push as of 05jul2021

2021-07-05 15:10:51 +02:00 · 2021-07-05 15:10:51 +02:00 · eb02fb37a1
parent 87a2ae27c6
commit eb02fb37a1
21 changed files with 381 additions and 26 deletions
--- a/README.md
+++ b/README.md
@ -39,21 +39,60 @@ Root-Passwort setzen (das machen wir von Hand)
 ## Ansible Playbook laufen lassen
 ```bash
 $ cd ansible
-$ ansible-playbook -i production mailserver.yml
+$ ansible-playbook -i production --ask-vault-pass mailserver.yml
 ```
 ## Zertifikate erzeugen
 ```bash
-# systemctl stop nginx
+# curl https://get.acme.sh | sh -s email=postmaster@nbit.ch
-# certbot certonly --noninteractive --standalone --agree-tos -m postmaster@nbit.ch -d mail2.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch
+# acme.sh --issue -d mail.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch -w /var/www/default_webroot
-# systemctl start nginx
+
 [Fr Mär  5 10:16:02 CET 2021] Your cert is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.cer 
 [Fr Mär  5 10:16:02 CET 2021] Your cert key is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.key 
 [Fr Mär  5 10:16:02 CET 2021] The intermediate CA cert is in  /root/.acme.sh/mail.nbit.ch/ca.cer 
 [Fr Mär  5 10:16:02 CET 2021] And the full chain certs is there:  /root/.acme.sh/mail.nbit.ch/fullchain.cer 
 Install Certificate:
 # acme.sh --install-cert -d mail.nbit.ch --key-file /etc/letsencrypt/nbit.ch/mail.nbit.ch.key --fullchain-file /etc/letsencrypt/nbit.ch/fullchain.cer --reloadcmd  "service nginx force-reload"
 ```
 ## SELinux Policy for Certificates
 ```
 [root@mail ~]# cat my-mailserver.te 
 module my-mailserver 1.0;
 require {
        type dovecot_t;
        type postfix_smtpd_t;
        type public_content_t;
        class file read;
        class file open;
        class file getattr;
 }
 #============= dovecot_t ==============
 allow dovecot_t public_content_t:file read;
 allow dovecot_t public_content_t:file open;
 #============= postfix_smtpd_t ==============
 allow postfix_smtpd_t public_content_t:file read;
 allow postfix_smtpd_t public_content_t:file open;
 allow postfix_smtpd_t public_content_t:file getattr;
 [root@mail ~]# checkmodule -M -m -o my-mailserver.mod my-mailserver.te
 [root@mail ~]# semodule_package -o my-mailserver.pp -m my-mailserver.mod
 [root@mail ~]# semodule -i my-mailserver.pp
 ```
 ## DB erstellen
 ```bash
 # mysql
 MariaDB [(none)]> create database vmail CHARACTER SET 'utf8';
 MariaDB [(none)]> grant select on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';    
 MariaDB [(none)]> grant  SELECT, UPDATE, INSERT, DELETE on vmail.* to 'mailboxadm'@'localhost' identified by 'mailboxadmdbpass';    
