The role is designed for internal use cases where applications, services, and users within your infrastructure need to send and receive email. Outbound mail is relayed through a configured smarthost (e.g., SendGrid, Mailgun, or your ISP's SMTP server).

Use Cases

Internal applications sending notifications (cron jobs, monitoring, CI/CD pipelines)
Service accounts that need to receive and process email
Development and testing environments
Private mail infrastructure for small teams

What This Role Does NOT Include

This role intentionally omits antispam and antivirus components. Since it's designed for internal mail that doesn't interact with external/untrusted sources, these features are unnecessary and would add complexity.

Requirements

Target OS: Debian-based distributions (Debian, Ubuntu)
Ansible: Version 2.10 or newer

Role Variables

Default values are defined in defaults/main.yml.

General Settings

Variable	Default	Description
mail_ssl_cert	snakeoil	Path to SSL certificate (shared by Postfix and Dovecot).
mail_ssl_key	snakeoil	Path to SSL private key (shared by Postfix and Dovecot).

Postfix Configuration

Variable	Default	Description
postfix_relayhost	""	Required. Smarthost for relaying outbound mail. Use brackets to skip MX lookups (e.g., `[smtp.sendgrid.net]:587`).
postfix_relayhost_user	(undefined)	Username for smarthost SASL authentication.
postfix_relayhost_password	(undefined)	Password/API key for smarthost. Store in Ansible Vault.
postfix_mail_domain	`{{ ansible_domain }}`	Primary mail domain for this server.
postfix_myhostname	`mail.{{ postfix_mail_domain }}`	FQDN of the mail server.
postfix_mydestination	`$myhostname, localhost...`	Domains accepted for local delivery.
postfix_mynetworks	`127.0.0.0/8 [::1]/128`	Trusted networks allowed to relay.
postfix_inet_interfaces	all	Network interfaces to listen on. Use `loopback-only` for local-only access.
postfix_inet_protocols	all	IP protocols to use (ipv4, ipv6, or all).

SASL authentication for the smarthost is automatically enabled when both postfix_relayhost_user and postfix_relayhost_password are defined.

Dovecot Configuration

Variable	Default	Description
dovecot_enabled	true	Install and configure Dovecot.
dovecot_protocols	"imap pop3 lmtp"	Protocols to enable.
dovecot_mail_location	"maildir:~/Maildir"	Mail storage format and location.
dovecot_ssl	"yes"	SSL/TLS mode: `yes`, `no`, or `required`.
dovecot_auth_mechanisms	"plain login"	Allowed authentication mechanisms.
dovecot_postfix_sasl_enable	true	Allow Postfix to authenticate users via Dovecot.
dovecot_postfix_lmtp_enable	true	Deliver mail to Dovecot via LMTP.
dovecot_imap_capability	""	Adjust advertised IMAP capabilities (e.g., `+IMAP4rev1 -LITERAL+`).
dovecot_users	[]	List of virtual mailbox users. See below.

Virtual Mailbox Users

Define users for Dovecot virtual mailboxes:

dovecot_users:
  - name: "service1"
    pass: "mysecretpassword"

For security, the role generates a random 16-character token on the server (stored in /etc/dovecot/dovecot_token). The actual password is token + password. For example, if the token is He5rN5SPH33AbFLn, the user must authenticate with He5rN5SPH33AbFLnmysecretpassword.

Dependencies

None.

Example Playbook

---
- hosts: mail_servers
  become: true
  roles:
    - role: giacchetta.mail
      vars:
        postfix_mail_domain: "example.com"
        postfix_relayhost: "[smtp.mailgun.org]:587"
        postfix_relayhost_user: "postmaster@mg.example.com"
        postfix_relayhost_password: "{{ vault_mailgun_password }}"
        mail_ssl_cert: "/etc/letsencrypt/live/mail.example.com/fullchain.pem"
        mail_ssl_key: "/etc/letsencrypt/live/mail.example.com/privkey.pem"
        dovecot_ssl: "required"
        dovecot_users:
          - name: "alerts"
            pass: "{{ vault_alerts_password }}"

License

GPL-3.0-only

Author Information

This role was created by Giacchetta Networks.