From c08931882aeffc5e41d24ff33544403434830157 Mon Sep 17 00:00:00 2001 From: Morre Date: Sun, 5 Jul 2020 16:44:54 +0200 Subject: [PATCH] WIP: configure postfix to use SASL to auth senders --- README.md | 9 ++++- defaults/main.yml | 7 ---- files/saslauthd-defaults | 3 ++ files/smtpd.conf | 2 + handlers/main.yml | 3 ++ tasks/main.yml | 50 ++++++++++++++++++++++-- templates/main.cf.j2 | 61 +++++++++++++++++++++++++++--- templates/saslauthd.conf.j2 | 10 +++++ templates/virtual-aliases.cf.j2 | 9 +++++ templates/virtual-mailboxes.cf.j2 | 9 +++++ templates/virtual-recipients.cf.j2 | 12 ------ templates/virtual-senders.cf.j2 | 11 ------ 12 files changed, 147 insertions(+), 39 deletions(-) create mode 100644 files/saslauthd-defaults create mode 100644 files/smtpd.conf create mode 100644 templates/saslauthd.conf.j2 create mode 100644 templates/virtual-aliases.cf.j2 create mode 100644 templates/virtual-mailboxes.cf.j2 delete mode 100644 templates/virtual-recipients.cf.j2 delete mode 100644 templates/virtual-senders.cf.j2 diff --git a/README.md b/README.md index 8f20082..94800ed 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,16 @@ -# dovecot +# postfix ## Parameters and defaults All configuration is to be placed inside the `postfix` and `postfixmaps` dicts. +## LDAP + +This role supports LDAP as configuration source for: + +* TODO: finish list + +Note that only ldap**s** connections are supported. **postfix** ``` diff --git a/defaults/main.yml b/defaults/main.yml index 6e2bf6c..1c424ea 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,12 +17,5 @@ postfix: mydestination: [] ldap: enable: false - server_host: ldap.example.com - senders: - search_base: "ou=users,dc=example,dc=com" - query_filter: "" - recipients: - search_base: "ou=users,dc=example,dc=com" - query_filter: "" postfixmaps: [] diff --git a/files/saslauthd-defaults b/files/saslauthd-defaults new file mode 100644 index 0000000..62259cc --- /dev/null +++ b/files/saslauthd-defaults 
@@ -0,0 +1,3 @@ +START=yes +MECHANISMS="ldap" +OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" diff --git a/files/smtpd.conf b/files/smtpd.conf new file mode 100644 index 0000000..18d7308 --- /dev/null +++ b/files/smtpd.conf @@ -0,0 +1,2 @@ +pwcheck_method: saslauthd +mech_list: plain login diff --git a/handlers/main.yml b/handlers/main.yml index 6cdc4d4..395ba07 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,5 @@ - name: restart postfix service: name=postfix state=restarted + +- name: restart saslauthd + service: name=saslauthd state=restarted diff --git a/tasks/main.yml b/tasks/main.yml index 80bc2fc..0ee6091 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,13 +2,57 @@ apt: pkg: - postfix - - postfix-ldap + +- name: Install and setup utilities for LDAP + when: postfix.ldap.enable + block: + - name: install utility packages for LDAP auth & config + apt: + pkg: + - postfix-ldap + - sasl2-bin + + - name: Configure saslauthd + template: + src: saslauthd.conf.j2 + dest: /etc/saslauthd.conf + notify: + - restart saslauthd + + - name: Copy saslauthd defaults + copy: + src: saslauthd-defaults + dest: /etc/default/saslauthd + notify: + - restart saslauthd + + - name: Copy smtpd.conf + copy: + src: smtpd.conf + dest: /etc/postfix/sasl/smtpd.conf + notify: + - restart postfix + + - name: Add postfix to sasl group + user: + name: postfix + append: yes + groups: sasl + notify: + - restart postfix - name: remove exim4 package apt: name: exim4 state: absent +# We need to configure postfix's virtual UID and GID map. Those are set to the vmail users UID and GID as vmail holds all mail +# Used in templates/main.cf.j2 +- name: "get vmail user data" + user: + name: vmail + register: vmail_user + - name: copy postfix config template: src: "{{ item.src }}" 
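Review bot: `OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"` points the mux socket into Postfix's chroot, but nothing in the tasks hunk creates that directory or sets its ownership, so saslauthd may fail to start on a fresh host unless the distribution's init script creates it; on Debian the documented step is `dpkg-statoverride --force --update --add root sasl 710 /var/spool/postfix/var/run/saslauthd`, which the role should run (or an equivalent `file:` task with `owner: root`, `group: sasl`, `mode: "0710"`) before notifying the restart. The `-c` flag also enables credential caching, so a changed or revoked LDAP password keeps authenticating until the cache entry expires — the default lifetime in saslauthd(8) is hours, not minutes — and the file should either drop `-c` or set `-t` explicitly, e.g. `OPTIONS="-c -t 300 -m /var/spool/postfix/var/run/saslauthd"`. A one-line comment in the file stating why the socket lives under the chroot would help the next reader.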
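Review bot: The task named `get vmail user data` calls the `user` module with only `name: vmail`, and with the module's default state that creates the account when it is missing — with a default login shell and home — rather than just reading it as the comment above it says. Either make the intent explicit with `system: true` and `shell: /usr/sbin/nologin` and rename the task to "ensure vmail user exists", or use `getent` with `database: passwd` and `key: vmail` if the role must never create the user. Note that the registered `vmail_user.uid`/`vmail_user.group` are only consumed by commented-out lines in the main.cf.j2 hunk of this patch, so the task currently has an effect but no consumer. The `Configure saslauthd` task also sets no `mode:` on /etc/saslauthd.conf; that is fine today, but if a bind DN and password are added later the file should be `mode: "0600"`.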
@@ -16,8 +60,8 @@ with_items: - { src: "main.cf.j2", dest: "/etc/postfix/main.cf" } - { src: "master.cf.j2", dest: "/etc/postfix/master.cf" } - - { src: "virtual-senders.cf.j2", dest: "/etc/postfix/virtual-senders.cf" } - - { src: "virtual-recipients.cf.j2", dest: "/etc/postfix/virtual-recipients.cf" } + - { src: "virtual-aliases.cf.j2", dest: "/etc/postfix/virtual-aliases.cf" } + - { src: "virtual-mailboxes.cf.j2", dest: "/etc/postfix/virtual-mailboxes.cf" } notify: - restart postfix diff --git a/templates/main.cf.j2 b/templates/main.cf.j2 index 9085096..210f52f 100644 --- a/templates/main.cf.j2 +++ b/templates/main.cf.j2 @@ -47,8 +47,6 @@ relayhost = {{ postfix.relayhost }} relay_domains = {{ postfix.relay_domains|join(', ') }} relay_transport = {{ postfix.relay_transport }} sender_dependent_relayhost_maps = {{ postfix.sender_dependent_relayhost_maps }} -virtual_alias_maps = {{ postfix.virtual_alias_maps }} -virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }} mailbox_size_limit = 0 recipient_delimiter = + 
@@ -69,11 +67,64 @@ dovecot_destination_recipient_limit = 1 virtual_transport = dovecot {% endif %} +# Virtual maps +virtual_alias_maps = {{ postfix.virtual_alias_maps }} +virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }} + {% if postfix.ldap.enable %} # LDAP config -smtpd_sender_login_maps = ldap:/etc/postfix/virtual-senders.cf -virtual_mailbox_maps = ldap:/etc/postfix/virtual-recipients.cf -local_recipient_maps = $virtual_mailbox_maps +## Virtual maps +# virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual_mailboxes.cf +# virtual_mailbox_base = /home/vmail +# virtual_uid_maps = ldap:/etc/postfix/ldap/virtual_uid.cf # TODO: Do we need this? +# virtual_gid_maps = ldap:/etc/postfix/ldap/virtual_gid.cf # TODO: Do we need this? + +# virtual_uid_maps = static:{{ vmail_user.uid }} +# virtual_gid_maps = static:{{ vmail_user.group }} + +## Transport maps +### None so far + +# TLS +# TODO: This is already enabled when using dovecot as transport +smtpd_sasl_auth_enable = yes +smtpd_sasl_security_options = noanonymous + +# Restrictions +smtpd_helo_required = yes +strict_rfc821_envelopes = yes +disable_vrfy_command = yes + +smtpd_helo_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_invalid_hostname, + reject_invalid_helo_hostname, + reject_non_fqdn_helo_hostname + +# TODO: This is already enabled when using dovecot as transport +smtpd_sender_restrictions = reject_non_fqdn_sender, + reject_unknown_sender_domain, + permit_mynetworks, + permit_sasl_authenticated + +# TODO: This is already enabled when using dovecot as transport +smtpd_recipient_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_unlisted_sender, + reject_unlisted_recipient, + reject_unknown_sender_domain, + reject_unknown_recipient_domain, + reject_invalid_hostname, + reject_unauth_destination, + reject_non_fqdn_hostname, + reject_non_fqdn_sender, + reject_non_fqdn_recipient, + permit + +smtpd_client_restrictions = permit_mynetworks, + 
permit_sasl_authenticated, + permit + {% endif %} # opendkim diff --git a/templates/saslauthd.conf.j2 b/templates/saslauthd.conf.j2 new file mode 100644 index 0000000..6983faf --- /dev/null +++ b/templates/saslauthd.conf.j2 @@ -0,0 +1,10 @@ +{% if postfix.ldap.enable %} +ldap_servers: {{ postfix.ldap.server.host }} +ldap_version: 3 +ldap_search_base: {{ postfix.ldap.search_base }} +ldap_scope: sub +ldap_filter: mail=%u +ldap_auth_method: bind +{% else %} +# LDAP is not configured for this server. +{% endif %} diff --git a/templates/virtual-aliases.cf.j2 b/templates/virtual-aliases.cf.j2 new file mode 100644 index 0000000..0842d64 --- /dev/null +++ b/templates/virtual-aliases.cf.j2 @@ -0,0 +1,9 @@ +{% if postfix.ldap.enable %} +server_host = {{ postfix.ldap.server.host }} +server_port = {{ postfix.ldap.server.port }} +search_base = {{ postfix.ldap.search_base }} +query_filter = {{ postfix.ldap.query_filter }} +result_attribute = {{ postfix.ldap.result_attributes.aliases }} +{% else %} +# LDAP is not configured for this server. +{% endif %} diff --git a/templates/virtual-mailboxes.cf.j2 b/templates/virtual-mailboxes.cf.j2 new file mode 100644 index 0000000..9855048 --- /dev/null +++ b/templates/virtual-mailboxes.cf.j2 @@ -0,0 +1,9 @@ +{% if postfix.ldap.enable %} +server_host = {{ postfix.ldap.server.host }} +server_port = {{ postfix.ldap.server.port }} +search_base = {{ postfix.ldap.search_base }} +query_filter = {{ postfix.ldap.query_filter }} +result_attribute = {{ postfix.ldap.result_attributes.mailboxes }} +{% else %} +# LDAP is not configured for this server. +{% endif %} diff --git a/templates/virtual-recipients.cf.j2 b/templates/virtual-recipients.cf.j2 deleted file mode 100644 index cc78874..0000000 --- a/templates/virtual-recipients.cf.j2 +++ /dev/null 
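Review bot: `smtpd_sasl_auth_enable = yes` is turned on while smtpd.conf offers only `plain login`, and nothing in this hunk requires TLS before AUTH, so each sender's LDAP password can be offered in the clear on port 25; `smtpd_sasl_security_options = noanonymous` by itself still permits cleartext mechanisms. Change it to `smtpd_sasl_security_options = noanonymous, noplaintext`, add `smtpd_sasl_tls_security_options = noanonymous` and `smtpd_tls_auth_only = yes` — the `# TLS` heading above these lines currently sits over SASL settings, not TLS ones. Separately, the removed `smtpd_sender_login_maps` line has no replacement and no restriction list uses `reject_sender_login_mismatch`, so any authenticated account may use any envelope sender, including another user's address; if the virtual-senders map is gone for good, a replacement login map plus `reject_authenticated_sender_login_mismatch` placed before `permit_sasl_authenticated` in `smtpd_sender_restrictions` is needed. Whether `smtpd_tls_security_level` is set elsewhere in main.cf.j2 is outside this hunk.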
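Review bot: `ldap_servers:` in saslauthd takes a list of LDAP URIs, and this template renders the bare `postfix.ldap.server.host` with no scheme and no `ldap_tls_check_peer`/`ldap_tls_cacert_file`, so despite the README's "only ldaps" note the bind that carries each user's password most likely travels over plain ldap:// with no server verification. Render `ldap_servers: ldaps://{{ postfix.ldap.server.host }}:{{ postfix.ldap.server.port }}/` (the port variable is already used by the Postfix map templates) and add `ldap_tls_check_peer: yes` and `ldap_tls_cacert_file: <distribution CA bundle>`. `ldap_auth_method: bind` with no `ldap_bind_dn` also means the `mail=%u` search runs as an anonymous client, so the directory must allow anonymous search of `mail` below `ldap_search_base`; a comment in the template stating that requirement would save the next operator a debugging session.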
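Review bot: This map sets only `server_host`/`server_port`, and per ldap_table(5) a bare hostname there is queried over plain LDAP unless `server_host` is an `ldaps://` URI or `start_tls = yes` is set, with no certificate check unless `tls_require_cert = yes` and `tls_ca_cert_file` are given — so the README's claim that only ldaps connections are supported is not enforced by the template. Render `server_host = ldaps://{{ postfix.ldap.server.host }}:{{ postfix.ldap.server.port }}` (dropping the separate `server_port`) and add the two TLS lines, or document that the variable must carry the scheme. The keys this file reads (`postfix.ldap.server.host`, `.server.port`, `.search_base`, `.query_filter`, `.result_attributes.aliases`) have no defaults after the defaults/main.yml hunk removed the old ones, so with `enable: true` the render fails on an undefined variable unless every key is supplied; they belong in the README's still-empty LDAP list.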
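Review bot: This map is rendered and installed by the tasks hunk, but the new main.cf.j2 leaves `virtual_mailbox_maps` commented out, so with LDAP enabled the domains in `virtual_mailbox_domains` have no recipient table; as I read the `smtpd_reject_unlisted_recipient` documentation, `reject_unlisted_recipient` then cannot reject unknown users in those domains and the server accepts and later bounces such mail. Either set `virtual_mailbox_maps = ldap:/etc/postfix/virtual-mailboxes.cf` — note the path installed by the tasks hunk differs from the commented `/etc/postfix/ldap/virtual_mailboxes.cf` — or keep the whole map behind a variable until it is wired up. The connection block is a byte-for-byte copy of virtual-aliases.cf.j2 and inherits the same gap: bare `server_host` without `start_tls`/`ldaps://` and `tls_require_cert` means an unverified cleartext LDAP query per recipient lookup; a shared Jinja include for the connection settings would keep the two from drifting.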
@@ -1,12 +0,0 @@ -{% if postfix.ldap.enable %} -bind = yes -# bind_dn = -# bind_pw = -server_host = {{ postfix.ldap.server_host }} -search_base = {{ postfix.ldap.recipients.search_base }} -query_filter = {{ postfix.ldap.recipients.query_filter }} -result_attribute = cn -result_format =%s -{% else %} -# LDAP is not configured for this server. -{% endif %} diff --git a/templates/virtual-senders.cf.j2 b/templates/virtual-senders.cf.j2 deleted file mode 100644 index ded45f2..0000000 --- a/templates/virtual-senders.cf.j2 +++ /dev/null @@ -1,11 +0,0 @@ -{% if postfix.ldap.enable %} -bind = yes -# bind_dn = -# bind_pw = -server_host = {{ postfix.ldap.server_host }} -search_base = {{ postfix.ldap.senders.search_base }} -query_filter = {{ postfix.ldap.senders.query_filter }} -result_attribute = uid -{% else %} -# LDAP is not configured for this server. -{% endif %}