From 368540caee8fff8aa90b1542897188e9f98ac585 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Jul 2014 01:08:02 +0200
Subject: Ensure Postfix's LDAP searchBase exists when doing a lookup.

Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.
---
 roles/MX/templates/etc/postfix/virtual/alias.cf.j2 | 8 +++---
 .../etc/postfix/virtual/alias_domains.cf.j2 | 8 +++---
 .../templates/etc/postfix/virtual/catchall.cf.j2 | 8 +++---
 roles/MX/templates/etc/postfix/virtual/list.cf.j2 | 8 +++---
 .../MX/templates/etc/postfix/virtual/mailbox.cf.j2 | 8 +++---
 .../etc/postfix/virtual/mailbox_domains.cf.j2 | 8 +++---
 roles/common-LDAP/templates/etc/default/slapd.j2 | 2 +-
 .../templates/etc/ldap/database.ldif.j2 | 31 ++++++++++++++--------
 8 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index 2e80d45..31a23ce 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,8 +1,10 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain = static:all
-scope = base
-bind = none
+scope = one
+bind = yes
+bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
+bind_pw = FIXME
 query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u))
 result_attribute = fripostMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index bdfa802..b338c8c 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
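Review bot: `bind_pw = FIXME` at the end of the added bind block ships a literal placeholder password in the rendered lookup table, and the same line is added in alias_domains.cf.j2, catchall.cf.j2, list.cf.j2, mailbox.cf.j2 and mailbox_domains.cf.j2. Since these are Ansible templates, the value should be rendered from a variable kept in an encrypted store rather than typed into the tracked file, e.g. `bind_pw = {{ postfix_ldap_bind_pw }}` (variable name is a constructed example), and the task that renders these files should set an owner and mode that keep them unreadable by other local users, because with `bind = yes` each table now carries a reusable credential. Switching from `bind = none` to a simple bind also requires that `cn=postfix,ou=services,dc=fripost,dc=org` exist with a password before any of these lookups succeed; nothing in this commit creates that entry, so presumably it is handled elsewhere — worth confirming.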
@@ -1,9 +1,11 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
+search_base = ou=virtual,dc=fripost,dc=org
 domain = static:all
-scope = base
-bind = none
+scope = one
+bind = yes
+bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
+bind_pw = FIXME
 query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
 result_attribute = fripostMaildrop
 result_format = %U@%s
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 398e530..3d86ecf 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,8 +1,10 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
+search_base = ou=virtual,dc=fripost,dc=org
 domain = static:all
-scope = base
-bind = none
+scope = one
+bind = yes
+bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
+bind_pw = FIXME
 query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
 result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 4020b42..a39343b 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,9 +1,11 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain = static:all
-scope = base
-bind = none
+scope = one
+bind = yes
+bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
+bind_pw = FIXME
 query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 118e17a..083b638 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,9 +1,11 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
 domain = static:all
-scope = base
-bind = none
+scope = one
+bind = yes
+bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
+bind_pw = FIXME
 query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
index 43b7f3a..fde355e 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
@@ -1,8 +1,10 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvd=%s,ou=virtual,dc=fripost,dc=org
-scope = base
-bind = none
+search_base = ou=virtual,dc=fripost,dc=org
+scope = one
+bind = yes
+bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
+bind_pw = FIXME
 query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%s))
 result_attribute = fvd
 result_format = OK
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index f652f9a..80c1be1 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -20,7 +20,7 @@ SLAPD_PIDFILE=
 # service requests on TCP-port 636 (ldaps) and requests via unix
 # sockets.
 SLAPD_SERVICES="ldapi:///"
-{% for i in ['IMAP','MX','lists'] | intersect(group_names) | sort %}
+{% for i in group_names | intersect(['MX','lists']) | sort %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
 {% endfor %}
 {% if 'LDAP-provider' in group_names %}
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index d3915df..4c45219 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
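Review bot: Dropping `'IMAP'` from the set of instances that get a per-instance ldapi:// socket is not mentioned in the commit message, which only talks about Postfix on the MX:es. If Dovecot on IMAP hosts never consumed a `postfix-<instance>` socket this is just cleanup, but that is not visible from the hunk, so either a sentence in the message or a comment above the loop such as `# one ldapi:// socket per non-default Postfix instance chroot (MX, lists)` would record why only these two groups remain. The surrounding comment about "requests via unix sockets" still reads as if it covered the whole list.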
@@ -264,16 +264,22 @@ olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
  by users =0 break
 {% endif -%}
 #
-# * Dovecot may use the base as a searchBase on the MDA (for the iterate
-# filter), when SASL-binding using the EXTERNAL mechanism and
-# connecting to a local ldapi:// socket.
-{% if 'MDA' in group_names -%}
+# * Postfix may use the base as a searchBase on the MX:es, when
+# connecting a local ldapi:// socket from the 'private' directory in
+# one of the non-default instance's chroot.
+# * So may Dovecot on the MDA (needed for the iterate filter), when
+# SASL-binding using the EXTERNAL mechanism and connecting to a local
+# ldapi:// socket.
 olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
  attrs=entry,objectClass
  filter=(objectClass=FripostVirtual)
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
- by users =0 break
-{% endif -%}
+ {% if 'MDA' in group_names -%}
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
+ {% endif -%}
+ {% if 'MX' in group_names -%}
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =sd
+ {% endif -%}
+ by users =0 break
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Domain entries
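Review bot: The new `sockurl.regex` for `cn=postfix,ou=services,dc=fripost,dc=org` only admits socket paths of the form `postfix-[-[:alnum:]]+`, while slapd.j2 builds the listener from `postfix-{{ postfix_instance[i].name }}` with no constraint on the name; an instance name containing any other character (an underscore, a dot) would get its socket in SLAPD_SERVICES but silently fall through this clause to `by users =0 break`, so either document the naming rule next to the regex or widen the class to match whatever the instance names allow. The regex is anchored with `^` but not `$`, which is fine here because the real URL continues with `ldapi/`. Note also that `=sd` is granted on the base entry only, and the lookups this commit moves to `scope = one` now traverse the per-domain children, so `cn=postfix` needs matching grants on those entries; presumably they exist elsewhere in this file, but the hunk does not show them. The first context line `by users =0 break` belongs to an olcAccess directive that starts before the hunk.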
@@ -335,13 +341,16 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
 # the MX:es, when SASL-binding using the EXTERNAL mechanism and
 # connecting to a local ldapi:// socket. This is required for the
 # 'reserved-alias.pl' script.
-{% if 'MX' in group_names %}
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
  attrs=fripostOwner,fripostPostmaster
  filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
- by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by users =0 break
-{% endif %}
+ {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ {% endif -%}
+ {% if 'MX' in group_names %}
+ by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ {% endif -%}
+ by users =0 break
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Alias domain entries
-- 
cgit v1.2.3
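Review bot: `{% if 'MX' in group_names %}` in the added block is the only block tag in this hunk and the previous one without the trailing `-`, so keeping the LDIF continuation intact there presumably relies on the templating engine's block trimming rather than on the template itself; make it `{% if 'MX' in group_names -%}` so all four tags behave the same way. The comment above the directive (it begins before this hunk) still documents only the `username=nobody` peercred grant, while the new first clause also gives `=rsd` to `cn=mX,ou=syncRepl,dc=fripost,dc=org` when bound with `tls_ssf=128`; add a line such as `# * The MX syncrepl consumer also reads these attributes over TLS when replicating from the provider.` so both grants are explained in place.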