2026-02-11 18:01:51 -03:00
# Ansible Role: Mail
2025-07-25 17:29:20 -03:00
2026-02-11 18:01:51 -03:00
An Ansible role to deploy and configure an internal mail server on Debian-based systems.
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
## Description
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
This role sets up a complete internal mail server stack, currently including:
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
- **Postfix** - Mail Transfer Agent (MTA) for sending and receiving mail
- **Dovecot** - IMAP/POP3 server for mail retrieval
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
The role is designed for **internal use cases ** where applications, services, and users within your infrastructure need to send and receive email. Outbound mail is relayed through a configured smarthost (e.g., SendGrid, Mailgun, or your ISP's SMTP server).
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
### Use Cases
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
- Internal applications sending notifications (cron jobs, monitoring, CI/CD pipelines)
- Service accounts that need to receive and process email
- Development and testing environments
- Private mail infrastructure for small teams
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
### What This Role Does NOT Include
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
This role intentionally omits antispam and antivirus components. Since it's designed for internal mail that doesn't interact with external/untrusted sources, these features are unnecessary and would add complexity.
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
## Requirements
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
- **Target OS**: Debian-based distributions (Debian, Ubuntu)
- **Ansible**: Version 2.10 or newer
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
## Role Variables
2026-02-10 17:24:59 -03:00
2026-02-11 18:01:51 -03:00
Default values are defined in `defaults/main.yml` .
2026-02-10 17:24:59 -03:00
2026-02-11 18:01:51 -03:00
### General Settings
| Variable | Default | Description |
| :--- | :--- | :--- |
| mail_ssl_cert | snakeoil | Path to SSL certificate (shared by Postfix and Dovecot). |
| mail_ssl_key | snakeoil | Path to SSL private key (shared by Postfix and Dovecot). |
### Postfix Configuration
| Variable | Default | Description |
| :--- | :--- | :--- |
| postfix_relayhost | "" | **Required. ** Smarthost for relaying outbound mail. Use brackets to skip MX lookups (e.g., `[smtp.sendgrid.net]:587` ). |
| postfix_relayhost_user | (undefined) | Username for smarthost SASL authentication. |
| postfix_relayhost_password | (undefined) | Password/API key for smarthost. Store in Ansible Vault. |
| postfix_mail_domain | `{{ ansible_domain }}` | Primary mail domain for this server. |
| postfix_myhostname | `mail.{{ postfix_mail_domain }}` | FQDN of the mail server. |
| postfix_mydestination | `$myhostname, localhost...` | Domains accepted for local delivery. |
| postfix_mynetworks | `127.0.0.0/8 [::1]/128` | Trusted networks allowed to relay. |
| postfix_inet_interfaces | all | Network interfaces to listen on. Use `loopback-only` for local-only access. |
| postfix_inet_protocols | all | IP protocols to use (ipv4, ipv6, or all). |
SASL authentication for the smarthost is automatically enabled when both `postfix_relayhost_user` and `postfix_relayhost_password` are defined.
### Dovecot Configuration
| Variable | Default | Description |
| :--- | :--- | :--- |
| dovecot_enabled | true | Install and configure Dovecot. |
2026-02-10 17:24:59 -03:00
| dovecot_protocols | "imap pop3 lmtp" | Protocols to enable. |
2026-02-11 18:01:51 -03:00
| dovecot_mail_location | "maildir:~/Maildir" | Mail storage format and location. |
| dovecot_ssl | "yes" | SSL/TLS mode: `yes` , `no` , or `required` . |
| dovecot_auth_mechanisms | "plain login" | Allowed authentication mechanisms. |
| dovecot_postfix_sasl_enable | true | Allow Postfix to authenticate users via Dovecot. |
| dovecot_postfix_lmtp_enable | true | Deliver mail to Dovecot via LMTP. |
| dovecot_imap_capability | "" | Adjust advertised IMAP capabilities (e.g., `+IMAP4rev1 -LITERAL+` ). |
| dovecot_users | [] | List of virtual mailbox users. See below. |
2026-02-10 17:51:23 -03:00
2026-02-11 18:01:51 -03:00
### Virtual Mailbox Users
2026-02-10 17:51:23 -03:00
2026-02-11 18:01:51 -03:00
Define users for Dovecot virtual mailboxes:
2026-02-10 17:51:23 -03:00
```yaml
dovecot_users:
- name: "service1"
pass: "mysecretpassword"
```
2026-02-11 18:01:51 -03:00
For security, the role generates a random 16-character token on the server (stored in `/etc/dovecot/dovecot_token` ). The actual password is `token + password` . For example, if the token is `He5rN5SPH33AbFLn` , the user must authenticate with `He5rN5SPH33AbFLnmysecretpassword` .
2026-02-10 17:24:59 -03:00
2026-02-11 18:01:51 -03:00
## Dependencies
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
None.
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
## Example Playbook
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
```yaml
---
- hosts: mail_servers
become: true
roles:
- role: giacchetta.mail
vars:
2025-07-28 21:08:28 -03:00
postfix_mail_domain: "example.com"
2026-02-11 18:01:51 -03:00
postfix_relayhost: "[smtp.mailgun.org]:587"
postfix_relayhost_user: "postmaster@mg .example.com"
postfix_relayhost_password: "{{ vault_mailgun_password }}"
mail_ssl_cert: "/etc/letsencrypt/live/mail.example.com/fullchain.pem"
mail_ssl_key: "/etc/letsencrypt/live/mail.example.com/privkey.pem"
dovecot_ssl: "required"
dovecot_users:
- name: "alerts"
pass: "{{ vault_alerts_password }}"
2025-07-28 21:08:28 -03:00
```
2026-02-11 18:01:51 -03:00
## License
2025-07-28 21:08:28 -03:00
GPL-3.0-only
2026-02-11 18:01:51 -03:00
## Author Information
2025-07-28 21:08:28 -03:00
2026-02-11 18:01:51 -03:00
This role was created by Giacchetta Networks.
