aia_mailserver for all in a machine

2023-11-06 09:21:06 +01:00 · 2023-11-06 09:21:06 +01:00 · 215c81f3ee
parent 577366e195
commit 215c81f3ee
1 changed files with 508 additions and 6 deletions
--- a/mailserver.cf
+++ b/mailserver.cf
@ -6,9 +6,15 @@
 bundle agent install_mailserver(param_cfg)
 {
 vars:
+	
+	"default_alias_maps" string => "hash:/etc/aliases";
+	freebsd::
+		"default_alias_maps" string => "hash:/etc/mail/aliases";
+
+	any::
 	"default_cfg" data => '{
 		"pam_auth":true,
-		"vimb_auth":false,
+		"vimb_auth":true,
 		"imap":true,
 		"submission":true,
 		"smtp":true,
@ -21,7 +27,7 @@ vars:
 		"mydestination":"$myhostname, localhost",
 		"mail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index",
 		"vmail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index",
-
+		"alias_maps":"$(default_alias_maps)"

 	}';

@ -155,19 +161,24 @@ vars:
 				"maxproc":"-",
 				"command":"smtpd",
 				"args":[
+					"{ -o smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination }",
 					"{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination }"
-					"{ -o smtpd_client_restrictions = permit_mynetworks reject }",
-					"{ -o smtpd_relay_restrictions = permit_mynetworks reject }",
-					"{ -o smtpd_sender_restrictions = permit_mynetworks }"	
+					"#{ -o smtpd_client_restrictions = permit_mynetworks }",
+					"#{ -o smtpd_sender_restrictions = }"	
 				]
 			}

 		]
 		,
 		"main_raw":"
+#debug_peer_level=4
+#debug_peer_list= 5.9.7.163
+
 myhostname=$(cfg[myhostname])
 mydestination=$(cfg[mydestination])
+alias_maps=$(cfg[alias_maps])
 myorigin=$(cfg[myorigin])
+local_recipient_maps = unix:passwd.byname $alias_maps
 "
 		,
 		"master_raw":""
@ -180,7 +191,7 @@ myorigin=$(cfg[myorigin])

 methods:
 	"any" usebundle => install_postfix_pkgs;
-	"any" usebundle => install_dovecot_pkgs;	
+#	"any" usebundle => install_dovecot_pkgs;	

 	"any" usebundle => dovecot(@(dovecot_cfg));
 	"any" usebundle => postfix(@(postfix_cfg));
@ -188,3 +199,494 @@ reports:
 #	"DCP: $(dovecot_protos)";
 #	"DBS: $(dbs)";
 }
+
+
+bundle agent aia_install_dbs
+{
+methods:
+	"any" usebundle => install_mysql_server(@(aia_mailserver.mysql_cfg)),
+		handle => "aia_mysql_installed";
+
+	"any" usebundle => create_mysql_db(@(aia_mailserver.vimb_db)),
+		depends_on => {"aia_mysql_installed"};
+
+	"any" usebundle => create_mysql_db(@(aia_mailserver.roundcube_cfg)),
+		depends_on => {"aia_mysql_installed"};
+	
+}
+
+bundle agent aia_install_apache
+{
+
+methods:
+	"any" usebundle => apache;
+	"any" usebundle => install_apache,
+			depends_on  => {"aia_php_installed"};
+
+	"any" usebundle => install_php_fpm,handle=>"aia_php_installed";
+}
+
+bundle agent aia_install_sites
+{
+vars:
+        "mail_site" data => '{
+                "domain":"$(aia_mailserver.cfg[imap_domain])",
+                "aliases":[
+			"$(aia_mailserver.cfg[smtp_domain])" 
+		],
+                "email":"7u83@mail.ru",
+                "disable":false,
+        }';
+
+
+methods:
+	"any" usebundle => apache_vhost(@(aia_mailserver.vimb_site));
+	"any" usebundle => apache_vhost(@(aia_mailserver.roundcube_site));
+	"any" usebundle => apache_vhost(@(aia_mailserver.rspamd_site));
+
+	"any" usebundle => certbot_cert(@(mail_site),"$(apache.web_root)");
+	
+}
+
+bundle agent aia_mailserver(param_cfg)
+{
+vars:
+	any::
+	"default_cfg" data => '{
+		"pam_auth":true,
+		"vimb_auth":true,
+		"imap":true,
+		"submission":true,
+		"smtp":true,
+		"pop3":false,
+		"sieve":false,
+		"ssl":false,
