WIP: configure postfix to use SASL to auth senders

README.md

@@ -1,9 +1,16 @@
-# dovecot
+# postfix
 
 ## Parameters and defaults
 
 All configuration is to be placed inside the `postfix` and `postfixmaps` dicts.
 
+## LDAP
+
+This role supports LDAP as configuration source for:
+
+* TODO: finish list
+
+Note that only ldap**s** connections are supported.
 
 **postfix**
 ```

defaults/main.yml

@@ -17,12 +17,5 @@ postfix:
   mydestination: []
   ldap:
     enable: false
-    server_host: ldap.example.com
-    senders:
-      search_base: "ou=users,dc=example,dc=com"
-      query_filter: ""
-    recipients:
-      search_base: "ou=users,dc=example,dc=com"
-      query_filter: ""
 
 postfixmaps: []

files/saslauthd-defaults

@@ -0,0 +1,3 @@
+START=yes
+MECHANISMS="ldap"
+OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

files/smtpd.conf

@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: plain login

handlers/main.yml

@@ -1,2 +1,5 @@
 - name: restart postfix
   service: name=postfix state=restarted
+
+- name: restart saslauthd
+  service: name=saslauthd state=restarted

tasks/main.yml

@@ -2,13 +2,57 @@
   apt:
     pkg:
       - postfix
-      - postfix-ldap
+
+- name: Install and setup utilities for LDAP
+  when: postfix.ldap.enable
+  block:
+    - name: install utility packages for LDAP auth & config
+      apt:
+        pkg:
+          - postfix-ldap
+          - sasl2-bin
+
+    - name: Configure saslauthd
+      template:
+        src: saslauthd.conf.j2
+        dest: /etc/saslauthd.conf
+      notify:
+      - restart saslauthd
+
+    - name: Copy saslauthd defaults
+      copy:
+        src: saslauthd-defaults
+        dest: /etc/default/saslauthd
+      notify:
+        - restart saslauthd
+
+    - name: Copy smtpd.conf
+      copy:
+        src: smtpd.conf
+        dest: /etc/postfix/sasl/smtpd.conf
+      notify:
+        - restart postfix
+
+    - name: Add postfix to sasl group
+      user:
+        name: postfix
+        append: yes
+        groups: sasl
+      notify:
+        - restart postfix
 
 - name: remove exim4 package
   apt:
     name: exim4
     state: absent
 
+# We need to configure postfix's virtual UID and GID map. Those are set to the vmail users UID and GID as vmail holds all mail
+# Used in templates/main.cf.j2
+- name: "get vmail user data"
+  user:
+    name: vmail
+  register: vmail_user
+
 - name: copy postfix config
   template:
     src: "{{ item.src }}"
@@ -16,8 +60,8 @@
   with_items:
     - { src: "main.cf.j2", dest: "/etc/postfix/main.cf" }
     - { src: "master.cf.j2", dest: "/etc/postfix/master.cf" }
-    - { src: "virtual-senders.cf.j2", dest: "/etc/postfix/virtual-senders.cf" }
+    - { src: "virtual-aliases.cf.j2", dest: "/etc/postfix/virtual-aliases.cf" }
-    - { src: "virtual-recipients.cf.j2", dest: "/etc/postfix/virtual-recipients.cf" }
+    - { src: "virtual-mailboxes.cf.j2", dest: "/etc/postfix/virtual-mailboxes.cf" }
   notify:
   - restart postfix
 

templates/main.cf.j2

@@ -47,8 +47,6 @@ relayhost = {{ postfix.relayhost }}
 relay_domains = {{ postfix.relay_domains|join(', ') }}
 relay_transport = {{ postfix.relay_transport }}
 sender_dependent_relayhost_maps = {{ postfix.sender_dependent_relayhost_maps }}
-virtual_alias_maps = {{ postfix.virtual_alias_maps }}
-virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }}
 
 mailbox_size_limit = 0
 recipient_delimiter = +
@@ -69,11 +67,64 @@ dovecot_destination_recipient_limit = 1
 virtual_transport = dovecot
 {% endif %}
 
+# Virtual maps
+virtual_alias_maps = {{ postfix.virtual_alias_maps }}
+virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }}
+
 {% if postfix.ldap.enable %}
 # LDAP config
-smtpd_sender_login_maps = ldap:/etc/postfix/virtual-senders.cf
+## Virtual maps
-virtual_mailbox_maps = ldap:/etc/postfix/virtual-recipients.cf
+# virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual_mailboxes.cf
-local_recipient_maps = $virtual_mailbox_maps
