From d363522c15b1d1ce61b2780a539dd09e2e679d34 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 1 Dec 2013 23:51:28 +0100
Subject: Configure the MX:es.
---
.../templates/etc/ldap/database.ldif.j2 | 4 +-
roles/common/files/etc/postfix/master.cf | 2 +
roles/common/templates/etc/fail2ban/jail.local.j2 | 14 +++
roles/common/templates/etc/iptables/services.j2 | 8 +-
roles/common/templates/etc/postfix/main.cf.j2 | 4 +
.../etc/postfix/virtual/alias_catchall_maps.cf | 8 ++
roles/mx/files/etc/postfix/virtual/alias_maps.cf | 7 ++
roles/mx/files/etc/postfix/virtual/lists_maps.cf | 8 ++
.../files/etc/postfix/virtual/mailbox_domains.cf | 9 ++
roles/mx/files/etc/postfix/virtual/mailbox_maps.cf | 9 ++
.../files/etc/postfix/virtual/reserved_maps.pcre | 5 +
.../etc/postfix/virtual/reserved_transport_maps | 2 +
.../etc/postfix/virtual/transport_lists_maps.cf | 12 ++
roles/mx/files/usr/local/sbin/reserved-alias.pl | 110 ++++++++++++++++
roles/mx/handlers/main.yml | 9 ++
roles/mx/templates/etc/postfix/main.cf.j2 | 139 +++++++++++++++++++++
16 files changed, 347 insertions(+), 3 deletions(-)
create mode 100644 roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf
create mode 100644 roles/mx/files/etc/postfix/virtual/alias_maps.cf
create mode 100644 roles/mx/files/etc/postfix/virtual/lists_maps.cf
create mode 100644 roles/mx/files/etc/postfix/virtual/mailbox_domains.cf
create mode 100644 roles/mx/files/etc/postfix/virtual/mailbox_maps.cf
create mode 100644 roles/mx/files/etc/postfix/virtual/reserved_maps.pcre
create mode 100644 roles/mx/files/etc/postfix/virtual/reserved_transport_maps
create mode 100644 roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf
create mode 100755 roles/mx/files/usr/local/sbin/reserved-alias.pl
create mode 100644 roles/mx/handlers/main.yml
create mode 100644 roles/mx/templates/etc/postfix/main.cf.j2
(limited to 'roles')
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 1970a99..8333032 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -106,11 +106,12 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
+#
# Search lists and domain owners
olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
- by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =s
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =s
by users =0 break
#
@@ -118,6 +119,7 @@ olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
+ by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index d9722ef..b8bc458 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -34,3 +34,5 @@ lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
16132 inet n - - - - smtpd
+reserved-alias unix - n n - - pipe
+ flags=Rhu user=mail argv=/usr/local/sbin/reserved-alias.pl ${original_recipient} @fripost.org
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 0dcab8d..b92cb7a 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -16,6 +16,10 @@ action = %(action_)s
#
# JAILS
#
+# There is no risk to lock ourself out, since traffic between our machines goes
+# through IPSec, and these packets are accepted before having a chance to enter
+# fail2ban's chain.
+#
[ssh]
@@ -47,3 +51,13 @@ banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
+
+{% if 'MX' in group_names %}
+[postfix]
+
+enabled = true
+port = smtp
+filter = postfix
+logpath = /var/log/mail.log
+maxretry = 10
+{% endif %}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index b1b7f0f..8a9409d 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -5,9 +5,13 @@
# (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port)
inout udp 500 500 # ISAKMP
-
-in tcp {{ ansible_ssh_port|default('22') }} # SSH
+#inout udp 4500 4500 # IPSec NAT Traversal
out tcp 80,443 # HTTP/HTTPS
out udp 53 # DNS
out udp 67 # DHCP
+
+in tcp {{ ansible_ssh_port|default('22') }} # SSH
+{% if 'MX' in group_names %}
+in tcp 25 # SMTP
+{% endif %}
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 59bf0ba..a856843 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -1,9 +1,13 @@
########################################################################
# Nullmailer configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
+mail_owner = postfix
myorigin = /etc/mailname
myhostname = {{ ansible_fqdn }}
diff --git a/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf b/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf
new file mode 100644
index 0000000..2de4667
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf
@@ -0,0 +1,8 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+scope = base
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*))
+result_attribute = fripostOptionalMaildrop
diff --git a/roles/mx/files/etc/postfix/virtual/alias_maps.cf b/roles/mx/files/etc/postfix/virtual/alias_maps.cf
new file mode 100644
index 0000000..aa26e18
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/alias_maps.cf
@@ -0,0 +1,7 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(ObjectClass=FripostVirtualAlias)(fvl=%u))
+result_attribute = fripostMaildrop
diff --git a/roles/mx/files/etc/postfix/virtual/lists_maps.cf b/roles/mx/files/etc/postfix/virtual/lists_maps.cf
new file mode 100644
index 0000000..a4657ec
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/lists_maps.cf
@@ -0,0 +1,8 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+scope = base
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fvl=%u)(fripostLocalAlias=%u#%d))
+result_attribute = fripostLocalAlias
diff --git a/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf b/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf
new file mode 100644
index 0000000..d580cb9
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf
@@ -0,0 +1,9 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
+scope = base
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%s))
+result_attribute = fvd
+result_format = OK
diff --git a/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf b/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf
new file mode 100644
index 0000000..0f0e0e4
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf
@@ -0,0 +1,9 @@
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+scope = base
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(ObjectClass=FripostVirtualUser)(fvl=%u))
+result_attribute = fvl
+result_format = OK
diff --git a/roles/mx/files/etc/postfix/virtual/reserved_maps.pcre b/roles/mx/files/etc/postfix/virtual/reserved_maps.pcre
new file mode 100644
index 0000000..58572d1
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/reserved_maps.pcre
@@ -0,0 +1,5 @@
+# These reserved aliases will always be redirected to us and the domain
+# owner.
+# TODO: check 'postmaster+test@fripost.org'
+/^(?:postmaster|abuse)(?:\+.*)?@fripost\.org$/ admin@fripost.org
+/^((?:postmaster|abuse)(?:\+.*)?)@/ $1
diff --git a/roles/mx/files/etc/postfix/virtual/reserved_transport_maps b/roles/mx/files/etc/postfix/virtual/reserved_transport_maps
new file mode 100644
index 0000000..dce8710
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/reserved_transport_maps
@@ -0,0 +1,2 @@
+abuse reserved-alias:
+postmaster reserved-alias:
diff --git a/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf
new file mode 100644
index 0000000..3cca999
--- /dev/null
+++ b/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf
@@ -0,0 +1,12 @@
+# Despite the index on 'fripostLocalAlias' it's a bit more inefficient,
+# but more precise, than the alternative of using regexes here, and a
+# plain hash on the list managers' side.
+server_host = ldapi://%2Fprivate%2Fldapi/
+version = 3
+search_base = ou=virtual,o=mailHosting,dc=fripost,dc=org
+scope = sub
+bind = sasl
+sasl_mechs = EXTERNAL
+query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fripostLocalAlias=%s))
+result_attribute = fripostLocalAlias
+result_format = smtp:[127.0.0.1]:2345
diff --git a/roles/mx/files/usr/local/sbin/reserved-alias.pl b/roles/mx/files/usr/local/sbin/reserved-alias.pl
new file mode 100755
index 0000000..c122c6d
--- /dev/null
+++ b/roles/mx/files/usr/local/sbin/reserved-alias.pl
@@ -0,0 +1,110 @@
+#!/usr/bin/perl
+
+# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use warnings;
+use strict;
+use Net::LDAPI;
+use Net::LDAP::Util qw/escape_filter_value ldap_explode_dn escape_dn_value/;
+use Authen::SASL;
+
+if (!@ARGV or grep { $_ eq '-h' or $_ eq '--help' } @ARGV) {
+ # Help
+ print STDERR "Usage: $0 [original recipient] [additional recipient ...]\n";
+ print STDERR "\n";
+ print STDERR "The message read from the standard input is redirected to 'additional recipient',\n";
+ print STDERR "and also forwarded to the domain owner if any. If the 'additional recipient' begins\n";
+ print STDERR "with '\@', the localpart of 'original recipient' is prepended.\n";
+ print STDERR "\n";
+ print STDERR "This is mostly useful to comply to RFC 822 section 6.3 and RFC 2142 section\n";
+ print STDERR "4 (to forward mails to 'admin\@' and 'postmaster\@' to the site admin in\n";
+ print STDERR "addition to the virtual domain manager).\n";
+ exit;
+}
+
+# The original recipient
+my $orig = shift;
+$orig =~ /^([^@]+)\@(.+)$/
+ or warn "Non fully qualified: $orig";
+my ($local,$domain) = ($1,$2);
+
+# The new recipient (typically, the admin site)
+my @recipients = grep { $_ and $orig ne $_ }
+ # add localparts to domain
+ map { my $x = $_;
+ if ($x =~ /^\@/) {
+ if ($local) {
+ $x = $local.$x;
+ }
+ else {
+ undef $x;
+ }
+ }
+ $x
+ }
+ @ARGV;
+# Die if we can't deliver to site admins
+die "Error: Aborted delivery to '$orig' in attempt to break an alias expansion loop.\n"
+ unless @recipients;
+
+my @sendmail = ('/usr/sbin/sendmail', '-i', '-bm');
+
+if (defined $domain) {
+ # Look for the domain owner/postmaster
+ my $ldap = Net::LDAPI->new();
+ $ldap->bind( sasl => Authen::SASL->new(mechanism => 'EXTERNAL') )
+ or die "Couldn't bind";
+
+ my @attrs = ( 'fripostPostmaster', 'fripostOwner' );
+ my $mesg = $ldap->search( base => 'fvd='.escape_dn_value($domain).','
+ .'ou=virtual,o=mailHosting,dc=fripost,dc=org'
+ , scope => 'base'
+ , deref => 'never'
+ , filter => '(&(objectClass=FripostVirtualDomain)'
+ .'(fvd='.escape_filter_value($domain).')'.
+ ')'
+ , attrs => \@attrs
+ );
+ if ($mesg->code) {
+ warn $mesg->error;
+ }
+ elsif ($mesg->count != 1) {
+ # Note: this may happen for "$mydestination", but these mails
+ # are unlikely. We'll get a harmless warning at worst.
+ warn "Something weird happened when looking up domain '".$domain.
+ "'. Check your ACL.";
+ }
+ else {
+ my $entry = $mesg->pop_entry() // die "Cannot pop entry.";
+ foreach (@attrs) {
+ my $v = $entry->get_value($_, asref => 1) or next;
+ foreach my $dn (@$v) {
+ my $dn2 = ldap_explode_dn($dn, casefold => 'lower');
+ my $l = $dn2->[0]->{fvl};
+ my $d = $dn2->[1]->{fvd};
+ if ($l and $d) {
+ push @recipients, $l.'@'.$d;
+ }
+ else {
+ warn "Invalid DN: $dn"
+ }
+ }
+ }
+ }
+ $ldap->unbind;
+}
+
+exec (@sendmail, @recipients);
diff --git a/roles/mx/handlers/main.yml b/roles/mx/handlers/main.yml
new file mode 100644
index 0000000..21c736a
--- /dev/null
+++ b/roles/mx/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart Postgrey
+ service: name=postgrey state=restarted
+
+- name: Restart Postfix
+ service: name=postfix state=restarted
+
+- name: Reload Postfix
+ service: name=postfix state=reloaded
diff --git a/roles/mx/templates/etc/postfix/main.cf.j2 b/roles/mx/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..5c44781
--- /dev/null
+++ b/roles/mx/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,139 @@
+########################################################################
+# MX configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+
+delay_warning_time = 4h
+maximal_queue_lifetime = 5d
+
+myorigin = /etc/mailname
+myhostname = mx{{ mxno | default('') }}.$mydomain
+mydomain = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the mail
+# exchange.
+master_service_disable = !smtp.inet inet
+
+queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group = {{ postfix_instance[inst].group }}
+multi_instance_name = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# This server is a Mail eXchange
+mynetworks_style = host
+inet_interfaces = all
+inet_protocols = all
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+alias_database =
+local_recipient_maps =
+
+message_size_limit = 67108864
+recipient_delimiter = +
+
+# Forward everything to our internal mailhub
+{% if 'MTA-out' in group_names %}
+relay_transport = lmtp:unix:private/mta-out
+{% else %}
+relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
+{% endif %}
+relay_domains =
+
+{% if 'LDA' in group_names %}
+virtual_transport = lmtp:unix:private/lda
+{% else %}
+virtual_transport = smtp:[{{ LDA.IPv4 }}]:{{ LDA.port }}
+{% endif %}
+
+virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
+virtual_alias_maps = pcre:$config_directory/virtual/reserved_maps.pcre
+ ldap:$config_directory/virtual/alias_maps.cf
+ ldap:$config_directory/virtual/lists_maps.cf
+ ldap:$config_directory/virtual/alias_catchall_maps.cf
+virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf
+mailbox_transport_maps = cdb:$config_directory/virtual/reserved_transport_maps
+ ldap:$config_directory/virtual/transport_lists_maps.cf
+
+# Pass the client information along to the content filter
+local_header_rewrite_clients =
+smtp_send_xforward_command = yes
+smtp_destination_recipient_limit = 1000
+smtp_data_done_timeout = 1200s
+
+# Tunnel everything through IPSec
+smtp_tls_security_level = none
+smtp_bind_address = 172.16.0.1
+
+# Virtual
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_CApath = /etc/ssl/certs/
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_fingerprint_digest = sha1
+smtpd_tls_eecdh_grade = strong
+
+tls_random_source = dev:/dev/urandom
+
+
+# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
+# http://www.howtoforge.com/block_spam_at_mta_level_postfix
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+# UCE control
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+
+
+smtpd_client_restrictions =
+ permit_mynetworks
+ reject_rbl_client zen.spamhaus.org
+ reject_rbl_client bl.spamcop.net
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ permit_mynetworks
+ reject_non_fqdn_helo_hostname
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ reject_unauth_destination
+ check_policy_service unix:private/postgrey
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining
--
cgit v1.2.3