This role deploys a reasonably secure small mail server stack. This Ansible playbook installs and configures:

• TREES from riseuplabs
• Dovecot
• Postfix
• OpenDKIM
• sqlite3 user database
• SSL certs from Let's Encrypt on a single host.

• Debian 12+
• The hostname in mailfruit_server_hostname pointing to the server(s) this is deployed to, for Certbot to grab certificates :)

• mailfruit_server_hostname - required
• mailfruit_mail_domains - required a list of domains this server can accept mail for. The first item in this list is used as a default for various things.
• mailfruit_admin_email - required
• mailfruit_certbot_authenticator - optional, default: standalone
• mailfruit_trees_git_ref - optional, default: master
• mailfruit_dkim_selector - optional, default: mail. Set this to something unique per-server, unless you syncronize your DKIM keys another way.
• mailfruit_extra_server_hostnames - optional, default: undefined. A list of extra hostnames to fetch SSL certificates for, with certbot.

I've opted to require TLS at every step with pre-wrapped ports - ie, using port 993 for IMAPS instead of 143, where TLS is negotiated within a cleartext connection.

GPLv3

Important: For each server you deploy this to, you must host the DKIM TXT record for each domain. This record can be found on each server at /etc/opendkim/keys/mail.txt. You must also configure your SPF/DMARC records. If you do not do this, you will have very poor email deliverability.

You should probably use something like fail2ban to prevent account harvesting & break-in attempts. You should almost certainly harden your SSH install. You should definitely take backups of this server, particularly the user database; without it, the mail files become unreadable. You should implement external monitoring of this server; in particular, if this monitoring sends emails to alert you, those email addresses shouldn't reside on this server ;)