Use a Unix socket instead of a TCP socket as a Unix socket doesn't play nicely with postfix running
smtpd in a chroot. The author of rmilter recommends using a TCP socket per
https://github.com/vstakhov/rmilter/issues/39

Changelog at https://github.com/SSilence/selfoss/releases/tag/2.15

Setup postgres in common role

Added abuse as a default alias
It's mentioned in RFC 2142, I think it'll do no harm to add this

Postgres is used by several roles, but the setup is currently part of the 'mailserver' role. By moving it to 'common', it's possible to disable the mailserver without breaking the others.

Make opendmarc database setup more robust

Make opendmarc database setup more robust

Instead of registering a handler to run when the database is created,
register a variable and check it immediately to run the schema import.
This avoids a problem where an error between database creation and
schema import 1) leaves the server in a broken state, and 2) rerunning
the playbook doesn't fix it.

Change the name from `dmarc` to `opendmarc` to be consistent with the
names of other task lists in the role.

This merge switches Sovereign from systems based on Debian 7 to Debian
8.  It's a recursive merge of the jessie branch with direction to take
conflicting hunks from jessie (-Xours).  The merge was subsequently
cleaned up to match the jessie branch with a couple of exceptions noted
in the cleanup commit.

Clean up some artifacts from the merge to match the `jessie` branch.
Keep the changes on master made with commits bfe6fe84 and e229c551.

This commit merges the jessie branch to master.  It's a recursive merge
with direction to take conflicting hunks from the jessie
branch (-Xours).

This patch corrects a bug in the OpenDMARC 1.2.0+dfsg-1 package, fixed in 1.3.0 (or Debian 1.2.0+dfsg-2 which has not yet made it to Ubuntu Trusty).  See also

- https://sourceforge.net/p/opendmarc/tickets/90/
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447

This patch finalizes the switch to port 587 for email submission that
was started with commit 166c57.

This merge reinstates the webmail role lost when we moved to Jessie. The carddav, managesieve, and twofactor_gauthentication plugins are carried forward.

- managesieve :: this allows sieve filters to be edited through a
  brower
- twofactor_gauthenticator :: allow optional two-factor authentication
  when logging into webmail
- carddav :: sync ownCloud contacts with roundcube

Allow SSH agent forwarding when using sudo.  This allows one to use SSH agent forwarding from a local machine when logged in as a root on the Sovereign server.  This is useful, for example, for cloning a Github repository to /var/www (owned by root) without the need to store private SSH keys on the Sovereign server.

Baseline the configuration file distributed Roundcube 1.4.1 before
modification for sovereign.

The rmilter package changed the name of its listener service similar to
what was done for rspamd (see commit 2dbc976b).

Update Rspamd setup

Fix SSH connections to Github

The `private_key` variable used to check for changes was never
registered.

Use submission port for client outgoing email

Eliminate need for access_compat module in Apache

Remove duplicate when statement in Let's Encrypt task

While adding the Let's Encrypt offline testing block in 1746afcc we
accidentially duplicated a the 'when' statement. Ansible only looks at
the last when statement for a given block meaning the earlier one has no
use. This commit merges both lines in one.

Update testing to work with modularized Sovereign

* Harvest testing configuration into group variables
* Define testing group for Vagrant to use
* Move testing passwords to secrets directory that Vagrant uses
* Update .gitignore to keep the testing secrets

VPN - enforce TLS min version on the client

The directives provided by `mod_access_compat` are deprecated.  This
patch eliminates references to them.

Currently client email is submitted via ssmtp (port 465).  This has been
deprecated for years.  The correct way to submit email is via
submission (port 587).

This patch adds port 587 as a second and the default way of submitting
email for delivery.  Port 465 remains open for backwards compatibility
with existing clients.

Modularize sovereign

Add missing configuration parameter for ircbouncer