Commit 58c86966 authored by Joanne Hugé

WIP: dovecot and postfix

parent 3f75274b
......@@ -15,31 +15,31 @@
[template]
filename = instance.cfg.in
md5sum = 9d1d98a0b67791e3fd40618c8f41764c
md5sum = 48fd5311b030105457faf3e869aa70a7
[template-default]
_update_hash_filename_ = instance-default.cfg.in
md5sum = 7aa7f16772318e6e33e504bb9e61a935
[template-postfix]
_update_hash_filename_ = instance-postfix.cfg.jinja2.in
md5sum = cfea5b89b15081da3a836483e930621b
[template-postfix-master-cf]
_update_hash_filename_ = postfix_master.cf.jinja2.in
md5sum = ef164517e3f7170d03499967d625c3bb
[template-postfix-main-cf]
_update_hash_filename_ = postfix_main.cf.jinja2.in
md5sum = e9f03c66627beb4054d45123450162d2
[template-postfix-aliases]
_update_hash_filename_ = postfix_aliases.jinja2.in
md5sum = 0969fbb25b05c02ef3c2d437b2f4e1a0
md5sum = 68adfeefdf1a73c10a6cea118d0ddd8e
[dovecot.jinja2.conf]
_update_hash_filename_ = dovecot.jinja2.conf
md5sum = 3ce2ba2449c36c48b411c2c89872af7f
md5sum = 9455f13427e304bffca614cc96871d22
[dovecot-passwd.jinja2]
_update_hash_filename_ = dovecot-passwd.jinja2
md5sum = e93c6661a80135b763db27e47786107c
[postfix_main.jinja2.cf]
_update_hash_filename_ = postfix_main.jinja2.cf
md5sum = 1a778e4b71b3ee9cbcc4d4c7c442d2f5
[postfix_alias.jinja2]
_update_hash_filename_ = postfix_alias.jinja2
md5sum = 170fcb64781e966fa1a9718b5a925535
[postfix_mailname.jinja2]
_update_hash_filename_ = postfix_mailname.jinja2
md5sum = b52d8233637368f488a1287ef28db1b1
[postfix_vmailbox.jinja2]
_update_hash_filename_ = postfix_vmailbox.jinja2
md5sum = 2b9cac9517f2a5504d6dafde1844ebbc
[postfix_virtual.jinja2]
_update_hash_filename_ = postfix_virtual.jinja2
md5sum = 281440a544e5a2ca142c97336e1cd71c
protocols = imap
listen = *, ::
protocols = " imap lmtp pop3"
auth_debug = yes
auth_mechanisms = plain login
auth_username_format = %n
auth_verbose = yes
base_dir = {{ directory['run'] }}
# https://wiki.dovecot.org/HowTo/Rootless
default_internal_user = {{ slap_configuration.['user-name'] }}
default_login_user = {{ slap_configuration.['user-name'] }}
default_internal_group = {{ slap_configuration.['user-name'] }}
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mail_debug = yes
service anvil {
chroot =
chroot =
}
service imap-login {
chroot =
chroot =
}
service pop3-login {
chroot =
chroot =
}
service imap-login {
inet_listener imap {
......@@ -25,11 +30,27 @@ service imap-login {
port = 10993
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
log_path = {{ directory['log'] }}/dovecot.log
namespace inbox {
inbox = yes
location =
location =
mailbox Drafts {
special_use = \Drafts
}
......@@ -45,15 +66,16 @@ namespace inbox {
mailbox Trash {
special_use = \Trash
}
prefix =
prefix =
}
ssl = no
passdb {
driver = passwd-file
args = {{ dovecot_passwd }}
driver = passwd-file
}
userdb {
driver = passwd
args = uid={{ slap_configuration.['user-name'] }} gid={{ slap_configuration.['user-name'] }} home=/home/%u
}
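Review bot: `{{ slap_configuration.['user-name'] }}` on the default_internal_user, default_login_user and default_internal_group lines, and again in the userdb `args`, is not valid Jinja2 (`.[` mixes attribute and subscript syntax), so the template will not render; it should read `{{ slap_configuration['user-name'] }}`. The auth and lmtp `unix_listener` paths are absolute `/var/spool/postfix/private/...` with `user = postfix` / `group = postfix`, while the rest of the file is partition-relative (`base_dir = {{ directory['run'] }}`) and the Rootless comment says dovecot is not running as root, so those paths should come from the directory context and the owner from the partition user, as `mail_owner` does on the postfix side. Separately, `disable_plaintext_auth = no` together with `ssl = no`, `auth_mechanisms = plain login` and `listen = *, ::` accepts credentials in cleartext from any interface; if that is deliberate for the WIP, a comment saying so and a plan to bind to the partition address or enable TLS would keep it from shipping unnoticed. `auth_debug`, `auth_verbose` and `mail_debug` are all `yes`, which is fine while developing but should be turned off before release. The `service imap-login { inet_listener imap {` block opened at the end of the first hunk continues into the second.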
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *, ::
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
......@@ -3,6 +3,8 @@ parts =
directory
dovecot-conf
dovecot-service
postfix-conf
postftix-service
eggs-directory = {{ eggs_directory }}
develop-eggs-directory = {{ develop_eggs_directory }}
offline= true
......@@ -20,6 +22,27 @@ script = ${:etc}/run
service = ${:etc}/service
promise = ${:etc}/promise
log = ${:var}/log
var-log = ${:var}/log
var-lib = ${:var}/lib
var-lib-postfix = ${:var-lib}/postfix
var-spool = ${:var}/spool
var-spool-postfix = ${:var-spool}/postfix
vhosts = ${:home}/vhosts
# Not used at buildout level, presence needed by postfix.
var-spool-postfix-active = ${:var-spool-postfix}/active
var-spool-postfix-bounce = ${:var-spool-postfix}/bounce
var-spool-postfix-corrupt = ${:var-spool-postfix}/corrupt
var-spool-postfix-defer = ${:var-spool-postfix}/defer
var-spool-postfix-deferred = ${:var-spool-postfix}/deferred
var-spool-postfix-flush = ${:var-spool-postfix}/flush
var-spool-postfix-hold = ${:var-spool-postfix}/hold
var-spool-postfix-incoming = ${:var-spool-postfix}/incoming
var-spool-postfix-maildrop = ${:var-spool-postfix}/maildrop
var-spool-postfix-pid = ${:var-spool-postfix}/pid
var-spool-postfix-private = ${:var-spool-postfix}/private
var-spool-postfix-public = ${:var-spool-postfix}/public
var-spool-postfix-saved = ${:var-spool-postfix}/saved
var-spool-postfix-trace = ${:var-spool-postfix}/trace
[slap-configuration]
recipe = slapos.cookbook:slapconfiguration
......@@ -37,6 +60,7 @@ context =
section directory directory
# section slap_configuration slap-configuration
${:extra-context}
[dovecot-conf]
<= config-base
url = {{ dovecot_conf_template }}
......@@ -48,6 +72,46 @@ extra-context =
url = {{ dovecot_passwd_template }}
output = ${directory:etc}/dovecot-passwd
[userinfo]
recipe = slapos.cookbook:userinfo
[postfix-conf]
<= config-base
url = {{ postfix_main_template }}
output = ${directory:etc}/postfix_main.cf
extra-context =
key postfix_alias postfix-alias:output
key postfix_mailname postfix-mailname:output
key postfix_vhosts postfix-vhosts:output
key postfix_vmailbox postfix-vmailbox:output
key postfix_virtual postfix-virtual:output
key bin_directory directory:bin
key usr_directory directory:usr
key queue_directory directory:var-spool-postfix
key data_directory directory:var-lib-postfix
key spool_directory directory:var-spool
key vhosts_directory directory:vhosts
key mail_owner userinfo:pw-name
key setgid_group userinfo:gr-name
raw postfix_location {{ postfix_location }}
[postfix-alias]
<= config-base
url = {{ postfix_alias_template }}
output = ${directory:etc}/postfix-alias
[postfix-mailname]
<= config-base
url = {{ postfix_mailname_template }}
output = ${directory:etc}/postfix-mailname
[postfix-vmailbox]
<= config-base
url = {{ postfix_vmailbox_template }}
output = ${directory:etc}/postfix-vmailbox
[postfix-virtual]
<= config-base
url = {{ postfix_virtual_template }}
output = ${directory:etc}/postfix-virtual
[dovecot-wrapper]
recipe = slapos.recipe.template
output = ${directory:bin}/${:_buildout_section_name_}
......@@ -64,3 +128,20 @@ pidfile = ${directory:run}/dovecot.pid
hash-files =
${dovecot-conf:output}
${dovecot-wrapper:output}
[postfix-wrapper]
recipe = slapos.recipe.template
output = ${directory:bin}/${:_buildout_section_name_}
inline =
#!/bin/sh
{{ postfix_binary }}
[postfix-service]
recipe = slapos.cookbook:wrapper
command-line = ${postfix-wrapper:output}
wrapper-path = ${directory:service}/postfix
mode = 0775
pidfile = ${directory:run}/postfix.pid
hash-files =
${postfix-conf:output}
${postfix-wrapper:output}
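Review bot: The `parts` list names `postftix-service` but the section added at the end of the file is `[postfix-service]`, so buildout will stop on a missing part; the line should read `postfix-service`. In `[postfix-conf]`, `key postfix_vhosts postfix-vhosts:output` references a `[postfix-vhosts]` section this file does not define (only postfix-alias, postfix-mailname, postfix-vmailbox and postfix-virtual are added), and the key names passed here (`postfix_alias`, `postfix_mailname`, `postfix_vmailbox`, `postfix_virtual`) are not the names the new main.cf template reads (`alias_file`, `mailname_file`, `vmailbox_file`, `virtual_file`, `ip_address`, `ip_network`, `directory`). The postfix wrapper's inline script runs `{{ postfix_binary }}` with no `MAIL_CONFIG` or `-c` pointing at `${directory:etc}`, so the master daemon would presumably read its build-time config_directory rather than the rendered `postfix_main.cf`; compare `[base-wrapper]` in the instance-postfix template, which sets `MAIL_CONFIG` in `environment =`. `mode = 0775` on `[postfix-service]` makes the wrapper group-writable; `0755` is the usual value unless group write is actually needed.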
{
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "",
"type": "object",
"additionalProperties": false,
"properties": {
"tcpv4-port": {
"allOf": [
{
"$ref": "./schemas-definitions.json#/tcpv4port"
},
{
"description": "Start allocating ports at this value, going upward"
}
]
},
"postmaster": {
"description": "Mail address to send technical mails to. Non-empty value required for smptd relay service to be deployed. Values will be put in alias-dict as 'postmaster' key (alias-dict takes precedence)",
"default": "",
"type": "string"
},
"alias-dict": {
"description": "Mail alias support",
"default": {},
"patternProperties": {
".*": {
"description": "List of addresses alias expands to",
"type": "array"
}
},
"type": "object"
},
"relay": {
"description": "Forward outgoing mails to a specific relay. If enabled, relay must support TLS-encrypted SASL authentication.",
"dependencies": {
"host": [
"sasl-credential"
]
},
"properties": {
"host": {
"description": "Host name or address of relay, with optional port (ex: '[example.com]:submission'). Enclosing hostname with [] prevents MX lookup.",
"type": "string"
},
"sasl-credential": {
"description": "SASL credential, in the login:password form",
"type": "string"
}
},
"default": {},
"type": "object"
},
"divert": {
"description": "Intercept all mails and send them to given addresses instead of original recipient",
"type": "array",
"items": {
"type": "string"
},
"uniqueItems": true
}
}
}
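Review bot: The top-level `"description"` is the empty string in both copies of this schema (the second, without the `default` keys, follows immediately), so the generated parameter documentation has no heading text; one line saying what the postfix/dovecot instance accepts would do. `smptd` in the postmaster description should be `smtpd`. The `sasl-credential` description could also state that the value is a secret stored in the sasl_passwd map, so operators know not to put it in shared request parameters.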
{
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "",
"type": "object",
"additionalProperties": false,
"properties": {
"tcpv4-port": {
"allOf": [
{
"$ref": "./schemas-definitions.json#/tcpv4port"
},
{
"description": "Start allocating ports at this value, going upward"
}
]
},
"postmaster": {
"description": "Mail address to send technical mails to. Non-empty value required for smptd relay service to be deployed. Values will be put in alias-dict as 'postmaster' key (alias-dict takes precedence)",
"type": "string"
},
"alias-dict": {
"description": "Mail alias support",
"patternProperties": {
".*": {
"description": "List of addresses alias expands to",
"type": "array"
}
},
"type": "object"
},
"relay": {
"description": "Forward outgoing mails to a specific relay. If enabled, relay must support TLS-encrypted SASL authentication.",
"dependencies": {
"host": [
"sasl-credential"
]
},
"properties": {
"host": {
"description": "Host name or address of relay, with optional port (ex: '[example.com]:submission'). Enclosing hostname with [] prevents MX lookup.",
"type": "string"
},
"sasl-credential": {
"description": "SASL credential, in the login:password form",
"type": "string"
}
},
"default": {},
"type": "object"
},
"divert": {
"description": "Intercept all mails and send them to given addresses instead of original recipient",
"type": "array",
"items": {
"type": "string"
},
"uniqueItems": true
}
}
}
{% set part_list = [] -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% if slapparameter_dict.get('use-ipv6', True) -%}
{% set ip = '[' ~ (ipv6_set | list)[0] ~ ']' -%}
{% else -%}
{% set ip = (ipv4_set | list)[0] -%}
{% endif -%}
{% set tcpv4_port = slapparameter_dict.get('tcpv4-port', 2025) -%}
{% set relay = slapparameter_dict.get('relay', {}) -%}
{% set alias_dict = slapparameter_dict.get('alias-dict', {}) -%}
{# do alias_dict.setdefault('postmaster', [slapparameter_dict['postmaster']]) -#}
{% do alias_dict.setdefault('postmaster', [""]) -%}
{# set smtpd_sasl_user = slapparameter_dict['smtpd-sasl-user'] -#}
{% set smtpd_sasl_user = slapparameter_dict.get('smtpd-sasl-user', "vmail@nowhere") -%}
{# set smtpd_sasl_password = slapparameter_dict['smtpd-sasl-password'] -#}
{% set smtpd_sasl_password = slapparameter_dict.get('smtpd-sasl-password', "1234") -%}
{% set milter_list = [] %}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
[smtpd-password]
recipe = slapos.cookbook:generate.password
storage-path =
[{{ section('publish') }}]
recipe = slapos.cookbook:publish.serialised
url = {{ dumps('smtp://' ~ urllib.parse.quote_plus(smtpd_sasl_user) ~ ':' ~ urllib.parse.quote_plus(smtpd_sasl_password) ~ '@' ~ ip ~ ':' ~ tcpv4_port) }}
[directory]
recipe = slapos.cookbook:mkdirectory
etc = $${buildout:directory}/etc
plugin = $${:etc}/plugin
etc-postfix = $${:etc}/postfix
etc-dovecot = $${:etc}/dovecot
etc-cyrus = $${:etc}/cyrus
run = $${:etc}/run
bin = $${buildout:directory}/bin
usr = $${buildout:directory}/usr
srv = $${buildout:directory}/srv
var = $${buildout:directory}/var
var-log = $${:var}/log
var-lib = $${:var}/lib
var-lib-postfix = $${:var-lib}/postfix
var-spool = $${:var}/spool
var-spool-postfix = $${:var-spool}/postfix
# Not used at buildout level, presence needed by postfix.
var-spool-postfix-active = $${:var-spool-postfix}/active
var-spool-postfix-bounce = $${:var-spool-postfix}/bounce
var-spool-postfix-corrupt = $${:var-spool-postfix}/corrupt
var-spool-postfix-defer = $${:var-spool-postfix}/defer
var-spool-postfix-deferred = $${:var-spool-postfix}/deferred
var-spool-postfix-flush = $${:var-spool-postfix}/flush
var-spool-postfix-hold = $${:var-spool-postfix}/hold
var-spool-postfix-incoming = $${:var-spool-postfix}/incoming
var-spool-postfix-maildrop = $${:var-spool-postfix}/maildrop
var-spool-postfix-pid = $${:var-spool-postfix}/pid
var-spool-postfix-private = $${:var-spool-postfix}/private
var-spool-postfix-public = $${:var-spool-postfix}/public
var-spool-postfix-saved = $${:var-spool-postfix}/saved
var-spool-postfix-trace = $${:var-spool-postfix}/trace
# Used for ERP5 resiliency or (more probably)
# webrunner resiliency with erp5 inside.
[{{ section("resiliency-exclude-file") }}]
# Generate rdiff exclude file
recipe = slapos.recipe.template
inline = {{ '{{ "**\\n" }}' }}
output = $${directory:srv}/exporter.exclude
[configuration]
smtp = {{ dumps(tcpv4_port) }}
inet-interfaces = {{ dumps(ip) }}
alias-dict = {{ dumps(alias_dict) }}
relayhost = {{ dumps(relay.get('host')) }}
relay-sasl-credential = {{ dumps(relay.get('sasl-credential')) }}
cyrus-sasldb = $${directory:etc-cyrus}/postfix.gdbm
milter-list = {{ dumps(milter_list) }}
xz-utils-location = {{ dumps(parameter_dict['xz-utils-location']) }}
[userinfo]
recipe = slapos.cookbook:userinfo
[smtp-sasl-passwd]
< = jinja2-template-base
output = $${directory:etc-postfix}/sasl_passwd
{% if relay -%}
inline = {{ "{{ host }} {{ sasl_credential }}" }}
{%- else -%}
inline = " "
{%- endif %}
context =
key host configuration:relayhost
key sasl_credential configuration:relay-sasl-credential
[{{ section('cyrus-smtpd-conf') }}]
< = jinja2-template-base
output = $${directory:etc-cyrus}/smtpd.conf
inline =
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
sasldb_path: {{ '{{ sasldb }}' }}
context =
key sasldb configuration:cyrus-sasldb
[{{ section('cyrus-smtpd-password') }}]
recipe = plone.recipe.command
stop-on-error = true
command =
rm -f '$${configuration:cyrus-sasldb}' &&
echo '{{ smtpd_sasl_password }}' | '$${wrapper-postfix-saslpasswd2:wrapper-path}' -pc '{{ smtpd_sasl_user }}'
update-command = $${:command}
[smtpd-ssl]
recipe = plone.recipe.command
stop-on-error = true
openssl = '{{ parameter_dict['openssl'] }}/bin/openssl'
cert = $${directory:etc-postfix}/smtpd.crt
key = $${directory:etc-postfix}/smtpd.pem
dh-512 = $${directory:etc-postfix}/dh512.pem
dh-2048 = $${directory:etc-postfix}/dh2048.pem
command =
$${:openssl} dhparam -out '$${:dh-512}' 512 &&
$${:openssl} dhparam -out '$${:dh-2048}' 2048 &&
$${:update}
update =
$${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '$${:key}' -out '$${:cert}'
[{{ section('postfix-logrotate') }}]
recipe = slapos.cookbook:cron.d
cron-entries = $${cron:cron-entries}
name = postfix-logrotate
frequency = 0 0 * * *
command = $${directory:bin}/postfix logrotate
[postfix-main-cf-parameter]
postfix-location = {{ parameter_dict['postfix-location'] }}
[{{ section('postfix-main-cf') }}]
< = jinja2-template-base
output = $${directory:etc-postfix}/main.cf
url = {{ parameter_dict['template-postfix-main-cf'] }}
context =
key bin_directory directory:bin
key usr_directory directory:usr
key queue_directory directory:var-spool-postfix
key data_directory directory:var-lib-postfix
key spool_directory directory:var-spool
key mail_owner userinfo:pw-name
key setgid_group userinfo:gr-name
key inet_interfaces configuration:inet-interfaces
key relayhost configuration:relayhost
key sasl_passwd typed-paths:smtp-sasl-passwd
key aliases typed-paths:aliases
key milter_list configuration:milter-list
key cyrus_directory directory:etc-cyrus
key cert smtpd-ssl:cert
key key smtpd-ssl:key
key dh_512 smtpd-ssl:dh-512
key dh_2048 smtpd-ssl:dh-2048
key log_directory directory:var-log
key xz_utils_location configuration:xz-utils-location
key postfix_location postfix-main-cf-parameter:postfix-location
key etc_postfix directory:etc-postfix
[{{ section('postfix-master-cf') }}]
< = jinja2-template-base
output = $${directory:etc-postfix}/master.cf
url = {{ parameter_dict['template-postfix-master-cf'] }}
context = key smtp configuration:smtp
[aliases]
< = jinja2-template-base
url = {{ parameter_dict['template-postfix-aliases'] }}
output = $${directory:etc-postfix}/aliases
context =
key alias_dict configuration:alias-dict
[typed-paths]
# Postfix-friendly rendering of file paths, prefixed with database type.
aliases = hash:$${aliases:output}
smtp-sasl-passwd = hash:$${smtp-sasl-passwd:output}
[{{ section('postalias-db') }}]
recipe = plone.recipe.command
stop-on-error = true
command = '$${wrapper-postalias:wrapper-path}' '$${typed-paths:aliases}' '$${typed-paths:smtp-sasl-passwd}'
update-command = $${:command}
[wrapper-postfix-saslpasswd2]
recipe = slapos.cookbook:wrapper
command-line = '{{ parameter_dict['cyrus-sasl-location'] }}/sbin/saslpasswd2' -f '$${configuration:cyrus-sasldb}'
wrapper-path = $${directory:bin}/saslpasswd2
[base-wrapper]
recipe = slapos.cookbook:wrapper
environment =
MAIL_CONFIG=$${directory:etc-postfix}
SASL_CONF_PATH=$${directory:etc-cyrus}
[base-bin-wrapper]
< = base-wrapper
command-line = $${:path}/$${:basename}
wrapper-path = $${directory:bin}/$${:basename}
[base-bin-bin-wrapper]
< = base-bin-wrapper
path = {{ parameter_dict['postfix-location'] }}/usr/bin
[base-sbin-bin-wrapper]
< = base-bin-wrapper
path = {{ parameter_dict['postfix-location'] }}/usr/sbin
{% for extend, basename_list in (
(
'base-bin-bin-wrapper',
(
'mailq',
'newaliases',
),
),
(
'base-sbin-bin-wrapper',
(
'postalias',
'postcat',
'postconf',
'postdrop',
'postfix',
'postkick',
'postlock',
'postlog',
'postmap',
'postmulti',
'postqueue',
'postsuper',
'sendmail',
),
),
) %}
{% for basename in basename_list -%}
[{{ section('wrapper-' ~ basename) }}]
< = {{ extend }}
basename = {{ basename }}
{% endfor %}
{% endfor %}
[{{ section('postfix-symlinks-libexec') }}]
recipe = slapos.cookbook:symbolic.link
target-directory = $${directory:usr}
link-binary =
{{ parameter_dict['postfix-location'] }}/usr/libexec
[{{ section('service-postfix-master') }}]
< = base-wrapper
command-line = $${directory:usr}/libexec/postfix/master
wrapper-path = $${directory:run}/postfix-master
[{{ section('service-dovecot') }}]
recipe = slapos.cookbook:wrapper
environment =
DOVE_CONFIG= $${directory:etc-dovecot}
command-line = $${directory:usr}/dovecot
wrapper-path = $${directory:run}/dovecot
[{{ section('dovecot-symlinks-libexec') }}]
recipe = slapos.cookbook:symbolic.link
target-directory = $${directory:usr}
link-binary =
{{ parameter_dict['dovecot-location'] }}/libexec/dovecot
[monitor-instance-parameter]
monitor-httpd-ipv6 = {{ (ipv6_set | list)[0] }}
monitor-httpd-port = {{ tcpv4_port + 2 }}
monitor-title = {{ slapparameter_dict.get('name', "Dovecot") }}
password = {{ slapparameter_dict.get('monitor-passwd', "pwd") }}
[buildout]
extends =
{{ template_monitor }}
parts =
{{ part_list | join('\n ') }}
eggs-directory = ${buildout:eggs-directory}
develop-eggs-directory = ${buildout:develop-eggs-directory}
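Review bot: `smtpd_sasl_password` falls back to the literal `"1234"` (and `smtpd_sasl_user` to `vmail@nowhere`) when the parameter is absent, and that value is then loaded into the Cyrus sasldb by `[cyrus-smtpd-password]` and published in the `smtp://` URL, so every instance deployed without an explicit password shares a known credential on an SMTP listener that accepts SASL. A `[smtpd-password]` section using `slapos.cookbook:generate.password` is declared right above but nothing references it; the generated value (the recipe's `passwd` option, if I read the cookbook correctly) should be what `[cyrus-smtpd-password]` and `[publish]` use, or the template should fail when `smtpd-sasl-password` is missing as the commented-out `{# set smtpd_sasl_password = slapparameter_dict['smtpd-sasl-password'] -#}` line did. The same applies to `password = {{ slapparameter_dict.get('monitor-passwd', "pwd") }}` in `[monitor-instance-parameter]`. Two smaller points in `[service-dovecot]`: `DOVE_CONFIG= $${directory:etc-dovecot}` has a space after `=` (so the value starts with a space) and does not look like a variable the dovecot binary reads — its config file is normally given with `-c`; and `command-line = $${directory:usr}/dovecot` points at the link that `[dovecot-symlinks-libexec]` creates to `libexec/dovecot`, presumably a directory, rather than the `sbin/dovecot` binary that instance.cfg.in's `dovecot_binary` names.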
......@@ -24,6 +24,12 @@ context =
raw dovecot_conf_template ${dovecot.jinja2.conf:target}
raw dovecot_passwd_template ${dovecot-passwd.jinja2:target}
raw dovecot_binary ${dovecot:location}/sbin/dovecot
raw postfix_main_template ${postfix_main_jinja2.cf}
raw postfix_alias_template ${postfix_alias_jinja2}
raw postfix_mailname_template ${postfix_mailname_jinja2}
raw postfix_vmailbox_template ${postfix_vmailbox_jinja2}
raw postfix_binary ${postfix:location}/usr/libexec/sbin/master
raw postfix_location ${postfix:location}
[slap-configuration]
recipe = slapos.cookbook:slapconfiguration.serialised
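Review bot: The four new `raw postfix_*_template` entries expand `${postfix_main_jinja2.cf}`, `${postfix_alias_jinja2}`, `${postfix_mailname_jinja2}` and `${postfix_vmailbox_jinja2}` with no `:option` part, which is not a valid buildout substitution, and the names do not match the sections declared in software.cfg (`[postfix_main.jinja2.cf]`, `[postfix_alias.jinja2]`, …); the line above shows the intended form, e.g. `raw postfix_main_template ${postfix_main.jinja2.cf:target}`. `postfix_virtual_template`, which instance-default.cfg.in's `[postfix-virtual]` reads, is not passed at all although `[postfix_virtual.jinja2]` exists in software.cfg. `raw postfix_binary ${postfix:location}/usr/libexec/sbin/master` also looks off: the main.cf template sets `daemon_directory = {{ usr_directory }}/libexec/postfix` and the instance-postfix template runs `libexec/postfix/master`, so `usr/libexec/sbin/master` is presumably a typo for `usr/libexec/postfix/master` or `usr/sbin/postfix`. The `context =` list this hunk extends starts outside the hunk.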
......
# http://www.postfix.org/STANDARD_CONFIGURATION_README.html
# http://www.postfix.org/postconf.5.html
queue_directory = {{ queue_directory }}
command_directory = {{ bin_directory }}
daemon_directory = {{ usr_directory }}/libexec/postfix
data_directory = {{ data_directory }}
mail_owner = {{ mail_owner }}
alias_maps = {{ aliases }}
alias_database = {{ aliases }}
mail_spool_directory = {{ spool_directory }}
sendmail_path = {{ bin_directory }}/sendmail
newaliases_path = {{ bin_directory }}/newaliases
mailq_path = {{ bin_directory }}/mailq
setgid_group = {{ setgid_group }}
html_directory = no
manpage_directory = {{ postfix_location }}/usr/local/man
sample_directory = {{ postfix_location }}/etc/postfix
readme_directory = no
inet_interfaces = {{ inet_interfaces }}
smtp_bind_address = 0.0.0.0
smtp_bind_address6 = ::
compatibility_level = 3.6
smtputf8_enable = no
# Compared to default:
# - remove X-related variables, irrelevant for slapos, to be concise
# - add SASL_CONF_PATH to have per-partition cyrus-sasl configuration
import_environment =
MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
SASL_CONF_PATH
# Mandatory sasl auth over TLS
# XXX: no man-in-the-middle protection
smtpd_tls_cert_file = {{ cert }}
smtpd_tls_key_file = {{ key }}
smtpd_tls_dh512_param_file = {{ dh_512 }}
{#
Note: 1024 vs. 2048 is not a typo, but what is actually recommended in
postfix documentation
-#}
smtpd_tls_dh1024_param_file = {{ dh_2048 }}
smtpd_tls_security_level = encrypt
smtpd_sasl_auth_enable = yes
# Reject as many bogus cases as soon as possible, so errors are visible to ERP5
# developper rather than relying on bounces.
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_sasl_authenticated
reject
# Do not allow mynetworks to send mails, only authenticated clients.
smtpd_relay_restrictions =
permit_sasl_authenticated
defer_unauth_destination
# We do not pass mail address in command lines, so accept those starting with
# a dash.
allow_min_user = yes
# Disable local delivery
local_transport = error
smtpd_milters ={{ '\n '.join(milter_list) }}
{% if relayhost -%}
relayhost = {{ relayhost }}
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:{{ data_directory }}/smtp_scache
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = {{ sasl_passwd }}
smtp_sasl_tls_security_options = noanonymous
{%- endif %}
maillog_file = {{ log_directory }}/postfix.log
maillog_file_compressor = {{ xz_utils_location }}/bin/xz
maillog_file_prefixes = {{ log_directory }}
queue_directory = {{ queue_directory }}
command_directory = {{ bin_directory }}
daemon_directory = {{ usr_directory }}/libexec/postfix
data_directory = {{ data_directory }}
mail_spool_directory = {{ spool_directory }}
sendmail_path = {{ bin_directory }}/sendmail
newaliases_path = {{ bin_directory }}/newaliases
mailq_path = {{ bin_directory }}/mailq
manpage_directory = {{ postfix_location }}/usr/local/man
sample_directory = {{ postfix_location }}/etc/postfix
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
home_mailbox = Maildir/
smtpd_tls_security_level = none
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = mydomain.local
alias_maps = hash:{{ alias_file }}
alias_database = hash:{{ alias_file }}
myorigin = {{ mailname_file }}
#mydestination = ors64, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ ip_network }}
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = {{ ip_address }}
default_transport = error
relay_transport = error
inet_protocols = all
virtual_mailbox_domains = mydomain.local
virtual_mailbox_base = {{ vhosts_directory }}
virtual_mailbox_maps = hash:{{ vmailbox_file }}
virtual_minimum_uid = 100
virtual_uid_maps = static:1001
virtual_gid_maps = static:1022
virtual_alias_maps = hash:{{ virtual_file }}
virtual_transport = lmtp:unix:private/dovecot-lmtp
maillog_file = {{ directory['log'] }}/postfix.log
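Review bot: `smtpd_tls_security_level = none` together with `smtpd_sasl_auth_enable = yes` and `permit_sasl_authenticated` in `smtpd_relay_restrictions` means SASL credentials are accepted over cleartext SMTP on `inet_interfaces = {{ ip_address }}`; if TLS is dropped only for the WIP, a `# TODO: re-enable TLS` comment now and `smtpd_tls_auth_only = yes` once certificates are wired in would keep that from shipping silently (the older main.cf template above shows the `smtpd_tls_*` settings previously used). The variables this template reads — `alias_file`, `mailname_file`, `vmailbox_file`, `virtual_file`, `ip_network`, `ip_address`, `directory['log']` — do not match the keys passed from instance-default.cfg.in's `[postfix-conf]` (`postfix_alias`, `postfix_mailname`, `postfix_vmailbox`, `postfix_virtual`, `vhosts_directory`, …), so rendering will produce empty values or fail, depending on the undefined handling, unless one side is renamed. `myhostname = mydomain.local`, `virtual_mailbox_domains = mydomain.local`, `virtual_uid_maps = static:1001` and `virtual_gid_maps = static:1022` are hard-coded placeholders; in a partition the uid/gid should come from `userinfo` as `mail_owner` already does, and the domain from a parameter. `mynetworks` includes `{{ ip_network }}` with `permit_mynetworks` first in the relay restrictions, so any host on that network can submit without authenticating; `default_transport = error` / `relay_transport = error` limit what can leave, but a comment stating that intent would help the next reader.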
postmaster@mydomain.local test1@mydomain.local
hostmaster@mydomain.local test2@mydomain.local
test1@mydomain.local mydomain.local/test1
test2@mydomain.local mydomain.local/test2
......@@ -11,6 +11,7 @@ parts =
slapos-cookbook
template
dovecot
postfix
[template]
recipe = slapos.recipe.template
......@@ -24,15 +25,6 @@ url = ${:_profile_base_location_}/${:_update_hash_filename_}
[template-default]
<= download-base
[template-postfix-master-cf]
< = download-base
[template-postfix-main-cf]
< = download-base
[template-postfix-aliases]
< = download-base
[copy-to-instance]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/${:_buildout_section_name_}
......@@ -42,3 +34,14 @@ filename = ${:_buildout_section_name_}
< = copy-to-instance
[dovecot-passwd.jinja2]
< = copy-to-instance
[postfix_main.jinja2.cf]
< = copy-to-instance
[postfix_alias.jinja2]
< = copy-to-instance
[postfix_mailname.jinja2]
< = copy-to-instance
[postfix_vmailbox.jinja2]
< = copy-to-instance
[postfix_virtual.jinja2]
< = copy-to-instance
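Review bot: The `[template-postfix-master-cf]`, `[template-postfix-main-cf]` and `[template-postfix-aliases]` download sections are removed here, but buildout.hash.cfg in this commit still carries their `_update_hash_filename_`/`md5sum` entries and instance-postfix.cfg.jinja2.in still reads `parameter_dict['template-postfix-main-cf']`, `['template-postfix-master-cf']` and `['template-postfix-aliases']`, so either the removal is premature or those consumers need to go too. The new `[postfix_main.jinja2.cf]`, `[postfix_alias.jinja2]`, `[postfix_mailname.jinja2]`, `[postfix_vmailbox.jinja2]` and `[postfix_virtual.jinja2]` sections are referenced from instance.cfg.in with different spelling (`${postfix_main_jinja2.cf}` and so on), so the two files disagree on the section names; picking one spelling and adding `:target` on the instance.cfg.in side would fix it. The `[copy-to-instance]`-derived section list continues outside the hunk.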