From d01e99c3da6da9946572e8557eaa5fbf7c27a2c1 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Sat, 21 Nov 2020 20:22:14 -0500
Subject: [PATCH] Add mail roles

---
 package-postfix_access/defaults/main.yml      |  37 +++
 .../files/bl-logo-roundcube.png               | Bin 0 -> 6516 bytes
 package-postfix_access/handlers/main.yml      |  23 ++
 package-postfix_access/tasks/main.yml         | 222 ++++++++++++++++++
 .../templates/15-content_filter_mode.j2       |  12 +
 package-postfix_access/templates/50-user.j2   |  12 +
 .../templates/config.inc.php.j2               | 111 +++++++++
 .../templates/debian-db.php.j2                |   9 +
 .../templates/dovecot-ldap.conf.j2            |  21 ++
 .../templates/dovecot.conf.j2                 | 177 ++++++++++++++
 .../templates/helo_access.pcre.j2             | 143 +++++++++++
 package-postfix_access/templates/main.cf.j2   |  89 +++++++
 package-postfix_access/templates/master.cf.j2 |  73 ++++++
 .../templates/ports.conf.j2                   |   4 +
 .../postfix-ldap/catchall_maps.cf.j2          |  13 +
 .../recipient_bcc_maps_domain.cf.j2           |  13 +
 .../recipient_bcc_maps_user.cf.j2             |  13 +
 .../postfix-ldap/relay_domains.cf.j2          |  13 +
 .../postfix-ldap/sender_bcc_maps_domain.cf.j2 |  13 +
 .../postfix-ldap/sender_bcc_maps_user.cf.j2   |  13 +
 .../postfix-ldap/sender_login_maps.cf.j2      |  13 +
 .../postfix-ldap/transport_maps_domain.cf.j2  |  13 +
 .../postfix-ldap/transport_maps_user.cf.j2    |  13 +
 .../postfix-ldap/virtual_alias_maps.cf.j2     |  13 +
 .../postfix-ldap/virtual_group_maps.cf.j2     |  13 +
 .../virtual_group_members_maps.cf.j2          |  13 +
 .../virtual_mailbox_domains.cf.j2             |  13 +
 .../postfix-ldap/virtual_mailbox_maps.cf.j2   |  14 ++
 .../templates/roundcube.conf.j2               |  47 ++++
 package-postfix_access/templates/transport.j2 |   3 +
 package-postfix_filter/defaults/main.yml      |  35 +++
 .../files/ham-sample/README                   |   2 +
 .../files/spam-sample/README                  |   2 +
 package-postfix_filter/handlers/main.yml      |  19 ++
 package-postfix_filter/tasks/main.yml         | 220 +++++++++++++++++
 .../templates/15-content_filter_mode.j2       |  12 +
 package-postfix_filter/templates/50-user.j2   |  40 ++++
 .../templates/90_customrules.cf.j2            |   7 +
 .../templates/helo_access.j2                  |   2 +
 package-postfix_filter/templates/local.cf.j2  |  27 +++
 package-postfix_filter/templates/main.cf.j2   |  91 +++++++
 package-postfix_filter/templates/master.cf.j2 |  62 +++++
 .../templates/policyd-spf.conf.j2             |  12 +
 .../templates/recipient_access.j2             |   4 +
 .../templates/relay_domains.j2                |   3 +
 package-postfix_filter/templates/transport.j2 |   3 +
 package-postfix_filter/templates/virtual.j2   |   3 +
 47 files changed, 1710 insertions(+)
 create mode 100644 package-postfix_access/defaults/main.yml
 create mode 100644 package-postfix_access/files/bl-logo-roundcube.png
 create mode 100644 package-postfix_access/handlers/main.yml
 create mode 100644 package-postfix_access/tasks/main.yml
 create mode 100644 package-postfix_access/templates/15-content_filter_mode.j2
 create mode 100644 package-postfix_access/templates/50-user.j2
 create mode 100644 package-postfix_access/templates/config.inc.php.j2
 create mode 100644 package-postfix_access/templates/debian-db.php.j2
 create mode 100644 package-postfix_access/templates/dovecot-ldap.conf.j2
 create mode 100644 package-postfix_access/templates/dovecot.conf.j2
 create mode 100644 package-postfix_access/templates/helo_access.pcre.j2
 create mode 100644 package-postfix_access/templates/main.cf.j2
 create mode 100644 package-postfix_access/templates/master.cf.j2
 create mode 100644 package-postfix_access/templates/ports.conf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2
 create mode 100644 package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2
 create mode 100644 package-postfix_access/templates/roundcube.conf.j2
 create mode 100644 package-postfix_access/templates/transport.j2
 create mode 100644 package-postfix_filter/defaults/main.yml
 create mode 100644 package-postfix_filter/files/ham-sample/README
 create mode 100644 package-postfix_filter/files/spam-sample/README
 create mode 100644 package-postfix_filter/handlers/main.yml
 create mode 100644 package-postfix_filter/tasks/main.yml
 create mode 100644 package-postfix_filter/templates/15-content_filter_mode.j2
 create mode 100644 package-postfix_filter/templates/50-user.j2
 create mode 100644 package-postfix_filter/templates/90_customrules.cf.j2
 create mode 100644 package-postfix_filter/templates/helo_access.j2
 create mode 100644 package-postfix_filter/templates/local.cf.j2
 create mode 100644 package-postfix_filter/templates/main.cf.j2
 create mode 100644 package-postfix_filter/templates/master.cf.j2
 create mode 100644 package-postfix_filter/templates/policyd-spf.conf.j2
 create mode 100644 package-postfix_filter/templates/recipient_access.j2
 create mode 100644 package-postfix_filter/templates/relay_domains.j2
 create mode 100644 package-postfix_filter/templates/transport.j2
 create mode 100644 package-postfix_filter/templates/virtual.j2

diff --git a/package-postfix_access/defaults/main.yml b/package-postfix_access/defaults/main.yml
new file mode 100644
index 0000000..c4d182e
--- /dev/null
+++ b/package-postfix_access/defaults/main.yml
@@ -0,0 +1,37 @@
+---
+# Default configurations
+# I populate these from external configs; I indicate what they are as inline comments
+
+domain: "{{ blsedomains_admindomain }}" # Base domain name
+postmaster: "root@{{ blsedomains_rootdomain }}" # Postmaster email address
+
+# Roundcube
+smtp_host: "{{ blsecluster_smtphost }}" # The hostname for SMTP access, usually the public name of your mail server
+support_url: "https://www.{{ blsedomains_webdomain }}" # Some website address for Roundcube support
+logo_filename: "bl-logo-roundcube.png" # The Roundcube logo under files/
+roundcube_deskey: "{{ passwd_roundcube_deskey }}" # The Roundcube DES key
