Ansible Role: disposable-mail

This is an Ansible role that sets up a mail server by installing and configuring postfix, dovecot, and opendkim.

It is intended to provide SMTP and IMAP service with disposable mail aliases for a single user. Mail is stored in Maildir, a simple plaintext format. The configuration uses Unix sockets for inter-process communication between postfix, dovecot, and opendkim, and prefers strong encryption for network connections. The configured header_checks strip unnecessary postfix mail headers from outgoing mail to limit leakage of personal information.

This configuration is not intended to replace a user's primary personal email account. Do not use a disposable alias for important or sensitive accounts. Messages are by default stored in plaintext on your server (unless you've set up disk encryption separately).

It includes a helper script, create-email-alias, to create new email aliases. You can define a shell alias to call it:

alias addmail='ssh root@host create-email-alias'

Usage: addmail newservice creates an alias to receive mail at newservice@example.com

I go one step further and add an alias on my local machine: alias addmail="ssh root@mail.example.com create-email-alias"

Requirements

See requirements.yml

Variables

postfix_domain: example.com
postfix_hostname: mail.example.com
postfix_smtpd_tls_cert_file: ""
postfix_smtpd_tls_key_file: ""
postfix_smtpd_tls_dh1024_param_file: ""

To operate multiple domains from a single server, add the additional domains to the postfix_virtual_domains list, each with its own certificate and key:

postfix_virtual_domains:
  - name: example.org
    cert: /var/acme/certificates/mail.example.org.crt
    key: /var/acme/certificates/mail.example.org.key
  - name: example.net
    cert: /var/acme/certificates/mail.example.net.crt
    key: /var/acme/certificates/mail.example.net.key

See the default variables.

Example Playbook

- hosts: mail
  become: yes
  roles:
    - bleetube.disposable-mail

Example Deployment

See docs/DEPLOYMENT.md

Security

For hardening, we recommend that network access to dovecot (TCP/993) be restricted to trusted IPs. See the published CVE details for dovecot.

Privacy

Postfix master.cf should configure smtpd to require encrypted client connections. In practice, this means working out which connection method (port and TLS mode) a given mail client supports that will work with a server requiring strong encryption.

See docs/CLIENTS.md for notes on mail clients.

Backups

See the provided example script. Keep in mind that when restoring the imap.passwd file for Dovecot, a new system will have different user and group ids for the maildir user. There is a helper that rewrites all uid/gid fields to the maildir user when restoring from a backup on a new system:

ansible-playbook -e 'force_dovecot_passwd_file_maildir_ids=yes' playbooks/mail.yml
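The uid/gid problem above, as an added example that is not the role's own helper: a small Python script that rewrites the uid and gid columns of a Dovecot passwd-file (layout user:password:uid:gid:gecos:home:shell:extra_fields) to the ids of the maildir owner on the new host. The sample entries and the maildir user name are constructed assumptions; the role's actual file layout and user name are not stated on this page.

```python
"""Rewrite uid/gid columns of a restored Dovecot passwd-file (added example)."""

# Constructed sample of a backed-up imap.passwd from the OLD host. The uid/gid
# columns (1001/1002) will not match the maildir user on a freshly built system.
SAMPLE_PASSWD = (
    "# disposable-mail aliases (constructed sample)\n"
    "alice@example.com:{SHA512-CRYPT}$6$saltsalt$hashhash:1001:1001::/var/mail/vhosts/example.com/alice::\n"
    "bob@example.org:{SHA512-CRYPT}$6$saltsalt$hashhash:1002:1002::/var/mail/vhosts/example.org/bob::userdb_quota_rule=*:storage=1G\n"
)


def parse_entry(line):
    # Layout: user:password:uid:gid:gecos:home:shell:extra_fields
    # Split at most 7 times so colons inside extra_fields (e.g. quota rules) survive.
    fields = line.split(":", 7)
    if len(fields) < 4:
        raise ValueError(f"malformed passwd-file entry: {line!r}")
    return fields


def is_entry(line):
    # Blank lines and comments are passed through untouched.
    return bool(line.strip()) and not line.startswith("#")


def rewrite_ids(text, uid, gid):
    # Return the file contents with every entry's uid/gid replaced.
    out = []
    for line in text.splitlines():
        if not is_entry(line):
            out.append(line)
            continue
        fields = parse_entry(line)
        fields[2], fields[3] = str(uid), str(gid)
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def check_ids(text, uid, gid):
    # True when every entry already carries the expected uid/gid.
    return all(parse_entry(l)[2:4] == [str(uid), str(gid)]
               for l in text.splitlines() if is_entry(l))


def maildir_ids(username):
    # Resolve the maildir owner on the NEW host; "vmail" below is an assumed name.
    import pwd
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid


if __name__ == "__main__":
    uid, gid = maildir_ids("vmail")  # assumed maildir user name
    print(rewrite_ids(SAMPLE_PASSWD, uid, gid), end="")
```

Run it against the real file by replacing SAMPLE_PASSWD with the contents of the restored imap.passwd and writing the result back only after check_ids confirms every entry was rewritten.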

Troubleshooting

systemctl status opendkim dovecot postfix
journalctl -fu postfix@-
journalctl -fu dovecot

Misc

There are some interesting MTA implementations that may replace or complement parts of this stack in the future:

Credit

Thanks to Mischa ter Smitten for his work on the ansible-postfix role. The postfix setup process is largely a modified version of that role. The relevant license and copyright notice can be found in postfix.yml.