Configure Postfix

mit-scripts · dehnert · May 23, 2019 · May 23, 2019 · May 23, 2019 · May 23, 2019
commit ffe8bf61adb9ca181702e9a8a53b4252afce554c
diff --git a/ansible/roles/real-postfix/files/postfix/blocked_users b/ansible/roles/real-postfix/files/postfix/blocked_users
@@ -0,0 +1,28 @@
+raskar
+maoting
+bsu
+delian
+buechley
+cssa
+mitlti
+paxters
+crhie
+baker-foundation
+11.309j
+kgsa
+jains
+unfolding
+4.332
+asme
+alisono
+laublab
+eltahirgroup
+early-warning
+blackhistory
+seek
+braintrust
+newmanlab
+game
+lebanon
+crpg
+scioly
diff --git a/ansible/roles/real-postfix/files/postfix/mailbox-command-maps-ldap.cf b/ansible/roles/real-postfix/files/postfix/mailbox-command-maps-ldap.cf
@@ -0,0 +1,6 @@
+server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+search_base = ou=People,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=posixAccount)(uid=%s))
+result_attribute = scriptsMailboxCommand
+bind = no
+version = 3
diff --git a/ansible/roles/real-postfix/files/postfix/mailbox_command_maps b/ansible/roles/real-postfix/files/postfix/mailbox_command_maps
@@ -0,0 +1 @@
+root		/usr/bin/procmail /etc/scripts/root-procmailrc
diff --git a/ansible/roles/real-postfix/files/postfix/mailq_users b/ansible/roles/real-postfix/files/postfix/mailq_users
@@ -0,0 +1,2 @@
+nrpe
+munin
diff --git a/ansible/roles/real-postfix/files/postfix/main.cf b/ansible/roles/real-postfix/files/postfix/main.cf
@@ -0,0 +1,45 @@
+#biff = no
+
+# appending .domain is the MUA's job.
+#append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = scripts.mit.edu
+mydestination = scripts.mit.edu, scripts, $myhostname, scripts-test.mit.edu, scripts-test, localhost
+relayhost =
+mynetworks_style = host
+mailbox_command_maps =
+    texthash:/etc/postfix/mailbox_command_maps,
+    ldap:/etc/postfix/mailbox-command-maps-ldap.cf
+mailbox_size_limit = 0
+message_size_limit = 41943040
+recipient_delimiter = +
+inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu
+readme_directory = /usr/share/doc/postfix/README_FILES
+sample_directory = /usr/share/doc/postfix/samples
+sendmail_path = /usr/sbin/sendmail
+html_directory = no
+setgid_group = postdrop
+command_directory = /usr/sbin
+manpage_directory = /usr/share/man
+daemon_directory = /usr/libexec/postfix
+newaliases_path = /usr/bin/newaliases
+mailq_path = /usr/bin/mailq
+queue_directory = /var/spool/postfix
+mail_owner = postfix
+virtual_alias_domains = !scripts.mit.edu, !scripts, !$myhostname, !scripts-test.mit.edu, !scripts-test, !localhost, scripts-vhosts.mit.edu, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
+virtual_alias_maps = ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
+data_directory = /var/lib/postfix
+authorized_flush_users = fail
+authorized_mailq_users = /etc/postfix/mailq_users
+authorized_submit_users = !/etc/postfix/blocked_users, static:all
+non_smtpd_milters = unix:/run/spamass-milter/postfix/sock
+# "all" is the default, but if we do not specify it, Fedora's packaging
+# will add the wrong value here.
+inet_protocols = all
+# note: as of 21 Oct 2015, our IPv6 addresses do not have rDNS and are rejected by Gmail
+smtp_address_preference = ipv4
diff --git a/ansible/roles/real-postfix/files/postfix/virtual b/ansible/roles/real-postfix/files/postfix/virtual
diff --git a/ansible/roles/real-postfix/files/postfix/virtual-alias-domains-ldap.cf b/ansible/roles/real-postfix/files/postfix/virtual-alias-domains-ldap.cf
@@ -0,0 +1,21 @@
+# Find any vhost with a name or alias matching the domain of the e-mail
+# address.  We're queried with only the domain portion to determine whether
+# we accept mail at all for a given domain.  If we have no matching vhost
+# and return no records, Postfix will reject mail with a "Relay access denied"
+# error, unless the domain is configured in $mydestination.  We don't match
+# the scripts.mit.edu vhost here because otherwise it'll be treated as a
+# virtual alias domain and once we resolve an address to a scripts account,
+# we'll end up resolving the locker@scripts.mit.edu address to go to the
+# owners of the scripts.mit.edu vhost.  The value we return (if we return
+# anything at all) is supposedly arbitrary.  We choose to return the same
+# value we were queried with (the domain whose mail we host).  Protocol
+# version 3 is necessary to use ldapi.
+
+server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu)))
+result_attribute = scriptsVhostName
+result_format = %S
+bind = no
+version = 3
+
diff --git a/ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap-reserved.cf b/ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap-reserved.cf
@@ -0,0 +1,7 @@
+server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu))(scriptsReservedMail=%u))
+result_attribute = scriptsVhostName
+result_format = %U
+bind = no
+version = 3
diff --git a/ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap.cf b/ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap.cf
@@ -0,0 +1,22 @@
+# Find any vhost with a name or alias matching the domain of the
+# e-mail address.  We're queried with an entire e-mail address, but
+# are only interested in checking whether the domain portion
+# corresponds to a vhost; we'll simply deliver any mail for the vhost
+# to its owner, appending the original lefthand side of the address as
+# an extension.  %d extracts only the domain.  We don't match the
+# scripts.mit.edu vhost here because we don't want to first resolve an
+# arbitrary address to a scripts account, and then end up sending
+# their mail to the owners of the scripts.mit.edu vhost.  The uid
+# attribute, generated by the CoS template
+# cn=vhostOwnerCoS,ou=VirtualHosts,dc=scripts,dc=mit,dc=edu, is the
+# name of the locker that owns the vhost.  Protocol version 3 is
+# necessary to use ldapi.
+
+server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu)))
+result_attribute = uid
+result_format = %s+%U
+bind = no
+version = 3
+
diff --git a/ansible/roles/real-postfix/handlers/main.yml b/ansible/roles/real-postfix/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: reload postfix
+  service: name=postfix state=reloaded
diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Install postfix
+  dnf: name=postfix state=present
+- name: Install postfix configuration files
+  copy:
+    src: postfix/
+    dest: /etc/postfix/
+  notify: reload postfix
+- name: Install root's procmailrc
+  template:
+    src: root-procmailrc.j2
+    dest: /etc/scripts/root-procmailrc
+# TODO: Move blocked users from /etc/aliases into LDAP as scriptsMailboxCommand: /bin/false
diff --git a/ansible/roles/real-postfix/templates/root-procmailrc.j2 b/ansible/roles/real-postfix/templates/root-procmailrc.j2
@@ -0,0 +1,4 @@
+:0
+! {% for maintainer in maintainers|rejectattr('root_mail', 'none') -%}
+{{ maintainer.root_mail|default(maintainer.username + '@mit.edu') }}{{ '' if loop.last else ', ' }}
+{%- endfor %}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		root /usr/bin/procmail /etc/scripts/root-procmailrc
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- name: reload postfix
		service: name=postfix state=reloaded