From 2a2333cdfb016bb884887f46fbcbfdce6e064d74 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 25 Jun 2014 02:37:48 +0200
Subject: Assume a DNS entry for each role. E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
---
 group_vars/all.yml | 20 ++++++--------------
 .../files/etc/dovecot/conf.d/20-imapc.conf | 18 ++++++++++++++++++
 .../files/etc/dovecot/conf.d/auth-imap.conf.ext | 17 +++++++++++++++++
 roles/IMAP-proxy/tasks/main.yml | 16 +++-------------
 .../templates/etc/dovecot/conf.d/20-imapc.conf.j2 | 18 ------------------
 .../etc/dovecot/conf.d/auth-imap.conf.ext.j2 | 17 -----------------
 roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 | 4 ++--
 roles/IMAP/templates/etc/postfix/main.cf.j2 | 2 +-
 roles/MSA/templates/etc/postfix/main.cf.j2 | 8 ++++----
 roles/MX/templates/etc/postfix/main.cf.j2 | 6 +++---
 roles/MX/templates/etc/postfix/virtual/list.cf.j2 | 2 +-
 roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 | 2 +-
 roles/MX/templates/etc/postfix/virtual/transport.j2 | 8 ++++----
 .../common-LDAP/templates/etc/ldap/database.ldif.j2 | 4 ++--
 roles/common/templates/etc/ntp.conf.j2 | 2 +-
 roles/common/templates/etc/postfix/main.cf.j2 | 4 ++--
 roles/lists/templates/etc/postfix/main.cf.j2 | 6 +++---
 roles/webmail/templates/etc/postfix/main.cf.j2 | 6 +++---
 .../roundcube/plugins/managesieve/config.inc.php.j2 | 2 +-
 .../roundcube/plugins/password/config.inc.php.j2 | 2 +-
 20 files changed, 73 insertions(+), 91 deletions(-)
 create mode 100644 roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
 create mode 100644 roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
 delete mode 100644 roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2
 delete mode 100644 roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 0dee19d..351aa09 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,17 +3,9 @@ postfix_instance:
 # The keys are the group names associated with a Postfix role, and the
 # values are the name and group (optional) of the instance dedicated
 # to that role.
- IMAP: { name: mda }
- MX: { name: mx, group: mta }
- MTA-out: { name: mta-out,group: mta }
- MSA: { name: msa }
- webmail: { name: webmail }
- lists: { name: lists }
-
-MTA_out: { host: outgoing.fripost.org, port: 2525 }
-LDA: { host: lda.fripost.org, port: 2526 }
-lists: { host: lists.fripost.org, port: 2527 }
-
-LDAP_provider: host1.libvirt.guilhem.org
-NTP_master: host1.libvirt.guilhem.org
-IMAP: host1.libvirt.guilhem.org
+ IMAP: { name: mda, port: 2526 }
+ MX: { name: mx, group: mta }
+ MTA-out: { name: mta-out,group: mta, port: 2525 }
+ MSA: { name: msa }
+ webmail: { name: webmail }
+ lists: { name: lists, port: 2527 }
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
new file mode 100644
index 0000000..47785a4
--- /dev/null
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
@@ -0,0 +1,18 @@
+# Smart IMAP proxying with imapc storage
+#
+# http://dovecot.org/pipermail/dovecot/2011-January/056975.html
+# http://wiki2.dovecot.org/HowTo/ImapcProxy
+# http://wiki2.dovecot.org/Migration/Dsync
+
+imapc_host = imap.fripost.org
+imapc_port = 143
+imapc_user = %u
+
+# Read multiple mails in parallel, improves performance
+mail_prefetch_count = 20
+
+# The list of valid features can be found there
+# http://hg.dovecot.org/dovecot-2.1/file/f572fbafb445/src/lib-storage/index/imapc/imapc-settings.c
+# (in the struct 'imapc_feature_list imapc_feature_list')
+imapc_features = rfc822.size
+
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
new file mode 100644
index 0000000..7478889
--- /dev/null
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
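Review bot: The comment kept as context above the `postfix_instance` map still says the values hold "the name and group (optional)" of the instance, while every entry this hunk adds for IMAP, MTA-out and lists now also carries a `port` that the relayhost and transport templates index as `postfix_instance["MTA-out"].port`, `postfix_instance.IMAP.port` and `postfix_instance.lists.port`. The hunk should update that comment, e.g. `# values are the name, group (optional) and port (optional; required for IMAP, MTA-out and lists) of the instance`. Without it the next person adding a role has no hint that a missing port fails at template render time rather than at lint time.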
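Review bot: `imapc_host = imap.fripost.org` together with `imapc_port = 143` and no `imapc_ssl` line makes the proxy open a plaintext IMAP session to the backend, and the companion passdb in auth-imap.conf.ext (`args = host=imap.fripost.org port=143`, likewise without an `ssl=` parameter) forwards each user's password over that same hop; the template this replaces had the same gap, but now that the backend is a DNS name rather than an inventory value, a resolver answer alone decides where the credentials go. Unless the path to imap.fripost.org is inside the IPsec link the ntp template mentions, add `imapc_ssl = starttls` and `imapc_ssl_verify = yes` here and `ssl=starttls` to the passdb `args` in auth-imap.conf.ext. If the link is protected, a one-line comment above `imapc_host` saying so would stop the next reader from raising the same point.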
@@ -0,0 +1,17 @@ +# Authentication via remote IMAP server. Included from auth.conf. +# +# + +passdb { + driver = imap + args = host=imap.fripost.org port=143 + default_fields = userdb_imapc_user=%u userdb_imapc_password=%w +} + +# "prefetch" user database means that the passdb already provided the +# needed information and there's no need to do a separate userdb lookup. +# +userdb { + driver = prefetch + default_fields = home=/home/imapproxy/%d/%n +} diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index c630cfd..f76ee72 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -17,28 +17,18 @@ owner=imapproxy group=imapproxy mode=0700 -- name: Configure Dovecot (1) +- name: Configure Dovecot copy: src=etc/dovecot/conf.d/{{ item }} dest=/etc/dovecot/conf.d/{{ item }} owner=root group=root mode=0644 - register: r1 + register: r with_items: - 10-auth.conf - 10-logging.conf - 10-mail.conf - 10-master.conf - 15-mailboxes.conf - notify: - - Restart Dovecot - -- name: Configure Dovecot (2) - template: src=etc/dovecot/conf.d/{{ item }}.j2 - dest=/etc/dovecot/conf.d/{{ item }} - owner=root group=root - mode=0644 - register: r2 - with_items: - 20-imapc.conf - auth-imap.conf.ext notify: @@ -46,6 +36,6 @@ - name: Start Dovecot service: name=dovecot state=started - when: not (r1.changed or r2.changed) + when: not r.changed - meta: flush_handlers diff --git a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 b/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 deleted file mode 100644 index a6b70c6..0000000 --- a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 +++ /dev/null 
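Review bot: `when: not r.changed` on the Start Dovecot task carries an undocumented dependency: the task is skipped precisely when the merged copy task changed something, because the `notify:` list (cut off at the end of the first hunk) plus the `- meta: flush_handlers` line will restart the service anyway. A short comment on the guard, e.g. `# a changed config is handled by the Restart handler flushed below; only start when nothing changed`, would make that explicit, and with only one registered result left, `register: r` could take a descriptive name such as `dovecot_conf` so the guard reads on its own. The first hunk's `notify:` block ends outside the hunk, so the handler it names is not visible here.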
@@ -1,18 +0,0 @@
-# Smart IMAP proxying with imapc storage
-#
-# http://dovecot.org/pipermail/dovecot/2011-January/056975.html
-# http://wiki2.dovecot.org/HowTo/ImapcProxy
-# http://wiki2.dovecot.org/Migration/Dsync
-
-imapc_host = {{ IMAP }}
-imapc_port = 143
-imapc_user = %u
-
-# Read multiple mails in parallel, improves performance
-mail_prefetch_count = 20
-
-# The list of valid features can be found there
-# http://hg.dovecot.org/dovecot-2.1/file/f572fbafb445/src/lib-storage/index/imapc/imapc-settings.c
-# (in the struct 'imapc_feature_list imapc_feature_list')
-imapc_features = rfc822.size
-
diff --git a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2 b/roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2
deleted file mode 100644
index 5e2b28c..0000000
--- a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/auth-imap.conf.ext.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-# Authentication via remote IMAP server. Included from auth.conf.
-#
-#
-
-passdb {
- driver = imap
- args = host={{ IMAP }} port=143
- default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-#
-userdb {
- driver = prefetch
- default_fields = home=/home/imapproxy/%d/%n
-}
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
index 00a82ce..503907e 100644
--- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -111,9 +111,9 @@ $inet_socket_port = 10041; $interface_policy{'10041'} = 'INBOUND'; {% if 'MTA-out' in group_names %} -$notify_method = 'smtp:[127.0.0.1]:{{ MTA_out.port }}'; +$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance["MTA-out"].port }}'; {% else %} -$notify_method = 'smtp:[{{ MTA_out.host }}]:{{ MTA_out.port }}'; +$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }}'; {% endif %} $forward_method = 'lmtp:/var/run/dovecot/lmtp'; $requeue_method = $forward_method; diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index d0421ce..46f64aa 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 @@ -14,7 +14,7 @@ maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = mda{{ imapno | default('') }}.$mydomain -mydomain = {{ ansible_domain }} +mydomain = fripost.org append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the MDA. diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 88cb3be..b15b907 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -13,8 +13,8 @@ delay_warning_time = 4h maximal_queue_lifetime = 5d myorigin = /etc/mailname -myhostname = smtp{{ mdano | default('') }}.$mydomain -mydomain = {{ ansible_domain }} +myhostname = smtp{{ msano | default('') }}.$mydomain +mydomain = fripost.org append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the MSA. 
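Review bot: `outgoing.fripost.org` is now spelled literally in this `$notify_method` line and again in the `relayhost` lines of the MSA, MX, common, lists and webmail `main.cf.j2` hunks, and `fripost.org` is hardcoded as `mydomain` in five of those templates in place of `{{ ansible_domain }}`; the commit's rationale of one DNS name per role holds, but writing the same name in seven templates means a rename or a staging deployment under another zone has to touch each of them. Keeping a single group variable for the zone (say `domain: fripost.org`, a constructed example) and writing `outgoing.{{ domain }}` and `mydomain = {{ domain }}` would give the same rendered output with one edit point. The `{% if 'MTA-out' in group_names %}` branch that keeps `127.0.0.1` is unaffected.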
@@ -43,9 +43,9 @@ recipient_delimiter = + # Forward everything to our internal mailhub {% if 'MTA-out' in group_names %} -relayhost = [127.0.0.1]:{{ MTA_out.port }} +relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }} {% else %} -relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} +relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }} {% endif %} relay_domains = diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 8bed701..e842537 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -14,7 +14,7 @@ maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = mx{{ mxno | default('') }}.$mydomain -mydomain = {{ ansible_domain }} +mydomain = fripost.org append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the mail @@ -44,9 +44,9 @@ recipient_delimiter = + # Forward everything to our internal mailhub {% if 'MTA-out' in group_names %} -relayhost = [127.0.0.1]:{{ MTA_out.port }} +relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }} {% else %} -relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} +relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }} {% endif %} relay_domains = diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 index 6100c01..5988159 100644 --- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 @@ -8,4 +8,4 @@ query_filter = (&(objectClass=FripostVirtualList)(fvl=%u)) result_attribute = fvl # Use a dedicated "virtual" domain to decongestion potential bottlenecks # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps. -result_format = %D/%U@lists.guilhem.org +result_format = %D/%U@lists.fripost.org 
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 index fe27124..a108c0d 100644 --- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 @@ -8,4 +8,4 @@ query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)) result_attribute = fvl # Use a dedicated "virtual" domain to decongestion potential bottlenecks # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps. -result_format = %D/%U@mda.guilhem.org +result_format = %D/%U@mda.fripost.org diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2 index 6d244dc..2250a71 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport.j2 +++ b/roles/MX/templates/etc/postfix/virtual/transport.j2 @@ -1,13 +1,13 @@ reserved.locahost.localdomain reserved-alias: {% if 'LDA' in group_names %} -mda.guilhem.org smtpl:[127.0.0.1]:{{ LDA.port }} +mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }} {% else %} -mda.guilhem.org smtps:[{{ LDA.host }}]:{{ LDA.port }} +mda.fripost.org smtps:[mda.fripost.org]:{{ postfix_instance.IMAP.port }} {% endif %} {% if 'lists' in group_names %} -lists.guilhem.org smtpl:[127.0.0.1]:{{ lists.port }} +lists.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }} {% else %} -lists.guilhem.org smtps:[{{ lists.host }}]:{{ lists.port }} +lists.fripost.org smtps:[lists.fripost.org]:{{ postfix_instance.lists.port }} {% endif %} diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 33ef108..cde9069 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 
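Review bot: `mda.fripost.org` and `lists.fripost.org` now play two roles at once: they are the internal rewrite domains that `result_format = %D/%U@mda.fripost.org` in mailbox.cf.j2 (and the lists.fripost.org form in list.cf.j2) produce, and the real next hops in `smtps:[mda.fripost.org]` and `smtps:[lists.fripost.org]`. With the old `*.guilhem.org` keys the rewrite domain was never a resolvable host, so it is worth confirming that a recipient such as `someone@mda.fripost.org` presented to the MX from outside is still refused as an unauthorized relay destination; the empty `relay_domains =` context in the main.cf hunks suggests it is, but that cannot be verified from this diff. A comment above the first mapping, e.g. `# keys are the LDAP rewrite domains from virtual/*.cf; only the bracketed host is contacted`, would make the double use explicit. The `@@ -1,13 +1,13 @@` header shows the whole file, so nothing is cut off here.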
@@ -86,7 +86,7 @@ olcLimits: dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc= size.hard=unlimited {% elif 'MX' in group_names %} olcSyncrepl: rid=000 - provider=ldap://{{ LDAP_provider }} + provider=ldap://ldap.fripost.org type=refreshAndPersist retry="5 5 300 +" searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" @@ -100,7 +100,7 @@ olcSyncrepl: rid=000 # XXX: mlmmj is not compatible with the MX, see # http://mlmmj.org/bugs/bug.php?id=51 olcSyncrepl: rid=001 - provider=ldap://{{ LDAP_provider }} + provider=ldap://ldap.fripost.org type=refreshAndPersist retry="5 5 300 +" searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 index 2f70cef..96cc16c 100644 --- a/roles/common/templates/etc/ntp.conf.j2 +++ b/roles/common/templates/etc/ntp.conf.j2 @@ -24,7 +24,7 @@ server ntp2.sth.netnod.se iburst {% else %} # Sychronize to our (stratum 2) NTP server through IPSec, to ensure our # network has a consistent time. -server {{ NTP_master }} iburst +server ntp.fripost.org iburst {% endif %} diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 83f97b4..169ad40 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 @@ -35,9 +35,9 @@ smtp_generic_maps = pcre:$config_directory/generic.pcre # Forward everything to our internal mailhub {% if 'MTA-out' in group_names %} -relayhost = [127.0.0.1]:{{ MTA_out.port }} +relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }} {% else %} -relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} +relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }} {% endif %} relay_domains = diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2 index 955b901..45e66aa 100644 --- a/roles/lists/templates/etc/postfix/main.cf.j2 
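Review bot: `provider=ldap://ldap.fripost.org` in the `olcSyncrepl: rid=000` directive (and the identical change to `rid=001` in the second hunk) selects a cleartext `ldap://` URL, and the visible `type=`, `retry=` and `searchbase=` lines carry no `starttls=` or `tls_reqcert=` keyword; the directive continues past the hunk, so its bind credentials and any TLS keywords are not visible here. The consumer replicates `ou=virtual,o=mailHosting,dc=fripost,dc=org`, i.e. the user database, so unless the path to the provider is inside the IPsec link the ntp template mentions, the replication stream and the consumer's bind should be pinned with `starttls=critical tls_reqcert=demand` on the same directive. Replacing an inventory hostname with a DNS name also means a wrong resolver answer now steers where the consumer binds, which certificate verification would catch.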
+++ b/roles/lists/templates/etc/postfix/main.cf.j2 @@ -14,7 +14,7 @@ maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = lists{{ listsno | default('') }}.$mydomain -mydomain = {{ ansible_domain }} +mydomain = fripost.org append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the list server. @@ -48,9 +48,9 @@ recipient_delimiter = + # Forward everything to our internal mailhub {% if 'MTA-out' in group_names %} -relayhost = [127.0.0.1]:{{ MTA_out.port }} +relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }} {% else %} -relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} +relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }} {% endif %} relay_domains = diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 index 2ee2849..5d678a1 100644 --- a/roles/webmail/templates/etc/postfix/main.cf.j2 +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -14,7 +14,7 @@ maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = webmail{{ webmailno | default('') }}.$mydomain -mydomain = {{ ansible_domain }} +mydomain = fripost.org append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the webmail. @@ -43,9 +43,9 @@ recipient_delimiter = + # Forward everything to our internal mailhub {% if 'MTA-out' in group_names %} -relayhost = [127.0.0.1]:{{ MTA_out.port }} +relayhost = [127.0.0.1]:{{ postfix_instance["MTA-out"].port }} {% else %} -relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} +relayhost = [outgoing.fripost.org]:{{ postfix_instance["MTA-out"].port }} {% endif %} relay_domains = diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 index 27b5b44..c716ddc 100644 --- a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 @@ -9,7 +9,7 @@ $rcmail_config['managesieve_port'] = 4190; // %n - http hostname ($_SERVER['SERVER_NAME']) // %d - domain (http hostname without the first part) // For example %n = mail.domain.tld, %d = domain.tld -$rcmail_config['managesieve_host'] = '{{ IMAP }}'; +$rcmail_config['managesieve_host'] = 'imap.fripost.org'; // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL // or none. Optional, defaults to best method supported by server. diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 index 35c73f9..a661909 100644 --- a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 +++ b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 @@ -28,7 +28,7 @@ $rcmail_config['password_log'] = false; // You can provide one or several hosts in an array in which case the hosts are tried from left to right. // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); // Default: 'localhost' -$rcmail_config['password_ldap_host'] = '{{ LDAP_provider }}'; +$rcmail_config['password_ldap_host'] = 'ldap.fripost.org'; // LDAP server port to connect to // Default: '389' -- cgit v1.2.3
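Review bot: `$rcmail_config['managesieve_host'] = 'imap.fripost.org'` sends each user's IMAP password to that host on the `managesieve_port` 4190 shown two lines above, and this hunk does not show `managesieve_usetls`, so whether the sieve connection is wrapped in TLS cannot be confirmed from the diff; the option lives outside the hunk and should be checked. If the hop is covered by the IPsec link the ntp template mentions, a comment on this line stating that would save the next reviewer the same question.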
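Review bot: `$rcmail_config['password_ldap_host'] = 'ldap.fripost.org'` makes the password plugin bind to the directory by DNS name, and the hunk shows neither the port (the `// Default: '389'` context below refers to the next setting) nor `password_ldap_starttls`; a password change carries the user's current and new credentials on this connection, so the starttls setting further down the file should be confirmed rather than left at its default. As with the managesieve change, a comment on this line noting whether the link relies on IPsec or on TLS would document the decision.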