
#
#
# aia_mailserver
# mandatory params:
#
# vimb_domain: domain where vimbadmin is accessible
# webmail_domain: domain where roundcube is
# smtp_domain: domain to use for smtp
# imap_domain: domain for imap
# rspamd_domain: domain for rspamd web interface
# vimb_server_email_address: email address vimbadmin uses to send mails
# vimb_security_salt: security salt used by the vimbadmin installer
# backup_dir: a directory where backups are stored; it has to exist
# vmail_dir: where to store mails for virtual domains
# dkim_selector: the dkim-selector used for all mails
# dkim_private_key_file: path to dkim key
#
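bundle agent aia_mailserver(param_cfg)
{
# Installs and wires up the whole mail stack: MySQL, the Apache/PHP sites
# (vimbadmin, roundcube, rspamd UI, sympa), dovecot, postfix, rspamd,
# opendkim and sympa. param_cfg is merged over default_cfg into cfg.
# Keys read from cfg in this file that the header comment does not list:
# sympa_domain, sympa_domains, wwsympa_url (sympa_site/sympa_cfg) and
# imap_alias_domains (aia_install_sites).
#
# Fixes in this revision: default_cfg was missing the comma after
# mail_location, the submission service lacked commas after "name" and
# "comment", non_smtpd_milters had "$ (postfix.queue_dir)" (not expanded),
# and the smtp service carried two smtpd_recipient_restrictions lines
# (the shorter one, a strict subset of the longer one, is dropped).
vars:
any::
# Defaults; param_cfg overrides them via mergedata below. The *_pass and
# *_salt values here are placeholders committed to policy and should be
# overridden per deployment; cfg_json (and the commented-out "CFG" report)
# would print all of them in agent output.
"default_cfg" data => '{
"pam_auth":true,
"vimb_auth":true,
"imap":true,
"submission":true,
"smtp":true,
"pop3":false,
"sieve":false,
"ssl":false,
"sympa":false,
"opendkim":false,
"myhostname":"$(sys.host)",
"mynetworks":"",
"myorigin":"$myhostname",
"mydestination":"$myhostname, localhost",
"mail_location" : "mbox:~/mail:LAYOUT=maildir++:INBOX=/var/mail/%u:INDEX=~/mail/index:CONTROL=~/mail/control",
"vmail_location" : "maildir:~/Maildir:LAYOUT=maildir++:INBOX=~/Maildir/.INBOX:CONTROL=~/Mail/control:INDEX=~/Mail/index",
"alias_maps":"$(postfix.default_alias_maps)",
"db_host":"127.0.0.1",
"vimb_db_pass":"vimbdb-secret",
"vimb_server_email_name":"Vimbadmin $(param_cfg[vimb_domain])",
"roundcube_db_pass":"roundcube-secret",
"roundcube_version":"1.6.4",
"roundcube_password_recovery":false,
"roundcube_settings":"",
"vimb_rememberme_salt":"Xa])o3GwVe-$8>-vz}y<uR/@Nr*tMwA!^O,D~Npj/JBq8:kM=mLLF(UlFhPntV.(",
"vimb_password_salt":"1M;C&Mn{4}){:f=VH*99S%dp)lnKdaQ8#;g>~+&D\C!2Ni+_AeocxD^ZhGQz-H/8",
"rspamd_bind_socket":"127.0.0.1:11332",
"vmail_user":"vmail",
"vmail_uid":"5000",
"vmail_gid":"5000",
"vmail_dir":"/var/vmail",
"imap_alias_domains":[],
"vimb_src_tgz":"$(sys.workdir)/data/public/vimbadmin-3.4.1.tar.gz",
"php_handler":"$(apache.default_php_handler)",
"postmaster_mail":"postmaster@$(sys.host)",
"webmaster_mail":"webmaster@$(sys.host)",
"sympa_listmaster":"tobias.herre@wikimedia.de, sandro.halank@wikimedia.de",
"sympa_dir":"/var/mail/sympa",
"sympa_db_pass":"sympa-db-secret"
}';
"cfg" data => mergedata(@(default_cfg),@(param_cfg));
# Roundcube plugin list; password_recovery is only added when
# cfg[roundcube_password_recovery] is the string "true".
"roundcube_plugins" string => ifelse(strcmp("$(cfg[roundcube_password_recovery])","true"),
"['acl', 'archive', 'attachment_reminder', 'emoticons', 'hide_blockquote', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'password_recovery', 'vcard_attachments', 'zipdownload']",
"['acl', 'archive', 'attachment_reminder', 'emoticons', 'hide_blockquote', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'vcard_attachments', 'zipdownload']");
# MySQL server settings; bind-address follows cfg[db_host] (loopback by
# default), which is what keeps the "%" database users below off the network.
"mysql_cfg" data => '{
"settings":{
"mysqld":{
"bind-address":"$(cfg[db_host])",
"lower_case_table_names":"1",
"default-authentication-plugin":"mysql_native_password"
}
},
"mariadb":false,
"bind_address":"$(cfg[db_host])",
"backup_dir":"/tank/backups/mysql_backups"
}';
# vimbadmin database credentials. db_user_host "%" (also used for the
# roundcube and sympa users) allows the account from any host; only the
# bind-address above limits that, so revisit if db_host is ever non-local.
"vimb_db" data => '{
"db_name":"vimbadmin",
"db_user":"vimbadmin",
"db_host":"$(cfg[db_host])",
"db_pass":"$(cfg[vimb_db_pass])",
"db_user_host":"%"
}';
# Apache vhost for vimbadmin.
"vimb_site" data => '{
"domain":"$(cfg[vimb_domain])",
"aliases":[ ],
"email":"$(cfg[webmaster_mail])",
"disable":false,
"doc_root":"$(apache.www_dir)/$(cfg[vimb_domain])/public",
"php_handler":"$(cfg[php_handler])",
"ssl":true,
"raw":"
Alias /vimbadmin $(apache.www_dir)/$(cfg[vimb_domain])/public
"
}';
# vimbadmin installer configuration (consumed by the vimbadmin bundle and
# by configure_roundcube_password_plugin / dovecot_vimbadmin_sql).
"vimb_cfg" data => '{
"src_tgz":"$(cfg[vimb_src_tgz])",
"install_dir":"$(apache.www_dir)/$(cfg[vimb_domain])",
"restore_db_file":"$(cfg[backup_dir])/vimbdb.sql",
"db_driver":"pdo_mysql",
"db_user":"$(vimb_db[db_user])",
"db_pass":"$(vimb_db[db_pass])",
"db_host":"$(vimb_db[db_host])",
"db_name":"$(vimb_db[db_name])",
"server_email_name":"$(cfg[vimb_server_email_name])",
"server_email_address":"$(cfg[vimb_server_email_address])",
"security_salt":"$(cfg[vimb_security_salt])",
"rememberme_salt":"$(cfg[vimb_rememberme_salt])",
"password_salt":"$(cfg[vimb_password_salt])",
"skin":"wmde"
}';
# Roundcube vhost. xxphp_handler/aaaphp_handler look like leftovers of
# earlier handler experiments and are kept as-is; php_handler is pinned to
# the php8.2-fpm socket rather than $(php.fpm_socket), so it has to follow
# the PHP version installed by aia_install_apache.
"roundcube_site" data => '{
"domain":"$(cfg[webmail_domain])",
"aliases":[ ],
"email":"$(cfg[webmaster_mail])",
"disable":false,
"xxphp_handler":"$(cfg[php_handler])",
"aaaphp_handler":"proxy:unix:$(php.fpm_socket)|fcgi://localhost/",
"php_handler":"proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost/",
"doc_root":"$(apache.www_dir)/$(cfg[webmail_domain])/public/",
"ssl":true,
"raw":"
"
}';
# Roundcube install/settings. imap_host/smtp_host use tls:// on the
# STARTTLS ports 143/587 of imap_domain and smtp_domain.
"roundcube_cfg" data =>'{
"db_host":"$(cfg[db_host])",
"db_user":"roundcube",
"db_pass":"$(cfg[roundcube_db_pass])",
"db_user_host":"%",
"db_name":"roundcube",
"www_user":"$(apache.www_user)",
"www_group":"$(apache.www_group)",
"install_dir":"$(apache.www_dir)/$(cfg[webmail_domain])",
"version":"$(cfg[roundcube_version])",
"backup_dir":"$(cfg[backup_dir])/roundcube",
"settings":{
"imap_host":"\'tls://$(cfg[imap_domain]):143\'",
"smtp_host":"\'tls://$(cfg[smtp_domain]):587\'",
"plugins":"$(roundcube_plugins)",
"skin":"\'wmde\'",
},
"keep_installer":true
}';
# password_recovery plugin talks directly to the vimbadmin database.
"roundcube_password_recover_cfg" data => '{
"db_host":"$(vimb_cfg[db_host])",
"db_user":"$(vimb_cfg[db_user])",
"db_pass":"$(vimb_cfg[db_pass])",
"db_name":"$(vimb_cfg[db_name])",
"settings":{
"pr_admin_email":"\'$(cfg[postmaster_mail])\'",
"pr_replyto_email":"\'$(cfg[postmaster_mail])\'"
}
}';
# Apache vhost that reverse-proxies the rspamd controller on localhost:11334.
"rspamd_site" data => '{
"domain" : "$(cfg[rspamd_domain])",
"aliases" : [ ],
"email": "$(cfg[webmaster_mail])",
"disable": false,
"ssl": true,
"doc_root":"$(apache.www_dir)/$(cfg[rspamd_domain])",
"php_handler":"proxy:unix:$(php.fpm_socket)|fcgi://localhost/",
"raw": "
<Location / >
ProxyPass http://localhost:11334/
ProxyPassReverse http://localhost:11334/
</Location>
"
}';
# rspamd workers and controller passwords. "password"/"enable-password"
# are plaintext defaults for the controller that rspamd_site exposes;
# override them per deployment (rspamd accepts hashes made with rspamadm pw).
"rspamd_cfg" data => '{
"worker_normal":"
#bind_socket = \\"localhost:12222\\"
"
,
"worker_proxy":"
upstream \\"local\\" {
self_scan = yes
}
bind_socket = \\"$(cfg[rspamd_bind_socket])\\"
",
"password":"hallorspamd",
"enable-password":"hallorspamd-enable"
}';
# OpenDKIM signs for 127.0.0.1 only; the milter socket lives in the Postfix
# queue directory and is referenced from postfix_cfg below.
"opendkim_cfg" data => '{
"mynetworks":[
"127.0.0.1",
],
"keyfile":"$(cfg[dkim_private_key_file])",
"selector":"$(cfg[dkim_selector])",
"uid":"$(postfix.user)",
"gid":"$(postfix.group)",
"milter_sock":"$(postfix.queue_dir)/private/opendkim"
}';
# Dovecot userdb/passdb fragment, rendered from cfg.vimb_auth / cfg.pam_auth
# and spliced into dovecot_cfg as $(dbs).
"dbs" string => string_mustache('
"userdbs":[
{{#cfg.vimb_auth}}
{
"driver":"sql",
"args":"$(dovecot_vimbadmin_sql.cfg_file)"
},
{{/cfg.vimb_auth}}
{{#cfg.pam_auth}}
{
"driver":"passwd",
"args":""
},
{{/cfg.pam_auth}}
],
"passdbs":[
{{#cfg.vimb_auth}}
{
"driver":"sql",
"args":"$(dovecot_vimbadmin_sql.cfg_file)"
} ,
{{/cfg.vimb_auth}}
{{#cfg.pam_auth}}
{
"driver":"pam",
"args":"dovecot"
},
{{/cfg.pam_auth}}
],',
bundlestate("$(this.bundle)"));
# Dovecot: IMAP/IMAPS and POP3/POP3S listeners, the Postfix SASL auth
# socket and the LMTP delivery socket. The auth socket is created with
# mode 0666 although user/group are already postfix; 0660 would keep it to
# that account if nothing else needs it. All certificates come from the
# imap_domain certbot directory.
"dovecot_cfg" data => '{
"protocols":["imap","sieve","lmtp"],
"ssl":true,
"imap_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem",
"imap_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem",
"submission_cert":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem",
"submission_key":"$(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem",
"rspamd_scripts":true,
"global_sieve_after":true,
"default_imap_folders":true,
"vmail_dir":"$(cfg[vmail_dir])",
"vmail_uid":"$(cfg[vmail_uid])",
"vmail_gid":"$(cfg[vmail_gid])",
"raw":"
mail_location = $(cfg[mail_location])
mail_privileged_group=mail
log_path = /var/log/dovecot.log
#mail_debug=yes
#auth_debug=yes
protocol sieve {
managesieve_max_line_length = 65536
}
",
$(dbs)
"services":{
"imap-login":{
"raw":"
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
"
}
,
"pop3-login":{
"raw":"
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
"
}
,
"auth":{
"raw":"
unix_listener $(postfix.queue_dir)/private/auth {
user = postfix
group = postfix
mode = 0666
}
"
}
,
"lmtp":{
"raw":"
unix_listener $(postfix.queue_dir)/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
"
}
}
}';
# Postfix: submission (SASL via dovecot, TLS required, DKIM milter) and
# port-25 smtp (no SASL, opportunistic TLS, rspamd milter). Both use the
# imap_domain certificate, so clients that connect to smtp_domain only
# validate it if that name is covered too. The smtp service still sets
# smtpd_relay_restrictions twice (reject_unauth_destination, then
# defer_unauth_destination); with repeated -o options the later one is
# presumably the effective value, so reconcile them — reject is the
# production setting, defer is documented for testing. main_raw carries
# debug_peer_level=4 / debug_peer_list=128.140.41.19, which is verbose
# logging for that peer only.
"postfix_cfg" data => '{
"non_smtpd_milters":[
"unix:$(postfix.queue_dir)/private/opendkim"
]
,
"services" : [
{
"name":"submission",
"comment": "Submission service",
"enable":$(cfg[submission]),
"type":"inet",
"private":"n",
"unpriv":"-",
"chroot":"n",
"wakeup":"-",
"maxproc":"-",
"command":"smtpd",
"args":[
"{ -o smtpd_sender_restrictions = permit_sasl_authenticated reject }",
"{ -o smtpd_recipient_restrictions = reject_unknown_recipient_domain permit_sasl_authenticated reject }",
"{ -o smtpd_client_restrictions = permit_sasl_authenticated reject }",
"{ -o smtpd_helo_restrictions = permit_sasl_authenticated reject }",
"{ -o smtpd_relay_restrictions = permit_sasl_authenticated reject }",
"{ -o smtpd_sasl_auth_enable = yes }",
"{ -o smtpd_sasl_type = dovecot }",
"{ -o smtpd_sasl_path = $(postfix.queue_dir)/private/auth }",
"{ -o smtpd_tls_security_level = encrypt }",
"{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }",
"{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }",
"{ -o smtpd_tls_loglevel = 1 }",
"{ -o smtpd_tls_received_header = yes }",
"{ -o smtpd_tls_session_cache_timeout = 3600s }",
"{ -o smtpd_tls_mandatory_ciphers = high}",
"{ -o tls_ssl_options = 0x40000000}",
"{ -o tls_preempt_cipherlist = yes}",
"{ -o smtpd_tls_eecdh_grade = ultra}",
"{ -o smtpd_tls_auth_only = yes }",
"{ -o smtp_tls_note_starttls_offer = yes }",
"{ -o smtpd_milters = unix:$(postfix.queue_dir)/private/opendkim }",
"{ -o message_size_limit = 30971520 }",
],
}
,
{
"name":"smtp",
"comment": "SMTP service",
"enable":$(cfg[smtp]),
"type":"inet",
"private":"n",
"unpriv":"-",
"chroot":"n",
"wakeup":"-",
"maxproc":"-",
"command":"smtpd",
"args":[
"{ -o smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination }",
"{ -o smtpd_recipient_restrictions = permit_mynetworks reject_unlisted_recipient reject_unauth_destination reject_unknown_recipient_domain reject_rbl_client ix.dnsbl.manitu.net }",
"{ -o smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname reject_unauth_pipelining }",
"{ -o smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname reject_unknown_hostname reject_non_fqdn_hostname }",
"{ -o smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination }",
"{ -o smtpd_milters = inet:$(cfg[rspamd_bind_socket]) }",
"{ -o smtpd_use_tls = yes }",
"{ -o smtpd_tls_mandatory_ciphers = high }",
"{ -o tls_preempt_cipherlist = yes }",
"{ -o smtpd_tls_eecdh_grade = ultra }",
"{ -o smtpd_tls_security_level = may }",
"{ -o smtp_tls_note_starttls_offer = yes }",
"{ -o smtpd_sasl_auth_enable = no }",
"{ -o smtpd_tls_loglevel = 1 }",
"{ -o smtpd_tls_received_header = yes }",
"{ -o smtpd_tls_session_cache_timeout = 3600s }",
"{ -o smtpd_tls_key_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/privkey.pem }",
"{ -o smtpd_tls_cert_file = $(certbot.certbot_dir)/live/$(cfg[imap_domain])/fullchain.pem }",
"{ -o message_size_limit = 30971520 }",
],
}
]
,
"main_raw":"
debug_peer_level=4
debug_peer_list=128.140.41.19
#compatibility_level = 3.8
myhostname=$(cfg[myhostname])
mydestination=$(cfg[mydestination])
alias_maps=$(cfg[alias_maps])
myorigin=$(cfg[myorigin])
mynetworks=$(cfg[mynetworks])
local_recipient_maps = unix:passwd.byname $alias_maps
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_alias_maps = mysql:$(postfix_vimbadmin_sql.virtual_alias_maps) hash:/etc/postfix/fwd.tsv
transport_maps = hash:/etc/sympa/sympa_transport hash:$(sympa_general_transport)
virtual_mailbox_domains = mysql:$(postfix_vimbadmin_sql.virtual_domains_maps)
virtual_mailbox_maps = hash:$(sympa.conf_dir)/sympa_transport hash:$(sympa_general_transport) mysql:$(postfix_vimbadmin_sql.virtual_mailbox_maps)
inet_protocols = ipv4
smtp_tls_security_level = may
message_size_limit = 26214400
"
,
"master_raw":"
#
# Sympa
#
$(sympa.postfix_master_cfg)
#
",
}
';
# Sympa database credentials (same "%" host scope as vimb_db).
"sympa_db" data => '{
"db_name":"sympa",
"db_user":"sympa",
"db_host":"$(cfg[db_host])",
"db_pass":"$(cfg[sympa_db_pass])",
"db_user_host":"%",
"db_type":"mysql"
}';
"sympa_db_json" string => storejson(@(sympa_db));
"sympa_dir" string => "$(cfg[sympa_dir])";
"sympa_arc_dir" string => "$(sympa_dir)/arc";
"sympa_home_dir" string => "$(sympa_dir)/list_data";
"sympa_bounce_dir" string => "$(sympa_dir)/bounce";
"sympa_domain" string => "$(cfg[sympa_domain])";
# Apache vhost for the sympa web UI; the vhost body comes from sympa.apache_cfg.
"sympa_site" data => '{
"domain" : "$(sympa_domain)",
"aliases" : [],
"email": "$(cfg[postmaster_mail])",
"disable": false,
"ssl": true,
"raw": "
$(sympa.apache_cfg)
"
}';
"sympa_site_json" string => storejson(@(sympa_site));
"cfg_json" string => storejson(@(cfg));
"sympa_domains_json" string => storejson( @(cfg[sympa_domains]));
# install_sympa configuration; db_settings and domains are spliced in as
# pre-rendered JSON. "etc" is a fixed path on the mail volume.
"sympa_cfg" data => '{
"version":"6.2.72",
"backup_dir":"$(cfg[backup_dir])/sympa",
"db_settings":$(sympa_db_json),
"settings": {
"domain":"$(cfg[sympa_domain])",
"wwsympa_url":"$(cfg[wwsympa_url])",
"listmaster":"$(cfg[sympa_listmaster])",
"sendmail_aliases":"$(sympa.conf_dir)/sympa_transport",
"aliases_program":"/usr/sbin/postmap",
"db_type":"$(sympa_db[db_type])",
"db_name":"$(sympa_db[db_name])",
"db_host":"$(sympa_db[db_host])",
"db_passwd":"$(sympa_db[db_pass])",
"db_user":"$(sympa_db[db_user])",
"home":"$(sympa_home_dir)",
"bounce_path":"$(sympa_bounce_dir)",
"arc_path":"$(sympa_arc_dir)",
"etc":"/mnt/mail-vol/sympa/etc"
}
,
"domains": $(sympa_domains_json)
}',
handle => "wmde_mail_sympa_cfg_ready";
"sympa_general_transport" string => "$(postfix.maps_dir)/sympa_general";
"sympa_cfg_json" string => storejson(@(sympa_cfg));
reports:
# Debug reports; leave them commented out, "CFG" prints every secret in cfg.
# "SYMPA DOMAIN $(sympa_domain)";
# "SYMPA_DB_JSON: $(sympa_db_json)";
# "SYMPA_CFG_JSON: $(sympa_cfg_json)";
# "SYMPA_DOMAINS_JSON $(sympa_domains_json)";
# "SYMPA_SITE $(sympa_site_json)";
# "CFG $(cfg_json)";
users:
"$(cfg[vmail_user])"
policy => "present",
description => "Vmail user",
uid => "$(cfg[vmail_uid])";
methods:
# Ordering: DBs and Apache first, then the sites, then the web apps that
# need both; the mail daemons and sympa follow. Note that the sympa and
# opendkim bundles are invoked regardless of cfg[sympa] / cfg[opendkim].
"any" usebundle => install_system_repos;
"any" usebundle => aia_install_dbs,
handle => "aia_dbs_installed";
"any" usebundle => aia_install_apache,
handle=> "aia_apache_installed";
"any" usebundle => aia_install_sites,
handle => "aia_sites_installed",
depends_on => {"aia_apache_installed"};
"any" usebundle => vimbadmin(@(vimb_cfg)),
depends_on => {"aia_sites_installed"};
"any" usebundle => roundcube(@(roundcube_cfg)),
handle => "aia_roundcube_installed",
depends_on => {
"aia_sites_installed",
"aia_roundcube_backup_dir_created"
};
"any" usebundle => configure_roundcube(@(roundcube_cfg)),
depends_on => {"aia_roundcube_installed"};
"any" usebundle => configure_roundcube_password_plugin(@(vimb_cfg));
"any" usebundle => roundcube_install_password_recovery_plugin(@(roundcube_password_recover_cfg));
"any" usebundle => install_postfix_pkgs;
"any" usebundle => install_dovecot_pkgs;
"any" usebundle => install_redis;
"any" usebundle => install_rspamd_pkgs;
"any" usebundle => dovecot(@(dovecot_cfg));
"any" usebundle => postfix(@(postfix_cfg));
"any" usebundle => rspamd(@(rspamd_cfg));
"any" usebundle => dovecot_vimbadmin_sql(@(vimb_cfg),@(dovecot_cfg));
"any" usebundle => postfix_vimbadmin_sql(@(vimb_db));
"any" usebundle => opendkim(@(opendkim_cfg));
"any" usebundle => sympa;
# The depends_on entries are commented out, so install_sympa currently
# runs without waiting for "wmde_mail_sympa_cfg_ready".
"any" usebundle => install_sympa(@(sympa_cfg)),
depends_on => {
# "wmde_mail_sympa_site_installed",
# "wmde_mail_sympa_cfg_ready"
},handle => "wmde_mail_sympa_installed";
"any" usebundle => sympa_postfix_sql(@(sympa_db));
"any" usebundle => sympa_create_postfix_general_maps(@(sympa_cfg),"$(aia_mailserver.sympa_general_transport)");
"any" usebundle => sympa_create_postfix_maps;
files:
# Backup directory roundcube's restore step relies on.
"$(roundcube_cfg[backup_dir])/."
create=>"true",
handle => "aia_roundcube_backup_dir_created";
}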
bundle agent aia_install_dbs
{
# Installs the MySQL server from aia_mailserver.mysql_cfg and then creates
# the vimbadmin, sympa and roundcube databases/users from the matching
# aia_mailserver containers; each create_mysql_db waits for the
# "aia_mysql_installed" handle. Those containers all set db_user_host to
# "%", so the users are not limited to localhost — presumably the server's
# bind-address (cfg[db_host], 127.0.0.1 by default) is what keeps them
# off the network; verify before changing db_host.
methods:
"any" usebundle => install_mysql_server(@(aia_mailserver.mysql_cfg)),
handle => "aia_mysql_installed";
"any" usebundle => create_mysql_db(@(aia_mailserver.vimb_db)),
depends_on => {"aia_mysql_installed"};
"any" usebundle => create_mysql_db(@(aia_mailserver.sympa_db)),
depends_on => {"aia_mysql_installed"};
# roundcube_cfg carries the same db_* keys as the two containers above.
"any" usebundle => create_mysql_db(@(aia_mailserver.roundcube_cfg)),
depends_on => {"aia_mysql_installed"};
}
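bundle agent aia_install_apache
{
# Installs Apache together with PHP and PHP-FPM. The PHP version is kept in
# one variable; aia_mailserver.roundcube_site pins its FPM socket to
# php8.2-fpm, so keep the two in step. php and _install_php_fpm are listed
# before install_apache so the handles it depends_on are already kept in the
# same pass (previously install_apache was skipped until a later pass).
vars:
"php_version" string => "8.2";
"php_settings"
data => '{
"upload_max_filesize":"20M",
"post_max_size":"20M",
}';
methods:
"any" usebundle => apache;
"any" usebundle => php( "$(php_version)", @(php_settings) ),
handle=>"aia_php_installed";
"any" usebundle => _install_php_fpm("$(php_version)"),
handle=>"aia_phpfpm_installed";
"any" usebundle => install_apache,
depends_on => {"aia_php_installed","aia_phpfpm_installed"};
}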
bundle agent aia_install_sites
{
# Creates the Apache vhosts for vimbadmin, roundcube, the rspamd UI and
# sympa (all vhost containers come from aia_mailserver), then requests a
# certificate for the imap domain plus its alias domains.
# NOTE(review): aliasdoms_json only expands to valid JSON when
# aia_mailserver.cfg[imap_alias_domains] is defined (via param_cfg or a
# default) — confirm it is set on every deployment.
# The sympa vhost is created regardless of cfg[sympa].
vars:
"aliasdoms_json" string => storejson( @(aia_mailserver.cfg[imap_alias_domains])) ;
# Site passed to certbot_cert only (not to apache_vhost), hence no doc_root.
"mail_site" data => '{
"domain":"$(aia_mailserver.cfg[imap_domain])",
"aliases": $(aliasdoms_json),
"email":"$(aia_mailserver.cfg[webmaster_mail])",
"disable":false,
}';
methods:
"any" usebundle => apache_vhost(@(aia_mailserver.vimb_site));
"any" usebundle => apache_vhost(@(aia_mailserver.roundcube_site));
"any" usebundle => apache_vhost(@(aia_mailserver.rspamd_site));
"any" usebundle => apache_vhost(@(aia_mailserver.sympa_site));
"any" usebundle => certbot_cert(@(mail_site),"$(apache.web_root)");
}