Page MenuHomeDevCentral

D3242.diff
No OneTemporary

D3242.diff

diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -111,6 +111,7 @@
mailserver:
- ops/secrets/dbserver/cluster-A/users/mailManagement
- ops/secrets/dbserver/cluster-A/users/dovecot
+ - ops/secrets/dbserver/cluster-A/users/postfix
- ops/secrets/mailserver/security
opensearch:
diff --git a/roles/mailserver/init.sls b/pillar/mailserver/postfix.sls
copy from roles/mailserver/init.sls
copy to pillar/mailserver/postfix.sls
--- a/roles/mailserver/init.sls
+++ b/pillar/mailserver/postfix.sls
@@ -1,8 +1,12 @@
# -------------------------------------------------------------
-# Salt — Mail
+# Salt — postfix Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-# This state is left intentionally blank.
+postfix_config:
+ db:
+ service: db-A
+ database: mail
+ credential: dbserver/cluster-A/users/postfix
diff --git a/pillar/top.sls b/pillar/top.sls
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -53,6 +53,7 @@
hervil:
- mailserver.vimbadmin
- mailserver.dovecot
+ - mailserver.postfix
ysul:
- devserver.repos
diff --git a/roles/mailserver/init.sls b/roles/mailserver/init.sls
--- a/roles/mailserver/init.sls
+++ b/roles/mailserver/init.sls
@@ -5,4 +5,5 @@
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-# This state is left intentionally blank.
+include:
+ - .postfix
diff --git a/roles/mailserver/map.jinja b/roles/mailserver/map.jinja
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/map.jinja
@@ -0,0 +1,16 @@
+{% set postfix_dirs = salt['grains.filter_by']({
+ 'FreeBSD' : {
+ 'daemon': '/usr/local/libexec/postfix',
+ 'queue': '/var/spool/postfix',
+ 'data': '/var/db/postfix',
+ 'shlib': '/usr/local/lib/postfix',
+ 'cacerts': '/etc/ssl/certs',
+ },
+ 'Debian' : {
+ 'daemon': '/usr/lib/postfix',
+ 'queue': '/var/spool/postfix',
+ 'data': '/var/lib/postfix',
+ 'shlib': '/usr/lib/postfix',
+ 'cacerts': '/etc/ssl/certs',
+ }
+}, default='Debian') %}
diff --git a/roles/mailserver/postfix/files/dynamicmaps.cf b/roles/mailserver/postfix/files/dynamicmaps.cf
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/dynamicmaps.cf
@@ -0,0 +1,20 @@
+# -------------------------------------------------------------
+# Postfix main configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix/files/dynamicmaps.cf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# Postfix dynamic maps configuration file.
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+pgsql {{ dirs.lib }}/postfix/postfix-pgsql.so dict_pgsql_open
diff --git a/roles/mailserver/postfix/files/main.cf b/roles/mailserver/postfix/files/main.cf
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/main.cf
@@ -0,0 +1,123 @@
+# -------------------------------------------------------------
+# Postfix main configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix/files/main.cf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+compatibility_level = 3.8
+
+# -------------------------------------------------------------
+# Postfix directories
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+command_directory = {{ dirs.sbin }}
+daemon_directory = {{ postfix_dirs.daemon }}
+data_directory = {{ postfix_dirs.data }}
+html_directory = {{ dirs.share }}/doc/postfix
+manpage_directory = {{ dirs.man }}
+meta_directory = {{ dirs.etc }}/postfix
+queue_directory = {{ postfix_dirs.queue }}
+readme_directory = {{ dirs.share }}/doc/postfix
+sample_directory = {{ dirs.etc }}/postfix
+shlib_directory = {{ postfix_dirs.shlib }}
+
+virtual_mailbox_base = /var/mail/_virtual
+virtual_uid_maps = static:6000
+virtual_gid_maps = static:6000
+
+virtual_mailbox_domains=pgsql:{{ dirs.etc }}/postfix/pgsql-virtual-mailbox-domains.cf
+virtual_mailbox_maps=pgsql:{{ dirs.etc }}/postfix/pgsql-virtual-mailbox-maps.cf
+virtual_alias_maps=pgsql:{{ dirs.etc }}/postfix/pgsql-virtual-alias-maps.cf
+
+alias_maps = hash:/etc/mail/aliases
+alias_database = hash:/etc/mail/aliases
+
+myhostname = mail.nasqueron.org
+
+# -------------------------------------------------------------
+# External utilities
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+mailq_path = /usr/bin/mailq
+newaliases_path = /usr/bin/newaliases
+sendmail_path = /usr/bin/sendmail
+
+# -------------------------------------------------------------
+# UNIX users and groups
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+mail_owner = postfix
+setgid_group = maildrop
+
+# -------------------------------------------------------------
+# Debug
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+debug_peer_level = 2
+
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# -------------------------------------------------------------
+# Network
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+inet_protocols = all
+mynetworks_style = host
+
+# -------------------------------------------------------------
+# Mail
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+mydestination = localhost
+unknown_local_recipient_reject_code = 550
+
+# -------------------------------------------------------------
+# TLS certificates
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+smtp_tls_CApath = {{ postfix_dirs.cacerts }}
+
+smtpd_tls_security_level=may
+smtpd_tls_cert_file=/usr/local/etc/letsencrypt/live/mail.nasqueron.org/fullchain.pem
+smtpd_tls_key_file=/usr/local/etc/letsencrypt/live/mail.nasqueron.org/privkey.pem
+
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL,MD5
+smtpd_tls_security_level = may
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
+
+# -------------------------------------------------------------
+# Handle mail storage with dovecot
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+# -------------------------------------------------------------
+# Handle SMTP authentication using Dovecot
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_unauth_destination,
+ reject_rbl_client zen.spamhaus.org,
+ reject_rbl_client bl.spamcop.net,
+ reject_rbl_client cbl.abuseat.org,
+ check_policy_service unix:private/policy-spf
+
+smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
diff --git a/roles/mailserver/postfix/files/master.cf b/roles/mailserver/postfix/files/master.cf
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/master.cf
@@ -0,0 +1,77 @@
+# -------------------------------------------------------------
+# Postfix main configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix/files/master.cf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - - - - smtpd
+submission inet n - - - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=private/auth
+ -o smtpd_sasl_security_options=noanonymous
+ -o smtpd_sasl_local_domain=$myhostname
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
+smtps inet n - - - - smtpd
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=mailbox argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# Other external delivery methods.
+#
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/local/etc/postfix/postfix-to-mailman.py
+ ${nexthop} ${user}
+policy-spf unix - n n - - spawn
+ user=nobody argv=/usr/local/libexec/postfix-policyd-spf-perl
diff --git a/roles/mailserver/postfix/files/pgsql-virtual-alias-maps.cf b/roles/mailserver/postfix/files/pgsql-virtual-alias-maps.cf
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/pgsql-virtual-alias-maps.cf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# Postfix main configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix/files/pgsql-virtual-mailbox-domains.cf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+user = {{ db.username }}
+password = {{ db.password }}
+hosts = {{ db.host }}
+dbname = {{ db.database }}
+query = SELECT goto FROM alias WHERE address = '%s' AND active = '1'
diff --git a/roles/mailserver/postfix/files/pgsql-virtual-mailbox-domains.cf b/roles/mailserver/postfix/files/pgsql-virtual-mailbox-domains.cf
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/pgsql-virtual-mailbox-domains.cf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# Postfix main configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix/files/pgsql-virtual-mailbox-domains.cf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+user = {{ db.username }}
+password = {{ db.password }}
+hosts = {{ db.host }}
+dbname = {{ db.database }}
+query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'
diff --git a/roles/mailserver/postfix/files/pgsql-virtual-mailbox-maps.cf b/roles/mailserver/postfix/files/pgsql-virtual-mailbox-maps.cf
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/pgsql-virtual-mailbox-maps.cf
@@ -0,0 +1,21 @@
+# -------------------------------------------------------------
+# Postfix main configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix/files/pgsql-virtual-mailbox-maps.cf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+user = {{ db.username }}
+password = {{ db.password }}
+hosts = {{ db.host }}
+dbname = {{ db.database }}
+table = mailbox
+select_field = maildir
+where_field = username
diff --git a/roles/mailserver/postfix/files/postfix-to-mailman.py b/roles/mailserver/postfix/files/postfix-to-mailman.py
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/files/postfix-to-mailman.py
@@ -0,0 +1,134 @@
+#!/usr/bin/env python3
+
+# -------------------------------------------------------------
+# Mailman transport for postfix
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Source: postfix-to-mailman-2.1.py
+# Description: Interface mailman to a postfix with a mailman transport.
+# Does not require the creation of _any_ aliases to connect
+# lists to the mail system.
+# License: GPLv2
+# Authors: Original script for qmail by Bruce Perens, March 1999
+#
+# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
+# Converted from qmail to postfix interface
+#
+# Jan 2003: Fixes for Mailman 2.1
+# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
+#
+# Feb 2003: Change the suggested postfix transport to support VERP
+# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# README
+#
+# It catches all mail to a virtual domain, eg "lists.example.com".
+# It looks at the recipient for each mail message and decides if the mail is
+# addressed to a valid list or not, and bounces the message with a helpful
+# suggestion if it's not addressed to a list. It decides if it is a posting,
+# a list command, or mail to the list administrator, by checking for the
+# -admin, -owner, and -request addresses. It will recognize a list as soon
+# as the list is created, there is no need to add _any_ aliases for any list.
+# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
+# and owner, and routes those mails to MailmanOwner as defined in the
+# configuration variables, above.
+# -------------------------------------------------------------
+
+
+import os
+import sys
+import re
+import string
+
+
+# -------------------------------------------------------------
+# Configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Mailman home directory.
+MailmanHome = "/usr/local/mailman"
+
+# Postmaster and abuse mail recipient.
+MailmanOwner = "{{ mailmanAbuse }}"
+
+# Where mailman scripts reside
+MailmanScripts = "/usr/local/mailman"
+
+
+# -------------------------------------------------------------
+# Postfix / mailman transport methods
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def main():
+ os.nice(5) # Handle mailing lists at non-interactive priority.
+ # delete this if you wish
+
+ os.chdir(MailmanHome + "/lists")
+
+ try:
+ local = sys.argv[2]
+ except IndexError:
+ # This might happen if we're not using Postfix
+ sys.stderr.write("LOCAL not set?\n")
+ sys.exit(1)
+
+ local = string.lower(local)
+ local = re.sub("^mailman-", "", local)
+
+ names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner", "abuse")
+ for name in names:
+ if name == local:
+ os.execv("/usr/sbin/sendmail", ("/usr/sbin/sendmail", MailmanOwner))
+ sys.exit(0)
+
+ type = "post"
+ types = (
+ ("-admin$", "admin"),
+ ("-owner$", "owner"),
+ ("-request$", "request"),
+ ("-bounces$", "bounces"),
+ ("-confirm$", "confirm"),
+ ("-join$", "join"),
+ ("-leave$", "leave"),
+ ("-subscribe$", "subscribe"),
+ ("-unsubscribe$", "unsubscribe"),
+ )
+
+ for i in types:
+ if re.search(i[0], local):
+ type = i[1]
+ local = re.sub(i[0], "", local)
+
+ if os.path.exists(local):
+ os.execv(
+ MailmanScripts + "/mail/mailman",
+ (MailmanScripts + "/mail/mailman", type, local),
+ )
+ else:
+ bounce()
+ sys.exit(75)
+
+
+def bounce():
+ bounce_message = """\
+TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
+http://%s/
+That web page will help you subscribe or unsubscribe, and will
+give you directions on how to post to each mailing list.\n"""
+ sys.stderr.write(bounce_message % (sys.argv[1]))
+ sys.exit(1)
+
+
+try:
+ sys.exit(main())
+except SystemExit as argument:
+ sys.exit(argument)
+
+except Exception as argument:
+ info = sys.exc_info()
+ trace = info[2]
+ sys.stderr.write("%s %s\n" % (sys.exc_info()[0], argument))
+ sys.stderr.write("Line %d\n" % (trace.tb_lineno))
+ sys.exit(75) # Soft failure, try again later.
diff --git a/roles/mailserver/postfix/init.sls b/roles/mailserver/postfix/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/mailserver/postfix/init.sls
@@ -0,0 +1,89 @@
+# -------------------------------------------------------------
+# Mail - Postfix
+# -------------------------------------------------------------
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/mailserver/postfix.sls
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+{% from "roles/mailserver/map.jinja" import postfix_dirs with context %}
+{% set db = pillar["postfix_config"]["db"] %}
+
+# -------------------------------------------------------------
+# Software
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+postfix_install:
+ pkg.installed:
+ - pkgs:
+ - maildrop
+ - mailman
+ - postfix-pgsql
+ - postfix-policyd-spf-perl
+
+# -------------------------------------------------------------
+# Configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/postfix/main.cf:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/main.cf
+ - template: jinja
+ - context:
+ dirs: {{ dirs }}
+ postfix_dirs: {{ postfix_dirs }}
+
+{{ dirs.etc }}/postfix/postfix-to-mailman.py:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/postfix-to-mailman.py
+ - template: jinja
+ - context:
+ dirs: {{ dirs }}
+ mailmanAbuse: postmaster@nasqueron.org
+
+/usr/local/etc/postfix/postfix-files:
+ file.symlink:
+ - target: /usr/local/libexec/postfix/postfix-files
+
+{{ dirs.etc }}/postfix/pgsql-virtual-mailbox-domains.cf:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/pgsql-virtual-mailbox-domains.cf
+ - template: jinja
+ - context:
+ db: &dbcontext
+ database: {{ db["database"] }}
+ username: {{ salt["credentials.get_username"](db["credential"]) }}
+ password: {{ salt["credentials.get_password"](db["credential"]) }}
+ host: {{ pillar["nasqueron_services"][db["service"]] }}
+
+{{ dirs.etc }}/postfix/pgsql-virtual-mailbox-maps.cf:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/pgsql-virtual-mailbox-maps.cf
+ - template: jinja
+ - context:
+ db: *dbcontext
+
+{{ dirs.etc }}/postfix/pgsql-virtual-alias-maps.cf:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/pgsql-virtual-alias-maps.cf
+ - template: jinja
+ - context:
+ db: *dbcontext
+
+{{ dirs.etc }}/postfix/master.cf:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/master.cf
+ - template: jinja
+
+{{ dirs.etc }}/postfix/dynamicmaps.cf:
+ file.managed:
+ - source: salt://roles/mailserver/postfix/files/dynamicmaps.cf
+ - template: jinja
+ - context:
+ dirs: {{ dirs }}
+
+postfix_running:
+ service.running:
+ - name: postfix
+ - enable: True

File Metadata

Mime Type
text/plain
Expires
Tue, Nov 26, 01:43 (2 h, 3 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2263701
Default Alt Text
D3242.diff (22 KB)

Event Timeline