+
+# Postfix
+banner_hostname: "{{ ansible_hostname }}.{{ domain }}" # Public hostname of *this* mail host
+myhostname: "{{ banner_hostname }}" # Hostname for Postfix myhostame
+mydomain: "{{ domain }}" # Domain for Postfix mydomain
+mynetworks: "{{ blsecluster_remote1v4 }} {{ blsecluster_remote2v4 }} {{ blsecluster_remote3v4 }} {{ blsecluster_hostsubnetv4 }}" # IP addresses for Postfix mynetworks
+
+# Dovecot
+# Note: SSL listeners aren't provided; HAProxy is expected to do SSL termination for us
+trusted_networks: "{{ blsecluster_hostsubnetv4 }} {{ blsecluster_hostsubnetv6 }}" # Trusted network ranges for Dovecot
+haproxy: yes # Enable HAProxy-specific (Proxy protocol) listeners on ports 10143 and 10110
+
+# LDAP integration (Postfix, Dovecot, Roundcube)
+ldap_host: "{{ blsecluster_ldaphost }}" # The hostname for LDAP access
+ldap_port: 389 # The LDAP port (always non-SSL)
+ldap_basedn: "o=domains,dc=bonilan,dc=net" # The LDAP base DN
+ldap_bind_username: "{{ username_ldap_admin }}" # The LDAP bind user name (usually cn=admin)
+ldap_bind_password: "{{ passwd_ldap_admin }}" # The LDAP bind user password
+
+# MySQL integration (Roundcube)
+mysql_host: "{{ blsecluster_sqlhost }}" # The hostname for MySQL access
+mysql_port: "{{ mysql_client['mail'].port }}" # The port for MySQL access
+mysql_database: "{{ mysql_client['mail'].database }}" # The database name
+mysql_username: "{{ mysql_client['mail'].username }}" # The database user
+mysql_password: "{{ mysql_client['mail'].passwd }}" # The database password
diff --git a/package-postfix_access/files/bl-logo-roundcube.png b/package-postfix_access/files/bl-logo-roundcube.png
new file mode 100644
index 0000000000000000000000000000000000000000..d47c557541db6369628b5a300cf3cb209e4923c7
GIT binary patch
literal 6516
zcmY*cby(ET*ZnL@cOw$g-QC^Y-AD-tSd<_O(nvQfDc!Yz)PjU`cS=elwIKEKegFH-
zJTvpm{p+4H=Q(q4q>h#{4(3Zt003}QRTT7|&${Qug^v2XJCWb$0|2I?i@dy!s=Pdn
z=Q|Ha7dHn0@L7WDI~nNjlS(4iF6GoCf|Aue^hnTY^yH$0h!dFDXfg2BB53m$Np!mj
z6cv#ve&t1gV`GD2NOU={qc9iHwrLAuLkc6JhVFj*7rM^1BX&n0o93nVDlec7<7jYn
z>{JzgUBMviGC693jgW!f{@>eNG7wA#PXHgi;Wh312YL{26DT3UP6tQp1VBF1Sm*#;
zGYif`8UBQKAeUhQ3i=9ye@GBfM-L(fWc*^~iUAoVP!KeoNgv2V25g4y?Y00NPQZrw
z%kDG~1ii`d2La~Ev?QRs1b~LfAwmIg76&TFjiM9*6CQxrQN33bSl|SBRE-@~fZApN
zK8BA~51?ZMJh~B~tN^k<VDpQf-Us-a0T3&l8%z9Uug2eFduA%5UZRyjR1sp1&gq3_
zY|KT?GNww#PAp`LWSc3&)#IB%&Ib{|+qf73fV>2fXS5d&K4ZAmV`D<GFkEZSgD%u3
zIy<|q$DQ#CPZ<FC{ULDjk%PP8Wso>(ko#i+;|a2}6;|FyM6_c)o=g*vx4&e3;rSmo
ziuv)ai;Fwk+Y4&Fa^|)}#sQB`J=SpJ2e;cmiF?G=M&~92gwGP9jC`}vGjgd>L^+;_
z@zri+H%|G!8SCkuYMQQB)vncqjd)9!&?{CUGv<P?h%Qntk+qL;>go07I>#MYYF!Yh
zeIo_(Pv9)Iv<F|SGvk|lfNvrI;JnSFdxixa9ONAGd))i!RQf?Vj}ZuRR88~(04oIs
zE`y;4=>c>AP{@O@)yh&_cE8|&qf&OGtaM}D+X#J?W9aRX!<WN+9Yp!ghP5(SjwNig
zmWs`Wdq##z0IusCmgI@c)nnL#E9r^%&lWwWo24Csfh_wAoyeAUDFS2{WkMf|PL>gR
zL))!_Oc>2TGZ;avOQ)V7sKTokWk6%7LUk_r4oNiJLg`0>_%DDj_&%&%nKv0yuPZr&
z-6Y>yD*W=RQUTV)>kqt{ain=!6Ym;dO2!D~?@d%V<1NKW$q(?r|GYrs?{(wh>i;QM
zC&Gb|WItR-SBYKG|FYJo65JMfWj|i$jZ6qpgkuOHd&|+-Qp>8CXqad%sFc!BG6)bX
zVF+V@zv}id(<POvH!}Soxb1ym$HyCPqQXHxM;J%Mjqe{J-z&^O7%9)k+!~LhTKC;x
zif~G4>a8CAK1W%WfXYkyq`{@vuJvf5$s9E7ze2a6+dsGYw<)%1&&@HRb~0YyZ}c}=
z^oHK3k?-K|2<)Ibr1Qxd7G~<LmgXA}2*#PoRprC<YIMU(i3C1oijIbms;U=N6{JkR
zbS85~xYYdl@PlAAg<30Z!gy+UU-?hkAMm9&Hcl8x$UuY>3whQHv=>g~-Y;s>HHyin
zqsa#hc!YTm)Aus)GCT}T*kEj*NfL%IQ`AzJQYhHC4a&-k%h$@W3@;3a4dTkI^aHAu
z4Ego9$}nb9D-6q_I*0lc`c7ryrQzjHr5*;--vdn_B2i6$YW&oe|E`-?XT8<lPlIJo
z-r&PQ>xxqm_7Ni3%TzbI`1uoCTlxc4TeM_(S-z+|zZ$=BgWg55qcqx9y4Owi2Q7>}
zmXfrKz^FCiQ`SvZiedqcR$d1S*Yeb~RFevo3f&6j!w#Y9;}U3bhhm%Q9Ryc)K#kdg
zS=lLW3<bKUzo@@jf>}bUDJgbU%~kGNM3LX7;NA7M<Rm?((<&%O!=q%)w`1=gWdQes
z!Grt1k}G9w6VwK52GnKju@@43f?ggHRNMp0e|6<8f6B-g*{0a0{r;NJIw?^&tMp9?
zFUF<cVvAwRz2CjRkO`HEmPuXnK=UM1PqVd{wOCw3Tw`E#WVB#(E<-R&l6RhOFKaJr
zK5M<%#>~fz16B%aaZs(_HY+wgfwjL4H4`;0GBGr>Y*4C#Rx!@CRkf86l(cFkX;tLR
zIsL5t3mb%$HIvuwETAq|!`xv3woZ0rPR)JQKTnc6k^+7Ne0z{Y!wFx+t)Mca3Vh%A
zj#$h{Y%Oyv`$RgR?=p3t+sR}ce|&*|3q~}|+Uo+<&ze?tB6DheA94{99jP8X%#|j^
zl||9N`m1AG?ZcIq<!`^KD`-|jR?l(ia?Od*iOWg&O74h2E^Ce{|NDubzvMS`cP6E=
za#MI**DC|H<+UMBO?&j*_S^}^Rr9sYMc(BI+fy>BYpHj+TT)vR!fSkMrq(0E@aA95
z!`eSRa;!tw<-gEBy?*k0ngmLM7(q_pNQf-N9O>@H?=x*zthCs&!*%`Qv209Ut1O9Z
zTyRzJPIncp^RJ`$Dq6%|`dGr43vQ@R;Gek(G}~R<=%0bu%%S0-#$nR2o)IQ5CwbEZ
zy(d@X->)nDQ%F@<%W~q?7Omk_6J(Pr=XxWtB>Y3*hjc%eqv^=33DiW@O`TGdi>+Gd
zty|~%{qaTkCUg^P%bzTr`<JDsZ~j=%WoQX$85bdkSgMRhgqBG1nJhkADQOJjIgvMG
zET(S{RgV)L_oUEd#Dcs98@1NC3Y(^1;!#4opf5uoe-Xz{>sRKo_;w8(jnyo%9Ma5B
zH12$oVja98i3#yua^<v|Nie4ar(MTS!<7!9^^bjTqno*@Q_u!o8{#WbOgS-Oa>aiP
z%vk2x(CVEWj2*j1BZov&D{|OJk4GAYmg9x9PjjD+33~{CC&G%t)Qvf*Om;ge--y;r
zc=;}4Zjqp{hZ&((O0-15*xYBeD~^rRsslTi{4`x5R^3Cv-Ay3ZLo7qgozQ^8mHA^!
zZ4++O^(NbYVNePwlE|oP;$^Zlk}nG^D?U3E;T}U>87s++Wfi@xug4vy9QSwEICIQ#
zQ_ItK({SJ7EG{+TtQ$2RUtKFMbEl26EVqTg<Xa27BwE@XN(RS9#ib3t8(bRvGY~qN
zT5YnOzj-@(LgC+jEpRluY~GG|kQ(e<HUt@J&N|LI+^OC*Af&4!%lB_m@7yh`wA{Up
z2f$O{2Q+$I*nI2EEY*~xfnMAk`=K)Kz^l$j=&3g+ju4LFx9t8+dQS!4?R^BsI)WNU
zZ0S>sf8}qq=~thqoT#|p$Yq{qDrM<s-kIB(|Ii+hnw&dW^Sf7GeubAUAYtmOc408+
zva}yOo#b>r9s^B*1_W~5uGlOW!2I{@$JXEAd7S>h|L}WC@hN&wyj^_E;=JX<dHwPZ
zk#UQ0W{sG&`@x3;iN~aA?SZ!Jw#@2Q3)j{Yzm6t<N5nowj_}y(Wry!y(x<uE98t;D
zjtf5zL?7a6opd$u9rMH3aND9c^GQ{^cDwbZ%(3jE{A&2DwE5%8!s*JFH*oK~i^&yb
z1Zrr=_+!FV9G*N%Tt?h*7*5z>j);_~=%)0$hyD8!`SI7|OgUta1&_nkWTf1IH?xQH
zW0UEV`Dy2ANnP%riyjW(hvYTO{XPBEor6C7yjGV+cgNk{E8bM6h3k0Q+n;H^usk{6
z)?MjOl-wneCnY^0gVQhWPX&{MpX*9gJ9T9R;OW1a*HM!69KrBZF?|mJSVaFV5RjSu
z;yH-+K~+-`?KcuBIyLdybx0=w;MS@t$Qt-89cKl!lNmw>*3-~@jgZr3N{Ja?sc9M{
z&q>Nfu(M@0jTI1~PKLqQpbirxACm{EsVJ=zI%<<q+yzQLtLa24K#>Q{zVS?-5zr^=
zfrw;V5Y1mkyf1yy*B>5E6qi0(?_Kz<&ObbidF+n(-ejNt+{*@`{qG2W(rlc$qeXNO
zz>RK~EQ=QDPv@VFLL6V@g$Q7RCs8(aL@P{%dx{nLe*F+{8*Y<_vw)J0GJ+O}d<mXI
zDk&FOo&jy1;Cv>!VVEFW!1==}?Ex5p2g(HeS2d&Ml_y5&mH-=8&pgxWDL2Oxe>^~0
zeX<*F3~|AUSSDEjr-Lje#){fN;ea=I;D?LXpGL;9fYTQnTsHB#pP6~67u;6wI5*nh
zk#M;bN7t$!Qn;T%H-r-dH!e7}xFQyv^D&<)L0Y;l*A&8nxT6KpR}Vlm9AJkuGiLMr
zmGG2018=OYAo|IXAB8t)Ww0Q*C|saeP%OAV%CKw5OvN28B+Q8m#bpjUnM1q+64V;Z
zPW-JwsbDa~*f7&F?QYFfhTZeU+4Ks6(B`|zVq!dzLFPm0=3>ouCqjV7BI0=CtTX-w
z4}J(gksAv)%yds`@sZ>isD*K|jlLZV@L=Vky2&=N3hF{KE)~dfurP0U^-P5PiN7~F
z!&}ggXT%E$o^~lLcq%JD3f8{aLCp;^JJ8#mP5-{Fr&()-L4}U&K3ic){4VaxpH4L?
