From c79f18ff9a04a7534dba3c288bc9606f17786b16 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 2 Dec 2013 23:46:01 +0100 Subject: Rename the role 'mx' into 'MX'. Other abreviations are upper case. --- MX.yml | 2 +- .../files/etc/postfix/virtual/mailbox_domains.cf | 2 +- .../IMAP/files/etc/postfix/virtual/mailbox_maps.cf | 2 +- .../etc/postfix/virtual/alias_catchall_maps.cf | 7 + roles/MX/files/etc/postfix/virtual/alias_maps.cf | 6 + roles/MX/files/etc/postfix/virtual/lists_maps.cf | 7 + .../files/etc/postfix/virtual/mailbox_domains.cf | 8 ++ roles/MX/files/etc/postfix/virtual/mailbox_maps.cf | 8 ++ .../files/etc/postfix/virtual/reserved_maps.pcre | 5 + .../etc/postfix/virtual/reserved_transport_maps | 2 + .../etc/postfix/virtual/transport_lists_maps.cf | 11 ++ roles/MX/files/usr/local/sbin/reserved-alias.pl | 110 ++++++++++++++++ roles/MX/handlers/main.yml | 9 ++ roles/MX/tasks/main.yml | 74 +++++++++++ roles/MX/templates/etc/postfix/main.cf.j2 | 142 +++++++++++++++++++++ .../etc/postfix/virtual/alias_catchall_maps.cf | 7 - roles/mx/files/etc/postfix/virtual/alias_maps.cf | 6 - roles/mx/files/etc/postfix/virtual/lists_maps.cf | 7 - .../files/etc/postfix/virtual/mailbox_domains.cf | 8 -- roles/mx/files/etc/postfix/virtual/mailbox_maps.cf | 8 -- .../files/etc/postfix/virtual/reserved_maps.pcre | 5 - .../etc/postfix/virtual/reserved_transport_maps | 2 - .../etc/postfix/virtual/transport_lists_maps.cf | 11 -- roles/mx/files/usr/local/sbin/reserved-alias.pl | 110 ---------------- roles/mx/handlers/main.yml | 9 -- roles/mx/tasks/main.yml | 74 ----------- roles/mx/templates/etc/postfix/main.cf.j2 | 142 --------------------- 27 files changed, 392 insertions(+), 392 deletions(-) create mode 100644 roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf create mode 100644 roles/MX/files/etc/postfix/virtual/alias_maps.cf create mode 100644 roles/MX/files/etc/postfix/virtual/lists_maps.cf create mode 100644 roles/MX/files/etc/postfix/virtual/mailbox_domains.cf create mode 100644 roles/MX/files/etc/postfix/virtual/mailbox_maps.cf create mode 100644 roles/MX/files/etc/postfix/virtual/reserved_maps.pcre create mode 100644 roles/MX/files/etc/postfix/virtual/reserved_transport_maps create mode 100644 roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf create mode 100755 roles/MX/files/usr/local/sbin/reserved-alias.pl create mode 100644 roles/MX/handlers/main.yml create mode 100644 roles/MX/tasks/main.yml create mode 100644 roles/MX/templates/etc/postfix/main.cf.j2 delete mode 100644 roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf delete mode 100644 roles/mx/files/etc/postfix/virtual/alias_maps.cf delete mode 100644 roles/mx/files/etc/postfix/virtual/lists_maps.cf delete mode 100644 roles/mx/files/etc/postfix/virtual/mailbox_domains.cf delete mode 100644 roles/mx/files/etc/postfix/virtual/mailbox_maps.cf delete mode 100644 roles/mx/files/etc/postfix/virtual/reserved_maps.pcre delete mode 100644 roles/mx/files/etc/postfix/virtual/reserved_transport_maps delete mode 100644 roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf delete mode 100755 roles/mx/files/usr/local/sbin/reserved-alias.pl delete mode 100644 roles/mx/handlers/main.yml delete mode 100644 roles/mx/tasks/main.yml delete mode 100644 roles/mx/templates/etc/postfix/main.cf.j2 diff --git a/MX.yml b/MX.yml index 11c1b0c..dc1ace5 100644 --- a/MX.yml +++ b/MX.yml @@ -2,7 +2,7 @@ - name: Configure the MX:es hosts: MX roles: - - { role: mx, inst: MX } + - { role: MX, inst: MX } tags: - mail - postfix diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf index 7e8c163..54363e6 120000 --- a/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf +++ b/roles/IMAP/files/etc/postfix/virtual/mailbox_domains.cf @@ -1 +1 @@ -../../../../../mx/files/etc/postfix/virtual/mailbox_domains.cf \ No newline at end of file +../../../../../MX/files/etc/postfix/virtual/mailbox_domains.cf \ No newline at end of file diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf index 763b30e..3a4d118 120000 --- a/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf +++ b/roles/IMAP/files/etc/postfix/virtual/mailbox_maps.cf @@ -1 +1 @@ -../../../../../mx/files/etc/postfix/virtual/mailbox_maps.cf \ No newline at end of file +../../../../../MX/files/etc/postfix/virtual/mailbox_maps.cf \ No newline at end of file diff --git a/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf b/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf new file mode 100644 index 0000000..c405f47 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/alias_catchall_maps.cf @@ -0,0 +1,7 @@ +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +scope = base +bind = none +query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*)) +result_attribute = fripostOptionalMaildrop diff --git a/roles/MX/files/etc/postfix/virtual/alias_maps.cf b/roles/MX/files/etc/postfix/virtual/alias_maps.cf new file mode 100644 index 0000000..9265d0b --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/alias_maps.cf @@ -0,0 +1,6 @@ +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +scope = base +query_filter = (&(ObjectClass=FripostVirtualAlias)(fvl=%u)) +result_attribute = fripostMaildrop diff --git a/roles/MX/files/etc/postfix/virtual/lists_maps.cf b/roles/MX/files/etc/postfix/virtual/lists_maps.cf new file mode 100644 index 0000000..b60dcf6 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/lists_maps.cf @@ -0,0 +1,7 @@ +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +scope = base +bind = none +query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fvl=%u)(fripostLocalAlias=%u#%d)) +result_attribute = fripostLocalAlias diff --git a/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf b/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf new file mode 100644 index 0000000..22d6be3 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/mailbox_domains.cf @@ -0,0 +1,8 @@ +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org +scope = base +bind = none +query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%s)) +result_attribute = fvd +result_format = OK diff --git a/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf b/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf new file mode 100644 index 0000000..dc97177 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/mailbox_maps.cf @@ -0,0 +1,8 @@ +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +scope = base +bind = none +query_filter = (&(ObjectClass=FripostVirtualUser)(fvl=%u)) +result_attribute = fvl +result_format = OK diff --git a/roles/MX/files/etc/postfix/virtual/reserved_maps.pcre b/roles/MX/files/etc/postfix/virtual/reserved_maps.pcre new file mode 100644 index 0000000..58572d1 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/reserved_maps.pcre @@ -0,0 +1,5 @@ +# These reserved aliases will always be redirected to us and the domain +# owner. +# TODO: check 'postmaster+test@fripost.org' +/^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/ admin@fripost.org +/^((?:postmaster|abuse)(?:\+.*)?)@/ $1 diff --git a/roles/MX/files/etc/postfix/virtual/reserved_transport_maps b/roles/MX/files/etc/postfix/virtual/reserved_transport_maps new file mode 100644 index 0000000..dce8710 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/reserved_transport_maps @@ -0,0 +1,2 @@ +abuse reserved-alias: +postmaster reserved-alias: diff --git a/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf new file mode 100644 index 0000000..9a7bca0 --- /dev/null +++ b/roles/MX/files/etc/postfix/virtual/transport_lists_maps.cf @@ -0,0 +1,11 @@ +# Despite the index on 'fripostLocalAlias' it's a bit more inefficient, +# but more precise, than the alternative of using regexes here, and a +# plain hash on the list managers' side. +server_host = ldapi://%2Fprivate%2Fldapi/ +version = 3 +search_base = ou=virtual,o=mailHosting,dc=fripost,dc=org +scope = sub +bind = none +query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fripostLocalAlias=%s)) +result_attribute = fripostLocalAlias +result_format = smtp:[127.0.0.1]:2345 diff --git a/roles/MX/files/usr/local/sbin/reserved-alias.pl b/roles/MX/files/usr/local/sbin/reserved-alias.pl new file mode 100755 index 0000000..c122c6d --- /dev/null +++ b/roles/MX/files/usr/local/sbin/reserved-alias.pl @@ -0,0 +1,110 @@ +#!/usr/bin/perl + +# Copyright © 2013 Guilhem Moulin +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +use warnings; +use strict; +use Net::LDAPI; +use Net::LDAP::Util qw/escape_filter_value ldap_explode_dn escape_dn_value/; +use Authen::SASL; + +if (!@ARGV or grep { $_ eq '-h' or $_ eq '--help' } @ARGV) { + # Help + print STDERR "Usage: $0 [original recipient] [additional recipient ...]\n"; + print STDERR "\n"; + print STDERR "The message read from the standard input is redirected to 'additional recipient',\n"; + print STDERR "and also forwarded to the domain owner if any. If the 'additional recipient' begins\n"; + print STDERR "with '\@', the localpart of 'original recipient' is prepended.\n"; + print STDERR "\n"; + print STDERR "This is mostly useful to comply to RFC 822 section 6.3 and RFC 2142 section\n"; + print STDERR "4 (to forward mails to 'admin\@' and 'postmaster\@' to the site admin in\n"; + print STDERR "addition to the virtual domain manager).\n"; + exit; +} + +# The original recipient +my $orig = shift; +$orig =~ /^([^@]+)\@(.+)$/ + or warn "Non fully qualified: $orig"; +my ($local,$domain) = ($1,$2); + +# The new recipient (typically, the admin site) +my @recipients = grep { $_ and $orig ne $_ } + # add localparts to domain + map { my $x = $_; + if ($x =~ /^\@/) { + if ($local) { + $x = $local.$x; + } + else { + undef $x; + } + } + $x + } + @ARGV; +# Die if we can't deliver to site admins +die "Error: Aborted delivery to '$orig' in attempt to break an alias expansion loop.\n" + unless @recipients; + +my @sendmail = ('/usr/sbin/sendmail', '-i', '-bm'); + +if (defined $domain) { + # Look for the domain owner/postmaster + my $ldap = Net::LDAPI->new(); + $ldap->bind( sasl => Authen::SASL->new(mechanism => 'EXTERNAL') ) + or die "Couldn't bind"; + + my @attrs = ( 'fripostPostmaster', 'fripostOwner' ); + my $mesg = $ldap->search( base => 'fvd='.escape_dn_value($domain).',' + .'ou=virtual,o=mailHosting,dc=fripost,dc=org' + , scope => 'base' + , deref => 'never' + , filter => '(&(objectClass=FripostVirtualDomain)' + .'(fvd='.escape_filter_value($domain).')'. + ')' + , attrs => \@attrs + ); + if ($mesg->code) { + warn $mesg->error; + } + elsif ($mesg->count != 1) { + # Note: this may happen for "$mydestination", but these mails + # are unlikely. We'll get a harmless warning at worst. + warn "Something weird happened when looking up domain '".$domain. + "'. Check your ACL."; + } + else { + my $entry = $mesg->pop_entry() // die "Cannot pop entry."; + foreach (@attrs) { + my $v = $entry->get_value($_, asref => 1) or next; + foreach my $dn (@$v) { + my $dn2 = ldap_explode_dn($dn, casefold => 'lower'); + my $l = $dn2->[0]->{fvl}; + my $d = $dn2->[1]->{fvd}; + if ($l and $d) { + push @recipients, $l.'@'.$d; + } + else { + warn "Invalid DN: $dn" + } + } + } + } + $ldap->unbind; +} + +exec (@sendmail, @recipients); diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml new file mode 100644 index 0000000..21c736a --- /dev/null +++ b/roles/MX/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: Restart Postgrey + service: name=postgrey state=restarted + +- name: Restart Postfix + service: name=postfix state=restarted + +- name: Reload Postfix + service: name=postfix state=reloaded diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml new file mode 100644 index 0000000..e2da61e --- /dev/null +++ b/roles/MX/tasks/main.yml @@ -0,0 +1,74 @@ +- name: Install Postfix & Postgrey + apt: pkg={{ item }} + with_items: + - postfix + - postfix-pcre + - postfix-ldap + - postfix-cdb + - postgrey + - libnet-ldap-perl + - libauthen-sasl-perl + +- name: Configure Postgrey + lineinfile: dest=/etc/default/postgrey + regexp='^POSTGREY_OPTS=' + line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"' + owner=root group=root + mode=0644 + register: r + notify: + - Restart Postgrey + +- name: Start Postgrey + service: name=postgrey state=started + when: not r.changed + +- meta: flush_handlers + +- name: Configure Postfix + template: src=etc/postfix/main.cf.j2 + dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf + owner=root group=root + mode=0644 + register: r + notify: + - Restart Postfix + +- name: Create directory /etc/postfix-.../virtual + file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual + owner=root group=root + state=directory + mode=0755 + +- name: Copy lookups tables + copy: src=etc/postfix/virtual/{{ item }} + dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }} + owner=root group=root + mode=0644 + with_items: + - mailbox_domains.cf + - reserved_maps.pcre + - alias_maps.cf + - lists_maps.cf + - alias_catchall_maps.cf + - mailbox_maps.cf + - reserved_transport_maps + - transport_lists_maps.cf + +- name: Compile the Reserved Transport Maps + postmap: cmd=postalias instance={{ postfix_instance[inst].name }} + src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/reserved_transport_maps db=cdb + owner=root group=root + mode=0644 + +- name: Copy reserved-alias.pl + copy: src=usr/local/sbin/reserved-alias.pl + dest=/usr/local/sbin/reserved-alias.pl + owner=root group=root + mode=0755 + +- name: Start Postfix + service: name=postfix state=started + when: not r.changed + +- meta: flush_handlers diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 new file mode 100644 index 0000000..0aa91b3 --- /dev/null +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -0,0 +1,142 @@ +######################################################################## +# MX configuration +# +# {{ ansible_managed }} +# Do NOT edit this file directly! + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +mail_owner = postfix + +delay_warning_time = 4h +maximal_queue_lifetime = 5d + +myorigin = /etc/mailname +myhostname = mx{{ mxno | default('') }}.$mydomain +mydomain = {{ ansible_domain }} +append_dot_mydomain = no + +# Turn off all TCP/IP listener ports except that necessary for the mail +# exchange. +master_service_disable = !smtp.inet inet + +queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} +data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} +multi_instance_group = {{ postfix_instance[inst].group | default('') }} +multi_instance_name = postfix-{{ postfix_instance[inst].name }} +multi_instance_enable = yes + +# This server is a Mail eXchange +mynetworks_style = host +inet_interfaces = all +inet_protocols = all + +# No local delivery +mydestination = +local_transport = error:5.1.1 Mailbox unavailable +alias_maps = +alias_database = +local_recipient_maps = + +message_size_limit = 67108864 +recipient_delimiter = + + +# Forward everything to our internal mailhub +{% if 'MTA-out' in group_names %} +relayhost = [127.0.0.1]:{{ MTA_out.port }} +{% else %} +relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }} +{% endif %} +relay_domains = + +# Virtual transport +{% if 'LDA' in group_names %} +virtual_transport = smtp:[127.0.0.1]:{{ LDA.port }} +{% else %} +virtual_transport = smtp:[{{ LDA.IPv4 }}]:{{ LDA.port }} +{% endif %} + +virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf +virtual_alias_maps = pcre:$config_directory/virtual/reserved_maps.pcre + ldap:$config_directory/virtual/alias_maps.cf + ldap:$config_directory/virtual/lists_maps.cf + ldap:$config_directory/virtual/alias_catchall_maps.cf +virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf +mailbox_transport_maps = cdb:$config_directory/virtual/reserved_transport_maps + ldap:$config_directory/virtual/transport_lists_maps.cf + +# Don't rewrite remote headers +local_header_rewrite_clients = +# Pass the client information along to the content filter +smtp_send_xforward_command = yes +# Avoid splitting the envelope and scanning messages multiple times +smtp_destination_recipient_limit = 1000 +# Tolerate occasional high latency +smtp_data_done_timeout = 1200s + +# Tunnel everything through IPSec +smtp_tls_security_level = none +smtp_bind_address = 172.16.0.1 + +# TLS +smtpd_tls_security_level = may +smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_CApath = /etc/ssl/certs/ +smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_received_header = yes +smtpd_tls_ask_ccert = yes +smtpd_tls_fingerprint_digest = sha1 +smtpd_tls_eecdh_grade = strong +tls_random_source = dev:/dev/urandom + + +# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix +# http://www.howtoforge.com/block_spam_at_mta_level_postfix + +strict_rfc821_envelopes = yes +smtpd_delay_reject = yes +disable_vrfy_command = yes + +# UCE control +invalid_hostname_reject_code = 554 +multi_recipient_bounce_reject_code = 554 +non_fqdn_reject_code = 554 +relay_domains_reject_code = 554 +unknown_address_reject_code = 554 +unknown_client_reject_code = 554 +unknown_hostname_reject_code = 554 +unknown_local_recipient_reject_code = 554 +unknown_relay_recipient_reject_code = 554 +unknown_virtual_alias_reject_code = 554 +unknown_virtual_mailbox_reject_code = 554 +unverified_recipient_reject_code = 554 +unverified_sender_reject_code = 554 + + +smtpd_client_restrictions = + permit_mynetworks + reject_rbl_client zen.spamhaus.org + reject_rbl_client bl.spamcop.net + +smtpd_helo_required = yes +smtpd_helo_restrictions = + permit_mynetworks + reject_non_fqdn_helo_hostname + reject_invalid_helo_hostname + +smtpd_sender_restrictions = + reject_non_fqdn_sender + reject_unknown_sender_domain + +smtpd_recipient_restrictions = + # RFC requirements + reject_non_fqdn_recipient + reject_unknown_recipient_domain + permit_mynetworks + reject_unauth_destination + check_policy_service unix:private/postgrey + +smtpd_data_restrictions = + reject_unauth_pipelining diff --git a/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf b/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf deleted file mode 100644 index c405f47..0000000 --- a/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf +++ /dev/null @@ -1,7 +0,0 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ -version = 3 -search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org -scope = base -bind = none -query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*)) -result_attribute = fripostOptionalMaildrop diff --git a/roles/mx/files/etc/postfix/virtual/alias_maps.cf b/roles/mx/files/etc/postfix/virtual/alias_maps.cf deleted file mode 100644 index 9265d0b..0000000 --- a/roles/mx/files/etc/postfix/virtual/alias_maps.cf +++ /dev/null @@ -1,6 +0,0 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ -version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org -scope = base -query_filter = (&(ObjectClass=FripostVirtualAlias)(fvl=%u)) -result_attribute = fripostMaildrop diff --git a/roles/mx/files/etc/postfix/virtual/lists_maps.cf b/roles/mx/files/etc/postfix/virtual/lists_maps.cf deleted file mode 100644 index b60dcf6..0000000 --- a/roles/mx/files/etc/postfix/virtual/lists_maps.cf +++ /dev/null @@ -1,7 +0,0 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ -version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org -scope = base -bind = none -query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fvl=%u)(fripostLocalAlias=%u#%d)) -result_attribute = fripostLocalAlias diff --git a/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf b/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf deleted file mode 100644 index 22d6be3..0000000 --- a/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf +++ /dev/null @@ -1,8 +0,0 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ -version = 3 -search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org -scope = base -bind = none -query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%s)) -result_attribute = fvd -result_format = OK diff --git a/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf b/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf deleted file mode 100644 index dc97177..0000000 --- a/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf +++ /dev/null @@ -1,8 +0,0 @@ -server_host = ldapi://%2Fprivate%2Fldapi/ -version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org -scope = base -bind = none -query_filter = (&(ObjectClass=FripostVirtualUser)(fvl=%u)) -result_attribute = fvl -result_format = OK diff --git a/roles/mx/files/etc/postfix/virtual/reserved_maps.pcre b/roles/mx/files/etc/postfix/virtual/reserved_maps.pcre deleted file mode 100644 index 58572d1..0000000 --- a/roles/mx/files/etc/postfix/virtual/reserved_maps.pcre +++ /dev/null @@ -1,5 +0,0 @@ -# These reserved aliases will always be redirected to us and the domain -# owner. -# TODO: check 'postmaster+test@fripost.org' -/^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/ admin@fripost.org -/^((?:postmaster|abuse)(?:\+.*)?)@/ $1 diff --git a/roles/mx/files/etc/postfix/virtual/reserved_transport_maps b/roles/mx/files/etc/postfix/virtual/reserved_transport_maps deleted file mode 100644 index dce8710..0000000 --- a/roles/mx/files/etc/postfix/virtual/reserved_transport_maps +++ /dev/null @@ -1,2 +0,0 @@ -abuse reserved-alias: -postmaster reserved-alias: diff --git a/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf deleted file mode 100644 index 9a7bca0..0000000 --- a/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf +++ /dev/null @@ -1,11 +0,0 @@ -# Despite the index on 'fripostLocalAlias' it's a bit more inefficient, -# but more precise, than the alternative of using regexes here, and a -# plain hash on the list managers' side. -server_host = ldapi://%2Fprivate%2Fldapi/ -version = 3 -search_base = ou=virtual,o=mailHosting,dc=fripost,dc=org -scope = sub -bind = none -query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fripostLocalAlias=%s)) -result_attribute = fripostLocalAlias -result_format = smtp:[127.0.0.1]:2345 diff --git a/roles/mx/files/usr/local/sbin/reserved-alias.pl b/roles/mx/files/usr/local/sbin/reserved-alias.pl deleted file mode 100755 index c122c6d..0000000 --- a/roles/mx/files/usr/local/sbin/reserved-alias.pl +++ /dev/null @@ -1,110 +0,0 @@ -#!/usr/bin/perl - -# Copyright © 2013 Guilhem Moulin -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -use warnings; -use strict; -use Net::LDAPI; -use Net::LDAP::Util qw/escape_filter_value ldap_explode_dn escape_dn_value/; -use Authen::SASL; - -if (!@ARGV or grep { $_ eq '-h' or $_ eq '--help' } @ARGV) { - # Help - print STDERR "Usage: $0 [original recipient] [additional recipient ...]\n"; - print STDERR "\n"; - print STDERR "The message read from the standard input is redirected to 'additional recipient',\n"; - print STDERR "and also forwarded to the domain owner if any. If the 'additional recipient' begins\n"; - print STDERR "with '\@', the localpart of 'original recipient' is prepended.\n"; - print STDERR "\n"; - print STDERR "This is mostly useful to comply to RFC 822 section 6.3 and RFC 2142 section\n"; - print STDERR "4 (to forward mails to 'admin\@' and 'postmaster\@' to the site admin in\n"; - print STDERR "addition to the virtual domain manager).\n"; - exit; -} - -# The original recipient -my $orig = shift; -$orig =~ /^([^@]+)\@(.+)$/ - or warn "Non fully qualified: $orig"; -my ($local,$domain) = ($1,$2); - -# The new recipient (typically, the admin site) -my @recipients = grep { $_ and $orig ne $_ } - # add localparts to domain - map { my $x = $_; - if ($x =~ /^\@/) { - if ($local) { - $x = $local.$x; - } - else { - undef $x; - } - } - $x - } - @ARGV; -# Die if we can't deliver to site admins -die "Error: Aborted delivery to '$orig' in attempt to break an alias expansion loop.\n" - unless @recipients; - -my @sendmail = ('/usr/sbin/sendmail', '-i', '-bm'); - -if (defined $domain) { - # Look for the domain owner/postmaster - my $ldap = Net::LDAPI->new(); - $ldap->bind( sasl => Authen::SASL->new(mechanism => 'EXTERNAL') ) - or die "Couldn't bind"; - - my @attrs = ( 'fripostPostmaster', 'fripostOwner' ); - my $mesg = $ldap->search( base => 'fvd='.escape_dn_value($domain).',' - .'ou=virtual,o=mailHosting,dc=fripost,dc=org' - , scope => 'base' - , deref => 'never' - , filter => '(&(objectClass=FripostVirtualDomain)' - .'(fvd='.escape_filter_value($domain).')'. - ')' - , attrs => \@attrs - ); - if ($mesg->code) { - warn $mesg->error; - } - elsif ($mesg->count != 1) { - # Note: this may happen for "$mydestination", but these mails - # are unlikely. We'll get a harmless warning at worst. - warn "Something weird happened when looking up domain '".$domain. - "'. Check your ACL."; - } - else { - my $entry = $mesg->pop_entry() // die "Cannot pop entry."; - foreach (@attrs) { - my $v = $entry->get_value($_, asref => 1) or next; - foreach my $dn (@$v) { - my $dn2 = ldap_explode_dn($dn, casefold => 'lower'); - my $l = $dn2->[0]->{fvl}; - my $d = $dn2->[1]->{fvd}; - if ($l and $d) { - push @recipients, $l.'@'.$d; - } - else { - warn "Invalid DN: $dn" - } - } - } - } - $ldap->unbind; -} - -exec (@sendmail, @recipients); diff --git a/roles/mx/handlers/main.yml b/roles/mx/handlers/main.yml deleted file mode 100644 index 21c736a..0000000 --- a/roles/mx/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Restart Postgrey - service: name=postgrey state=restarted - -- name: Restart Postfix - service: name=postfix state=restarted - -- name: Reload Postfix - service: name=postfix state=reloaded diff --git a/roles/mx/tasks/main.yml b/roles/mx/tasks/main.yml deleted file mode 100644 index e2da61e..0000000 --- a/roles/mx/tasks/main.yml +++ /dev/null @@ -1,74 +0,0 @@ -- name: Install Postfix & Postgrey - apt: pkg={{ item }} - with_items: - - postfix - - postfix-pcre - - postfix-ldap - - postfix-cdb - - postgrey - - libnet-ldap-perl - - libauthen-sasl-perl - -- name: Configure Postgrey - lineinfile: dest=/etc/default/postgrey - regexp='^POSTGREY_OPTS=' - line='POSTGREY_OPTS="--privacy --unix=/var/spool/postfix-{{ postfix_instance[inst].name }}/private/postgrey"' - owner=root group=root - mode=0644 - register: r - notify: - - Restart Postgrey - -- name: Start Postgrey - service: name=postgrey state=started - when: not r.changed - -- meta: flush_handlers - -- name: Configure Postfix - template: src=etc/postfix/main.cf.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf - owner=root group=root - mode=0644 - register: r - notify: - - Restart Postfix - -- name: Create directory /etc/postfix-.../virtual - file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual - owner=root group=root - state=directory - mode=0755 - -- name: Copy lookups tables - copy: src=etc/postfix/virtual/{{ item }} - dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }} - owner=root group=root - mode=0644 - with_items: - - mailbox_domains.cf - - reserved_maps.pcre - - alias_maps.cf - - lists_maps.cf - - alias_catchall_maps.cf - - mailbox_maps.cf - - reserved_transport_maps - - transport_lists_maps.cf - -- name: Compile the Reserved Transport Maps - postmap: cmd=postalias instance={{ postfix_instance[inst].name }} - src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/reserved_transport_maps db=cdb - owner=root group=root - mode=0644 - -- name: Copy reserved-alias.pl - copy: src=usr/local/sbin/reserved-alias.pl - dest=/usr/local/sbin/reserved-alias.pl - owner=root group=root - mode=0755 - -- name: Start Postfix - service: name=postfix state=started - when: not r.changed - -- meta: flush_handlers diff --git a/roles/mx/templates/etc/postfix/main.cf.j2 b/roles/mx/templates/etc/postfix/main.cf.j2 deleted file mode 100644 index 0aa91b3..0000000 --- a/roles/mx/templates/etc/postfix/main.cf.j2 +++ /dev/null @@ -1,142 +0,0 @@ -######################################################################## -# MX configuration -# -# {{ ansible_managed }} -# Do NOT edit this file directly! - -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no -mail_owner = postfix - -delay_warning_time = 4h -maximal_queue_lifetime = 5d - -myorigin = /etc/mailname -myhostname = mx{{ mxno | default('') }}.$mydomain -mydomain = {{ ansible_domain }} -append_dot_mydomain = no - -# Turn off all TCP/IP listener ports except that necessary for the mail -# exchange. -master_service_disable = !smtp.inet inet - -queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} -data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} -multi_instance_group = {{ postfix_instance[inst].group | default('') }} -multi_instance_name = postfix-{{ postfix_instance[inst].name }} -multi_instance_enable = yes - -# This server is a Mail eXchange -mynetworks_style = host -inet_interfaces = all -inet_protocols = all - -# No local delivery -mydestination = -local_transport = error:5.1.1 Mailbox unavailable -alias_maps = -alias_database = -local_recipient_maps = - -message_size_limit = 67108864 -recipient_delimiter = + - -# Forward everything to our internal mailhub -{% if 'MTA-out' in group_names %} -relayhost = [127.0.0.1]:{{ MTA_out.port }} -{% else %} -relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }} -{% endif %} -relay_domains = - -# Virtual transport -{% if 'LDA' in group_names %} -virtual_transport = smtp:[127.0.0.1]:{{ LDA.port }} -{% else %} -virtual_transport = smtp:[{{ LDA.IPv4 }}]:{{ LDA.port }} -{% endif %} - -virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf -virtual_alias_maps = pcre:$config_directory/virtual/reserved_maps.pcre - ldap:$config_directory/virtual/alias_maps.cf - ldap:$config_directory/virtual/lists_maps.cf - ldap:$config_directory/virtual/alias_catchall_maps.cf -virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf -mailbox_transport_maps = cdb:$config_directory/virtual/reserved_transport_maps - ldap:$config_directory/virtual/transport_lists_maps.cf - -# Don't rewrite remote headers -local_header_rewrite_clients = -# Pass the client information along to the content filter -smtp_send_xforward_command = yes -# Avoid splitting the envelope and scanning messages multiple times -smtp_destination_recipient_limit = 1000 -# Tolerate occasional high latency -smtp_data_done_timeout = 1200s - -# Tunnel everything through IPSec -smtp_tls_security_level = none -smtp_bind_address = 172.16.0.1 - -# TLS -smtpd_tls_security_level = may -smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key -smtpd_tls_CApath = /etc/ssl/certs/ -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_fingerprint_digest = sha1 -smtpd_tls_eecdh_grade = strong -tls_random_source = dev:/dev/urandom - - -# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix -# http://www.howtoforge.com/block_spam_at_mta_level_postfix - -strict_rfc821_envelopes = yes -smtpd_delay_reject = yes -disable_vrfy_command = yes - -# UCE control -invalid_hostname_reject_code = 554 -multi_recipient_bounce_reject_code = 554 -non_fqdn_reject_code = 554 -relay_domains_reject_code = 554 -unknown_address_reject_code = 554 -unknown_client_reject_code = 554 -unknown_hostname_reject_code = 554 -unknown_local_recipient_reject_code = 554 -unknown_relay_recipient_reject_code = 554 -unknown_virtual_alias_reject_code = 554 -unknown_virtual_mailbox_reject_code = 554 -unverified_recipient_reject_code = 554 -unverified_sender_reject_code = 554 - - -smtpd_client_restrictions = - permit_mynetworks - reject_rbl_client zen.spamhaus.org - reject_rbl_client bl.spamcop.net - -smtpd_helo_required = yes -smtpd_helo_restrictions = - permit_mynetworks - reject_non_fqdn_helo_hostname - reject_invalid_helo_hostname - -smtpd_sender_restrictions = - reject_non_fqdn_sender - reject_unknown_sender_domain - -smtpd_recipient_restrictions = - # RFC requirements - reject_non_fqdn_recipient - reject_unknown_recipient_domain - permit_mynetworks - reject_unauth_destination - check_policy_service unix:private/postgrey - -smtpd_data_restrictions = - reject_unauth_pipelining -- cgit v1.2.3