+		"opendkim":false,
+		"myhostname":"$(sys.host)",
+		"myorigin":"$myhostname",
+		"mydestination":"$myhostname, localhost",
+		"mail_location" : "mbox:~/mail:LAYOUT=maildir++:INBOX=/var/mail/%u:INDEX=~/mail/index:CONTROL=~/mail/control"
+		"vmail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index",
+		"alias_maps":"$(postfix.default_alias_maps)",
+
+		"db_host":"127.0.0.1",
+		"vimb_db_pass":"vimbdb-secret",
+		"vimb_server_email_name":"Vimbadmin $(param_cfg[vimb_domain])",
+
+		"roundcube_db_pass":"roundcube-secret",
+		"roundcube_version":"1.6.4",
+
+                "vimb_rememberme_salt":"Xa])o3GwVe-$8>-vz}y<uR/@Nr*tMwA!^O,D~Npj/JBq8:kM=mLLF(UlFhPntV.(",
+                "vimb_password_salt":"1M;C&Mn{4}){:f=VH*99S%dp)lnKdaQ8#;g>~+&D\C!2Ni+_AeocxD^ZhGQz-H/8",
+		
+		"rspamd_bind_socket":"127.0.0.1:11332",
+		
+		"vmail_user":"vmail",
+		"vmail_uid":"5000",
+		"vmail_gid":"5000",		
+		"vmail_dir":"/var/vmail",
+	}';
+
+	"cfg" data => mergedata(@(default_cfg),@(param_cfg));	
+
+        "mysql_cfg" data => '{
+		"settings":{
+			"mysqld":{
+				"bind-address":"$(cfg[db_host])",
+				"lower_case_table_names":"1",
+				"default-authentication-plugin":"mysql_native_password"
+			}
+		},
+
+                "bind_address":"$(cfg[db_host])",
+                "backup_dir":"/tank/backups/mysql_backups"
+        }';
+
+	"vimb_db" data => '{
+		"db_name":"vimbadmin",
+		"db_user":"vimbadmin",
+		"db_host":"$(cfg[db_host])",
+		"db_pass":"$(cfg[vimb_db_pass])",
+		"db_user_host":"%"
+	}';
+
+        "vimb_site" data => '{
+                "domain":"$(cfg[vimb_domain])",
+                "aliases":[ ],
+                "email":"7u83@mail.ru",
+                "disable":false,
+		"doc_root":"$(apache.www_dir)/$(cfg[vimb_domain])/public",
+                "ssl":true,
+                "raw":"
+Alias /vimbadmin $(apache.www_dir)/$(cfg[vimb_domain])/public
+		"
+        }';
+
+        "vimb_cfg" data => '{
+                "src_tgz":"$(sys.workdir)/data/public/vimbadmin-3.4.1.tar.gz",
+                "install_dir":"$(apache.www_dir)/$(cfg[vimb_domain])",
+
+                "restore_db_file":"$(cfg[backup_dir])/vimbdb.sql",
+
+                "db_driver":"pdo_mysql",
+                "db_user":"$(vimb_db[db_user])",
+                "db_pass":"$(vimb_db[db_pass])",
+                "db_host":"$(vimb_db[db_host])",
+                "db_name":"$(vimb_db[db_name])",
+                "server_email_name":"$(cfg[vimb_server_email_name])",
+                "server_email_address":"$(cfg[vimb_server_email_address])",
+
+                
+                "security_salt":"$(cfg[vimb_security_salt])",
+                "rememberme_salt":"$(cfg[vimb_rememberme_salt])",
+                "password_salt":"$(cfg[vimb_password_salt])",
+        }';
+
+
+
+        "roundcube_site" data => '{
+                "domain":"$(cfg[webmail_domain])",
+                "aliases":[ ],
+                "email":"7u83@mail.ru",
+                "disable":false,
+		"doc_root":"$(apache.www_dir)/$(cfg[webmail_domain])/public",
+                "ssl":true,
+                "raw":"
+		"
+        }';
+
+      "roundcube_cfg" data =>'{
+                "db_host":"$(cfg[db_host])",
+		"db_user":"roundcube",
+		"db_pass":"$(cfg[roundcube_db_pass])",
+		"db_user_host":"%",
+		"db_name":"roundcube",
+		"www_user":"$(apache.www_user)",
+		"www_group":"$(apache.www_group)",
+		
+                "install_dir":"$(apache.www_dir)/$(cfg[webmail_domain])",
