From b7a7ceb88ed5b44959920cde170bc6aaa83026bb Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 2 Jun 2017 14:25:21 +0200 Subject: dovecot: enable user iteration and add a cronjob for `doveadm purge -A` --- roles/IMAP/files/etc/cron.d/doveadm | 1 + .../files/etc/dovecot/conf.d/auth-ldap.conf.ext | 8 ++ .../files/etc/dovecot/dovecot-dict-auth.conf.ext | 12 ++ .../etc/systemd/system/dovecot-auth-proxy.service | 23 ++++ .../etc/systemd/system/dovecot-auth-proxy.socket | 8 ++ .../IMAP/files/usr/local/bin/dovecot-auth-proxy.pl | 130 +++++++++++++++++++++ 6 files changed, 182 insertions(+) create mode 100644 roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext create mode 100644 roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service create mode 100644 roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket create mode 100755 roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl (limited to 'roles/IMAP/files') diff --git a/roles/IMAP/files/etc/cron.d/doveadm b/roles/IMAP/files/etc/cron.d/doveadm index 1cb0ed8..b0551e4 100644 --- a/roles/IMAP/files/etc/cron.d/doveadm +++ b/roles/IMAP/files/etc/cron.d/doveadm @@ -1,3 +1,4 @@ MAILTO=root 59 * * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm sis deduplicate /home/mail/attachments /home/mail/attachments/queue +37 5 * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm purge -A diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext index 360727e..9917753 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext @@ -37,3 +37,11 @@ userdb { # so we can skip the passdb lookup here. args = home=/home/mail/virtual/%d/%n allow_all_users=yes } + +# Used only for iteration as the static userdb above always succeeds +userdb { + driver = dict + skip = found + result_internalfail = return-fail + args = /etc/dovecot/dovecot-dict-auth.conf.ext +} diff --git a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext new file mode 100644 index 0000000..ecd7134 --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext @@ -0,0 +1,12 @@ +# This file is commonly accessed via passdb {} or userdb {} section in +# conf.d/auth-dict.conf.ext + +# Dictionary URI +uri = proxy:/var/run/dovecot/auth-proxy: + +# Username iteration prefix. Keys under this are assumed to contain usernames. +iterate_prefix = userdb/ + +# Should iteration be disabled for this userdb? If this userdb acts only as a +# cache there's no reason to try to iterate the (partial & duplicate) users. +iterate_disable = no diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service new file mode 100644 index 0000000..ea5895c --- /dev/null +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service @@ -0,0 +1,23 @@ +[Unit] +Description=Dovecot authentication proxy +After=dovecot.target +Requires=dovecot-auth-proxy.socket + +[Service] +User=vmail +Group=vmail +StandardInput=null +SyslogFacility=mail +ExecStart=/usr/local/bin/dovecot-auth-proxy.pl + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectSystem=full +ProtectHome=read-only +ReadOnlyDirectories=/ +RestrictAddressFamilies= + +[Install] +WantedBy=multi-user.target +Also=postfix-sender-login.socket diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket new file mode 100644 index 0000000..6dee91a --- /dev/null +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket @@ -0,0 +1,8 @@ +[Socket] +SocketUser=dovecot +SocketGroup=dovecot +SocketMode=0600 +ListenStream=/run/dovecot/auth-proxy + +[Install] +WantedBy=sockets.target diff --git a/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl new file mode 100755 index 0000000..cc52dbf --- /dev/null +++ b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl @@ -0,0 +1,130 @@ +#!/usr/bin/perl + +#---------------------------------------------------------------------- +# socketmap lookup table returning the SASL login name(s) owning a given +# sender address +# Copyright © 2017 Guilhem Moulin +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +#---------------------------------------------------------------------- + +use warnings; +use strict; + +use Errno 'EINTR'; + +# clean up PATH +$ENV{PATH} = join ':', qw{/usr/bin /bin}; +delete @ENV{qw/IFS CDPATH ENV BASH_ENV/}; + +# number of pre-forked servers +my $nProc = 1; +sub server(); + +# fdopen(3) the file descriptor FD +die "This service must be socket-activated.\n" + unless defined $ENV{LISTEN_PID} and $ENV{LISTEN_PID} == $$ + and defined $ENV{LISTEN_FDS} and $ENV{LISTEN_FDS} == 1; +open my $S, '+<&=', 3 or die "fdopen: $!"; + +do { + my $dir = (getpwnam('vmail'))[7] // die "No such user: vmail"; + $dir .= '/virtual'; + chdir($dir) or die "chdir($dir): $!"; +}; + +my @CHILDREN; +for (my $i = 0; $i < $nProc-1; $i++) { + my $pid = fork() // die "fork: $!"; + if ($pid) { + push @CHILDREN, $pid; + } else { + server(); # child, never return + exit; + } +} +server(); +waitpid $_ => 0 foreach @CHILDREN; +exit $?; + + +############################################################################# + +sub server() { + for (my $n = 0; $n < 1; $n++) { + accept(my $conn, $S) or do { + next if $! == EINTR; + die "accept: $!"; + }; + + my $hello = $conn->getline() // ''; + unless ($hello =~ /\AH(\d+)\t(\d+)\t(\d+)(?:\t.*)?\n\z/) { + warn "Invalid greeting line: $hello\n"; + close $conn or warn "Can't close: $!"; + next; + } + # + unless ($1 == 2 and $2 == 0 and $3 == 0) { + warn "Unsupported protocol version $1.$2 (or value type $3)\n"; + close $conn or warn "Can't close: $!"; + next; + } + + my $cmd = $conn->getline() // ''; + if ($cmd =~ /\AI(\d+)\t(.*)\n\z/) { + iterate($conn, $1, $2); + } + else { + fail($conn => "Unknown command line: $cmd"); + } + close $conn or warn "Can't close: $!"; + } +} + +sub fail($;$) { + my ($fh, $msg) = @_; + $fh->printflush("F\n"); + warn "$msg\n" if defined $msg; +} + +# list all users, even the inactive ones +sub iterate($$$) { + my ($fh, $flags, $prefix) = @_; + unless ($flags == 0) { + fail($fh => "Unsupported iterate flags $flags"); + return; + } + + opendir my $dh, '.' or do { + fail($fh => "opendir: $!"); + return; + }; + while (defined (my $d = readdir $dh)) { + next if $d eq '.' or $d eq '..'; + opendir my $dh, $d or do { + fail($fh => "opendir: $!"); + return; + }; + while (defined (my $l = readdir $dh)) { + next if $l eq '.' or $l eq '..'; + my $user = $l.'@'.$d; + next unless $user =~ /\A[a-zA-Z0-9\.\-_@]+\z/; # skip invalid user names + $fh->printf("O%s%s\t\n", $prefix, $user); + } + closedir $dh or warn "closedir: $!"; + } + closedir $dh or warn "closedir: $!"; + + $fh->printflush("\n"); +} -- cgit v1.2.3