+# virtual_mailbox_base = /home/vmail
+# virtual_uid_maps = ldap:/etc/postfix/ldap/virtual_uid.cf # TODO: Do we need this?
+# virtual_gid_maps = ldap:/etc/postfix/ldap/virtual_gid.cf # TODO: Do we need this?
+
+# virtual_uid_maps = static:{{ vmail_user.uid }}
+# virtual_gid_maps = static:{{ vmail_user.group }}
+
+## Transport maps
+### None so far
+
+# TLS
+# TODO: This is already enabled when using dovecot as transport
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+
+# Restrictions
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+disable_vrfy_command = yes
+
+smtpd_helo_restrictions = permit_mynetworks,
+                          permit_sasl_authenticated,
+                          reject_invalid_hostname,
+                          reject_invalid_helo_hostname,
+                          reject_non_fqdn_helo_hostname
+
+# TODO: This is already enabled when using dovecot as transport
+smtpd_sender_restrictions = reject_non_fqdn_sender,
+                            reject_unknown_sender_domain,
+                            permit_mynetworks,
+                            permit_sasl_authenticated
+
+# TODO: This is already enabled when using dovecot as transport
+smtpd_recipient_restrictions =  permit_mynetworks,
+                                permit_sasl_authenticated,
+                                reject_unlisted_sender,
+                                reject_unlisted_recipient,
+                                reject_unknown_sender_domain,
+                                reject_unknown_recipient_domain,
+                                reject_invalid_hostname,
+                                reject_unauth_destination,
+                                reject_non_fqdn_hostname,
+                                reject_non_fqdn_sender,
+                                reject_non_fqdn_recipient,
+                                permit
+
+smtpd_client_restrictions = permit_mynetworks,
+                            permit_sasl_authenticated,
+                            permit
+
 {% endif %}
 
 # opendkim

templates/saslauthd.conf.j2

@@ -0,0 +1,10 @@
+{% if postfix.ldap.enable %}
+ldap_servers: {{ postfix.ldap.server.host }}
+ldap_version: 3
+ldap_search_base: {{ postfix.ldap.search_base }}
+ldap_scope: sub
+ldap_filter: mail=%u
+ldap_auth_method: bind
+{% else %}
+# LDAP is not configured for this server.
+{% endif %}

templates/virtual-aliases.cf.j2

@@ -0,0 +1,9 @@
+{% if postfix.ldap.enable %}
+server_host = {{ postfix.ldap.server.host }}
+server_port = {{ postfix.ldap.server.port }}
+search_base = {{ postfix.ldap.search_base }}
+query_filter = {{ postfix.ldap.query_filter }}
+result_attribute = {{ postfix.ldap.result_attributes.aliases }}
+{% else %}
+# LDAP is not configured for this server.
+{% endif %}

templates/virtual-mailboxes.cf.j2

@@ -0,0 +1,9 @@
+{% if postfix.ldap.enable %}
+server_host = {{ postfix.ldap.server.host }}
+server_port = {{ postfix.ldap.server.port }}
+search_base = {{ postfix.ldap.search_base }}
+query_filter = {{ postfix.ldap.query_filter }}
+result_attribute = {{ postfix.ldap.result_attributes.mailboxes }}
+{% else %}
+# LDAP is not configured for this server.
+{% endif %}

templates/virtual-recipients.cf.j2

@@ -1,12 +0,0 @@
-{% if postfix.ldap.enable %}
-bind = yes
-# bind_dn =
-# bind_pw =
-server_host = {{ postfix.ldap.server_host }}
-search_base = {{ postfix.ldap.recipients.search_base }}
-query_filter = {{ postfix.ldap.recipients.query_filter }}
-result_attribute = cn
-result_format =%s
-{% else %}
-# LDAP is not configured for this server.
-{% endif %}

templates/virtual-senders.cf.j2

@@ -1,11 +0,0 @@
-{% if postfix.ldap.enable %}
-bind = yes
-# bind_dn =
-# bind_pw =
-server_host = {{ postfix.ldap.server_host }}
-search_base = {{ postfix.ldap.senders.search_base }}
-query_filter = {{ postfix.ldap.senders.query_filter }}
-result_attribute = uid
-{% else %}
-# LDAP is not configured for this server.
-{% endif %}