+		"version":"$(cfg[roundcube_version])",
+		"backup_dir":"$(cfg[backup_dir])/roundcube",
+		"settings":{
+			"imap_host":"\'tls://$(cfg[imap_domain]):143\'",
+			"smtp_host":"\'tls://$(cfg[smtp_domain]):587\'"	
+		}
+
+        }';
+
+
+        "rspamd_site" data => '{
+                "domain" : "$(cfg[rspamd_domain])",
+                "aliases" : [ ],
+                "email": "7u83@mail.ru",
+                "disable": false,
+                "ssl": true,
+                "doc_root":"$(apache.www_dir)/$(cfg[rspamd_domain])",
+                "php_handler":"proxy:unix:$(php.fpm_socket)|fcgi://localhost/",
+                "raw": "
+<Location / >
+        ProxyPass http://localhost:11334/
+        ProxyPassReverse http://localhost:11334/
+</Location>
+
+"
+        }';
+
+        "rspamd_cfg" data => '{
+                "worker_normal":"
+                        #bind_socket = \\"localhost:12222\\"
+                "
+                ,
+                "worker_proxy":"
+                        upstream \\"local\\" {
+                                self_scan = yes
+                        }
+                        bind_socket = \\"$(cfg[rspamd_bind_socket])\\"
+                ",
+                "password":"hallorspamd",
+                "enable-password":"hallorspamd-enable"
+        }';
+  
+        "opendkim_cfg" data => '{
+                "mynetworks":[
+                        "127.0.0.1",
+                ],
+                "keyfile":"$(cfg[dkim_private_key_file])",
+                "selector":"$(cfg[dkim_selector])",
+                "uid":"$(postfix.user)",
+                "gid":"$(postfix.group)",
+                "milter_sock":"$(postfix.queue_dir)/private/opendkim"
+        }';
+
+
+
+	"dbs" string => string_mustache('
+		"userdbs":[
+			{{#cfg.vimb_auth}}
+			{
+				"driver":"sql",
+				"args":"$(dovecot_vimbadmin_sql.cfg_file)"
+			},
+			{{/cfg.vimb_auth}}
+			{{#cfg.pam_auth}}
+			{
+				"driver":"passwd",
+				"args":""
+			},
+			{{/cfg.pam_auth}}
+		],
+		"passdbs":[
+			{{#cfg.vimb_auth}}
+			{
+				"driver":"sql",
+				"args":"$(dovecot_vimbadmin_sql.cfg_file)"
+			} ,
+			{{/cfg.vimb_auth}}
+			{{#cfg.pam_auth}}
+			{
+				"driver":"pam",
+				"args":"dovecot"
+			}, 
+			{{/cfg.pam_auth}}
+		],',
+	bundlestate("$(this.bundle)"));
+	
+
+	"dovecot_cfg" data => '{
+		"protocols":["imap","sieve","lmtp"],
+		"ssl":true,
+		"imap_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem",
+		"imap_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem",
+		"submission_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem",
+		"submission_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem",
+                "rspamd_scripts":true,
+		"global_sieve_after":true,
+                "default_imap_folders":true,
+		"vmail_dir":"$(cfg[vmail_dir])",
+                "vmail_uid":"$(cfg[vmail_uid])", 
+                "vmail_gid":"$(cfg[vmail_gid])",
+
+		"raw":"
+			mail_location = $(cfg[mail_location])
+			mail_privileged_group=mail
+log_path = /var/log/dovecot.log
+mail_debug=yes
+auth_debug=yes
+
+
+				protocol sieve {
+managesieve_max_line_length = 65536
+}
+				",
+		$(dbs)
+		"services":{
+			"imap-login":{
+				"raw":"
+				inet_listener imap {
+					port = 143
+				}
+				inet_listener imaps {
+					port = 993
+					ssl = yes
+				}
+			"
+			}
+			,
+			"pop3-login":{
+				"raw":"
+				inet_listener pop3 {
+					port = 110
+				}
+				inet_listener pop3s {
+					port = 995
+					ssl = yes
+				}
+			"
+			}
+			,
