From e2ddcfc51f66c2a52a401064eab005e793f148ee Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 9 Dec 2018 18:41:06 +0100
Subject: Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.
---
lib/action_plugins/openldap.py | 7 +-
roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf | 6 +-
.../IMAP/files/etc/dovecot/conf.d/10-logging.conf | 9 +-
roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf | 28 +++-
roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 8 +-
roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf | 4 +-
.../files/etc/dovecot/conf.d/15-mailboxes.conf | 53 +++++--
roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf | 20 ++-
roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf | 7 +
roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf | 10 +-
roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf | 165 +++++++++++++++++----
.../files/etc/dovecot/conf.d/auth-ldap.conf.ext | 3 -
roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext | 3 +-
.../IMAP/files/usr/local/bin/dovecot-auth-proxy.pl | 14 +-
.../templates/etc/dovecot/conf.d/10-master.conf.j2 | 17 ++-
roles/IMAP/templates/etc/postfix/main.cf.j2 | 8 +-
roles/MSA/templates/etc/postfix/main.cf.j2 | 9 +-
.../templates/etc/ldap/database.ldif.j2 | 2 +-
.../files/etc/fail2ban/filter.d/dovecot.conf | 34 +++++
.../etc/logcheck/ignore.d.server/dovecot-local | 33 ++---
.../etc/logcheck/ignore.d.server/postfix-local | 7 +-
roles/common/tasks/fail2ban.yml | 1 +
roles/common/templates/etc/fail2ban/jail.local.j2 | 2 +-
roles/common/templates/etc/iptables/services.j2 | 1 +
.../lacme/templates/etc/lacme/lacme-certs.conf.j2 | 2 +-
25 files changed, 337 insertions(+), 116 deletions(-)
create mode 100644 roles/common/files/etc/fail2ban/filter.d/dovecot.conf
diff --git a/lib/action_plugins/openldap.py b/lib/action_plugins/openldap.py
index ae4992a..b94a822 100644
--- a/lib/action_plugins/openldap.py
+++ b/lib/action_plugins/openldap.py
@@ -63,7 +63,10 @@ class ActionModule(ActionBase):
result['msg'] = type(e).__name__ + ": " + str(e)
return result
- # transfer the file and run the module remotely
- self._transfer_data(new_module_args['target'], target)
+ # transfer the file and run the module remotely
+ self._transfer_data(new_module_args['target'], target)
+ elif local == 'file':
+ self._transfer_file(target, new_module_args['target'])
+ result.update(self._execute_module(module_args=new_module_args, task_vars=task_vars))
return result
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
index d4f323d..7213fbb 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
@@ -73,7 +73,7 @@ auth_username_format = %Lu
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
-#auth_krb5_keytab =
+#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper.
@@ -88,9 +88,9 @@ auth_username_format = %Lu
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
-# Take the username from client's SSL certificate, using
+# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName.
+# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
index c611bfc..848fe69 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
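Review bot: The new `elif local == 'file':` branch leaves the chain without a final `else`, so any `local` value other than the ones tested falls straight through to `result.update(self._execute_module(...))` with nothing transferred, and the module then runs remotely against a `target` that was never written; the method and the opening `if local == …` test both begin above this hunk, so whether an earlier check already rejects such values cannot be confirmed from here. A guard placed before the `result.update(...)` line closes that gap: `else:`, `result['failed'] = True; result['msg'] = "unsupported value for 'local': %r" % local`, `return result`. The removed and re-added `_transfer_data` lines are textually identical, so the hunk presumably only re-indents them into the first branch; a one-line comment on the new branch, `# local == 'file': 'target' presumably names a controller-side file, copied to new_module_args['target'] on the remote`, would make the two transfer modes easier to tell apart.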
@@ -7,9 +7,9 @@
#log_path = syslog
# Log file to use for informational messages. Defaults to log_path.
-#info_log_path =
+#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
-#debug_log_path =
+#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
@@ -69,12 +69,13 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
-
+
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u): "
-# Format to use for logging mail deliveries. You can use variables:
+# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for
+# list of all variables you can use. Some of the common ones include:
# %$ - Delivery status message (e.g. "saved to INBOX")
# %m - Message-ID
# %s - Subject
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
index 2e68df4..a781402 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
@@ -50,7 +50,7 @@ namespace inbox {
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
- #prefix =
+ #prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
@@ -133,10 +133,22 @@ mail_gid = vmail
# or ~user/.
#mail_full_filesystem_access = no
-# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
-# soon intended to be used by METADATA as well.
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
#mail_attribute_dict =
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment".
+mail_server_comment = "fripost - demokratisk e-post"
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+mail_server_admin = mailto:postmaster@fripost.org
+
##
## Mail processes
##
@@ -188,7 +200,7 @@ first_valid_uid = 1
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users.
-#valid_chroot_dirs =
+#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
@@ -196,7 +208,7 @@ first_valid_uid = 1
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot.
-#mail_chroot =
+#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
@@ -207,7 +219,7 @@ first_valid_uid = 1
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = stats virtual zlib
+mail_plugins = quota stats virtual zlib
##
## Mailbox handling optimizations
##
@@ -224,7 +236,7 @@ mailbox_list_index = yes
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
-# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
@@ -313,7 +325,7 @@ mailbox_list_index = yes
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index dc0b5bf..250eec5 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -21,7 +21,7 @@ ssl_key = :]path[;
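Review bot: `+mail_plugins = quota stats virtual zlib` loads the quota plugin for every service, but no quota backend or rule appears anywhere in this chunk, and the only Dovecot plugin file the diffstat shows changing is `90-plugin.conf` (10 lines), so whether `quota` is actually configured cannot be confirmed from here; presumably that file carries the backend, otherwise the plugin is loaded with nothing to enforce. Because this setting is global it also applies to LDA/LMTP delivery, so if delivery-time enforcement is intended the over-quota behaviour (`quota_full_tempfail`) should match what the Postfix `main.cf.j2` templates in this commit expect. A comment next to the line, `# quota: backend and rules are configured in 90-plugin.conf`, would record that dependency for the next reader.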