SMTP service.

4 files changed, 64 insertions, 29 deletions

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eb28872..212d4d9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -23,15 +23,39 @@
 dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 replace: olcAccess
-## Managers have read/write access to the "virtual" subtree.
-#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-#    by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-#    by * break
-#-
-## 1. Users/Services/Managers can change their password (but not read it).
-## 2. Anonymous users/services/managers can bind.
-## 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+#
+# Services have read access to the attribute they need. We put this ACL
+# first as it's likely to be the most used.
+# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
+# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
+# TODO: IMAP & SASLauth
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+        attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
+        filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+    by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+    by users none break
+#
+# Anonymous can authenticate into the services. (But not read or write the password.)
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+        attrs=userPassword
+    by anonymous auth
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+        attrs=entry,objectClass,authzTo
+    by * =x
+#
+# 1. Services have no access other than the one above.
+# 2. Managers have read/write access to the "virtual" subtree.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+    by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
+    by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+    by * none break
+#
+# 1. Users can change their password (but not read it).
+# 2. Anonymous users/services/managers can bind.
+# 3. Else, we inspect the 2 following ACLs.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=userPassword
     by self =w
     by anonymous auth
@@ -49,17 +73,6 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
         attrs=userPassword
     by * none
 #
-# That's necessary for SASL proxy Authorize the web application.
-olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
-        attrs=entry,objectClass,authzTo
-    by * =x
-##
-## Services can read the whole subtree (minus the userPassword attributes).
-#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-#        attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
-#    by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
-#    by users none break
-#
 # Users can search (e.g., to list the entries they have created).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=objectClass
@@ -270,6 +283,10 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
     by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
     by users +0
+#TODO
+#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+#        filter=(objectClass=FripostVirtualListCommand)
+#    by users read
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
diff --git a/ldap/authz.ldif b/ldap/authz.ldif
index 8f88d80..657d718 100644
--- a/ldap/authz.ldif
+++ b/ldap/authz.ldif
@@ -1,14 +1,18 @@
 # Load this file with
 #
-#   ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif
+#   ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
 #
 # That will allow the SASL-authenticated user (service) to be
 # reformatted into a proper DN under our services directory.
 # 
 # SASL authentication can be checked with:
 #
-#   ldapwhoami -W -Y PLAIN -U FPanel -H ldapi://
-#   ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+#   ldapwhoami -W -Y PLAIN -U AdminWebPanel@fripost.org -H ldapi://
+#   ldapwhoami -W -Y PLAIN -U AdminWebPanel@fripost.org -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+#
+# WARNING: Beware that will also delete existing AuthzRegexp and
+# AuthzPolicy.
+# Note: you may have to restart slapd to flush the cache.
 #
 # References:
 # - http://www.openldap.org/doc/admin24/sasl.html#Direct%20Mapping
@@ -18,7 +22,8 @@
 dn: cn=config
 changetype: modify
 replace: olcAuthzRegexp
-olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev
+# TODO: force the mechanism here (GSSAPI)
+olcAuthzRegexp: uid=(AdminWebPanel)@fripost\.org,cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev
 -
 replace: olcAuthzPolicy
 olcAuthzPolicy: to
diff --git a/ldap/base.ldif b/ldap/base.ldif
index f91946b..8acbe10 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -22,9 +22,16 @@ description: Virtual mail hosting
 dn: ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
 
-dn: cn=FPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
+dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: The adminstrator Web Panel
 userPassword: panel
 authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
+
+dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+userPassword: smtp
+description: The entry the replicates bind to when fetching the LDAP
+    directory. Right now it is also used by Postfix for LDAP lookups.
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 87c0a4b..70dcc3e 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -123,6 +123,9 @@ fripostIsStatusActive: TRUE
 fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 # Buggy owner
 fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOptionalMaildrop: catch-all@example.org
+fripostOptionalMaildrop: @example2.org
+fripostOptionalMaildrop: @xn--v4h.net
 
 dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualAlias
@@ -170,6 +173,9 @@ fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,
 # Buggy owner
 fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOptionalMaildrop: catch-all@example.org
+fripostOptionalMaildrop: @example2.org
+fripostOptionalMaildrop: @xn--v4h.net
 
 dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualAlias
@@ -195,11 +201,11 @@ fripostListManager: mailman
 fripostIsStatusActive: TRUE
 fripostListCommand: list-request
 fripostListCommand: list-bounces
-FripostLocalAlias: postmastered.org#list-request
+#FripostLocalAlias: postmastered.org#list-request
 
-dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualListCommand
-FripostLocalAlias: postmastered.org#list-request
+#dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+#objectClass: FripostVirtualListCommand
+#FripostLocalAlias: postmastered.org#list-request
 
 dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualMailbox