summaryrefslogtreecommitdiffstats
path: root/roles/MSA
diff options
context:
space:
mode:
Diffstat (limited to 'roles/MSA')
-rw-r--r--roles/MSA/files/etc/systemd/system/postfix-sender-login.service6
-rwxr-xr-xroles/MSA/files/usr/local/bin/postfix-sender-login.pl13
-rw-r--r--roles/MSA/tasks/main.yml16
3 files changed, 25 insertions, 10 deletions
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index f5e6d89..d652f75 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -1,27 +1,25 @@
[Unit]
Description=Postfix sender login socketmap
After=mail-transport-agent.target
Requires=postfix-sender-login.socket
[Service]
-User=postfix
-Group=postfix
+User=_postfix-sender-login
StandardInput=null
SyslogFacility=mail
ExecStart=/usr/local/bin/postfix-sender-login.pl
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
+PrivateNetwork=yes
ProtectHome=yes
ProtectSystem=strict
-PrivateDevices=yes
-PrivateNetwork=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX
[Install]
WantedBy=multi-user.target
Also=postfix-sender-login.socket
diff --git a/roles/MSA/files/usr/local/bin/postfix-sender-login.pl b/roles/MSA/files/usr/local/bin/postfix-sender-login.pl
index 374cc70..a37f872 100755
--- a/roles/MSA/files/usr/local/bin/postfix-sender-login.pl
+++ b/roles/MSA/files/usr/local/bin/postfix-sender-login.pl
@@ -1,89 +1,90 @@
#!/usr/bin/perl -T
#----------------------------------------------------------------------
# socketmap lookup table returning the SASL login name(s) owning a given
# sender address
-# Copyright © 2017 Guilhem Moulin <guilhem@fripost.org>
+# Copyright © 2017,2020 Guilhem Moulin <guilhem@fripost.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#----------------------------------------------------------------------
use warnings;
use strict;
use Errno 'EINTR';
use Net::LDAPI ();
use Net::LDAP::Util qw/ldap_explode_dn escape_dn_value escape_filter_value/;
use Net::LDAP::Constant qw/LDAP_NO_SUCH_OBJECT/;
use Authen::SASL ();
# clean up PATH
$ENV{PATH} = join ':', qw{/usr/bin /bin};
delete @ENV{qw/IFS CDPATH ENV BASH_ENV/};
-my $nProc = 2; # number of pre-forked servers
-my $POSTMASTER = 'postmaster@fripost.org'; # returned for forbidden envelope sender addresses
+my $nProc = 2; # number of pre-forked servers
+my $maxRequests = 32; # maximum number of requests per worker
+my $POSTMASTER = 'postmaster@fripost.org'; # returned for forbidden envelope sender addresses
-my $BASEDN = 'ou=virtual,dc=fripost,dc=org';
+my $BASEDN = "ou=virtual,dc=fripost,dc=org";
my $BUFSIZE = 65536; # try to read that many bytes at the time
-my $LDAPI = 'ldapi://%2Fvar%2Fspool%2Fpostfix-msa%2Fprivate%2Fldapi/';
+my $LDAPI = "ldapi://";
sub server();
# fdopen(3) the file descriptor FD
die "This service must be socket-activated.\n"
unless defined $ENV{LISTEN_PID} and $ENV{LISTEN_PID} == $$
and defined $ENV{LISTEN_FDS} and $ENV{LISTEN_FDS} == 1;
open my $S, '+<&=', 3 or die "fdopen: $!";
my @CHILDREN;
for (my $i = 0; $i < $nProc-1; $i++) {
my $pid = fork() // die "fork: $!";
if ($pid) {
push @CHILDREN, $pid;
} else {
server(); # child, never return
exit;
}
}
server();
waitpid $_ => 0 foreach @CHILDREN;
exit $?;
#############################################################################
sub server() {
- for (my $n = 0; $n < 32; $n++) {
+ for (my $n = 0; $n < $maxRequests; $n++) {
accept(my $conn, $S) or do {
next if $! == EINTR;
die "accept: $!";
};
my $reply = process_request($conn);
# encode the reply as a netstring and send it back
# https://cr.yp.to/proto/netstrings.txt
$reply = length($reply).':'.$reply.',';
my $len = length($reply);
for (my $i = 0; $i < $len;) {
my $n = syswrite($conn, $reply, $len-$i, $i) // do {
next if $! == EINTR;
warn "Can't write: $!";
last;
};
$i += $n;
}
close $conn or warn "Can't close: $!";
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index c78139a..2eee925 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -1,34 +1,50 @@
- name: Install Postfix
apt: pkg={{ packages }}
vars:
packages:
- postfix
- postfix-pcre
- postfix-policyd-spf-python
+- name: Install Net::LDAP and Authen::SASL
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - libnet-ldap-perl
+ - libauthen-sasl-perl
+
- name: Copy Postfix sender login socketmap
copy: src=usr/local/bin/postfix-sender-login.pl
dest=/usr/local/bin/postfix-sender-login.pl
owner=root group=staff
mode=0755
+- name: Create '_postfix-sender-login' user
+ user: name=_postfix-sender-login system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
- name: Copy Postfix sender login socketmap systemd unit files
copy: src=etc/systemd/system/{{ item }}
dest=/etc/systemd/system/{{ item }}
owner=root group=root
mode=0644
with_items:
- postfix-sender-login.service
- postfix-sender-login.socket
notify:
- systemctl daemon-reload
- meta: flush_handlers
- name: Enable Postfix sender login socketmap
service: name=postfix-sender-login.socket state=started enabled=yes
- name: Configure Postfix
template: src=etc/postfix/{{ item }}.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
owner=root group=root
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-21 10:42:15 +0000