+			"auth":{
+				"raw":"
+  				unix_listener $(postfix.queue_dir)/private/auth {
+						user = postfix
+						group = postfix
+						mode = 0666
+				}
+				"
+			}
+			,
+			"lmtp":{
+				"raw":"
+				unix_listener $(postfix.queue_dir)/private/dovecot-lmtp {
+   					group = postfix
+					mode = 0600
+					user = postfix
+				}
+				"
+			}
+
+		}
+	}';
+
+
+	"postfix_cfg" data => '{
+		"non_smtpd_milters":[
+			"unix:$ (postfix.queue_dir)/private/opendkim"
+		]
+		,
+		"services" : [
+			{
+				"name":"submission" 
+				"comment": "Submission service"
+				"enable":$(cfg[submission]),
+				"type":"inet",
+				"private":"n",
+				"unpriv":"-",
+				"chroot":"n",
+				"wakeup":"-",
+				"maxproc":"-",
+				"command":"smtpd",
+				"args":[
+					"{ -o smtpd_sender_restrictions = permit_sasl_authenticated reject }",
+					"{ -o smtpd_recipient_restrictions = reject_unknown_recipient_domain permit_sasl_authenticated reject  }",
+					"{ -o smtpd_client_restrictions = permit_sasl_authenticated reject }",
+                                        "{ -o smtpd_helo_restrictions = permit_sasl_authenticated reject }",
+                                        "{ -o smtpd_relay_restrictions = permit_sasl_authenticated reject }",
+                                        "{ -o smtpd_sasl_auth_enable = yes }",
+                                        "{ -o smtpd_sasl_type = dovecot }",
+                                        "{ -o smtpd_sasl_path = $(postfix.queue_dir)/private/auth }",
+                                        "{ -o smtpd_tls_security_level = encrypt }",
+                                        "{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }",
+                                        "{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }",
+                                        "{ -o smtpd_tls_loglevel = 1 }",
+                                        "{ -o smtpd_tls_received_header = yes }",
+                                        "{ -o smtpd_tls_session_cache_timeout = 3600s }",
+                                        "{ -o smtpd_tls_mandatory_ciphers = high}",
+                                        "{ -o tls_ssl_options = 0x40000000}",
+                                        "{ -o tls_preempt_cipherlist = yes}",
+                                        "{ -o smtpd_tls_eecdh_grade = ultra}",
+                                        "{ -o smtpd_tls_auth_only = yes }",
+                                        "{ -o smtp_tls_note_starttls_offer = yes }",
+                                        "{ -o smtpd_milters = unix:/var/spool/postfix/private/opendkim }",
+
+
+
+				],
+			}
+			,
+			{
+				"name":"smtp",
+				"comment": "SMTP service",
+				"enable":$(cfg[smtp]),
+				"type":"inet",
+				"private":"n",
+				"unpriv":"-",
+				"chroot":"n",
+				"wakeup":"-",
+				"maxproc":"-",
+				"command":"smtpd",
+                                "args":[
+					"{ -o smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination }",
+					"{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination }"
+                                        "{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unlisted_recipient reject_unauth_destination reject_unknown_recipient_domain reject_rbl_client ix.dnsbl.manitu.net reject_rbl_client zen.spamhaus.org }",
+                                        "{ -o smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname reject_unauth_pipelining }",
