push as of 05jul2021

2021-07-05 15:10:51 +02:00 · 2021-07-05 15:10:51 +02:00 · eb02fb37a1
parent 87a2ae27c6
commit eb02fb37a1
21 changed files with 381 additions and 26 deletions
--- a/README.md
+++ b/README.md
@ -39,21 +39,60 @@ Root-Passwort setzen (das machen wir von Hand)
 ## Ansible Playbook laufen lassen
 ```bash
 $ cd ansible
-$ ansible-playbook -i production mailserver.yml
+$ ansible-playbook -i production --ask-vault-pass mailserver.yml
 ```

 ## Zertifikate erzeugen
 ```bash
-# systemctl stop nginx
-# certbot certonly --noninteractive --standalone --agree-tos -m postmaster@nbit.ch -d mail2.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch
-# systemctl start nginx
+# curl https://get.acme.sh | sh -s email=postmaster@nbit.ch
+# acme.sh --issue -d mail.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch -w /var/www/default_webroot
+
+[Fr Mär  5 10:16:02 CET 2021] Your cert is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.cer 
+[Fr Mär  5 10:16:02 CET 2021] Your cert key is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.key 
+[Fr Mär  5 10:16:02 CET 2021] The intermediate CA cert is in  /root/.acme.sh/mail.nbit.ch/ca.cer 
+[Fr Mär  5 10:16:02 CET 2021] And the full chain certs is there:  /root/.acme.sh/mail.nbit.ch/fullchain.cer 
+
+Install Certificate:
+# acme.sh --install-cert -d mail.nbit.ch --key-file /etc/letsencrypt/nbit.ch/mail.nbit.ch.key --fullchain-file /etc/letsencrypt/nbit.ch/fullchain.cer --reloadcmd  "service nginx force-reload"
 ```

+## SELinux Policy for Certificates
+```
+[root@mail ~]# cat my-mailserver.te 
+
+module my-mailserver 1.0;
+
+require {
+        type dovecot_t;
+        type postfix_smtpd_t;
+        type public_content_t;
+        class file read;
+        class file open;
+        class file getattr;
+}
+
+#============= dovecot_t ==============
+allow dovecot_t public_content_t:file read;
+allow dovecot_t public_content_t:file open;
+
+#============= postfix_smtpd_t ==============
+allow postfix_smtpd_t public_content_t:file read;
+allow postfix_smtpd_t public_content_t:file open;
+allow postfix_smtpd_t public_content_t:file getattr;
+
+
+[root@mail ~]# checkmodule -M -m -o my-mailserver.mod my-mailserver.te
+[root@mail ~]# semodule_package -o my-mailserver.pp -m my-mailserver.mod
+[root@mail ~]# semodule -i my-mailserver.pp
+```
+
+
 ## DB erstellen
 ```bash
 # mysql
 MariaDB [(none)]> create database vmail CHARACTER SET 'utf8';
 MariaDB [(none)]> grant select on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';    
+MariaDB [(none)]> grant  SELECT, UPDATE, INSERT, DELETE on vmail.* to 'mailboxadm'@'localhost' identified by 'mailboxadmdbpass';    
 # anderes Passwort waehlen!
 MariaDB [(none)]> use vmail;

@ -62,6 +101,7 @@ Folgende Statements durchfuehren:
 CREATE TABLE `domains` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
+    `mailboxadmin` boolean DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY (`domain`)
 );
@ -74,6 +114,7 @@ CREATE TABLE `accounts` (
    `quota` int unsigned DEFAULT '0',
    `enabled` boolean DEFAULT '0',
    `sendonly` boolean DEFAULT '0',
+    `mailboxadmin` boolean DEFAULT '0',
    PRIMARY KEY (id),
    UNIQUE KEY (`username`, `domain`),
    FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
@ -101,4 +142,22 @@ CREATE TABLE `tlspolicies` (
 );
 ```

+## Mail Domains und Users einrichten
+
+```bash
+MariaDB [(none)]> insert into domains (domain) values ('mysystems.tld');
+
+$ doveadm pw -s SHA512-CRYPT
+MariaDB [(none)]> insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$6$wHyJsS[...]', 2048, true, false);
+
+MariaDB [(none)]> insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('alias', 'mysystems.tld', 'user1', 'mysystems.tld', true);
+```
+
 ## DKIM Signing (manuell einrichten)
+
+```bash
+# mkdir /var/lib/rspamd/dkim
+# rspamadm dkim_keygen -b 2048 -s 2020 -k /var/lib/rspamd/dkim/2020.key > /var/lib/rspamd/dkim/2020.txt
+# chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
+# chmod 440 /var/lib/rspamd/dkim/*
+```
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -15,6 +15,9 @@
    - telnet
    - git
    - yum-utils
+    - wget
+    - unzip
+    - tar

 - name: Enable SELinux
  selinux:
@ -82,6 +85,7 @@
    service: "{{ item }}"
    permanent: yes
    state: disabled
+    immediate: yes
  loop:
    - cockpit
  notify: reload firewalld
@ -91,8 +95,10 @@
    port: "{{ item }}"
    permanent: yes
    state: enabled
+    immediate: yes
  loop:
    - 10050/tcp
+    - 587/tcp
  notify: reload firewalld

 - name: Create ~/.forward
--- a/ansible/roles/mailserver/files/backup-mysql-dbs
+++ b/ansible/roles/mailserver/files/backup-mysql-dbs
@ -0,0 +1,4 @@
+#
+# Backup Mysql DBs (dump)
+#
+55 3 * * * root /usr/local/bin/backup-mysql-dbs.sh >/dev/null
--- a/ansible/roles/mailserver/files/backup-mysql-dbs.sh
+++ b/ansible/roles/mailserver/files/backup-mysql-dbs.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+umask 077
+echo "Alle MySQL-Datenbanken sichern:"
+# Bereinigte Liste der Datenbanken erzeugen
+DBASELIST=`mktemp`
+mysqlshow | awk '{print $2}' | grep -v Databases | sort >$DBASELIST
+# Wohin sollen die ganzen Backups geschrieben werden?
+cd /backup/mysql-dumps
+dir="mysql-dumps-$(hostname)-$(date +%Y%m%d)"
+mkdir -p ${dir}
+cd ${dir}
+for x in `cat $DBASELIST`; do 
+    echo "Datenbank: $x sichern"; 
+    mysqldump --opt --single-transaction $x >$x.sql;
+done;
+cd /backup/mysql-dumps
+tar cvzf ${dir}.tar.gz ${dir} >/dev/null && rm -rf /backup/mysql-dumps/${dir} 
+
+# Cleanup
+find /backup/mysql-dumps -type f -mtime +100 \( ! -name "backup-*-*1.????.tar.gz" ! -name "mysql-dumps-???????1.tar.gz" \) -exec rm {} \;
+
--- a/ansible/roles/mailserver/files/default_website.html
+++ b/ansible/roles/mailserver/files/default_website.html
@ -1 +1,38 @@
-<h1>mail2.nbit.ch</h1>
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="author" content="Joerg Lehmann">
+    <meta name="description" content="nbit Informatik Gmbh - Mailserver">
+    <meta property="og:title" content="nbit Informatik GmbH - Mailserver" />
+    <meta name="referrer" content="no-referrer">
+    <title>nbit Informatik GmbH - Mailserver</title>
+    <link rel="stylesheet" type="text/css" href="/css/bulma-nbit.css" />
+    <link rel="stylesheet" type="text/css" href="/css/nbit.css" />
+    <link rel="icon" type="image/png" href="/images/favicon-nbit-32x32.png" sizes="32x32">
+    <link rel="icon" type="image/png" href="/images/favicon-nbit-16x16.png" sizes="16x16">
+  </head>
+
+  <body>
+    <div class="container">
+      <div class="box has-background-light has-padding-10 has-margin-bottom-30 has-margin-top-10">
+        <div class="nbitlogo">
+          <img src="/images/nbit-logo.png" alt="nbit Informatik GmbH Logo">
+        </div>
+        <div class="emaillogo">
+          <img src="/images/mailserver.png" alt="nbit Informatik GmbH Mailserver Logo">
+        </div>
+        <p>
+          <h1>Mailserver der nbit Informatik GmbH</h1>
+        </p>
+        <p>
+<a href="https://mail2.nbit.ch/rainloop">Webmail</a>
+        </p>
+        <p>
+<a href="https://mail2.nbit.ch/mailboxadm">Mailbox Management</a>
+        </p>
+      </div>
+    </div>
+  </body>
+</html>
--- a/ansible/roles/mailserver/files/dkim_signing.conf
+++ b/ansible/roles/mailserver/files/dkim_signing.conf
@ -0,0 +1,5 @@
+path = "/var/lib/rspamd/dkim/$selector.key";
+selector = "2020";
+
+### Enable DKIM signing for alias sender addresses
+allow_username_mismatch = true;
--- a/ansible/roles/mailserver/files/dovecot.conf
+++ b/ansible/roles/mailserver/files/dovecot.conf
@ -11,8 +11,8 @@ protocols = imap lmtp sieve
 ##

