-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias_maps.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/lists_maps.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/mailbox_domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/mailbox_maps.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf2
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif2
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j210
11 files changed, 18 insertions, 18 deletions
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 2ccbe6a..2da85e9 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -24,38 +24,38 @@ queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
inet_interfaces = 172.16.0.1
{% if 'MX' in group_names %}
127.0.0.1
{% endif %}
inet_protocols = ipv4
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
-message_size_limit = 67108864
-recipient_delimiter = +
+message_size_limit = 67108864
+recipient_delimiter = +
# No relay: this server is inbound-only
relay_transport = error:5.1.1 Relay unavailable
default_transport = error:5.1.1 Transport unavailable
# Virtual transport (the alias resolution is already done by the MX:es)
virtual_transport = lmtp:unix:private/dovecot-lmtpd
lmtp_bind_address = 127.0.0.1
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf
transport_maps = ldap:$config_directory/virtual/transport_content_filter_maps.cf
# Don't rewrite remote headers
local_header_rewrite_clients =
# Tolerate occasional high latency
smtpd_timeout = 1200s
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 7d27909..b182f9e 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -21,42 +21,42 @@ append_dot_mydomain = no
master_service_disable = !submission.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail Submission Agent
mynetworks_style = host
inet_interfaces = all
inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
-message_size_limit = 67108864
-recipient_delimiter = +
+message_size_limit = 67108864
+recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost = [127.0.0.1]:{{ MTA_out.port }}
{% else %}
relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
{% endif %}
relay_domains =
# Don't rewrite remote headers
local_header_rewrite_clients =
# Pass the client information along to the content filter
smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
diff --git a/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf b/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf
index c405f47..f8324f6 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf
@@ -1,7 +1,7 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = none
-query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*))
+query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/alias_maps.cf b/roles/MX/files/etc/postfix/virtual/alias_maps.cf
index 9265d0b..8e3a778 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_maps.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_maps.cf
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
-query_filter = (&(ObjectClass=FripostVirtualAlias)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u))
result_attribute = fripostMaildrop
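Review bot: alias_maps.cf is the only one of the six touched LDAP maps without a `bind = none` line; the sibling hunks (alias_catchall_maps.cf, lists_maps.cf, mailbox_domains.cf, mailbox_maps.cf, transport_lists_maps.cf) all carry it right after `scope = base`. Without it Postfix falls back to its default bind behaviour, which presumably still ends up anonymous here since no bind_dn is set, so this is likely harmless, but it leaves the maps inconsistent and makes the intended access path harder to audit against the `by realanonymous =rsd` ACL in database.ldif.j2. Consider adding `bind = none` between `scope = base` and `query_filter` so all six maps reach the directory the same way; the case fix to `objectClass` itself is fine, attribute names being case-insensitive in LDAP filters.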
diff --git a/roles/MX/files/etc/postfix/virtual/lists_maps.cf b/roles/MX/files/etc/postfix/virtual/lists_maps.cf
index b60dcf6..da0e4a9 100644
--- a/roles/MX/files/etc/postfix/virtual/lists_maps.cf
+++ b/roles/MX/files/etc/postfix/virtual/lists_maps.cf
@@ -1,7 +1,7 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = none
-query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fvl=%u)(fripostLocalAlias=%u#%d))
+query_filter = (&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(fvl=%u)(fripostLocalAlias=%u#%d))
result_attribute = fripostLocalAlias
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf b/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf
index 22d6be3..74304a4 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf
@@ -1,8 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = none
-query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%s))
+query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%s))
result_attribute = fvd
result_format = OK
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf b/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf
index dc97177..da1b2cf 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf
@@ -1,8 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = none
-query_filter = (&(ObjectClass=FripostVirtualUser)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
result_attribute = fvl
result_format = OK
diff --git a/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf
index 9a7bca0..860c4e6 100644
--- a/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf
+++ b/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf
@@ -1,11 +1,11 @@
# Despite the index on 'fripostLocalAlias' it's a bit more inefficient,
# but more precise, than the alternative of using regexes here, and a
# plain hash on the list managers' side.
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = sub
bind = none
-query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fripostLocalAlias=%s))
+query_filter = (&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(fripostLocalAlias=%s))
result_attribute = fripostLocalAlias
result_format = smtp:[127.0.0.1]:2345
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 0aa91b3..6b32634 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -22,42 +22,42 @@ append_dot_mydomain = no
master_service_disable = !smtp.inet inet
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# This server is a Mail eXchange
mynetworks_style = host
inet_interfaces = all
inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
-message_size_limit = 67108864
-recipient_delimiter = +
+message_size_limit = 67108864
+recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost = [127.0.0.1]:{{ MTA_out.port }}
{% else %}
relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
{% endif %}
relay_domains =
# Virtual transport
{% if 'LDA' in group_names %}
virtual_transport = smtp:[127.0.0.1]:{{ LDA.port }}
{% else %}
virtual_transport = smtp:[{{ LDA.IPv4 }}]:{{ LDA.port }}
{% endif %}
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_alias_maps = pcre:$config_directory/virtual/reserved_maps.pcre
ldap:$config_directory/virtual/alias_maps.cf
ldap:$config_directory/virtual/lists_maps.cf
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 851988e..2e5bb1f 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -39,41 +39,41 @@
#
# References:
# - http://courier.svn.sourceforge.net/svnroot/courier/trunk/courier-authlib/authldap.schema
# - http://www.qmail-ldap.org/wiki/index.php/Qmail.schema
# - http://www.wanderingbarque.com/howtos/mailserver/mailserver.html
# 1.3.6.1.4.1.40011 Fripost's OID
# 1.3.6.1.4.1.40011.1
# 1.3.6.1.4.1.40011.1.2 fripost LDAP Elements
# 1.3.6.1.4.1.40011.1.2.1 AttributeTypes
# 1.3.6.1.4.1.40011.1.2.2 ObjectClasses
# 1.3.6.1.4.1.40011.1.2.3 Syntax Definitions
# This schema depends on:
# - core.schema
# - cosine.schema
# - nis.schema
-dn: cn=fripost-master,cn=schema,cn=config
+dn: cn=fripost,cn=schema,cn=config
objectClass: olcSchemaConfig
#
# Attributes: 1.3.6.1.4.1.40011.1.1
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
DESC 'A virtual mail domain'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
DESC 'The local part of a virtual user, alias, list or list command'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
# This is redundant since we always use DNs of the form
# fvl=localpart,fvd=domainpart.tld,...
# (But Postfix doesn't allow the use of '%u' and '%d' from the query in
# its 'result_format'.)
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index f76eb78..c7a4379 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -72,115 +72,115 @@ olcDbIndex: entryCSN,entryUUID eq
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% elif 'MX' in group_names %}
olcSyncrepl: rid=000
provider=ldap://{{ LDAP_provider }}
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
scope=sub
schemachecking=off
bindmethod=simple
- binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
- credentials=postfix
+ binddn="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials=mx
{% endif %}
#
#
########################################################################
########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
#
# References:
# - http://www.openldap.org/doc/admin24/access-control.html
# - http://www.openldap.org/faq/data/cache/189.html
# - http://www.openldap.org/faq/data/cache/1140.html
# - http://www.openldap.org/faq/data/cache/1133.html
# - man 5 slapd.access
#
#
########################################################################
# Most common services: Postfix, Amavis, Dovecot
# (Most used ACLs are cheaper when written first.)
#
# Postfix have read access to the attribute it needs when eg, doing
# alias resolution.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
- by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by realanonymous =rsd
by users =0 break
#
# Postfix needs to look up lists' local aliases.
olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
by realanonymous =s
by users =0 break
#
# Search domain owners / postmasters (used by reserved-alias.pl).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
- by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
# The following is required for the content filter
{% if 'MDA' in group_names %}
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
attrs=entry
filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
by users =0 break
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,@AmavisAccount
filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
{% endif %}
#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by realanonymous =xd
#
# The following is required for SASL proxy Authorize the web application.
olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,authzTo
by realanonymous =x
#
# The following is required for Sync Replication.
{% if 'LDAP-provider' in group_names %}
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
- by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by users =0 break
{% endif %}
#
# 1. The WebPanel itself cannot bind, read or write passwords. This
# guarantees that, if an attacker gains its priviledge, it will *not* be
# able to change user passwords (which would allow him/her to read every
# emails). This is a trick to tackle the absence of 'realgroup'.
# 2. Anonymous users can bind.
# 3. Users can change their password (but not read it).
# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
by realanonymous =xd
by realself =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" =w
#
# A catch-all, to be sure that noone else have access to the passwords.
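Review bot: The new `credentials=mx` line stores the syncrepl bind password in clear text inside a versioned template, and the value is a short static string; since the consumer identity is being rotated from cn=Postfix to cn=MX-replicate anyway, this is the moment to source it from a vaulted variable instead, e.g. `credentials={{ MX_replicate_password }}` (variable name illustrative), so the secret never lands in git history. The comment heading the first changed olcAccess, `# Postfix have read access to the attribute it needs when eg, doing alias resolution.`, is now stale: the named DN on the new side is the replication consumer, while the MX's own Postfix maps appear to rely on the `by realanonymous =rsd` clause below it, so I'd reword it to `# The MX replication consumer (and anonymous, for Postfix's bind=none lookups) can read the attributes needed for alias resolution.` The old cn=Postfix service entry is not touched by this change; if it keeps its previous password it remains bindable, because the userPassword ACL on ou=services still grants `realanonymous =xd`, so rotating or removing that entry should accompany the switch. The comment block at the top of the hunk begins before the visible context.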