authorGuilhem Moulin <guilhem@fripost.org>2018-12-06 21:06:38 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-09 20:25:39 +0100
commit09cd9f998780fb7179b7fc23c593c305a12b050a (patch)
tree33dad72c3a5256347a0e9700b975612c8c477918
parent37d64e4a05b32599405ed824316e73aa8d0880b2 (diff)
MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.
Contrary to what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f), the postscreen(8) server can run chrooted, so the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons can be chrooted as well.
-rw-r--r--roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias_domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/catchall.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/list.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/mailbox.cf2
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j214
8 files changed, 12 insertions, 16 deletions
diff --git a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
index 6969f75..1f61f4b 100644
--- a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
+++ b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
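Review bot: Making the ldapi socket path relative to the chroot (`ldapi://%2Fprivate%2Fldapi/`) means any lookup that is not performed from inside `$queue_directory` now looks for `/private/ldapi` on the host and fails: a manual `postmap -q key ldap:/etc/postfix/reject-unknown-client-hostname.cf` from the shell, or any daemon that still consults this table unchrooted. The same applies to the six sibling `.cf` files changed identically in this commit; whether every consumer of these tables (smtpd, cleanup, and trivial-rewrite for the `*_domains` tables) is chrooted is not visible here. If the chroot-relative path is intended, I would record it at the top of the file, e.g. `# socket path is relative to the Postfix chroot ($queue_directory); query via proxy:ldap: or from inside the chroot`. The alternative is to reference these tables as `proxy:ldap:…` so that proxymap(8), which is never chrooted, does the lookup with the host path.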
diff --git a/roles/MX/files/etc/postfix/virtual/alias.cf b/roles/MX/files/etc/postfix/virtual/alias.cf
index 1c104a9..2e846ca 100644
--- a/roles/MX/files/etc/postfix/virtual/alias.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias.cf
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/files/etc/postfix/virtual/alias_domains.cf b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
index 907166f..1108ea1 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/files/etc/postfix/virtual/catchall.cf b/roles/MX/files/etc/postfix/virtual/catchall.cf
index e0e6350..a67d39c 100644
--- a/roles/MX/files/etc/postfix/virtual/catchall.cf
+++ b/roles/MX/files/etc/postfix/virtual/catchall.cf
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/files/etc/postfix/virtual/domains.cf b/roles/MX/files/etc/postfix/virtual/domains.cf
index f5a7f25..88e17e2 100644
--- a/roles/MX/files/etc/postfix/virtual/domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/domains.cf
@@ -1,5 +1,3 @@
-# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
-# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
diff --git a/roles/MX/files/etc/postfix/virtual/list.cf b/roles/MX/files/etc/postfix/virtual/list.cf
index 99e2147..e2df119 100644
--- a/roles/MX/files/etc/postfix/virtual/list.cf
+++ b/roles/MX/files/etc/postfix/virtual/list.cf
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox.cf b/roles/MX/files/etc/postfix/virtual/mailbox.cf
index 7289670..36862db 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox.cf
@@ -1,4 +1,4 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 10fc303..4356363 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -13,17 +13,15 @@
{% if inst is not defined %}
[127.0.0.1]:16132 inet n - y - - smtpd
{% elif inst == 'MX' %}
-smtpd pass - - n - - smtpd
- -o cleanup_service_name=cleanup_nochroot
-smtp inet n - n - 1 postscreen
-tlsproxy unix - - n - 0 tlsproxy
-dnsblog unix - - n - 0 dnsblog
-cleanup_nochroot unix n - n - 0 cleanup
+smtpd pass - - y - - smtpd
+smtp inet n - y - 1 postscreen
+tlsproxy unix - - y - 0 tlsproxy
+dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
-o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
-[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd
+[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
-o smtpd_tls_security_level=none
-o smtpd_sasl_security_options=noanonymous
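Review bot: The MX `smtpd` now falls back to the default `cleanup` service after dropping `-o cleanup_service_name=cleanup_nochroot`, but that `cleanup` entry lies outside this hunk, so whether cleanup(8) really runs chrooted as the commit message states cannot be confirmed here. Since the LDAP `.cf` files in this commit now use a chroot-relative socket path, an unchrooted cleanup would fail its lookups, so the `cleanup` line should be checked to carry `y` in the chroot column. Chrooting postscreen, tlsproxy and dnsblog additionally requires the resolver configuration, the CA bundle used for TLS and the LDAP client configuration to exist below `$queue_directory`; Debian's startup script copies some of these, but I would not rely on that silently. A template comment such as `{# MX daemons run chrooted: ldapi socket, resolv.conf and CA bundle must be present under $queue_directory #}` would make the dependency explicit.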
@@ -31,7 +29,7 @@ submission inet n - y - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
{% elif inst in ['IMAP', 'out', 'lists'] %}
-[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
pickup unix n - y 60 1 pickup
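Review bot: The IMAP/out/lists listener on the changed line switches its chroot column from `-` to `y`; per master(5) the default is `n` on Postfix 3.0 and later, so on a current Debian this newly chroots those instances' smtpd as well, which the commit title ("MX: chroot …") does not mention. Any lookup table, SASL socket or policy service those instances reference by host path will then have to be reachable below their own `$queue_directory`; none of that is visible in this hunk, so each instance's main.cf deserves a check before deploying. I would at least state the wider scope in the commit message, or add `{# all smtpd(8) services run chrooted; paths in -o options are relative to $queue_directory #}` above the first instance branch.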