diff options
Diffstat (limited to 'roles/IMAP/files')
6 files changed, 182 insertions, 0 deletions
diff --git a/roles/IMAP/files/etc/cron.d/doveadm b/roles/IMAP/files/etc/cron.d/doveadm index 1cb0ed8..b0551e4 100644 --- a/roles/IMAP/files/etc/cron.d/doveadm +++ b/roles/IMAP/files/etc/cron.d/doveadm @@ -1,3 +1,4 @@ MAILTO=root 59 * * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm sis deduplicate /home/mail/attachments /home/mail/attachments/queue +37 5 * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm purge -A diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext index 360727e..9917753 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext @@ -37,3 +37,11 @@ userdb { # so we can skip the passdb lookup here. args = home=/home/mail/virtual/%d/%n allow_all_users=yes } + +# Used only for iteration as the static userdb above always succeeds +userdb { + driver = dict + skip = found + result_internalfail = return-fail + args = /etc/dovecot/dovecot-dict-auth.conf.ext +} diff --git a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext new file mode 100644 index 0000000..ecd7134 --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext @@ -0,0 +1,12 @@ +# This file is commonly accessed via passdb {} or userdb {} section in +# conf.d/auth-dict.conf.ext + +# Dictionary URI +uri = proxy:/var/run/dovecot/auth-proxy: + +# Username iteration prefix. Keys under this are assumed to contain usernames. +iterate_prefix = userdb/ + +# Should iteration be disabled for this userdb? If this userdb acts only as a +# cache there's no reason to try to iterate the (partial & duplicate) users. +iterate_disable = no diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service new file mode 100644 index 0000000..ea5895c --- /dev/null +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service @@ -0,0 +1,23 @@ +[Unit] +Description=Dovecot authentication proxy +After=dovecot.target +Requires=dovecot-auth-proxy.socket + +[Service] +User=vmail +Group=vmail +StandardInput=null +SyslogFacility=mail +ExecStart=/usr/local/bin/dovecot-auth-proxy.pl + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectSystem=full +ProtectHome=read-only +ReadOnlyDirectories=/ +RestrictAddressFamilies= + +[Install] +WantedBy=multi-user.target +Also=postfix-sender-login.socket diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket new file mode 100644 index 0000000..6dee91a --- /dev/null +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket @@ -0,0 +1,8 @@ +[Socket] +SocketUser=dovecot +SocketGroup=dovecot +SocketMode=0600 +ListenStream=/run/dovecot/auth-proxy + +[Install] +WantedBy=sockets.target diff --git a/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl new file mode 100755 index 0000000..cc52dbf --- /dev/null +++ b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl @@ -0,0 +1,130 @@ +#!/usr/bin/perl + +#---------------------------------------------------------------------- +# socketmap lookup table returning the SASL login name(s) owning a given +# sender address +# Copyright © 2017 Guilhem Moulin <guilhem@fripost.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +#---------------------------------------------------------------------- + +use warnings; +use strict; + +use Errno 'EINTR'; + +# clean up PATH +$ENV{PATH} = join ':', qw{/usr/bin /bin}; +delete @ENV{qw/IFS CDPATH ENV BASH_ENV/}; + +# number of pre-forked servers +my $nProc = 1; +sub server(); + +# fdopen(3) the file descriptor FD +die "This service must be socket-activated.\n" + unless defined $ENV{LISTEN_PID} and $ENV{LISTEN_PID} == $$ + and defined $ENV{LISTEN_FDS} and $ENV{LISTEN_FDS} == 1; +open my $S, '+<&=', 3 or die "fdopen: $!"; + +do { + my $dir = (getpwnam('vmail'))[7] // die "No such user: vmail"; + $dir .= '/virtual'; + chdir($dir) or die "chdir($dir): $!"; +}; + +my @CHILDREN; +for (my $i = 0; $i < $nProc-1; $i++) { + my $pid = fork() // die "fork: $!"; + if ($pid) { + push @CHILDREN, $pid; + } else { + server(); # child, never return + exit; + } +} +server(); +waitpid $_ => 0 foreach @CHILDREN; +exit $?; + + +############################################################################# + +sub server() { + for (my $n = 0; $n < 1; $n++) { + accept(my $conn, $S) or do { + next if $! == EINTR; + die "accept: $!"; + }; + + my $hello = $conn->getline() // ''; + unless ($hello =~ /\AH(\d+)\t(\d+)\t(\d+)(?:\t.*)?\n\z/) { + warn "Invalid greeting line: $hello\n"; + close $conn or warn "Can't close: $!"; + next; + } + # <major-version> <minor-version> <value type> + unless ($1 == 2 and $2 == 0 and $3 == 0) { + warn "Unsupported protocol version $1.$2 (or value type $3)\n"; + close $conn or warn "Can't close: $!"; + next; + } + + my $cmd = $conn->getline() // ''; + if ($cmd =~ /\AI(\d+)\t(.*)\n\z/) { + iterate($conn, $1, $2); + } + else { + fail($conn => "Unknown command line: $cmd"); + } + close $conn or warn "Can't close: $!"; + } +} + +sub fail($;$) { + my ($fh, $msg) = @_; + $fh->printflush("F\n"); + warn "$msg\n" if defined $msg; +} + +# list all users, even the inactive ones +sub iterate($$$) { + my ($fh, $flags, $prefix) = @_; + unless ($flags == 0) { + fail($fh => "Unsupported iterate flags $flags"); + return; + } + + opendir my $dh, '.' or do { + fail($fh => "opendir: $!"); + return; + }; + while (defined (my $d = readdir $dh)) { + next if $d eq '.' or $d eq '..'; + opendir my $dh, $d or do { + fail($fh => "opendir: $!"); + return; + }; + while (defined (my $l = readdir $dh)) { + next if $l eq '.' or $l eq '..'; + my $user = $l.'@'.$d; + next unless $user =~ /\A[a-zA-Z0-9\.\-_@]+\z/; # skip invalid user names + $fh->printf("O%s%s\t\n", $prefix, $user); + } + closedir $dh or warn "closedir: $!"; + } + closedir $dh or warn "closedir: $!"; + + $fh->printflush("\n"); +} |