# Load this file with
#
# ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
#
# (SASL EXTERNAL over ldapi:/// authenticates as the local UNIX user that
# runs the command, so run it as a user -- normally root -- that slapd maps
# to an identity with write access under the suffix.)
#
# It will create the base directory and add the password policies, the
# virtual-mail OU and the service accounts needed for our systems to work.
# If "o=mailHosting,dc=fripost,dc=dev" already exists, you can delete it
# with
#
# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev"
#
# Beware: -r removes the whole subtree, i.e. every virtual domain, user and
# service account beneath it, not only the entries defined in this file.
# Root of the mail-hosting subtree.  Every other entry in this file
# (password policies, the virtual-mail tree, the service accounts) is
# placed beneath it, so a recursive delete of this DN removes them all.
dn: o=mailHosting,dc=fripost,dc=dev
description: Mail hosting
objectClass: organization

# Container for the slapo-ppolicy password-policy entries.  A policy entry
# below here has no effect on its own: an account is governed by the policy
# its pwdPolicySubentry attribute points to, or by the overlay's configured
# default policy if it has none.
dn: ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
description: Password Policies
objectClass: organizationalUnit

# The password policy for our virtual users, hardened to counter
# brute-force attacks: an account is locked for 15 minutes after 3
# consecutive password mismatches that occur less than 5 minutes apart.
#
# NOTE(review): lockout cuts both ways -- anyone who knows a login can lock
# that user out for 15 minutes with three bogus binds.  The short
# pwdFailureCountInterval and pwdLockoutDuration keep that nuisance
# bounded, but it is a deliberate trade-off, not a free hardening.
# NOTE(review): nothing in this file attaches this policy to any user
# entry; it must either be the overlay's default policy or be referenced
# from each user entry via pwdPolicySubentry -- confirm which.
dn: cn=users,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
objectClass: pwdPolicy
description: The Password Policy for our virtual users
# The attribute this policy governs (mandatory for pwdPolicy).
pwdAttribute: userPassword
# Lock the account once pwdMaxFailure failures have accumulated ...
pwdLockout: TRUE
pwdMaxFailure: 3
# ... for this many seconds (15 min).
pwdLockoutDuration: 900
# Failures older than this many seconds (5 min) no longer count.
pwdFailureCountInterval: 300

# The password policy for our services: no lockout, since the service
# accounts do not face the internet (and locking a service account would
# turn a guessing attempt into an outage of that service).
#
# NOTE(review): "not facing the internet" only covers whoever cannot reach
# the LDAP listener.  Anything on the same network, or a compromised host
# on it, can try passwords against these accounts without limit, so the
# service passwords have to be long random secrets rather than words.
dn: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
objectClass: pwdPolicy
description: The Password Policy for our services
# The attribute this policy governs (mandatory for pwdPolicy).
pwdAttribute: userPassword
pwdLockout: FALSE

# Root of the virtual-mail tree.  Judging by the DNs used elsewhere in this
# file, fvd=... entries are domains and fvl=... entries are the users under
# them -- TODO confirm against the fripost schema.
#
# NOTE(review): fripostCanAddDomain comes from the site-specific fripost
# schema, which is not part of this file.  It presumably lists the entries
# allowed to create new domains under this OU, with the actual enforcement
# living in the slapd ACLs; verify both.  The "test" and "bigbrother"
# grantees look like development fixtures -- make sure they do not end up
# in a production directory.
dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
objectClass: fripostVirtual
description: Virtual mail hosting
fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanAddDomain: fvl=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanAddDomain: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev

# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
# TODO: IMAP, SASLauth, Amavis
# TODO: if possible, make use of GSSAPI/EXTERNAL for the services and the
# replication.
#
# Until then the services below authenticate with the password kept in
# their userPassword attribute.  Those values are therefore secrets: they
# should be generated at random, kept out of version control (this file
# carries placeholders), and rotated when a host holding them is rebuilt
# or compromised.
dn: ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit

# Identity Postfix binds as for its LDAP lookups.
#
# NOTE(review): "postfix" is a placeholder, not a credential -- it is
# trivially guessable and, lacking a {scheme} prefix, is stored exactly as
# written unless the ppolicy overlay is configured to hash cleartext
# passwords.  Unlike AdminWebPanel, nothing here says this account needs a
# cleartext password for DIGEST-MD5, so if Postfix does a simple bind the
# value can be a slappasswd-generated {SSHA} hash of a long random secret;
# confirm the bind method in the Postfix LDAP map configuration first.
# NOTE(review): pwdPolicySubentry is an operational attribute of
# slapo-ppolicy and does not by itself require the pwdPolicy class;
# the class is presumably here only so pwdAttribute is accepted.
dn: cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: pwdPolicy
description: Where Postfix binds to for its LDAP lookups.
userPassword: postfix
pwdAttribute: userPassword
# Selects the no-lockout policy for this account.
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev

# Identity used by whatever component adds mailing-list commands.  The
# authorization the description refers to is granted by the slapd ACLs,
# not by anything in this entry.
#
# NOTE(review): "createlist" is a guessable placeholder stored verbatim
# (no {scheme} prefix).  Replace it with a long random secret -- hashed
# with slappasswd if this account only ever does simple binds -- before
# this file is loaded anywhere other than a development server.
dn: cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: pwdPolicy
description: The entity that is authorized to add list commands
userPassword: createlist
pwdAttribute: userPassword
# Selects the no-lockout policy for this account.
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev

# Identity used by the job that removes expired pending entries.  Since
# this account exists to delete, the slapd ACLs granting it delete access
# should be scoped as narrowly as possible (pending entries only) -- the
# ACLs are not part of this file, so verify them there.
#
# NOTE(review): "deletependingentries" is a guessable placeholder stored
# verbatim (no {scheme} prefix).  Replace it with a long random secret --
# hashed with slappasswd if this account only does simple binds -- before
# loading this file outside a development server.
dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: pwdPolicy
description: Delete expired pending entries
userPassword: deletependingentries
pwdAttribute: userPassword
# Selects the no-lockout policy for this account.
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev

# Identity of the administrator web panel.
#
# The panel authenticates with SASL DIGEST-MD5, which is why its password
# is kept in clear ({CLEARTEXT}) instead of hashed: the mechanism needs the
# plaintext on the server side.  DIGEST-MD5 has since been deprecated
# (RFC 6331); moving the panel to EXTERNAL over ldapi:///, as the TODOs
# above already suggest for the other services, would remove the need to
# store this password at all.  "panel" itself is a placeholder -- use a
# long random secret.
#
# authzTo grants this identity proxy authorization: once bound as the
# panel it may act as any entry whose DN matches the regex, i.e. any
# fvl=... entry whose parent is an fvd=... entry directly under
# ou=virtual (the ^ and $ anchors prevent deeper or shallower DNs from
# matching).  slapd only honours authzTo when its configuration sets
# authz-policy to "to" or "both"; that setting is not part of this file.
# Treat the panel's password as equivalent to every virtual user's
# credentials, since it can assume any of their identities.
dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: pwdPolicy
description: The adminstrator Web Panel
# Stored in clear on purpose: DIGEST-MD5 SASL authentication requires it.
userPassword: {CLEARTEXT}panel
authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
#authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
# The URL form above is kept for reference only: it costs a subtree search
# on every authorization and requires search permission for the service.
pwdAttribute: userPassword
# Selects the no-lockout policy for this account.
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev