Hooking Postfix Admin Into Sovereign

Steps to convert Sovereign to use Postfix Admin
September 21, 2016
ansible sovereign postfixadmin

I’m working this morning on giving administrators in my organization access to Postfix to make changes. I’m going with Postfix Admin for this, but it requires some changes to the mailserver role of Sovereign for it to work.

In keeping with portability, I want people to be able to use Postfix Admin (PA) or to continue going with the config-based user setup. To accomplish that, I’m setting a boolean in user.yml that indicates which route we’re going to use. We’ll use this to change the Postfix maps as appropriate.

In user.yml:

# postfixadmin
use_postfix_admin: true

The next order of business is to sort out the conflict between where PA wants to store its information and how Postfix and Dovecot were configured to do so. Sovereign is creating the mailserver database and creating three arbitrary tables therein:

It and Dovecot are then querying these tables for login and mail delivery.

I’ve modified the SQL maps in the mailserver role with a conditional to install with one query if we’re using PA and another if we’re going with the defaults. I’ve also modified the postfix role to only trigger the SQL-related actions if we’re not using PA. This provides the separation that I’m after.

PA is a delegation of responsibility to the end user or their chosen admins. I’ve decided to leave them with everything after the initial installation and configuration. This means that they will have to go to /setup.php and create their admin user and then create their domains and mailboxes.

Our system uses several folders for management of spam:

We also use Archive as a folder for archiving, a workflow that some of my users employ.

PA can set these up automatically, but for Sovereign it required changing the config to connect via SSL to port 993:

$CONF['create_mailbox_subdirs_hostport']=993;
$CONF['create_mailbox_subdirs_hostoptions'] = array('novalidate-cert','norsh', 'ssl');
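
An added example, not part of the original post or of Postfix Admin's code: a small Python check that reads the create_mailbox_subdirs_* settings from a Postfix Admin config file and reports how the IMAP connection used for folder creation is protected. The option names are the mailbox flags of PHP's imap_open; the function names, finding codes and the host mail.example.com are assumptions made for illustration.

```python
import re

# Matches $CONF['key'] = value;  where value is a scalar, array(...) or [...]
ASSIGN = re.compile(r"""\$CONF\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*(.*?)\s*;""", re.S)
QUOTED = re.compile(r"""['"]([^'"]*)['"]""")

def parse_conf(text):
    # A later assignment overrides an earlier one, as it does in PHP.
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)  # full-line comments only
    conf = {}
    for key, raw in ASSIGN.findall(text):
        if raw.lower().startswith(("array(", "[")):
            conf[key] = [v for v in QUOTED.findall(raw) if v]
        else:
            conf[key] = raw.strip("'\"")
    return conf

def audit_subdir_imap(text):
    """Return finding codes for the create_mailbox_subdirs_* IMAP connection."""
    conf = parse_conf(text)
    opts = {o.lower() for o in conf.get("create_mailbox_subdirs_hostoptions", [])}
    host = conf.get("create_mailbox_subdirs_host")  # None if not set in this file
    port = conf.get("create_mailbox_subdirs_hostport")
    encrypted = bool(opts & {"ssl", "tls"})
    found = []
    if "novalidate-cert" in opts:
        found.append("cert-not-validated")      # any TLS endpoint is accepted
    elif encrypted and host in ("localhost", "127.0.0.1", "::1"):
        found.append("loopback-name-mismatch")  # cert is issued for the public name
    if not encrypted:
        found.append("no-encryption")           # login can cross the wire in clear
    if port == "993" and "ssl" not in opts:
        found.append("993-without-ssl")         # 993 is implicit TLS
    return found

# The two settings from the post (nothing else is set in this sample).
PAGE_CONFIG = """
$CONF['create_mailbox_subdirs_hostport']=993;
$CONF['create_mailbox_subdirs_hostoptions'] = array('novalidate-cert','norsh', 'ssl');
"""

# Constructed variant: validation left on, host set to the certificate's name (placeholder).
VALIDATING_CONFIG = """
$CONF['create_mailbox_subdirs_host'] = 'mail.example.com';
$CONF['create_mailbox_subdirs_hostport'] = 993;
$CONF['create_mailbox_subdirs_hostoptions'] = array('ssl', 'norsh');
"""

if __name__ == "__main__":
    print(audit_subdir_imap(PAGE_CONFIG), audit_subdir_imap(VALIDATING_CONFIG))
```

With validation left on, the host setting has to be the name the server certificate was issued for, which is why the constructed variant sets it explicitly.
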

After making these changes, a test installation of my Sovereign fork seems to be working. I’m able to create users via PA, deliver mail to those users via Postfix, and log in as those users via Dovecot.

This, of course, removes the need for having users and their hashes in Ansible, along with all domain and alias configuration. That will actually be quite nice.

The opendkim role also uses mail_virtual_domains, which we’ll be removing from the configuration if we’re using PA. I’m changing that to pull a list of domains from the database if we’re running PA, and then we’ll use register to stick that in a variable we can use to generate the keys.

All that remains is to write a script to export and import the current configuration into the new PA tables and to schedule a maintenance window to deploy it to production.