_rsa-opendkim.pub + pub_key_src: b.mx/root/.ssh/b.mx-id_rsa-opendkim.pub pub_key_dest: /root/.ssh/id_rsa-opendkim.pub 
@@ -98,19 +98,23 @@ copy_plain_files: src_path: b.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf - # Postfix Firewall postfwd - # - - name: postfwd.bl-sender - src_path: a.mx/etc/postfix/postfwd.bl-sender - dest_path: /etc/postfix/postfwd.bl-sender - - name: postfwd.bl-user - src_path: a.mx/etc/postfix/postfwd.bl-user - dest_path: /etc/postfix/postfwd.bl-user +copy_plain_files_postfwd_host_specific: [] - - name: postfwd.wl-user - src_path: a.mx/etc/postfix/postfwd.wl-user - dest_path: /etc/postfix/postfwd.wl-user +#copy_plain_files_postfwd_host_specific: +# # Postfix Firewall postfwd +# # +# - name: postfwd.bl-sender +# src_path: b.mx/etc/postfix/postfwd.bl-sender +# dest_path: /etc/postfix/postfwd.bl-sender +# +# - name: postfwd.bl-user +# src_path: b.mx/etc/postfix/postfwd.bl-user +# dest_path: /etc/postfix/postfwd.bl-user +# +# - name: postfwd.wl-user +# src_path: b.mx/etc/postfix/postfwd.wl-user +# dest_path: /etc/postfix/postfwd.wl-user copy_template_files: [] diff --git a/host_vars/c.mx.oopen.de.yml b/host_vars/c.mx.oopen.de.yml index 50f5514..350a754 100644 --- a/host_vars/c.mx.oopen.de.yml +++ b/host_vars/c.mx.oopen.de.yml 
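Review bot: With `copy_plain_files_postfwd_host_specific: []` and the old entries kept only as comments, nothing in the visible vars references `b.mx/etc/postfix/` any more, yet this commit adds `roles/common/files/b.mx/etc/postfix/postfwd.cf`, `postfwd.bl-hosts` and `postfwd.bl-nets` and edits `postfwd.bl-sender` / `postfwd.bl-user` under that directory. The shared defaults in group_vars point at `mailserver/etc/postfix/...`, so unless a `mailserver/` copy exists beyond the end of this diff, b.mx deploys files other than the ones being edited here. Either list the b.mx files in `copy_plain_files_postfwd_host_specific` or move them under `mailserver/` so the edited and the deployed files are the same.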
@@ -37,19 +37,19 @@ insert_root_ssh_keypair: true root_ssh_keypair: - name: id-rsa-dehydrated - priv_key_src: root/.ssh/c.mx-id_rsa-dehydrated + priv_key_src: c.mx/root/.ssh/c.mx-id_rsa-dehydrated priv_key_dest: /root/.ssh/id_rsa-dehydrated - pub_key_src: root/.ssh/c.mx-id_rsa-dehydrated.pub + pub_key_src: c.mx/root/.ssh/c.mx-id_rsa-dehydrated.pub pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub - name: id-rsa-opendkim - priv_key_src: root/.ssh/c.mx-id_rsa-opendkim + priv_key_src: c.mx/root/.ssh/c.mx-id_rsa-opendkim priv_key_dest: /root/.ssh/id_rsa-opendkim - pub_key_src: root/.ssh/c.mx-id_rsa-opendkim.pub + pub_key_src: c.mx/root/.ssh/c.mx-id_rsa-opendkim.pub pub_key_dest: /root/.ssh/id_rsa-opendkim.pub - name: id-rsa - priv_key_src: root/.ssh/c.mx-id_rsa + priv_key_src: c.mx/root/.ssh/c.mx-id_rsa priv_key_dest: /root/.ssh/id_rsa - pub_key_src: root/.ssh/c.mx-id_rsa.pub + pub_key_src: c.mx/root/.ssh/c.mx-id_rsa.pub pub_key_dest: /root/.ssh/id_rsa.pub 
@@ -81,3 +81,153 @@ root_ssh_keypair: # --- # # see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + - name: monitoring_check_webservice_load.conf + src_path: c.mx/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: postfix_create_opendkim_key.conf + src_path: c.mx/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_postfix_add_mailboxes.conf + src_path: c.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf + dest_path: /root/bin/postfix/conf/postfix_add_mailboxes.conf + + - name: postfix_sent_userinfo_postfix.conf + src_path: c.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf + dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: c.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + +copy_plain_files_postfwd_host_specific: [] + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: c.mx/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: c.mx.oopen.de +ipv4_address: 83.223.86.116 +ipv6_address: 2a01:30:0:13:2c5:48ff:feee:f21c + +admin_email: admin@initiativenserver.de +is_relay_host: !!str "false" + +db_in_use: !!str "true" +# 
postfix_db_type +# +# possible values are 'PostgreSQL' and 'MySQL' +postfix_db_type: MySQL +postfix_db_name: postfix +postfix_db_user: postfix +postfix_db_host: 127.0.0.1 +postfix_db_pass: AeB4kohyie5rahJ7 + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 + +# install_postfixadmin.conf +# +website_name_postfixadmin: adm.initiativenserver.de + +email_welcome_message: "\n +Hallo,\n + +Ihre/Deine neue E-Mail Adresse ist eingerichtet.\n + +Aktionsbündnis gegen Gewalt, Rechtsextremismus und Fremdenfeindlichkeit + +--\n +Initiativenserver | phone: 0331 505824-28\n +Mittelstraße 38/39 | fax: 0331 505824-29\n +14467 Potsdam | email: kontakt@initiativenserver.de\n +" + +# install_update_dovecot.conf +# +dovecot_from_address: "Admin Initiativenserver " +dovecot_reply_to: "admin@initiativenserver.de" +webmailer_address: "https://webmail.initiativenserver.de" +salutation: "Aktionsbündnis gegen Gewalt, Rechtsextremismus und FremdenfeindlichkeitN\n + +--\n +Initiativenserver | phone: 0331 505824-28\n +Mittelstraße 38/39 | fax: 0331 505824-29\n +14467 Potsdam | email: kontakt@initiativenserver.de\n" + +# install_upgrade_roundcube-webmail.conf +# +# Webmailer +webmail_site_name: webmail.initiativenserver.de +autoreply_hostname: autoreply.initiativenserver.de +# possible values: 'pgsql' or 'mysql' +roundcube_db_type: mysql +roundcube_db_name: roundcubemail +roundcube_db_user: roundcube +roundcube_db_host: localhost +roundcube_db_pass: 're6Xe8Fereejai3D' + +roundcube_product_name: Webmailer Initiativenserver +roundcube_support_url: "https://www.aktionsbuendnis-brandenburg.de/" +roundcube_skin_logo: "images/oopen-logo.png" + + +template_files_mailsystem_script: + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: 
/usr/local/src/mailsystem/conf/install_amavis.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfixadmin.conf + + - name: mailsystem_install_update_dovecot.conf + src_path: usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_update_dovecot.conf + + - name: mailsystem_install_upgrade_roundcube-webmail.conf + src_path: usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf + diff --git a/host_vars/cl-fm.oopen.de b/host_vars/cl-fm.oopen.de.yml similarity index 100% rename from host_vars/cl-fm.oopen.de rename to host_vars/cl-fm.oopen.de.yml diff --git a/host_vars/cl-irights.oopen.de b/host_vars/cl-irights.oopen.de.yml similarity index 100% rename from host_vars/cl-irights.oopen.de rename to host_vars/cl-irights.oopen.de.yml diff --git a/host_vars/e.mx.oopen.de.yml b/host_vars/e.mx.oopen.de.yml index 3d8aaa0..e8cb16f 100644 --- a/host_vars/e.mx.oopen.de.yml +++ b/host_vars/e.mx.oopen.de.yml 
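Review bot: The new block commits credentials in plain text — `postfix_db_pass: AeB4kohyie5rahJ7`, `roundcube_db_pass: 're6Xe8Fereejai3D'` and `si_authorisation_signature` — and the new host_vars for mail.cadus.org and mail.faire-mobilitaet.de do the same; these belong in `!vault` values or a lookup so the inventory can be shared without disclosing them, and the `root/.ssh/*-id_rsa-*` private keys renamed in this commit sit in the same repository. Two smaller defects in this hunk: `salutation` begins with `FremdenfeindlichkeitN\n`, where the stray `N` is sent verbatim, and `template_files_mailsystem_script` uses `name: mailsystem_install_postfixadmin.conf` for both the install_postfix_advanced and the install_postfixadmin entries, so task output cannot tell them apart (from what is visible, `name` serves only as a label). The duplicate name is repeated in both new host files.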
@@ -37,14 +37,14 @@ insert_root_ssh_keypair: true root_ssh_keypair: - name: id-rsa-dehydrated - priv_key_src: root/.ssh/e.mx-id_rsa-dehydrated + priv_key_src: e.mx/root/.ssh/e.mx-id_rsa-dehydrated priv_key_dest: /root/.ssh/id_rsa-dehydrated - pub_key_src: root/.ssh/e.mx-id_rsa-dehydrated.pub + pub_key_src: e.mx/root/.ssh/e.mx-id_rsa-dehydrated.pub pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub - name: id-rsa-opendkim - priv_key_src: root/.ssh/e.mx-id_rsa-opendkim + priv_key_src: e.mx/root/.ssh/e.mx-id_rsa-opendkim priv_key_dest: /root/.ssh/id_rsa-opendkim - pub_key_src: root/.ssh/e.mx-id_rsa-opendkim.pub + pub_key_src: e.mx/root/.ssh/e.mx-id_rsa-opendkim.pub pub_key_dest: /root/.ssh/id_rsa-opendkim.pub diff --git a/host_vars/mail.cadus.org.yml b/host_vars/mail.cadus.org.yml new file mode 100644 index 0000000..efc4ad1 --- /dev/null +++ b/host_vars/mail.cadus.org.yml 
@@ -0,0 +1,227 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_compiler_pkgs: true + +apt_install_postgresql_pkgs: true + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: id-rsa-dehydrated + priv_key_src: mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated + priv_key_dest: /root/.ssh/id_rsa-dehydrated + pub_key_src: mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated.pub + pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub + - name: id-rsa-opendkim + priv_key_src: mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim + priv_key_dest: /root/.ssh/id_rsa-opendkim + pub_key_src: mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim.pub + pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + - name: monitoring_check_webservice_load.conf + src_path: mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: 
postfix_create_opendkim_key.conf + src_path: mail.cadus/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_postfix_add_mailboxes.conf + src_path: mail.cadus/root/bin/postfix/conf/postfix_add_mailboxes.conf + dest_path: /root/bin/postfix/conf/postfix_add_mailboxes.conf + + - name: postfix_sent_userinfo_postfix.conf + src_path: mail.cadus/root/bin/postfix/conf/sent_userinfo_postfix.conf + dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: mail.cadus/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + +copy_plain_files_postfwd_host_specific: [] + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: mail.cadus/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: mail.cadus.org +ipv4_address: 46.4.25.245 +ipv6_address: 2a01:4f8:221:3b4e::245 + +admin_email: admin@cadus.org +is_relay_host: !!str "false" + +db_in_use: !!str "true" +# postfix_db_type +# +# possible values are 'PostgreSQL' and 'MySQL' +postfix_db_type: MySQL +postfix_db_name: postfix +postfix_db_user: postfix +postfix_db_host: "127.0.0.1" +postfix_db_pass: T3CJnFMJNX9wmhNs + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 + +# install_postfixadmin.conf +# +website_name_postfixadmin: adm.cadus.org + +email_welcome_message: "\n +Hallo,\n + +Ihre/Deine neue E-Mail Adresse ist eingerichtet.\n + +Cadus e.V. 
- Redefine Global Solidarity\n + +--\n +Cadus e.V.\n +Am Sudhaus 2\n +D-12053 Berlin\n +admin@cadus.org\n +" + +# install_update_dovecot.conf +# +dovecot_from_address: "Administrator E-Mail " +dovecot_reply_to: "admin@cadus.org" +webmailer_address: "https://webmail.cadus.org" +salutation: "Cadus e.V. - Redefine Global Solidarity\n + +--\n +Cadus e.V.\n +Am Sudhaus 2\n +D-12053 Berlin\n +admin@cadus.org\n +" + +# install_upgrade_roundcube-webmail.conf +# +# Webmailer +webmail_site_name: webmail.cadus.org +autoreply_hostname: autoreply.cadus.org +# possible values: 'pgsql' or 'mysql' +roundcube_db_type: mysql +roundcube_db_name: roundcubemail +roundcube_db_user: roundcube +roundcube_db_host: localhost +roundcube_db_pass: 'j3vqsK7Ldm7MxNjH' + +roundcube_product_name: O.OPEN - Webmailer +roundcube_support_url: https://www.cadus.org +roundcube_skin_logo: "images/cadu_logo_webmail.png" + + +template_files_mailsystem_script: + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfixadmin.conf + + - name: mailsystem_install_update_dovecot.conf + src_path: usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_update_dovecot.conf + + - name: mailsystem_install_upgrade_roundcube-webmail.conf + src_path: usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf 
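Review bot: `roundcube_product_name: O.OPEN - Webmailer` on a host whose `hostname`, `admin_email` and `webmail_site_name` are all cadus.org reads like a leftover from the file this one was copied from; if the branding is intentional, a one-line comment above it would stop the next reader from "fixing" it. `postfix_db_host: "127.0.0.1"` is quoted here but unquoted in host_vars/c.mx.oopen.de.yml; both parse as the same string, so pick one form for the inventory.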
diff --git a/host_vars/mail.faire-mobilitaet.de.yml b/host_vars/mail.faire-mobilitaet.de.yml new file mode 100644 index 0000000..74d12cb --- /dev/null +++ b/host_vars/mail.faire-mobilitaet.de.yml 
@@ -0,0 +1,223 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_compiler_pkgs: true + +apt_install_postgresql_pkgs: true + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: id-rsa-dehydrated + priv_key_src: mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated + priv_key_dest: /root/.ssh/id_rsa-dehydrated + pub_key_src: mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated.pub + pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub + - name: id-rsa-opendkim + priv_key_src: mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim + priv_key_dest: /root/.ssh/id_rsa-opendkim + pub_key_src: mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim.pub + pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + - name: monitoring_check_webservice_load.conf + src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: 
/root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: postfix_create_opendkim_key.conf + src_path: mail.faire-mobilitaet/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_postfix_add_mailboxes.conf + src_path: mail.faire-mobilitaet/root/bin/postfix/conf/postfix_add_mailboxes.conf + dest_path: /root/bin/postfix/conf/postfix_add_mailboxes.conf + + - name: postfix_sent_userinfo_postfix.conf + src_path: mail.faire-mobilitaet/root/bin/postfix/conf/sent_userinfo_postfix.conf + dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: mail.faire-mobilitaet/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + +copy_plain_files_postfwd_host_specific: [] + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: mail.faire-mobilitaet/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: mail.faire-mobilitaet.de +ipv4_address: 142.132.147.169 +ipv6_address: 2a01:4f8:261:1994::169 + +admin_email: admin@faire-mobilitaet.de +is_relay_host: !!str "false" + +db_in_use: !!str "true" +# postfix_db_type +# +# possible values are 'PostgreSQL' and 'MySQL' +postfix_db_type: PostgreSQL +postfix_db_name: postfix +postfix_db_user: postfix +#postfix_db_host: +postfix_db_pass: sp4xMdnXJkdMXnq9 + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 + +# 
install_postfixadmin.conf +# +website_name_postfixadmin: adm.cadus.org + +email_welcome_message: "\n +Hallo,\n + +Projekt Faire Mobilität + +--\n +Projekt Faire Mobilität | Phone: +49 30 219653721\n +Paula-Thiede-Ufer 10 | Fax:\n +D-10179 Berlin | E-MAIL: kontakt@faire-mobilitaet.de\n +" + +# install_update_dovecot.conf +# +dovecot_from_address: "Administrator E-Mail " +dovecot_reply_to: "admin@faire-mobilitaet.de" +webmailer_address: "https://webmail.faire-mobilitaet.de" +salutation: "\Projekt Faire Mobilität\n + +--\n +Projekt Faire Mobilität | Phone: +49 30 219653721\n +Paula-Thiede-Ufer 10 | Fax:\n +D-10179 Berlin | E-MAIL: kontakt@faire-mobilitaet.de\n +" + +# install_upgrade_roundcube-webmail.conf +# +# Webmailer +webmail_site_name: webmail.faire-mobilitaet.de +autoreply_hostname: autoreply.faire-mobilitaet.de +# possible values: 'pgsql' or 'mysql' +roundcube_db_type: pgsql +roundcube_db_name: roundcubemail +roundcube_db_user: roundcube +#roundcube_db_host: +roundcube_db_pass: 'gqnzTrfsjnRv4PWW' + +roundcube_product_name: O.OPEN - Webmailer +roundcube_support_url: https://www.cadus.org +roundcube_skin_logo: "images/oopen-logo.png" + + +template_files_mailsystem_script: + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfixadmin.conf + + - name: mailsystem_install_update_dovecot.conf + src_path: usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_update_dovecot.conf + + - name: 
mailsystem_install_upgrade_roundcube-webmail.conf + src_path: usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf diff --git a/hosts b/hosts index c488014..d420a28 100644 --- a/hosts +++ b/hosts @@ -154,7 +154,6 @@ o27.oopen.de cl-fm.oopen.de cl-fm-neu.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # Hetzner Cloud CX31 - AK o26.oopen.de @@ -352,7 +351,6 @@ o27.oopen.de cl-fm.oopen.de cl-fm-neu.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # Hetzner Cloud CX31 - AK o26.oopen.de @@ -508,7 +506,6 @@ cl-irights.oopen.de cl-fm.oopen.de cl-fm-neu.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # Backup Faire Mobilitaet o28.oopen.de @@ -745,7 +742,6 @@ mail.cadus.org # o27.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # o35.oopen.de e.mx.oopen.de @@ -790,7 +786,6 @@ o13-mail.oopen.de # o27.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # o35.oopen.de e.mx.oopen.de @@ -1018,7 +1013,6 @@ o22.oopen.de # o27.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # o35.oopen.de d.mx.oopen.de @@ -1263,7 +1257,6 @@ mm-irights.oopen.de cl-fm.oopen.de cl-fm-neu.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # Hetzner Cloud CX31 - AK o26.oopen.de @@ -1446,7 +1439,6 @@ o27.oopen.de cl-fm.oopen.de cl-fm-neu.oopen.de mail.faire-mobilitaet.de -mail-neu.faire-mobilitaet.de # Hetzner Cloud CX31 - AK o26.oopen.de diff --git a/roles/common/files/a.mx/etc/postfix/postfwd.bl-sender b/roles/common/files/a.mx/etc/postfix/postfwd.bl-sender deleted file mode 100644 index 949241e..0000000 --- a/roles/common/files/a.mx/etc/postfix/postfwd.bl-sender +++ /dev/null 
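Review bot: `salutation: "\Projekt Faire Mobilität\n` has a stray backslash, and inside a double-quoted YAML scalar `\P` is the paragraph-separator escape (U+2029), so the value starts with that character followed by `rojekt` instead of `Projekt`; drop it: `salutation: "Projekt Faire Mobilität\n`. Several values still point at the host this file was copied from — `website_name_postfixadmin: adm.cadus.org`, `roundcube_support_url: https://www.cadus.org` and `roundcube_product_name: O.OPEN - Webmailer` — which on a faire-mobilitaet.de host look unintended. `#postfix_db_host:` and `#roundcube_db_host:` leave those variables undefined, as noted on the a.mx hunk.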
@@ -1,12 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# Sender addresses blocked by postfwd -# --- - -# annoying spammer domains -.*@acieu.co.uk - -# annoying spammer addresses -error@mailfrom.com -sqek@eike.se diff --git a/roles/common/files/a.mx/etc/postfix/postfwd.bl-sender_domain b/roles/common/files/a.mx/etc/postfix/postfwd.bl-sender_domain deleted file mode 100644 index 98ca4e9..0000000 --- a/roles/common/files/a.mx/etc/postfix/postfwd.bl-sender_domain +++ /dev/null @@ -1,9 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# Sender domains blocked by postfwd -# --- - -# annoying spammer domains -acieu.co.uk - diff --git a/roles/common/files/a.mx/etc/postfix/postfwd.bl-user b/roles/common/files/a.mx/etc/postfix/postfwd.bl-user deleted file mode 100644 index 8867e2a..0000000 --- a/roles/common/files/a.mx/etc/postfix/postfwd.bl-user +++ /dev/null @@ -1,6 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# SASL Users blocked by postfwd -# --- - diff --git a/roles/common/files/a.mx/etc/postfix/postfwd.wl-user b/roles/common/files/a.mx/etc/postfix/postfwd.wl-user index f020728..66a76a8 100644 --- a/roles/common/files/a.mx/etc/postfix/postfwd.wl-user +++ b/roles/common/files/a.mx/etc/postfix/postfwd.wl-user @@ -2,9 +2,18 @@ # --- # SASL Users whitelisted by postfwd +# +# example: +# +# # give trusted sasl usernames here +# ckubu@oopen.de +# vertrieb@akweb.de +# # --- +# give trusted sasl usernames here abo@akweb.de vertrieb@akweb.de +prokla@akweb.de presse@mbr-berlin.de diff --git a/roles/common/files/root/.ssh/a.mx-id_rsa-dehydrated b/roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-dehydrated similarity index 100% rename from roles/common/files/root/.ssh/a.mx-id_rsa-dehydrated rename to roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-dehydrated 
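Review bot: The new header in postfwd.wl-user explains the format but not the effect of an entry: in the postfwd.cf added later in this diff, `WHL_USERS` (`sasl_username==file:/etc/postfix/postfwd.wl-user`, `action=DUNNO`) precedes every `BL_*` and rate-limit rule, so a listed SASL user is exempt from all of them for as long as it is listed, including after a credential compromise. I would say so next to the example: `# NOTE: listed accounts bypass the BL_* and rate() rules in postfwd.cf; keep this list short and review it.` Matching uses `==`, so entries are complete usernames rather than patterns, which the header could also state.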
diff --git a/roles/common/files/root/.ssh/a.mx-id_rsa-dehydrated.pub b/roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-dehydrated.pub similarity index 100% rename from roles/common/files/root/.ssh/a.mx-id_rsa-dehydrated.pub rename to roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-dehydrated.pub diff --git a/roles/common/files/root/.ssh/a.mx-id_rsa-opendkim b/roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-opendkim similarity index 100% rename from roles/common/files/root/.ssh/a.mx-id_rsa-opendkim rename to roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-opendkim diff --git a/roles/common/files/root/.ssh/a.mx-id_rsa-opendkim.pub b/roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-opendkim.pub similarity index 100% rename from roles/common/files/root/.ssh/a.mx-id_rsa-opendkim.pub rename to roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-opendkim.pub diff --git a/roles/common/files/a.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/a.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf index 18f5848..35b3046 100644 --- a/roles/common/files/a.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf +++ b/roles/common/files/a.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf @@ -75,7 +75,7 @@ # - Defaults to: quota="536870912" # - #quota="536870912" -quota=1073741824 +quota=2147483648 # - log_file # - diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts b/roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts new file mode 100644 index 0000000..875dcf6 --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts @@ -0,0 +1,22 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# hosts blocked by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# Example: +# +# # block all hosts of domain 'oopen.de' +# \.oopen\.de$ +# +# # block host a.mx.oopen.de +# ^a\.mx\.oopen\.de$ +# +# --- + +# give hostnames to blocke here + 
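Review bot: `# give hostnames to blocke here` at the end of the new postfwd.bl-hosts has a typo — `# give hostnames to block here`. The regex note in its header agrees with `client_name=~file:/etc/postfix/postfwd.bl-hosts` in the postfwd.cf added further down, so the rest of the documentation is consistent.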
diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-nets b/roles/common/files/b.mx/etc/postfix/postfwd.bl-nets new file mode 100644 index 0000000..e1db645 --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/postfwd.bl-nets @@ -0,0 +1,16 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Networks blocked by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give networks to block here + diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender b/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender index 2782ddc..efe38b9 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender +++ b/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender @@ -2,4 +2,37 @@ # --- # Sender addresses blocked by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# @acieu\.co\.uk$ +# ^error@mailfrom.com$ +# +# instedt of +# +# @acieu.co.uk +# error@mailfrom.com +# +# +# Example: +# +# # # annoying spammer domains +# # block all senders of maildomaindomain 'oopen.de' +# @acieu\.co\.uk$ +# +# # annoying spammer addresses +# # block sender address +# error@mailfrom.com +# sqek@eike\.se$ +# # --- + +# annoying spammer domains +@acieu\.co\.uk$ + +# annoying spammer addresses +^error@mailfrom\.com$ +^sqek@eike\.se$ diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-user b/roles/common/files/b.mx/etc/postfix/postfwd.bl-user index 8867e2a..3ca2bb7 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.bl-user +++ b/roles/common/files/b.mx/etc/postfix/postfwd.bl-user @@ -2,5 +2,12 @@ # --- # SASL Users blocked by postfwd +# +# Example: +# +# # give SASL usernames to block here +# ckubu@oopen.de +# # --- +# give SASL usernames to block here 
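Review bot: The example block in the new postfwd.bl-sender header contradicts itself: `# # block all senders of maildomaindomain 'oopen.de'` sits above `@acieu\.co\.uk$`, and the `error@mailfrom.com` example below it is unanchored although the paragraph above recommends `^...$`. I would change the three lines to `# # block all senders of domain 'acieu.co.uk'`, `# @acieu\.co\.uk$` and `# ^error@mailfrom\.com$`, and fix `instedt of` to `instead of`. The live entries at the bottom of the file are anchored correctly.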
diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.cf b/roles/common/files/b.mx/etc/postfix/postfwd.cf new file mode 100644 index 0000000..d106016 --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/postfwd.cf 
@@ -0,0 +1,172 @@ + +#======= Definitions ============ + +# Match messages with an associated SASL username +&&SASL_AUTH { + sasl_username!~^$ +} + +# Trusted networks +&&TRUSTED_NETS { + client_address==file:/etc/postfix/postfwd.wl-nets +} + +# Trusted hostnames +# client_name~=.warenform.de$ +&&TRUSTED_HOSTS { + client_name=~file:/etc/postfix/postfwd.wl-hosts +} + +# Trusted users +&&TRUSTED_USERS { + sasl_username==file:/etc/postfix/postfwd.wl-user +} + +# Trusted senders +&&TRUSTED_SENDERS { + sender=~file:/etc/postfix/postfwd.wl-sender +} + +# Blacklist networks +&&BLOCK_NETS { + client_address==file:/etc/postfix/postfwd.bl-nets +} + +# Blacklist hostnames +&&BLOCK_HOSTS { + client_name=~file:/etc/postfix/postfwd.bl-hosts +} + +# Blacklist users +&&BLOCK_USERS { + sasl_username==file:/etc/postfix/postfwd.bl-user +} + +# Blacklist sender adresses +&&BLOCK_SENDER { + # =~ + # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk) + sender=~file:/etc/postfix/postfwd.bl-sender +} + +# Inbound emails only +&&INCOMING { + client_address!=127.0.0.1 +} + + +#======= Rule Sets ============ + +# --- +# +# Processing of the Rule Sets +# +# The parser checks the elements of a policy delegation request against the postfwd set +# of rules and, if necessary, triggers the configured action (action=). Similar to a +# classic firewall, a rule is considered true if every element of the set of rules (or +# one from every element list) applies to the comparison. I.e. 
the following rule: +# +# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT +# +# triggers a REJECT if the +# +# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown' +# +# +# Note: +# If an element occurs more than once, an element list is formed: +# +# The following rule set is equivalent to the above: +# +# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT +# +# +# triggers a REJECT if (as above) the +# +# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown' +# +# --- + +# Whitelists + +# Whitelist trusted networks +id=WHL_NETS + &&TRUSTED_NETS + action=DUNNO + +# Whitelist trusted hostnames +id=WHL_HOSTS + &&TRUSTED_HOSTS + action=DUNNO + +# Whitelist sasl users +id=WHL_USERS + &&TRUSTED_USERS + action=DUNNO + +# Whitelist senders +id=WHL_SENDERS + &&INCOMING + &&TRUSTED_SENDERS + action=DUNNO + + +# Blacklists + +# Block networks +id=BL_NETS + &&BLOCK_NETS + action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS + +# Block hostname +id=BL_HOSTS + &&BLOCK_HOSTS + action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS + +# Block users +id=BL_USERS + &&BLOCK_USERS + action=REJECT User is blocked by Mailserver admins. Error: BL_USERS + +# Blacklist sender +# +# Claim successful delivery and silently discard the message. +# +id=BL_SENDER + &&BLOCK_SENDER + #action=DISCARD + action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER + + +# Rate Limits + +# Throttle unknown clients to 5 recipients per 5 minutes: +id=RATE_UNKNOWN_CLIENT_ADDR + sasl_username =~ /^$/ + client_name==unknown + action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed) + +# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. 
Error:RATE_CLIENT) +id=RATE_CLIENT_ADDR + &&INCOMING + action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address) + +# Block messages with more than 50 recipients +id=BLOCK_MSG_RCPT + &&INCOMING + &&SASL_AUTH + recipient_count=50 + action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT + +# Block users sending more than 50 messages/hour +id=RATE_MSG + &&INCOMING + &&SASL_AUTH + action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG) + +# Block users sending more than 250 recipients total/hour +id=RATE_RCPT + &&INCOMING + &&SASL_AUTH + action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT) + diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts b/roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts new file mode 100644 index 0000000..c425a4e --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts @@ -0,0 +1,22 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted hosts whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# Example: +# +# # all hosts of domain 'oopen.de' +# \.oopen\.de$ +# +# # host a.mx.oopen.de +# ^a\.mx\.oopen\.de$ +# +# --- + +# give truested hostnames here + diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets b/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets new file mode 100644 index 0000000..d194340 --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets @@ -0,0 +1,15 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted networks whitelisted by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give truested networrk adresses here 
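Review bot: WHL_SENDERS trusts the envelope sender alone and is placed in the Whitelists section ahead of every BL_* rule and all rate limits; with postfwd's first-match evaluation a `DUNNO` there ends the ruleset, so a connection from a blacklisted network or host passes BL_NETS, BL_HOSTS and RATE_CLIENT_ADDR simply by presenting a MAIL FROM that matches postfwd.wl-sender, which nothing in this file verifies. Consider moving WHL_SENDERS below the Blacklists section, or requiring `&&SASL_AUTH` or `&&TRUSTED_NETS` together with `&&TRUSTED_SENDERS`, so that sender-based trust can only relax the later rate limits. `&&INCOMING` excludes only `127.0.0.1`; if Postfix or a content filter re-injects mail over IPv6 loopback this definition does not exclude `::1`, which is worth confirming against main.cf. The BL_SENDER comment `Claim successful delivery and silently discard the message.` describes the commented-out `#action=DISCARD`, not the active REJECT, and `# client_name~=.warenform.de$` has the operator reversed. The e.mx postfwd.cf in this commit is the same blob and has the same rule ordering.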
diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender b/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender new file mode 100644 index 0000000..d5c5acd --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender @@ -0,0 +1,22 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted senders whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ^ckubu@oopen\.de$ +# +# --- + +# give trusted sender addresses here + diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-user b/roles/common/files/b.mx/etc/postfix/postfwd.wl-user index a736dc3..dc052f5 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.wl-user +++ b/roles/common/files/b.mx/etc/postfix/postfwd.wl-user @@ -2,6 +2,15 @@ # --- # SASL Users whitelisted by postfwd +# +# example: +# +# # give trusted sasl usernames here +# ckubu@oopen.de +# vertrieb@akweb.de +# # --- +# give trusted sasl usernames here + kanzlei-kiel@b.mx.oopen.de diff --git a/roles/common/files/root/.ssh/b.mx-id_rsa-dehydrated b/roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-dehydrated similarity index 100% rename from roles/common/files/root/.ssh/b.mx-id_rsa-dehydrated rename to roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-dehydrated diff --git a/roles/common/files/root/.ssh/b.mx-id_rsa-dehydrated.pub b/roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-dehydrated.pub similarity index 100% rename from roles/common/files/root/.ssh/b.mx-id_rsa-dehydrated.pub rename to roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-dehydrated.pub 
diff --git a/roles/common/files/root/.ssh/b.mx-id_rsa-opendkim b/roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-opendkim
similarity index 100%
rename from roles/common/files/root/.ssh/b.mx-id_rsa-opendkim
rename to roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-opendkim
diff --git a/roles/common/files/root/.ssh/b.mx-id_rsa-opendkim.pub b/roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-opendkim.pub
similarity index 100%
rename from roles/common/files/root/.ssh/b.mx-id_rsa-opendkim.pub
rename to roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-opendkim.pub
diff --git a/roles/common/files/root/.ssh/c.mx-id_rsa b/roles/common/files/c.mx/root/.ssh/c.mx-id_rsa
similarity index 100%
rename from roles/common/files/root/.ssh/c.mx-id_rsa
rename to roles/common/files/c.mx/root/.ssh/c.mx-id_rsa
diff --git a/roles/common/files/root/.ssh/c.mx-id_rsa-dehydrated b/roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-dehydrated
similarity index 100%
rename from roles/common/files/root/.ssh/c.mx-id_rsa-dehydrated
rename to roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-dehydrated
diff --git a/roles/common/files/root/.ssh/c.mx-id_rsa-dehydrated.pub b/roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-dehydrated.pub
similarity index 100%
rename from roles/common/files/root/.ssh/c.mx-id_rsa-dehydrated.pub
rename to roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-dehydrated.pub
diff --git a/roles/common/files/root/.ssh/c.mx-id_rsa-opendkim b/roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-opendkim
similarity index 100%
rename from roles/common/files/root/.ssh/c.mx-id_rsa-opendkim
rename to roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-opendkim
diff --git a/roles/common/files/root/.ssh/c.mx-id_rsa-opendkim.pub b/roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-opendkim.pub
similarity index 100%
rename from roles/common/files/root/.ssh/c.mx-id_rsa-opendkim.pub
rename to roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-opendkim.pub
diff --git a/roles/common/files/root/.ssh/c.mx-id_rsa.pub b/roles/common/files/c.mx/root/.ssh/c.mx-id_rsa.pub
similarity index 100%
rename from roles/common/files/root/.ssh/c.mx-id_rsa.pub
rename to roles/common/files/c.mx/root/.ssh/c.mx-id_rsa.pub
diff --git a/roles/common/files/c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
new file mode 100644
index 0000000..e3044f7
--- /dev/null
+++ b/roles/common/files/c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
@@ -0,0 +1,135 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings for script check_cert_for_dovecot.sh +#----------------------------- +#--------------------------------------- + +# - service_domain +# - +# - The main domain for which the certificate was issued +# - +# - Example: +# - service_domain="a.mx.oopen.de" +# - service_domain="mail.cadus.org" +# - service_domain="mx.warenform.de" +# - +#service_domain="" +service_domain="mail.initiativenserver.de" + + +# - service_name +# - +# - Name of service. +# - +# - Note: this var will also be used to determin systemd service file +# - or sysVinit script. +# - +# - Example: +# - service_name="Mumble" +# - service_name="Prosody" +# - +# - Defaults to: +# - service_name="Dovecot" +# - +#service_name="" + + +# - check_string_ps +# - +# - String wich (clearly) identifies the service at the process list (ps) +# - +# - Example: +# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd" +# - check_string_ps="" +# - +# - Defaults to: +# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot" +# - +#check_string_ps="" + + +# - service_user +# - +# - User under which the service is running. +# - +# - Example: +# - service_user="mumble-server" +# - service_user="prosody" +# - +# - Defaults to: +# - service_user="prosody" +# - +#service_user="" + + +# - service_group +# - +# - Group under which the service is running. 
+# - +# - Example: +# - service_group="mumble-server" +# - service_group="prosody" +# - +# - Defaults to: +# - service_group="prosody" +# - +#service_group="" + + +# - cert_installed +# - +# - Locataion of certificate read by service +# - +# - Example: +# - cert_installed="/var/lib/mumble-server/fullchain.pem" +# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.crt +# - +#cert_installed="" + + +# - key_installed +# - +# - Location of the key read by service +# - +# - Example: +# - key_installed="/var/lib/mumble-server/privkey.pem" +# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.key +# - +#key_installed="" + + +# - cert_newest +# - +# - Location of the newest certificate. +# - +# - Example: +# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem" +# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem +# - +#cert_newest="" + + +# - key_newest +# - +# - Location of the newest Key +# - +# - Example: +# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem" +# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem +# - +#key_newest="" + diff --git a/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..ae4314a --- /dev/null +++ b/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf 
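Review bot: The documented fallbacks `service_user="prosody"` and `service_group="prosody"` look copied from another service's config; in a file written for Dovecot, if the script really falls back to those accounts, the certificate and key checks would be run against the wrong owner and group. Suggest setting the account Dovecot actually runs under explicitly here, e.g. `service_user="<dovecot account>"` (placeholder), rather than relying on the fallback, or correcting the two `Defaults to:` lines once the script's real default has been confirmed. Minor wording in the same hunk: `Locataion`→`Location`, `determin`→`determine`, `wich`→`which`.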
@@ -0,0 +1,178 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=true + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=false + +check_apache=true +check_nginx=false +check_php_fpm=true +check_redis=false +check_website=false + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... 
+# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="7.4" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" 
= "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" +# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. +# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/c.mx/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/c.mx/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..d7c6925 --- /dev/null +++ b/roles/common/files/c.mx/root/bin/postfix/conf/create_opendkim_key.conf 
@@ -0,0 +1,172 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------- +# - Parameter Settings for script 'create_opendkim_key.sh'. +# --------------------------------------------------------- + + +# ---------- +# DNS Server +# ---------- + +# - dns_dkim_zone_master_server +# - +# - The DNS Server who is serving the update zone and is used +# - for the dynamic updates (nsupdate) +# - +dns_dkim_zone_master_server="b.ns.oopen.de" + +# - update_dns +# - +# - Possible Values are 'true' or 'false' +# - +#update_dns="" + +# - update_zone +# - +# - Zone containing the DKIM TXT record. +# - +# - Defaults to '_domainkey.' +# - +# - Note: +# - do NOT change/set this option unless you know what you do. +# - +#update_zone="" + +# - TTL +# - +# - TTL for the DKIM TXT Record. +# - +# - Defaults to "" if update_dns=false +# - Defaults to "43200" if update_dns=true +# +#TTL="" + + +# ---------- +# TSIG Key +# ---------- + +# - key_secret +# - +# - Sectret Key used by 'nsupdate' to create/update the +# - DKIM TXT record. +# - +# - Example: +# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI=" +# - +key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw=" + +# - key_algo +# - +# - The key algorithm used for key creation. Available choices are: hmac-md5, +# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The +# - default is hmac-sha256. Options are case-insensitive. 
+# - +# - Example: +# - key_algo="hmac-md5" +# - +# - Defaults to 'hmac-sha256' +# - +key_algo="hmac-sha256" + +# - key_name +# - +# - Name of the Key +# - +# - Defaults to "$update_zone" +# - +key_name="update-dkim" + + +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to '/root/bin/bind/bind_set_new_serial.sh' +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh' +# - +#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" + +# - add_dkim_zone_master_script +# - +# - Script adds zone _domainkey. as master zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh' +# - +#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh" + +# - add_dkim_zone_slave_script +# - +# - Script adds zone _domainkey. 
as slave zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh' +# - +#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh" + + + +# ---------- +# OpenDKIM Installation +# ---------- + +# - opendkim_dir +# - +# - OpenDKIM's etc-directory +# - +# - Defaults to opendkim_dir="/etc/opendkim" +# - +#opendkim_dir="/etc/opendkim" + +# - key_base_dir +# - +# - Defaults to "${opendkim_dir}/keys" +# - +#key_base_dir=${opendkim_dir}/keys + +# - signing_table_file +# - +# - Defaults to "${opendkim_dir}/signing.table" +# - +#signing_table_file="${opendkim_dir}/signing.table" + +# - key_table_file +# - +# - Defaults to "${opendkim_dir}/key.table" +# - +#key_table_file="${opendkim_dir}/key.table" diff --git a/roles/common/files/c.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/c.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf new file mode 100644 index 0000000..18f5848 --- /dev/null +++ b/roles/common/files/c.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf 
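Review bot: `key_secret` holds a live TSIG secret in plaintext under `roles/common/files/`, so it is committed to version control and copied to every clone of this repository; together with `dns_dkim_zone_master_server` and `key_name` on the same page that is everything needed to push dynamic updates into the DKIM zone. Move the value into an Ansible Vault-encrypted variable and render this file from a template (e.g. `key_secret="{{ dkim_tsig_key_secret }}"`, variable name illustrative), and treat the committed value as exposed, i.e. regenerate the TSIG key on the DNS server once the template is in place. Minor: `Sectret`→`Secret`, `envoked`→`invoked`, and the `update_zone` and `add_dkim_zone_*` descriptions (`_domainkey.` followed by nothing) read as if a `<domain>` placeholder was lost.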
@@ -0,0 +1,86 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'postfix_add_mailboxes.sh'. +# --- +# ---------------------------------------------------- + +# - dovecot_enc_method +# - +# - The (dovecot) password scheme which should be used to generate the hashed +# - passwords of EXISTING users. +# - +# - Possible values are: +# - +# - See output of 'doveadm pw -l' +# - +# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT" +# - +#dovecot_enc_method="SHA512-CRYPT" + +# - in_file +# - +# - The file from wich the script reads the e-mail-address/password +# - kombination(s). Each line in this file must only contain +# - +# - +# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst" +# - +#in_file="${conf_dir}/mailboxes_new.lst" + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + +# - quota +# - +# - The quota setting for the new mailboxes. +# - +# - Defaults to: quota="536870912" +# - +#quota="536870912" +quota=1073741824 + +# - log_file +# - +# - Where to write logging informations? 
+# - +# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log" +# - +#log_file="${script_dir}/log/postfix_add_mailboxes.log" diff --git a/roles/common/files/c.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/c.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf new file mode 100644 index 0000000..2efcb64 --- /dev/null +++ b/roles/common/files/c.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf 
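Review bot: The `# - db_name` parameter block appears twice, word for word, in the new file; the second copy is presumably meant to document a different parameter (the database user is the obvious candidate, but the script's variable name is not visible here), so one of the two should be renamed or dropped. `quota=1073741824` is the only unquoted assignment while its own `Defaults to:` line shows the quoted form; `quota="1073741824"` keeps the file consistent. The `in_file` description ends mid-sentence (`must only contain`), as if an `<address>:<password>` placeholder was lost; `wich`→`which`, `kombination`→`combination`.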
@@ -0,0 +1,94 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'sent_userinfo_postfix.sh'. +# --- +# ---------------------------------------------------- + +# - message_body_file +# - +# - Full path to file containing the user info. This file must contain +# - the message body WITHOUT e-mail headers. If file is placed in the +# - 'files' directory use '${file_dir}/' +# - +# - Defaults to '${file_dir}/sent_userinfo_postfix.message' +# - +#message_body_file="${file_dir}/sent_userinfo_postfix.email" + + +# - email_from +# - +# - From Address of user info +# - +# - Example: 'oo@oopen.de' +# - +#email_from="" +email_from="admin@initiativenserver.de" + + +# - email_from_org +# - +# - Example: email_from_org="O.OPEN" +# - +#email_from_org="" +email_from_org="Aktionsbuendnis Brandenburg" + + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + + +# - mail_user +# - +# - The owner of the mailbox directories and within the e-mails itself. 
+# - +# - defaults to mail_user="vmail" +# - +#mail_user="vmail" + + +# - mail_group +# - +# - The group of the mailbox directories +# - +# - defaults to mail_group="vmail" +# - +#mail_group="vmail" + + +# - mail_basedir - No more needed! +# - +# - The root directory where all mailbox-domains are located. +# - +# - Defaults to '/var/vmail'. +# - +#mail_basedir=/var/vmail diff --git a/roles/common/files/c.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/c.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf new file mode 100644 index 0000000..11c60fa --- /dev/null +++ b/roles/common/files/c.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf @@ -0,0 +1,44 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ====================================================== +# --- +# Parameter Settings for Script 'whitelist_mb_sigs.conf' +# --- +# ====================================================== + +# QUARANTINE_BASE_DIR +# +# Base directory where amavis stores quarantined e-mails, mostly in +# +# virus e-mails: $QUARANTINE_BASE_DIR/virus +# spam emails: $QUARANTINE_BASE_DIR/spam +# .. +# +# Defaults to: +# QUARANTINE_BASE_DIR="/var/QUARANTINE" +# +#QUARANTINE_BASE_DIR="/var/QUARANTINE" + + +# CLAMAV_VIRUS_WHITE_LIST +# +# Full path to clamav's (personal) white list file +# +# Defaults to: +# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" +# +#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" + + +# WHITE_LIST_STRINGS +# +# A blank separated list of strings to whitelist. +# +# Example: +# WHITE_LIST_STRINGS="google.com tinyurl.com" +# +# Defaults to: +# WHITE_LIST_STRINGS="google.com" +# +#WHITE_LIST_STRINGS="google.com" +WHITE_LIST_STRINGS="google.com tinyurl.com" diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts b/roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts new file mode 100644 index 0000000..875dcf6 --- /dev/null +++ b/roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts 
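Review bot: The `message_body_file` block documents the default as `${file_dir}/sent_userinfo_postfix.message` but the commented-out assignment beneath it is `${file_dir}/sent_userinfo_postfix.email`; one of the two extensions is wrong, and whoever uncomments that line will point the script at a file that may not exist. Align the two once the script's real default is checked, e.g. `#message_body_file="${file_dir}/sent_userinfo_postfix.message"`. `PostgeSQL`→`PostgreSQL` in the `db_type` block.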
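Review bot: `WHITE_LIST_STRINGS="google.com tinyurl.com"` feeds ClamAV's `.ign2` ignore list and, assuming the strings are substring-matched against signature names as the description suggests, silences every signature mentioning `tinyurl.com`; public URL shorteners are a frequent carrier for phishing and malware links, so this also suppresses the detections most likely to be genuine. If the false positives come from a specific signature, list that signature's full name instead of the bare domain, and keep the list as short as possible. The header `Parameter Settings for Script 'whitelist_mb_sigs.conf'` names this config file rather than the script it configures, presumably `whitelist_mb_sigs.sh`.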
@@ -0,0 +1,22 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# hosts blocked by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+# # block all hosts of domain 'oopen.de'
+# \.oopen\.de$
+#
+# # block host a.mx.oopen.de
+# ^a\.mx\.oopen\.de$
+#
+# ---
+
+# give hostnames to blocke here
+
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-nets b/roles/common/files/e.mx/etc/postfix/postfwd.bl-nets
new file mode 100644
index 0000000..e1db645
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.bl-nets
@@ -0,0 +1,16 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Networks blocked by postfwd
+#
+# Example:
+#
+# # web0.warenform.de
+# #83.223.86.76
+# #2a01:30:0:505:286:96ff:fe4a:6ee
+# #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give networks to block here
+
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-sender b/roles/common/files/e.mx/etc/postfix/postfwd.bl-sender
new file mode 100644
index 0000000..efe38b9
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.bl-sender
@@ -0,0 +1,38 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Sender addresses blocked by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# @acieu\.co\.uk$
+# ^error@mailfrom.com$
+#
+# instedt of
+#
+# @acieu.co.uk
+# error@mailfrom.com
+#
+#
+# Example:
+#
+# # # annoying spammer domains
+# # block all senders of maildomaindomain 'oopen.de'
+# @acieu\.co\.uk$
+#
+# # annoying spammer addresses
+# # block sender address
+# error@mailfrom.com
+# sqek@eike\.se$
+#
+# ---
+
+# annoying spammer domains
+@acieu\.co\.uk$
+
+# annoying spammer addresses
+^error@mailfrom\.com$
+^sqek@eike\.se$
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-user b/roles/common/files/e.mx/etc/postfix/postfwd.bl-user
new file mode 100644
index 0000000..3ca2bb7
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.bl-user
@@ -0,0 +1,13 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# SASL Users blocked by postfwd
+#
+# Example:
+#
+# # give SASL usernames to block here
+# ckubu@oopen.de
+#
+# ---
+
+# give SASL usernames to block here
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.cf b/roles/common/files/e.mx/etc/postfix/postfwd.cf
new file mode 100644
index 0000000..d106016
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.cf
@@ -0,0 +1,172 @@
+
+#======= Definitions ============
+
+# Match messages with an associated SASL username
+&&SASL_AUTH {
+ sasl_username!~^$
+}
+
+# Trusted networks
+&&TRUSTED_NETS {
+ client_address==file:/etc/postfix/postfwd.wl-nets
+}
+
+# Trusted hostnames
+# client_name~=.warenform.de$
+&&TRUSTED_HOSTS {
+ client_name=~file:/etc/postfix/postfwd.wl-hosts
+}
+
+# Trusted users
+&&TRUSTED_USERS {
+ sasl_username==file:/etc/postfix/postfwd.wl-user
+}
+
+# Trusted senders
+&&TRUSTED_SENDERS {
+ sender=~file:/etc/postfix/postfwd.wl-sender
+}
+
+# Blacklist networks
+&&BLOCK_NETS {
+ client_address==file:/etc/postfix/postfwd.bl-nets
+}
+
+# Blacklist hostnames
+&&BLOCK_HOSTS {
+ client_name=~file:/etc/postfix/postfwd.bl-hosts
+}
+
+# Blacklist users
+&&BLOCK_USERS {
+ sasl_username==file:/etc/postfix/postfwd.bl-user
+}
+
+# Blacklist sender adresses
+&&BLOCK_SENDER {
+ # =~
+ # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
+ sender=~file:/etc/postfix/postfwd.bl-sender
+}
+
+# Inbound emails only
+&&INCOMING {
+ client_address!=127.0.0.1
+}
+
+
+#======= Rule Sets ============
+
+# ---
+#
+# Processing of the Rule Sets
+#
+# The parser checks the elements of a policy delegation request against the postfwd set
+# of rules and, if necessary, triggers the configured action (action=). Similar to a
+# classic firewall, a rule is considered true if every element of the set of rules (or
+# one from every element list) applies to the comparison. I.e. the following rule:
+#
+# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
+#
+# triggers a REJECT if the
+#
+# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+#
+# Note:
+# If an element occurs more than once, an element list is formed:
+#
+# The following rule set is equivalent to the above:
+#
+# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
+#
+#
+# triggers a REJECT if (as above) the
+#
+# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+# ---
+
+# Whitelists
+
+# Whitelist trusted networks
+id=WHL_NETS
+ &&TRUSTED_NETS
+ action=DUNNO
+
+# Whitelist trusted hostnames
+id=WHL_HOSTS
+ &&TRUSTED_HOSTS
+ action=DUNNO
+
+# Whitelist sasl users
+id=WHL_USERS
+ &&TRUSTED_USERS
+ action=DUNNO
+
+# Whitelist senders
+id=WHL_SENDERS
+ &&INCOMING
+ &&TRUSTED_SENDERS
+ action=DUNNO
+
+
+# Blacklists
+
+# Block networks
+id=BL_NETS
+ &&BLOCK_NETS
+ action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
+
+# Block hostname
+id=BL_HOSTS
+ &&BLOCK_HOSTS
+ action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
+
+# Block users
+id=BL_USERS
+ &&BLOCK_USERS
+ action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
+
+# Blacklist sender
+#
+# Claim successful delivery and silently discard the message.
+#
+id=BL_SENDER
+ &&BLOCK_SENDER
+ #action=DISCARD
+ action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
+
+
+# Rate Limits
+
+# Throttle unknown clients to 5 recipients per 5 minutes:
+id=RATE_UNKNOWN_CLIENT_ADDR
+ sasl_username =~ /^$/
+ client_name==unknown
+ action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
+
+# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
+id=RATE_CLIENT_ADDR
+ &&INCOMING
+ action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
+
+# Block messages with more than 50 recipients
+id=BLOCK_MSG_RCPT
+ &&INCOMING
+ &&SASL_AUTH
+ recipient_count=50
+ action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
+
+# Block users sending more than 50 messages/hour
+id=RATE_MSG
+ &&INCOMING
+ &&SASL_AUTH
+ action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
+
+# Block users sending more than 250 recipients total/hour
+id=RATE_RCPT
+ &&INCOMING
+ &&SASL_AUTH
+ action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
+
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-hosts b/roles/common/files/e.mx/etc/postfix/postfwd.wl-hosts
new file mode 100644
index 0000000..c425a4e
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.wl-hosts
@@ -0,0 +1,22 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted hosts whitelisted by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+# # all hosts of domain 'oopen.de'
+# \.oopen\.de$
+#
+# # host a.mx.oopen.de
+# ^a\.mx\.oopen\.de$
+#
+# ---
+
+# give truested hostnames here
+
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-nets b/roles/common/files/e.mx/etc/postfix/postfwd.wl-nets
new file mode 100644
index 0000000..d194340
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.wl-nets
@@ -0,0 +1,15 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted networks whitelisted by postfwd
+#
+# Example:
+#
+# # web0.warenform.de
+# #83.223.86.76
+# #2a01:30:0:505:286:96ff:fe4a:6ee
+# #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give truested networrk adresses here
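Review bot: `WHL_SENDERS` returns DUNNO on nothing more than a regex match of the envelope sender against postfwd.wl-sender, and it sits above `BL_NETS`, `BL_HOSTS` and every rate-limit rule, so an unauthenticated remote client that forges a whitelisted MAIL FROM skips all of them (the `&&INCOMING` condition restricts this rule to exactly those remote clients, and the wl-sender template in this change even suggests whole-domain patterns like `@oopen\.de$`). At minimum move the `BL_NETS`/`BL_HOSTS` rules above `WHL_SENDERS` so a forged sender can only bypass the rate limits; if the whitelist is meant for your own users, tie it to something the client cannot forge, i.e. ` &&SASL_AUTH` instead of ` &&INCOMING`. Two smaller points: `&&INCOMING` only excludes `127.0.0.1`, so if Postfix also accepts submissions over `::1` those are throttled by `RATE_CLIENT_ADDR` like external clients, and the comment above `BL_SENDER` still says "Claim successful delivery and silently discard the message" although `DISCARD` is commented out and the active action is `REJECT` — change it to `# Reject the message (DISCARD kept below as an alternative).` Whether `recipient_count=50` in `BLOCK_MSG_RCPT` ever sees the final count depends on which smtpd restriction stage invokes postfwd, which this change does not show.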
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-sender b/roles/common/files/e.mx/etc/postfix/postfwd.wl-sender
new file mode 100644
index 0000000..d5c5acd
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.wl-sender
@@ -0,0 +1,22 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted senders whitelisted by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+# # all senders of maildomaindomain 'oopen.de'
+# @oopen\.de$
+#
+# # sender address ckubu@oopen.de
+# ^ckubu@oopen\.de$
+#
+# ---
+
+# give trusted sender addresses here
+
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-user b/roles/common/files/e.mx/etc/postfix/postfwd.wl-user
new file mode 100644
index 0000000..f1d2ac5
--- /dev/null
+++ b/roles/common/files/e.mx/etc/postfix/postfwd.wl-user
@@ -0,0 +1,15 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# SASL Users whitelisted by postfwd
+#
+# example:
+#
+# # give trusted sasl usernames here
+# ckubu@oopen.de
+# vertrieb@akweb.de
+#
+# ---
+
+# give trusted sasl usernames here
+
diff --git a/roles/common/files/root/.ssh/e.mx-id_rsa-dehydrated b/roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-dehydrated
similarity index 100%
rename from roles/common/files/root/.ssh/e.mx-id_rsa-dehydrated
rename to roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-dehydrated
diff --git a/roles/common/files/root/.ssh/e.mx-id_rsa-dehydrated.pub b/roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-dehydrated.pub
similarity index 100%
rename from roles/common/files/root/.ssh/e.mx-id_rsa-dehydrated.pub
rename to roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-dehydrated.pub
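Review bot: The example block in postfwd.wl-sender shows whitelisting an entire domain by envelope sender (`@oopen\.de$`), which is the one attribute a remote SMTP client sets freely; with the DUNNO that the matching rule returns, an entry like that is an unauthenticated bypass of every later check. A warning in the template would keep the next admin from adding their own domain here: `# NOTE: the envelope sender is NOT authenticated - a match here skips ALL later rules. Prefer wl-nets / wl-user; if you must list senders, use single anchored addresses, never whole domains.` The "truested"/"networrk adresses" typos in the sibling wl-hosts/wl-nets templates are cosmetic only.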
diff --git a/roles/common/files/root/.ssh/e.mx-id_rsa-opendkim b/roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-opendkim similarity index 100% rename from roles/common/files/root/.ssh/e.mx-id_rsa-opendkim rename to roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-opendkim diff --git a/roles/common/files/root/.ssh/e.mx-id_rsa-opendkim.pub b/roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-opendkim.pub similarity index 100% rename from roles/common/files/root/.ssh/e.mx-id_rsa-opendkim.pub rename to roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-opendkim.pub diff --git a/roles/common/files/e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf index 133ceef..1436527 100644 --- a/roles/common/files/e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf +++ b/roles/common/files/e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf @@ -1,3 +1,5 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + #--------------------------------------- #----------------------------- # Settings for script check_cert_for_dovecot.sh diff --git a/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf index 87fe901..d3520b1 100644 --- a/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf @@ -1,3 +1,5 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + #--------------------------------------- #----------------------------- # Settings diff --git a/roles/common/files/e.mx/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/e.mx/root/bin/postfix/conf/create_opendkim_key.conf index aded3df..5afd9c2 100644 --- a/roles/common/files/e.mx/root/bin/postfix/conf/create_opendkim_key.conf +++ b/roles/common/files/e.mx/root/bin/postfix/conf/create_opendkim_key.conf 
@@ -1,3 +1,5 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + # --------------------------------------------------------- # - Parameter Settings for script 'create_opendkim_key.sh'. # --------------------------------------------------------- diff --git a/roles/common/files/e.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/e.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf index 3cffedf..18f5848 100644 --- a/roles/common/files/e.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf +++ b/roles/common/files/e.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf @@ -1,3 +1,5 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + # ---------------------------------------------------- # --- # - Parameter Settings for script 'postfix_add_mailboxes.sh'. diff --git a/roles/common/files/e.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/e.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf index 56574b2..1ce0fff 100644 --- a/roles/common/files/e.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf +++ b/roles/common/files/e.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf @@ -1,3 +1,5 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + # ---------------------------------------------------- # --- # - Parameter Settings for script 'sent_userinfo_postfix.sh'. diff --git a/roles/common/files/e.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/e.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf index e7cf6b5..11c60fa 100644 --- a/roles/common/files/e.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf +++ b/roles/common/files/e.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf @@ -1,3 +1,5 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + # ====================================================== # --- # Parameter Settings for Script 'whitelist_mb_sigs.conf' 
diff --git a/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated new file mode 100644 index 0000000..1f31859 --- /dev/null +++ b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEA8Q7zcxe+VCBbnLzMVLlLKBfjle1hBDwTAv18dSSvpXc6iy4R +1UGWoS4tm+8EV8uBdd40vvkwdGGrLDPplsSqdPFaSj5wlRh7zHTYbRwq9RFFLnk0 +xvJQk8HrQTV+MNAI4Of0nqf1JcgPL0d0mcug7gZ9gQCdFHjcKZafpbl4Afri2Chc +SHd4HGlXmVMYwM9W4TzWfauxaYVLxhpO/aBQ4v5NKFGIYlZN/D67JNA0uSZ/geGq +lCWQpVMLh7avWR2mdRo6hHcM9hmF7J1R3GZKzXIlSHHEIy+fru7Da+Ak2ufWI/P8 +aY1lQrHOkxK91oOk8BT/WIFKKVxby5mI+jdO4rTn95Ha4pYvGrxTPiywwO0Lmpzm +1ti1iRSV4aFIQ7BpFKCzb4/vdFUjM/cTI4qGNbCv/dpAVSRuAcZ2T82QKSK6FpgE +FJJ6v6pk6oB/9E+vOyW+2gOB5Rva5h6OpSIQmbRfPbXIujEQ6lFmqV7dbBrf6nkG +Gk6xf3ZJyqFCwTy+ea9RZ1ZiXlF+p9xVJPhSiAfwL7+EdfkDjfQaS2SJKy1qQw+v +2mG315hjJzL7y/KoiNcNG9VVrKAc4v0mG7fHs+4+YdMEBRvpciYgdEVRtJBGePe3 +RyBS4zwqJHJP9Ev3xUFFPw0dT3FaXRFLzeXOC3fCeBCM6tb5HkXUuk0DxdcCAwEA +AQKCAgAWbf+1C9aH2WLs2JxincMifeaNQsMuM7DJLHDyLXGygb+Ox8CdCTdM1BEm +Wz0aNjNblktuIZ2ilpvoxwPLJY1+yB5QnjK3jMmoIo8ox+AvYWYAhwKkKFPbC8Yq +ESImxJSu6KZYROSImW7gRVPSI6Jbw3rWEAqNpxlFPWCpePJzrLaCym6bx5IDgsHF +4HeDKUe6OYDzvJALc32zdys2aj5cgLEJOVzpWYJ0IBoluMHPIIfou+i1VDF7UJjY +DeWO8zVT3Bbp0HICTCmr9I9zZIk9SIuzi/JmG75N9qV0WizTuZKxUbiA0clERWsl +QC8t0J3+QNXplE4kPxXDggu+zHqoa1VK4ZeNFMMOHv2R87PXgwOhIEBRY5/QQdKH +M0RWLcUHiyakx+QyfWNOUTwPNHpwwicHJR/k2oppIYvQj121acsSo0br+Zncg0Dg +WagHBGbZncjXCXWsZktRTz4srNoTEytVUqbVt6RCdUeEI6K6rh0X6w+qpu0GmS0X +CykA/VzxAVZT2F9FBrp/l+6MeoiBSdwjqmBPp+2NcIJNLfS8NrjRIbWI03CIkCuR +dKEDVnHIX2O4QAQgNfxFIbnelbQ6fZ74scpsF1pqhIwsajEgIuDINx3pd0OQCK4U +yjK6BkpoOXn1AbM0l5F63st5zjb35iibIUP/baQ8UZCRYKiEsQKCAQEA+08MrI/f +SrelrhuBZvXicxL2MDBz1FZwSgltIsCrtBZQrCyrh7myISor2DZLe0XftFSRaZQa +iBjrhsgHD2EetGmPT/zaQEc/fJo20JDkWs8E5Z6b18NYaOuhMXlpinXgS/myD9UX +vLY3DN+YVnb0q/uhm+ddYQaxQ24rdFbI3EH66fgy33NB4A0yVTjazp29RdKHXL3m +2OtXIh2BqUPeau639iLRU9PzjYVzX7M6ddKuhYatblOrprnJyUx1jrGjfjRUt8D1 +Mn4scMfmRYg8eH3bh+Kp4l0QHYRq8+KR2i7QZ4Gh4WHp7ROiwuHf3IBPyYHgb6FI +tnaRmXOzwkV8bQKCAQEA9Y7qxkr8D5iVzH0M5xJOch1pZ4e4Eq2wsZQ4eFX+1aZr +nqAgCCs/UuEdbJh7AdUQhjtLsEW2WjOEEqMyXAVc5wgNGh6Zw46CvCIJ+k7rKccF 
+xx4b/Fwm8D0eXTGdiGA0shkelRGX8HN3AJp8dKy6vDrumSDZXdqZi8lkjz09NdYm +rt/qC3/4getxOkeDS6tlUSCISm15XoL00taDskpUl0hqqxzsd1+RDvmCcook3Re6 +iBi1RwCmoF4Dil94q8fjMEAxg5RtHnYxWWDpFSHzhE7TAkE8jW3V9tg1Pfb9JMYU +glojMEHOsETyNqNVqIwHMvmXIVW7aiigv6ctneQY0wKCAQAKSM/h9/lRW3aiS2ne +Rs2/m9ULX9A9rlPmE8CtnWjpc8hVY3aZlVXe2ZT1wjMQlmlzPcq9oVv8mdh5qZHw +ZS8WfwNoaJad7syAUudPXb6aoMI4i2chS1NA5/OuzKMvEWfedBd/Yl8YT/SsyDG5 +yCB3MVMJyEwf/mAevFF2715E9UZJcOjUEClv+9pFdpAtyHLIercjanoaAneMY9y8 +ipR9l8tbfU1HuvLKpd102ybXT4no2Pwb+byalBvX6xMchdSFA6s74d+m81bqPqQD +0HF5FN15ECOXqetQ6exekrUZUrUgp0Nyr8kc9KLCiu/YXD/npTMEHnuVTADlYMDI +gIN5AoIBABq59Gmira6Q3/UCw02/G1SmSNug1PMLfojFZiQK0BK26023heT9uAWw +RMCWFAVOCF9jwsgrvj4xDzXsF0YWu1bV9H8cR4YWU7pgRg+9WTER3Voft9IOwZoy +PMTN6qR2PCYKP97frFbaamBhcBxO1IA6Nc/q2F2ztjSVteE1PB1I8qrj6hhYVFbn +pko+kFbDD+L1lH/tTGFyBW2RNYJJPs28bweyvTX868/ibkVDLeH2fDHl5o0U0A3y +TZZY78xalCqjQgBdPkcrfBGLT7MiH9wNrD+5k/qcssYMIDdfU4wWFxNc9imBcBqV +VnuF6YPPwdTVf5J8P0q9o0lYy8k8k0sCggEBAMLlHCucicV2ldGH1hvcsUEBbsS1 +Ave+1utiGpb9QCHKpMLmBzxNFq6ZgV52F03pDjR/ACiuT40Uc2uxAiw6EQ6UtU6s +dd8mKUjJUAUi/fujCFs0nn9VETZGBSyUipLA4AH6LyJSwXLZ4HKN37o34K9CcMJ0 +XBYm+67Inn37Z/lRSViGTBSyOizwN1KHGQoEtUlTD5iMBdvmr44unaPB4WXzbKX7 +nm9yeN+OjAvxfvYRczmmlOJ3+p6CqRqOOv21pdV6DOfJ4kml1Y2A+gYft4rANOGC +KaBJaopIm11AMyiauOMrGy7L968xOfKRLnXGjxNqg5+I9YD6V91y32vOJWc= +-----END RSA PRIVATE KEY----- diff --git a/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated.pub b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated.pub new file mode 100644 index 0000000..3fa2c50 --- /dev/null +++ b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@mail.cadus.org diff --git a/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim new file mode 100644 index 0000000..7e19fdd --- /dev/null 
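Review bot: An unencrypted RSA private key (`-----BEGIN RSA PRIVATE KEY-----` … `-----END RSA PRIVATE KEY-----`) is committed in clear text as roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated; once it is in git history it has to be treated as compromised no matter what is cleaned up later. Rotate the keypair, replace the corresponding line in the remote side's authorized_keys, and keep only the `.pub` half in the repository — the private half belongs in an `ansible-vault` encrypted file or should be generated on the host itself. The e.mx dehydrated key is only renamed in this same change (similarity index 100%), so it is tracked in clear text too and presumably deserves the same rotation.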
+++ b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEAzOY9bQkcFRrxmrVUFS8VM1eK+ROUBEV8ZBBnBqGrCxfMwUDu +SmOtIqlPwyw419M09ho7uXZVVHf7NTf3or9C4X4MTnCit9bVjlZvKF+YLCAvsr/X +CGwCaLobLVcQIBqFHIuZtv4rP6tln1EVrrxhaAlc6yUXqk4f8jJGHoHEaZxUr/vz +rnCLf6kMrDkEh8if5qyF+h50yr1oGx41Zz49I5InEeccnxmcT2EGEuKLDcnlskeX ++UGiFxVB4VpkHfpsN5u+ZJJMcKPEJtP8o+1uymTWg9gGsIhRTcstN+EC1BJMf8WZ +KdoA//Gq6i2eUv5q4R+Luy6zeQXhPvEaCsilZR1onWlw9cvUunCunEP3zvhqti4X +Pi4ITwGh9Mk4H2FO2AQnKjWBMku7BhDIfLvGkBU2AljqWWouW/p7vWOh5g2T+woH +w+GzSATQZdQrBk4VoUk+wyA4T6CeMbaAop7saKqvEXY21aQHz1HnJL82Yp8H+qdX +3ynAYUyWCP/mmKzaj6Cwp+vqT/9G9QOu5MpdButMTtdz558SUrEQYk4qg/DmDzOg +Q5kLn7XO91ziWWx8Q91RTtAeONJPeP0vVkKjDVWh+wADEmm1PXa7yPGn4MMXX7ke +3c0GWDLWVavcYHP514m01un7fO8mNoPHibDzTC0rznbhPGvlZ1JgIfqdEqUCAwEA +AQKCAgAMQxMV/V+S28PtsEBR7Dlmkyyb71ICV240Rs8DlJU52rjEL/CSvxhTZLKD +SZg1Qkx/Fd7RIIXGwk9kRe8p7CxCdlqiLxdtzQuGsyF/1wiyS1LPba+er2gNgGWz +9uveH/grVydhziAkdUtll2KmzFs/8J+A6v1ZkcdTpTKRDM8GSva+eWOB4vZWM3Ww +sNDWl2kKUvTJnRz8LQ2X4dzsSss537s61QvfcZbrITFN3ATaVGTMoIA1yHm8y+bf +Z5tqN9xWD5n7Rs4QR5yrfjA2VzU0I4i65yivU9kZwLj6CRs0OcweMWMTIBrDNmE2 +FnjNGrCmvE6OayMOcQ2jyKX4Uz2ijgVcelY/KzVl6VZK1bj3ooZYEqZOhj2dKnvJ +rqAKzOTjVUMPAi52I/l8/lTmJbJlkaNpAgu64xXRquxhJNCNhqTn0I2OzM5oTV0c +gcCrOLmCN4qwuronM7JI1Zj0PRKNOavhIg4qI2hgNqIeE4RBURGLzvnquz1vhPyr +LurhblP5+9bcuG0+rO0eWK0TJMzeHuf+AIo3XZGJhP06aoABFhfgtDqcKALZ8gic +fa/4mu5jkvCO6a3y+TfJtS1IVpIRLiOfSYJ9As+E1l/ahfG28/DJvOeICv2mR46l +t4gnYu+u2j21UxH0VfoT54PJFW3b5fFZpNmP1h/51u+pEmbbgQKCAQEA8j59XYPQ +bjvW4zssTWHUGxIfGrzrcOahpZMxk/2F19nhjs55ILk1Tu0niPcLKq0JftjxQ/AN +x3SyxXrbngxpH1VdNGFujn61g/FTdSyr5APtORLjbgS3gu6OHocjvQeS7ApZlfGW +ptn4bRiHOyZJMu0kv7ZOgR4LfmwMF7mWXAhlOxAu6q3Nl9qc8pBXc62xfHfL+5Zv +JapfcjvhonIw1zDHLJ+Z6B+w/+j4PWl/uEfLCQ+waO+wVwjuCABXg4NTiTjfhNol +PM7sjmhS3a8INIoLrdF+SdxVlOynCg+t1Y3A8PYc84+4l+jeopYLqtMTHPDsQfU+ +PdDv//8WJVrlsQKCAQEA2IjeZt6OnvatltY/ynlusRergaOc+8jQeFLlg7Rvs4NO +0/dq5bBWpNc0kmY8ARKGMYS13bVv38ZGVeXaxmMTPbf+eUOu2wZJaawq23UWDEor 
+DV7mQutGy7yosVBzIa3bFR+CW0pTHvTyPhQmWgFsflMsjZKSR8IjhIYkW9XIJN2i +Ho4Hef5MN2VXjt9hOOt0hH5KsIJ8iQM6fS6eMRw4EjRADp53ps3HfTSNAa1w8op3 +9YltsarFG+1zRBlbLrbIiWNmmfu5Q5R8pbPgOY29bQTMbWPD3iyrM/rUvVppDOyw +g9I0wVYBLfXP4LD/DeWm3X8vm3O3LwGKD5KFwjQVNQKCAQEAw+hHqL42bT/VnHU5 +cedhCveP0ibg3bCXH/m3SbDpclRRtxVCHnXKJ+dhZsIr9Lp2CHDYRZI5AopdHZor +TFlLFr0JoJf/Ohw9HdSoIwYaiU+npNWiulH0O15D72ppO7GJX31LUBlONefnogsJ +Kove/OGOK8D7Ii6zKu2kpfdAI3Pism53EvG2aE2zSfPz1ait9jRH8lKJ1tM/V3oY +EzD4UL+xBGSaqoAevAej4r6UPOtKxyw6BdN6MBkXr77fB4vInhwxoBZvsQrDgrPZ ++FBaeWr+4PaghIk9aTAuMtPVSPTYCcdwSIV9ytTYYHKqQt9rAKfS2dDFImb8AXNB +bLpjMQKCAQEAlrm3Lh4PYuHM9akPYG5kucsDLEtqc+1WB9uUPbh05J0rWurnsxir +RzUyOBIIBKsTVBbPzZOFW1wWC6bjQaMnepfAAEM3zOg0Y+VfM8Ht5gIes8DyQXSq +pBkfx8V7Tt9JGAwF3mv/LhZNJR87jv1cuxZEdgun3WFq/c2uM2q9VcQdHG27EJUO +EqVtbFtbvpZPVgbfELzT2T+xEABKR18gPLO4PzTZjvfAvAu/d4J2k64FUJooDDsV +15nS2X1Y9kxvjQrvGZKaZEtQ9LsgApACYoerkR2X8uhfB+C7A0+Svldni2rgJBAs +5AQufnZWJCNOovHsfqXuxj6pDqvshcFhXQKCAQEAiTdFEQ5phltKANr+viBS4Mec +UwbIRUg4MZOaOLqHytCh30uK/a+fX6SwbVcuD2IFheUorox8GsC13a/5ruKO2Vh/ +JccgfkypMDDYzoAodrX1lBQvlvc5SnNhNTJMlMqkWQcKtILy+f2gzxx/xsA9b92t +LpAnrGIKnbf+ewnfOvJqopBxr1H6EanCjo7VtDPU8l5zR/xxaWAwZV1/z0y1CwkP +MNTp6Xao1lVrgjUz2s9VykDPIDE8FazmnSKSXbuxuEo3+qlPhDKVVsd7LSMdlukz +lkrS7ROdtFNB91sQnwmSPdTCqjso8SUIlpFqGfno5pl7UPD6DuQQDHsF6lMajw== +-----END RSA PRIVATE KEY----- diff --git a/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim.pub b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim.pub new file mode 100644 index 0000000..6b44ad6 --- /dev/null +++ b/roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@mail diff --git a/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf new file mode 100644 index 0000000..f1b7189 --- /dev/null 
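Review bot: The same applies to mail.cadus-id_rsa-opendkim, and this one is worse: according to the commented defaults in create_opendkim_key.conf further down in this change (`dns_ssh_key="/root/.ssh/id_rsa-opendkim"`, `dns_ssh_user="manage-bind"`, `dns_dkim_zone_master_server="b.ns.oopen.de"`) it is presumably the SSH identity the mail host uses to run zone-management scripts on the DNS master, i.e. a credential that can change DNS. Rotate it, remove the old public key from `manage-bind`'s authorized_keys on the DNS server, and vault or host-generate the replacement rather than committing it in clear.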
+++ b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf 
@@ -0,0 +1,135 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings for script check_cert_for_dovecot.sh +#----------------------------- +#--------------------------------------- + +# - service_domain +# - +# - The main domain for which the certificate was issued +# - +# - Example: +# - service_domain="a.mx.oopen.de" +# - service_domain="mail.cadus.org" +# - service_domain="mx.warenform.de" +# - +#service_domain="" +service_domain="mail.cadus.org" + + +# - service_name +# - +# - Name of service. +# - +# - Note: this var will also be used to determin systemd service file +# - or sysVinit script. +# - +# - Example: +# - service_name="Mumble" +# - service_name="Prosody" +# - +# - Defaults to: +# - service_name="Dovecot" +# - +#service_name="" + + +# - check_string_ps +# - +# - String wich (clearly) identifies the service at the process list (ps) +# - +# - Example: +# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd" +# - check_string_ps="" +# - +# - Defaults to: +# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot" +# - +#check_string_ps="" + + +# - service_user +# - +# - User under which the service is running. +# - +# - Example: +# - service_user="mumble-server" +# - service_user="prosody" +# - +# - Defaults to: +# - service_user="prosody" +# - +#service_user="" + + +# - service_group +# - +# - Group under which the service is running. 
+# - +# - Example: +# - service_group="mumble-server" +# - service_group="prosody" +# - +# - Defaults to: +# - service_group="prosody" +# - +#service_group="" + + +# - cert_installed +# - +# - Locataion of certificate read by service +# - +# - Example: +# - cert_installed="/var/lib/mumble-server/fullchain.pem" +# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.crt +# - +#cert_installed="" + + +# - key_installed +# - +# - Location of the key read by service +# - +# - Example: +# - key_installed="/var/lib/mumble-server/privkey.pem" +# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.key +# - +#key_installed="" + + +# - cert_newest +# - +# - Location of the newest certificate. +# - +# - Example: +# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem" +# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem +# - +#cert_newest="" + + +# - key_newest +# - +# - Location of the newest Key +# - +# - Example: +# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem" +# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem +# - +#key_newest="" + diff --git a/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..ae4314a --- /dev/null +++ b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf 
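Review bot: The commented defaults for `service_user` and `service_group` in this Dovecot check both read `prosody` while `service_name` defaults to `Dovecot` — either these comments were copied from a Prosody host and are stale, or the script really falls back to `prosody`, in which case anything it does with the installed cert/key ownership would target the wrong account. Confirm the script's actual defaults and, on a mail host, set them explicitly rather than relying on them, e.g. `service_user="dovecot"` and `service_group="dovecot"` (or whatever account Dovecot runs as on mail.cadus). The `cert_installed`/`key_installed` defaults (`/etc/dovecot/ssl/mailserver.*`) look consistent with the `service_domain="mail.cadus.org"` that is set.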
@@ -0,0 +1,178 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=true + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=false + +check_apache=true +check_nginx=false +check_php_fpm=true +check_redis=false +check_website=false + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... 
+# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="7.4" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" 
= "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" +# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. +# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/mail.cadus/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/mail.cadus/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..424d06d --- /dev/null +++ b/roles/common/files/mail.cadus/root/bin/postfix/conf/create_opendkim_key.conf 
@@ -0,0 +1,176 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------- +# - Parameter Settings for script 'create_opendkim_key.sh'. +# --------------------------------------------------------- + + +# ---------- +# DNS Server +# ---------- + +# - dns_dkim_zone_master_server +# - +# - The DNS Server who is serving the update zone and is used +# - for the dynamic updates (nsupdate) +# - +#dns_dkim_zone_master_server="" +dns_dkim_zone_master_server="b.ns.oopen.de" + +# - update_dns +# - +# - Possible Values are 'true' or 'false' +# - +#update_dns="" + +# - update_zone +# - +# - Zone containing the DKIM TXT record. +# - +# - Defaults to '_domainkey.' +# - +# - Note: +# - do NOT change/set this option unless you know what you do. +# - +#update_zone="" + +# - TTL +# - +# - TTL for the DKIM TXT Record. +# - +# - Defaults to "" if update_dns=false +# - Defaults to "43200" if update_dns=true +# +#TTL="" + + +# ---------- +# TSIG Key +# ---------- + +# - key_secret +# - +# - Sectret Key used by 'nsupdate' to create/update the +# - DKIM TXT record. +# - +# - Example: +# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI=" +# - +#key_secret="" +key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw=" + +# - key_algo +# - +# - The key algorithm used for key creation. Available choices are: hmac-md5, +# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The +# - default is hmac-sha256. Options are case-insensitive. 
+# - +# - Example: +# - key_algo="hmac-md5" +# - +# - Defaults to 'hmac-sha256' +# - +#key_algo="hmac-sha256" +key_algo="hmac-sha256" + +# - key_name +# - +# - Name of the Key +# - +# - Defaults to "$update_zone" +# - +#key_name= +key_name="update-dkim" + + +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to '/root/bin/bind/bind_set_new_serial.sh' +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh' +# - +#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" + +# - add_dkim_zone_master_script +# - +# - Script adds zone _domainkey. as master zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh' +# - +#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh" + +# - add_dkim_zone_slave_script +# - +# - Script adds zone _domainkey. 
as slave zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh' +# - +#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh" + + + +# ---------- +# OpenDKIM Installation +# ---------- + +# - opendkim_dir +# - +# - OpenDKIM's etc-directory +# - +# - Defaults to opendkim_dir="/etc/opendkim" +# - +#opendkim_dir="/etc/opendkim" + +# - key_base_dir +# - +# - Defaults to "${opendkim_dir}/keys" +# - +#key_base_dir=${opendkim_dir}/keys + +# - signing_table_file +# - +# - Defaults to "${opendkim_dir}/signing.table" +# - +#signing_table_file="${opendkim_dir}/signing.table" + +# - key_table_file +# - +# - Defaults to "${opendkim_dir}/key.table" +# - +#key_table_file="${opendkim_dir}/key.table" diff --git a/roles/common/files/mail.cadus/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/mail.cadus/root/bin/postfix/conf/postfix_add_mailboxes.conf new file mode 100644 index 0000000..91479fc --- /dev/null +++ b/roles/common/files/mail.cadus/root/bin/postfix/conf/postfix_add_mailboxes.conf 
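Review bot: `key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="` is the live TSIG secret for the `update-dkim` key on `b.ns.oopen.de`, committed in clear text; anyone with read access to the repository can then push `_domainkey` TXT records (and whatever else the server's update-policy grants that key). Rotate the key on the DNS server and keep the new secret in Ansible Vault, rendering this file from a template (`key_secret="{{ vault_opendkim_tsig_secret }}"`) instead of copying a plain file, and check that the `Example:` value (`EtvvMdW0…`) is an invented placeholder rather than another real secret. `key_algo="hmac-sha256"` is fine; the `hmac-md5` option listed in the comment should not be used.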
@@ -0,0 +1,87 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ----------------------------------------------------
+# ---
+# - Parameter Settings for script 'postfix_add_mailboxes.sh'.
+# ---
+# ----------------------------------------------------
+
+# - dovecot_enc_method
+# -
+# - The (dovecot) password scheme which should be used to generate the hashed
+# - passwords of EXISTING users.
+# -
+# - Possible values are:
+# -
+# - See output of 'doveadm pw -l'
+# -
+# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT"
+# -
+#dovecot_enc_method="SHA512-CRYPT"
+
+# - in_file
+# -
+# - The file from wich the script reads the e-mail-address/password
+# - kombination(s). Each line in this file must only contain
+# -
+# -
+# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst"
+# -
+#in_file="${conf_dir}/mailboxes_new.lst"
+
+# - db_type
+# -
+# - Type of Postfix Database
+# -
+# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
+# -
+# - Defaults to: db_type="pgsql"
+# -
+#db_type="pgsql"
+db_type="mysql"
+
+# - db_name
+# -
+# - Database name for the postfix database
+# -
+# - Defaults to: db_name="postfix"
+# -
+#db_name="postfix"
+
+# - db_name
+# -
+# - Database name for the postfix database
+# -
+# - Defaults to: db_name="postfix"
+# -
+#db_name="postfix"
+
+# - mysql_credential_args (root access to MySQL Database)
+# -
+# - Example
+# - mysql_credential_args="--login-path=local"
+# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - Defaults to:
+# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
+# - '/usr/local/mysql/sys-maint.cnf' otherwise
+# -
+#mysql_credential_args=""
+
+# - quota
+# -
+# - The quota setting for the new mailboxes.
+# -
+# - Defaults to: quota="536870912"
+# -
+#quota="536870912"
+quota="1073741824"
+
+# - log_file
+# -
+# - Where to write logging informations?
+# -
+# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log"
+# -
+#log_file="${script_dir}/log/postfix_add_mailboxes.log"
diff --git a/roles/common/files/mail.cadus/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/mail.cadus/root/bin/postfix/conf/sent_userinfo_postfix.conf
new file mode 100644
index 0000000..a259728
--- /dev/null
+++ b/roles/common/files/mail.cadus/root/bin/postfix/conf/sent_userinfo_postfix.conf
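Review bot: The `# - db_name` documentation stanza appears twice, back to back, each ending in `#db_name="postfix"`; one copy should be removed, or, if the second was meant for another setting such as the database user, rewritten for that setting. The mail.faire-mobilitaet copy of postfix_add_mailboxes.conf later in this commit carries the same duplicate. The `in_file` description also breaks off at `Each line in this file must only contain`, so the expected line format (presumably address and password, separator unknown) is never stated; finishing that sentence would make the file self-explanatory. Finally, the `Defaults to:` lines under `mysql_credential_args` name bare paths here (`'/etc/mysql/debian.cnf'`) while the faire-mobilitaet copy gives the full `--defaults-file=/etc/mysql/debian.cnf` argument — the two files should agree on what the default actually is.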
@@ -0,0 +1,92 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ----------------------------------------------------
+# ---
+# - Parameter Settings for script 'sent_userinfo_postfix.sh'.
+# ---
+# ----------------------------------------------------
+
+# - message_body_file
+# -
+# - Full path to file containing the user info. This file must contain
+# - the message body WITHOUT e-mail headers. If file is placed in the
+# - 'files' directory use '${file_dir}/'
+# -
+# - Defaults to '${file_dir}/sent_userinfo_postfix.message'
+# -
+#message_body_file="${file_dir}/sent_userinfo_postfix.email"
+
+
+# - email_from
+# -
+# - From Address of user info
+# -
+# - Example: 'oo@oopen.de'
+# -
+email_from="postmaster@cadus.org"
+
+
+# - email_from_org
+# -
+# - Example: email_from_org="O.OPEN"
+# -
+email_from_org="Cadus e.V."
+
+
+# - db_type
+# -
+# - Type of Postfix Database
+# -
+# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
+# -
+# - Defaults to: db_type="pgsql"
+# -
+#db_type="pgsql"
+
+# - db_name
+# -
+# - Database name for the postfix database
+# -
+# - Defaults to: db_name="postfix"
+# -
+#db_name="postfix"
+
+# - mysql_credential_args (root access to MySQL Database)
+# -
+# - Example
+# - mysql_credential_args="--login-path=local"
+# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - Defaults to:
+# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
+# - '/usr/local/mysql/sys-maint.cnf' otherwise
+# -
+#mysql_credential_args=""
+
+
+# - mail_user
+# -
+# - The owner of the mailbox directories and within the e-mails itself.
+# -
+# - defaults to mail_user="vmail"
+# -
+#mail_user="vmail"
+
+
+# - mail_group
+# -
+# - The group of the mailbox directories
+# -
+# - defaults to mail_group="vmail"
+# -
+#mail_group="vmail"
+
+
+# - mail_basedir - No more needed!
+# -
+# - The root directory where all mailbox-domains are located.
+# -
+# - Defaults to '/var/vmail'.
+# -
+#mail_basedir=/var/vmail
diff --git a/roles/common/files/mail.cadus/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/mail.cadus/root/bin/postfix/conf/whitelist_mb_sigs.conf
new file mode 100644
index 0000000..0f7e877
--- /dev/null
+++ b/roles/common/files/mail.cadus/root/bin/postfix/conf/whitelist_mb_sigs.conf
@@ -0,0 +1,44 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ======================================================
+# ---
+# Parameter Settings for Script 'whitelist_mb_sigs.conf'
+# ---
+# ======================================================
+
+# QUARANTINE_BASE_DIR
+#
+# Base directory where amavis stores quarantined e-mails, mostly in
+#
+# virus e-mails: $QUARANTINE_BASE_DIR/virus
+# spam emails: $QUARANTINE_BASE_DIR/spam
+# ..
+#
+# Defaults to:
+# QUARANTINE_BASE_DIR="/var/QUARANTINE"
+#
+#QUARANTINE_BASE_DIR="/var/QUARANTINE"
+
+
+# CLAMAV_VIRUS_WHITE_LIST
+#
+# Full path to clamav's (personal) white list file
+#
+# Defaults to:
+# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+#
+#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+
+
+# WHITE_LIST_STRINGS
+#
+# A blank separated list of strings to whitelist.
+#
+# Example:
+# WHITE_LIST_STRINGS="google.com tinyurl.com"
+#
+# Defaults to:
+# WHITE_LIST_STRINGS="google.com"
+#
+#WHITE_LIST_STRINGS="google.com"
+WHITE_LIST_STRINGS="google.com tinyurl.com ngosafety.org"
diff --git a/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated
new file mode 100644
index 0000000..fbdeaa8
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated
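Review bot: The documented default for `message_body_file` is `'${file_dir}/sent_userinfo_postfix.message'`, but the commented-out assignment directly beneath it is `#message_body_file="${file_dir}/sent_userinfo_postfix.email"`; only one of these extensions can be what the script looks for, and an operator who uncomments the template line will point it at the wrong file. The two lines should name the same file. The mail.faire-mobilitaet copy of sent_userinfo_postfix.conf later in this commit has the same mismatch.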
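Review bot: `WHITE_LIST_STRINGS` now lists `tinyurl.com`, and the neighbouring `CLAMAV_VIRUS_WHITE_LIST` (a ClamAV `.ign2` ignore file) indicates these strings end up suppressing ClamAV signatures; if, as the names suggest, every signature matching a listed string is ignored, a URL-shortener domain is a far broader match than a single first-party domain such as `ngosafety.org`, because shortened links are a common way to hide a phishing or malware destination, so the detection gap this opens is correspondingly larger. A comment stating which signatures were firing and why suppressing them is acceptable would let the next maintainer reassess the entry, and a narrower match string would limit the exposure. The header line `Parameter Settings for Script 'whitelist_mb_sigs.conf'` also names the config file rather than the script, presumably `whitelist_mb_sigs.sh`. The mail.faire-mobilitaet copy of this file later in this commit has the same `tinyurl.com` entry and the same header.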
@@ -0,0 +1,49 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAzObdiB309CxdWnNh9FvcZciVIFCKkpBOZA5lv7gKCZFk5bO/oeA5 +2mBdPX+UP+hzm/EVfGOcxUGSxvPbuptpMjSUY1nyikv4OpAq53LQkgI/Tz7YVCsalVgYjo +9EEnMR6S4cYHm3jK9UXdYUFAhWDrjnfqe3Winf3W69w4c1X0kgfNhba5y2lWswcl/24pO2 +dnaJA/9NtK9bVF2PrEexXtYhewDwlo3DUC1HAchprmDFYjVZw/NmUmKhFIwOFBnZ7YeIpk +uOzRU88c+cvsluSxofltesNlqZ4S24kqhdpRp2gnzcyhwXUdWrSCbc2IRcDtb8X+ONHZbF +sIMfMKwVvXFWg7Wj1ZY9D8EidAyiwWqmMVRQKNd9ns49fEMQDAKuEBHEWeKWV5l7ocvpoP +dT3ETecCHIbpTIbG7Q8kFhfjd0thQyD6CFzRSP0Tj4kKH8Z5sxO2nRStYKj+krIYw0ncdE +pmPhLpgDJ0fbAFS2h7AtpdmTIh2H8agigawiP6KQgMCpw/h4Giy9Hrxy8mkqVGDXzW0qXM +vNL7ARdLPyNYm8oRgpML9+IqQw/sN/RRy+x8/CmSUAVOV1OuEs4a7Dhwk1dzEUxvtEvGFP +dy/P+0xMtMSI7y+WAFF0Ft0WpmR6SBvrRO/EcbV6QvPOXXDlw69M3H/lLsZLGI7UFQryst +8AAAdA6cyXPOnMlzwAAAAHc3NoLXJzYQAAAgEAzObdiB309CxdWnNh9FvcZciVIFCKkpBO +ZA5lv7gKCZFk5bO/oeA52mBdPX+UP+hzm/EVfGOcxUGSxvPbuptpMjSUY1nyikv4OpAq53 +LQkgI/Tz7YVCsalVgYjo9EEnMR6S4cYHm3jK9UXdYUFAhWDrjnfqe3Winf3W69w4c1X0kg +fNhba5y2lWswcl/24pO2dnaJA/9NtK9bVF2PrEexXtYhewDwlo3DUC1HAchprmDFYjVZw/ +NmUmKhFIwOFBnZ7YeIpkuOzRU88c+cvsluSxofltesNlqZ4S24kqhdpRp2gnzcyhwXUdWr +SCbc2IRcDtb8X+ONHZbFsIMfMKwVvXFWg7Wj1ZY9D8EidAyiwWqmMVRQKNd9ns49fEMQDA +KuEBHEWeKWV5l7ocvpoPdT3ETecCHIbpTIbG7Q8kFhfjd0thQyD6CFzRSP0Tj4kKH8Z5sx +O2nRStYKj+krIYw0ncdEpmPhLpgDJ0fbAFS2h7AtpdmTIh2H8agigawiP6KQgMCpw/h4Gi +y9Hrxy8mkqVGDXzW0qXMvNL7ARdLPyNYm8oRgpML9+IqQw/sN/RRy+x8/CmSUAVOV1OuEs +4a7Dhwk1dzEUxvtEvGFPdy/P+0xMtMSI7y+WAFF0Ft0WpmR6SBvrRO/EcbV6QvPOXXDlw6 +9M3H/lLsZLGI7UFQryst8AAAADAQABAAACAQDDE0Dx6GNfXCV8icFGXXaVSMQBQezL4Kth +QvvH7TVRKqU+s0TMnqc1quzaMe44cdwvKPVluYh1nBpbY6tcG72pWLm1ZNsuo2kuiDbwpz +S+7XjMv25Bo8/pQzgN8YPDdN4mfAn0J62COSI/PCNddxpHZe6vfIlpQ9in/liYIM/Fad+O +PIW9DDQgSS6UlZx81liuq+eCcLvQO+rdhT3VrWPGgGLbsmdbTpgWayThI6bJp8QD3fsaPU +67PL9SyoxUws/h/lkwyVqpEYE2ToxSb3+b7MEKYUbJcLRz142Twst09p7BWJLzsI7bEGvD +g4xabpkeX7tip0egVfzcMdmuAwel381t2vy1dDYG7bpg41MQkxlmthxgAM8Sm6qvOAZdR/ 
+/DuQLFIoaQNgW0457e3i99zfnJ6eJDlRPj7nD2a9MMOyHHyYTLA38vDQ6c5/uGfAal8Y/q +woXxNQmfbAqxJ/Osv24ar4aFzTpMkVCi1yxyBiTFyg4TimPN4Tjhgjf4fmwUs7dsquTrsK +L3nUeQYf/tVX/etQNvRBxsam1GgKQhv1lDXBFZPqoova7g44HRRB7YndgiW74lQ8yuTSqj +Tyrq8jO4fjZAebjDtjwFu3ZYYxyj/MOcXBRKsTDFD9LLA1mdNoMERx3I5QH+XIOry+sCyz +7OXQfh433wimRCfa8dcQAAAQEAmxHGMKSC0YXKsj8KR/NBDVLg5MudvYrtsPlk3UIaioh5 +0wwPkrsvCMlRiTAsdDLGVPSEqNe8EWvMmJvqssCC75KVoxWr2VfhVnPFlogrJy+wz+TkX+ +oaasVm+59KP30jm6SlUkahbyfSABxnWuZUeckpST9EanUSG5mbqVvA+eZsAb7OmT9OVOLd +hIBu+n9muziGAkCKigPUx7aw60aD982rsp6gro+qv+nWF2vrJoGZYJQrB7nHlyPI8WlOt7 +ue9aXCitKjrcbFggHlfuhsej3p3cy3UhgIC0/PUp4av1mYgLc8Z56RBlX5lhdGMPvLR2y2 +iaqCrtOwgVgNmYLaRAAAAQEA/9aVC8Z90GQ5t0kVEa/KUYytp2EM41MnDqqLy0TM9MtNbF +NKD/PzP1IjQR49qKAgtLc2njTsMIUoDNT6osPkMHIwIhx+Z6c4GcOBqYu4bdaN7UEHKvbh +DOB18rAH+8nOEQfIP3iixnNFtilcJ0UcGSDgU0kAG/5hovMTXSYcahSsTuLTi9MLbriUvv +jhAxq0RwMa38nRLDG7lNRRqdMAV9d6ViYSRcuQlH1CqUy0PAJE16hhFsXDtLDzzgx23fAS +sQrAW5vDjkmB+65x6WSTsN1wNGf+7+oboB0uKrb1Owob/cn9Fk3JWlYweMTGNwo5qQ1SIi +Gku0hoIefPc1SuXQAAAQEAzQgJepA65Hcl7qpuPpc1AtIZWnwWHVBsKrBQGMeB22xd0z67 +/F7xzas+FmLmZIMOIhr3KYpHpe/XdL9c71CWwryQYu386liib7el/7rGM6aeINR1Y/c1ei +3ZgbfotBW+95537DFha25HW12lGOxIVcKl1o93XsisVayLI73q2kLRmQq6BqvoObo5pzg3 +hFbwAzGpVVi3P3wBnSwt/JApIEoOgQCDK44W6FcBbKGa8EclxY8gugaaZ+1W8hHAVq4TeA +1kP/MbPUiSOqGN20IWqo3ORNlnIyc5oEgWinHEKHFTuiXuIBulUQtClOTotElbJJhnav2i +I13KhvLmCvP6awAAAAlyb290QG1haWw= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated.pub b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated.pub new file mode 100644 index 0000000..10cdfd4 --- /dev/null +++ b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@mail 
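Review bot: This hunk commits a private SSH key in the clear into roles/common/files — the blob's header decodes to cipher `none` and KDF `none`, so the key material itself is unencrypted — and the same is done for `mail.faire-mobilitaet-id_rsa-opendkim` in a later hunk of this commit. Anyone with read access to the repository, or to any clone or backup of it, holds the credential, and it stays recoverable from history even after a later deletion. Both keys should be generated on the target host or kept in ansible-vault (or another secret store) and written out at deploy time, the plaintext files removed from the tree, and because they have already been committed they should be treated as exposed and rotated, with the old public keys withdrawn wherever they are authorized.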
diff --git a/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim
new file mode 100644
index 0000000..3ea653e
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim
@@ -0,0 +1,49 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEA35XdcuUkcGZptZJWsAPLG5bqQVMWX4NnKIJvbTin6xrDfAGTpaLR +RIVj5mUdMXC02s2CXTtzIIUVFBMN5qnNs5g1z+1hgq0DQlwWNMaR2/QfsJ7zEDKNHS7DpO +vuPGdU1srXgP+71dG6MP1ouT3xloZ9wTVFVRcPczy+RdbAl6u/W35cNvzPkOsABx4ULDUP +JxpSFarpvrQngxT+GJcDGsqtNxpsUxjPZJm/3IjTXJs/Y0jS8DPX1lUai8eEHB8DPU4x/x +uGH5p+tw4E3k5YfKRZSFKoEL0zwIAEsppJs7QEe1KFuLWjIZUp9OS6p2YwEppqMdpG/UO8 +ZOMiVnQOOnwH/OuO//+zfDFK+1hCziwxscVZyp0X7aNh4eW/hmLXsP33MXOkqQ1KkB/1aq +RQh5SnuRFPELGUyTEUbRqX97hA/6q4p6Hk7oUSomyyTXLQImmpF5F75jJzPIjXo6IcMtNI +xEcdHQH2ZpB4ucOseu+31syrtInQbF97aq6p70DffVS8HS0jbaaXxNhJEg8vINMQ1CACbG +rz9vxp6T6eAsONIpy/eIHxu5wafZKBmynyDNO9jysunh86/uHxk1lBqZuB72hjfImsymoV +NSVbHtTnIwk4mb7rdEt2OpzkC7VdXDt8ii4TbzxIeDZUbDaGlW5/5EenvezNJ1QyCmCh7f +MAAAdAf2KMEH9ijBAAAAAHc3NoLXJzYQAAAgEA35XdcuUkcGZptZJWsAPLG5bqQVMWX4Nn +KIJvbTin6xrDfAGTpaLRRIVj5mUdMXC02s2CXTtzIIUVFBMN5qnNs5g1z+1hgq0DQlwWNM +aR2/QfsJ7zEDKNHS7DpOvuPGdU1srXgP+71dG6MP1ouT3xloZ9wTVFVRcPczy+RdbAl6u/ +W35cNvzPkOsABx4ULDUPJxpSFarpvrQngxT+GJcDGsqtNxpsUxjPZJm/3IjTXJs/Y0jS8D +PX1lUai8eEHB8DPU4x/xuGH5p+tw4E3k5YfKRZSFKoEL0zwIAEsppJs7QEe1KFuLWjIZUp +9OS6p2YwEppqMdpG/UO8ZOMiVnQOOnwH/OuO//+zfDFK+1hCziwxscVZyp0X7aNh4eW/hm +LXsP33MXOkqQ1KkB/1aqRQh5SnuRFPELGUyTEUbRqX97hA/6q4p6Hk7oUSomyyTXLQImmp +F5F75jJzPIjXo6IcMtNIxEcdHQH2ZpB4ucOseu+31syrtInQbF97aq6p70DffVS8HS0jba +aXxNhJEg8vINMQ1CACbGrz9vxp6T6eAsONIpy/eIHxu5wafZKBmynyDNO9jysunh86/uHx +k1lBqZuB72hjfImsymoVNSVbHtTnIwk4mb7rdEt2OpzkC7VdXDt8ii4TbzxIeDZUbDaGlW +5/5EenvezNJ1QyCmCh7fMAAAADAQABAAACADG9sYqCF905q4LNj6OQ9Hqq1Gq8BVoybZzB +h/CQjirrxVmtMB/FXTEVS+hRznDVVibnWX1MYIx3jvzsUEdkt3KhBje/49Wij/sPaZFMK9 +73LKWqdwC/fk1jvfrO0i11/5XZgqAcRLmI8xc7CTVM5pZKTWfSZh5MBw/oD5yR7j7P4r6E +GhfRnovq/BKZSnubQke8v046u83FXpT28qCd1/754BdGNZs3Bcynt9tkRUFw+GUqKmNt5T +K1tDYsqONostvMrarHgMs/H7mx0Lt0SpNQLNy+Js2yifTlhiYF1Se5gNW+wikZn7U07iSh +TjU3srIw0DdPDEQD8cGwFk+Neix2H89d5Br2Y9eR9MI7iGO2F8h7nakH6jH6qjR+Msk67B 
+KyO8CCVuoacoBl01rM3WDaHg91CIP/jdimEyc51Q2huTQl3ljSg1hruxpluEE6hRyKEyWB +ipE7peQtHsXY/oofPJoGH8vK/d9ShhLo4I/v4h77gtOGMZlZkChWLXVxJmGr25cMganQJC +UVBbK1gCNgZ/o/FbVb/Sa7qs4kMxaa8UkGU/ARx6jnj+Tywz4QOiukvm17/ZUB844KXfyi +FvOVYD7nMrOO6J4htl+4ejEPhqYXn41OXhLiQyU4f8d9CRDkblJR8UM/wwtaA7+OaK1Ad8 +t2wGKVNEXJNvV1CmPBAAABAQCs2kuDZfBPls1+7UCEoCcupKSGSMUcPiTbx+ImF0YTVYhs +Dokv+9xhQ6KWyk2V2OAaxBu9Ic/k/ehM6rIcGVnL+/z6LCrUqq34w/q4PdE8SzqrBwdthv +N3C7u150hlc8LHutDCUAAP7di/8XgzaVcl/FmI+2+RSdhoV3YGRP/DtvP3/4+FpjFIEBlg +TljexM8l4ie/cCeULu59bCGLjE4ZYUR2F9yDoJvG+S1B30PecV+oohwbbYGDIw+1+VhbkJ +tztk8qd6SafR+WHqffMiqHerg0LeqbT04cNWGyNEaBtcajv3Koi04EG6uXthgBJXG2anl9 +RAdKgissLWx54ug7AAABAQD7LE558uvMho1PuEYZZpjHc+OAcnT3+nQ8y+zM28kYugFV+o +KOd4vp6olASbpTs9nDhrGy6bOvDoxVi/auP/XsIt/no78IiFzmoAVce9NvveR89GAgGhnI +7cqEEFgEWfupfwrC/WK3Dmiij/ah3nslHC5ECwhfxpurIEaHrhxhkdWS9ZzUxREL+xQqyn +7dr1CUnhU8z/W5ISdkLUWkwk6cHQ/bz+AA6YQZCYi3oiQt4QyQBxQHj5PT6rJBJWvlAfzV +XGvMLVCDCUfpGzedoQ8YjFLryON8DgrmkW6V/eBoiVM8HAPR9ZtKZCuqoovRe2pcmcKYrb +Xw1uuQoxjxEI75AAABAQDj4dX0iJv8sg+UB6SYXImzM2avjNzi7xZJXZMvYHvNW+Jk8Qvq +4A9rNooQRsCs5TMg3N/72/gVYnxHjiDunxepTW2qvLf7i27epjKTSqbpmxKa48e5lJk+V9 +38BI6NdS9oCXlqYvo54WtqeniQFH+/nZMVe9EowSHEsaKZ7IUCEmYwpsZvrGuaKALmeZfX +wvDkj6KZl/Fcuhx8U8jFl4c9SEBpeouNC/ZZZ2eRwb3b9zpL0tDr8VYDhoT92yGflwP/db +crz3FRXR4rfmzMu4Jlezt2LqjiGCzG51Weucgvz+2CliJ7zIwUDhpzaPJoITo4Xk1A7IXi +asSfThIqHCNLAAAACXJvb3RAbWFpbAE= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim.pub b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim.pub new file mode 100644 index 0000000..b4ff6f3 --- /dev/null +++ b/roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@mail.faire-mobilitaet.de-opendkim 
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf
new file mode 100644
index 0000000..a4256bf
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf
@@ -0,0 +1,135 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#---------------------------------------
+#-----------------------------
+# Settings for script check_cert_for_dovecot.sh
+#-----------------------------
+#---------------------------------------
+
+# - service_domain
+# -
+# - The main domain for which the certificate was issued
+# -
+# - Example:
+# - service_domain="a.mx.oopen.de"
+# - service_domain="mail.cadus.org"
+# - service_domain="mx.warenform.de"
+# -
+#service_domain=""
+service_domain="mail.faire-mobilitaet.de"
+
+
+# - service_name
+# -
+# - Name of service.
+# -
+# - Note: this var will also be used to determin systemd service file
+# - or sysVinit script.
+# -
+# - Example:
+# - service_name="Mumble"
+# - service_name="Prosody"
+# -
+# - Defaults to:
+# - service_name="Dovecot"
+# -
+#service_name=""
+
+
+# - check_string_ps
+# -
+# - String wich (clearly) identifies the service at the process list (ps)
+# -
+# - Example:
+# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd"
+# - check_string_ps=""
+# -
+# - Defaults to:
+# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot"
+# -
+#check_string_ps=""
+
+
+# - service_user
+# -
+# - User under which the service is running.
+# -
+# - Example:
+# - service_user="mumble-server"
+# - service_user="prosody"
+# -
+# - Defaults to:
+# - service_user="prosody"
+# -
+#service_user=""
+
+
+# - service_group
+# -
+# - Group under which the service is running.
+# -
+# - Example:
+# - service_group="mumble-server"
+# - service_group="prosody"
+# -
+# - Defaults to:
+# - service_group="prosody"
+# -
+#service_group=""
+
+
+# - cert_installed
+# -
+# - Locataion of certificate read by service
+# -
+# - Example:
+# - cert_installed="/var/lib/mumble-server/fullchain.pem"
+# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
+# -
+# - Defaults to:
+# - /etc/dovecot/ssl/mailserver.crt
+# -
+#cert_installed=""
+
+
+# - key_installed
+# -
+# - Location of the key read by service
+# -
+# - Example:
+# - key_installed="/var/lib/mumble-server/privkey.pem"
+# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem"
+# -
+# - Defaults to:
+# - /etc/dovecot/ssl/mailserver.key
+# -
+#key_installed=""
+
+
+# - cert_newest
+# -
+# - Location of the newest certificate.
+# -
+# - Example:
+# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem"
+# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
+# -
+# - Defaults to:
+# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem
+# -
+#cert_newest=""
+
+
+# - key_newest
+# -
+# - Location of the newest Key
+# -
+# - Example:
+# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem"
+# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem"
+# -
+# - Defaults to:
+# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem
+# -
+#key_newest=""
+
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
new file mode 100644
index 0000000..c152dce
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
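Review bot: The `Defaults to:` lines for `service_user` and `service_group` claim `prosody`, while everything else in this file is the Dovecot variant (`service_name="Dovecot"`, the `cert_installed` default `/etc/dovecot/ssl/mailserver.crt`, a `check_string_ps` default ending in `/sbin/dovecot`); these read like leftovers from a Prosody copy of the template and would mislead an operator about which account the check expects the daemon to run under. If the script's built-in defaults really are `prosody`, a Dovecot host needs explicit `service_user`/`service_group` values here; if they are something else, the two comments should say what it is. While the template is being touched, `Locataion`, `determin` and `wich` are worth correcting, since this file is copied per host.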
@@ -0,0 +1,178 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#---------------------------------------
+#-----------------------------
+# Settings
+#-----------------------------
+#---------------------------------------
+
+
+# ---
+# - LOGGING
+# -
+# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
+# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
+# - errors occurs.
+# ---
+
+
+# - What to check
+# -
+check_load=true
+check_mysql=false
+
+# - PostgreSQL
+# -
+# - NOT useful, if more than one PostgreSQL instances are running!
+# -
+check_postgresql=false
+
+check_apache=true
+check_nginx=false
+check_php_fpm=true
+check_redis=false
+check_website=false
+
+# - If service is not listen on 127.0.0.1/loclhost, curl check must
+# - be ommited
+# -
+# - Defaults to: ommit_curl_check_nginx=false
+# -
+#ommit_curl_check_nginx=false
+
+# - Is this a vserver guest machine?
+# -
+# - Not VSerber guest host does not support systemd!
+# -
+# - defaults to: vserver_guest=false
+# -
+#vserver_guest=false
+
+
+# - Additional Settings for check_mysql
+# -
+# - MySQL / MariaDB credentials
+# -
+# - Giving password on command line is insecure an sind mysql 5.5
+# - you will get a warning doing so.
+# -
+# - Reading username/password fro file ist also possible, using MySQL/MariaDB
+# - commandline parameter '--defaults-file'.
+# -
+# - Since Mysql Version 5.6, you can read username/password from
+# - encrypted file.
+# -
+# - Create (encrypted) option file:
+# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
+# - $ Password:
+# -
+# - Use of option file:
+# - $ mysql --login-path=local ...
+# -
+# - Example
+# - mysql_credential_args="--login-path=local"
+# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+
+
+# - Additional Settings for check_php_fpm
+# -
+# - On Linux Vserver System set
+# - curl_check_host=localhost
+# -
+# - On LX-Container set
+# - curl_check_host=127.0.0.1
+# -
+curl_check_host=127.0.0.1
+
+# - Which PHP versions should be supported by this script. If more than one,
+# - give a blank separated list
+# -
+# - Example:
+# - php_versions="5.4 5.6 7.0 7.1"
+# -
+php_versions="7.4"
+
+# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
+# - set the value given in your ping.path setting here. Give ping_path also
+# - the concerning php_version in form
+# - :
+# -
+# - Multiple settings are possible, give a blank separated list.
+# -
+# - Example:
+# -
+# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
+# -
+ping_path=""
+
+
+# - Additional Settings for check_website - checking (expected) website response
+# -
+# - example:
+# - is_working_url="https://www.outoflineshop.de/"
+# - check_string='ool-account-links'
+# - include_cleanup_function=true
+# - extra_alert_address="ilker@so36.net"
+# - cleanup_function='
+# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
+# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
+# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
+# - if [[ "$?" = "0" ]]; then
+# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
+# - else
+# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
+# - fi
+# - /etc/init.d/redis_6379 restart
+# - if [[ "$?" = "0" ]]; then
+# - ok "I restarted the redis service"
+# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
+# - else
+# - error "Restarting the redis server failed!"
+# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
+# - fi
+# - '
+# -
+is_working_url=''
+
+check_string=''
+
+include_cleanup_function=true
+
+# - An extra e-mail address, which will be informed, if the given check URL
+# - does not response as expected (check_string) AFTER script checking, restarting
+# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
+# -
+extra_alert_address=''
+
+# - php_version_of_working_url
+# -
+# - If given website (is_working_url) does not response as expected, this PHP FPM
+# - engines will be restarted.
+# -
+# - Type "None" if site does not support php
+# -
+# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
+# - will be restarted
+# -
+php_version_of_working_url=''
+
+# - Notice:
+# - If single qoutes "'" not needed inside cleanup function, then use single quotes
+# - to enclose variable "cleanup_function". Then you don't have do masquerade any
+# - sign inside.
+# -
+# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
+# -
+cleanup_function='
+'
+
+
+# - E-Mail settings for sending script messages
+# -
+from_address="root@`hostname -f`"
+content_type='Content-Type: text/plain;\n charset="utf-8"'
+to_addresses="root"
+
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/create_opendkim_key.conf
new file mode 100644
index 0000000..424d06d
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/create_opendkim_key.conf
@@ -0,0 +1,176 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---------------------------------------------------------
+# - Parameter Settings for script 'create_opendkim_key.sh'.
+# ---------------------------------------------------------
+
+
+# ----------
+# DNS Server
+# ----------
+
+# - dns_dkim_zone_master_server
+# -
+# - The DNS Server who is serving the update zone and is used
+# - for the dynamic updates (nsupdate)
+# -
+#dns_dkim_zone_master_server=""
+dns_dkim_zone_master_server="b.ns.oopen.de"
+
+# - update_dns
+# -
+# - Possible Values are 'true' or 'false'
+# -
+#update_dns=""
+
+# - update_zone
+# -
+# - Zone containing the DKIM TXT record.
+# -
+# - Defaults to '_domainkey.'
+# -
+# - Note:
+# - do NOT change/set this option unless you know what you do.
+# -
+#update_zone=""
+
+# - TTL
+# -
+# - TTL for the DKIM TXT Record.
+# -
+# - Defaults to "" if update_dns=false
+# - Defaults to "43200" if update_dns=true
+#
+#TTL=""
+
+
+# ----------
+# TSIG Key
+# ----------
+
+# - key_secret
+# -
+# - Sectret Key used by 'nsupdate' to create/update the
+# - DKIM TXT record.
+# -
+# - Example:
+# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
+# -
+#key_secret=""
+key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
+
+# - key_algo
+# -
+# - The key algorithm used for key creation. Available choices are: hmac-md5,
+# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The
+# - default is hmac-sha256. Options are case-insensitive.
+# -
+# - Example:
+# - key_algo="hmac-md5"
+# -
+# - Defaults to 'hmac-sha256'
+# -
+#key_algo="hmac-sha256"
+key_algo="hmac-sha256"
+
+# - key_name
+# -
+# - Name of the Key
+# -
+# - Defaults to "$update_zone"
+# -
+#key_name=
+key_name="update-dkim"
+
+
+# ----------
+# Access Credentials DNS Server
+# ----------
+
+# - dns_ssh_user
+# -
+# - Defaults to 'manage-bind'
+# -
+#dns_ssh_user="manage-bind"
+
+# - dns_ssh_port
+# -
+# - Defaults to '22'
+# -
+#dns_ssh_port=22
+
+# - dns_ssh_key
+# -
+# - Defaults to '/root/.ssh/id_rsa-opendkim'
+# -
+#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
+
+
+# ----------
+# Scripts envoked at DNS Server
+# ----------
+
+# - set_new_serial_script
+# -
+# - Script increases the serial for a given domain or a given
+# - hostname's concerning domain.
+# -
+# - Defaults to '/root/bin/bind/bind_set_new_serial.sh'
+# -
+#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
+
+# - create_dkim_delegation_script
+# -
+# - Script adds DKIM subdomain delegation for a given domain
+# -
+# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
+# -
+#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
+
+# - add_dkim_zone_master_script
+# -
+# - Script adds zone _domainkey. as master zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
+# -
+#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
+
+# - add_dkim_zone_slave_script
+# -
+# - Script adds zone _domainkey. as slave zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
+# -
+#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
+
+
+
+# ----------
+# OpenDKIM Installation
+# ----------
+
+# - opendkim_dir
+# -
+# - OpenDKIM's etc-directory
+# -
+# - Defaults to opendkim_dir="/etc/opendkim"
+# -
+#opendkim_dir="/etc/opendkim"
+
+# - key_base_dir
+# -
+# - Defaults to "${opendkim_dir}/keys"
+# -
+#key_base_dir=${opendkim_dir}/keys
+
+# - signing_table_file
+# -
+# - Defaults to "${opendkim_dir}/signing.table"
+# -
+#signing_table_file="${opendkim_dir}/signing.table"
+
+# - key_table_file
+# -
+# - Defaults to "${opendkim_dir}/key.table"
+# -
+#key_table_file="${opendkim_dir}/key.table"
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/postfix_add_mailboxes.conf
new file mode 100644
index 0000000..6b2aa7c
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/postfix_add_mailboxes.conf
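Review bot: The `key_secret=` assignment commits a live TSIG secret in plaintext to roles/common/files; per the file's own description this is the key `nsupdate` uses to create and update DKIM TXT records on `dns_dkim_zone_master_server` (`b.ns.oopen.de`), so anyone who can read the repository can alter records in that zone. The value should come from ansible-vault or another secret store and be templated into the file at deploy time (for example `key_secret="{{ opendkim_tsig_secret }}"`, variable name a placeholder), and since it has already been committed it should be treated as disclosed and re-generated on the DNS master, with the old key removed from the zone's update policy. The mail.cadus copy of create_opendkim_key.conf at the top of this chunk starts outside this view, so whether it carries its own secret cannot be checked here.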
@@ -0,0 +1,86 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ----------------------------------------------------
+# ---
+# - Parameter Settings for script 'postfix_add_mailboxes.sh'.
+# ---
+# ----------------------------------------------------
+
+# - dovecot_enc_method
+# -
+# - The (dovecot) password scheme which should be used to generate the hashed
+# - passwords of EXISTING users.
+# -
+# - Possible values are:
+# -
+# - See output of 'doveadm pw -l'
+# -
+# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT"
+# -
+#dovecot_enc_method="SHA512-CRYPT"
+
+# - in_file
+# -
+# - The file from wich the script reads the e-mail-address/password
+# - kombination(s). Each line in this file must only contain
+# -
+# -
+# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst"
+# -
+#in_file="${conf_dir}/mailboxes_new.lst"
+
+# - db_type
+# -
+# - Type of Postfix Database
+# -
+# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
+# -
+# - Defaults to: db_type="pgsql"
+# -
+db_type="pgsql"
+
+# - db_name
+# -
+# - Database name for the postfix database
+# -
+# - Defaults to: db_name="postfix"
+# -
+#db_name="postfix"
+
+# - db_name
+# -
+# - Database name for the postfix database
+# -
+# - Defaults to: db_name="postfix"
+# -
+#db_name="postfix"
+
+# - mysql_credential_args (root access to MySQL Database)
+# -
+# - Example
+# - mysql_credential_args="--login-path=local"
+# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - Defaults to:
+# - '--defaults-file=/etc/mysql/debian.cnf' if MySQL is installed from debian package system
+# - '--defaults-file=/usr/local/mysql/sys-maint.cnf' otherwise
+# -
+#mysql_credential_args=""
+
+# - quota
+# -
+# - The quota setting for the new mailboxes.
+# -
+# - Defaults to: quota="536870912"
+# -
+#quota="536870912"
+quota="1073741824"
+
+# - log_file
+# -
+# - Where to write logging informations?
+# -
+# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log"
+# -
+#log_file="${script_dir}/log/postfix_add_mailboxes.log"
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/sent_userinfo_postfix.conf
new file mode 100644
index 0000000..a7dbc78
--- /dev/null
+++ b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/sent_userinfo_postfix.conf
@@ -0,0 +1,92 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'sent_userinfo_postfix.sh'. +# --- +# ---------------------------------------------------- + +# - message_body_file +# - +# - Full path to file containing the user info. This file must contain +# - the message body WITHOUT e-mail headers. If file is placed in the +# - 'files' directory use '${file_dir}/' +# - +# - Defaults to '${file_dir}/sent_userinfo_postfix.message' +# - +#message_body_file="${file_dir}/sent_userinfo_postfix.email" + + +# - email_from +# - +# - From Address of user info +# - +# - Example: 'oo@oopen.de' +# - +email_from="postmster@faire-mobilitaet.de" + + +# - email_from_org +# - +# - Example: email_from_org="O.OPEN" +# - +email_from_org="Projekt Faire Mobilität" + + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + + +# - mail_user +# - +# - The owner of the mailbox directories and within the e-mails itself. +# - +# - defaults to mail_user="vmail" +# - +#mail_user="vmail" + + +# - mail_group +# - +# - The group of the mailbox directories +# - +# - defaults to mail_group="vmail" +# - +#mail_group="vmail" + + +# - mail_basedir - No more needed! 
+# - +# - The root directory where all mailbox-domains are located. +# - +# - Defaults to '/var/vmail'. +# - +#mail_basedir=/var/vmail diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/whitelist_mb_sigs.conf new file mode 100644 index 0000000..11c60fa --- /dev/null +++ b/roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/whitelist_mb_sigs.conf @@ -0,0 +1,44 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ====================================================== +# --- +# Parameter Settings for Script 'whitelist_mb_sigs.conf' +# --- +# ====================================================== + +# QUARANTINE_BASE_DIR +# +# Base directory where amavis stores quarantined e-mails, mostly in +# +# virus e-mails: $QUARANTINE_BASE_DIR/virus +# spam emails: $QUARANTINE_BASE_DIR/spam +# .. +# +# Defaults to: +# QUARANTINE_BASE_DIR="/var/QUARANTINE" +# +#QUARANTINE_BASE_DIR="/var/QUARANTINE" + + +# CLAMAV_VIRUS_WHITE_LIST +# +# Full path to clamav's (personal) white list file +# +# Defaults to: +# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" +# +#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" + + +# WHITE_LIST_STRINGS +# +# A blank separated list of strings to whitelist. +# +# Example: +# WHITE_LIST_STRINGS="google.com tinyurl.com" +# +# Defaults to: +# WHITE_LIST_STRINGS="google.com" +# +#WHITE_LIST_STRINGS="google.com" +WHITE_LIST_STRINGS="google.com tinyurl.com" diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts new file mode 100644 index 0000000..7cf08f4 --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts 
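Review bot: `email_from="postmster@faire-mobilitaet.de"` looks like a typo for `postmaster@faire-mobilitaet.de`; as written, replies and bounces to the user-info mail land on a non-existent mailbox, and the address may also fail any sender check the submitting relay applies. The `message_body_file` comment says the default is `'${file_dir}/sent_userinfo_postfix.message'` while the commented-out example uses `sent_userinfo_postfix.email`; one of the two should be corrected so they agree.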
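Review bot: `WHITE_LIST_STRINGS="google.com tinyurl.com"` widens the whitelist to a URL shortener, which is a common phishing-lure domain; if the script uses these strings to select signatures for `CLAMAV_VIRUS_WHITE_LIST` (the `.ign2` file named above), every signature matching that string will be ignored from then on. A one-line why-comment above the active line, e.g. `# tinyurl.com added because legitimate newsletters trip the URL signatures - review periodically`, would record the trade-off; if there is no such reason, keep the default. The header "Parameter Settings for Script 'whitelist_mb_sigs.conf'" presumably should name the `.sh` script rather than this config file.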
@@ -0,0 +1,24 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# hosts blocked by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+# # block all hosts of domain 'oopen.de'
+# \.oopen\.de$
+#
+# # block host a.mx.oopen.de
+# ^a\.mx\.oopen\.de$
+#
+# ---
+
+# give hostnames to blocke here
+illuminatus\.lionheart\.lovejoy$
+dancortez\.500$
+geplosser\.pl$
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
new file mode 100644
index 0000000..40da8b5
--- /dev/null
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@@ -0,0 +1,20 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Networks blocked by postfwd
+#
+# Example:
+#
+# # web0.warenform.de
+# #83.223.86.76
+# #2a01:30:0:505:286:96ff:fe4a:6ee
+# #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give networks to block here
+188.214.104.0/24
+91.219.236.254
+85.254.72.106
+103.136.40.0/23
+185.53.170.115
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
new file mode 100644
index 0000000..cd3881e
--- /dev/null
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@@ -0,0 +1,58 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Sender addresses blocked by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# @acieu\.co\.uk$
+# ^error@mailfrom.com$
+#
+# instedt of
+#
+# @acieu.co.uk
+# error@mailfrom.com
+#
+#
+# Example:
+#
+# # # annoying spammer domains
+# # block all senders of maildomaindomain 'oopen.de'
+# @acieu\.co\.uk$
+#
+# # annoying spammer addresses
+# # block sender address
+# error@mailfrom.com
+# sqek@eike\.se$
+#
+# ---
+
+# annoying spammer domains
+@acieu\.co\.uk$
+@sendelope\.eu$
+@growthrecords\.com$
+@videosicherheit.biz$
+@arbeitsschutzmasken.shop$
+@medprodukte.shop$
+@geplosser\.pl$
+@alfasells\.de$
+@news-des-tages\.de$
+
+@inx1and1\..+$
+@ppe-healthcare-europe\.\S+$
+@testbedarf\.shop$
+@acievents\.\S+$
+@dokpotenz\.\S+$
+@doktorapo\.\S+$
+@team-de-luxe\.\S+$
+@klickensiejetzt\.\S+$
+@podiumskate\.\S+$
+@ppe-healthcare-europe\.\S+$
+
+
+# annoying spammer addresses
+^error@mailfrom\.com$
+^sqek@eike\.se$
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-user b/roles/common/files/mailserver/etc/postfix/postfwd.bl-user
new file mode 100644
index 0000000..3ca2bb7
--- /dev/null
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-user
@@ -0,0 +1,13 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# SASL Users blocked by postfwd
+#
+# Example:
+#
+# # give SASL usernames to block here
+# ckubu@oopen.de
+#
+# ---
+
+# give SASL usernames to block here
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.cf b/roles/common/files/mailserver/etc/postfix/postfwd.cf
new file mode 100644
index 0000000..9b8b549
--- /dev/null
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.cf
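Review bot: Three entries use unescaped dots (`@videosicherheit.biz$`, `@arbeitsschutzmasken.shop$`, `@medprodukte.shop$`) although the file's own header says to escape them; because this list is applied with `=~`, a bare `.` matches any character, so these patterns are slightly wider than intended — write `@videosicherheit\.biz$`, `@arbeitsschutzmasken\.shop$`, `@medprodukte\.shop$`. `@ppe-healthcare-europe\.\S+$` appears twice (right after `@inx1and1\..+$` and again at the end of the domain block); one copy should go. The `\.\S+$` suffixes match any TLD of those names, which looks deliberate, but a one-line comment such as `# match these domains under any TLD` above that group would make it explicit.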
@@ -0,0 +1,173 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#======= Definitions ============
+
+# Match messages with an associated SASL username
+&&SASL_AUTH {
+ sasl_username!~^$
+}
+
+# Trusted networks
+&&TRUSTED_NETS {
+ client_address==file:/etc/postfix/postfwd.wl-nets
+}
+
+# Trusted hostnames
+# client_name~=.warenform.de$
+&&TRUSTED_HOSTS {
+ client_name=~file:/etc/postfix/postfwd.wl-hosts
+}
+
+# Trusted users
+&&TRUSTED_USERS {
+ sasl_username==file:/etc/postfix/postfwd.wl-user
+}
+
+# Trusted senders
+&&TRUSTED_SENDERS {
+ sender=~file:/etc/postfix/postfwd.wl-sender
+}
+
+# Blacklist networks
+&&BLOCK_NETS {
+ client_address==file:/etc/postfix/postfwd.bl-nets
+}
+
+# Blacklist hostnames
+&&BLOCK_HOSTS {
+ client_name=~file:/etc/postfix/postfwd.bl-hosts
+}
+
+# Blacklist users
+&&BLOCK_USERS {
+ sasl_username==file:/etc/postfix/postfwd.bl-user
+}
+
+# Blacklist sender adresses
+&&BLOCK_SENDER {
+ # =~
+ # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
+ sender=~file:/etc/postfix/postfwd.bl-sender
+}
+
+# Inbound emails only
+&&INCOMING {
+ client_address!=127.0.0.1
+}
+
+
+#======= Rule Sets ============
+
+# ---
+#
+# Processing of the Rule Sets
+#
+# The parser checks the elements of a policy delegation request against the postfwd set
+# of rules and, if necessary, triggers the configured action (action=). Similar to a
+# classic firewall, a rule is considered true if every element of the set of rules (or
+# one from every element list) applies to the comparison. I.e. the following rule:
+#
+# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
+#
+# triggers a REJECT if the
+#
+# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+#
+# Note:
+# If an element occurs more than once, an element list is formed:
+#
+# The following rule set is equivalent to the above:
+#
+# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
+#
+#
+# triggers a REJECT if (as above) the
+#
+# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+# ---
+
+# Whitelists
+
+# Whitelist trusted networks
+id=WHL_NETS
+ &&TRUSTED_NETS
+ action=DUNNO
+
+# Whitelist trusted hostnames
+id=WHL_HOSTS
+ &&TRUSTED_HOSTS
+ action=DUNNO
+
+# Whitelist sasl users
+id=WHL_USERS
+ &&TRUSTED_USERS
+ action=DUNNO
+
+# Whitelist senders
+id=WHL_SENDERS
+ &&INCOMING
+ &&TRUSTED_SENDERS
+ action=DUNNO
+
+
+# Blacklists
+
+# Block networks
+id=BL_NETS
+ &&BLOCK_NETS
+ action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
+
+# Block hostname
+id=BL_HOSTS
+ &&BLOCK_HOSTS
+ action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
+
+# Block users
+id=BL_USERS
+ &&BLOCK_USERS
+ action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
+
+# Blacklist sender
+#
+# Claim successful delivery and silently discard the message.
+#
+id=BL_SENDER
+ &&BLOCK_SENDER
+ #action=DISCARD
+ action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
+
+
+# Rate Limits
+
+# Throttle unknown clients to 5 recipients per 5 minutes:
+id=RATE_UNKNOWN_CLIENT_ADDR
+ sasl_username =~ /^$/
+ client_name==unknown
+ action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
+
+# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
+id=RATE_CLIENT_ADDR
+ &&INCOMING
+ action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
+
+# Block messages with more than 50 recipients
+id=BLOCK_MSG_RCPT
+ &&INCOMING
+ &&SASL_AUTH
+ recipient_count=50
+ action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
+
+# Block users sending more than 50 messages/hour
+id=RATE_MSG
+ &&INCOMING
+ &&SASL_AUTH
+ action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
+
+# Block users sending more than 250 recipients total/hour
+id=RATE_RCPT
+ &&INCOMING
+ &&SASL_AUTH
+ action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
+
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
new file mode 100644
index 0000000..c425a4e
--- /dev/null
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
@@ -0,0 +1,22 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted hosts whitelisted by postfwd
+#
+# This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+# # all hosts of domain 'oopen.de'
+# \.oopen\.de$
+#
+# # host a.mx.oopen.de
+# ^a\.mx\.oopen\.de$
+#
+# ---
+
+# give truested hostnames here
+
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
new file mode 100644
index 0000000..d194340
--- /dev/null
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
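Review bot: `id=WHL_SENDERS` returns `action=DUNNO` for any envelope sender matching postfwd.wl-sender and sits above `BL_NETS`, `BL_HOSTS` and every rate rule while requiring only `&&INCOMING`; since the first matching rule's action is what postfwd hands back to Postfix and the envelope sender is chosen by the client, anyone who learns a whitelisted address can forge it to skip the network/host blacklists and the per-client rate limits. Either move `id=BL_NETS` and `id=BL_HOSTS` above `id=WHL_SENDERS`, or bind the sender whitelist to something the client cannot forge by adding `&&SASL_AUTH` (or `&&TRUSTED_NETS`) to that rule. `&&INCOMING` only excludes `127.0.0.1`, so local submissions over the IPv6 loopback are still counted by `RATE_CLIENT_ADDR`; `client_address!~^(127\.0\.0\.1|::1)$` covers both forms (confirm how Postfix spells the IPv6 loopback in the policy request). The `RATE_CLIENT_ADDR` action text `421 421 4.7.0 ...` repeats the status code where the other rate actions use a single `450 4.7.1 ...`, and the comment above `id=BL_SENDER` still describes `DISCARD` although the active action is `REJECT`.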
@@ -0,0 +1,15 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted networks whitelisted by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give truested networrk adresses here diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.wl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.wl-sender new file mode 100644 index 0000000..d5c5acd --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-sender @@ -0,0 +1,22 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted senders whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ^ckubu@oopen\.de$ +# +# --- + +# give trusted sender addresses here + diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.wl-user b/roles/common/files/mailserver/etc/postfix/postfwd.wl-user new file mode 100644 index 0000000..f1d2ac5 --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-user @@ -0,0 +1,15 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# SASL Users whitelisted by postfwd +# +# example: +# +# # give trusted sasl usernames here +# ckubu@oopen.de +# vertrieb@akweb.de +# +# --- + +# give trusted sasl usernames here + diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index fec35b3..ad7083c 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -68,3 +68,8 @@ service: name: tor state: reloaded + +- name: Reload postfwd + service: + name: postfwd + state: reloaded diff --git a/roles/common/tasks/copy_files.yml b/roles/common/tasks/copy_files.yml index b66b6aa..23a07d2 100644 --- a/roles/common/tasks/copy_files.yml 
+++ b/roles/common/tasks/copy_files.yml @@ -19,6 +19,45 @@ - copy-files - copy-plain-files +- name: (copy_files.yml) Copy plain files Postfix Firewall (postfwd) + copy: + src: '{{ item.src_path }}' + dest: '{{ item.dest_path }}' + owner: root + group: root + mode: '0644' + loop: "{{ copy_plain_files_postfwd }}" + loop_control: + label: 'dest: {{ item.name }}' + when: + - inventory_hostname in groups['mail_server'] + - copy_plain_files_postfwd is defined + - copy_plain_files_postfwd|length > 0 + tags: + - copy-files + - copy-plain-files + notify: "Reload postfwd" + +- name: (copy_files.yml) Copy host specific plain files Postfix Firewall (postfwd) + copy: + src: '{{ item.src_path }}' + dest: '{{ item.dest_path }}' + owner: root + group: root + mode: '0644' + loop: "{{ copy_plain_files_postfwd_host_specific }}" + loop_control: + label: 'dest: {{ item.name }}' + when: + - inventory_hostname in groups['mail_server'] + - copy_plain_files_postfwd_host_specific is defined + - copy_plain_files_postfwd_host_specific|length > 0 + tags: + - copy-files + - copy-plain-files + notify: "Reload postfwd" + + - name: (copy_files.yml) Copy template files template: src: '{{ item.src_path }}' diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 index 4de79b6..db3d732 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 @@ -12,7 +12,7 @@ _HOSTNAME={{ hostname }} _IPV4='{{ ipv4_address | default(omit) }}' _IPV6='{{ ipv6_address | default(omit) }}' -_ADMIN_EMAIL=argus@oopen.de +_ADMIN_EMAIL="{{ admin_email }}" _SASL_AUTH_ENABLED="{{ sasl_auth_enable | default('no') }}" _SASL_USER='{{ sasl_user | default(omit) }}' _SASL_PASS='{{ sasl_pass | default(omit) }}' 
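Review bot: Both new tasks evaluate `inventory_hostname in groups['mail_server']` as their first condition, which raises an undefined-key error on any inventory that has no `mail_server` group; `inventory_hostname in groups['mail_server'] | default([])` keeps the role usable elsewhere. The two tasks differ only in the looped variable, so a single task with `loop: "{{ copy_plain_files_postfwd | default([]) + copy_plain_files_postfwd_host_specific | default([]) }}"` would halve the duplication while preserving the current precedence (host-specific entries are appended last and therefore overwrite the common `postfwd.wl-user`), and the `is defined` / `length > 0` guards become unnecessary. The enclosing task list continues past the hunk.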
diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 index dcc43dc..ef8b37d 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 @@ -234,9 +234,13 @@ POSTFIX_DB_TYPE="mysql" # - Example: # - POSTFIX_DB_HOST_PGSQL='/var/run/postgresql' # - -# - Defaults to '/var/run/postgresql' +# - Defaults to '/run/postgresql' # - +{% if (postfix_db_host is defined) and postfix_db_host %} +POSTFIX_DB_HOST_PGSQL="{{ postfix_db_host }}" +{% else %} #POSTFIX_DB_HOST_PGSQL="" +{% endif %} # - Name of Postfix Database # - diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 index 2946ffd..47ec534 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 @@ -36,7 +36,7 @@ systemd_support="true" # - Example: # - postmaster_address="admin\@warenform.net" # - -postmaster_address="admin\@oopen.de" +postmaster_address="{{ admin_email | split('@') | first }}\@{{ admin_email | split('@') | last }}" # - hostname diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 index 86a6f71..61058bf 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 
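Review bot: `postmaster_address="{{ admin_email | split('@') | first }}\@{{ admin_email | split('@') | last }}"` only re-inserts a backslash-escaped `@`; `postmaster_address="{{ admin_email | replace('@', '\\@') }}"` states that directly and does not depend on the `split` filter, which if I recall correctly is only available in ansible-core 2.11 and newer. Both spellings make the template fail when `admin_email` is undefined, which is acceptable for a required value but differs from the `default(omit)` style used for the optional values in these templates; a short comment above the line noting that `admin_email` is mandatory would help the next reader.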
@@ -143,7 +143,11 @@ DB_TYPE="{{ roundcube_db_type | default(omit) }}" # - # - Defaults to 'localhost' # - -DB_HOST="{{ roundcube_db_host | default(omit) }}" +{% if (roundcube_db_host is defined) and roundcube_db_host %} +DB_HOST="{{ roundcube_db_host }}" +{% else %} +#DB_HOST="" +{% endif %} # - Name of Roundcube Database # - @@ -239,7 +243,11 @@ POSTFIX_DB_TYPE="mysql" # - # - Defaults to 'localhost' # - -POSTFIX_DB_HOST="{{ postfix_db_host | default(omit) }}" +{% if (postfix_db_host is defined) and postfix_db_host %} +POSTFIX_DB_HOST_PGSQL="{{ postfix_db_host }}" +{% else %} +#POSTFIX_DB_HOST_PGSQL="" +{% endif %} # - Name of Postfix Database # - @@ -247,7 +255,11 @@ POSTFIX_DB_HOST="{{ postfix_db_host | default(omit) }}" # - # - Defaults to 'postfix' # - -POSTFIX_DB_NAME="{{ postfix_db_name | default(omit) }}" +{% if (postfix_db_name is defined) and postfix_db_name %} +POSTFIX_DB_NAME="{{ postfix_db_name }}" +{% else %} +#POSTFIX_DB_NAME="" +{% endif %} # - User of Postfix Database # - @@ -255,7 +267,11 @@ POSTFIX_DB_NAME="{{ postfix_db_name | default(omit) }}" # - # - Defaults to 'postfix' # - -POSTFIX_DB_USER="{{ postfix_db_user | default(omit) }}" +{% if (postfix_db_name is defined) and postfix_db_name %} +POSTFIX_DB_USER="{{ postfix_db_user }}" +{% else %} +#POSTFIX_DB_USER="" +{% endif %} # - Password of Postfix Database # -
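Review bot: The replacement lines rename the emitted variable from `POSTFIX_DB_HOST` to `POSTFIX_DB_HOST_PGSQL` (active and commented form alike), which matches the postfixadmin template but not the comment kept directly above ("Defaults to 'localhost'"); unless the roundcube installer was also changed to read `POSTFIX_DB_HOST_PGSQL`, the configured host is silently ignored and the script falls back to its built-in default. Please confirm the variable name the consuming script reads and either restore `POSTFIX_DB_HOST="{{ postfix_db_host }}"` or update the comment to the PostgreSQL socket default. The surrounding file continues outside the hunk.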
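Review bot: The new guard tests the wrong variable: `{% if (postfix_db_name is defined) and postfix_db_name %}` wraps `POSTFIX_DB_USER="{{ postfix_db_user }}"`, so with `postfix_db_name` set and `postfix_db_user` unset the template aborts on an undefined variable, and with the reverse the user is silently dropped. It should read `{% if (postfix_db_user is defined) and postfix_db_user %}`, mirroring the `POSTFIX_DB_NAME` and `POSTFIX_DB_HOST_PGSQL` blocks above it.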