 ssl = required
-ssl_cert = </etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem
-ssl_key = </etc/letsencrypt/live/mail2.nbit.ch/privkey.pem
+ssl_cert = </root/.acme.sh/mail2.nbit.ch/fullchain.cer
+ssl_key = </root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key
 ssl_dh = </etc/dovecot/dh4096.pem
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
--- a/ansible/roles/mailserver/files/local.conf
+++ b/ansible/roles/mailserver/files/local.conf
@ -0,0 +1,2 @@
+[Unit]
+After=network-online.target
--- a/ansible/roles/mailserver/files/mail.nbit.ch.conf
+++ b/ansible/roles/mailserver/files/mail.nbit.ch.conf
@ -7,11 +7,29 @@ server {
        server_name mail2.nbit.ch;

        root         /var/www/default_webroot;
-        ssl_certificate /etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/mail2.nbit.ch/privkey.pem;
+        ssl_certificate /root/.acme.sh/mail2.nbit.ch/fullchain.cer;
+        ssl_certificate_key /root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key;

        add_header Strict-Transport-Security max-age=15768000;

+        index index.php index.htm index.html;
+
+        location ~ \.(php|phar)(/.*)?$ {
+            fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
+
+            fastcgi_intercept_errors on;
+            fastcgi_index  index.php;
+            include        fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_param  PATH_INFO $fastcgi_path_info;
+            fastcgi_pass   php-fpm;
+        }
+
+        # Wegen Rainloop...
+	location ^~ /data {
+	  deny all;
+	}
+
        location /rspamd/ {
                proxy_pass http://localhost:11334/;
                proxy_set_header Host $host;
--- a/ansible/roles/mailserver/files/master.cf
+++ b/ansible/roles/mailserver/files/master.cf
@ -0,0 +1,78 @@
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+###
+### SMTP-Serverbindungen aus dem Internet
+### Authentifizuerung hier nicht erlaubt (Anmeldung nur via smtps/submission!)
+smtp      inet  n       -       n       -       1       smtpd     
+    -o smtpd_sasl_auth_enable=no
+###
+### SMTPS Service (Submission mit implizitem TLS - ohne STARTTLS) - Port 465
+### Für Mailclients gelten andere Regeln, als für andere Mailserver (siehe smtpd_ in main.cf)
+###
+smtps     inet  n       -       n       -       -       smtpd
+    -o syslog_name=postfix/smtps
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=private/auth
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_client_restrictions=$mua_client_restrictions
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o smtpd_relay_restrictions=$mua_relay_restrictions
+    -o milter_macro_daemon_name=ORIGINATING
+    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
+    -o smtpd_helo_required=no
+    -o smtpd_helo_restrictions=
+    -o cleanup_service_name=submission-header-cleanup
+###
+### Submission-Zugang für Clients (mit STARTTLS - für Rückwärtskompatibilität) - Port 587
+###
+submission inet n       -       n       -       -       smtpd
+    -o syslog_name=postfix/submission
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=private/auth
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_client_restrictions=$mua_client_restrictions
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o smtpd_relay_restrictions=$mua_relay_restrictions
+    -o milter_macro_daemon_name=ORIGINATING
+    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
+    -o smtpd_helo_required=no
+    -o smtpd_helo_restrictions=
+    -o cleanup_service_name=submission-header-cleanup
+###
+### Weitere wichtige Dienste für den Serverbetrieb
+###
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+###
+### Cleanup-Service um MUA header zu entfernen
+###
+submission-header-cleanup unix n - n    -       0       cleanup
+    -o header_checks=regexp:/etc/postfix/submission_header_cleanup
--- a/ansible/roles/mailserver/files/renew-certificates
+++ b/ansible/roles/mailserver/files/renew-certificates
@ -1 +0,0 @@
-0 20 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
--- a/ansible/roles/mailserver/files/submission_header_cleanup
+++ b/ansible/roles/mailserver/files/submission_header_cleanup
@ -0,0 +1,6 @@
+### Entfernt Datenschutz-relevante Header aus E-Mails von MTUAs
+
+/^Received:/            IGNORE
+/^X-Originating-IP:/    IGNORE
+/^X-Mailer:/            IGNORE
+/^User-Agent:/          IGNORE
--- a/ansible/roles/mailserver/handlers/main.yml
+++ b/ansible/roles/mailserver/handlers/main.yml
@ -38,3 +38,6 @@
  service:
    name=nginx
    state=restarted
+
+- name: Restore selinux context
+  command: restorecon -irv /etc/letsecnrypt/nbit.ch
--- a/ansible/roles/mailserver/tasks/main.yml
+++ b/ansible/roles/mailserver/tasks/main.yml
@ -20,8 +20,40 @@
    - mariadb-server
    - nginx
    - unbound
-    - certbot
    - haveged
+    - php-fpm
+    - php-mysqlnd
+    - php-json
+    - php-xml
+    - socat
+
+- name: Replace apache with nginx in config file
+  replace:
+    path: /etc/php-fpm.d/www.conf
+    regexp: '^(user|group) = apache'
+    replace: '\1 = nginx'
+
+- name: Allow webserver to read files in /etc/letsencrypt/nbit.ch
+  sefcontext:
+    target: '/etc/letsencrypt/nbit.ch(/.*)?'
+    setype: public_content_t
+    state: present
+  notify:
+    - Restore selinux context
+
+- name: create /etc/systemd/system/postfix.service.d
+  file:
+    path: /etc/systemd/system/postfix.service.d
+    state: directory
+    mode: '0755'
+
+- name: Copy /etc/systemd/system/postfix.service.d/local.conf
+  copy:
+    src: local.conf
+    dest: /etc/systemd/system/postfix.service.d/local.conf
+    owner: root
+    group: root
+    mode: '0644'

 - name: enable services
  systemd:
@ -37,6 +69,7 @@
    - postfix
    - redis
    - rspamd
+    - php-fpm

 - name: Copy disable_dns.conf
  copy:
@ -143,7 +176,17 @@
    group: postfix
    mode: '0755'

- name: Create postfix conf
+- name: Create postfix conf - master.cf
+  copy:
+    src: master.cf
+    dest: "/etc/postfix/master.cf"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart postfix
+
+- name: Create postfix conf - main.cf
  template:
    src: main.cf.j2
    dest: "/etc/postfix/main.cf"
@ -153,6 +196,16 @@
    mode: '0644'
  notify: Restart postfix

+- name: Create postfix conf - submission_header_cleanup
+  copy:
+    src: submission_header_cleanup
+    dest: "/etc/postfix/submission_header_cleanup"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart postfix
+
 - name: create postfix sql files
  template:
    src: "{{ item }}.j2"
@ -232,21 +285,67 @@
   - blacklist_ip.map
   - blacklist_from.map

+- name: create /etc/rspamd/local.d/dkim_signing.conf
+  copy:
+    src: "dkim_signing.conf"
+    dest: "/etc/rspamd/local.d/dkim_signing.conf"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart rspamd
+
+- name: create /etc/rspamd/local.d/arc.conf
+  copy:
+    # same as dkim_signing.conf
+    src: "dkim_signing.conf"
+    dest: "/etc/rspamd/local.d/arc.conf"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart rspamd
+
 - name: Set httpd_can_network_connect flag on and keep it persistent across reboots
  seboolean:
    name: httpd_can_network_connect
    state: yes
    persistent: yes