 # anderes Passwort waehlen!
 MariaDB [(none)]> use vmail;
@ -62,6 +101,7 @@ Folgende Statements durchfuehren:
 CREATE TABLE `domains` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
    `mailboxadmin` boolean DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY (`domain`)
 );
@ -74,6 +114,7 @@ CREATE TABLE `accounts` (
    `quota` int unsigned DEFAULT '0',
    `enabled` boolean DEFAULT '0',
    `sendonly` boolean DEFAULT '0',
    `mailboxadmin` boolean DEFAULT '0',
    PRIMARY KEY (id),
    UNIQUE KEY (`username`, `domain`),
    FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
@ -101,4 +142,22 @@ CREATE TABLE `tlspolicies` (
 );
 ```
 ## Mail Domains und Users einrichten
 ```bash
 MariaDB [(none)]> insert into domains (domain) values ('mysystems.tld');
 $ doveadm pw -s SHA512-CRYPT
 MariaDB [(none)]> insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$6$wHyJsS[...]', 2048, true, false);
 MariaDB [(none)]> insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('alias', 'mysystems.tld', 'user1', 'mysystems.tld', true);
 ```
 ## DKIM Signing (manuell einrichten)
 ```bash
 # mkdir /var/lib/rspamd/dkim
 # rspamadm dkim_keygen -b 2048 -s 2020 -k /var/lib/rspamd/dkim/2020.key > /var/lib/rspamd/dkim/2020.txt
 # chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
 # chmod 440 /var/lib/rspamd/dkim/*
 ```
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -15,6 +15,9 @@
    - telnet
    - git
    - yum-utils
    - wget
    - unzip
    - tar
 - name: Enable SELinux
  selinux:
@ -82,6 +85,7 @@
    service: "{{ item }}"
    permanent: yes
    state: disabled
    immediate: yes
  loop:
    - cockpit
  notify: reload firewalld
@ -91,8 +95,10 @@
    port: "{{ item }}"
    permanent: yes
    state: enabled
    immediate: yes
  loop:
    - 10050/tcp
    - 587/tcp
  notify: reload firewalld
 - name: Create ~/.forward
--- a/ansible/roles/mailserver/files/backup-mysql-dbs
+++ b/ansible/roles/mailserver/files/backup-mysql-dbs
@ -0,0 +1,4 @@
 #
 # Backup Mysql DBs (dump)
 #
 55 3 * * * root /usr/local/bin/backup-mysql-dbs.sh >/dev/null
--- a/ansible/roles/mailserver/files/backup-mysql-dbs.sh
+++ b/ansible/roles/mailserver/files/backup-mysql-dbs.sh
@ -0,0 +1,21 @@
 #!/bin/bash
 umask 077
 echo "Alle MySQL-Datenbanken sichern:"
 # Bereinigte Liste der Datenbanken erzeugen
 DBASELIST=`mktemp`
 mysqlshow | awk '{print $2}' | grep -v Databases | sort >$DBASELIST
 # Wohin sollen die ganzen Backups geschrieben werden?
 cd /backup/mysql-dumps
 dir="mysql-dumps-$(hostname)-$(date +%Y%m%d)"
 mkdir -p ${dir}
 cd ${dir}
 for x in `cat $DBASELIST`; do 
    echo "Datenbank: $x sichern"; 
    mysqldump --opt --single-transaction $x >$x.sql;
 done;
 cd /backup/mysql-dumps
 tar cvzf ${dir}.tar.gz ${dir} >/dev/null && rm -rf /backup/mysql-dumps/${dir} 
 # Cleanup
 find /backup/mysql-dumps -type f -mtime +100 \( ! -name "backup-*-*1.????.tar.gz" ! -name "mysql-dumps-???????1.tar.gz" \) -exec rm {} \;
--- a/ansible/roles/mailserver/files/default_website.html
+++ b/ansible/roles/mailserver/files/default_website.html
@ -1 +1,38 @@
-<h1>mail2.nbit.ch</h1>
+<!DOCTYPE html>
 <html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="author" content="Joerg Lehmann">
    <meta name="description" content="nbit Informatik Gmbh - Mailserver">
    <meta property="og:title" content="nbit Informatik GmbH - Mailserver" />
    <meta name="referrer" content="no-referrer">
    <title>nbit Informatik GmbH - Mailserver</title>
    <link rel="stylesheet" type="text/css" href="/css/bulma-nbit.css" />
    <link rel="stylesheet" type="text/css" href="/css/nbit.css" />
    <link rel="icon" type="image/png" href="/images/favicon-nbit-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/images/favicon-nbit-16x16.png" sizes="16x16">
  </head>
  <body>
    <div class="container">
      <div class="box has-background-light has-padding-10 has-margin-bottom-30 has-margin-top-10">
        <div class="nbitlogo">
          <img src="/images/nbit-logo.png" alt="nbit Informatik GmbH Logo">
        </div>
        <div class="emaillogo">
          <img src="/images/mailserver.png" alt="nbit Informatik GmbH Mailserver Logo">
        </div>
        <p>
          <h1>Mailserver der nbit Informatik GmbH</h1>
        </p>
        <p>
 <a href="https://mail2.nbit.ch/rainloop">Webmail</a>
        </p>
        <p>
 <a href="https://mail2.nbit.ch/mailboxadm">Mailbox Management</a>
