authorGuilhem Moulin <guilhem@fripost.org>2014-01-15 07:32:20 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:38 +0200
commit9304813d505baaa50294ed0d37a11d9e3f0f6c79 (patch)
tree450f263fb6e9d7cfa67cf2e1235c2c593bad14ab
parentab83789bd70d294623e62e0b366b6b649cb5b0af (diff)
Fix the catch-all resolution again.
We introduce a limitation on domain aliases: they can no longer have children (e.g., lists or users). The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If this turns out to be a bottleneck, due to the high latency of the LDAP maps (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
-rw-r--r--roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf1
-rw-r--r--roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf1
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/MX/tasks/main.yml17
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j225
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias.cf.j2 (renamed from roles/MX/templates/etc/postfix/virtual/alias_maps.cf.j2)2
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 (renamed from roles/MX/templates/etc/postfix/virtual/transport_catchall_maps.cf.j2)7
-rw-r--r--roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 (renamed from roles/MX/templates/etc/postfix/virtual/catchall_maps.cf.j2)3
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j29
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 (renamed from roles/MX/templates/etc/postfix/virtual/transport_mailbox_maps.cf.j2)7
-rw-r--r--roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2 (renamed from roles/MX/templates/etc/postfix/virtual/transport_reserved_maps.pcre.j2)5
-rw-r--r--roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j24
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2 (renamed from roles/MX/templates/etc/postfix/virtual/transport_lists_maps.cf.j2)3
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j21
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif18
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j28
-rw-r--r--roles/common/files/etc/postfix/master.cf6
-rw-r--r--roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf1
18 files changed, 67 insertions, 53 deletions
diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf
index da1b2cf..009dd98 100644
--- a/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf
@@ -1,8 +1,9 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
result_attribute = fvl
result_format = OK
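Review bot: The new `domain = static:all` line carries no comment, and its purpose is not obvious from the table itself. Per ldap_table(5) a `domain` list makes the table answer only fully qualified `user@domain` keys, and `static:all` matches every domain, so Postfix skips the bare-user and bare-domain lookups it would otherwise attempt — lookups that can only waste LDAP round-trips against a `search_base` built from both `%u` and `%d`. Suggest `# Answer only user@domain keys (ldap_table(5) "domain"): bare user/domain lookups cannot match this search_base.` above `scope = base`. The same line is added without a comment to transport_content_filter_maps.cf, alias.cf, alias_domains.cf, catchall.cf, list.cf, mailbox.cf, transport_list.cf and transport_lists_maps.cf.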
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
index 3a97841..b082f69 100644
--- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
@@ -1,8 +1,9 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u))
result_attribute = fvl
result_format = amavisfeed:[127.0.0.1]:10041
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index df2e9fb..2da85e9 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -1,41 +1,41 @@
########################################################################
# MDA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = mda{{ imapno | default('') }}.$mydomain
mydomain = {{ ansible_domain }}
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the MDA.
-master_service_disable = !127.0.0.1:2526.inet inet
+master_service_disable = !2526.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
inet_interfaces = 172.16.0.1
{% if 'MX' in group_names %}
127.0.0.1
{% endif %}
inet_protocols = ipv4
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
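Review bot: `master_service_disable = !2526.inet inet`, together with the `2526 inet` line that replaces `127.0.0.1:2526 inet` in master.cf, moves the MDA's port-2526 smtpd from loopback to every address in `inet_interfaces` — 172.16.0.1 here, plus 127.0.0.1 on hosts that are also in the MX group — and neither the commit message nor a comment says why loopback-only was dropped. Which `smtpd_*_restrictions` apply to that service is outside this hunk, so I cannot tell what limits who may submit to it once it is reachable on 172.16.0.1; presumably the IPsec tunnelling that the MX role's main.cf mentions is the intended boundary, and that assumption deserves to be written down. Suggest replacing the comment above it with `# Turn off all TCP/IP listeners except 2526 (LDA submission); it binds to every $inet_interfaces address, so the MX hosts reach it over 172.16.0.1.`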
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 2ffe08d..e8dadb1 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -30,45 +30,46 @@
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
register: r
notify:
- Restart Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
state=directory
owner=root group=root
mode=0755
- name: Copy lookup tables
template: src=etc/postfix/virtual/{{ item }}.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- mailbox_domains.cf
- - reserved_alias_maps
- - alias_maps.cf
- - catchall_maps.cf
- - transport_reserved_maps.pcre
- - transport_mailbox_maps.cf
- - transport_lists_maps.cf
- - transport_catchall_maps.cf
+ - reserved_alias.pcre
+ - alias.cf
+ - mailbox.cf
+ - list.cf
+ - alias_domains.cf
+ - catchall.cf
+ - transport_reserved_alias
+ - transport_list.cf
- name: Compile the Reserved Transport Maps
postmap: instance={{ postfix_instance[inst].name }}
- src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/reserved_alias_maps db=cdb
+ src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport_reserved_alias db=cdb
owner=root group=root
mode=0644
- name: Copy reserved-alias.pl
copy: src=usr/local/sbin/reserved-alias.pl
dest=/usr/local/sbin/reserved-alias.pl
owner=root group=root
mode=0755
- name: Start Postfix
service: name=postfix state=started
when: not r.changed
- meta: flush_handlers
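Review bot: The renamed templates leave their predecessors on the managed hosts: nothing removes `reserved_alias_maps` (and the compiled `.cdb` the old "Compile the Reserved Transport Maps" task built from it), `alias_maps.cf`, `catchall_maps.cf`, `transport_reserved_maps.pcre`, `transport_mailbox_maps.cf`, `transport_lists_maps.cf` and `transport_catchall_maps.cf` from `/etc/postfix-.../virtual`, so the directory keeps a second, unreferenced set of lookup tables that a reader can mistake for the live ones. A cleanup task with `state=absent`, placed after "Copy lookup tables", would keep the hosts in step with the role; the sketch below assumes the compiled file carries a `.cdb` suffix, which the custom postmap module does not show here. The enclosing task list continues outside the hunk.
```yaml
# … unchanged: Copy lookup tables task …
- name: Remove lookup tables that are no longer referenced
  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
        state=absent
  with_items:
    - reserved_alias_maps
    - reserved_alias_maps.cdb
    - alias_maps.cf
    - catchall_maps.cf
    - transport_reserved_maps.pcre
    - transport_mailbox_maps.cf
    - transport_lists_maps.cf
    - transport_catchall_maps.cf
# … unchanged: Compile the Reserved Transport Maps task …
```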
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 9f88eef..6c2004a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -2,90 +2,91 @@
# MX configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = mx{{ mxno | default('') }}.$mydomain
mydomain = {{ ansible_domain }}
append_dot_mydomain = no
# Turn off all TCP/IP listener ports except that necessary for the mail
# exchange.
-master_service_disable = !smtp.inet !127.0.0.1:2599.inet inet
+master_service_disable = !smtp.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail eXchange
mynetworks_style = host
inet_interfaces = all
inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost = [127.0.0.1]:{{ MTA_out.port }}
{% else %}
relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
{% endif %}
relay_domains =
# Virtual transport
{% if 'LDA' in group_names %}
virtual_transport = smtpl:[127.0.0.1]:{{ LDA.port }}
{% else %}
virtual_transport = smtps:[{{ LDA.host }}]:{{ LDA.port }}
{% endif %}
-# It's a bit stupid to include part of the virtual_mailbox_maps here,
-# but we need to tell postfix to accept the recipient
-# (virtual_mailbox_maps) *before* sending away to the right machine
-# (transport_maps)
-transport_maps = pcre:$config_directory/virtual/transport_reserved_maps.pcre
- ldap:$config_directory/virtual/transport_mailbox_maps.cf
- ldap:$config_directory/virtual/transport_lists_maps.cf
- ldap:$config_directory/virtual/transport_catchall_maps.cf
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
-virtual_alias_maps = cdb:$config_directory/virtual/reserved_alias_maps
- ldap:$config_directory/virtual/alias_maps.cf
-virtual_mailbox_maps = $transport_maps
+virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
+ ldap:$config_directory/virtual/alias.cf
+ # stop the alias resolution (by making finding
+ # an A -> A alias) before searching for
+ # catch-alls and domain aliases
+ $virtual_mailbox_maps
+ ldap:$config_directory/virtual/alias_domains.cf
+ ldap:$config_directory/virtual/catchall.cf
+virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox.cf
+ ldap:$config_directory/virtual/list.cf
+transport_maps = cdb:$config_directory/virtual/transport_reserved_alias
+ ldap:$config_directory/virtual/transport_list.cf
# Don't rewrite remote headers
local_header_rewrite_clients =
# Pass the client information along to the content filter
smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
{% endif %}
# TLS
smtpd_tls_security_level = may
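Review bot: The comment placed inside the `virtual_alias_maps` continuation (`# stop the alias resolution (by making finding` through `# catch-alls and domain aliases`) is garbled and does not say which tables produce the A -> A result that it relies on. postconf(5) ignores lines whose first non-whitespace character is `#`, so a comment inside a multi-line value is legal, but that makes it all the more important that it be precise, since the ordering of these five tables is the whole mechanism. Suggest `# mailbox.cf and list.cf return the lookup key itself (A -> A), which ends` / `# alias expansion before the domain-alias and catch-all tables are tried.` in place of the three comment lines.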
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index 8e3a778..c7d2f0a 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_maps.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,6 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
+bind = none
query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u))
result_attribute = fripostMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_catchall_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index cc189cf..dec8bce 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport_catchall_maps.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,8 +1,9 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
-query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*))
-result_attribute = fvd
-result_format = smtpl:[127.0.0.1]:2599
+query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
+result_attribute = fripostMaildrop
+result_format = %U@%s
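Review bot: `result_format = %U@%s` only yields a valid address if `fripostMaildrop` on a FripostVirtualAliasDomain entry holds a bare domain, whereas the attribute's schema description, unchanged in this commit, calls it an email address; a value such as `user@target.org` would expand to `local@user@target.org`. A comment pinning the expectation would help the next reader: `# %U is the local part of the looked-up address, %s the target domain held in fripostMaildrop (a bare domain, not an address).` Whether the LDAP side enforces that shape is outside this hunk.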
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index f8324f6..8ac40fd 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall_maps.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,7 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
-query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*))
+query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
new file mode 100644
index 0000000..8bcd5df
--- /dev/null
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -0,0 +1,9 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
+scope = base
+bind = none
+query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
+result_attribute = fvl
+result_format = %S
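Review bot: `result_format = %S` looks arbitrary without a comment and is easy to "simplify" later into `OK`, as the IMAP role's mailbox_maps.cf uses, which would break delivery here: this table is pulled into `virtual_alias_maps` through `$virtual_mailbox_maps`, where the key-echoing A -> A result is what stops alias expansion, and an `OK` result would instead rewrite the recipient to that literal. Suggest `# %S echoes the lookup key. As virtual_mailbox_maps any value means "exists", but this table is also` / `# part of virtual_alias_maps, where the A -> A result ends expansion; do not replace with OK.` The same applies to the `%S` line in mailbox.cf.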
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_mailbox_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 3e003db..b421e9a 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport_mailbox_maps.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,12 +1,9 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
result_attribute = fvl
-{% if 'LDA' in group_names %}
-result_format = smtpl:[127.0.0.1]:{{ LDA.port }}
-{% else %}
-result_format = smtps:[{{ LDA.host }}]:{{ LDA.port }}
-{% endif %}
+result_format = %S
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_reserved_maps.pcre.j2 b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
index e240e91..6f62a01 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport_reserved_maps.pcre.j2
+++ b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
@@ -1,6 +1,5 @@
-if !/@fripost\.org$/
+/^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/ admin@fripost.org
# For other domains, RFC 822 section 6.3 and RFC 2142 section 4
# mandatory aliases are forwarded to OUR admin team and to the domain
# owner or postmaster, if there are any.
-/^(?:postmaster|abuse)(?:\+.*)?@/ reserved-alias:
-endif
+/^((?:postmaster|abuse)(?:\+.*)?@.*)/ $1@reserved.locahost.localdomain
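Review bot: The rewrite target `reserved.locahost.localdomain` misspells "localhost", and the same spelling is repeated in the new transport_reserved_alias.j2; the pair only works because both are wrong in the same way, so a later correction to one file alone would break the routing of postmaster@/abuse@ mail for every domain. Either correct both to `$1@reserved.localhost.localdomain` and `reserved.localhost.localdomain reserved-alias:`, or add `# must match the domain in transport_reserved_alias` next to the rule. The result also contains two `@` signs (`user@domain@reserved…`), so a comment that routing is keyed on the right-most domain would spare the next reader a surprise — that is inferred from the master.cf pipe entry rather than from this hunk.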
diff --git a/roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j2 b/roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j2
deleted file mode 100644
index fe04715..0000000
--- a/roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# RFC 822 section 6.3 and RFC 2142 section 4 mandatory aliases are
-# forwarded to the admin team.
-postmaster@fripost.org admin@fripost.org
-abuse@fripost.org admin@fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_lists_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2
index 6a0965f..eb696db 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport_lists_maps.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2
@@ -1,12 +1,13 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
-query_filter = (&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
result_attribute = fvl
{% if 'lists' in group_names %}
result_format = smtpl:[127.0.0.1]:{{ lists.port }}
{% else %}
result_format = smtps:[{{ lists.host }}]:{{ lists.port }}
{% endif %}
diff --git a/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2 b/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2
new file mode 100644
index 0000000..4af5318
--- /dev/null
+++ b/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2
@@ -0,0 +1 @@
+reserved.locahost.localdomain reserved-alias:
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 72695ab..54f3037 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -66,41 +66,41 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
DESC 'The local part of a virtual user, alias, list or list command'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop'
DESC 'An email address the virtual alias should be mapped to'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
# We are creating a new attribute, optional in virtual domains and
# users, because the presence index should *not* apply to the
# mandatory attribute above.
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
- DESC 'An optional email address for catch-all aliases on domains and users'
+ DESC 'An optional email address for catch-all or domain aliases'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostIsStatusActive'
DESC 'When present, a token locking the entry in an inactive state'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostPendingToken'
DESC 'Is the entry pending?'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostUserQuota'
DESC 'The quota on a user e.g., "50MB"'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostCanAddDomain'
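Review bot: The new DESC for `fripostOptionalMaildrop`, 'for catch-all or domain aliases', does not match how the commit uses the attributes: the FripostVirtualAliasDomain class added later in this file takes its target from the mandatory `fripostMaildrop`, and catchall.cf is the only consumer of `fripostOptionalMaildrop`. Meanwhile `fripostMaildrop`'s DESC still reads 'An email address the virtual alias should be mapped to' although alias_domains.cf's `%U@%s` expects a bare domain in it. Suggest `DESC 'An optional email address for catch-all aliases on domains'` here and `DESC 'An email address the virtual alias should be mapped to, or the target domain of a domain alias'` on fripostMaildrop.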
@@ -128,43 +128,49 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
#
# Objects: 1.3.6.1.4.1.40011.1.2
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
AUXILIARY
DESC 'Virtual mail hosting'
MAY ( fripostCanAddDomain ) )
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
SUP top STRUCTURAL
DESC 'Virtual domain'
MUST ( fvd $ fripostIsStatusActive )
MAY ( fripostCanAddAlias $ fripostCanAddList $
fripostOwner $ fripostPostmaster $
fripostOptionalMaildrop $ description ) )
#
+# Domain alias (for the domain given by fripostMaildrop). Children are ignored.
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain'
+ SUP FripostVirtualDomain STRUCTURAL
+ DESC 'Virtual alias domain'
+ MUST ( fripostMaildrop ) )
+#
# | TODO: add limits here
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
DESC 'Virtual user'
MUST ( fvl $ userPassword $ fripostIsStatusActive )
- MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
+ MAY ( fripostUserQuota $ description) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
DESC 'Virtual alias'
MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualList'
SUP top STRUCTURAL
DESC 'Virtual list'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
SUP top AUXILIARY
DESC 'Virtual pending entry'
MAY ( fripostPendingToken ) )
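Review bot: Inserting FripostVirtualAliasDomain as `1.3.6.1.4.1.40011.1.2.3` renumbers the four existing classes (User, Alias, List, PendingEntry); OIDs are meant to be permanent once published, and a server or replica that already loaded the previous schema keeps `…1.2.3` bound to FripostVirtualUser, so a mixed fleet would disagree on what that OID means. Giving the new class the next free number and leaving the other four lines untouched avoids this: `olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostVirtualAliasDomain'`. Dropping `fripostOptionalMaildrop` from FripostVirtualUser's MAY list also means any existing user entry that still carries the attribute will fail schema checking on its next modification, which calls for a migration step if such entries exist. The comment "Children are ignored" overstates things: the ACL change only stops new children from being created, while alias.cf, mailbox.cf and list.cf, which precede alias_domains.cf in virtual_alias_maps, would presumably still resolve pre-existing ones.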
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6e5961b..33ef108 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -272,52 +272,52 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +z
by * +0
#
# The cleaning service can list the (expired) pending entries and delete them.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostPendingEntry)
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =zrd break
by * =0 break
#
# One can search search everywhere in the virtual tree.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" +s
by * =s break
#
# We're giving away create/delete access on the children attributes, but we will be carefull
# with the 'entry' permissions.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtualDomain)
attrs=children
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
by * break
olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+ filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain)))
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
#
# The cleaning service needs to know when entries have been created.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostPendingEntry)
attrs=createTimestamp
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =s
#
# Users can use these in filters (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =s break
#
#
########################################################################
# Virtual subtree, domains
#
# 1. The postmaster of a domain can give (or take back) people the right to create
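Review bot: The added `(!(objectClass=FripostVirtualAliasDomain))` clause withholds `children` write on alias domains from ordinary users, which only prevents new entries; any user, alias or list created under a domain before it became an alias domain stays in place, and the Postfix tables presumably still look them up (their `search_base` is `fvl=%u,fvd=%d` with no filter on the parent's class), so converting a domain should come with a step that removes or moves its children. A comment on the rule would make the intent explicit: `# Alias domains must stay childless: mail for them is rewritten to the target domain.` The `dn.base` to `dn.exact` changes here and in the second hunk are cosmetic, as slapd.access(5) treats the two styles as synonyms.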
@@ -517,32 +517,32 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
by * +0 break
#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualList)
attrs=entry
by dnattr=fripostOwner +rd
by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd
by * +0
#
#
########################################################################
# Catchall
#
# Users with "canAddDomain" access can see that they have the right
# to create domains.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=entry
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=fripostCanAddDomain
by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd
# Catch the break above
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0
# vim: set filetype=ldif :
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 3833446..4fdbff3 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -22,38 +22,34 @@ verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
smtpl unix - - - - - smtp
-o smtp_bind_address=127.0.0.1
smtps unix - - - - - smtp
-o smtp_bind_address=172.16.0.1
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
127.0.0.1:16132 inet n - - - - smtpd
-127.0.0.1:2526 inet n - - - - smtpd
+2526 inet n - - - - smtpd
2527 inet n - - - - smtpd
-o mynetworks=0.0.0.0/0
127.0.0.1:2580 inet n - - - - smtpd
-127.0.0.1:2599 inet n - - - - smtpd
- -o cleanup_service_name=cleanup-catchall
-cleanup-catchall unix n - - - 0 cleanup
- -o virtual_alias_maps=cdb:$config_directory/virtual/reserved_alias_maps,ldap:$config_directory/virtual/alias_maps.cf,ldap:/etc/postfix-mx/virtual/catchall_maps.cf
127.0.0.1:smtp inet n - - - - smtpd
-o inet_interfaces=127.0.0.1
reserved-alias unix - n n - - pipe
flags=Rhu user=nobody argv=/usr/local/sbin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
mlmmj unix - n n - - pipe
flags=Rhu user=mlmmj argv=/usr/bin/mlmmj-receive -L /var/spool/mlmmj/${domain}/${user}
amavisfeed unix - - n - 2 lmtp
-o lmtp_destination_recipient_limit=1000
-o lmtp_send_xforward_command=yes
-o lmtp_data_done_timeout=1200s
diff --git a/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf
index 50631e5..f85c4f8 100644
--- a/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf
+++ b/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf
@@ -1,7 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+domain = static:all
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
result_attribute = fripostListManager