- name: create Cronjob for certbot
+- name: create Cronjob for MysqlDB Backups
  copy:
-    src: renew-certificates
-    dest: "/etc/cron.d/renew-certificates"
+    src: backup-mysql-dbs
+    dest: "/etc/cron.d/backup-mysql-dbs"
    owner: root
    group: root
    backup: no
    mode: '0644'

+- name: create Mysql Backupscript
+  copy:
+    src: backup-mysql-dbs.sh
+    dest: "/usr/local/bin/backup-mysql-dbs.sh"
+    owner: root
+    group: root
+    backup: no
+    mode: '0755'
+
+- name: Create /backup
+  file:
+    path: "/backup"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create /backup/mysql-dumps
+  file:
+    path: "/backup/mysql-dumps"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
 - name: Replace nginx root
  lineinfile:
    path: /etc/nginx/nginx.conf
@ -257,6 +356,14 @@
    mode: '0644'
  notify: Restart nginx

+- name: Change /var/lib/php/session group
+  file:
+    path: "/var/lib/php/session"
+    state: directory
+    owner: root
+    group: nginx
+    mode: '0770'
+
 - name: Create /var/www/default_webroot
  file:
    path: "/var/www/default_webroot"
@ -273,3 +380,13 @@
    group: root
    backup: no
    mode: '0644'
+
+- sefcontext:
+    target: '/var/www/default_webroot/rainloop(/.*)?'
+    setype: httpd_sys_rw_content_t
+    state: present
+
+- sefcontext:
+    target: '/var/vmail/mailboxes(/.*)?'
+    setype: mail_home_rw_t
+    state: present
--- a/ansible/roles/mailserver/templates/accounts.cf.j2
+++ b/ansible/roles/mailserver/templates/accounts.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
--- a/ansible/roles/mailserver/templates/aliases.cf.j2
+++ b/ansible/roles/mailserver/templates/aliases.cf.j2
@ -1,6 +1,6 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT DISTINCT concat(destination_username, '@', destination_domain) AS destinations FROM aliases
        WHERE (source_username = '%u' OR source_username IS NULL) AND source_domain = '%d'
--- a/ansible/roles/mailserver/templates/domains.cf.j2
+++ b/ansible/roles/mailserver/templates/domains.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT domain FROM domains WHERE domain='%s';
--- a/ansible/roles/mailserver/templates/main.cf.j2
+++ b/ansible/roles/mailserver/templates/main.cf.j2
@ -3,7 +3,7 @@
 ##

 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-inet_interfaces = 127.0.0.1, ::1, {{ ansible_default_ipv4.address }}, {{ ansible_default_ipv6.address }}
+inet_interfaces = 127.0.0.1, [::1], {{ ansible_default_ipv4.address }}, {{ ansible_default_ipv6.address }}
 myhostname = mail2.nbit.ch


@ -43,8 +43,8 @@ smtpd_tls_ciphers = medium
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtpd_tls_cert_file=/etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem
-smtpd_tls_key_file=/etc/letsencrypt/live/mail2.nbit.ch/privkey.pem
+smtpd_tls_cert_file=/root/.acme.sh/mail2.nbit.ch/fullchain.cer
+smtpd_tls_key_file=/root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key
 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem


@ -59,8 +59,8 @@ virtual_transport = lmtp:unix:private/dovecot-lmtp
 ## Spamfilter und DKIM-Signaturen via Rspamd
 ##

-smtpd_milters = inet:localhost:11332
-non_smtpd_milters = inet:localhost:11332
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = inet:127.0.0.1:11332
 milter_protocol = 6
 milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = accept
--- a/ansible/roles/mailserver/templates/recipient-access.cf.j2
+++ b/ansible/roles/mailserver/templates/recipient-access.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
--- a/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
+++ b/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
@ -1,6 +1,6 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select 
        concat(destination_username, '@', destination_domain) AS 'owns' from aliases 
--- a/ansible/roles/mailserver/templates/tls-policy.cf.j2
+++ b/ansible/roles/mailserver/templates/tls-policy.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';
				`@ -1 +0,0 @@`
				`0 20 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew`