From 55e9b2a0ebc87a353f9c9496a77b313e41e47bd4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Jul 2014 01:23:01 +0200
Subject: Perform the alias resolution and address validation solely on the MX:es.
We can therefore spare some lookups on the MDA, and use static:all instead.
---
roles/IMAP/files/etc/postfix/transport | 1 +
roles/IMAP/files/etc/postfix/virtual/mailbox.cf | 9 ------
.../files/etc/postfix/virtual/mailbox_domains.cf | 1 -
.../postfix/virtual/transport_content_filter.cf | 9 ------
roles/IMAP/tasks/mda.yml | 33 +++++++++-------------
roles/IMAP/templates/etc/postfix/main.cf.j2 | 11 ++++----
roles/MX/tasks/main.yml | 5 +++-
roles/MX/templates/etc/postfix/main.cf.j2 | 2 +-
roles/MX/templates/etc/postfix/virtual/alias.cf.j2 | 2 +-
.../etc/postfix/virtual/alias_domains.cf.j2 | 1 +
.../templates/etc/postfix/virtual/catchall.cf.j2 | 1 +
roles/MX/templates/etc/postfix/virtual/list.cf.j2 | 2 +-
.../MX/templates/etc/postfix/virtual/mailbox.cf.j2 | 2 +-
.../etc/postfix/virtual/mailbox_domains.cf.j2 | 2 +-
.../etc/postfix/virtual/reserved_alias.pcre.j2 | 2 +-
.../MX/templates/etc/postfix/virtual/transport.j2 | 2 +-
roles/common/templates/etc/iptables/services.j2 | 2 ++
17 files changed, 36 insertions(+), 51 deletions(-)
create mode 100644 roles/IMAP/files/etc/postfix/transport
delete mode 100644 roles/IMAP/files/etc/postfix/virtual/mailbox.cf
delete mode 120000 roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf
delete mode 100644 roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf
diff --git a/roles/IMAP/files/etc/postfix/transport b/roles/IMAP/files/etc/postfix/transport
new file mode 100644
index 0000000..d40ac5d
--- /dev/null
+++ b/roles/IMAP/files/etc/postfix/transport
@@ -0,0 +1 @@
+filter.mda.fripost.org amavisfeed:[127.0.0.1]:10041
diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox.cf
deleted file mode 100644
index e69343b..0000000
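Review bot: The single entry in this new map, `filter.mda.fripost.org amavisfeed:[127.0.0.1]:10041`, is never looked up, because roles/IMAP/templates/etc/postfix/main.cf.j2 in the same commit leaves `#transport_maps = cdb:$config_directory/transport` commented out while roles/IMAP/tasks/mda.yml still copies and compiles the file and reloads Postfix for it. The deleted transport_content_filter.cf used to route `AmavisAccount` users to that amavisfeed transport, so unless the content filter is re-attached somewhere outside this diff the commit silently disables it; with `virtual_mailbox_domains = static:all` a recipient in filter.mda.fripost.org would presumably be handed to the dovecot LMTP virtual_transport like any other address. Either uncomment the transport_maps line or drop this file together with its copy/compile tasks, and state the intent in the map itself, e.g. `# Content-filter hop; only consulted once transport_maps in main.cf points here` above the entry.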
--- a/roles/IMAP/files/etc/postfix/virtual/mailbox.cf
+++ /dev/null
@@ -1,9 +0,0 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
-version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
-domain = static:all
-scope = base
-bind = none
-query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
-result_attribute = fvl
-result_format = OK
diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf
deleted file mode 120000
index 05f7ed9..0000000
--- a/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
\ No newline at end of file
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf
deleted file mode 100644
index 642b722..0000000
--- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf
+++ /dev/null
@@ -1,9 +0,0 @@
-server_host = ldapi://%2Fprivate%2Fldapi/
-version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
-domain = static:all
-scope = base
-bind = none
-query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u))
-result_attribute = fvl
-result_format = amavisfeed:[127.0.0.1]:10041
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 698fd4f..897a61d 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -12,28 +12,15 @@ notify: - Reload Postfix -- name: Create directory /etc/postfix-.../virtual - file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual - state=directory - owner=root group=root - mode=0755 - -- name: Copy lookup tables - copy: src=etc/postfix/virtual/{{ item }} - dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }} +- name: Copy the transport and recipient canonical maps + copy: src=etc/postfix/{{ item }} + dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - - mailbox_domains.cf - - mailbox.cf - - transport_content_filter.cf - -- name: Copy recipient canonical - # no need to reload upon change, as cleanup(8) is short-running - copy: src=etc/postfix/recipient_canonical.pcre - dest=/etc/postfix-{{ postfix_instance[inst].name }}/recipient_canonical.pcre - owner=root group=root - mode=0644 + # no need to reload upon change, as cleanup(8) is short-running + - recipient_canonical.pcre + - transport - name: Build the Postfix relay clientcerts map sudo: False @@ -60,6 +47,14 @@ tags: - tls_policy +- name: Compile the Postfix transport maps + # trivial-rewrite(8) is a long-running process, so it's safer to reload + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb + owner=root group=root + mode=0644 + notify: + - Reload Postfix + - meta: flush_handlers - name: Start Postfix diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index 5758146..5a17fe2 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 
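Review bot: The comment `# no need to reload upon change, as cleanup(8) is short-running` now sits inside a `with_items` list that also covers `transport`, for which a change does need a reload; that reload is only triggered by the postmap task added further down in this file, which a reader of the copy task cannot see. Reword it so the claim is scoped, e.g. `# recipient_canonical.pcre needs no reload (cleanup(8) is short-running); a changed transport map is recompiled by the postmap task below, which notifies a reload`. Whether that postmap task re-runs when only the source file changed depends on the custom postmap module, which is not on this page; if it does not, an edited map would ship uncompiled until the next run.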
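Review bot: The new task calls the module as `postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb`, while the renamed task in roles/MX/tasks/main.yml in this same commit uses `postmap: instance={{ postfix_instance[inst].name }} src=... db=cdb`. The module's interface is not visible here, so I cannot tell whether both spellings are accepted or whether `instance=` is what selects the per-instance configuration; if both work, pick one form for the two roles, and if not, the IMAP call should be aligned with the MX one.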
@@ -45,15 +45,16 @@ recipient_delimiter = +
 relay_transport = error:5.1.1 Relay unavailable
 default_transport = error:5.1.1 Transport unavailable
-# Virtual transport (the alias resolution is already done by the MX:es)
+# Virtual transport (the alias resolution and address validation is
+# performed on the MX:es only)
 virtual_transport = lmtp:unix:private/dovecot-lmtpd
 lmtp_bind_address = 127.0.0.1
-virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
-virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox.cf
-transport_maps = ldap:$config_directory/virtual/transport_content_filter.cf
+virtual_mailbox_domains = static:all
+virtual_mailbox_maps = static:all
+#transport_maps = cdb:$config_directory/transport
 # Restore the original envelope recipient
-relay_domains = $myhostname
+relay_domains =
 recipient_canonical_classes = envelope_recipient
 recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index a372cf4..a6c68f6 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -55,11 +55,14 @@ - catchall.cf - transport -- name: Compile the Reserved Transport Maps +- name: Compile the Postfix transport maps + # trivial-rewrite(8) is a long-running process, so it's safer to reload postmap: instance={{ postfix_instance[inst].name }} src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb owner=root group=root mode=0644 + notify: + - Reload Postfix - name: Copy reserved-alias.pl copy: src=usr/local/sbin/reserved-alias.pl
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 8785c5a..b0da1bc 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
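Review bot: `virtual_mailbox_domains = static:all` together with `virtual_mailbox_maps = static:all` makes this instance accept any recipient in any domain, so the only remaining control against mail being queued for arbitrary addresses is who may reach its smtpd (presumably the relay clientcerts map built in roles/IMAP/tasks/mda.yml; the listener restrictions themselves are not in this hunk). That dependency deserves a comment next to the two lines, e.g. `# No recipient validation here (static:all): the MX:es have done it, so smtpd must remain reachable only by them`, because a later relaxation of the smtpd restrictions would otherwise silently turn this host into an accept-everything sink. `relay_domains =` being emptied is consistent with that model, but the existing comment `# Restore the original envelope recipient` now reads as if it covered that line too; moving the comment below `relay_domains =` would keep it attached to the recipient_canonical settings it describes.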
@@ -54,7 +54,7 @@ relay_domains =
 # We use a dedicated "virtual" domain to decongestion potential
 # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
 # tranport_maps.
-virtual_transport = error:5.1.1 Virtual transport unavailable
+virtual_transport = error:5.1.1 Virtual transport unavailable
 virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
 virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
 # first we do the alias resolution...
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index 31a23ce..c0ab405 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -6,5 +6,5 @@ scope = one
 bind = yes
 bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw = FIXME
-query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fripostMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index b338c8c..7679a9c 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -6,6 +6,7 @@ scope = one
 bind = yes
 bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw = FIXME
+# The domain has already been validated (it's active and not pending)
 query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
 result_attribute = fripostMaildrop
 result_format = %U@%s
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 3d86ecf..818ad02 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
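Review bot: The new alias filter adds `(fripostIsStatusActive=TRUE)` but, unlike list.cf.j2 and mailbox_domains.cf.j2 in this same commit, does not add `(!(objectClass=FripostPendingEntry))`; mailbox.cf.j2 has the same gap. If a pending alias or user can carry fripostIsStatusActive=TRUE (the schema is not on this page), mail to a not-yet-confirmed entry would still resolve and be delivered, which is exactly the validation the commit message says now happens solely on the MX:es. Either add the pending-entry exclusion to both filters, or record why aliases and users need no such test, e.g. `# Pending aliases are never active, so no FripostPendingEntry test is needed` above the query_filter.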
@@ -6,5 +6,6 @@ scope = one
 bind = yes
 bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw = FIXME
+# The domain has already been validated (it's active and not pending)
 query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
 result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index a39343b..a2ff325 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -6,7 +6,7 @@ scope = one
 bind = yes
 bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw = FIXME
-query_filter = (&(objectClass=FripostVirtualList)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index 083b638..9b584c9 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -6,7 +6,7 @@ scope = one
 bind = yes
 bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw = FIXME
-query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
 result_attribute = fvl
 # Use a dedicated "virtual" domain to decongestion potential bottlenecks
 # on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
index fde355e..1cb8add 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
@@ -5,6 +5,6 @@ scope = one
 bind = yes
 bind_dn = cn=postfix,ou=services,dc=fripost,dc=org
 bind_pw = FIXME
-query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%s))
+query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
 result_attribute = fvd
 result_format = OK
diff --git a/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2 b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
index 6f62a01..f1c79c7 100644
--- a/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
+++ b/roles/MX/templates/etc/postfix/virtual/reserved_alias.pcre.j2
@@ -2,4 +2,4 @@
 # For other domains, RFC 822 section 6.3 and RFC 2142 section 4
 # mandatory aliases are forwarded to OUR admin team and to the domain
 # owner or postmaster, if there are any.
-/^((?:postmaster|abuse)(?:\+.*)?@.*)/ $1@reserved.locahost.localdomain
+/^(postmaster|abuse)(?:\+.*)?@(.*)/ $2/$1@reserved.fripost.org
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
index a34dcad..85715a0 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -1,4 +1,4 @@
-reserved.locahost.localdomain reserved-alias:
+reserved.fripost.org reserved-alias:
 {% if 'LDA' in group_names %}
 mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 4e78d1e..d24b55d 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
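Review bot: The rewritten rule drops the address extension: `(?:\+.*)?` is a non-capturing group and the replacement only uses `$2/$1`, so `postmaster+foo@example.org` becomes `example.org/postmaster@reserved.fripost.org`, whereas the old `$1` carried the extension through. If that is intended, a comment saying so would help; if not, capture it and carry it through, e.g. `/^(postmaster|abuse)(\+.*)?@(.*)/ $3/$1$2@reserved.fripost.org` (check that an unmatched optional group expands to the empty string in Postfix pcre tables). The target also moves from an unroutable `.localdomain` name to `reserved.fripost.org`, which transport.j2 now pipes to `reserved-alias:`; since the rewritten address embeds the original domain before a `/`, that name must never be accepted as a recipient domain on the MX (no LDAP domain entry, not in any other address class), otherwise externally supplied addresses would reach reserved-alias.pl directly rather than only via this alias rewrite, and a comment in this file stating that assumption would make the dependency visible.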
@@ -20,6 +20,8 @@ out tcp 636 # LDAPS
 {% endif %}
 {% if 'MX' in group_names %}
 in tcp 25 # SMTP
+out tcp {{ postfix_instance.IMAP.port }}
+out tcp {{ postfix_instance.lists.port }}
 {% endif %}
 {% if 'out' in group_names %}
 in tcp {{ postfix_instance.out.port }}
--
cgit v1.2.3
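Review bot: The two new `out tcp` rules carry no comment, unlike `in tcp 25 # SMTP` directly above them; add one per line, e.g. `out tcp {{ postfix_instance.IMAP.port }} # SMTP relay to the MDA` and `out tcp {{ postfix_instance.lists.port }} # SMTP relay to the list manager`, so the reader knows why an MX needs these ports at all. The rules are also emitted for every MX host even though transport.j2 in this commit only routes to the IMAP instance when `'LDA' in group_names`; if the services.j2 format allows a destination, pinning them to the MDA/lists hosts would keep the MX from reaching that port anywhere, and if it does not, the comment should say the destination is unrestricted. Whether the IMAP side gets a matching `in tcp` rule is not visible in this diff.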