+                                        "{ -o smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname reject_unknown_hostname reject_non_fqdn_hostname }",
+                                        "{ -o smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination }",
+                                        "{ -o smtpd_milters = inet:$(cfg[rspamd_bind_socket]) }",
+                                        "{ -o smtpd_use_tls = yes }",
+                                        "{ -o smtpd_tls_mandatory_ciphers = high }",
+                                        "{ -o tls_preempt_cipherlist = yes }",
+                                        "{ -o smtpd_tls_eecdh_grade = ultra }",
+                                        "{ -o smtpd_tls_security_level = may }",
+                                        "{ -o smtp_tls_note_starttls_offer = yes }",
+                                        "{ -o smtpd_sasl_auth_enable = no }",
+                                        "{ -o smtpd_tls_loglevel = 1 }",
+                                        "{ -o smtpd_tls_received_header = yes }",
+                                        "{ -o smtpd_tls_session_cache_timeout = 3600s }",
+                                        "{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }",
+                                        "{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }",
+                                ],
+
+			}
+
+		]
+		,
+		"main_raw":"
+#debug_peer_level=4
+#debug_peer_list= 5.9.7.163
+#compatibility_level = 3.8
+myhostname=$(cfg[myhostname])
+mydestination=$(cfg[mydestination])
+alias_maps=$(cfg[alias_maps])
+myorigin=$(cfg[myorigin])
+local_recipient_maps = unix:passwd.byname $alias_maps
+
+virtual_transport =  lmtp:unix:private/dovecot-lmtp     
+virtual_alias_maps = mysql:$(postfix_vimbadmin_sql.virtual_alias_maps)
+virtual_mailbox_domains = mysql:$(postfix_vimbadmin_sql.virtual_domains_maps)
+virtual_mailbox_maps = mysql:$(postfix_vimbadmin_sql.virtual_mailbox_maps) 
+
+"
+		,
+		"master_raw":""
+
+	}
+	';
+
+
+
+reports:
+
+users:          
+        "$(cfg[vmail_user])" 
+        policy => "present",
+        description => "Vmail user",
+        uid => "$(cfg[vmail_uid])";
+
+
+methods:
+	"any" usebundle => aia_install_dbs,
+		handle => "aia_dbs_installed";
+
+	"any" usebundle => aia_install_apache,
+		handle=> "aia_apache_installed";
+
+	"any" usebundle => aia_install_sites,
+		handle => "aia_sites_installed",
+		depends_on => {"aia_apache_installed"};	
+
+      	"any" usebundle => vimbadmin(@(vimb_cfg)),
+		depends_on => {"aia_sites_installed"};
+
+
+      	"any" usebundle => roundcube(@(roundcube_cfg)),
+		handle => "aia_roundcube_installed",
+		depends_on => {
+			"aia_sites_installed",
+			"aia_roundcube_backup_dir_created"
+		};
+
+	"any" usebundle => configure_roundcube(@(roundcube_cfg)),
+		depends_on => {"aia_roundcube_installed"};
+
+	"any" usebundle => install_postfix_pkgs;
+	"any" usebundle => install_dovecot_pkgs;	
+	"any" usebundle => install_redis;
+	"any" usebundle => install_rspamd_pkgs;
+	
+
+	"any" usebundle => dovecot(@(dovecot_cfg));
+	"any" usebundle => postfix(@(postfix_cfg));
+	"any" usebundle => rspamd(@(rspamd_cfg));
+
+        "any" usebundle => dovecot_vimbadmin_sql(@(vimb_cfg),@(dovecot_cfg));
+        "any" usebundle => postfix_vimbadmin_sql(@(vimb_db));
+
+	"any" usebundle => opendkim(@(opendkim_cfg));
+
+files:
+	"$(roundcube_cfg[backup_dir])/."
+	create=>"true",
+	handle => "aia_roundcube_backup_dir_created";
+
+}
+