From eb02fb37a1069ca1d97c8efbc272c91dbb28587d Mon Sep 17 00:00:00 2001
From: Joerg Lehmann <joerg.lehmann@nbit.ch>
Date: Mon, 5 Jul 2021 15:10:51 +0200
Subject: [PATCH] push as of 05jul2021

---
 README.md                                     |  67 ++++++++-
 ansible/roles/common/tasks/main.yml           |   6 +
 .../roles/mailserver/files/backup-mysql-dbs   |   4 +
 .../mailserver/files/backup-mysql-dbs.sh      |  21 +++
 .../mailserver/files/default_website.html     |  39 +++++-
 .../roles/mailserver/files/dkim_signing.conf  |   5 +
 ansible/roles/mailserver/files/dovecot.conf   |   4 +-
 ansible/roles/mailserver/files/local.conf     |   2 +
 .../roles/mailserver/files/mail.nbit.ch.conf  |  22 ++-
 ansible/roles/mailserver/files/master.cf      |  78 +++++++++++
 .../roles/mailserver/files/renew-certificates |   1 -
 .../files/submission_header_cleanup           |   6 +
 ansible/roles/mailserver/handlers/main.yml    |   3 +
 ansible/roles/mailserver/tasks/main.yml       | 127 +++++++++++++++++-
 .../roles/mailserver/templates/accounts.cf.j2 |   2 +-
 .../roles/mailserver/templates/aliases.cf.j2  |   2 +-
 .../roles/mailserver/templates/domains.cf.j2  |   2 +-
 ansible/roles/mailserver/templates/main.cf.j2 |  10 +-
 .../templates/recipient-access.cf.j2          |   2 +-
 .../templates/sender-login-maps.cf.j2         |   2 +-
 .../mailserver/templates/tls-policy.cf.j2     |   2 +-
 21 files changed, 381 insertions(+), 26 deletions(-)
 create mode 100644 ansible/roles/mailserver/files/backup-mysql-dbs
 create mode 100644 ansible/roles/mailserver/files/backup-mysql-dbs.sh
 create mode 100644 ansible/roles/mailserver/files/dkim_signing.conf
 create mode 100644 ansible/roles/mailserver/files/local.conf
 create mode 100644 ansible/roles/mailserver/files/master.cf
 delete mode 100644 ansible/roles/mailserver/files/renew-certificates
 create mode 100644 ansible/roles/mailserver/files/submission_header_cleanup

diff --git a/README.md b/README.md
index 30a0af1..3559c00 100644
--- a/README.md
+++ b/README.md
@@ -39,21 +39,60 @@ Root-Passwort setzen (das machen wir von Hand)
 ## Ansible Playbook laufen lassen
 ```bash
 $ cd ansible
-$ ansible-playbook -i production mailserver.yml
+$ ansible-playbook -i production --ask-vault-pass mailserver.yml
 ```
 
 ## Zertifikate erzeugen
 ```bash
-# systemctl stop nginx
-# certbot certonly --noninteractive --standalone --agree-tos -m postmaster@nbit.ch -d mail2.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch
-# systemctl start nginx
+# curl https://get.acme.sh | sh -s email=postmaster@nbit.ch
+# acme.sh --issue -d mail.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch -w /var/www/default_webroot
+
+[Fr Mär  5 10:16:02 CET 2021] Your cert is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.cer 
+[Fr Mär  5 10:16:02 CET 2021] Your cert key is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.key 
+[Fr Mär  5 10:16:02 CET 2021] The intermediate CA cert is in  /root/.acme.sh/mail.nbit.ch/ca.cer 
+[Fr Mär  5 10:16:02 CET 2021] And the full chain certs is there:  /root/.acme.sh/mail.nbit.ch/fullchain.cer 
+
+Install Certificate:
+# acme.sh --install-cert -d mail.nbit.ch --key-file /etc/letsencrypt/nbit.ch/mail.nbit.ch.key --fullchain-file /etc/letsencrypt/nbit.ch/fullchain.cer --reloadcmd  "service nginx force-reload"
 ```
 
+## SELinux Policy for Certificates
+```
+[root@mail ~]# cat my-mailserver.te 
+
+module my-mailserver 1.0;
+
+require {
+        type dovecot_t;
+        type postfix_smtpd_t;
+        type public_content_t;
+        class file read;
+        class file open;
+        class file getattr;
+}
+
+#============= dovecot_t ==============
+allow dovecot_t public_content_t:file read;
+allow dovecot_t public_content_t:file open;
+
+#============= postfix_smtpd_t ==============
+allow postfix_smtpd_t public_content_t:file read;
+allow postfix_smtpd_t public_content_t:file open;
+allow postfix_smtpd_t public_content_t:file getattr;
+
+
+[root@mail ~]# checkmodule -M -m -o my-mailserver.mod my-mailserver.te
+[root@mail ~]# semodule_package -o my-mailserver.pp -m my-mailserver.mod
+[root@mail ~]# semodule -i my-mailserver.pp
+```
+
+
 ## DB erstellen
 ```bash
 # mysql
 MariaDB [(none)]> create database vmail CHARACTER SET 'utf8';
 MariaDB [(none)]> grant select on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';    
+MariaDB [(none)]> grant  SELECT, UPDATE, INSERT, DELETE on vmail.* to 'mailboxadm'@'localhost' identified by 'mailboxadmdbpass';    
 # anderes Passwort waehlen!
 MariaDB [(none)]> use vmail;
 
@@ -62,6 +101,7 @@ Folgende Statements durchfuehren:
 CREATE TABLE `domains` (
     `id` int unsigned NOT NULL AUTO_INCREMENT,
     `domain` varchar(255) NOT NULL,
+    `mailboxadmin` boolean DEFAULT '0',
     PRIMARY KEY (`id`),
     UNIQUE KEY (`domain`)
 );
@@ -74,6 +114,7 @@ CREATE TABLE `accounts` (
     `quota` int unsigned DEFAULT '0',
     `enabled` boolean DEFAULT '0',
     `sendonly` boolean DEFAULT '0',
+    `mailboxadmin` boolean DEFAULT '0',
     PRIMARY KEY (id),
     UNIQUE KEY (`username`, `domain`),
     FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
@@ -101,4 +142,22 @@ CREATE TABLE `tlspolicies` (
 );
 ```
 
+## Mail Domains und Users einrichten
+
+```bash
+MariaDB [(none)]> insert into domains (domain) values ('mysystems.tld');
+
+$ doveadm pw -s SHA512-CRYPT
+MariaDB [(none)]> insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$6$wHyJsS[...]', 2048, true, false);
+
+MariaDB [(none)]> insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('alias', 'mysystems.tld', 'user1', 'mysystems.tld', true);
+```
+
 ## DKIM Signing (manuell einrichten)
+
+```bash
+# mkdir /var/lib/rspamd/dkim
+# rspamadm dkim_keygen -b 2048 -s 2020 -k /var/lib/rspamd/dkim/2020.key > /var/lib/rspamd/dkim/2020.txt
+# chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
+# chmod 440 /var/lib/rspamd/dkim/*
+```
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 893fda8..bf8153c 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -15,6 +15,9 @@
     - telnet
     - git
     - yum-utils
+    - wget
+    - unzip
+    - tar
 
 - name: Enable SELinux
   selinux:
@@ -82,6 +85,7 @@
     service: "{{ item }}"
     permanent: yes
     state: disabled
+    immediate: yes
   loop:
     - cockpit
   notify: reload firewalld
@@ -91,8 +95,10 @@
     port: "{{ item }}"
     permanent: yes
     state: enabled
+    immediate: yes
   loop:
     - 10050/tcp
+    - 587/tcp
   notify: reload firewalld
 
