Installation overview
Overview
Set up secrets.yml
The Ansible setup needs a few passwords that are generated on the user's side with scripts/gen_secrets.py, which is run as:
$ python3 scripts/gen_secrets.py
This creates or modifies the file secrets.yml, adding the randomly generated passwords the setup needs; any passwords already present in the file are not overwritten.
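To make the "generate, but never overwrite" behaviour concrete, here is an added example of an idempotent secret generator. It is not the project's scripts/gen_secrets.py: the secret names in REQUIRED_SECRETS are assumptions chosen for illustration, and the file is read and written as flat key: value YAML so the script runs without PyYAML.

```python
"""Idempotent generation of the passwords an Ansible setup needs.

Added example, not the project's own gen_secrets.py. The secret names
below are hypothetical; the real playbooks define their own.
"""
import os
import secrets
import stat
from pathlib import Path

# Hypothetical names of the passwords the playbooks are assumed to need.
REQUIRED_SECRETS = (
    "mariadb_root_password",
    "roundcube_db_password",
    "baikal_db_password",
    "ldap_admin_password",
)


def load_flat_yaml(path: Path) -> dict:
    """Read a flat `key: value` YAML file (no nesting) into a dict.

    Blank lines and comments are skipped; surrounding quotes are removed.
    A missing file simply yields an empty dict (first run).
    """
    data = {}
    if not path.exists():
        return data
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        data[key.strip()] = value.strip().strip("'\"")
    return data


def merge_secrets(existing: dict, names=REQUIRED_SECRETS, nbytes: int = 24) -> dict:
    """Return a copy of `existing` in which every required name has a value.

    Existing non-empty values are kept verbatim; only missing or empty
    entries get a fresh value from the `secrets` module (CSPRNG-backed,
    unlike `random`).
    """
    merged = dict(existing)
    for name in names:
        if not merged.get(name):
            merged[name] = secrets.token_urlsafe(nbytes)
    return merged


def write_flat_yaml(path: Path, data: dict) -> None:
    """Write the secrets with owner-only permissions (0600).

    The file is created with the restrictive mode up front so there is
    no window in which it is world-readable, and chmod is applied again
    in case the file already existed with looser permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, value in sorted(data.items()):
            fh.write(f"{key}: '{value}'\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def generate(path: Path = Path("secrets.yml")) -> dict:
    """Load, fill in missing secrets, write back; returns the final mapping."""
    merged = merge_secrets(load_flat_yaml(path))
    write_flat_yaml(path, merged)
    return merged


if __name__ == "__main__":
    generate()
```

Running it twice produces byte-identical output the second time, which is the property the real script is described as having; the 0600 mode matters because secrets.yml sits next to the playbooks and is otherwise easy to leave world-readable in a shared checkout.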
Set up vars.yml
It is recommended to first start with a minimal configuration of only the necessities and then re-run the installation to enable the optional extras.
A detailed description of each option is given in the vars-sample.yml file.
A minimal configuration using the optional, but highly recommended, nsd(8) setup would be similar to:
hostname: mail.aisha.cc
admin: aisha
domains:
  - name: aisha.cc
    nsd: true
enable_nsd: true
# ip1
ipv4: 108.61.81.40
ipv6: 2001:19f0:5:36b:5400:2ff:fe7f:a634
# ip2
secondary_nameservers:
  - '69.65.50.192' # freedns2
  - '109.201.133.111' # rest are cloudns
  - '209.58.140.85'
  - '54.36.26.145'
  - '185.206.180.104'
  - '185.136.96.66'
  - '185.136.97.66'
  - '185.136.98.66'
  - '185.136.99.66'
  - '185.206.180.193'
  - '2a00:1768:1001:9::31:1'
  - '2605:fe80:2100:a013:7::1'
  - '2a0b:1640:1:1:1:1:8ec:5a47'
  - '2a06:fb00:1::1:66'
  - '2a06:fb00:1::2:66'
  - '2a06:fb00:1::3:66'
  - '2a06:fb00:1::4:66'
  - '2a0b:1640:1:3::1'
# ip3
public_nameservers:
  - name: freedns2 # freedns2
    ipv4: 66.65.50.223
  - name: pns31 # rest are cloudns
    ipv4: 185.136.96.66
    ipv6: 2a06:fb00:1::1:66
  - name: pns32
    ipv4: 185.136.97.66
    ipv6: 2a06:fb00:1::2:66
  - name: pns33
    ipv4: 185.136.98.66
    ipv6: 2a06:fb00:1::3:66
  - name: pns34
    ipv4: 185.136.99.66
    ipv6: 2a06:fb00:1::4:66
  - name: ns31
    ipv4: 109.201.133.111
    ipv6: 2a00:1768:1001:9::31:1
  - name: ns32
    ipv4: 209.58.140.85
    ipv6: 2605:fe80:2100:a013:7::1
  - name: ns33
    ipv4: 54.36.26.145
  - name: ns34
    ipv4: 185.206.180.104
    ipv6: 2a0b:1640:1:1:1:1:8ec:5a47
Set up the inventory
If you are running Ansible on the mail server itself, the default inventory-sample.ini should be enough. Just copy and rename the file to inventory.ini and it should work.

[extraserver]
extra ansible_connection=local ansible_python_interpreter=/usr/local/bin/python3
[mainserver]
extra ansible_connection=local ansible_python_interpreter=/usr/local/bin/python3
[global:children]
extraserver
mainserver
Execute site-preinstall playbook
The first playbook to run is site-preinstall.yml:
$ ansible-playbook site-preinstall.yml
This runs the following preliminary roles (in order) for a basic setup:
- base:
  - pf
    - Sets up basic pf(5) firewall rules
  - syslog
- knot (optional, highly recommended)
  - Sets up knot DNS for all domains with the dns option enabled and configures an authoritative nameserver for a stealth master setup
- zones (optional, highly recommended)
  - Generates DNS zone files for knot
  - Generates DKIM certificates
It will take about 10-15 minutes after running the site-preinstall playbook for the DNS changes to take effect. Running the site-install playbook too soon may cause it to abort, as Let's Encrypt may not be able to find the websites.
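Rather than guessing at the 10-15 minutes, a readiness check can poll until the host's records are visible before site-install is started. The following is an added example, not part of the project: it assumes the hostname and the ipv4/ipv6 values from vars.yml above, resolves through the system resolver by default, and takes the resolver as a parameter so the wait logic can be exercised without network access.

```python
"""Wait for the DNS records published by the preinstall step to be live.

Added example, not project code. `expected` is the set of addresses
vars.yml assigns to the host (ipv4 and ipv6); `resolve` is injectable
so the polling logic can be tested with a fake resolver.
"""
import socket
import time
from typing import Callable, Iterable, Set

Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> list:
    """Return every IPv4/IPv6 address the system resolver reports for name.

    A lookup failure (NXDOMAIN, SERVFAIL, no network) is reported as an
    empty list so the caller treats it as "not ready yet", not as a crash.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def records_match(name: str, expected: Set[str], resolve: Resolver = system_resolver) -> bool:
    """True only when name resolves to exactly the expected address set.

    Exact equality is deliberate: a lingering old A/AAAA record would send
    Let's Encrypt's validation request to the wrong host, so "expected is
    a subset of what resolves" is not good enough.
    """
    return set(resolve(name)) == set(expected)


def wait_for_dns(name: str, expected: Set[str], resolve: Resolver = system_resolver,
                 attempts: int = 30, delay: float = 30.0,
                 sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll until the records match; return the attempt number that succeeded.

    Raises TimeoutError after `attempts` tries (default 30 x 30 s = 15 min,
    matching the wait the guide recommends).
    """
    for attempt in range(1, attempts + 1):
        if records_match(name, expected, resolve):
            return attempt
        if attempt < attempts:
            sleep(delay)
    raise TimeoutError(
        f"{name} did not resolve to {sorted(expected)} after {attempts} attempts"
    )


if __name__ == "__main__":
    # Values taken from the vars.yml example in this guide.
    used = wait_for_dns(
        "mail.aisha.cc",
        {"108.61.81.40", "2001:19f0:5:36b:5400:2ff:fe7f:a634"},
    )
    print(f"records live after {used} attempt(s); safe to run site-install")
```

Run it on the mail server after site-preinstall.yml and start site-install.yml only when it exits cleanly; if it raises TimeoutError, the zone has not propagated (or the nameserver configuration is wrong) and starting site-install would just fail at the acme role.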
If you skipped the setup and configuration of knot, you should now follow the Manual DNS Setup guide to create the DNS records in your provider's interface. For DKIM keys, log in to the mail server and create the DKIM keys manually with:
Add the TXT records excisionRSA._domainkey (for outgoing mails signed by rspamd) and davRSA._domainkey (optional, for outgoing scheduling requests by davical) with the values shown in the above command's output.
Execute site-install playbook
The bulk of the work is done in the site-install.yml playbook:
$ ansible-playbook site-install.yml
The following roles are run (in order):
- nginx_core
  - Installs nginx and configures basic webserver settings
  - Web server for all domains and subdomains
- acme:
- nginx_main_sites
- openldap (work in progress)
  - Sets up LDAP for all services to bind against (support in OpenSMTPD pending)
- spamd (optional):
  - Sets up greylisting and tarpitting for spam protection.
- redis
  - Sets up redis for use in rspamd
- clamav (optional):
  - Sets up an antivirus which scans all attachments and emails.
  - WARNING: this is quite heavy and may cripple smaller servers.
- rspamd:
  - Provides a wide range of spam protection techniques.
  - Enables DKIM signing for outgoing mails.
- smtpd:
  - Finally sets up the actual OpenSMTPD MTA.
- dovecot:
  - Sets up the IMAP/POP3 servers.
  - Sets up the local MDA for virtual users.
Execute site-extra playbook
The site-extra.yml playbook enables extra functionality that is not strictly needed for an email server but has become ubiquitous in almost all email setups:
$ ansible-playbook site-extra.yml
This installs and configures (in order):
- php
- mariadb
- baikal: Calendar + contacts server
- roundcube: Webmail server, along with a managesieve plugin for server-side mail filtering.