        </p>
      </div>
    </div>
  </body>
 </html>
--- a/ansible/roles/mailserver/files/dkim_signing.conf
+++ b/ansible/roles/mailserver/files/dkim_signing.conf
@ -0,0 +1,5 @@
 path = "/var/lib/rspamd/dkim/$selector.key";
 selector = "2020";
 ### Enable DKIM signing for alias sender addresses
 allow_username_mismatch = true;
--- a/ansible/roles/mailserver/files/dovecot.conf
+++ b/ansible/roles/mailserver/files/dovecot.conf
@ -11,8 +11,8 @@ protocols = imap lmtp sieve
 ##
 ssl = required
-ssl_cert = </etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem
+ssl_cert = </root/.acme.sh/mail2.nbit.ch/fullchain.cer
-ssl_key = </etc/letsencrypt/live/mail2.nbit.ch/privkey.pem
+ssl_key = </root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key
 ssl_dh = </etc/dovecot/dh4096.pem
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
--- a/ansible/roles/mailserver/files/local.conf
+++ b/ansible/roles/mailserver/files/local.conf
@ -0,0 +1,2 @@
 [Unit]
 After=network-online.target
--- a/ansible/roles/mailserver/files/mail.nbit.ch.conf
+++ b/ansible/roles/mailserver/files/mail.nbit.ch.conf
@ -7,11 +7,29 @@ server {
        server_name mail2.nbit.ch;
        root         /var/www/default_webroot;
-        ssl_certificate /etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem;
+        ssl_certificate /root/.acme.sh/mail2.nbit.ch/fullchain.cer;
-        ssl_certificate_key /etc/letsencrypt/live/mail2.nbit.ch/privkey.pem;
+        ssl_certificate_key /root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key;
        add_header Strict-Transport-Security max-age=15768000;
        index index.php index.htm index.html;
        location ~ \.(php|phar)(/.*)?$ {
            fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
            fastcgi_intercept_errors on;
            fastcgi_index  index.php;
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO $fastcgi_path_info;
            fastcgi_pass   php-fpm;
        }
        # Wegen Rainloop...
 	location ^~ /data {
 	  deny all;
 	}
        location /rspamd/ {
                proxy_pass http://localhost:11334/;
                proxy_set_header Host $host;
--- a/ansible/roles/mailserver/files/master.cf
+++ b/ansible/roles/mailserver/files/master.cf
@ -0,0 +1,78 @@
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
 ###
 ### SMTP-Serverbindungen aus dem Internet
 ### Authentifizuerung hier nicht erlaubt (Anmeldung nur via smtps/submission!)
 smtp      inet  n       -       n       -       1       smtpd     
    -o smtpd_sasl_auth_enable=no
 ###
 ### SMTPS Service (Submission mit implizitem TLS - ohne STARTTLS) - Port 465
 ### Für Mailclients gelten andere Regeln, als für andere Mailserver (siehe smtpd_ in main.cf)
 ###
 smtps     inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
 ###
 ### Submission-Zugang für Clients (mit STARTTLS - für Rückwärtskompatibilität) - Port 587
 ###
 submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
 ###
 ### Weitere wichtige Dienste für den Serverbetrieb
 ###
 pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
 tlsmgr    unix  -       -       n       1000?   1       tlsmgr
 rewrite   unix  -       -       n       -       -       trivial-rewrite
 bounce    unix  -       -       n       -       0       bounce
 defer     unix  -       -       n       -       0       bounce
 trace     unix  -       -       n       -       0       bounce
 verify    unix  -       -       n       -       1       verify
 flush     unix  n       -       n       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       n       -       -       smtp
 relay     unix  -       -       n       -       -       smtp
 showq     unix  n       -       n       -       -       showq
 error     unix  -       -       n       -       -       error
 retry     unix  -       -       n       -       -       error
 discard   unix  -       -       n       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       n       -       1       anvil
 scache    unix  -       -       n       -       1       scache
 ###
 ### Cleanup-Service um MUA header zu entfernen
 ###
 submission-header-cleanup unix n - n    -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup
--- a/ansible/roles/mailserver/files/renew-certificates
+++ b/ansible/roles/mailserver/files/renew-certificates
@ -1 +0,0 @@
 0 20 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