 - name: Create ~/.forward
diff --git a/ansible/roles/mailserver/files/backup-mysql-dbs b/ansible/roles/mailserver/files/backup-mysql-dbs
new file mode 100644
index 0000000..5b48206
--- /dev/null
+++ b/ansible/roles/mailserver/files/backup-mysql-dbs
@@ -0,0 +1,4 @@
+#
+# Backup Mysql DBs (dump)
+#
+55 3 * * * root /usr/local/bin/backup-mysql-dbs.sh >/dev/null
diff --git a/ansible/roles/mailserver/files/backup-mysql-dbs.sh b/ansible/roles/mailserver/files/backup-mysql-dbs.sh
new file mode 100644
index 0000000..5a08783
--- /dev/null
+++ b/ansible/roles/mailserver/files/backup-mysql-dbs.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+umask 077
+echo "Alle MySQL-Datenbanken sichern:"
+# Bereinigte Liste der Datenbanken erzeugen
+DBASELIST=`mktemp`
+mysqlshow | awk '{print $2}' | grep -v Databases | sort >$DBASELIST
+# Wohin sollen die ganzen Backups geschrieben werden?
+cd /backup/mysql-dumps
+dir="mysql-dumps-$(hostname)-$(date +%Y%m%d)"
+mkdir -p ${dir}
+cd ${dir}
+for x in `cat $DBASELIST`; do 
+    echo "Datenbank: $x sichern"; 
+    mysqldump --opt --single-transaction $x >$x.sql;
+done;
+cd /backup/mysql-dumps
+tar cvzf ${dir}.tar.gz ${dir} >/dev/null && rm -rf /backup/mysql-dumps/${dir} 
+
+# Cleanup
+find /backup/mysql-dumps -type f -mtime +100 \( ! -name "backup-*-*1.????.tar.gz" ! -name "mysql-dumps-???????1.tar.gz" \) -exec rm {} \;
+
diff --git a/ansible/roles/mailserver/files/default_website.html b/ansible/roles/mailserver/files/default_website.html
index 3d9db70..17715a0 100644
--- a/ansible/roles/mailserver/files/default_website.html
+++ b/ansible/roles/mailserver/files/default_website.html
@@ -1 +1,38 @@
-<h1>mail2.nbit.ch</h1>
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="author" content="Joerg Lehmann">
+    <meta name="description" content="nbit Informatik Gmbh - Mailserver">
+    <meta property="og:title" content="nbit Informatik GmbH - Mailserver" />
+    <meta name="referrer" content="no-referrer">
+    <title>nbit Informatik GmbH - Mailserver</title>
+    <link rel="stylesheet" type="text/css" href="/css/bulma-nbit.css" />
+    <link rel="stylesheet" type="text/css" href="/css/nbit.css" />
+    <link rel="icon" type="image/png" href="/images/favicon-nbit-32x32.png" sizes="32x32">
+    <link rel="icon" type="image/png" href="/images/favicon-nbit-16x16.png" sizes="16x16">
+  </head>
+
+  <body>
+    <div class="container">
+      <div class="box has-background-light has-padding-10 has-margin-bottom-30 has-margin-top-10">
+        <div class="nbitlogo">
+          <img src="/images/nbit-logo.png" alt="nbit Informatik GmbH Logo">
+        </div>
+        <div class="emaillogo">
+          <img src="/images/mailserver.png" alt="nbit Informatik GmbH Mailserver Logo">
+        </div>
+        <p>
+          <h1>Mailserver der nbit Informatik GmbH</h1>
+        </p>
+        <p>
+<a href="https://mail2.nbit.ch/rainloop">Webmail</a>
+        </p>
+        <p>
+<a href="https://mail2.nbit.ch/mailboxadm">Mailbox Management</a>
+        </p>
+      </div>
+    </div>
+  </body>
+</html>
diff --git a/ansible/roles/mailserver/files/dkim_signing.conf b/ansible/roles/mailserver/files/dkim_signing.conf
new file mode 100644
index 0000000..2fa3cf9
--- /dev/null
+++ b/ansible/roles/mailserver/files/dkim_signing.conf
@@ -0,0 +1,5 @@
+path = "/var/lib/rspamd/dkim/$selector.key";
+selector = "2020";
+
+### Enable DKIM signing for alias sender addresses
+allow_username_mismatch = true;
diff --git a/ansible/roles/mailserver/files/dovecot.conf b/ansible/roles/mailserver/files/dovecot.conf
index c1b6b84..8d738d1 100644
--- a/ansible/roles/mailserver/files/dovecot.conf
+++ b/ansible/roles/mailserver/files/dovecot.conf
@@ -11,8 +11,8 @@ protocols = imap lmtp sieve
 ##
 
 ssl = required
-ssl_cert = </etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem
-ssl_key = </etc/letsencrypt/live/mail2.nbit.ch/privkey.pem
+ssl_cert = </root/.acme.sh/mail2.nbit.ch/fullchain.cer
+ssl_key = </root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key
 ssl_dh = </etc/dovecot/dh4096.pem
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
diff --git a/ansible/roles/mailserver/files/local.conf b/ansible/roles/mailserver/files/local.conf
new file mode 100644
index 0000000..758b827
--- /dev/null
+++ b/ansible/roles/mailserver/files/local.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=network-online.target
diff --git a/ansible/roles/mailserver/files/mail.nbit.ch.conf b/ansible/roles/mailserver/files/mail.nbit.ch.conf
index 19e6e5c..1a7789d 100644
--- a/ansible/roles/mailserver/files/mail.nbit.ch.conf
+++ b/ansible/roles/mailserver/files/mail.nbit.ch.conf
@@ -7,11 +7,29 @@ server {
         server_name mail2.nbit.ch;
 
         root         /var/www/default_webroot;
-        ssl_certificate /etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/mail2.nbit.ch/privkey.pem;
+        ssl_certificate /root/.acme.sh/mail2.nbit.ch/fullchain.cer;
+        ssl_certificate_key /root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key;
 
         add_header Strict-Transport-Security max-age=15768000;
 
