18 files changed, 67 insertions, 53 deletions
diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf index da1b2cf..009dd98 100644 --- a/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf +++ b/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf @@ -1,6 +1,7 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)) diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf index 3a97841..b082f69 100644 --- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf +++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf @@ -1,6 +1,7 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u)) diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index df2e9fb..2da85e9 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 @@ -18,7 +18,7 @@ mydomain = {{ ansible_domain }} append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the MDA. -master_service_disable = !127.0.0.1:2526.inet inet +master_service_disable = !2526.inet inet queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index 2ffe08d..e8dadb1 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml 
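Review bot: The added `domain = static:all` in mailbox_maps.cf deserves a comment, because its effect is not "accept every domain" but that Postfix now only performs lookups for fully qualified `user@domain` keys and skips the bare `user` and `@domain` lookups, which would otherwise expand `search_base` to a DN with an empty `fvd=` component. Suggested line above it: `# domain = static:all: only user@domain keys are looked up; bare user / @domain keys would yield a malformed search_base`. The same line is added to every LDAP map in this commit, so one comment per file keeps the intent discoverable for the next person who is tempted to remove it.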
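Review bot: Changing `!127.0.0.1:2526.inet` to `!2526.inet`, together with the master.cf change in this commit, enables the MDA smtpd on port 2526 on every address instead of loopback, and nothing in this hunk restricts who may connect to it. Unless `inet_interfaces` or a per-service `smtpd_client_restrictions`/TLS client-certificate override exists outside this hunk, I would bind the service to the address the MX delivers to or give it `-o smtpd_client_restrictions=permit_mynetworks,reject`, so that a host other than the MX cannot hand mail straight to the delivery path and bypass the MX's checks. The comment above the line ("Turn off all TCP/IP listener ports except that necessary for the MDA") remains true but should now say that this listener is externally reachable.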
@@ -47,17 +47,18 @@ mode=0644 with_items: - mailbox_domains.cf - - reserved_alias_maps - - alias_maps.cf - - catchall_maps.cf - - transport_reserved_maps.pcre - - transport_mailbox_maps.cf - - transport_lists_maps.cf - - transport_catchall_maps.cf + - reserved_alias.pcre + - alias.cf + - mailbox.cf + - list.cf + - alias_domains.cf + - catchall.cf + - transport_reserved_alias + - transport_list.cf - name: Compile the Reserved Transport Maps postmap: instance={{ postfix_instance[inst].name }} - src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/reserved_alias_maps db=cdb + src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport_reserved_alias db=cdb owner=root group=root mode=0644 diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 9f88eef..6c2004a 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -19,7 +19,7 @@ append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the mail # exchange. -master_service_disable = !smtp.inet !127.0.0.1:2599.inet inet +master_service_disable = !smtp.inet inet queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} 
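Review bot: The renamed map files are still installed with `mode=0644`, which is only acceptable while every `.cf` in this list binds anonymously over ldapi; the templates visible in this commit all use `bind = none`, but mailbox_domains.cf is not in the diff and nothing on the task records the invariant. A one-line comment on the task would protect it, e.g. `# 0644 is fine: the LDAP maps bind anonymously over ldapi and hold no credentials; use 0640 root:postfix if a bind_pw is ever added`.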
@@ -56,19 +56,20 @@ virtual_transport = smtpl:[127.0.0.1]:{{ LDA.port }} {% else %} virtual_transport = smtps:[{{ LDA.host }}]:{{ LDA.port }} {% endif %} -# It's a bit stupid to include part of the virtual_mailbox_maps here, -# but we need to tell postfix to accept the recipient -# (virtual_mailbox_maps) *before* sending away to the right machine -# (transport_maps) -transport_maps = pcre:$config_directory/virtual/transport_reserved_maps.pcre - ldap:$config_directory/virtual/transport_mailbox_maps.cf - ldap:$config_directory/virtual/transport_lists_maps.cf - ldap:$config_directory/virtual/transport_catchall_maps.cf virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf -virtual_alias_maps = cdb:$config_directory/virtual/reserved_alias_maps - ldap:$config_directory/virtual/alias_maps.cf -virtual_mailbox_maps = $transport_maps +virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre + ldap:$config_directory/virtual/alias.cf + # stop the alias resolution (by making finding + # an A -> A alias) before searching for + # catch-alls and domain aliases + $virtual_mailbox_maps + ldap:$config_directory/virtual/alias_domains.cf + ldap:$config_directory/virtual/catchall.cf +virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox.cf + ldap:$config_directory/virtual/list.cf +transport_maps = cdb:$config_directory/virtual/transport_reserved_alias + ldap:$config_directory/virtual/transport_list.cf # Don't rewrite remote headers local_header_rewrite_clients = diff --git a/roles/MX/templates/etc/postfix/virtual/alias_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 index 8e3a778..c7d2f0a 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias_maps.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 
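Review bot: With alias_domains.cf and catchall.cf in `virtual_alias_maps`, the MX answers RCPT TO for every localpart of an alias or catch-all domain, but the address those entries expand to (`%U@<target domain>` from alias_domains.cf, or the optional maildrop) is only resolved afterwards in cleanup; an expansion that ends at a non-existent mailbox is accepted and then bounced, which makes the host a backscatter source unless the recipient restrictions (outside this hunk) verify the expanded address or the targets are guaranteed to exist. For alias domains this is new behaviour, so it is worth either a `reject_unverified_recipient`-style check or at least a comment saying the target domain's mailboxes are assumed to exist. The inline comment could also be tightened: `# stop alias expansion here: mailbox and list entries map to themselves (an A -> A alias), so the catch-all and domain-alias maps below only see unknown localparts`.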
@@ -1,6 +1,8 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base +bind = none query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u)) result_attribute = fripostMaildrop diff --git a/roles/MX/templates/etc/postfix/virtual/transport_catchall_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 index cc189cf..dec8bce 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport_catchall_maps.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 @@ -1,8 +1,9 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none -query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*)) -result_attribute = fvd -result_format = smtpl:[127.0.0.1]:2599 +query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d)) +result_attribute = fripostMaildrop +result_format = %U@%s diff --git a/roles/MX/templates/etc/postfix/virtual/catchall_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 index f8324f6..8ac40fd 100644 --- a/roles/MX/templates/etc/postfix/virtual/catchall_maps.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 @@ -1,7 +1,8 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none -query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*)) +query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*)) result_attribute = fripostOptionalMaildrop diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 new file mode 100644 index 0000000..8bcd5df --- /dev/null 
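Review bot: The new `(!(objectClass=FripostVirtualAliasDomain))` clause in catchall.cf is needed because the schema in this commit declares FripostVirtualAliasDomain `SUP FripostVirtualDomain`, so alias-domain entries also match `objectClass=FripostVirtualDomain` and inherit the MAY `fripostOptionalMaildrop`; the clause makes the map correct regardless of its position in `virtual_alias_maps`. That reasoning is invisible from the file itself, so add `# exclude alias domains: they inherit objectClass=FripostVirtualDomain and are handled by alias_domains.cf` above the filter.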
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 @@ -0,0 +1,9 @@ +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all +scope = base +bind = none +query_filter = (&(objectClass=FripostVirtualList)(fvl=%u)) +result_attribute = fvl +result_format = %S diff --git a/roles/MX/templates/etc/postfix/virtual/transport_mailbox_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 index 3e003db..b421e9a 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport_mailbox_maps.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 @@ -1,12 +1,9 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)) result_attribute = fvl -{% if 'LDA' in group_names %} -result_format = smtpl:[127.0.0.1]:{{ LDA.port }} -{% else %} -result_format = smtps:[{{ LDA.host }}]:{{ LDA.port }} -{% endif %} +result_format = %S diff --git a/roles/MX/templates/etc/postfix/virtual/transport_reserved_maps.pcre.j2 b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2 index e240e91..6f62a01 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport_reserved_maps.pcre.j2 +++ b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2 @@ -1,6 +1,5 @@ -if !/@fripost\.org$/ +/^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/ admin@fripost.org # For other domains, RFC 822 section 6.3 and RFC 2142 section 4 # mandatory aliases are forwarded to OUR admin team and to the domain # owner or postmaster, if there are any. -/^(?:postmaster|abuse)(?:\+.*)?@/ reserved-alias: -endif +/^((?:postmaster|abuse)(?:\+.*)?@.*)/ $1@reserved.locahost.localdomain 
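Review bot: mailbox.cf (and list.cf above it) resolves any `FripostVirtualUser`/`FripostVirtualList` entry regardless of `fripostIsStatusActive`, which the schema in this commit declares MUST on both classes, and regardless of the `FripostPendingEntry` auxiliary class; a pending or deactivated account therefore still has mail accepted at RCPT time unless that is filtered elsewhere (mailbox_domains.cf is not in this diff). If the attribute is a boolean as its name suggests, `query_filter = (&(objectClass=FripostVirtualUser)(fripostIsStatusActive=TRUE)(fvl=%u))` would close that, with the same change in list.cf and alias.cf. The self-mapping `result_format = %S` is correct for terminating alias expansion, but a comment saying so would help, since a map that returns its own key looks like a mistake.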
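Review bot: The rewrite target `$1@reserved.locahost.localdomain` misspells "localhost" and uses a name under `.localdomain`, which is not a reserved TLD; it only works because transport_reserved_alias spells it identically, and if that transport entry were ever missing on a host Postfix would route these recipients to the smtp transport and attempt DNS for the name. An RFC 2606 name such as `$1@reserved-alias.invalid`, mirrored in transport_reserved_alias, can never resolve. Note also that `$1` keeps the whole original address, so the rewritten recipient carries two `@` signs (`postmaster@example.org@reserved.locahost.localdomain`); Postfix's rewriting treats the right-most `@` as the domain separator (worth verifying), so the `reserved-alias` pipe service must cope with an `@` inside the localpart — its definition in master.cf continues outside this diff.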
diff --git a/roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j2 b/roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j2 deleted file mode 100644 index fe04715..0000000 --- a/roles/MX/templates/etc/postfix/virtual/reserved_alias_maps.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# RFC 822 section 6.3 and RFC 2142 section 4 mandatory aliases are -# forwarded to the admin team. -postmaster@fripost.org admin@fripost.org -abuse@fripost.org admin@fripost.org diff --git a/roles/MX/templates/etc/postfix/virtual/transport_lists_maps.cf.j2 b/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2 index 6a0965f..eb696db 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport_lists_maps.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/transport_list.cf.j2 @@ -1,9 +1,10 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none -query_filter = (&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(fvl=%u)) +query_filter = (&(objectClass=FripostVirtualList)(fvl=%u)) result_attribute = fvl {% if 'lists' in group_names %} result_format = smtpl:[127.0.0.1]:{{ lists.port }} diff --git a/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2 b/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2 new file mode 100644 index 0000000..4af5318 --- /dev/null +++ b/roles/MX/templates/etc/postfix/virtual/transport_reserved_alias.j2 @@ -0,0 +1 @@ +reserved.locahost.localdomain reserved-alias: diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif index 72695ab..54f3037 100644 --- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif +++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif 
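Review bot: Dropping `(objectClass=FripostVirtualListCommand)` from the transport_list.cf filter means entries of that class are no longer routed to the lists transport, and the new list.cf in `virtual_mailbox_maps` does not accept them either, so such recipients will be rejected at RCPT time. The schema hunk in this commit shows no FripostVirtualListCommand class, so this may simply be cleanup of a class that no longer exists; if any such entries remain in the directory it is a regression. Either way a short comment such as `# only FripostVirtualList entries route here; list command addresses are handled on the lists host` would record why the filter narrowed.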
@@ -83,7 +83,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop' # users, because the presence index should *not* apply to the # mandatory attribute above. olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop' - DESC 'An optional email address for catch-all aliases on domains and users' + DESC 'An optional email address for catch-all or domain aliases' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) 
@@ -145,26 +145,32 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain' fripostOwner $ fripostPostmaster $ fripostOptionalMaildrop $ description ) ) # +# Domain alias (for the domain given by fripostMaildrop). Children are ignored. +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain' + SUP FripostVirtualDomain STRUCTURAL + DESC 'Virtual alias domain' + MUST ( fripostMaildrop ) ) +# # | TODO: add limits here -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser' SUP top STRUCTURAL DESC 'Virtual user' MUST ( fvl $ userPassword $ fripostIsStatusActive ) - MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) ) + MAY ( fripostUserQuota $ description) ) # -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias' SUP top STRUCTURAL DESC 'Virtual alias' MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive ) MAY ( fripostOwner $ description ) ) # -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualList' SUP top STRUCTURAL DESC 'Virtual list' MUST ( fvl $ fripostListManager $ fripostIsStatusActive ) MAY ( fripostOwner $ description ) ) # -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry' SUP top AUXILIARY DESC 'Virtual pending entry' MAY ( fripostPendingToken ) ) diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 6e5961b..33ef108 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 
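Review bot: Inserting FripostVirtualAliasDomain at 1.3.6.1.4.1.40011.1.2.3 and shifting FripostVirtualUser, FripostVirtualAlias, FripostVirtualList and FripostPendingEntry to .4–.7 changes the OID of four object classes that already exist in deployed directories; OIDs are meant to be permanent, and a cn=config slapd that already holds the old definitions will at best keep them and at worst reject the reload when a known NAME arrives under a different OID, while replicas and schema-aware clients see conflicting definitions. Give the new class the next free arc (`1.3.6.1.4.1.40011.1.2.7`) and leave the existing numbers alone. Separately, removing `fripostOptionalMaildrop` from the MAY list of FripostVirtualUser makes any existing user entry that still carries that attribute violate the schema, so those values must be deleted (and the presence index adjusted, per the comment above) before the updated schema is loaded.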
@@ -289,7 +289,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" # # We're giving away create/delete access on the children attributes, but we will be carefull # with the 'entry' permissions. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w @@ -300,7 +300,7 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z by * break olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" - filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) + filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain))) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w # @@ -534,11 +534,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # # Users with "canAddDomain" access can see that they have the right # to create domains. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=entry by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=fripostCanAddDomain by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf index 3833446..4fdbff3 100644 --- a/roles/common/files/etc/postfix/master.cf +++ b/roles/common/files/etc/postfix/master.cf 
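Review bot: The added `(!(objectClass=FripostVirtualAliasDomain))` clause correctly stops users from creating children under an alias domain, but nothing in these hunks governs who may add that objectClass and its MUST `fripostMaildrop` to an existing domain, which turns every address of the domain into `%U@<fripostMaildrop>` via alias_domains.cf; whether that is limited to the domain owner depends on the `objectClass`/`fripostMaildrop` attribute ACLs outside this view and should be checked. Existing children of a converted domain are not removed, and the mail maps in this commit ignore them, so a comment noting that conversion is expected only on empty domains would help. The `dn.base` to `dn.exact` change is a synonym substitution and is fine.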
@@ -39,14 +39,10 @@ lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache 127.0.0.1:16132 inet n - - - - smtpd -127.0.0.1:2526 inet n - - - - smtpd +2526 inet n - - - - smtpd 2527 inet n - - - - smtpd -o mynetworks=0.0.0.0/0 127.0.0.1:2580 inet n - - - - smtpd -127.0.0.1:2599 inet n - - - - smtpd - -o cleanup_service_name=cleanup-catchall -cleanup-catchall unix n - - - 0 cleanup - -o virtual_alias_maps=cdb:$config_directory/virtual/reserved_alias_maps,ldap:$config_directory/virtual/alias_maps.cf,ldap:/etc/postfix-mx/virtual/catchall_maps.cf 127.0.0.1:smtp inet n - - - - smtpd -o inet_interfaces=127.0.0.1 reserved-alias unix - n n - - pipe diff --git a/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf index 50631e5..f85c4f8 100644 --- a/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf +++ b/roles/lists/files/etc/postfix/virtual/transport_lists_maps.cf @@ -1,6 +1,7 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +domain = static:all scope = base bind = none query_filter = (&(objectClass=FripostVirtualList)(fvl=%u)) |
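Review bot: `2526 inet n - - - - smtpd` now listens on all addresses (subject to `inet_interfaces`), whereas the neighbouring `127.0.0.1:16132`, `127.0.0.1:2580` and `127.0.0.1:smtp` services keep their loopback binding and, unlike `2527`, it carries no `-o` override; on the IMAP instance, where main.cf enables it, this is the MDA input, so any host that can reach the box can hand mail to it unless a firewall outside this repository intervenes. Since this master.cf is shared by all instances, I would either bind the service to the address the MX delivers to or add `-o smtpd_client_restrictions=permit_mynetworks,reject` (and require the MX's TLS client certificate if the `smtps` transport presents one), so an external client cannot inject mail past the MX's checks. A comment on the line stating which peer is expected would also help, as the removal of the `127.0.0.1:2599`/`cleanup-catchall` pair shows this file is the only record of the internal topology.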