I use Dovecot as my IMAP/IMAPS server – it has always worked very reliably for me.

srv/salt/dovecot.sls

First, this file needs to include sslcerts.sls to make sure that the certificates are installed. Dovecot starts as root so it doesn’t need any special groups to get access to the key.

Once the packages are installed there is a bit of configuration to set up:

• Configure the system to use Maildir format;
• Get rid of any configuration to use mbox format;
• Ensure that SSL is turned on and that the ssl_cert and ssl_key values are set correctly;
• Ensure that SSL isn’t turned off.

It isn’t really possible to run an email server without a spam filter these days – there is just too much spam. Spam Assassin does the job very well, even with just its default configuration. Once exim is configured to use it, configuration of Spam Assassin itself is easy.

srv/salt/exim.sls

This YAML file is responsible for installing and configuring exim. First thing is to install SASL to handle authentication – exim needs access to the passwords and SASL is one of the standard ways to do this.

As discussed previously I’ve chosen to install the SSL certificates centrally in /etc/ssl; I’ve set up a group ssl-cert to allow access to these. Exim also needs to run under the sasl group to get access to the authentication daemon.

Debian uses a complex configuration system for exim. This makes it easy to configure with Saltstack – we can just add our configuration to the default and Debian will put it all together for us. However it must be noted that there appears to be a bug in Saltstack at present – it should be able to tell Debian to update the configuration when a file changes but at present I’m getting infinite recursion so that bit is commented out for now.

This is basic server configuration – making sure that the time on the server is set by NTP otherwise lots of weird things happen.

ntp.sls

# Install NTP to keep the time correct
ntp:
  pkg:
    - installed

The first thing we need to do is ensure that SaltStack itself is configured for masterless mode. We need to ensure that the minion isn’t running as a daemon:

saltmasterless.sls

# Turn off the salt minion daemon as we're running masterless
salt-minion:
  service.dead:
    - enable: False

I’ve needed to update my email server for a while. This time I wanted to do the installation with Saltstack:

• Saltstack is fun
• It means I have an easy-to-read document about what is on the server and how it is installed.

Tools like Saltstack are not just for when you’ve got lots of servers. Having a simple set of files that show exactly what has been changed from default and why is invaluable.

Ok – there are a few parts to this system.

• exim4 handles the SMTP part – incoming and outgoing email;
• SpamAssassin will do the SPAM filtering;
• dovecot will handle reading email via IMAP

Plus we need various security bits and pieces, user accounts and so on.

I’ll be running SaltStack in masterless mode – there isn’t any point in running a dedicated Salt Master server.