+        index index.php index.htm index.html;
+
+        location ~ \.(php|phar)(/.*)?$ {
+            fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
+
+            fastcgi_intercept_errors on;
+            fastcgi_index  index.php;
+            include        fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_param  PATH_INFO $fastcgi_path_info;
+            fastcgi_pass   php-fpm;
+        }
+
+        # Wegen Rainloop...
+	location ^~ /data {
+	  deny all;
+	}
+
         location /rspamd/ {
                 proxy_pass http://localhost:11334/;
                 proxy_set_header Host $host;
diff --git a/ansible/roles/mailserver/files/master.cf b/ansible/roles/mailserver/files/master.cf
new file mode 100644
index 0000000..1d408a7
--- /dev/null
+++ b/ansible/roles/mailserver/files/master.cf
@@ -0,0 +1,78 @@
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+###
+### SMTP-Serverbindungen aus dem Internet
+### Authentifizuerung hier nicht erlaubt (Anmeldung nur via smtps/submission!)
+smtp      inet  n       -       n       -       1       smtpd     
+    -o smtpd_sasl_auth_enable=no
+###
+### SMTPS Service (Submission mit implizitem TLS - ohne STARTTLS) - Port 465
+### Für Mailclients gelten andere Regeln, als für andere Mailserver (siehe smtpd_ in main.cf)
+###
+smtps     inet  n       -       n       -       -       smtpd
+    -o syslog_name=postfix/smtps
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=private/auth
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_client_restrictions=$mua_client_restrictions
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o smtpd_relay_restrictions=$mua_relay_restrictions
+    -o milter_macro_daemon_name=ORIGINATING
+    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
+    -o smtpd_helo_required=no
+    -o smtpd_helo_restrictions=
+    -o cleanup_service_name=submission-header-cleanup
+###
+### Submission-Zugang für Clients (mit STARTTLS - für Rückwärtskompatibilität) - Port 587
+###
+submission inet n       -       n       -       -       smtpd
+    -o syslog_name=postfix/submission
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=private/auth
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_client_restrictions=$mua_client_restrictions
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o smtpd_relay_restrictions=$mua_relay_restrictions
+    -o milter_macro_daemon_name=ORIGINATING
+    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
+    -o smtpd_helo_required=no
+    -o smtpd_helo_restrictions=
+    -o cleanup_service_name=submission-header-cleanup
+###
+### Weitere wichtige Dienste für den Serverbetrieb
+###
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+###
+### Cleanup-Service um MUA header zu entfernen
+###
+submission-header-cleanup unix n - n    -       0       cleanup
+    -o header_checks=regexp:/etc/postfix/submission_header_cleanup
diff --git a/ansible/roles/mailserver/files/renew-certificates b/ansible/roles/mailserver/files/renew-certificates
deleted file mode 100644
index de3c0dd..0000000
--- a/ansible/roles/mailserver/files/renew-certificates
+++ /dev/null
@@ -1 +0,0 @@
-0 20 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
diff --git a/ansible/roles/mailserver/files/submission_header_cleanup b/ansible/roles/mailserver/files/submission_header_cleanup
new file mode 100644
index 0000000..b8bdc88
--- /dev/null
+++ b/ansible/roles/mailserver/files/submission_header_cleanup
@@ -0,0 +1,6 @@
+### Entfernt Datenschutz-relevante Header aus E-Mails von MTUAs
+
+/^Received:/            IGNORE
+/^X-Originating-IP:/    IGNORE
+/^X-Mailer:/            IGNORE
+/^User-Agent:/          IGNORE
diff --git a/ansible/roles/mailserver/handlers/main.yml b/ansible/roles/mailserver/handlers/main.yml
index 9cfdc32..ef6ba3f 100644
--- a/ansible/roles/mailserver/handlers/main.yml
+++ b/ansible/roles/mailserver/handlers/main.yml
@@ -38,3 +38,6 @@
   service:
     name=nginx
     state=restarted
+
+- name: Restore selinux context
+  command: restorecon -irv /etc/letsecnrypt/nbit.ch
diff --git a/ansible/roles/mailserver/tasks/main.yml b/ansible/roles/mailserver/tasks/main.yml
index e2c54eb..c269535 100644
--- a/ansible/roles/mailserver/tasks/main.yml
+++ b/ansible/roles/mailserver/tasks/main.yml
@@ -20,8 +20,40 @@
     - mariadb-server
     - nginx
     - unbound
-    - certbot
     - haveged
+    - php-fpm
+    - php-mysqlnd
+    - php-json
+    - php-xml
+    - socat
+
+- name: Replace apache with nginx in config file
+  replace:
+    path: /etc/php-fpm.d/www.conf
+    regexp: '^(user|group) = apache'
+    replace: '\1 = nginx'
+
+- name: Allow webserver to read files in /etc/letsencrypt/nbit.ch
+  sefcontext:
+    target: '/etc/letsencrypt/nbit.ch(/.*)?'
+    setype: public_content_t
+    state: present
+  notify:
+    - Restore selinux context
+
+- name: create /etc/systemd/system/postfix.service.d
+  file:
+    path: /etc/systemd/system/postfix.service.d
+    state: directory
+    mode: '0755'
+
+- name: Copy /etc/systemd/system/postfix.service.d/local.conf
+  copy:
+    src: local.conf
+    dest: /etc/systemd/system/postfix.service.d/local.conf
+    owner: root
+    group: root
+    mode: '0644'
 
 - name: enable services
   systemd:
@@ -37,6 +69,7 @@
     - postfix
     - redis
     - rspamd
+    - php-fpm
 
 - name: Copy disable_dns.conf
   copy:
@@ -143,7 +176,17 @@
     group: postfix
     mode: '0755'
 
-- name: Create postfix conf
+- name: Create postfix conf - master.cf
+  copy:
+    src: master.cf
+    dest: "/etc/postfix/master.cf"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart postfix
+
+- name: Create postfix conf - main.cf
   template:
     src: main.cf.j2
     dest: "/etc/postfix/main.cf"
@@ -153,6 +196,16 @@
     mode: '0644'
   notify: Restart postfix
 
+- name: Create postfix conf - submission_header_cleanup
+  copy:
+    src: submission_header_cleanup
+    dest: "/etc/postfix/submission_header_cleanup"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart postfix
+
 - name: create postfix sql files
   template:
     src: "{{ item }}.j2"
@@ -232,21 +285,67 @@
    - blacklist_ip.map
    - blacklist_from.map
 
+- name: create /etc/rspamd/local.d/dkim_signing.conf
+  copy:
+    src: "dkim_signing.conf"
+    dest: "/etc/rspamd/local.d/dkim_signing.conf"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart rspamd
+
+- name: create /etc/rspamd/local.d/arc.conf
+  copy:
+    # same as dkim_signing.conf
+    src: "dkim_signing.conf"
+    dest: "/etc/rspamd/local.d/arc.conf"
+    owner: root
+    group: root
+    backup: no
+    mode: '0644'
+  notify: Restart rspamd
+
 - name: Set httpd_can_network_connect flag on and keep it persistent across reboots
   seboolean:
     name: httpd_can_network_connect
     state: yes
     persistent: yes
 
-- name: create Cronjob for certbot
+- name: create Cronjob for MysqlDB Backups
   copy:
-    src: renew-certificates
-    dest: "/etc/cron.d/renew-certificates"
+    src: backup-mysql-dbs
+    dest: "/etc/cron.d/backup-mysql-dbs"
     owner: root
     group: root
     backup: no
     mode: '0644'
 
+- name: create Mysql Backupscript
+  copy:
+    src: backup-mysql-dbs.sh
+    dest: "/usr/local/bin/backup-mysql-dbs.sh"
+    owner: root
+    group: root
+    backup: no
+    mode: '0755'
+
+- name: Create /backup
+  file:
+    path: "/backup"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create /backup/mysql-dumps
+  file:
+    path: "/backup/mysql-dumps"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
 - name: Replace nginx root
   lineinfile:
     path: /etc/nginx/nginx.conf
@@ -257,6 +356,14 @@
     mode: '0644'
   notify: Restart nginx
 
+- name: Change /var/lib/php/session group
+  file:
+    path: "/var/lib/php/session"
+    state: directory
+    owner: root
+    group: nginx
+    mode: '0770'
+
 - name: Create /var/www/default_webroot
   file:
     path: "/var/www/default_webroot"
@@ -273,3 +380,13 @@
     group: root
     backup: no
     mode: '0644'
+
+- sefcontext:
+    target: '/var/www/default_webroot/rainloop(/.*)?'
+    setype: httpd_sys_rw_content_t
+    state: present
+
+- sefcontext:
+    target: '/var/vmail/mailboxes(/.*)?'
+    setype: mail_home_rw_t
+    state: present
diff --git a/ansible/roles/mailserver/templates/accounts.cf.j2 b/ansible/roles/mailserver/templates/accounts.cf.j2
index 97caeb3..33fcd06 100644
--- a/ansible/roles/mailserver/templates/accounts.cf.j2
+++ b/ansible/roles/mailserver/templates/accounts.cf.j2
@@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
diff --git a/ansible/roles/mailserver/templates/aliases.cf.j2 b/ansible/roles/mailserver/templates/aliases.cf.j2
index 7c02f12..52646ef 100644
--- a/ansible/roles/mailserver/templates/aliases.cf.j2
+++ b/ansible/roles/mailserver/templates/aliases.cf.j2
@@ -1,6 +1,6 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT DISTINCT concat(destination_username, '@', destination_domain) AS destinations FROM aliases
         WHERE (source_username = '%u' OR source_username IS NULL) AND source_domain = '%d'
diff --git a/ansible/roles/mailserver/templates/domains.cf.j2 b/ansible/roles/mailserver/templates/domains.cf.j2
index d242b65..57984a4 100644
--- a/ansible/roles/mailserver/templates/domains.cf.j2
+++ b/ansible/roles/mailserver/templates/domains.cf.j2
@@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT domain FROM domains WHERE domain='%s';
diff --git a/ansible/roles/mailserver/templates/main.cf.j2 b/ansible/roles/mailserver/templates/main.cf.j2
index 50bd762..40eae72 100644
--- a/ansible/roles/mailserver/templates/main.cf.j2
+++ b/ansible/roles/mailserver/templates/main.cf.j2
@@ -3,7 +3,7 @@
 ##
 
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-inet_interfaces = 127.0.0.1, ::1, {{ ansible_default_ipv4.address }}, {{ ansible_default_ipv6.address }}
+inet_interfaces = 127.0.0.1, [::1], {{ ansible_default_ipv4.address }}, {{ ansible_default_ipv6.address }}
 myhostname = mail2.nbit.ch
 
 
@@ -43,8 +43,8 @@ smtpd_tls_ciphers = medium
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtpd_tls_cert_file=/etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem
-smtpd_tls_key_file=/etc/letsencrypt/live/mail2.nbit.ch/privkey.pem
+smtpd_tls_cert_file=/root/.acme.sh/mail2.nbit.ch/fullchain.cer
+smtpd_tls_key_file=/root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key
 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
 
 
@@ -59,8 +59,8 @@ virtual_transport = lmtp:unix:private/dovecot-lmtp
 ## Spamfilter und DKIM-Signaturen via Rspamd
 ##
 
-smtpd_milters = inet:localhost:11332
-non_smtpd_milters = inet:localhost:11332
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = inet:127.0.0.1:11332
 milter_protocol = 6
 milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = accept
diff --git a/ansible/roles/mailserver/templates/recipient-access.cf.j2 b/ansible/roles/mailserver/templates/recipient-access.cf.j2
index 4e9bc50..7ec702c 100644
--- a/ansible/roles/mailserver/templates/recipient-access.cf.j2
+++ b/ansible/roles/mailserver/templates/recipient-access.cf.j2
@@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
diff --git a/ansible/roles/mailserver/templates/sender-login-maps.cf.j2 b/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
index ebb3871..9286fef 100644
--- a/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
+++ b/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
@@ -1,6 +1,6 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select 
         concat(destination_username, '@', destination_domain) AS 'owns' from aliases 
diff --git a/ansible/roles/mailserver/templates/tls-policy.cf.j2 b/ansible/roles/mailserver/templates/tls-policy.cf.j2
index 0333689..81e31f7 100644
--- a/ansible/roles/mailserver/templates/tls-policy.cf.j2
+++ b/ansible/roles/mailserver/templates/tls-policy.cf.j2
@@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';