- name: Install dovecot and postfix
  # for EL6 w/o IUS: ['dovecot-mysql', 'dovecot', 'postfix', 'python-pip', 'gcc', 'python-devel', 'unzip']
  yum:
    name: ['dovecot22u-mysql', 'dovecot22u', 'postfix', 'python2-pip', 'gcc', 'python-devel', 'unzip']
    state: present

- name: Disable firewalls
  service:
    name: "{{item}}"
    state: stopped
    enabled: no
  with_items:
    - iptables
    - firewalld

- name: Download pfa 
  get_url:
    url: https://netix.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.2/postfixadmin-3.2-fedora.noarch.rpm
    dest: /tmp/postfixadmin-3.2-fedora.noarch.rpm
    force: no

- name: Download rainloop webmail
  get_url:
    url: https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip
    dest: /tmp/rainloop-community-latest.zip
    force: no

- name: Install pfa rpm
  yum:
    name: /tmp/postfixadmin-3.2-fedora.noarch.rpm
    validate_certs: no
    state: installed

- name: Install MySQL-python
  pip:
    name: MySQL-python
    state: present

- name: Create postfix database
  mysql_db:
    name: postfix
    encoding: utf8
    state: present

- name: Create postfix database user
  mysql_user:
    name: pfa
    password: pfa-rocks-2018
    priv: 'postfix.*:ALL'
    state: present

- name: Wipe pfa database config
  copy:
    content: ""
    dest: /etc/postfixadmin/config.local.php

- name: Create pfa database config
  blockinfile:
    create: yes
    path: /etc/postfixadmin/config.local.php
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK -->"
    block: | 
      <?php
      $CONF['database_type'] = 'mysqli';
      $CONF['database_user'] = 'pfa';
      $CONF['database_password'] = 'pfa-rocks-2018';
      $CONF['database_name'] = 'postfix';
      $CONF['configured'] = true;
      $CONF['setup_password'] = '86f9fd9bd36a205055206e46ad31d421:dd74ee7940a549fc9349376c013d1912c43fe85c';
      ?>

- name: Create postfixadmin apache config
  blockinfile:
    path: /etc/httpd/conf.d/pfa.conf
    create: yes
    block: |
      Alias /postfixadmin /usr/share/postfixadmin/public
      <Directory /usr/share/postfixadmin>
         Require all granted
         Options FollowSymLinks
         php_admin_flag allow_url_include off
         php_admin_flag allow_url_fopen off
         php_admin_value open_basedir "/usr/share/postfixadmin:/etc/postfixadmin:/var/cache/postfixadmin:/usr/bin/doveadm"
         php_admin_value session.save_path /var/cache/postfixadmin/sessions
      </Directory>
      <Directory /usr/share/postfixadmin/public>
         require all granted
      </Directory>

- name: Give apache read access to pfa config
  file:
    path: "{{item}}"
    mode: 0644
  with_items:
    - /etc/postfixadmin/config.inc.php
    - /etc/postfixadmin/config.local.php

 
- name: Config postfix to listen to all
  replace:
    dest: /etc/postfix/main.cf
    regexp: '^inet_interfaces.*'
    replace: 'inet_interfaces = all'

- name: Update postfix main.cf
  blockinfile:
    path: /etc/postfix/main.cf
    block: |
      virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
      virtual_alias_maps =
        proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
        proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
        proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
      virtual_mailbox_maps =
        proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
        proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
      virtual_mailbox_base = /var/vmail
      virtual_uid_maps = static:1001
      virtual_gid_maps = static:12
      # smtpd tls
      smtpd_use_tls = yes
      smtpd_tls_security_level = may
      smtpd_tls_key_file = /etc/postfix/server.key
      smtpd_tls_cert_file = /etc/postfix/server.crt
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom
      smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      # smtp auth
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_local_domain = $myhostname
      broken_sasl_auth_clients = yes
      # relay restrictions, bare minimal
      smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

- name: Setup submission port on postfix
  blockinfile:
    path: /etc/postfix/master.cf
    block:
      submission inet n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o broken_sasl_auth_clients=yes
        -o smtpd_sasl_local_domain=$myhostname
        -o smtpd_tls_auth_only=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_reject_unlisted_recipient=no
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

- name: Generate self-signed cert for postfix
  shell: openssl req -new -x509 -newkey rsa:2048 -keyout /etc/postfix/server.key -nodes -out /etc/postfix/server.crt -days 3650 -set_serial 201811 -subj "/C=US/ST=NJ/L=SelfSigned City/O=SelfSigned Company/OU=Mail/CN=mail.domain.tld"

- name: Create sql directory in postfix
  file:
    path: /etc/postfix/sql
    state: directory

- name: Create mysql_virtual_alias_maps.cf
  blockinfile:
    path: /etc/postfix/sql/mysql_virtual_alias_maps.cf
    create: yes
    block: |
      user = pfa
      password = pfa-rocks-2018
      hosts = localhost
      dbname = postfix
      query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

- name: Create mysql_virtual_alias_domain_maps.cf
  blockinfile:
    path: /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
    create: yes
    block: |
      user = pfa
      password = pfa-rocks-2018
      hosts = localhost
      dbname = postfix
      query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

- name: Create mysql_virtual_alias_domain_catchall_maps.cf
  blockinfile:
    path: /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
    create: yes
    block: |
      user = pfa
      password = pfa-rocks-2018
      hosts = localhost
      dbname = postfix
      query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

- name: Create mysql_virtual_domains_maps.cf
  blockinfile:
    path: /etc/postfix/sql/mysql_virtual_domains_maps.cf
    create: yes      
    block: |
      user = pfa
      password = pfa-rocks-2018
      hosts = localhost
      dbname = postfix
      query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

- name: Create mysql_virtual_mailbox_maps.cf
  blockinfile:
    path: /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
    create: yes
    block: |
      user = pfa
      password = pfa-rocks-2018
      hosts = localhost
      dbname = postfix
      query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

- name: Create mysql_virtual_alias_domain_mailbox_maps.cf
  blockinfile:
    path: /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
    create: yes
    block: |
      user = pfa
      password = pfa-rocks-2018
      hosts = localhost
      dbname = postfix
      query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'

- name: Create vmail directory
  file:
    path: /var/vmail
    state: directory
    owner: 1001
    group: mail
    mode: 0755

- name: Wipe existing dovecot config
  copy:
    content: ""
    dest: /etc/dovecot/dovecot.conf

- name: Configure dovecot
  blockinfile:
    path: /etc/dovecot/dovecot.conf
    create: yes
    block: |
      mail_location = maildir:/var/vmail/%d/%n/
      namespace inbox {
        inbox = yes
        location =
        mailbox Drafts {
          special_use = \Drafts
          auto = subscribe
        }
        mailbox Junk {
          special_use = \Junk
          auto = subscribe
        }
        mailbox Sent {
          special_use = \Sent
          auto = subscribe
        }
        mailbox "Sent Messages" {
          special_use = \Sent
          auto = subscribe
        }
        mailbox Trash {
          special_use = \Trash
          auto = subscribe
        }
        prefix =
      }
      protocols = "imap pop3"
      ssl = no
      # login is for outlook express smtpd auth
      auth_mechanisms = plain login
      userdb {
          driver = sql
          args = /etc/dovecot/dovecot-sql.conf
      }
      passdb {
          driver = sql
          args = /etc/dovecot/dovecot-sql.conf
      }
      first_valid_uid = 1000
      disable_plaintext_auth = no
      log_path = /var/log/dovecot.log
      auth_verbose = yes
      auth_debug = yes
      mail_debug = yes
      # postfix smtp auth
      service auth {
        unix_listener /var/spool/postfix/private/auth {
          mode = 0666
        }
      }
      # enable ssl
      ssl = yes
      ssl_cert = </etc/postfix/server.crt
      ssl_key = </etc/postfix/server.key
      ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
      ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!3DES:!RC4:!MD5:!DSS:!DH:!MEDIUM

- name: Create dovecot-sql.conf
  blockinfile:
    create: yes
    path: /etc/dovecot/dovecot-sql.conf
    block: |
      connect = host=localhost dbname=postfix user=pfa password=pfa-rocks-2018
      driver = mysql
      default_pass_scheme = MD5-CRYPT
      password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'
      user_query = SELECT maildir, 1001 AS uid, 1001 AS gid FROM mailbox WHERE username = '%u' AND active='1'

- name: Prepare rainloop webmail installation
  stat:
    path: /var/log/rainloop-installed
  register: rainloopInstalled

- name: Install rainloop webmail
  shell: touch /var/log/rainloop-installed; mkdir /var/www/rainloop; unzip /tmp/rainloop-community-latest.zip -d /var/www/rainloop
  when: rainloopInstalled.stat.exists == False

- name: Create rainloop apache config
  blockinfile:
    path: /etc/httpd/conf.d/rainloop.conf
    create: yes
    block: |
      Alias /webmail /var/www/rainloop
      <Directory /var/www/rainloop>
        Require all granted
      </Directory>
      <Directory /var/www/rainloop/data>
        Require all denied
      </Directory>

- name: Set rainloop data directory perm
  file:
    path: /var/www/rainloop/data
    owner: apache

- name: Restart apache, postfix, and dovecot
  service:
    name: "{{item}}"
    state: restarted
    enabled: yes
  with_items:
    - httpd
    - postfix
    - dovecot