This role deploys a reasonably secure small mail server stack. This Ansible playbook installs and configures:
- TREES from riseuplabs
- Dovecot
- Postfix
- OpenDKIM
- sqlite3 user database
- SSL certs from Let's Encrypt on a single host.
Requirements:
- Debian 12+
- The hostname in `mailfruit_server_hostname` pointing to the server(s) this is deployed to, for Certbot to grab certificates :)

Role variables:
- `mailfruit_server_hostname` - required
- `mailfruit_mail_domains` - required, a list of domains this server can accept mail for. The first item in this list is used as a default for various things.
- `mailfruit_admin_email` - required
- `mailfruit_certbot_authenticator` - optional, default: `standalone`
- `mailfruit_trees_git_ref` - optional, default: `master`
- `mailfruit_dkim_selector` - optional, default: `mail`. Set this to something unique per server, unless you synchronize your DKIM keys another way.
- `mailfruit_extra_server_hostnames` - optional, default: undefined. A list of extra hostnames to fetch SSL certificates for, with certbot.
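An example playbook that wires these variables together, added here as an illustration rather than taken from the role's own files. It assumes the role is installed under the name `mailfruit` and that the inventory group is called `mailservers`; the hostnames, domains, e-mail address and selector are constructed placeholders.

```yaml
# Added example playbook (not part of the role). Assumes the role name
# "mailfruit" and an inventory group "mailservers"; every hostname, domain,
# address and selector below is a constructed placeholder.
- name: Deploy the mail stack
  hosts: mailservers
  become: true
  vars:
    # Must already resolve to this host: certbot's standalone authenticator
    # answers the ACME HTTP-01 challenge on port 80 of this machine.
    mailfruit_server_hostname: mx1.example.com

    # The first entry is the default domain wherever the role needs one.
    mailfruit_mail_domains:
      - example.com
      - example.org

    mailfruit_admin_email: postmaster@example.com

    # Optional settings, shown with their defaults...
    mailfruit_certbot_authenticator: standalone
    mailfruit_trees_git_ref: master

    # ...except the selector, which is made unique per server so that two
    # hosts never publish conflicting keys under the same DNS name.
    mailfruit_dkim_selector: mx1

    # Extra names to include on the certificate (constructed examples).
    mailfruit_extra_server_hostnames:
      - imap.example.com
      - smtp.example.com

  roles:
    - mailfruit
```

Run it with `ansible-playbook -i inventory deploy-mail.yml` once the DNS A/AAAA records for `mx1.example.com` and the extra hostnames point at the target; with the `standalone` authenticator, port 80 has to be reachable from the Internet during the run, or certificate issuance fails before the mail services are ever configured.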
I've opted to require TLS at every step with pre-wrapped ports - i.e., using port 993 for IMAPS instead of 143, where TLS is negotiated within a cleartext connection via STARTTLS.
License: GPLv3
Important: For each server you deploy this to, you must host the DKIM TXT record for each domain. This record can be found on each server at `/etc/opendkim/keys/mail.txt`. You must also configure your SPF/DMARC records. If you do not do this, you will have very poor email deliverability.
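The role cannot publish DNS records for you, so the records above are the step most often forgotten. The following verification play is an added example, not part of the role: it runs `dig` from the control node and fails the run for any domain whose DKIM, SPF or DMARC record is missing. The selector and domain names are constructed placeholders, and `dig` must be installed locally.

```yaml
# Added verification play (not part of the role). Queries public DNS from the
# control node; domains and the selector are constructed placeholders.
- name: Check DKIM, SPF and DMARC records for every mail domain
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    mailfruit_dkim_selector: mail
    mailfruit_mail_domains:
      - example.com
      - example.org
  tasks:
    # <selector>._domainkey.<domain> must carry the key from mail.txt.
    - name: DKIM selector record is published
      ansible.builtin.command:
        argv: ["dig", "+short", "TXT", "{{ mailfruit_dkim_selector }}._domainkey.{{ item }}"]
      loop: "{{ mailfruit_mail_domains }}"
      register: dkim
      changed_when: false
      failed_when: "'v=DKIM1' not in dkim.stdout"

    # The apex TXT record must contain an SPF policy; it should authorise
    # this server (for example via "mx" or an ip4/ip6 term) and end in -all or ~all.
    - name: SPF record is published
      ansible.builtin.command:
        argv: ["dig", "+short", "TXT", "{{ item }}"]
      loop: "{{ mailfruit_mail_domains }}"
      register: spf
      changed_when: false
      failed_when: "'v=spf1' not in spf.stdout"

    # _dmarc.<domain> must exist and state a policy (p=none/quarantine/reject).
    - name: DMARC record is published with a policy
      ansible.builtin.command:
        argv: ["dig", "+short", "TXT", "_dmarc.{{ item }}"]
      loop: "{{ mailfruit_mail_domains }}"
      register: dmarc
      changed_when: false
      failed_when: "'v=DMARC1' not in dmarc.stdout or 'p=' not in dmarc.stdout"
```

Two caveats when publishing the DKIM record: `mail.txt` is written in zone-file syntax, so only the quoted value (the `v=DKIM1; ... p=...` part, with the quoted fragments joined) belongs in the TXT record, and if you change `mailfruit_dkim_selector` the DNS name you must publish changes with it, so re-run this play after every change of selector or key.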
You should probably use something like fail2ban to prevent account harvesting & break-in attempts. You should almost certainly harden your SSH install. You should definitely take backups of this server, particularly the user database; without it, the mail files become unreadable. You should implement external monitoring of this server; in particular, if this monitoring sends emails to alert you, those email addresses shouldn't reside on this server ;)