zT3lK|%tig1cy;4Uq!5U%qjyP;!ORtZX4k0Jz^Dl;LY2sys%%<AkxfpI{#`FJWBk~G
z{TiPU3zD>b7y@q*nfZcKuq_Xtg?GJ38}KSEd6Fcek4QX8#7ar04EKABc6ft&mV5d^
zY=-j-mOA#C;O%;}+;zFaiNECgb#n&fK+>C1wFYs6Oih%rg!G%o6-4z=K#ew3%q$3`
z#NxI5#EeCtpenp!7Y%QTcVSL?P8ckw7Nou1Io}-o*%Go0Az~3?)zWc+4V7+**(BeS
z0@A7eZrD6bJ`lAA<tMzjB2lfjp@Jif&m$~fuv%W-q!g}=sUN9jgE>(9K~FT1nUOp2
z1i7h)XR51AuzgSb@4(|aDsP4%g_XmP<S*!QwU<GzP6dLvAFIZiEEfaQ>QNgr5XicA
zTqkCf2WEX8O(HW@VHFZ%enw=pu*FnHuTt%OjjT#P_pNCoSi_)Hb6@`3We}b|H^{@p
zqtMH3VtnY<{q#ry_nxTs84iZt9EDH1oSZoZi!P^gNzNm@5UyiWpw@7!w-##m-d=ly
zf^F1MfY--ytA<n^;oy2sWMf5nkYe<CPxpwD+Rd;nSWc~-757T1H4rz{Y7NJP;kb)h
zWTwS~isv~h`EHyMPQZ6IyuB0%N9RQbxWQe>Z{y?x?C}|MzEb4YE?pw?;I+`=Uip=M
zAuD@g+jv!Vm<AvK7s`XQZ-<hY0gp0=|4zZe{rOf)lj$N6iQpiN0+kHaTgMF$hVrXO
z`Ble(UgEYoZ@r_<R3D9{n+uVd<?Y47pbLh9dS3J0o6y7&%cb8VA2zt*=_?2(l|}8Z
z@Hmh?1;Il6?ih(HFE^qidZ&b3Zo?2R2<1U{GDqej+xY?@P;~ivS#rVmwZU*5=aqGo
z6aFDBkQSM?0M1RTqRrQBtPmD*(@%ycqM9n7NIlDCZN7JvfPMzEWFW7Y$=U?Pf$QR@
zEgGdOXgqOlk}af}BN78qbv?>yc!=9dqk~y)RnYp|NEHTUqNrBYIgsd49V%alc4<*X
zb0C4S!6ztOWJv7$2&aP?FR3%vJa7L<OVv(mJ<1!<jn#?&yb3*N%+Li^ytq~&&}MCb
z6~z85XAXun)Da^WSTzv?7n(h&&liu#A51owr%|}@DD-z7)kXbKiY_A2W7vsbV#(NU
zrAbbVLOS7TSIgeJE`1$j#W$2&D5CL^jHkIE2gN807q8&89zLTyqxT<I(^}tDVM&|?
z>4-!u$hi5{cymvWR5A7vG7OZ&`st&(1owmQ*pKUW8nyDoTPb+1L-*pDL&Ac6yMe@x
zBYRrrWPERMbnoglN^xq^Y6h}K(IR(m`A1MJ*_C~nTEij~d-TobW`AG46pXHzno40%
ziqFRJ#W_S|M!7$qn%xM_(0xOr=4UbwULg$kI~AGP0xkPpl{%YyZ0PNuvK8KYdzFG!
z&(=__lE$~TbaDy8{jz^$avD8sLGaQUBIN@VC=XQO<ir&Ej9Nt^^Lp2|vXlp@A~Qr=
zItU_lBfB&jwP2<Jf8#-GAsx2}NpwomaIpyaj@-I*^{b*N^I?bklIWFd^I?;0w{Lsx
zA~OU1`HzYC2omy!Z^g<7b3r~?@7CK)Ex6!SY@@03%MjP#U&ec#!eN^e_#{*M%4fm7
z&YXl4ocIXSFsWBaT-zOJF`Y!=e$a#%Nos{b2V&;)A$(cGcoPalC8_4kHY!%7a%etF
zQoeMg(-M-~H~9{}h{R4prOylH6<uGk7z6E1D|YH_{GysDZFj^?@fnqe5u}l)#;UQw
zEsrg#>e+yBM2Vji?iGb>G9~@P%LxT4GE>!zRNq4f4tQX(6Gp+dUfo(8l65ld^i5)i
zdC2$5=9YNElIN7$=~G1z9aeIQ9Slrj+MC6akkHmss+y^zZ(8v;j<klFkIg8$=fN%x
z3y(ayv#%v>O*;bI2nX^5`+n?ci_>BB<y+xYrXueS(Ws%KV|ed$Fh35V*oFyLZ0S7p
zl^(_s?==p8J;GjF{gAKKX&c69p6PZyCo-cwygOP3KbB2yXS`ULrL*n`+%uXKtE+s)
zk%Cq?_H+C0qz7vB7w}N|^Uf#(E<~i&ySWBaeK&1bf9Qy@qDU>KNeI2QV;v5o;=(X<
zIx|wtsDj<M8Nym4{WJgah&NskE2ygDGnx^mYpb0%rI~zJ`u@iK%zqxU=eq9k&3QKG
z9Fj}&0uB;&nu3pY-EP2k22?b_InMs+S%DGWi*K%6g1){h3~G{1)^JwYTtO&Bl>=uH
zY7M;bxSeK_^I|3XY)1CkUWF+8Om0;q0YOBEta$uFlW_NXgG#GEmGB}p#wS!Q!lryT
zbMhQYl5oFfRKzveZKVZ%M=%TdONBv5!7prBwX{Cp!}Q_3<;?4>yQmQnozAW|ziisT
z^PlV}&8lu)h@vHtL{tvi6|qa8_g|_qJn8tP(*9a!K&f$8((bJ2p*Qx1!6IkHDz?qT
zZyuvE+=U{?QFPxuTd6RP<xFyg6*0md;nEHTUgoaHr#Cn-C*2$tGx7<`1hXvG^q6J5
zo3r7?uGqN)!M|;enX{~!3j7U!ej9;v>?@%Nj=q7IQL?`L$4=dW4JL_+Mv<9@m;zco
zkH}{Tt;$jeBq@sUe}cN4*Z7Ox^$8a<&ArdcVWyx0x;X8PQXI1kGI5BYC-^psC;qF4
zp@eLsT-7vZd?}9Hr2=g~S-MQ*;$m%R`cj3Ig6-IdD>ik;Yte6Oo(23G``~ZbK`;Y;
z*BiQ#C0*<?{y}-3*fvb7q&_RVQlAFze+=*I;#$nbCCphVh<Et4unWFF8>`W+`5ZE2
zn6gmYkmK1=7B_b(Y}N1?+Xf{AifVRDJiad^zGBon`Sng}OQ-8)_`iKj?&)gAKqKO>
ze@R|)5PLYUaN_whAv!SFMvw9W)Sf?Pq})^z36+(etA0U#^#t?AX)mgnl4|sVZG|ZB
zOWgY82nQvV_YDN6QsfGQ@8x3YtNh=_BYQc86G^9hN~v@FX2*Ou{n6s22BJx~IvbSn
ztR>_ezD9or58q5X<HOH|<Ju^?^(Lf`JgkRIeCwf_FyD}~f=l8gg&s;b7Ai+8-KGZ#
zgUv<pn8&P_|8VSL{M4x4hp=Q|SupPeRDG{qBHZirPDcMb4IyD0t*(h5GGin)V@R9`
zX+72CJ!sL~PTz+QvyB#)3yA9%Eef)YYIHxm-MV0HJ;gZ%2p*j|N<%6Yew)Kd>Z3gJ
z7nTISyrM%E8s1gQ#ysr|wZtn%?7NthvmLjDJB$u_Zn_`dGD56>cc6Wh!0_S{uC7tF
z6P$}+%>_I5=dTfl|3li~t9ay9nzNqsa-=*6&!RjvUVKdc%@P71jyacSh5c$XoSCc$
zhPy&Ayh?ME*VpPL{t!pQ9V)vz{;Qbry`F1#YUte>YKr5Nq3rf3JhJsvk<aG+yY(z*
zd@P&Bqx;#PO0HLdMwf8EmL;0WaR%yk4GynXF>bVKe#_UC2Og-p=X8Ca4prFOTgh&O
z`U1aX5Lml1Kswl$>U5SmXFV&Lqa<b&8%OG^Uqzw40S9s)-&*1`hU*<gq<Y=^(IPCO
zLUfhYr&>)p{&3I`X$$qAs|f45b$irrp4=$}Qn+9FQlDLk%#6eM=iKc;>&a4*&njA?
zQG3*=qi{KxnSKr4b~7zqb+}LcMYqO=@t!X15Pz6mGfMs;GiEfAMh!RVQ=Fi{Henjz
zo#kYI)C?VuhX`_Beq$SzT9;AF(jyoS$d9_83;4+b3sUDWblJ69^!|hI_WtQd<>%>t
z60^7%;S_cJsnp`nZi5GoRBQP5vAkvGU#HWvR4WAh`!&DGJM}p}^Tl{>yuW#!#9$lx
zT<Y#*W)SMfHXZ!!wfwS(PB0fu(Jo)KNZ0zM7Jc{HH#{vU$sn^8aYQMmZ08$opNG8U
z1ZM3MolQ8Nsf*l<pLm_(*p=qjuX{8^HP?OJj+|XN<yMsSGThO&g2-QG>ik9D+tnYa
z$bpG=^U5j6so!go*O{j4n$wzVJ4{YDCVqR`3H5!l^Y<}N{@TYj3KLLS^HUKDpjdwO
z9mZ>3w21Q7jPeshwsXS#*`Cgy)K$jnDqZK#SV6bYkBHV&D0}3F=i029xk7O3vxG&V
zlDqpGDi(^{czToxu3$66Ov%SUNdtpuStXSQrJ}``$~OPo9sd6<yi4>E?YkN+UG3OO
R`g1!As48kHRLj`}{~wHZUxNSu

literal 0
HcmV?d00001

diff --git a/package-postfix_access/handlers/main.yml b/package-postfix_access/handlers/main.yml
new file mode 100644
index 0000000..fb24197
--- /dev/null
+++ b/package-postfix_access/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+- name: postmap transport
+  command: "postmap /etc/postfix/transport"
+- name: restart amavis
+  service:
+    name: "amavis"
+    state: "restarted"
+- name: restart saslauthd
+  service:
+    name: "saslauthd"
+    state: "restarted"
+- name: restart postfix
+  service:
+    name: "postfix"
+    state: "restarted"
+- name: restart dovecot
+  service:
+    name: "dovecot"
+    state: "restarted"
+- name: restart apache2
+  service:
+    name: "apache2"
+    state: "restarted"
diff --git a/package-postfix_access/tasks/main.yml b/package-postfix_access/tasks/main.yml
new file mode 100644
index 0000000..617ccd8
--- /dev/null
+++ b/package-postfix_access/tasks/main.yml
@@ -0,0 +1,222 @@
+---
+- name: install filtering packages and monitoring components
+  apt:
+    name:
+      - postfix
+      - postfix-ldap
+      - postfix-pcre
+      - dovecot-core
+      - dovecot-imapd
+      - dovecot-pop3d
+      - dovecot-lmtpd
+      - dovecot-sieve
+      - dovecot-managesieved
+      - dovecot-ldap
+      - dovecot-mysql
+      - apache2
+      - libapache2-mod-php
+      - roundcube
+      - roundcube-plugins
+      - php-ldap
+      - php-net-sieve
+      - mailgraph
+      - amavis
+      - spamassassin
+      - clamav-daemon
+      - libnet-dns-perl
+      - libmail-spf-perl
+      - pyzor
+      - razor
+      - pfqueue
+    state: latest
+
+- name: install compression algorithms for scanning
+  apt:
+    name:
+      - p7zip-full
+      - arj
+      - bzip2
+      - cabextract
+      - cpio
+      - file
+      - gzip
+      - lhasa
+      - liblz4-tool
+      - lrzip
+      - lzop
+      - nomarch
+      - pax
+      - rar
+      - rpm
+      - unrar-free
+      - unzip
+      - xz-utils
+      - zip
+    state: latest
+
+# ClamAV
+- name: ensure clamav is in amavis group
+  user:
+    name: "clamav"
+    append: "yes"
+    groups: "amavis"
+
+- name: ensure amavis is in clamav group
+  user:
+    name: "amavis"
+    append: "yes"
+    groups: "clamav"
+
+# Amavis
+- name: install Amavis configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/amavis/conf.d/{{ item }}"
+  notify:
+    - restart amavis
+  with_items:
+    - 15-content_filter_mode
+    - 50-user
+
+# Postfix
+- name: install Postfix main configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/{{ item }}"
+  notify:
+    - restart postfix
+  with_items:
+    - main.cf
+    - master.cf
+    - helo_access.pcre
+    - transport
+
+- name: map transport
+  command: postmap /etc/postfix/transport
+
+- name: create LDAP config dir
+  file:
+    name: "/etc/postfix/ldap"
+    state: "directory"
+
+- name: install Postfix LDAP configs
+  template:
+    src: "postfix-ldap/{{ item }}.j2"
+    dest: "/etc/postfix/ldap/{{ item }}"
+    mode: "640"
+    group: "postfix"
+  notify:
+    - restart postfix
+  with_items:
+    - catchall_maps.cf
+    - recipient_bcc_maps_domain.cf
+    - recipient_bcc_maps_user.cf
+    - relay_domains.cf
+    - sender_bcc_maps_domain.cf
+    - sender_bcc_maps_user.cf
+    - sender_login_maps.cf
+    - transport_maps_domain.cf
+    - transport_maps_user.cf
+    - virtual_alias_maps.cf
+    - virtual_group_maps.cf
+    - virtual_group_members_maps.cf
+    - virtual_mailbox_domains.cf
+    - virtual_mailbox_maps.cf
+
+- name: link /etc/mailname to /etc/hostname
+  file:
+    dest: "/etc/mailname"
+    src: "/etc/hostname"
+    state: "link"
+    force: "yes"
+
+# Dovecot
+- name: install Dovecot main configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/dovecot/{{ item }}"
+  notify:
+    - restart dovecot
+  with_items:
+    - dovecot.conf
+    - dovecot-ldap.conf
+
+- name: add vmail group
+  group:
+    name: "vmail"
+    gid: "2000"
+    state: "present"
+
+- name: add vmail user
+  user:
+    name: "vmail"
+    home: "/srv/vmail"
+    shell: "/bin/false"
+    uid: "2000"
+    group: "vmail"
+    state: "present"
+
+- name: ensure log ownership
+  file:
+    dest: "/var/log/{{ item }}"
+    owner: "vmail"
+    group: "adm"
+    mode: "644"
+    state: "touch"
+  with_items:
+    - dovecot.log
+    - dovecot-lmtp.log
+
+# Roundcube
+- name: Install roundcube PHP configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/roundcube/{{ item }}"
+    mode: "640"
+    group: "www-data"
+  with_items:
+    - debian-db.php
+    - config.inc.php
+
+- name: Remove default apache2 config
+  file:
+    name: "/etc/apache2/sites-enabled/000-default.conf"
+    state: "absent"
+  notify:
+    - restart apache2
+
+- name: Install roundcube ports config
+  template:
+    src: "ports.conf.j2"
+    dest: "/etc/apache2/ports.conf"
+  notify:
+    - restart apache2
+
+- name: Install roundcube apache2 config
+  template:
+    src: "roundcube.conf.j2"
+    dest: "/etc/roundcube/apache.conf"
+  notify:
+    - restart apache2
+
+- name: create logo dir
+  file:
+    dest: "/var/lib/roundcube/images"
+    state: "directory"
+
+- name: install Roundcube logo
+  copy:
+    src: "{{ logo_filename }}"
+    dest: "/var/lib/roundcube/images/{{ logo_filename }}"
+
+# General
+- name: ensure services are running (and enabled at boot)
+  service:
+    name: "{{ item }}"
+    state: "started"
+    enabled: "yes"
+  with_items:
+    - postfix
+    - amavis
+    - clamav-daemon
+    - dovecot
diff --git a/package-postfix_access/templates/15-content_filter_mode.j2 b/package-postfix_access/templates/15-content_filter_mode.j2
new file mode 100644
index 0000000..8ea341f
--- /dev/null
+++ b/package-postfix_access/templates/15-content_filter_mode.j2
@@ -0,0 +1,12 @@
+use strict;
+
+# Amavis filter configuration
+# {{ ansible_managed }}
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return
diff --git a/package-postfix_access/templates/50-user.j2 b/package-postfix_access/templates/50-user.j2
new file mode 100644
index 0000000..3f9136a
--- /dev/null
+++ b/package-postfix_access/templates/50-user.j2
@@ -0,0 +1,12 @@
+use strict;
+
+@local_domains_acl = ( "." );
+$sa_tag_level_deflt = -9999;
+$sa_tag2_level_deflt = 4.5;
+$sa_kill_level_deflt = 4.5;
+$sa_spam_subject_tag = '*** SPAM *** ';
+
+$forward_method = 'smtp:[::1]:10025';
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
diff --git a/package-postfix_access/templates/config.inc.php.j2 b/package-postfix_access/templates/config.inc.php.j2
new file mode 100644
index 0000000..a6bd5af
--- /dev/null
+++ b/package-postfix_access/templates/config.inc.php.j2
@@ -0,0 +1,111 @@
+<?php
+
+/* Local configuration for Roundcube Webmail */
+/* {{ ansible_managed }} */
+
+$config['imap_auth_type'] = 'LOGIN';
+$config['imap_delimiter'] = '/';
+
+// ----------------------------------
+// SMTP
+// ----------------------------------
+$config['smtp_server'] = '{{ smtp_host }}';
+$config['smtp_auth_type'] = 'LOGIN';
+
+$config['support_url'] = '{{ support_url }}';
+
+array(
+    "elastic:login[small]" => "/images/logo_login_small.png",
+    "elastic:login" => "/images/logo_login.png",
+    "elastic:*[small]" => "/images/logo_small.png",
+    "larry:*" => "/images/larry.png",
+    "login" => "/images/logo_login.png",
+    "[print]" => "/images/logo_print.png",
+);
+$config['skin_logo'] = 'images/{{ logo_filename }}';
+
+$config['des_key'] = '{{ roundcube_deskey }}';
+
+// ----------------------------------
+// PLUGINS
+// ----------------------------------
+$config['plugins'] = array('managesieve');
+$config['create_default_folders'] = true;
+$config['quota_zero_as_unlimited'] = true;
+$config['ldap_public'] = array (
+    'global_ldap_abook' =>
+        array (
+            'name' => 'Global LDAP Address Book',
+            'hosts' =>
+                array (
+                    0 => '{{ ldap_host }}',
+                ),
+                'port' => {{ ldap_port }},
+                'use_tls' => false,
+                'ldap_version' => '3',
+                'network_timeout' => 10,
+                'user_specific' => true,
+                'base_dn' => '{{ ldap_basedn }}',
+                'bind_dn' => 'mail=%u@%d,ou=Users,domainName=%d,{{ ldap_basedn }}',
+                'hidden' => false,
+                'searchonly' => false,
+                'writable' => false,
+                'search_fields' =>
+                    array (
+                        0 => 'mail',
+                        1 => 'cn',
+                        2 => 'sn',
+                        3 => 'givenName',
+                        4 => 'street',
+                        5 => 'telephoneNumber',
+                        6 => 'mobile',
+                        7 => 'stree',
+                        8 => 'postalCode',
+                    ),
+                'fieldmap' =>
+                    array (
+                        'name' => 'cn',
+                        'surname' => 'sn',
+                        'firstname' => 'givenName',
+                        'title' => 'title',
+                        'email' => 'mail:*',
+                        'phone:work' => 'telephoneNumber',
+                        'phone:mobile' => 'mobile',
+                        'street' => 'street',
+                        'zipcode' => 'postalCode',
+                        'locality' => 'l',
+                        'department' => 'departmentNumber',
+                        'notes' => 'description',
+                        'phone:workfax' => 'facsimileTelephoneNumber',
+                        'photo' => 'jpegPhoto',
+                    ),
+                'sort' => 'cn',
+                'scope' => 'sub',
+                'filter' => '(&(enabledService=mail)(enabledService=deliver)(enabledService=displayedInGlobalAddressBook)(|(objectClass=mailList)(objectClass=mailAlias)(objectClass=mailUser)))',
+                'fuzzy_search' => true,
+                'vlv' => false,
+                'sizelimit' => '0',
+                'timelimit' => '0',
+                'referrals' => false,
+                'group_filters' =>
+                    array (
+                        'departments' =>
+                            array (
+                                'name' => 'Mailing Lists',
+                                'scope' => 'sub',
+                                'base_dn' => '{{ ldap_basedn }}',
+                                'filter' => '(&(objectclass=mailList)(accountStatus=active)(enabledService=displayedInGlobalAddressBook))',
+                                'name_attr' => 'cn',
+                                'email' => 'mail',
+                            ),
+                    ),
+        ),
+);
+$config['autocomplete_addressbooks'] = array('sql', 'global_ldap_abook');
+$config['skin'] = 'elastic';
+$config['addressbook_sort_col'] = 'name';
+$config['draft_autosave'] = 60;
+$config['check_all_folders'] = true;
+$config['autoexpand_threads'] = 2;
+
+include_once("/etc/roundcube/debian-db-roundcube.php");
diff --git a/package-postfix_access/templates/debian-db.php.j2 b/package-postfix_access/templates/debian-db.php.j2
new file mode 100644
index 0000000..191b384
--- /dev/null
+++ b/package-postfix_access/templates/debian-db.php.j2
@@ -0,0 +1,9 @@
+<?php
+/* {{ ansible_managed }} */
+$dbuser='{{ mysql_username }}';
+$dbpass='{{ mysql_password }}';
+$basepath='';
+$dbname='{{ mysql_database }}';
+$dbserver='{{ mysql_host }}';
+$dbport='{{ mysql_port }}';
+$dbtype='mysql';
diff --git a/package-postfix_access/templates/dovecot-ldap.conf.j2 b/package-postfix_access/templates/dovecot-ldap.conf.j2
new file mode 100644
index 0000000..1885806
--- /dev/null
+++ b/package-postfix_access/templates/dovecot-ldap.conf.j2
@@ -0,0 +1,21 @@
+# Dovecot LDAP interface configuration
+# {{ ansible_managed }}
+
+hosts           = {{ ldap_host }}:{{ ldap_port }}
+ldap_version    = 3
+auth_bind       = yes
+dn              = {{ ldap_bind_username }}
+dnpass          = {{ ldap_bind_password }}
+base            = {{ ldap_basedn }}
+scope           = subtree
+deref           = never
+
+# Below two are required by command 'doveadm mailbox ...'
+iterate_attrs   = mail=user
+iterate_filter  = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail))
+
+user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))
+user_attrs      = mail=user,homeDirectory=home,=mail=maildir:~/Maildir/,mailQuota=quota_rule=*:bytes=%$
+pass_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))
+pass_attrs      = mail=user,userPassword=password
+default_pass_scheme = SSHA
diff --git a/package-postfix_access/templates/dovecot.conf.j2 b/package-postfix_access/templates/dovecot.conf.j2
new file mode 100644
index 0000000..6b8aa63
--- /dev/null
+++ b/package-postfix_access/templates/dovecot.conf.j2
@@ -0,0 +1,177 @@
+# Dovecot main configuration
+# {{ ansible_managed }}
+
+listen = *, [::]
+mail_plugins = quota
+protocols = pop3 imap sieve lmtp
+mail_uid = 2000
+mail_gid = 2000
+first_valid_uid = 2000
+last_valid_uid = 2000
+log_path = /var/log/dovecot.log
+mail_debug = no
+auth_verbose = no
+auth_debug = no
+auth_debug_passwords = no
+auth_verbose_passwords = no
+ssl = no
+mailbox_list_index = yes
+disable_plaintext_auth = no
+mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/:VOLATILEDIR=/tmp/dovecot-volatile/%d/%u
+auth_default_realm = {{ domain }}
+auth_mechanisms = PLAIN LOGIN
+haproxy_trusted_networks = {{ trusted_networks }}
+haproxy_timeout = 5s
+service auth {
+    unix_listener /var/spool/postfix/private/dovecot-auth {
+        user = postfix
+        group = postfix
+        mode = 0666
+    }
+    unix_listener auth-master {
+        user = vmail
+        group = vmail
+        mode = 0666
+    }
+    unix_listener auth-userdb {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
+service lmtp {
+    user = vmail
+    process_min_avail = 5
+    executable = lmtp -L
+    unix_listener /var/spool/postfix/private/dovecot-lmtp {
+        user = postfix
+        group = postfix
+        mode = 0600
+    }
+    inet_listener lmtp {
+        port = 24
+    }
+}
+service stats {
+    unix_listener stats-reader {
+        user = dovecot
+        group = postfix
+        mode = 0660
+    }
+    unix_listener stats-writer {
+        user = dovecot
+        group = postfix
+        mode = 0660
+    }
+}
+userdb {
+    args = /etc/dovecot/dovecot-ldap.conf
+    driver = ldap
+}
+passdb {
+    args = /etc/dovecot/dovecot-ldap.conf
+    driver = ldap
+}
+plugin {
+    auth_socket_path = /var/run/dovecot/auth-master
+    acl = vfile
+    acl_shared_dict = proxy::acl
+    sieve_dir = /%Lh/sieve
+    sieve = /%Lh/sieve/dovecot.sieve
+    sieve_global_dir = /srv/vmail/sieve
+    sieve_default = /srv/vmail/sieve/dovecot.sieve
+}
+service dict {
+    unix_listener dict {
+        mode = 0660
+        user = vmail
+        group = vmail
+    }
+}
+protocol lda {
+    mail_plugins = $mail_plugins sieve
+    auth_socket_path = /run/dovecot/auth-master
+    log_path = /var/log/dovecot.log
+    lda_mailbox_autocreate = yes
+    postmaster_address = {{ postmaster }}
+}
+protocol lmtp {
+    info_log_path = /var/log/dovecot-lmtp.log
+    mail_plugins = quota sieve
+    postmaster_address = {{ postmaster }}
+    lmtp_save_to_detail_mailbox = yes
+    recipient_delimiter = +
+}
+protocol imap {
+    mail_plugins = $mail_plugins imap_quota
+    imap_client_workarounds = tb-extra-mailbox-sep
+}
+protocol pop3 {
+    mail_plugins = $mail_plugins
+    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
+    pop3_uidl_format = %08Xu%08Xv
+}
+service imap-login {
+    service_count = 1
+    process_limit = 500
+    inet_listener imap {
+        port = 143
+    }
+{% if haproxy %}
+    inet_listener imap-haproxy {
+        port = 10143
+        haproxy = yes
+    }
+{% endif %}
+}
+service pop3-login {
+    service_count = 1
+    process_limit = 500
+    inet_listener pop3 {
+        port = 110
+    }
+{% if haproxy %}
+    inet_listener pop3-haproxy {
+        port = 10110
+        haproxy = yes
+    }
+{% endif %}
+}
+namespace {
+    type = private
+    separator = /
+    prefix =
+    inbox = yes
+    mailbox Sent {
+        auto = subscribe
+        special_use = \Sent
+    }
+    mailbox "Sent Messages" {
+        auto = no
+        special_use = \Sent
+    }
+    mailbox Drafts {
+        auto = subscribe
+        special_use = \Drafts
+    }
+    mailbox Trash {
+        auto = subscribe
+        special_use = \Trash
+    }
+    mailbox Junk {
+        auto = subscribe
+        special_use = \Junk
+    }
+    mailbox Spam {
+        auto = no
+        special_use = \Junk
+    }
+}
+namespace {
+    type = shared
+    separator = /
+    prefix = Shared/%%u/
+    location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u:VOLATILEDIR=/tmp/dovecot-volatile/Shared/%%u
+    subscriptions = yes
+    list = children
+}
diff --git a/package-postfix_access/templates/helo_access.pcre.j2 b/package-postfix_access/templates/helo_access.pcre.j2
new file mode 100644
index 0000000..52dbede
--- /dev/null
+++ b/package-postfix_access/templates/helo_access.pcre.j2
@@ -0,0 +1,143 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+# No one will use these in helo command.
+/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+
+# Reject who use IP address as helo.
+# Correct:      [xxx.xxx.xxx.xxx]
+# Incorrect:    xxx.xxx.xxx.xxx
+/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})
+
+#
+# This is the real HELO identify of these ISPs:
+#   sohu.com    websmtp.sohu.com relay2nd.mail.sohu.com
+#   126.com     m15-78.126.com
+#   163.com     m31-189.vip.163.com m13-49.163.com
+#   sina.com    mail2-209.sinamail.sina.com.cn
+#   gmail.com   xx-out-NNNN.google.com
+/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+
+#
+# Spammers.
+#
+/^(728154EA470B4AA\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(taj-co\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(CF8D3DB045C1455\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(dsgsfdg\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(se\.nit7-ngbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mail\.goo\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(n-ong_an\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(meqail\.teamefs-ine5tl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(zzg\.jhf-sp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(din_glo-ng\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(fda-cnc\.ie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(yrtaj-yrco\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(m\.am\.biz\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(xr_haig\.roup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(hjn\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(we_blf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(netvigator\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mysam\.biz)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mail\.teams-intl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(seningbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nblf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(kdn\.ktguide\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(zzsp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nblongan\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(dpu\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nbalton\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(cncie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(xinhaigroup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(wz\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/(\.zj\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/(\.kornet)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+
+/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(system\.mail)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(speedtouch\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+
+#
+# Reject adsl spammers.
+#
+/(adsl)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dynamic)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(pool-)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/^(cpe-)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(\.cpe\.)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+/(speedy\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(speedyterra\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static\.sbb\.rs)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static\.vsnl\.net\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+/(advance\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(airtelbroadband\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(bb\.netvision\.net\.il)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(broadband3\.iol\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(cable\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(catv\.broadband\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(chello\.nl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(chello\.sk)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(client\.mchsi\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(comunitel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(coprosys\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dclient\.hispeed\.ch)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dip0\.t-ipconnect\.de)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(domain\.invalid)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dyn\.centurytel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(embarqhsd\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(emcali\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(epm\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(eutelia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(fastwebnet\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(fibertel\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(freedom2surf\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(hgcbroadband\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(infonet\.by)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(is74\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(kievnet\.com\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(metrotel\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(nw\.nuvox\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pldt\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pool\.invitel\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pool\.ukrtel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pools\.arcor-ip\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pppoe\.avangarddsl\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(retail\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(revip2\.asianet\.co\.th)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tim\.ro)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tsi\.tychy\.pl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(ttnet\.net\.tr)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tttmaxnet\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(user\.veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(utk\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(virtua\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wanamaroc\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wbt\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wireless\.iaw\.on\.ca)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(business\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(cotas\.com\.bo)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(marunouchi\.tokyo\.ocn\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(amedex\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(aageneva\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
diff --git a/package-postfix_access/templates/main.cf.j2 b/package-postfix_access/templates/main.cf.j2
new file mode 100644
index 0000000..ca936de
--- /dev/null
+++ b/package-postfix_access/templates/main.cf.j2
@@ -0,0 +1,89 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+smtpd_banner = {{ banner_hostname }} ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 48h
+maximal_queue_lifetime = 14d
+bounce_queue_lifetime = 14d
+readme_directory = no
+compatibility_level = 2
+
+smtp_use_tls=yes
+smtp_tls_cert_file=/etc/ssl/{{ banner_hostname }}.crt
+smtp_tls_key_file=/etc/ssl/{{ banner_hostname }}.key
+smtpd_tls_cert_file=/etc/ssl/letsencrypt/infrastructure.pem
+smtpd_tls_key_file=/etc/ssl/letsencrypt/infrastructure.pem
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+myhostname = {{ myhostname }}
+mydomain = {{ mydomain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = localhost
+
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mynetworks }}
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+swap_bangpath = no
+mynetworks_style = host
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+smtp_tls_security_level = may
+smtp_tls_CAfile = $smtpd_tls_CAfile
+smtp_tls_loglevel = 0
+smtp_tls_note_starttls_offer = yes
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
+smtp_data_init_timeout = 240s
+smtp_data_xfer_timeout = 600s
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
+queue_run_delay = 300s
+minimal_backoff_time = 300s
+maximal_backoff_time = 4000s
+enable_original_recipient = no
+disable_vrfy_command = yes
+home_mailbox = Maildir/
+allow_min_user = no
+message_size_limit = 52428800
+virtual_minimum_uid = 2000
+virtual_uid_maps = static:2000
+virtual_gid_maps = static:2000
+virtual_mailbox_base = /srv/vmail
+
+transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf, hash:/etc/postfix/transport
+virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
+virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
+virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
+sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
+recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
+
+smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_local_domain = 
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_tls_auth_only = no
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 0
+tls_random_source = dev:/dev/urandom
+
+command_time_limit = 12h
+ipc_timeout = 12h
+
+mailbox_command = /usr/lib/dovecot/deliver
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/dovecot-auth
+smtp-amavis_destination_recipient_limit = 1
+virtual_alias_domains = 
diff --git a/package-postfix_access/templates/master.cf.j2 b/package-postfix_access/templates/master.cf.j2
new file mode 100644
index 0000000..f83609f
--- /dev/null
+++ b/package-postfix_access/templates/master.cf.j2
@@ -0,0 +1,73 @@
+# Postfix master process configuration file
+# {{ ansible_managed }}
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#         (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+pickup    unix  n       -       y       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+smtp-ipv4 unix  -       -       y       -       -       smtp
+  -o inet_protocols=ipv4
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+
+submission inet n       -       n       -       -       smtpd
+  -o smtpd_enforce_tls=no
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_upstream_proxy_protocol=haproxy
+  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+  -o content_filter=smtp-amavis:[::1]:10024
+
+dovecot unix    -       n       n       -       -      pipe
+    -o soft_bounce=yes
+    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
+
+smtp-amavis     unix    -       -       y       -       2       smtp
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+
+[::1]:10025 inet    n       -       y       -       -       smtpd
+  -o inet_protocols=ipv6
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o mynetworks=127.0.0.0/8,[::1]/128
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
diff --git a/package-postfix_access/templates/ports.conf.j2 b/package-postfix_access/templates/ports.conf.j2
new file mode 100644
index 0000000..87830fb
--- /dev/null
+++ b/package-postfix_access/templates/ports.conf.j2
@@ -0,0 +1,4 @@
+# Roundcube custom port configuration
+# {{ ansible_managed }}
+
+Listen 81
diff --git a/package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2
new file mode 100644
index 0000000..14d3eca
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(accountStatus=active)(|(mail=@%d)(shadowAddress=@%d)))
+result_attribute= mailForwardingAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2 b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2
new file mode 100644
index 0000000..7157f02
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%d)(domainAliasName=%d))(accountStatus=active)(enabledService=mail)(enabledService=recipientbcc))
+result_attribute= domainRecipientBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2 b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2
new file mode 100644
index 0000000..6008c2f
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = ou=Users,domainName=%d,{{ ldap_basedn }}
+scope           = one
+query_filter    = (&(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=recipientbcc))
+result_attribute= userRecipientBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2 b/package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2
new file mode 100644
index 0000000..4d23609
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+bind            = yes
+start_tls       = no
+version         = 3
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%s)(&(enabledService=domainalias)(domainAliasName=%s)))(domainBackupMX=yes)(accountStatus=active)(enabledService=mail))
+result_attribute= domainName
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2 b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2
new file mode 100644
index 0000000..d3eace7
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%d)(domainAliasName=%d))(accountStatus=active)(enabledService=mail)(enabledService=senderbcc))
+result_attribute= domainSenderBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2 b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2
new file mode 100644
index 0000000..1a9b1cf
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = ou=Users,domainName=%d,{{ ldap_basedn }}
+scope           = one
+query_filter    = (&(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=senderbcc))
+result_attribute= userSenderBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2
new file mode 100644
index 0000000..d479cdd
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=smtp)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s))))
+result_attribute= mail
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2 b/package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2
new file mode 100644
index 0000000..a283c70
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(accountStatus=active)(enabledService=mail)(|(domainName=%s)(domainAliasName=%s)))
+result_attribute= mtaTransport
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2 b/package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2
new file mode 100644
index 0000000..5147f24
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = ou=Users,domainName=%d,{{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailUser)(mail=%s)(accountStatus=active)(enabledService=mail))
+result_attribute= mtaTransport
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2
new file mode 100644
index 0000000..1d8867d
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(|(mail=%s)(shadowAddress=%s))(accountStatus=active)(enabledService=mail)(enabledService=deliver)(|(objectClass=mailAlias)(&(objectClass=mailUser)(enabledService=forward))))
+result_attribute= mailForwardingAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2
new file mode 100644
index 0000000..009d6fd
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(accountStatus=active)(enabledService=mail)(enabledService=deliver)(|(&(|(memberOfGroup=%s)(shadowAddress=%s))(objectClass=mailUser))(&(memberOfGroup=%s)(!(shadowAddress=%s))(|(objectClass=mailExternalUser)(objectClass=mailList)(objectClass=mailAlias)))))
+result_attribute= mail
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2
new file mode 100644
index 0000000..da5a6c6
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=deliver)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s))))
+result_attribute= mail
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2
new file mode 100644
index 0000000..b831c35
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+bind            = yes
+start_tls       = no
+version         = 3
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%s)(&(enabledService=domainalias)(domainAliasName=%s)))(!(domainBackupMX=yes))(accountStatus=active)(enabledService=mail))
+result_attribute= domainName
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2
new file mode 100644
index 0000000..442a2f8
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(accountStatus=active)(enabledService=mail)(enabledService=deliver))
+result_attribute= mailMessageStore
+result_format   = %s/Maildir/
+debuglevel      = 0
diff --git a/package-postfix_access/templates/roundcube.conf.j2 b/package-postfix_access/templates/roundcube.conf.j2
new file mode 100644
index 0000000..67439e1
--- /dev/null
+++ b/package-postfix_access/templates/roundcube.conf.j2
@@ -0,0 +1,47 @@
+DocumentRoot /var/lib/roundcube
+Alias /mail /var/lib/roundcube
+
+<Directory /var/lib/roundcube/>
+  Options +FollowSymLinks
+  # This is needed to parse /var/lib/roundcube/.htaccess. See its
+  # content before setting AllowOverride to None.
+  AllowOverride All
+  <IfVersion >= 2.3>
+    Require all granted
+  </IfVersion> 
+  <IfVersion < 2.3>
+    Order allow,deny
+    Allow from all
+  </IfVersion>
+</Directory>
+
+# Protecting basic directories:
+<Directory /var/lib/roundcube/config>
+        Options -FollowSymLinks
+        AllowOverride None
+</Directory>
+
+<Directory /var/lib/roundcube/temp>
+        Options -FollowSymLinks
+        AllowOverride None
+        <IfVersion >= 2.3>
+          Require all denied
+        </IfVersion> 
+        <IfVersion < 2.3>
+          Order allow,deny
+          Deny from all
+        </IfVersion>
+</Directory>
+
+<Directory /var/lib/roundcube/logs>
+        Options -FollowSymLinks
+        AllowOverride None
+        <IfVersion >= 2.3>
+          Require all denied
+        </IfVersion> 
+        <IfVersion < 2.3>
+          Order allow,deny
+          Deny from all
+        </IfVersion>
+</Directory>
+
diff --git a/package-postfix_access/templates/transport.j2 b/package-postfix_access/templates/transport.j2
new file mode 100644
index 0000000..da9f35c
--- /dev/null
+++ b/package-postfix_access/templates/transport.j2
@@ -0,0 +1,3 @@
+# Gmail-specific transfer policy
+# {{ ansible_managed }}
+gmail.com smtp-ipv4:
diff --git a/package-postfix_filter/defaults/main.yml b/package-postfix_filter/defaults/main.yml
new file mode 100644
index 0000000..7e116ab
--- /dev/null
+++ b/package-postfix_filter/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+# Default configurations
+# I populate these from external configs; I indicate what the are as inline comments
+
+# Postfix
+
+# A list of relay domains and their target (square-bracked hostname/IP + port); examples follow
+relay_domains: "{{ blse_relaydomains }}"
+#  - domain: "some.domain.tld"
+#    relay: "[mail.domain.tld]"
+#  - domain: "other.domain.tld"
+#    relay: "[secure.domain.tld]:465"
+
+# A list of RBLs to check for rejecting incoming mail
+remote_block_lists:
+  - bl.spamcop.net
+  - zen.spamhaus.org
+  - cbl.abuseat.org
+
+# Enable TLS (literal yes/no only) and, if yes, the cert and key files
+tls_enabled: yes
+tls_cert: "/etc/ssl/{{ ansible_fqdn }}.crt"
+tls_key: "/etc/ssl/{{ ansible_fqdn }}.key"
+
+# Virtual address maps
+virtual_maps:
+  - regex: "/^postmaster@/"
+    map: "root@{{ blsedomains_admindomain }}"
+
+# SpamAssassin
+notify_admin: "joshua@boniface.me" # Administrative address to notify
+notify_method: "smtp:{{ blsecluster_smtphost }}:25"
+custom_sender_scores:
+  - [qr'^(offers)@'i => 1.0]
+  - [qr'^.*@pizzanova.com'i => 1.0]
diff --git a/package-postfix_filter/files/ham-sample/README b/package-postfix_filter/files/ham-sample/README
new file mode 100644
index 0000000..76b5c47
--- /dev/null
+++ b/package-postfix_filter/files/ham-sample/README
@@ -0,0 +1,2 @@
+Populate me with spam-tagged legit emails.
+Then `tar -cvJf ham-sample.txz ham-sample/` in the parent directory.
diff --git a/package-postfix_filter/files/spam-sample/README b/package-postfix_filter/files/spam-sample/README
new file mode 100644
index 0000000..76b5c47
--- /dev/null
+++ b/package-postfix_filter/files/spam-sample/README
@@ -0,0 +1,2 @@
+Populate me with spam-tagged legit emails.
+Then `tar -cvJf ham-sample.txz ham-sample/` in the parent directory.
diff --git a/package-postfix_filter/handlers/main.yml b/package-postfix_filter/handlers/main.yml
new file mode 100644
index 0000000..e7784cc
--- /dev/null
+++ b/package-postfix_filter/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: postmap transport
+  command: "postmap /etc/postfix/transport"
+- name: restart amavis
+  service:
+    name: "amavis"
+    state: "restarted"
+- name: restart saslauthd
+  service:
+    name: "saslauthd"
+    state: "restarted"
+- name: restart postfix
+  service:
+    name: "postfix"
+    state: "restarted"
+- name: restart spamassassin
+  service:
+    name: "spamassassin"
+    state: "restarted"
diff --git a/package-postfix_filter/tasks/main.yml b/package-postfix_filter/tasks/main.yml
new file mode 100644
index 0000000..ba1f684
--- /dev/null
+++ b/package-postfix_filter/tasks/main.yml
@@ -0,0 +1,220 @@
+---
+#
+# Install role packages
+#
+
+- name: install filtering packages and monitoring components
+  apt:
+    name:
+      - postfix
+      - postfix-pcre
+      - mailgraph
+      - amavis
+      - spamassassin
+      - clamav-daemon
+      - libnet-dns-perl
+      - libmail-spf-perl
+      - postfix-policyd-spf-python
+      - pfqueue
+    state: latest
+
+- name: install compression algorithms for scanning
+  apt:
+    name:
+      - p7zip-full
+      - arj
+      - bzip2
+      - cabextract
+      - cpio
+      - file
+      - gzip
+      - lhasa
+      - liblz4-tool
+      - lrzip
+      - lzop
+      - nomarch
+      - pax
+      - rar
+      - rpm
+      - unrar-free
+      - unzip
+      - xz-utils
+      - zip
+    state: latest
+
+#
+# ClamAV
+#
+
+- name: ensure clamav is in amavis group
+  user:
+    name: "clamav"
+    append: "yes"
+    groups: "amavis"
+
+- name: ensure amavis is in clamav group
+  user:
+    name: "amavis"
+    append: "yes"
+    groups: "clamav"
+
+#
+# policyd SPF
+#
+
+- name: install policyd-spf config
+  template: 
+   src: "{{ item }}.j2"
+   dest: "/etc/postfix-policyd-spf-python/{{ item }}"
+  notify:
+    - restart postfix
+  with_items:
+    - "policyd-spf.conf"
+
+#
+# SpamAssassin
+#
+
+- name: install SpamAssassin config
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/spamassassin/{{ item }}"
+  notify:
+    - restart spamassassin
+    - restart amavis
+  with_items:
+  - "local.cf"
+  - "90_customrules.cf"
+
+#
+# Amavis
+#
+
+- name: install Amavis configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/amavis/conf.d/{{ item }}"
+  notify:
+    - restart amavis
+  with_items:
+  - "15-content_filter_mode"
+  - "50-user"
+
+#
+# Postfix
+#
+
+- name: create the Postfix local config dir
+  file:
+    state: directory
+    dest: "/etc/postfix/local"
+
+- name: install the Postfix main configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/{{ item }}"
+  notify:
+  - restart postfix
+  with_items:
+  - "main.cf"
+  - "master.cf"
+
+- name: install the Postfix local configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/local/{{ item }}"
+  notify:
+  - restart postfix
+  with_items:
+    - helo_access
+    - recipient_access
+    - relay_domains
+    - transport
+    - virtual
+
+- name: link /etc/mailname to /etc/hostname
+  file:
+    dest: "/etc/mailname"
+    src: "/etc/hostname"
+    state: "link"
+    force: "yes"
+
+#
+# Verify and enable services
+#
+
+- name: verify and enable services
+  service:
+    name: "{{ item }}"
+    state: "started"
+    enabled: "yes"
+  with_items:
+  - "postfix"
+  - "amavis"
+  - "clamav-daemon"
+
+#
+# SpamAssassin training
+#
+
+- name: download spam sample archive
+  copy:
+    src: "spam-sample.txz"
+    dest: "/var/cache/spam-sample.txz"
+    owner: "root"
+    group: "root"
+    mode: "400"
+  register: spamsample
+
+- name: make temporary directory
+  command: "mktemp -d"
+  register: tempdirspam
+  when: spamsample.changed
+
+- name: extract spam sample archive to temporary directory
+  unarchive:
+    remote_src: "yes"
+    src: "/var/cache/spam-sample.txz"
+    dest: "{{ tempdirspam.stdout }}/"
+  when: spamsample.changed
+
+- name: sa-learn from the spam sample
+  command: "sa-learn --spam {{ tempdirspam.stdout }}/spam-sample/"
+  when: spamsample.changed
+
+- name: remove temporary directory
+  file:
+    dest: "{{ tempdirspam.stdout }}"
+    state: "absent"
+  when: spamsample.changed
+
+- name: download ham sample archive
+  copy:
+    src: "ham-sample.txz"
+    dest: "/var/cache/ham-sample.txz"
+    owner: "root"
+    group: "root"
+    mode: "400"
+  register: hamsample
+
+- name: make temporary directory
+  command: "mktemp -d"
+  register: tempdirham
+  when: hamsample.changed
+
+- name: extract ham sample archive to temporary directory
+  unarchive:
+    remote_src: "yes"
+    src: "/var/cache/ham-sample.txz"
+    dest: "{{ tempdirham.stdout }}/"
+  when: hamsample.changed
+
+- name: sa-learn from the ham sample
+  command: "sa-learn --ham {{ tempdirham.stdout }}/ham-sample/"
+  when: hamsample.changed
+
+- name: remove temporary directory
+  file:
+    dest: "{{ tempdirham.stdout }}"
+    state: "absent"
+  when: hamsample.changed
diff --git a/package-postfix_filter/templates/15-content_filter_mode.j2 b/package-postfix_filter/templates/15-content_filter_mode.j2
new file mode 100644
index 0000000..8ea341f
--- /dev/null
+++ b/package-postfix_filter/templates/15-content_filter_mode.j2
@@ -0,0 +1,12 @@
+use strict;
+
+# Amavis filter configuration
+# {{ ansible_managed }}
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return
diff --git a/package-postfix_filter/templates/50-user.j2 b/package-postfix_filter/templates/50-user.j2
new file mode 100644
index 0000000..50125ae
--- /dev/null
+++ b/package-postfix_filter/templates/50-user.j2
@@ -0,0 +1,40 @@
