From 66717dcc139a5ac00d7f343f258c4e08bf8bcb36 Mon Sep 17 00:00:00 2001 
From: VC Date: Wed, 4 Sep 2019 18:02:51 +0200 Subject: [PATCH] =?UTF-8?q?Bascule=20Z-Push,=20pr=C3=A9paration=20Mail?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- mail.yml | 7 + production/hosts | 4 +- roles/dovecot/files/dovecot.conf | 86 ++++++++ roles/dovecot/handlers/main.yml | 4 + roles/dovecot/tasks/main.yml | 15 ++ roles/firewall/templates/firewall.j2 | 11 ++ roles/mailman/files/mm_cfg.py | 109 +++++++++++ roles/mailman/handlers/main.yml | 4 + roles/mailman/tasks/main.yml | 11 ++ .../vhosts/autodiscover.libertus.eu.conf.j2 | 0 .../templates/vhosts/z.libertus.eu.conf.j2 | 38 ++++ roles/opendkim/files/dkim/KeyTable | 5 + roles/opendkim/files/dkim/PeerList | 2 + roles/opendkim/files/dkim/SigningTable | 5 + roles/opendkim/files/dkim/TrustedHosts | 1 + roles/opendkim/files/opendkim.conf | 10 + roles/opendkim/handlers/main.yml | 4 + roles/opendkim/tasks/main.yml | 32 +++ roles/postfix/files/generate_email.sh | 34 ++++ roles/postfix/files/main.cf | 75 +++++++ roles/postfix/files/master.cf | 83 ++++++++ roles/postfix/files/transport | 5 + roles/postfix/files/virtual-regexp | 1 + roles/postfix/handlers/main.yml | 14 ++ roles/postfix/tasks/main.yml | 34 ++++ roles/spamassassin/files/local.cf | 184 ++++++++++++++++++ roles/spamassassin/handlers/main.yml | 4 + roles/spamassassin/tasks/main.yml | 15 ++ roles/webapps/tasks/main.yml | 3 + roles/webapps/tasks/z-push.yml | 30 +++ 30 files changed, 828 insertions(+), 2 deletions(-) create mode 100644 mail.yml create mode 100644 roles/dovecot/files/dovecot.conf create mode 100644 roles/dovecot/handlers/main.yml create mode 100644 roles/dovecot/tasks/main.yml create mode 100644 roles/mailman/files/mm_cfg.py create mode 100644 roles/mailman/handlers/main.yml create mode 100644 roles/mailman/tasks/main.yml create mode 100644 roles/nginx/templates/vhosts/autodiscover.libertus.eu.conf.j2 create mode 100644 roles/nginx/templates/vhosts/z.libertus.eu.conf.j2 create mode 100644 
roles/opendkim/files/dkim/KeyTable create mode 100644 roles/opendkim/files/dkim/PeerList create mode 100644 roles/opendkim/files/dkim/SigningTable create mode 100644 roles/opendkim/files/dkim/TrustedHosts create mode 100644 roles/opendkim/files/opendkim.conf create mode 100644 roles/opendkim/handlers/main.yml create mode 100644 roles/opendkim/tasks/main.yml create mode 100755 roles/postfix/files/generate_email.sh create mode 100644 roles/postfix/files/main.cf create mode 100644 roles/postfix/files/master.cf create mode 100644 roles/postfix/files/transport create mode 100644 roles/postfix/files/virtual-regexp create mode 100644 roles/postfix/handlers/main.yml create mode 100644 roles/postfix/tasks/main.yml create mode 100644 roles/spamassassin/files/local.cf create mode 100644 roles/spamassassin/handlers/main.yml create mode 100644 roles/spamassassin/tasks/main.yml create mode 100644 roles/webapps/tasks/z-push.yml diff --git a/mail.yml b/mail.yml new file mode 100644 index 0000000..8486cb0 --- /dev/null +++ b/mail.yml @@ -0,0 +1,7 @@ +- hosts: mailservers + roles: + - postfix + - dovecot + - opendkim + - spamassassin + - mailman diff --git a/production/hosts b/production/hosts index 30d99a7..d3fb037 100644 --- a/production/hosts +++ b/production/hosts @@ -22,7 +22,7 @@ baybay-ponay.mateu.be borg_backup_path="['/home', '/etc']" borg_backup_excluded_ bt.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/transmission-daemon']" web1.dmz.mateu.be web2.dmz.mateu.be -mail.dmz.mateu.be +mail.dmz.mateu.be borg_backup_path="['/home', '/etc', '/var/lib/mailman']" jabber.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/prosody']" ror.dmz.mateu.be 
@@ -41,7 +41,7 @@ edelgard.dmz.mateu.be [webservers] bt.dmz.mateu.be web_hostname="['sonarr.mateu.be','bt.mateu.be','btf.mateu.be']" -web1.dmz.mateu.be web_hostname="['fav.libertus.eu', 'rss.libertus.eu', 'o.libertus.eu', 'blog.libertus.eu', 'mail.libertus.eu', 'perso.nintendojo.fr', 'perso.libertus.eu', 'r.mateu.be','coince.mateu.be']" +web1.dmz.mateu.be web_hostname="['fav.libertus.eu', 'rss.libertus.eu', 'o.libertus.eu', 'blog.libertus.eu', 'mail.libertus.eu', 'perso.nintendojo.fr', 'perso.libertus.eu', 'r.mateu.be','coince.mateu.be', 'z.libertus.eu', 'autodiscover.libertus.eu']" web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.nintendojo.fr', 'forum.nintendojo.fr', 'intendo.fr', 'www.intendo.fr']" ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']" #mail.dmz.mateu.be diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf new file mode 100644 index 0000000..77ce0a5 --- /dev/null +++ b/roles/dovecot/files/dovecot.conf @@ -0,0 +1,86 @@ +# 2.2.13: /etc/dovecot/dovecot.conf +# ajout de lmtp (service pour déterminer la socket, protocol pour récupérer les mêmes fonctions que le LDA) +# ajout de auth_username_format = %Ln pour vérifier que l'utilisateur est bien dans la base locale en passant par son nom et non par autre chose… +# 2018-08-20 mortal réintégration du fichier séparé 15-mailbox.conf + nettoyage/réorganisation + réécriture sieve globale +# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.0 + +listen = *,[::] + +protocols = imap lmtp + +ssl_cert = > /etc/aliases +/usr/bin/newaliases +systemctl reload postfix + +echo -n "" | mail -s "Votre nouvelle adresse temporaire pour $comment" $str1-$str2@mateu.be + diff --git a/roles/postfix/files/main.cf b/roles/postfix/files/main.cf new file mode 100644 index 0000000..aa2b57f --- /dev/null +++ b/roles/postfix/files/main.cf 
@@ -0,0 +1,75 @@ +## Configuration de postfix +## 05/08/2018 mortal Suppression de mailbox_command au profit de mailbox_transport : c'est toujours dovecot qui fait la livraison mais à travers une socket plutôt qu'un programme lancé par postfix +## 30/07/2015 mortal Suppression de la politique de réception pour wordpress@nintendojofr.com +## 18/04/2013 mortal Changement de la bannière +## 14/11/2012 mortal Ajout des domaines en relais ecolejmoulin-lepecq.fr +## 10/07/2012 mortal Ajout des instructions smtp en plus des instructions smtpd (avec smtp_tls_CApath pour avoir toutes les autorités de certif du système) +## 13/06/2012 mortal Ajout du milter pour DKIM +## 08/01/2012 mortal Ajout de recipient_delimiter pour mettre automatique des adresses en wildcard +## 06/12/2011 mortal Ajout de la politique SPF et de la timelimit pour les politiques +## 17/09/2010 mortal Suppression de la gestion de dalleau.fr +## 24/11/2008 mortal Ajout de la configuration home_mailbox +## 23/11/2009 mortal Ajout des options pour pop-before-smtp + ajout des options pour être serveur et client SMTP sur TLS +## 28/11/2009 mortal Ajout du domaine libertus.eu +## 02/12/2009 mortal Ajout du support IPv6 +## 09/12/2009 mortal Ajout de dalleau.fr +## 27/05/2010 mortal Suppression du passage par procmail +## 28/05/2010 mortal Authentification SASL auprès de dovecot, obligation d'être en TLS pour s'authentifier + +mail_name = I iz a mail server +inet_protocols = all +inet_interfaces = all +mynetworks = 163.172.112.17, 127.0.0.1, [::1]/128, 10.233.212.64/27, [2001:bc8:26c1:101::]/64, 10.233.212.0/26, [2001:bc8:26c1:105::]/64, 172.17.0.0/16 +#relayhost = 178.32.223.202 +relayhost = 37.187.5.75 +transport_maps = hash:/etc/postfix/transport +myhostname = n0box2.mateu.be +myorigin = mateu.be +mydestination = $myhostname,localhost.$mydomain,localhost,mateu.be,libertus.eu,p.libertus.eu,pipoworld.fr,nintendojo.fr +recipient_delimiter = + +virtual_alias_maps = regexp:/etc/postfix/virtual-regexp + 
+mail_owner = postfix +unknown_local_recipient_reject_code = 550 +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +#mailbox_command = /usr/lib/dovecot/deliver +mailbox_transport = lmtp:inet:127.0.0.1:24 +message_size_limit = 26214400 + +#SMTP de secours +maximal_queue_lifetime = 5d + +## Référence de chiffrement TLS +# serveur SMTP +smtpd_tls_cert_file = /etc/x509/smtp.libertus.eu/fullchain.cer +smtpd_tls_key_file = /etc/x509/smtp.libertus.eu/smtp.libertus.eu.key +smtpd_use_tls = yes +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_auth_only = yes +smtpd_tls_session_cache_timeout = 10s +smtpd_tls_loglevel = 1 +# client SMTP +smtp_tls_CApath = /etc/ssl/certs +smtp_tls_cert_file = /etc/x509/smtp.libertus.eu/fullchain.cer +smtp_tls_key_file = /etc/x509/smtp.libertus.eu/smtp.libertus.eu.key +smtp_use_tls = yes +smtp_tls_protocols = !SSLv2,!SSLv3 +smtp_tls_security_level = may +smtp_tls_loglevel = 1 + +# Référence de SASL (se sert de la socket de dovecot) +smtpd_sasl_auth_enable = yes +broken_sasl_auth_clients = yes +smtpd_sasl_security_options = noanonymous +smtpd_sasl_type = dovecot +smtpd_sasl_path = inet:localhost:26 + +# DKIM +milter_default_action = accept +milter_protocol = 2 +smtpd_milters = inet:localhost:8891 +non_smtpd_milters = inet:localhost:8891 + +compatibility_level = 2 + diff --git a/roles/postfix/files/master.cf b/roles/postfix/files/master.cf new file mode 100644 index 0000000..b1416f9 --- /dev/null +++ b/roles/postfix/files/master.cf 
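Review bot: `mynetworks` grants relay without authentication to every range it lists (Postfix's default relay restrictions start with `permit_mynetworks`), and the list is broad: `172.17.0.0/16` (which looks like a default Docker bridge range — confirm), one public address and two whole IPv6 /64s. Any compromised host or container in those ranges can send through this server without SASL, so trim the list to the systems that really submit mail and add a comment per entry naming the system. Separately, `smtpd_tls_protocols = !SSLv2,!SSLv3` and its `smtp_` twin still allow TLSv1 and TLSv1.1; once client compatibility is checked, consider `!SSLv2,!SSLv3,!TLSv1,!TLSv1.1`, and set `smtpd_tls_mandatory_protocols` the same way, since that is the setting that governs the `encrypt`-level submission service.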
@@ -0,0 +1,83 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd -o content_filter=spamassassin +submission inet n - - - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +smtps inet n - - - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup fifo n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - - - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. 
Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} +spamassassin unix - n n - - pipe + flags=R user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient} diff --git a/roles/postfix/files/transport b/roles/postfix/files/transport new file mode 100644 index 0000000..199cb9c --- /dev/null +++ b/roles/postfix/files/transport @@ -0,0 +1,5 @@ +caramail.com smtp: +gmx.com smtp: +gmx.us smtp: +gmx.fr smtp: +gmx.net smtp: diff --git a/roles/postfix/files/virtual-regexp b/roles/postfix/files/virtual-regexp new file mode 100644 index 0000000..f8f9b4b --- /dev/null +++ b/roles/postfix/files/virtual-regexp @@ -0,0 +1 @@ +/(.*)_(.*)@mateu.be/ ${1}+${2}@mateu.be 
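Review bot: Mail that passes through the `spamassassin` pipe service is re-injected with `/usr/sbin/sendmail`, so it re-enters via pickup/cleanup and hits `non_smtpd_milters` from main.cf, meaning OpenDKIM sees inbound Internet mail a second time as a local submission. Depending on OpenDKIM's signing and internal-hosts settings (not visible in this hunk), a message from outside whose From: uses one of the signing domains could come out of the filter carrying this server's DKIM signature. This is worth verifying with a test message. If it does get signed, re-inject through a dedicated loopback `smtpd` listener with `-o receive_override_options=no_milters`, or run SpamAssassin as a milter instead of through `content_filter`.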
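Review bot: The pattern `/(.*)_(.*)@mateu.be/` in virtual-regexp is unanchored and its dot is unescaped, so it also matches recipients such as `a_b@mateu.be.example.org` or `a_b@mateuxbe` (constructed examples) and rewrites them to a local `+` address. `virtual_alias_maps` is applied to every recipient, not only local ones, so anchor and escape it: `/^(.*)_(.*)@mateu\.be$/ ${1}+${2}@mateu.be`. The greedy first group also splits an address with several underscores at the last one; add a comment if that is intended.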
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..7ec66b0
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,14 @@
+- name: postmap virtual-regexp
+ command: postmap /etc/postfix/virtual-regexp
+ listen: "postmap files"
+
+- name: postmap transport
+ command: postmap /etc/postfix/transport
+ listen: "postmap files"
+
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+
+
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..98edee7
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: install postfix
+ package:
+ name: postfix
+ state: present
+
+- name: main configuration files
+ copy:
+ src: "./files/{{ item }}"
+ dest: "/etc/postfix/{{ item }}"
+ loop:
+ - main.cf
+ - master.cf
+ notify:
+ - restart postfix
+
+- name: map files
+ copy:
+ src: "./files/{{ item }}"
+ dest: "/etc/postfix/{{ item }}"
+ loop:
+ - transport
+ - virtual-regexp
+ notify:
+ - postmap files
+ - restart postfix
+
+- name: mail generation script
+ copy:
+ src: ./files/generate_email.sh
+ dest: /usr/local/bin/generate_email.sh
+ owner: root
+ group: root
+ mode: '0755'
+
diff --git a/roles/spamassassin/files/local.cf b/roles/spamassassin/files/local.cf
new file mode 100644
index 0000000..d93a66c
--- /dev/null
+++ b/roles/spamassassin/files/local.cf
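Review bot: The `postmap virtual-regexp` handler runs `postmap` on a table that main.cf reads as `regexp:/etc/postfix/virtual-regexp`. Regexp tables are read as plain text, so the handler only leaves an unused `virtual-regexp.db` next to the file and can be dropped. In tasks/main.yml the two `copy` tasks for main.cf, master.cf and the map files set no `owner`, `group` or `mode`, unlike the `generate_email.sh` task; adding `owner: root`, `group: root`, `mode: '0644'` makes the resulting permissions explicit instead of depending on defaults.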
@@ -0,0 +1,184 @@
+required_hits 3.5
+report_safe 1
+rewrite_header Subject *****SPAM*****
+use_bayes 1
+bayes_auto_learn 1
+ok_locales fr
+score UNWANTED_LANGUAGE_BODY 5
+
+rawbody LOCAL_AGRAND_PENIS /AGRANDISSEMENT DU P/i
+score LOCAL_AGRAND_PENIS 50.0
+
+rawbody LOCAL_NO_CASINO /casino review/i
+score LOCAL_NO_CASINO 5.0
+
+header LOCAL_PROFIT Subject =~ /profit opportunity/i
+score LOCAL_PROFIT 10.0
+
+header LOCAL_PHARMACY From =~ /pharmacy/i
+score LOCAL_PHARMACY 3.0
+
+header LOCAL_PHARMARCIE From =~ /premium pharmacie/i
+score LOCAL_PHARMACIE 3.0
+
+header LOCAL_VIAGRA From =~ /viagra/i
+score LOCAL_VIAGRA 10.0
+
+header LOCAL_POTENCY From =~ /potency/i
+score LOCAL_POTENCY 3.0
+
+header LOCAL_POTENCE From =~ /potence/i
+score LOCAL_POTENCE 3.0
+
+header LOCAL_NEUFIMMO To =~ /neufimmo\.fr/i
+score LOCAL_NEUFIMMO 50.0
+
+header LOCAL_TESTO Subject =~ /testostérone/i
+score LOCAL_TESTO 3.0
+
+header LOCAL_RENCO Subject =~ /pour le sexe/i
+score LOCAL_RENCO 10.0
+
+header LOCAL_PROSTATITE Subject =~ /prostatite/i
+score LOCAL_PROSTATITE 10.0
+
+header LOCAL_PILLS Subject =~ /pills for/i
+score LOCAL_PILLS 10.0
+
+header LOCAL_PUISS Subject =~ /puissance sex/i
+score LOCAL_PUISS 10.0
+
+header LOCAL_PILU Subject =~ /pilules de puissance/i
+score LOCAL_PILU 10.0
+
+header LOCAL_PPUISS Subject =~ /pour la puissance/i
+score LOCAL_PPUISS 10.0
+
+header LOCAL_EXCIT Subject =~ /excitateur/i
+score LOCAL_EXCIT 10.0
+
+header LOCAL_CAVIAR Subject =~ /beluga caviar/i
+score LOCAL_CAVIAR 10.0
+
+header LOCAL_BITCOIN Subject =~ /bitcoin/i
+score LOCAL_BITCOIN 10.0
+
+# Whitelist manuel
+whitelist_from *@chichiclothing.com
+
+# Blacklist manuel
+blacklist_from *@bizertym.de
+blacklist_from *@*.city
+blacklist_from *@arjenam.de
+blacklist_from *@bizers.eu
+blacklist_from *@brandaspiration.com
+blacklist_from *@bitermalens.de
+blacklist_from *@jortemsa.eu
+blacklist_from *@yotares.eu
+blacklist_from *@aerogan.eu
+blacklist_from *@jimser.eu
+blacklist_from *@rostovsh.eu
+blacklist_from *@allbizem.eu
+blacklist_from *@onlinepms.eu
+blacklist_from *@bookisem.eu
+blacklist_from *@timenfor.eu
+blacklist_from *@fooders.eu
+blacklist_from *@versalem.eu
+blacklist_from *@hoomeltd.eu
+blacklist_from *@businnes.eu
+blacklist_from *@bambool.eu
+blacklist_from *@alexoni.eu
+blacklist_from *@*.network
+blacklist_from *@macketom.eu
+blacklist_from *@bestorbit.eu
+blacklist_from *@stopglisse.com
+blacklist_from *@wintemo.eu
+blacklist_from *@bintego.eu
+blacklist_from *@mercyr.eu
+blacklist_from *@bestione.eu
+blacklist_from *@wolemse.eu
+blacklist_from *@dopilsa.eu
+blacklist_from *@monetry.eu
+blacklist_from *@@ragaasacademy.com
+blacklist_from *@childprotectionnetwork.org
+blacklist_from *@starvillage.net
+blacklist_from *@aberton.eu
+blacklist_from *@boomange.eu
+blacklist_from *@gormia.eu
+blacklist_from *@amteros.eu
+blacklist_from *@fulince.eu
+blacklist_from *@nemaner.eu
+blacklist_from *@tankofworlds.eu
+blacklist_from *@noybery.institute
+blacklist_from *@matrixe.wtf
+blacklist_from *@chatnrun.nl
+blacklist_from *@livestorem.eu
+blacklist_from *@jokmexi.eu
+blacklist_from *@noomberg.eu
+blacklist_from *@forestmen.eu
+blacklist_from *@medicome.eu
+blacklist_from *@orgsoft.eu
+blacklist_from *@dreamse.eu
+blacklist_from *@lisamo.eu
+blacklist_from *@abinjorna.eu
+blacklist_from *@dreamse.eu
+blacklist_from *@jominsta.eu
+blacklist_from *@minfine.eu
+blacklist_from *@mainstree.eu
+blacklist_from *@financerm.eu
+blacklist_from *@dinamer.eu
+blacklist_from *@boominge.eu
+blacklist_from *@centroban.eu
+blacklist_from *@hismag.eu
+blacklist_from *@dinercam.eu
+blacklist_from *@*.art
+blacklist_from *@onymaxys.eu
+blacklist_from *@tramstreem.eu
+blacklist_from *@gylinsa.eu
+blacklist_from *@shallems.eu
+blacklist_from *@oxizone.eu
+blacklist_from account@liberynws.com
+blacklist_from *@pivotalperspectives.org
+blacklist_from account@zepeem.com
+blacklist_from *@*clubexpresso.com
+blacklist_from *@metta.hk
+blacklist_from voicemail@libertus.eu
+blacklist_from *@*bousey.com
+blacklist_from *@shopermes.com
+blacklist_from *@*.thampsen.com
+blacklist_from *@octavainc.com
+blacklist_from nathalie-bretel@orange.fr
+blacklist_from bare.vanessa@orange.fr
+blacklist_from *@sport-fitness-advisor.com
+blacklist_from *@*.ua
+blacklist_from *@*.co.ua
+blacklist_from *@*.biz.ua
+blacklist_from *@marineland.fr
+blacklist_from *@*.calvacom.fr
+blacklist_from *@addel.org
+blacklist_from *@arbatov.eu
+blacklist_from *@solyf.fr
+blacklist_from *@jkyg.espmp-cufr.net
+blacklist_from *@mnptwdo.com
+blacklist_from *@audecibel.online
+blacklist_from *@goletsetcom.online
+blacklist_from contact@wordpressformation.fr
+blacklist_from *@wistorym.eu
+blacklist_from *@viream.eu
+blacklist_from *@frederikem.eu
+blacklist_from *@lincoral.eu
+blacklist_from *@bassai.eu
+blacklist_from *@jokiser.eu
+blacklist_from *@loomberge.eu
+blacklist_from *@eurosalm.eu
+blacklist_from *@motherm.eu
+blacklist_from *@newlevis.eu
+blacklist_from *@flixbus.com
+blacklist_from *@flixbus.fr
+blacklist_from *@woolsic.eu
+blacklist_from *@max-exposure.com
+blacklist_from *@tophostel.eu
+blacklist_from *@jodas.fr
+blacklist_from *@rentautos.eu
+blacklist_from *@yahting.eu
+blacklist_from *@newsyork.eu
diff --git a/roles/spamassassin/handlers/main.yml b/roles/spamassassin/handlers/main.yml
new file mode 100644
index 0000000..5dde9e2
--- /dev/null
+++ b/roles/spamassassin/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart spamassassin
+ service:
+ name: spamassassin
+ state: restarted
diff --git a/roles/spamassassin/tasks/main.yml b/roles/spamassassin/tasks/main.yml
new file mode 100644
index 0000000..578ca40
--- /dev/null
+++ b/roles/spamassassin/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: install spamassassin
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - spamassassin
+ - libmail-dkim-perl
+ - libmail-spf-perl
+
+- name: main configuration files
+ copy:
+ src: ./files/local.cf
+ dest: /etc/spamassassin/local.cf
+ notify:
+ - restart spamassassin
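Review bot: In local.cf the rule is declared as `header LOCAL_PHARMARCIE From =~ /premium pharmacie/i` but scored as `score LOCAL_PHARMACIE 3.0`, so the score line names a rule that does not exist and the real rule keeps its default score; rename the header line to `LOCAL_PHARMACIE`. `blacklist_from *@@ragaasacademy.com` has a doubled `@` and most likely never matches that domain's senders (it should read `*@ragaasacademy.com`), and `*@dreamse.eu` is listed twice. `blacklist_from` and the `From =~` rules key on a header the sender controls, so they catch lazy spam but are not sender verification, which is worth a one-line comment above the list. Running `spamassassin --lint` in the role before the restart handler would catch the first kind of mistake.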
diff --git a/roles/webapps/tasks/main.yml b/roles/webapps/tasks/main.yml
index 36a39c1..bc975f9 100644
--- a/roles/webapps/tasks/main.yml
+++ b/roles/webapps/tasks/main.yml
@@ -4,6 +4,9 @@
 - name: include php flag for NextCloud
 include_tasks: nextcloud.yml
 when: inventory_hostname == 'web1.dmz.mateu.be'
+- name: include z-push
+ include_tasks: z-push.yml
+ when: inventory_hostname == 'web1.dmz.mateu.be'
 - name: include matomo for web2
 include_tasks: matomo.yml
 when: inventory_hostname == 'web2.dmz.mateu.be'
diff --git a/roles/webapps/tasks/z-push.yml b/roles/webapps/tasks/z-push.yml
new file mode 100644
index 0000000..21c5abe
--- /dev/null
+++ b/roles/webapps/tasks/z-push.yml
@@ -0,0 +1,30 @@
+- name: install z-push repokey
+ apt_key:
+ url: http://repo.z-hub.io/z-push:/final/Debian_10/Release.key
+ state: present
+
+- name: install z-push repo
+ apt_repository:
+ repo: deb http://repo.z-hub.io/z-push:/final/Debian_10/ /
+ state: present
+
+- name: install z-push packages
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - z-push-autodiscover
+ - z-push-backend-caldav
+ - z-push-backend-carddav
+ - z-push-backend-combined
+ - z-push-backend-imap
+ - z-push-common
+ - z-push-ipc-sharedmemory
+ - z-push-state-sql
+
+- name: log directory
+ file:
+ path: /var/log/z-push/
+ owner: www-data
+ group: www-data
+ state: directory
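Review bot: In z-push.yml both the signing key (`apt_key` with `url: http://repo.z-hub.io/z-push:/final/Debian_10/Release.key`) and the repository line use plain HTTP, so the key that anchors trust in every later package arrives over an unauthenticated channel on first install. Fetch the key over HTTPS if the repository offers it and pin it with the module's `id:` parameter, e.g. `id: "<Z-PUSH-KEY-FINGERPRINT>"` (a placeholder; take the fingerprint from the vendor out of band). `apt_key` also makes the key trusted for every configured repository, so a `signed-by` keyring scoped to this one source is tighter. Minor: `/var/log/z-push/` is created without an explicit `mode`, and `package` accepts the package list directly in `name:` instead of a `loop`.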