diff --git a/mailserver.cf b/mailserver.cf index 3cc242c..ad0b798 100644 --- a/mailserver.cf +++ b/mailserver.cf @@ -6,9 +6,15 @@ bundle agent install_mailserver(param_cfg) { vars: + + "default_alias_maps" string => "hash:/etc/aliases"; + freebsd:: + "default_alias_maps" string => "hash:/etc/mail/aliases"; + + any:: "default_cfg" data => '{ "pam_auth":true, - "vimb_auth":false, + "vimb_auth":true, "imap":true, "submission":true, "smtp":true, @@ -21,7 +27,7 @@ vars: "mydestination":"$myhostname, localhost", "mail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index", "vmail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index", - + "alias_maps":"$(default_alias_maps)" }'; @@ -155,19 +161,24 @@ vars: "maxproc":"-", "command":"smtpd", "args":[ + "{ -o smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination }", "{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination }" - "{ -o smtpd_client_restrictions = permit_mynetworks reject }", - "{ -o smtpd_relay_restrictions = permit_mynetworks reject }", - "{ -o smtpd_sender_restrictions = permit_mynetworks }" + "#{ -o smtpd_client_restrictions = permit_mynetworks }", + "#{ -o smtpd_sender_restrictions = }" ] } ] , "main_raw":" +#debug_peer_level=4 +#debug_peer_list= 5.9.7.163 + myhostname=$(cfg[myhostname]) mydestination=$(cfg[mydestination]) +alias_maps=$(cfg[alias_maps]) myorigin=$(cfg[myorigin]) +local_recipient_maps = unix:passwd.byname $alias_maps " , "master_raw":"" @@ -180,7 +191,7 @@ myorigin=$(cfg[myorigin]) methods: "any" usebundle => install_postfix_pkgs; - "any" usebundle => install_dovecot_pkgs; +# "any" usebundle => install_dovecot_pkgs; "any" usebundle => dovecot(@(dovecot_cfg)); "any" usebundle => postfix(@(postfix_cfg)); 
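Review bot: The first new `"default_alias_maps" string => "hash:/etc/aliases";` promise in `install_mailserver` carries no class guard, so on FreeBSD it is evaluated together with the `freebsd::` one and the platform-specific value only wins by promise order, which CFEngine treats as a variable redefinition. Guard the generic default explicitly, e.g. `!freebsd::` on the line before it, so each host sees exactly one definition. A short comment such as `# Postfix default alias map; FreeBSD keeps it under /etc/mail` would also help the next reader, since the reason for the split is not visible here. The body of `install_mailserver` continues outside this hunk.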
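Review bot: In the `args` array of the smtp service, the context line `"{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination }"` has no comma before the newly added `"#{ -o smtpd_client_restrictions = permit_mynetworks }",` entry (the same gap existed against the lines this hunk removes); unless CFEngine's JSON parser tolerates a missing separator, the whole data promise fails to parse, so a comma should be added there. The `#{ -o ... }` entries depend on Postfix master.cf treating an indented `#` as a comment; if these settings are meant to stay disabled, removing the entries and noting the intent in a CFEngine `#` comment is clearer than shipping commented-out text into master.cf. `#debug_peer_list= 5.9.7.163` in `main_raw` commits a host-specific address into shared policy even though it is commented out; drop it or make the peer list a `cfg` key. The enclosing data literal starts and ends outside this hunk.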
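Review bot: Commenting out `"any" usebundle => install_dovecot_pkgs;` in `install_mailserver` while `"any" usebundle => dovecot(@(dovecot_cfg));` two lines later is kept means this bundle now configures Dovecot without anything here ensuring the packages are present; callers that still use `install_mailserver` on its own will presumably fail at the config step. If the intent is that the new `aia_mailserver` bundle (which does call `install_dovecot_pkgs` later in this diff) supersedes it, say so in place, e.g. `# packages are installed by aia_mailserver; this bundle is kept for config only`, or remove the dead `dovecot` call as well. The `methods:` section continues outside this hunk.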
@@ -188,3 +199,494 @@ reports: # "DCP: $(dovecot_protos)"; # "DBS: $(dbs)"; } + + +bundle agent aia_install_dbs +{ +methods: + "any" usebundle => install_mysql_server(@(aia_mailserver.mysql_cfg)), + handle => "aia_mysql_installed"; + + "any" usebundle => create_mysql_db(@(aia_mailserver.vimb_db)), + depends_on => {"aia_mysql_installed"}; + + "any" usebundle => create_mysql_db(@(aia_mailserver.roundcube_cfg)), + depends_on => {"aia_mysql_installed"}; + +} + +bundle agent aia_install_apache +{ + +methods: + "any" usebundle => apache; + "any" usebundle => install_apache, + depends_on => {"aia_php_installed"}; + + "any" usebundle => install_php_fpm,handle=>"aia_php_installed"; +} + +bundle agent aia_install_sites +{ +vars: + "mail_site" data => '{ + "domain":"$(aia_mailserver.cfg[imap_domain])", + "aliases":[ + "$(aia_mailserver.cfg[smtp_domain])" + ], + "email":"7u83@mail.ru", + "disable":false, + }'; + + +methods: + "any" usebundle => apache_vhost(@(aia_mailserver.vimb_site)); + "any" usebundle => apache_vhost(@(aia_mailserver.roundcube_site)); + "any" usebundle => apache_vhost(@(aia_mailserver.rspamd_site)); + + "any" usebundle => certbot_cert(@(mail_site),"$(apache.web_root)"); + +} + +bundle agent aia_mailserver(param_cfg) +{ +vars: + any:: + "default_cfg" data => '{ + "pam_auth":true, + "vimb_auth":true, + "imap":true, + "submission":true, + "smtp":true, + "pop3":false, + "sieve":false, + "ssl":false, + "opendkim":false, + "myhostname":"$(sys.host)", + "myorigin":"$myhostname", + "mydestination":"$myhostname, localhost", + "mail_location" : "mbox:~/mail:LAYOUT=maildir++:INBOX=/var/mail/%u:INDEX=~/mail/index:CONTROL=~/mail/control" + "vmail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index", + "alias_maps":"$(postfix.default_alias_maps)", + + "db_host":"127.0.0.1", + "vimb_db_pass":"vimbdb-secret", + "vimb_server_email_name":"Vimbadmin $(param_cfg[vimb_domain])", + + 
"roundcube_db_pass":"roundcube-secret", + "roundcube_version":"1.6.4", + + "vimb_rememberme_salt":"Xa])o3GwVe-$8>-vz}y~+&D\C!2Ni+_AeocxD^ZhGQz-H/8", + + "rspamd_bind_socket":"127.0.0.1:11332", + + "vmail_user":"vmail", + "vmail_uid":"5000", + "vmail_gid":"5000", + "vmail_dir":"/var/vmail", + }'; + + "cfg" data => mergedata(@(default_cfg),@(param_cfg)); + + "mysql_cfg" data => '{ + "settings":{ + "mysqld":{ + "bind-address":"$(cfg[db_host])", + "lower_case_table_names":"1", + "default-authentication-plugin":"mysql_native_password" + } + }, + + "bind_address":"$(cfg[db_host])", + "backup_dir":"/tank/backups/mysql_backups" + }'; + + "vimb_db" data => '{ + "db_name":"vimbadmin", + "db_user":"vimbadmin", + "db_host":"$(cfg[db_host])", + "db_pass":"$(cfg[vimb_db_pass])", + "db_user_host":"%" + }'; + + "vimb_site" data => '{ + "domain":"$(cfg[vimb_domain])", + "aliases":[ ], + "email":"7u83@mail.ru", + "disable":false, + "doc_root":"$(apache.www_dir)/$(cfg[vimb_domain])/public", + "ssl":true, + "raw":" +Alias /vimbadmin $(apache.www_dir)/$(cfg[vimb_domain])/public + " + }'; + + "vimb_cfg" data => '{ + "src_tgz":"$(sys.workdir)/data/public/vimbadmin-3.4.1.tar.gz", + "install_dir":"$(apache.www_dir)/$(cfg[vimb_domain])", + + "restore_db_file":"$(cfg[backup_dir])/vimbdb.sql", + + "db_driver":"pdo_mysql", + "db_user":"$(vimb_db[db_user])", + "db_pass":"$(vimb_db[db_pass])", + "db_host":"$(vimb_db[db_host])", + "db_name":"$(vimb_db[db_name])", + "server_email_name":"$(cfg[vimb_server_email_name])", + "server_email_address":"$(cfg[vimb_server_email_address])", + + + "security_salt":"$(cfg[vimb_security_salt])", + "rememberme_salt":"$(cfg[vimb_rememberme_salt])", + "password_salt":"$(cfg[vimb_password_salt])", + }'; + + + + "roundcube_site" data => '{ + "domain":"$(cfg[webmail_domain])", + "aliases":[ ], + "email":"7u83@mail.ru", + "disable":false, + "doc_root":"$(apache.www_dir)/$(cfg[webmail_domain])/public", + "ssl":true, + "raw":" + " + }'; + + "roundcube_cfg" data =>'{ + 
"db_host":"$(cfg[db_host])", + "db_user":"roundcube", + "db_pass":"$(cfg[roundcube_db_pass])", + "db_user_host":"%", + "db_name":"roundcube", + "www_user":"$(apache.www_user)", + "www_group":"$(apache.www_group)", + + "install_dir":"$(apache.www_dir)/$(cfg[webmail_domain])", + "version":"$(cfg[roundcube_version])", + "backup_dir":"$(cfg[backup_dir])/roundcube", + "settings":{ + "imap_host":"\'tls://$(cfg[imap_domain]):143\'", + "smtp_host":"\'tls://$(cfg[smtp_domain]):587\'" + } + + }'; + + + "rspamd_site" data => '{ + "domain" : "$(cfg[rspamd_domain])", + "aliases" : [ ], + "email": "7u83@mail.ru", + "disable": false, + "ssl": true, + "doc_root":"$(apache.www_dir)/$(cfg[rspamd_domain])", + "php_handler":"proxy:unix:$(php.fpm_socket)|fcgi://localhost/", + "raw": " + + ProxyPass http://localhost:11334/ + ProxyPassReverse http://localhost:11334/ + + +" + }'; + + "rspamd_cfg" data => '{ + "worker_normal":" + #bind_socket = \\"localhost:12222\\" + " + , + "worker_proxy":" + upstream \\"local\\" { + self_scan = yes + } + bind_socket = \\"$(cfg[rspamd_bind_socket])\\" + ", + "password":"hallorspamd", + "enable-password":"hallorspamd-enable" + }'; + + "opendkim_cfg" data => '{ + "mynetworks":[ + "127.0.0.1", + ], + "keyfile":"$(cfg[dkim_private_key_file])", + "selector":"$(cfg[dkim_selector])", + "uid":"$(postfix.user)", + "gid":"$(postfix.group)", + "milter_sock":"$(postfix.queue_dir)/private/opendkim" + }'; + + + + "dbs" string => string_mustache(' + "userdbs":[ + {{#cfg.vimb_auth}} + { + "driver":"sql", + "args":"$(dovecot_vimbadmin_sql.cfg_file)" + }, + {{/cfg.vimb_auth}} + {{#cfg.pam_auth}} + { + "driver":"passwd", + "args":"" + }, + {{/cfg.pam_auth}} + ], + "passdbs":[ + {{#cfg.vimb_auth}} + { + "driver":"sql", + "args":"$(dovecot_vimbadmin_sql.cfg_file)" + } , + {{/cfg.vimb_auth}} + {{#cfg.pam_auth}} + { + "driver":"pam", + "args":"dovecot" + }, + {{/cfg.pam_auth}} + ],', + bundlestate("$(this.bundle)")); + + + "dovecot_cfg" data => '{ + 
"protocols":["imap","sieve","lmtp"], + "ssl":true, + "imap_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem", + "imap_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem", + "submission_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem", + "submission_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem", + "rspamd_scripts":true, + "global_sieve_after":true, + "default_imap_folders":true, + "vmail_dir":"$(cfg[vmail_dir])", + "vmail_uid":"$(cfg[vmail_uid])", + "vmail_gid":"$(cfg[vmail_gid])", + + "raw":" + mail_location = $(cfg[mail_location]) + mail_privileged_group=mail +log_path = /var/log/dovecot.log +mail_debug=yes +auth_debug=yes + + + protocol sieve { +managesieve_max_line_length = 65536 +} + ", + $(dbs) + "services":{ + "imap-login":{ + "raw":" + inet_listener imap { + port = 143 + } + inet_listener imaps { + port = 993 + ssl = yes + } + " + } + , + "pop3-login":{ + "raw":" + inet_listener pop3 { + port = 110 + } + inet_listener pop3s { + port = 995 + ssl = yes + } + " + } + , + "auth":{ + "raw":" + unix_listener $(postfix.queue_dir)/private/auth { + user = postfix + group = postfix + mode = 0666 + } + " + } + , + "lmtp":{ + "raw":" + unix_listener $(postfix.queue_dir)/private/dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } + " + } + + } + }'; + + + "postfix_cfg" data => '{ + "non_smtpd_milters":[ + "unix:$ (postfix.queue_dir)/private/opendkim" + ] + , + "services" : [ + { + "name":"submission" + "comment": "Submission service" + "enable":$(cfg[submission]), + "type":"inet", + "private":"n", + "unpriv":"-", + "chroot":"n", + "wakeup":"-", + "maxproc":"-", + "command":"smtpd", + "args":[ + "{ -o smtpd_sender_restrictions = permit_sasl_authenticated reject }", + "{ -o smtpd_recipient_restrictions = reject_unknown_recipient_domain permit_sasl_authenticated reject }", + "{ -o smtpd_client_restrictions = permit_sasl_authenticated reject }", + "{ -o smtpd_helo_restrictions = 
permit_sasl_authenticated reject }", + "{ -o smtpd_relay_restrictions = permit_sasl_authenticated reject }", + "{ -o smtpd_sasl_auth_enable = yes }", + "{ -o smtpd_sasl_type = dovecot }", + "{ -o smtpd_sasl_path = $(postfix.queue_dir)/private/auth }", + "{ -o smtpd_tls_security_level = encrypt }", + "{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }", + "{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }", + "{ -o smtpd_tls_loglevel = 1 }", + "{ -o smtpd_tls_received_header = yes }", + "{ -o smtpd_tls_session_cache_timeout = 3600s }", + "{ -o smtpd_tls_mandatory_ciphers = high}", + "{ -o tls_ssl_options = 0x40000000}", + "{ -o tls_preempt_cipherlist = yes}", + "{ -o smtpd_tls_eecdh_grade = ultra}", + "{ -o smtpd_tls_auth_only = yes }", + "{ -o smtp_tls_note_starttls_offer = yes }", + "{ -o smtpd_milters = unix:/var/spool/postfix/private/opendkim }", + + + + ], + } + , + { + "name":"smtp", + "comment": "SMTP service", + "enable":$(cfg[smtp]), + "type":"inet", + "private":"n", + "unpriv":"-", + "chroot":"n", + "wakeup":"-", + "maxproc":"-", + "command":"smtpd", + "args":[ + "{ -o smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination }", + "{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination }" + "{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unlisted_recipient reject_unauth_destination reject_unknown_recipient_domain reject_rbl_client ix.dnsbl.manitu.net reject_rbl_client zen.spamhaus.org }", + "{ -o smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname reject_unauth_pipelining }", + "{ -o smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname reject_unknown_hostname reject_non_fqdn_hostname }", + "{ -o smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination }", + "{ -o smtpd_milters = inet:$(cfg[rspamd_bind_socket]) }", + "{ -o smtpd_use_tls = yes }", + "{ -o 
smtpd_tls_mandatory_ciphers = high }", + "{ -o tls_preempt_cipherlist = yes }", + "{ -o smtpd_tls_eecdh_grade = ultra }", + "{ -o smtpd_tls_security_level = may }", + "{ -o smtp_tls_note_starttls_offer = yes }", + "{ -o smtpd_sasl_auth_enable = no }", + "{ -o smtpd_tls_loglevel = 1 }", + "{ -o smtpd_tls_received_header = yes }", + "{ -o smtpd_tls_session_cache_timeout = 3600s }", + "{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }", + "{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }", + ], + + } + + ] + , + "main_raw":" +#debug_peer_level=4 +#debug_peer_list= 5.9.7.163 +#compatibility_level = 3.8 +myhostname=$(cfg[myhostname]) +mydestination=$(cfg[mydestination]) +alias_maps=$(cfg[alias_maps]) +myorigin=$(cfg[myorigin]) +local_recipient_maps = unix:passwd.byname $alias_maps + +virtual_transport = lmtp:unix:private/dovecot-lmtp +virtual_alias_maps = mysql:$(postfix_vimbadmin_sql.virtual_alias_maps) +virtual_mailbox_domains = mysql:$(postfix_vimbadmin_sql.virtual_domains_maps) +virtual_mailbox_maps = mysql:$(postfix_vimbadmin_sql.virtual_mailbox_maps) + +" + , + "master_raw":"" + + } + '; + + + +reports: + +users: + "$(cfg[vmail_user])" + policy => "present", + description => "Vmail user", + uid => "$(cfg[vmail_uid])"; + + +methods: + "any" usebundle => aia_install_dbs, + handle => "aia_dbs_installed"; + + "any" usebundle => aia_install_apache, + handle=> "aia_apache_installed"; + + "any" usebundle => aia_install_sites, + handle => "aia_sites_installed", + depends_on => {"aia_apache_installed"}; + + "any" usebundle => vimbadmin(@(vimb_cfg)), + depends_on => {"aia_sites_installed"}; + + + "any" usebundle => roundcube(@(roundcube_cfg)), + handle => "aia_roundcube_installed", + depends_on => { + "aia_sites_installed", + "aia_roundcube_backup_dir_created" + }; + + "any" usebundle => configure_roundcube(@(roundcube_cfg)), + depends_on => {"aia_roundcube_installed"}; + + "any" usebundle => 
install_postfix_pkgs; + "any" usebundle => install_dovecot_pkgs; + "any" usebundle => install_redis; + "any" usebundle => install_rspamd_pkgs; + + + "any" usebundle => dovecot(@(dovecot_cfg)); + "any" usebundle => postfix(@(postfix_cfg)); + "any" usebundle => rspamd(@(rspamd_cfg)); + + "any" usebundle => dovecot_vimbadmin_sql(@(vimb_cfg),@(dovecot_cfg)); + "any" usebundle => postfix_vimbadmin_sql(@(vimb_db)); + + "any" usebundle => opendkim(@(opendkim_cfg)); + +files: + "$(roundcube_cfg[backup_dir])/." + create=>"true", + handle => "aia_roundcube_backup_dir_created"; + +} +
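Review bot: In the new `aia_mailserver.postfix_cfg`, the `smtp` service lists `smtpd_recipient_restrictions` and `smtpd_relay_restrictions` twice in its `args`; Postfix applies the last `-o` for a parameter, so the first pair is dead and the effective relay policy is `permit_mynetworks defer_unauth_destination`, which tempfails rather than rejects unauthorized relay attempts — keep one entry per parameter and, if a hard reject is intended, drop the `defer_unauth_destination` line. The `non_smtpd_milters` entry `unix:$ (postfix.queue_dir)/private/opendkim` has a space after `$`, so CFEngine will not expand it and the literal text lands in main.cf (unless the space is an artifact of how the diff was rendered); the `submission` service also hardcodes `unix:/var/spool/postfix/private/opendkim` where the rest of the file uses `$(postfix.queue_dir)`. Default credentials are baked into the policy — `vimbdb-secret`, `roundcube-secret`, the vimbadmin `vimb_rememberme_salt`, and the rspamd `password`/`enable-password` values `hallorspamd`/`hallorspamd-enable`, the last two not overridable through `cfg` at all — so every host that is not explicitly parameterized shares them; make these required `param_cfg` keys with no default (rspamd accepts a hash produced by `rspamadm pw`, so no plaintext needs to live in policy), and document the required keys (`imap_domain`, `smtp_domain`, `webmail_domain`, `vimb_domain`, `rspamd_domain`, `backup_dir`, the dkim and salt values) in a comment above `default_cfg`. The dovecot `raw` block also leaves `mail_debug=yes` and `auth_debug=yes` enabled, which looks like leftover troubleshooting. Several new data literals are missing commas between members (`"name":"submission" "comment": ...`, `"mail_location" : ... "vmail_location"`) or carry trailing ones before `}` and `]`; confirm CFEngine's JSON parser accepts them before relying on it.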