| author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-06 21:06:38 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:39 +0100 | 
| commit | 09cd9f998780fb7179b7fc23c593c305a12b050a (patch) | |
| tree | 33dad72c3a5256347a0e9700b975612c8c477918 /roles | |
| parent | 37d64e4a05b32599405ed824316e73aa8d0880b2 (diff) | |
MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.
Contrary to what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf | 2 | ||||
| -rw-r--r-- | roles/MX/files/etc/postfix/virtual/alias.cf | 2 | ||||
| -rw-r--r-- | roles/MX/files/etc/postfix/virtual/alias_domains.cf | 2 | ||||
| -rw-r--r-- | roles/MX/files/etc/postfix/virtual/catchall.cf | 2 | ||||
| -rw-r--r-- | roles/MX/files/etc/postfix/virtual/domains.cf | 2 | ||||
| -rw-r--r-- | roles/MX/files/etc/postfix/virtual/list.cf | 2 | ||||
| -rw-r--r-- | roles/MX/files/etc/postfix/virtual/mailbox.cf | 2 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 14 | 
8 files changed, 12 insertions, 16 deletions
diff --git a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
index 6969f75..1f61f4b 100644
--- a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
+++ b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
@@ -1,10 +1,10 @@
-server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 query_filter     = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 result_format    = reject_unknown_client_hostname
diff --git a/roles/MX/files/etc/postfix/virtual/alias.cf b/roles/MX/files/etc/postfix/virtual/alias.cf
index 1c104a9..2e846ca 100644
--- a/roles/MX/files/etc/postfix/virtual/alias.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias.cf
@@ -1,9 +1,9 @@
-server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 query_filter     = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fripostMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/alias_domains.cf b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
index 907166f..1108ea1 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
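Review bot: The new `server_host = ldapi://%2Fprivate%2Fldapi/` in reject-unknown-client-hostname.cf (and the identical line in alias.cf, alias_domains.cf, catchall.cf, list.cf and mailbox.cf) only resolves from inside the Postfix chroot, so any lookup issued from outside the jail — a `postmap -q` from the shell, or the proxymap/proxywrite services that master.cf.j2 in this same commit still runs with chroot `n` — will look for /private/ldapi at the filesystem root and fail. Nothing in these files records that assumption, and the one comment that did raise it (the XXX in domains.cf) is deleted by this commit. A one-line comment above server_host would keep it visible: `# Socket path is relative to the chroot (queue_directory); use the absolute path when querying from outside the jail.` Whether the slapd socket is actually exposed under the queue directory's private/ is not visible in this diff and presumably lives elsewhere in the MX role; worth confirming before relying on these tables from chrooted smtpd(8) and cleanup(8).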
@@ -1,11 +1,11 @@
-server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 # The domain has already been validated (it's active and not pending)
 query_filter     = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
 result_attribute = fripostMaildrop
 result_format    = %U@%s
diff --git a/roles/MX/files/etc/postfix/virtual/catchall.cf b/roles/MX/files/etc/postfix/virtual/catchall.cf
index e0e6350..a67d39c 100644
--- a/roles/MX/files/etc/postfix/virtual/catchall.cf
+++ b/roles/MX/files/etc/postfix/virtual/catchall.cf
@@ -1,10 +1,10 @@
-server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 # The domain has already been validated (it's active and not pending)
 query_filter     = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
 result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/domains.cf b/roles/MX/files/etc/postfix/virtual/domains.cf
index f5a7f25..88e17e2 100644
--- a/roles/MX/files/etc/postfix/virtual/domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/domains.cf
@@ -1,11 +1,9 @@
-# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
-# not (can't be) chrooted...
 server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = ou=virtual,dc=fripost,dc=org
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 query_filter     = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
 result_attribute = fvd
 result_format    = OK
diff --git a/roles/MX/files/etc/postfix/virtual/list.cf b/roles/MX/files/etc/postfix/virtual/list.cf
index 99e2147..e2df119 100644
--- a/roles/MX/files/etc/postfix/virtual/list.cf
+++ b/roles/MX/files/etc/postfix/virtual/list.cf
@@ -1,12 +1,12 @@
-server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 query_filter     = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fripostListManager
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
 result_format    = %D/%U@%s.fripost.org
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox.cf b/roles/MX/files/etc/postfix/virtual/mailbox.cf
index 7289670..36862db 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox.cf
@@ -1,12 +1,12 @@
-server_host      = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host      = ldapi://%2Fprivate%2Fldapi/
 version          = 3
 search_base      = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain           = static:all
 scope            = one
 bind             = sasl
 sasl_mechs       = EXTERNAL
 query_filter     = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
 result_format    = %D/%U@mda.fripost.org
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 10fc303..4356363 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -1,54 +1,52 @@
 ########################################################################
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master").
 #
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 #
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 {% if inst is not defined %}
 [127.0.0.1]:16132 inet n -      y       -       -       smtpd
 {% elif inst == 'MX' %}
-smtpd     pass  -       -       n       -       -       smtpd
-  -o cleanup_service_name=cleanup_nochroot
-smtp      inet  n       -       n       -       1       postscreen
-tlsproxy  unix  -       -       n       -       0       tlsproxy
-dnsblog   unix  -       -       n       -       0       dnsblog
-cleanup_nochroot unix n -       n       -       0       cleanup
+smtpd     pass  -       -       y       -       -       smtpd
+smtp      inet  n       -       y       -       1       postscreen
+tlsproxy  unix  -       -       y       -       0       tlsproxy
+dnsblog   unix  -       -       y       -       0       dnsblog
 {% elif inst == 'MSA' %}
 submission inet n       -       y       -       -       smtpd
   -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 {% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
-[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       -       -       -       smtpd
+[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       y       -       -       smtpd
   -o broken_sasl_auth_clients=no
   -o smtpd_tls_security_level=none
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_sasl_exceptions_networks=
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
 {% elif inst in ['IMAP', 'out', 'lists'] %}
-[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       -       -       -       smtpd
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       y       -       -       smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
 tlsmgr    unix  -       -       y       1000?   1       tlsmgr
 rewrite   unix  -       -       y       -       -       trivial-rewrite
 bounce    unix  -       -       y       -       0       bounce
 defer     unix  -       -       y       -       0       bounce
 trace     unix  -       -       y       -       0       bounce
 verify    unix  -       -       y       -       1       verify
 flush     unix  n       -       y       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       y       -       -       smtp
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 relay     unix  -       -       y       -       -       smtp
 showq     unix  n       -       y       -       -       showq
 error     unix  -       -       y       -       -       error
 retry     unix  -       -       y       -       -       error  | 
