Ansible Playbooks for setting up a secured ssh, mail, and web server.
The scripts and playbooks here track https://github.com/hardware/mailserver
- Set
use_stable_release
to true (default) to use stable branch (currentlyv1.1-stable
) - Set
use_stable_release
to false for bleeding edge (docker tagv1.1-latest
, git branchmaster
)
Prerequisite: Recent version of Ansible installed on your control host.
Set up your host's domain name entries as documented here: https://github.com/hardware/mailserver (you can add the DKIM signature when the stack is up).
To start, you'll need to have the following set up in your DNS (A.B.C.D
represents your IP address):
HOSTNAME | CLASS | TYPE | PRIORITY | VALUE |
---|---|---|---|---|
@ | IN | A/AAAA | any | A.B.C.D |
IN | A/AAAA | any | A.B.C.D | |
@ | IN | MX | 10 | mail.domain.tld. |
www | IN | CNAME | any | mail.domain.tld. |
postfixadmin | IN | CNAME | any | mail.domain.tld. |
webmail | IN | CNAME | any | mail.domain.tld. |
spam | IN | CNAME | any | mail.domain.tld. |
If using opencart
, also add a CNAME entry for store
.
If using poweradmin
, also add a CNAME entry for poweradmin
.
If using pritunl
, also add a CNAME entry for vpn
.
-
Create a recent Debian or Fedora server, using whatever process you choose. I created a Debian 9 (Stretch) server in the cloud. Also tested with a Fedora 26 Server instance.
-
make
-
Reboot the installed server.
-
Add additional DNS records (for
SPF
,DKIM
, andDMARC
) as documented here to increase your reputation score.
Once your server is up, from your control host, do ssh [email protected]
so you can look at the generated secrets. e.g. to get the DKIM key to add
to your DNS, do:
ssh [email protected]
cat /mnt/docker/mail/dkim/{your-domain-name}/public.key
-
At this point, visit your
postfixadmin
setup script and follow the instructions here: https://github.com/hardware/mailserver/wiki/Postfixadmin-initial-configuration -
Using
postfixadmin
, set up your super-administrator account, then set up your domain, and proceed to set up mailboxes foradmin
andcontact
. If usingopencart
remember to also set up youropencart
admin user mailbox. -
Set up aliases for the following:
ALIAS | MAILBOX |
---|---|
abuse | [email protected] |
hostmaster | [email protected] |
noc | [email protected] |
postmaster | [email protected] |
spam | [email protected] |
sales | [email protected] |
webform | [email protected] |
-
Set up your Rainloop (webmail) configuration. Follow the instructions here: https://github.com/hardware/mailserver/wiki/Rainloop-initial-configuration
-
Using the RainLoop admin panel, make sure to set up your
ManageSieve
and white-lists for users you allow to login to your domain. -
In the RainLoop admin, go to the
Plugins
and enable thepostfixadmin-change-password
plugin. You will have to ensure that the plugin settings are set like this:
PLUGIN SETTING | VALUE |
---|---|
MySQL Host | mariadb |
MySQL Port | 3306 |
MySQL Database | postfix |
MySQL table | mailbox |
MySQL username column | username |
MySQL password column | password |
MySQL User | postfix |
MySQL Password | {MYSQL postfix user password} |
Encrypt | md5encrypt |
Allowed Emails | * |
The password to use in the change password settings is the postfix
database
user password. You can get it by ssh
into your host and examining the
docker-compose.yml
file:
$ ssh [email protected]
$ grep MYSQL_PASSWORD docker-compose.yml
- MYSQL_PASSWORD=XXXXXXXXX
Setting up the postfixadmin-change-password
plugin will allow users
to change their mailbox passwords.
You can add postfix customizations to /mnt/docker/mail/postfix/custom.conf
on your mailserver
machine and restart the stack.
By default, the setup will install an initial custom.conf
that allows unauthenticated mail
to be relayed from your other containers.
More info about postfix overrides here: https://github.com/hardware/mailserver#override-postfix-configuration
By default, your top level web site www.yourdomain.tld
simply directs to the contact
app
which renders a simple Contact Form as the front page of your your domain.
If you place files in www/yourdomain.tld/
, the Ansible playbook will
create an alterate setup:
- /contact will refer to the Contact form served by the PHP container.
- / will refer to what you place in
www/yourdomain.tld/files/
- /~user will refer to what you place in
www/yourdomain.tld/people/user/
Any text files placed in the files/
or people
subdirectories of
www/yourdomain.tld
will be installed using the jinja2
template
copy, enabling you to use variables like {{ domain_name }}
in
your files.
Occasionally, this template mechanism does not work well (javascript
source code, for example). To work around this, if you place
files in a static/
subtree, they will be copied without
templating. Place files in static/files/
and static/people/user
to
have them installed in the correct places.
Note that files placed in www/
are ignored by git and will have
to be backed up.
Alternatively, you can specify in the initial setup that you want to use Wordpress.
Use Wordpress as www site [false]: true
In this case, we use the official wordpress
Docker image. You can add
customizations for PHP (e.g. setting upload_max_filesize
) by modifying
/mnt/docker/php/custom.ini
.
Your wordpress files will end up in /mnt/docker/wordpress
and wordpress will
use the wordpress
database in the mariadb
server.
The website setup tasks are tagged with website
.
To only deploy web site files, run this:
make web
To run the mailserver
playbook but skip web site deployment:
make noweb
Run make help
for a quick explanation of all Makefile
tasks.
You can get security and bug fixes by updating your images periodically.
The /usr/local/bin/upgrade
is a helper script that simply does:
docker-compose pull
docker-compose up -d
Simply ssh [email protected]
and run the script:
$ upgrade
Pulling redis (redis:3.2-alpine)...
3.2-alpine: Pulling from library/redis
Digest: sha256:8858052e2c0e2ffecc6998b2733e7ffe1ce57998025bf3b373a33073cc1bd92d
Status: Image is up to date for redis:3.2-alpine
Pulling mariadb (mariadb:10.1)...
10.1: Pulling from library/mariadb
Digest: sha256:6cef4058a2c391dfd621939ecf7dfa325ece33e019011e32b34faae03782b5c9
Status: Image is up to date for mariadb:10.1
Pulling mailserver (hardware/mailserver:1.1-latest)...
1.1-latest: Pulling from hardware/mailserver
Digest: sha256:a0396ee689ad964bb77312ec80a846f0834cc51322c45ea82700908ad902446b
Status: Image is up to date for hardware/mailserver:1.1-latest
Pulling rainloop (hardware/rainloop:latest)...
latest: Pulling from hardware/rainloop
Digest: sha256:953d974a7616dfcbf0e1894b75065633a34562e2d5e77807e7316db5004d4727
Status: Image is up to date for hardware/rainloop:latest
Pulling contact (kayvan/contact-form:latest)...
latest: Pulling from kayvan/contact-form
Digest: sha256:7de5ada7dc950352df73f2f2bc704a7af53ffabf859777065b4b6c64d9f3588f
Status: Image is up to date for kayvan/contact-form:latest
Pulling postfixadmin (hardware/postfixadmin:latest)...
latest: Pulling from hardware/postfixadmin
Digest: sha256:b3473b126a527e5fe1899ace260292f3fa787753af43390831fe9d616e6b9900
Status: Image is up to date for hardware/postfixadmin:latest
Pulling nginx (wonderfall/boring-nginx:latest)...
latest: Pulling from wonderfall/boring-nginx
Digest: sha256:9eb46e5c893db961d50a8178bd47aa071c38d1da424fe453b11f4c6650b37e76
Status: Image is up to date for wonderfall/boring-nginx:latest
redis is up-to-date
mariadb is up-to-date
mailserver is up-to-date
postfixadmin is up-to-date
contact is up-to-date
rainloop is up-to-date
nginx is up-to-date
On your control host, the first time you run this, it will run ./bin/setup
and set your ./inventory
files and variable files in ./group_vars/all/
.
Subsequent runs of ./bin/setup
will read the stored values and present
them as defaults.
Use make reset
to remove these files and start over.
You can also make do
if you make changes to your
base variables and want to push those changes to your server.
If you want to make changes to your secrets (e.g. change passwords),
use make edit_secrets
. This task decrypts and re-encrypts your secrets
using ansible-vault
.
Refer to the Ansible docs regarding user passwords to understand how we generate the Linux user password hashes.
To ensure this works, make sure that the ./bin/mkpasswd
script works:
./bin/mkpasswd TestTheHash
$6$JBPVsmzre/hFkiFF$RfmrOFdkXs.QNF515TIGtokseUafj[...]
If you wish to edit your secrets, use the edit
task, like this:
$ EDITOR=vi make edit
Decryption successful
NOTE: Run "make do" to push your changes.
$ make do
After running the process the first time, you can do:
$ make save
This will create a file backup/{domain}-YYYYMMDD-hhmm.tar.gz
which you can stash
and will include your inventory file, variables and vault password.