+use strict;
+
+@local_domains_acl = ( "." );
+$sa_tag_level_deflt = -9999;
+$sa_tag2_level_deflt = 5;
+$sa_kill_level_deflt = 9999;
+$sa_spam_subject_tag = '*** SPAM *** ';
+$final_spam_destiny = 'D_PASS';
+
+$bad_header_quarantine_method = undef;
+
+$notify_method  = '{{ notify_method }}';
+
+$newvirus_admin = '{{ notify_admin }}';
+$virus_admin = '{{ notify_admin }}';
+$spam_admin  = '{{ notify_admin }}';
+
+$banned_admin     = \@virus_admin_maps;  # for compatibility with pre-2.2.1
+$bad_header_admin = \@virus_admin_maps;  # for compatibility with pre-2.2.1
+@newvirus_admin_maps  = (\$newvirus_admin);
+@virus_admin_maps     = (\%virus_admin, \$virus_admin);
+@spam_admin_maps      = (\%spam_admin,  \$spam_admin);
+@banned_admin_maps    = (\$banned_admin);
+@bad_header_admin_maps= (\$bad_header_admin);
+
+{% if custom_sender_scores is defined %}
+# Custom sender_map scores
+@score_sender_maps = ({
+  '.' => [
+    new_RE(
+{% for score in custom_sender_scores %}
+      {{ score }},
+{% endfor %}
+    ),
+  ],
+});
+{% endif %}
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
diff --git a/package-postfix_filter/templates/90_customrules.cf.j2 b/package-postfix_filter/templates/90_customrules.cf.j2
new file mode 100644
index 0000000..92bacf9
--- /dev/null
+++ b/package-postfix_filter/templates/90_customrules.cf.j2
@@ -0,0 +1,7 @@
+# Adjustments to default SpamAssassin scoring
+# {{ ansible_managed }}
+score RCVD_IN_PSBL 3.5		# Increase default score significantly
+score URIBL_BLACK 3.5		# Increase default score significantly
+score LOTS_OF_MONEY 2		# Increase default score a little
+score ADVANCE_FEE_4_NEW 2	# Increase default score a little
+score RDNS_NONE 0.5		# Decrease default score a little
diff --git a/package-postfix_filter/templates/helo_access.j2 b/package-postfix_filter/templates/helo_access.j2
new file mode 100644
index 0000000..266c7fb
--- /dev/null
+++ b/package-postfix_filter/templates/helo_access.j2
@@ -0,0 +1,2 @@
+/^\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]$/     DUNNO   announced self using an address literal
+/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/         REJECT  announced self with an IP address instead of a domain name
diff --git a/package-postfix_filter/templates/local.cf.j2 b/package-postfix_filter/templates/local.cf.j2
new file mode 100644
index 0000000..73e0a67
--- /dev/null
+++ b/package-postfix_filter/templates/local.cf.j2
@@ -0,0 +1,27 @@
+# SpamAssassin local config
+# {{ ansible_managed }}
+
+report_safe 1
+required_score 4.5
+
+use_bayes 1
+bayes_auto_learn 1
+bayes_auto_learn_threshold_nonspam -0.1
+bayes_auto_learn_threshold_spam 9.0
+
+score BAYES_00 -4
+score BAYES_05 -2
+score BAYES_80 2
+score BAYES_95 6
+score BAYES_99 8
+
+bayes_ignore_header X-Bogosity
+bayes_ignore_header X-Spam-Flag
+bayes_ignore_header X-Spam-Status
+
+bayes_path /var/spamassassin/bayes_db/bayes
+bayes_file_mode 0777
+
+skip_rbl_checks 0
+ok_languages all
+ok_locales all
diff --git a/package-postfix_filter/templates/main.cf.j2 b/package-postfix_filter/templates/main.cf.j2
new file mode 100644
index 0000000..9b71172
--- /dev/null
+++ b/package-postfix_filter/templates/main.cf.j2
@@ -0,0 +1,91 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+myorigin = /etc/mailname
+myhostname = {{ ansible_fqdn }}
+
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+message_size_limit = 26214400
+mailbox_size_limit = 0
+default_process_limit = 1000
+recipient_delimiter = +
+inet_interfaces = all
+
+smtpd_banner = {{ ansible_fqdn }} ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 48h
+maximal_queue_lifetime = 14d
+bounce_queue_lifetime = 14d
+readme_directory = no
+compatibility_level = 2
+
+smtpd_use_tls={{ tls_enabled }}
+smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
+smtpd_tls_cert_file={{ tls_cert }}
+smtpd_tls_key_file={{ tls_key }}
+smtpd_tls_ask_ccert = yes
+smtpd_tls_received_header = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
+smtpd_tls_security_level = may
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_ciphers = medium
+smtpd_tls_exclude_ciphers = RC4, CAMELLIA, SEED, 3DES
+
+smtp_use_tls={{ tls_enabled }}
+smtp_tls_cert_file={{ tls_cert }}
+smtp_tls_key_file={{ tls_key }}
+smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
+smtp_tls_loglevel = 1
+smtp_tls_security_level = may
+smtp_tls_protocols = $smtpd_tls_protocols
+smtp_tls_ciphers = $smtpd_tls_ciphers
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+
+mydestination =
+local_recipient_maps =
+alias_maps =
+alias_database =
+virtual_alias_maps = pcre:$config_directory/local/virtual
+local_transport = error:local mail delivery is disabled
+transport_maps = pcre:$config_directory/local/transport
+relay_domains = $config_directory/local/relay_domains
+
+content_filter = smtp-amavis:[127.0.0.1]:10024
+smtpd_client_recipient_rate_limit = 250
+strict_rfc821_envelopes = yes
+receive_override_options = no_address_mappings
+policyd-spf_time_limit = 3600
+smtpd_relay_restrictions =
+    permit_mynetworks
+    reject_unauth_destination
+    check_policy_service unix:private/policyd-spf
+{% for rbl in remote_block_lists %}
+    reject_rbl_client {{ rbl }}
+{% endfor %}
+    warn_if_reject reject_unknown_client
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+    check_helo_access pcre:$config_directory/local/helo_access
+    reject_invalid_hostname
+
+smtpd_sender_restrictions =
+    check_sender_mx_access cidr:$config_directory/local/mx_access
+    reject_unknown_sender_domain
+    reject_non_fqdn_sender
+    check_sender_access pcre:$config_directory/local/sender_access
+
+smtpd_recipient_restrictions =
+    reject_unknown_recipient_domain
+    reject_non_fqdn_recipient
+    reject_unauth_pipelining
+    reject_unauth_destination
+    check_policy_service unix:private/policyd-spf
+    check_recipient_access pcre:$config_directory/local/recipient_access
+    reject_unverified_recipient
+
+smtpd_data_restrictions =
+    reject_multi_recipient_bounce
+    reject_unauth_pipelining
diff --git a/package-postfix_filter/templates/master.cf.j2 b/package-postfix_filter/templates/master.cf.j2
new file mode 100644
index 0000000..dea0256
--- /dev/null
+++ b/package-postfix_filter/templates/master.cf.j2
@@ -0,0 +1,62 @@
+# Postfix master process configuration file
+# {{ ansible_managed }}
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#         (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+pickup    unix  n       -       y       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+
+policyd-spf  unix  -       n       n       -       0       spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf
+
+smtp-amavis     unix    -       -       y       -       2       smtp
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+
+127.0.0.1:10025 inet    n       -       y       -       -       smtpd
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o mynetworks=127.0.0.0/8
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
diff --git a/package-postfix_filter/templates/policyd-spf.conf.j2 b/package-postfix_filter/templates/policyd-spf.conf.j2
new file mode 100644
index 0000000..cccd84a
--- /dev/null
+++ b/package-postfix_filter/templates/policyd-spf.conf.j2
@@ -0,0 +1,12 @@
+# policyd SPF config
+# {{ ansible_managed }}
+
+debugLevel = 1 
+
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
diff --git a/package-postfix_filter/templates/recipient_access.j2 b/package-postfix_filter/templates/recipient_access.j2
new file mode 100644
index 0000000..eeee382
--- /dev/null
+++ b/package-postfix_filter/templates/recipient_access.j2
@@ -0,0 +1,4 @@
+/[%!@].*[%!@]/  REJECT          sender-specified routing in recipient address
+/&.*@/          REJECT          invalid user
+/^(daemon|bin|sys|sync|games|man|lp|news|uucp|proxy|www-data|backup|list|irc|gnats|nobody)@/    REJECT  reserved system user
+/^(ntp|sshd|munin|postfix|clamav|sqlgrey|policyd-spf|bind|statd|freerad|mysql|smokeping|systemd-.+|)@/  REJECT  reserved system user
diff --git a/package-postfix_filter/templates/relay_domains.j2 b/package-postfix_filter/templates/relay_domains.j2
new file mode 100644
index 0000000..16dbac2
--- /dev/null
+++ b/package-postfix_filter/templates/relay_domains.j2
@@ -0,0 +1,3 @@
+{% for domain in relay_domains %}
+{{ domain.domain }}
+{% endfor %}
diff --git a/package-postfix_filter/templates/transport.j2 b/package-postfix_filter/templates/transport.j2
new file mode 100644
index 0000000..80a2133
--- /dev/null
+++ b/package-postfix_filter/templates/transport.j2
@@ -0,0 +1,3 @@
+{% for domain in relay_domains %}
+/@{{ domain.domain }}$/ relay:{{ domain.relay }}
+{% endfor %}
diff --git a/package-postfix_filter/templates/virtual.j2 b/package-postfix_filter/templates/virtual.j2
new file mode 100644
index 0000000..d89602a
--- /dev/null
+++ b/package-postfix_filter/templates/virtual.j2
@@ -0,0 +1,3 @@
+{% for map in virtual_maps %}
+{{ map.regex }} {{ map.map }}
+{% endfor %}