--- a/ansible/roles/mailserver/files/submission_header_cleanup
+++ b/ansible/roles/mailserver/files/submission_header_cleanup
@ -0,0 +1,6 @@
 ### Entfernt Datenschutz-relevante Header aus E-Mails von MTUAs
 /^Received:/            IGNORE
 /^X-Originating-IP:/    IGNORE
 /^X-Mailer:/            IGNORE
 /^User-Agent:/          IGNORE
--- a/ansible/roles/mailserver/handlers/main.yml
+++ b/ansible/roles/mailserver/handlers/main.yml
@ -38,3 +38,6 @@
  service:
    name=nginx
    state=restarted
 - name: Restore selinux context
  command: restorecon -irv /etc/letsecnrypt/nbit.ch
--- a/ansible/roles/mailserver/tasks/main.yml
+++ b/ansible/roles/mailserver/tasks/main.yml
@ -20,8 +20,40 @@
    - mariadb-server
    - nginx
    - unbound
    - certbot
    - haveged
    - php-fpm
    - php-mysqlnd
    - php-json
    - php-xml
    - socat
 - name: Replace apache with nginx in config file
  replace:
    path: /etc/php-fpm.d/www.conf
    regexp: '^(user|group) = apache'
    replace: '\1 = nginx'
 - name: Allow webserver to read files in /etc/letsencrypt/nbit.ch
  sefcontext:
    target: '/etc/letsencrypt/nbit.ch(/.*)?'
    setype: public_content_t
    state: present
  notify:
    - Restore selinux context
 - name: create /etc/systemd/system/postfix.service.d
  file:
    path: /etc/systemd/system/postfix.service.d
    state: directory
    mode: '0755'
 - name: Copy /etc/systemd/system/postfix.service.d/local.conf
  copy:
    src: local.conf
    dest: /etc/systemd/system/postfix.service.d/local.conf
    owner: root
    group: root
    mode: '0644'
 - name: enable services
  systemd:
@ -37,6 +69,7 @@
    - postfix
    - redis
    - rspamd
    - php-fpm
 - name: Copy disable_dns.conf
  copy:
@ -143,7 +176,17 @@
    group: postfix
    mode: '0755'
- name: Create postfix conf
+- name: Create postfix conf - master.cf
  copy:
    src: master.cf
    dest: "/etc/postfix/master.cf"
    owner: root
    group: root
    backup: no
    mode: '0644'
  notify: Restart postfix
 - name: Create postfix conf - main.cf
  template:
    src: main.cf.j2
    dest: "/etc/postfix/main.cf"
@ -153,6 +196,16 @@
    mode: '0644'
  notify: Restart postfix
 - name: Create postfix conf - submission_header_cleanup
  copy:
    src: submission_header_cleanup
    dest: "/etc/postfix/submission_header_cleanup"
    owner: root
    group: root
    backup: no
    mode: '0644'
  notify: Restart postfix
 - name: create postfix sql files
  template:
    src: "{{ item }}.j2"
@ -232,21 +285,67 @@
   - blacklist_ip.map
   - blacklist_from.map
 - name: create /etc/rspamd/local.d/dkim_signing.conf
  copy:
    src: "dkim_signing.conf"
    dest: "/etc/rspamd/local.d/dkim_signing.conf"
    owner: root
    group: root
    backup: no
    mode: '0644'
  notify: Restart rspamd
 - name: create /etc/rspamd/local.d/arc.conf
  copy:
    # same as dkim_signing.conf
    src: "dkim_signing.conf"
    dest: "/etc/rspamd/local.d/arc.conf"
    owner: root
    group: root
    backup: no
    mode: '0644'
  notify: Restart rspamd
 - name: Set httpd_can_network_connect flag on and keep it persistent across reboots
  seboolean:
    name: httpd_can_network_connect
    state: yes
    persistent: yes
- name: create Cronjob for certbot
+- name: create Cronjob for MysqlDB Backups
  copy:
-    src: renew-certificates
+    src: backup-mysql-dbs
-    dest: "/etc/cron.d/renew-certificates"
+    dest: "/etc/cron.d/backup-mysql-dbs"
    owner: root
    group: root
    backup: no
    mode: '0644'
 - name: create Mysql Backupscript
  copy:
    src: backup-mysql-dbs.sh
    dest: "/usr/local/bin/backup-mysql-dbs.sh"
    owner: root
    group: root
    backup: no
    mode: '0755'
 - name: Create /backup
  file:
    path: "/backup"
    state: directory
    owner: root
    group: root
    mode: '0755'
 - name: Create /backup/mysql-dumps
  file:
    path: "/backup/mysql-dumps"
    state: directory
    owner: root
    group: root
    mode: '0755'
 - name: Replace nginx root
  lineinfile:
    path: /etc/nginx/nginx.conf
@ -257,6 +356,14 @@
    mode: '0644'
  notify: Restart nginx
 - name: Change /var/lib/php/session group
  file:
    path: "/var/lib/php/session"
    state: directory
    owner: root
    group: nginx
    mode: '0770'
 - name: Create /var/www/default_webroot
  file:
    path: "/var/www/default_webroot"
@ -273,3 +380,13 @@
    group: root
    backup: no
    mode: '0644'
 - sefcontext:
    target: '/var/www/default_webroot/rainloop(/.*)?'
