From 55922ca6362c72e5ba382eb090e34d75b9a5fab7 Mon Sep 17 00:00:00 2001
From: Slash
Date: Sat, 4 Jun 2016 22:46:04 +0200
Subject: [PATCH] [WIP] Postfix+Dovecot
---
 mail_server.yaml | 10 ++
 roles/postfix/handlers/main.yml | 5 +
 roles/postfix/tasks/main.yaml | 115 ++++++++++++++
 .../templates/dovecot-ldap.conf.ext.j2 | 41 +++++
 roles/postfix/templates/ldap-accounts.cf.j2 | 9 ++
 roles/postfix/templates/ldap-aliases.cf.j2 | 9 ++
 roles/postfix/templates/ldap-domains.cf.j2 | 8 +
 roles/postfix/templates/newldap.ldif | 144 ++++++++++++++++++
 8 files changed, 341 insertions(+)
 create mode 100644 mail_server.yaml
 create mode 100644 roles/postfix/handlers/main.yml
 create mode 100644 roles/postfix/tasks/main.yaml
 create mode 100644 roles/postfix/templates/dovecot-ldap.conf.ext.j2
 create mode 100644 roles/postfix/templates/ldap-accounts.cf.j2
 create mode 100644 roles/postfix/templates/ldap-aliases.cf.j2
 create mode 100644 roles/postfix/templates/ldap-domains.cf.j2
 create mode 100644 roles/postfix/templates/newldap.ldif
diff --git a/mail_server.yaml b/mail_server.yaml
new file mode 100644
index 0000000..8cce310
--- /dev/null
+++ b/mail_server.yaml
@@ -0,0 +1,10 @@
+---
+- hosts: biff
+ roles:
+ - role: lxc_guest
+ vm_name: mail
+- hosts: mail
+ roles:
+ - role: postfix
+ ldap_server: "{{ hostvars['ldap'].ansible_host }}"
+ fqdn_domain: "lilik.it"
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..138b6e5
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart_postfix
+ service: name=postfix state=restarted
+
+- name: restart_dovecot
+ service: name=dovecot state=restarted
diff --git a/roles/postfix/tasks/main.yaml b/roles/postfix/tasks/main.yaml
new file mode 100644
index 0000000..13cbd05
--- /dev/null
+++ b/roles/postfix/tasks/main.yaml
@@ -0,0 +1,115 @@
+- name: configure Postfix (domain)
+ debconf:
+ name: 'postfix'
+ question: 'postfix/domainpostfix/main_mailer_type'
+ vtype: 'string'
+ value: 'Internet Site'
+- name: configure Postfix (organization)
+ debconf:
+ name: 'postfix'
+ question: 'postfix/mailname'
+ vtype: 'string'
+ value: 'lilik.it'
+- name: install postfix packages
+ apt:
+ name: '{{ item }}'
+ state: latest
+ install_recommends: false
+ with_items:
+ - postfix
+# - postfix-ldap
+ - dovecot-ldap
+ - dovecot-imapd
+ - rsyslog
+ - dovecot-lmtpd
+# - amavisd-new
+# - postgrey #TODO
+# - spamassassin
+# - clamav-daemon
+
+#- name: upload ldap-aliases.cf
+# template:
+# src: ldap-aliases.cf.j2
+# dest: "/etc/postfix/ldap-aliases.cf"
+# notify: restart_postfix
+#- lineinfile: dest=/etc/postfix/main.cf line="virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-aliases.cf"
+# notify: restart_postfix
+
+#- name: upload ldap-domains.cf
+# template:
+# src: ldap-domains.cf.j2
+# dest: "/etc/postfix/ldap-domains.cf"
+# notify: restart_postfix
+#- lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domains.cf"
+# notify: restart_postfix
+
+#- name: upload ldap-accounts.cf
+# template:
+# src: ldap-accounts.cf.j2
+# dest: "/etc/postfix/ldap-accounts.cf"
+# notify: restart_postfix
+#- lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-accounts.cf"
+# notify: restart_postfix
+
+- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = lmtp:unix:private/dovecot-lmtp" state=present
+ notify: restart_postfix
+
+- name: create postman group
+ group: name=postman state=present gid=800
+
+- name: create postman user
+ user: name=postman state=present uid=800 shell=/dev/null
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf regexp='^mail_location' state=absent
+ notify: restart_dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_location = maildir:/home/postman/%d/%n' state=present
+ notify: restart_dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_gid = 800' state=present
+ notify: restart_dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_uid = 800' state=present
+ notify: restart_dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-system.conf.ext" state=absent
+ notify: restart_dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-ldap.conf.ext" state=present
+ notify: restart_dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ fqdn_domain }}"
+
+- template: src=dovecot-ldap.conf.ext.j2 dest=/etc/dovecot/dovecot-ldap.conf.ext
+ notify: restart_dovecot
+
+#- lineinfile: dest=/etc/postfix/main.cf line="content_filter=smtp-amavis:[127.0.0.1]:10024" state=present
+# notify: restart_postfix
+
+#- blockinfile: |
+# dest=/etc/postfix/master.cf
+# content=" smtp-amavis unix - - n - 2 smtp
+# -o smtp_data_done_timeout=1200
+# -o smtp_send_xforward_command=yes
+# -o disable_dns_lookups=yes
+# -o max_use=20
+#
+# 127.0.0.1:10025 inet n - n - - smtpd
+# -o content_filter=
+# -o smtpd_delay_reject=no
+# -o smtpd_client_restrictions=permit_mynetworks,reject
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_recipient_restrictions=permit_mynetworks,reject
+# -o smtpd_data_restrictions=reject_unauth_pipelining
+# -o smtpd_end_of_data_restrictions=
+# -o smtpd_restriction_classes=
+# -o mynetworks=127.0.0.0/8
+# -o smtpd_error_sleep_time=0
+# -o smtpd_soft_error_limit=1001
+# -o smtpd_hard_error_limit=1000
+# -o smtpd_client_connection_count_limit=0
+# -o smtpd_client_connection_rate_limit=0
+# -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+# -o local_header_rewrite_clients="
+# notify: restart_postfix
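Review bot: The `auth_default_realm` lineinfile task near the end of the hunk is the only Dovecot edit without a handler, so a later change of `fqdn_domain` is written to 10-auth.conf but not applied until something else restarts the service; add `notify: restart_dovecot` to it. The tasks that set `mail_gid`, `mail_uid`, `auth_default_realm` and `virtual_transport` use `line=` with no `regexp=`, so changing a value later appends a second directive instead of replacing the first — the `regexp='^mail_location'` handling above shows the shape the others should take, e.g. `regexp='^auth_default_realm' line="auth_default_realm = {{ fqdn_domain }}"`. The uid/gid 800 is repeated in the group task, the user task and both Dovecot settings; a role default such as `postman_uid: 800` would keep them from drifting apart.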
diff --git a/roles/postfix/templates/dovecot-ldap.conf.ext.j2 b/roles/postfix/templates/dovecot-ldap.conf.ext.j2
new file mode 100644
index 0000000..7924ee1
--- /dev/null
+++ b/roles/postfix/templates/dovecot-ldap.conf.ext.j2
@@ -0,0 +1,41 @@
+uris = ldap://{{ ldap_server }}
+
+# choose bind method instead of simple authentication
+auth_bind = yes
+
+# pass_attrs
+# specifies a comma-separated list of attributes that are returned from the LDAP.
+# If you set it to empty, all the attributes are returned.
+# http://wiki2.dovecot.org/AuthDatabase/LDAP/PasswordLookups
+# pass_attrs = user=mail,
+
+# http://wiki.dovecot.org/PasswordDatabase
+# Returning a user field can be used to change the username. Typically used only for case changes (e.g. "UseR" -> "user").
+# username: Like user, but doesn't drop existing domain name (e.g. "username=foo" for "user@domain" gives "foo@domain").
+# domain: Updates the domain part of the username; domain=%{ldap:vd}
+pass_attrs = disableUser=user
+
+# pass_filter
+# specifies the LDAP filter how user is found from the LDAP.
+# You can use all the normal variables like %u in the filter.
+pass_filter = (&(objectClass=VirtualMailAccount)(mail=%n)(accountActive=TRUE)(delete=FALSE))
+
+ldap_version = 3
+
+# search in vd=domain,o=hosting,dc=lilik,dc=it
+base = vd=%d,o=hosting,dc=lilik,dc=it
+
+deref = always
+
+scope = subtree
+
+# ldap filter, return an entity that is a virtual mail account
+user_filter = (&(objectClass=VirtualMailAccount)(mail=%n)(accountActive=TRUE)(delete=FALSE))
+
+# to prevent the uid and gid mappings from the ldap object to
+# dovecot mailbox, we map them to unused ldap fields
+# the sytnax is: "ldap_attribute = dovecot_attribute"
+# this is done because otherwise dovecot will deliver
+# emails to the user directory instead of the maildir directory
+# handled by the user postman
+user_attrs = disablehomeDirectory=home,disableuidNumber=uid,disablegidNumber=gid
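Review bot: `uris = ldap://{{ ldap_server }}` on the first line together with `auth_bind = yes` means Dovecot verifies each login by binding to the directory with the user's own password, so every IMAP authentication sends that password to the LDAP host over an unencrypted connection. Use `uris = ldaps://{{ ldap_server }}`, or add `tls = yes` with `tls_ca_cert_file = <path-to-CA-bundle>` and `tls_require_cert = hard` so the directory server is authenticated as well. `base = vd=%d,...` with `(mail=%n)` in both filters also relies on every login carrying a domain; presumably the `auth_default_realm` set in the tasks file covers bare usernames, but that is worth confirming in a comment here. Minor: `sytnax` in the last comment block is a typo.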
diff --git a/roles/postfix/templates/ldap-accounts.cf.j2 b/roles/postfix/templates/ldap-accounts.cf.j2
new file mode 100644
index 0000000..546cbe9
--- /dev/null
+++ b/roles/postfix/templates/ldap-accounts.cf.j2
@@ -0,0 +1,9 @@
+server_host = {{ ldap_server }}
+search_base = vd=%D,o=hosting,dc=lilik,dc=it
+#query_filter = (&(objectClass=simpleSecurityObject)(mail=%s))
+query_filter = (&(objectClass=VirtualMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
+result_attribute = mail
+#result_attribute = uid
+#result_format = %D/%s/
+dereference = 3
+version = 3
diff --git a/roles/postfix/templates/ldap-aliases.cf.j2 b/roles/postfix/templates/ldap-aliases.cf.j2
new file mode 100644
index 0000000..7d36c78
--- /dev/null
+++ b/roles/postfix/templates/ldap-aliases.cf.j2
@@ -0,0 +1,9 @@
+server_host = {{ ldap_server }}
+search_base = vd=%D,o=hosting,dc=lilik,dc=it
+#query_filter = (&(objectClass=simpleSecurityObject)(mail=%s))
+query_filter = (&(objectClass=VirtualMailAlias)(mail=%u)(accountActive=TRUE))
+result_attribute = maildrop
+#result_attribute = uid
+#result_format = %D/%s/
+dereference = 3
+version = 3
diff --git a/roles/postfix/templates/ldap-domains.cf.j2 b/roles/postfix/templates/ldap-domains.cf.j2
new file mode 100644
index 0000000..9b1396d
--- /dev/null
+++ b/roles/postfix/templates/ldap-domains.cf.j2
@@ -0,0 +1,8 @@
+server_host = {{ ldap_server }}
+search_base = o=hosting,dc=lilik,dc=it
+query_filter = (&(vd=%s)(objectClass=VirtualDomain))
+result_attribute = vd
+#scope = one
+#cache = yes
+dereference = 3
+version = 3
diff --git a/roles/postfix/templates/newldap.ldif b/roles/postfix/templates/newldap.ldif
new file mode 100644
index 0000000..8a17d2d
--- /dev/null
+++ b/roles/postfix/templates/newldap.ldif
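Review bot: All three Postfix LDAP tables (ldap-accounts.cf.j2, ldap-aliases.cf.j2 and ldap-domains.cf.j2) set `server_host = {{ ldap_server }}` with no transport security, so the alias, mailbox and domain lookups that decide where mail is delivered travel in cleartext and an on-path party could read or alter the answers. Add `start_tls = yes`, `tls_ca_cert_file = <path-to-CA-bundle>` and `tls_require_cert = yes` to each table, or use an `ldaps://` URL in `server_host`. Nothing in this commit deploys these files yet: the template and `lineinfile` tasks that would install them are commented out in roles/postfix/tasks/main.yaml and `postfix-ldap` is not in the package list, so the tables are dead until that WIP is finished. The commented `#query_filter = (&(objectClass=simpleSecurityObject)(mail=%s))` and `#result_format` leftovers could be dropped before they are enabled.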
@@ -0,0 +1,144 @@
+# LDIF Export for dc=lilik,dc=it
+# Server: My LDAP Server (127.0.0.1)
+# Search Scope: sub
+# Search Filter: (objectClass=*)
+# Total Entries: 611
+#
+# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on February 19, 2016 7:30 pm
+# Version: 1.2.2
+
+# Entry 4: o=Group,dc=lilik,dc=it
+dn: o=Group,dc=lilik,dc=it
+hassubordinates: TRUE
+o: Group
+objectclass: organization
+objectclass: top
+structuralobjectclass: organization
+subschemasubentry: cn=Subschema
+
+# Entry 10: cn=stdusers,o=Group,dc=lilik,dc=it
+dn: cn=stdusers,o=Group,dc=lilik,dc=it
+cn: stdusers
+gidnumber: 9000
+hassubordinates: FALSE
+objectclass: posixGroup
+objectclass: top
+structuralobjectclass: posixGroup
+subschemasubentry: cn=Subschema
+
+# Entry 12: cn=users_sites,o=Group,dc=lilik,dc=it
+dn: cn=users_sites,o=Group,dc=lilik,dc=it
+cn: users_sites
+gidnumber: 500
+hassubordinates: FALSE
+memberuid: tommyblue
+objectclass: posixGroup
+objectclass: top
+structuralobjectclass: posixGroup
+subschemasubentry: cn=Subschema
+
+
+# Entry 14: o=hosting,dc=lilik,dc=it
+dn: o=hosting,dc=lilik,dc=it
+description: mail.lilik.it hosting root
+hassubordinates: TRUE
+o: hosting
+objectclass: top
+objectclass: organization
+structuralobjectclass: organization
+subschemasubentry: cn=Subschema
+
+# Entry 22: vd=lilik.it,o=hosting,dc=lilik,dc=it
+dn: vd=lilik.it,o=hosting,dc=lilik,dc=it
+accountactive: TRUE
+delete: FALSE
+editav: FALSE
+hassubordinates: TRUE
+maxalias: 20
+maxmail: 11
+maxquota: 250
+objectclass: top
+objectclass: VirtualDomain
+postfixtransport: maildrop:
+structuralobjectclass: VirtualDomain
+subschemasubentry: cn=Subschema
+vd: lilik.it
+lastChange: 1228821387
+
+# Entry 23: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it
+dn: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it
+accountactive: TRUE
+cn: postmaster
+editaccounts: TRUE
+hassubordinates: FALSE
+mail: postmaster
+maildrop: postmaster
+objectclass: top
+objectclass: VirtualMailAlias
+sn: postmaster
+structuralobjectclass: VirtualMailAlias
+subschemasubentry: cn=Subschema
+userpassword: {SSHA}4IuBxQNWgMNPX/lCtP2GgbJeiYX+u4ud
+lastChange: 1228821387
+
+# Entry 24: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it
+dn: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it
+accountactive: TRUE
+cn: NONAME
+givenname: NONAME
+hassubordinates: FALSE
+mail: abuse
+maildrop: root
+objectclass: top
+objectclass: VirtualMailAlias
+smtpauth: FALSE
+sn: NONAME
+structuralobjectclass: VirtualMailAlias
+subschemasubentry: cn=Subschema
+userpassword: {CRYPT}!
+lastChange: 1228821387
+
+dn: mail=tommyblue,vd=lilik.it,o=hosting,dc=lilik,dc=it
+objectclass: alias
+objectclass: extensibleObject
+uid: alias
+aliasedobjectname: uid=tommyblue,o=People,dc=lilik,dc=it
+
+
+# Entry 319: o=People,dc=lilik,dc=it
+dn: o=People,dc=lilik,dc=it
+hassubordinates: TRUE
+o: People
+objectclass: organization
+objectclass: top
+structuralobjectclass: organization
+subschemasubentry: cn=Subschema
+
+dn: uid=tommyblue,o=People,dc=lilik,dc=it
+accountactive: TRUE
+cn: Tommaso Visconti
+delete: FALSE
+gidnumber: 100
+givenname: Tommaso
+hassubordinates: FALSE
+homedirectory: /home/tommyblue
+loginshell: /bin/sh
+mail: tommyblue
+mailbox: lilik.it/tommyblue/
+objectclass: top
+objectclass: inetOrgPerson
+objectclass: VirtualMailAccount
+objectclass: posixAccount
+objectclass: shadowAccount
+othertransport: phamm:
+quota: 1024000
+shadowlastchange: 14281
+smtpauth: FALSE
+sn: Visconti
+structuralobjectclass: VirtualMailAccount
+subschemasubentry: cn=Subschema
+uid: tommyblue
+uidnumber: 10001
+userpassword: {CRYPT}$1$8jnl0tRQ$YiKqohvCe8M63Zmlx5T/h1
+vdhome: /home/mail_deliver/lilik.it/tommyblue
+lastChange: 1228821387
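Review bot: This export commits live directory data to the role, including the `userpassword` values of cn=postmaster (an SSHA hash) and uid=tommyblue (a `{CRYPT}$1$` MD5-crypt hash) alongside a real person's name, home directory and uid. Password hashes are credentials and MD5-crypt in particular offers little resistance to offline guessing, so the entries should be scrubbed from the repository history and the affected passwords rotated; if a sample LDIF is wanted, keep it with placeholder values or fill the sensitive attributes from a vaulted variable like the other templates do. The file is also not referenced by any task and carries operational attributes (`hassubordinates`, `structuralobjectclass`, `subschemasubentry`) that an `ldapadd` would reject, so it is presumably here as documentation of the expected schema rather than for import — a header comment saying so, e.g. `# Reference export of the phamm schema; not imported by the role`, would make the intent clear.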