chrisgo / sovereign

A set of Ansible playbooks to build and maintain your own private cloud: email, calendar, contacts, file sync, IRC bouncer, VPN, and more.

Introduction

Goals

  • Have a server at DigitalOcean running Debian 64-bit 9.x "stretch" that runs all mail-related services for one (primary) or more domains
  • Admin UI: https://mail.domain.com (primary domain)
  • Provide you with DNS entries *
  • Provide you with settings that will work for your mail client
    • POP3 Server:
    • IMAP Server:
    • SMTP Server:
    • Also provide a webmail interface
  • Create a 2nd playbook so you can add 2nd, 3rd, 4th domains to provide mail services for after the initial setup

Running

ansible-playbook -i hosts.yml --ask-vault-pass site.yml

Fork Notes

  • Targets Debian 9.x "stretch" (DO Debian 64-bit 9.4)
  • Focuses on running a mail server (closer to only what is in https://mailinabox.email/)
    • IMAP over SSL via Dovecot, complete with full text search provided by Solr.
    • POP3 over SSL, also via Dovecot
    • SMTP over SSL via Postfix, including a nice set of DNSBLs to discard spam before it ever hits your filters.
    • Virtual domains for your email, backed by PostgreSQL.
    • Spam fighting via Rspamd.
    • Mail server verification using DKIM and DMARC so the Internet knows your mailserver is legit.
    • Secure on-disk storage for email and more via EncFS (not 100% sure what this is doing yet).
    • Webmail via Roundcube.
    • Mobile push notifications via Z-Push.
    • Email client automatic configuration.
    • Jabber/XMPP instant messaging via Prosody.
    • An RSS Reader via Selfoss.
    • CalDAV and CardDAV to keep your calendars and contacts in sync, via ownCloud.
    • Your own private storage cloud via ownCloud.
    • Your own VPN server via OpenVPN.
    • An IRC bouncer via ZNC.
    • Monit.
    • collectd.
    • Web hosting (ex: for your blog) via Apache.
    • Firewall management via Uncomplicated Firewall (ufw).
    • Intrusion prevention via fail2ban and rootkit detection via rkhunter.
    • SSH configuration preventing root login and insecure password authentication.
    • RFC6238 two-factor authentication compatible with Google Authenticator and various hardware tokens.
    • Nightly backups to Tarsnap.
    • Git hosting via cgit and gitolite - try http://gitlab.com instead.
    • Read-it-later via Wallabag
    • TODO: A bunch of nice-to-have tools like mosh and htop that make life with a server a little easier.
  • TODO: Use Nginx as web server (instead of Apache)
  • TODO: Use Mariadb (MySQL) as database server (instead of Postgres)
  • Use Tomcat8 for Solr (instead of Tomcat7) - default tomcat in Debian 9
  • Fix deprecation warning: state=installed to state=present
  • TODO: Fix deprecation warning: The sudo command line option has been deprecated in favor of the "become" command line arguments

License: Other