    setype: httpd_sys_rw_content_t
    state: present
 - sefcontext:
    target: '/var/vmail/mailboxes(/.*)?'
    setype: mail_home_rw_t
    state: present
--- a/ansible/roles/mailserver/templates/accounts.cf.j2
+++ b/ansible/roles/mailserver/templates/accounts.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
--- a/ansible/roles/mailserver/templates/aliases.cf.j2
+++ b/ansible/roles/mailserver/templates/aliases.cf.j2
@ -1,6 +1,6 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT DISTINCT concat(destination_username, '@', destination_domain) AS destinations FROM aliases
        WHERE (source_username = '%u' OR source_username IS NULL) AND source_domain = '%d'
--- a/ansible/roles/mailserver/templates/domains.cf.j2
+++ b/ansible/roles/mailserver/templates/domains.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT domain FROM domains WHERE domain='%s';
--- a/ansible/roles/mailserver/templates/main.cf.j2
+++ b/ansible/roles/mailserver/templates/main.cf.j2
@ -3,7 +3,7 @@
 ##
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-inet_interfaces = 127.0.0.1, ::1, {{ ansible_default_ipv4.address }}, {{ ansible_default_ipv6.address }}
+inet_interfaces = 127.0.0.1, [::1], {{ ansible_default_ipv4.address }}, {{ ansible_default_ipv6.address }}
 myhostname = mail2.nbit.ch
@ -43,8 +43,8 @@ smtpd_tls_ciphers = medium
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtpd_tls_cert_file=/etc/letsencrypt/live/mail2.nbit.ch/fullchain.pem
+smtpd_tls_cert_file=/root/.acme.sh/mail2.nbit.ch/fullchain.cer
-smtpd_tls_key_file=/etc/letsencrypt/live/mail2.nbit.ch/privkey.pem
+smtpd_tls_key_file=/root/.acme.sh/mail2.nbit.ch/mail2.nbit.ch.key
 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
@ -59,8 +59,8 @@ virtual_transport = lmtp:unix:private/dovecot-lmtp
 ## Spamfilter und DKIM-Signaturen via Rspamd
 ##
-smtpd_milters = inet:localhost:11332
+smtpd_milters = inet:127.0.0.1:11332
-non_smtpd_milters = inet:localhost:11332
+non_smtpd_milters = inet:127.0.0.1:11332
 milter_protocol = 6
 milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = accept
--- a/ansible/roles/mailserver/templates/recipient-access.cf.j2
+++ b/ansible/roles/mailserver/templates/recipient-access.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
--- a/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
+++ b/ansible/roles/mailserver/templates/sender-login-maps.cf.j2
@ -1,6 +1,6 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select 
        concat(destination_username, '@', destination_domain) AS 'owns' from aliases 
--- a/ansible/roles/mailserver/templates/tls-policy.cf.j2
+++ b/ansible/roles/mailserver/templates/tls-policy.cf.j2
@ -1,5 +1,5 @@
 user = vmail
 password = {{ vmaildbpass }}
-hosts = unix:/run/mysqld/mysqld.sock
+hosts = unix:/var/lib/mysql/mysql.sock
 dbname = vmail
 query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';
		`@ -1 +0,0 @@`
			`0 20 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew`