4.0 KiB
Ansible Role: disposable-mail
This is an Ansible role that sets up a mail server by installing and configuring postfix, dovecot, and opendkim.
It is intended to facilitate using smtp and imap service with disposable mail aliases for a single user. It stores mail using Maildir, which is a simple plaintext format. The configuration uses unix sockets for inter-process communication and prefers strong encryption for network connections. The configured header_checks filter out unnecessary postfix mail headers to limit leakage of personal information.
This configuration is not intended to replace a user's primary personal email account. Do not use a disposable alias for important or sensitive accounts. Messages are by default stored in plaintext on your server (unless you've set up disk encryption separately).
It includes a helper script to create new email aliases. You can create an alias to call it.
alias addmail='ssh root@host create-email-alias'
Usage: addmail newservice
creates an alias to receive mail at newservice@example.com
I go one step further and add an alias on my local machine: alias addmail="ssh root@mail.example.com create-email-alias"
Requirements
- Debian/Ubuntu
- robertdebock.dovecot
See requirements.yml
Variables
postfix_domain: example.com
postfix_hostname: mail.example.com
postfix_smtpd_tls_cert_file: ""
postfix_smtpd_tls_key_file: ""
postfix_smtpd_tls_dh1024_param_file: ""
To operate multiple domains from a single server, add additional domains to the virtual_domains
list:
postfix_virtual_domains:
- name: example.org
cert: /var/acme/certificates/mail.example.org.crt
key: /var/acme/certificates/mail.example.org.key
- name: example.net
cert: /var/acme/certificates/mail.example.net.crt
key: /var/acme/certificates/mail.example.net.key
See the default variables.
Example Playbook
- hosts: mail
become: yes
roles:
- bleetube.disposable-mail
Example Deployment
Security
For hardening, we recommend that network access to dovecot (TCP/993) be restricted to trusted IPs. See cve details.
Privacy
Postfix master.cf
should configure smtpd behavior to require encrypted client connections. In practice, this means figuring out what connection method for a given mail client that is going to work with a mail server that requires strong encryption.
See docs/CLIENTS.md for notes on mail clients.
Backups
See the provided example script. Keep in mind that when restoring the imap.passwd
file for Dovecot, that a new system will have different user ids for maildir. There is a helper to rewrite all the uid/gids to the maildir user when restoring from a backup on a new system:
ansible-playbook -e 'force_dovecot_passwd_file_maildir_ids=yes' playbooks/mail.yml
Troubleshooting
systemctl status opendkim dovecot postfix
journalctl -fu postfix@-
journalctl -fu dovecot
Misc
There are some interesting mta implementations that may replace or compliment parts of this stack in the future:
- simple-nixos-mailserver
- maddy (go)
- jmap, vsmtp (rust)
- roundcube (php)
Credit
Thanks to Mischa ter Smitten for his work on the ansible-postfix role. The postfix setup process is largely a modified version of that role. The relevant license and copyright notice can be found in postfix.yml.