From cbf0e0a22ef3a397aca9d2af19ec0b6d85516d88 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Mon, 9 Nov 2015 21:20:16 +0100 Subject: [PATCH] Start writing postfix configuration --- test-vagrant-salt/NOTES.rst | 4 + test-vagrant-salt/Vagrantfile | 1 + test-vagrant-salt/salt/gateway/forwarding.sls | 6 +- test-vagrant-salt/salt/testvm/init.sls | 3 + test-vagrant-salt/salt/testvm/postfix/aliases | 71 ++++++ test-vagrant-salt/salt/testvm/postfix/init.sls | 55 +++++ test-vagrant-salt/salt/testvm/postfix/main.cf | 267 +++++++++++++++++++++ test-vagrant-salt/salt/testvm/postfix/master.cf | 296 ++++++++++++++++++++++++ test-vagrant-salt/salt/testvm/users.sls | 25 ++ test-vagrant-salt/salt/top.sls | 4 +- test-vagrant-salt/saltconfig | 9 + test-vagrant-salt/saltpillar/postfix.sls | 16 ++ test-vagrant-salt/saltpillar/top.sls | 3 + 13 files changed, 754 insertions(+), 6 deletions(-) create mode 100644 test-vagrant-salt/salt/testvm/init.sls create mode 100644 test-vagrant-salt/salt/testvm/postfix/aliases create mode 100644 test-vagrant-salt/salt/testvm/postfix/init.sls create mode 100644 test-vagrant-salt/salt/testvm/postfix/main.cf create mode 100644 test-vagrant-salt/salt/testvm/postfix/master.cf create mode 100644 test-vagrant-salt/salt/testvm/users.sls create mode 100644 test-vagrant-salt/saltpillar/postfix.sls create mode 100644 test-vagrant-salt/saltpillar/top.sls diff --git a/test-vagrant-salt/NOTES.rst b/test-vagrant-salt/NOTES.rst index 04ab60e..59aa4f1 100644 --- a/test-vagrant-salt/NOTES.rst +++ b/test-vagrant-salt/NOTES.rst @@ -37,6 +37,10 @@ Quick commands sudo salt-call --local grains.ls sudo salt-call --local grains.items +* List the current pillar items:: + + sudo salt-call --local pillar.items + Random notes during the development of the project -------------------------------------------------- diff --git a/test-vagrant-salt/Vagrantfile b/test-vagrant-salt/Vagrantfile index 1b3de82..46c7514 100644 --- a/test-vagrant-salt/Vagrantfile 
+++ b/test-vagrant-salt/Vagrantfile @@ -30,6 +30,7 @@ Vagrant.configure(2) do |config| testvm_config.vm.host_name = "testvm" testvm_config.vm.network "private_network", ip: "192.168.33.10" testvm_config.vm.synced_folder "salt/", "/srv/salt" + testvm_config.vm.synced_folder "saltpillar/", "/srv/saltpillar" # Change the default route to the gateway VM testvm_config.vm.provision "shell", diff --git a/test-vagrant-salt/salt/gateway/forwarding.sls b/test-vagrant-salt/salt/gateway/forwarding.sls index 762b822..5c5b2e3 100644 --- a/test-vagrant-salt/salt/gateway/forwarding.sls +++ b/test-vagrant-salt/salt/gateway/forwarding.sls @@ -9,15 +9,15 @@ netfilter-persistent: /etc/iptables/rules.v4: file.managed: - - source : salt://gateway/iptables.rules + - source: salt://gateway/iptables.rules - makedirs: True - watch_in: - service: netfilter-persistent /etc/iptables/rules.v6: file.symlink: - - target : rules.v4 - - force : True + - target: rules.v4 + - force: True - watch_in: - service: netfilter-persistent diff --git a/test-vagrant-salt/salt/testvm/init.sls b/test-vagrant-salt/salt/testvm/init.sls new file mode 100644 index 0000000..44acbea --- /dev/null +++ b/test-vagrant-salt/salt/testvm/init.sls @@ -0,0 +1,3 @@ +include: + - .users + - .postfix diff --git a/test-vagrant-salt/salt/testvm/postfix/aliases b/test-vagrant-salt/salt/testvm/postfix/aliases new file mode 100644 index 0000000..23b4e5e --- /dev/null +++ b/test-vagrant-salt/salt/testvm/postfix/aliases 
@@ -0,0 +1,71 @@
+# The program "postalias /etc/aliases" must be run after changing this file.
+
+# account
+x2042blah: => .forward
+
+root: x2042blah@hruid.polytechnique.org
+
+# postfix notices (high throughput)
+postfix: /var/mail/postfix
+# antivirus notices (high throughput)
+virusalert: /dev/null
+# poisonous mails -- always considered spam
+poisonous: /dev/null
+
+# Nagios notifications
+nagios: root+nagios
+
+# timestamps logs pour djali
+timestamp: log@hruid.polytechnique.org
+
+# RFC 2821 and 2142 / postmaster and abuse must be monitored
+postmaster: abuse
+abuse: hotliners, root
+
+# clamav update notifications
+clamav: root
+
+mailer-daemon: postfix
+
+clamav-virusdb: clamav
+mailcheck: |/etc/postfix/bin/mailcheck
+spam: spam@bogo.polytechnique.org
+nonspam: nonspam@bogo.polytechnique.org
+nospam: nonspam
+spam-dev: spam@imap.polytechnique.org
+nonspam-dev: nonspam@imap.polytechnique.org
+
+# standard aliases
+daemon: root
+adm: root
+operator: root
+nobody: root
+mysql: root
+save: root
+usenet: news
+hostmaster: root
+
+# To test sending emails
+null: /dev/null
+
+# For domain renewals
+contact+crt: root, tresorier
+contact+ovh: root, tresorier
+contact+gdi: root, tresorier
+domaines: root, tresorier
+
+# mailling list for bounces and other dirty things
+web: www-data
+webmestre: web
+webmaster: web
+
+# newsletter :
+
+# Newsletter
+info+newsletter: otrs.platal+newsletter
+info+nlp: otrs.platal+newsletter
+
+# bounces of the NL
+retour-nl: /var/mail/retour-nl
+#info+newsletter: retour-nl@mx1.polytechnique.org
+#info+nlp: retour-nl@mx1.polytechnique.org
diff --git a/test-vagrant-salt/salt/testvm/postfix/init.sls b/test-vagrant-salt/salt/testvm/postfix/init.sls
new file mode 100644
index 0000000..c1180a9
--- /dev/null
+++ b/test-vagrant-salt/salt/testvm/postfix/init.sls
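Review bot: The entry `x2042blah: => .forward` under `# account` is not aliases(5) syntax — the value would be read as the two addresses `=>` and `.forward` — and, as far as I recall local(8), an alias that matches a recipient is expanded instead of consulting that user's ~/.forward, so the .forward that users.sls installs for this very account would never be exercised. If the line is meant as a reminder that the account is handled by its .forward file, comment it out: `#x2042blah: => .forward`. The header comment says `postalias /etc/aliases` must be run, but this file is deployed as /etc/postfix/aliases (and main.cf's alias_maps points there), so the comment should name that path to avoid rebuilding the wrong database. `mailcheck: |/etc/postfix/bin/mailcheck` pipes mail into a script that nothing in this commit provisions; a `# TODO: /etc/postfix/bin is not managed yet` next to it would flag that.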
@@ -0,0 +1,55 @@
+no-other-mta:
+ pkg.removed:
+ - pkg: exim4
+ - pkg: ssmtp
+
+postfix-pkg:
+ pkg.installed:
+ - name: postfix
+ - require:
+ - pkg: no-other-mta
+
+postfix-permissions:
+ # fix all permission issues
+ cmd.run:
+ - name: postfix set-permissions || /bin/true
+ - require :
+ - pkg: postfix-pkg
+
+postfix-daemon:
+ service.running:
+ - name: postfix
+ - reload: true
+ - enable: true
+ - require :
+ - pkg: postfix-pkg
+
+/etc/postfix/aliases:
+ file.managed:
+ - source: salt://testvm/postfix/aliases
+ - template: jinja
+ - file_mode: 640
+ - dir_mode: 755
+ - user: root
+ - group: root
+ - watch_in:
+ - service: postfix-daemon
+ cmd.run:
+ - name: postalias /etc/aliases
+ - require:
+ - pkg: postfix-pkg
+ - file: /etc/postfix/aliases
+
+/etc/postfix/main.cf:
+ file.managed:
+ - source: salt://testvm/postfix/main.cf
+ - template: jinja
+ - watch_in:
+ - service: postfix-daemon
+
+/etc/postfix/master.cf:
+ file.managed:
+ - source: salt://testvm/postfix/master.cf
+ - template: jinja
+ - watch_in:
+ - service: postfix-daemon
diff --git a/test-vagrant-salt/salt/testvm/postfix/main.cf b/test-vagrant-salt/salt/testvm/postfix/main.cf
new file mode 100644
index 0000000..e969ae6
--- /dev/null
+++ b/test-vagrant-salt/salt/testvm/postfix/main.cf
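Review bot: The `cmd.run` attached to `/etc/postfix/aliases` rebuilds the wrong database: the managed file is /etc/postfix/aliases and main.cf's alias_maps/alias_database point there, but the command is `postalias /etc/aliases`, so /etc/postfix/aliases.db is never generated and the command re-runs on every highstate. Use `- name: postalias /etc/postfix/aliases` with `- onchanges: - file: /etc/postfix/aliases` instead of `require`. In `no-other-mta`, `- pkg: exim4` / `- pkg: ssmtp` is not an argument pkg.removed accepts (it wants `- pkgs: [exim4, ssmtp]` or a `name`), so that state will error and nothing will be removed. `postfix set-permissions || /bin/true` hides failures and also runs every time; gating it with `- onchanges: - pkg: postfix-pkg` keeps it to the install. Minor style: `- require :` (space before the colon) is exactly the spacing this same commit cleans up in gateway/forwarding.sls.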
@@ -0,0 +1,267 @@ +# Does the server accept emails from a public IP address? Has Mailman? Has IMAP? +{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %} +{% set has_imap = not not pillar['postfix'].get('has_imap') %} +{% set has_mailman = not not pillar['postfix'].get('has_mailman') %} +{% set has_smtps = not not pillar['postfix'].get('has_smtps') %} + +### +### Server configuration +### + +queue_directory = /var/spool/postfix +command_directory = /usr/sbin +daemon_directory = /usr/lib/postfix +mail_owner = postfix +default_privs = mail + +defer_transports = deferred + +hash_queue_depth = 1 +hash_queue_names = active,deferred,bounce,defer,flush + +### +### receiving and distributing emails +### + +{% if not is_mx %} +inet_protocols = all +inet_interfaces = 127.0.0.1 +{% elif pillar['postfix']['ipaddr'].get('mx6') %} +inet_protocols = all +inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }} +smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }} +#smtp_address_preference = ipv4 +{% else %} +inet_protocols = ipv4 +inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }} +{% endif %} + +myhostname = {{ grains["host"] }}.polytechnique.org + +{% if not is_mx %} +mydomain = $myhostname +{% else %} +mydomain = polytechnique.org +{% endif %} +myorigin = $myhostname + + +mydestination = + hruid.polytechnique.org + {{ grains["host"] }}.polytechnique.org + {{ grains["host"] }}.m4x.org + {% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %} + +virtual_alias_domains = + hash:/etc/postfix/virtual + {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %} + +mynetworks = 127.0.0.1/32 + +relay_domains = bounces.m4x.org + +transport_maps = + {% if is_mx %}hash:/etc/postfix/transport{% endif %} + hash:/etc/postfix/transport-{{ grains["host"] }} + {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %} + +recipient_delimiter = + + +append_dot_mydomain = no + +# local 
distribution +#local_recipient_maps = $alias_maps unix:passwd.byname +mailbox_command = /usr/bin/procmail -a "$EXTENSION" +mailbox_size_limit = 0 + +### +### forwarding +### + +relocated_maps = hash:/etc/postfix/renamed_lists + +alias_maps = + hash:/etc/postfix/aliases + {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %} + {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %} + +alias_database = + hash:/etc/postfix/aliases + +# used for all domains other than hruid.polytechnique.org, which is local +virtual_alias_maps = + {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %} + {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %} + {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %} + {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %} + {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %} + {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %} + hash:/etc/postfix/virtual + +{% if has_imap %} +virtual_mailbox_domains = imap.polytechnique.org +virtual_transport = deliver_imap: +{% endif %} + +### +### rewriting +### + +{% if is_mx %} +local_header_rewrite_clients=static:all +{% endif %} + +# NOTE: We use some different cleanups in function of when is it called. 
In order +# to know which canonicals are applied when please refer to the master.cf + +# Possible transformation of the From in an adress in m4x.org or polytechnique.org +{% if is_mx %} +sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf +sender_canonical_classes = envelope_sender, header_sender +{% endif %} + +# transform the _ into + but for jaune_rouge@ and SRS decoding +recipient_canonical_maps = + {% if is_mx %}tcp:127.0.0.1:10002{% endif %} + regexp:/etc/postfix/conversion_underscore.regex + +recipient_canonical_classes = envelope_recipient + +{% if has_mailman %} +canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex +pipemm_destination_recipient_limit = 1 +{% endif %} + +# when rewriting, we have to keep the '+toto@' +propagate_unmatched_extensions = canonical + +# We keep bounces that are not deliverable in queue only 36h +bounce_queue_lifetime = 36h + +# Maximum message size 26MiB (cf infra 18/12/2009) +message_size_limit = 27262976 + +### +### anti-spam mesures +### + +# limits at the level of SMTP commands received in a session: +# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY +# - slow down after 2 false commands (VRFY...) 
or 2 unknown commands +# - slow down to 1 command every 10s, then stop after 20 errors +smtpd_banner = $myhostname ESMTP +smtpd_helo_required = yes +disable_vrfy_command = yes +smtpd_recipient_limit = 100 +smtpd_junk_command_limit = 2 +smtpd_soft_error_limit = 2 +smtpd_error_sleep_time = 10s +smtpd_hard_error_limit = 20 +message_reject_characters = \0 +smtpd_discard_ehlo_keywords = silent-discard, dsn + +smtpd_recipient_restrictions = + {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %} + permit_mynetworks + check_recipient_access hash:/etc/postfix/recipient_access + reject_invalid_hostname + check_helo_access hash:/etc/postfix/helo_access + reject_non_fqdn_sender + reject_unknown_sender_domain + reject_unauth_pipelining + reject_unauth_destination + {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %} + reject_unlisted_sender + {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %} + + # Postlicyd (instead of whitelister + postgrey) + {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %} + + check_helo_access regexp:/etc/postfix/helo_access.regexp + permit + +{% if is_mx %} +smtpd_recipient_restrictions_sasl = + reject_non_fqdn_sender + reject_unknown_sender_domain + reject_unlisted_sender + check_policy_service inet:127.0.0.1:60001 + permit_sasl_authenticated + reject +{% endif %} + +# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful +# but it does not cost anything and there is no possible false positives. +# Then, Postlicyd performs the check at "DATA"-time for the honeypots. 
+smtpd_data_restrictions = + reject_unauth_pipelining + reject_multi_recipient_bounce + {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %} + permit + +# reject of mails according of their content +strict_rfc821_envelopes = yes +nested_header_checks = +mime_header_checks = regexp:/etc/postfix/header_checks/mime +header_checks = + regexp:/etc/postfix/header_checks/xorg + regexp:/etc/postfix/header_checks/antispam + regexp:/etc/postfix/header_checks/clean_self + +smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing + +### +### not categorized +### + +# Make the requests stop at owner-alias for each alias +owner_request_special = no + +parent_domain_matches_subdomains = + +# TLS server +# paths of files: +{% if is_mx %} +smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt +smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key +{% endif %} +{% if has_smtps %} +smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache +smtpd_tls_session_cache_timeout=3600 +{% endif %} +smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt +# the serveur proposes (STARTTLS): +smtpd_tls_security_level = may +smtpd_tls_loglevel = 1 +# we add headers if TLS has been used +smtpd_tls_received_header = yes +# we ask the client if she can provide a certificated, but we do not require it +smtpd_tls_ask_ccert = yes + +# TLS client +{% if is_mx %} +smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt +smtp_tls_key_file = /etc/postfix/ssl/smtp.key +{% endif %} +smtp_tls_CAfile = /etc/postfix/ssl/ca.crt +smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +smtp_tls_security_level = may +smtp_tls_loglevel = 1 + +# Choose which information is sent to postmaster... 
+notify_classes = resource,software +error_notice_recipient = root + +setgid_group = postdrop +biff = no + +# Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section +{% if is_mx %} +proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions +{% endif %} + +# The following line allow blocking every outgoing email, when doing tests or server migrations +# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g +#default_transport = retry:waiting for more stability + +# vim:set syntax=pfmain: diff --git a/test-vagrant-salt/salt/testvm/postfix/master.cf b/test-vagrant-salt/salt/testvm/postfix/master.cf new file mode 100644 index 0000000..787851d --- /dev/null +++ b/test-vagrant-salt/salt/testvm/postfix/master.cf 
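Review bot: With the pillar shipped in this commit (mx4 set, so is_mx is true) the rendered restrictions depend on services and tables that this state does not provision: `check_policy_service inet:127.0.0.1:60001`, `tcp:127.0.0.1:10002` in recipient_canonical_maps, the `mysql:`/`proxy:mysql:` map files, and many `hash:`/`regexp:` tables under /etc/postfix (client_access, recipient_access, helo_access, virtual, transport, tls_policy, header_checks/*). Postfix treats a missing table or an unreachable policy server as a temporary lookup failure, so inbound mail on the MX listener would be deferred with 4xx rather than accepted; that is acceptable for a "start writing" commit but deserves a comment near the top of main.cf, e.g. `# NOTE: expects postlicyd on 127.0.0.1:60001, the SRS daemon on 127.0.0.1:10002, the MySQL map files and the hash:/regexp: tables under /etc/postfix — none of these are managed by this state yet`. The TLS material under /etc/postfix/ssl is likewise unmanaged; with `smtpd_tls_security_level = may` Postfix simply runs without TLS if the files are absent, which is easy to miss, so when the key is added make sure it is root-owned 0600 since main.cf only references the path and is left at the package's world-readable mode.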
@@ -0,0 +1,296 @@ +{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %} +{% set has_imap = not not pillar['postfix'].get('has_imap') %} +{% set has_mailman = not not pillar['postfix'].get('has_mailman') %} +{% set has_smtps = not not pillar['postfix'].get('has_smtps') %} + +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== + + +{% if has_smtps %} +{% for addr in (pillar['postfix']['ipaddr'].get('mx4'), pillar['postfix']['ipaddr'].get('mx6')) %} +{% if addr %} +# SMTP +{{ addr }}:2525 inet n - n - - smtpd + -o myhostname=ssl.polytechnique.org + -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl + -o smtpd_recipient_limit=1000 + -o smtpd_sasl_auth_enable=yes + -o broken_sasl_auth_clients=yes + -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key + -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt +# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt + -o smtpd_tls_security_level=encrypt + -o smtpd_tls_loglevel=1 + -o smtpd_tls_received_header=yes + -o smtpd_tls_ask_ccert=no + -o content_filter=localsmtp:[127.0.0.1]:10024 + -o cleanup_service_name=cleanup-in + +# smtps (TCP port 465) is the same config, with enforce_tls and tls_wrappermode +{{ addr }}::smtps inet n - n - - smtpd + -o myhostname=ssl.polytechnique.org + -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl + -o smtpd_recipient_limit=1000 + -o smtpd_sasl_auth_enable=yes + -o broken_sasl_auth_clients=yes + -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key + -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt +# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt + -o smtpd_tls_security_level=encrypt + -o smtpd_tls_loglevel=1 + -o smtpd_tls_received_header=yes + -o smtpd_tls_ask_ccert=no + -o smtpd_tls_wrappermode=yes + -o content_filter=localsmtp:[127.0.0.1]:10024 + -o 
cleanup_service_name=cleanup-in + +# submission (TCP port 587) is the same config, with only enforce_tls +{{ addr }}:587 inet n - n - - smtpd + -o myhostname=ssl.polytechnique.org + -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl + -o smtpd_recipient_limit=1000 + -o smtpd_sasl_auth_enable=yes + -o broken_sasl_auth_clients=yes + -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key + -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt +# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt + -o smtpd_tls_security_level=encrypt + -o smtpd_tls_loglevel=1 + -o smtpd_tls_received_header=yes + -o smtpd_tls_ask_ccert=no + -o content_filter=localsmtp:[127.0.0.1]:10024 + -o cleanup_service_name=cleanup-in +{% endif %} +{% endfor %} +{% endif %} + +{% if is_mx %} +# input smtpd +{% for addr in (pillar['postfix']['ipaddr'].get('mx4'), pillar['postfix']['ipaddr'].get('mx6')) %} +{% if addr %} +{{ addr }}:smtp inet n - n - 200 smtpd + -o myhostname={{ pillar['postfix']['mx_name'] }} + -o content_filter=localsmtp:[127.0.0.1]:10024 + -o smtpd_client_recipient_rate_limit=300 + -o smtpd_client_message_rate_limit=120 + -o cleanup_service_name=cleanup-in + +{% endif %} +{% endfor %} + +# local smtpd (bounces) +# 10027: decode the bounces directly produced by the system +127.0.0.1:10027 inet n - n - 200 smtpd + -o myhostname=bounces.m4x.org + -o content_filter=localsmtp:[127.0.0.1]:10024 + -o smtpd_client_connection_count_limit=4 + -o smtpd_client_connection_rate_limit=30 + -o smtpd_client_recipient_rate_limit=120 + -o smtpd_client_message_rate_limit=60 + -o cleanup_service_name=cleanup-bounce + +# 10025: receive mails given by clamsmtp +127.0.0.1:10025 inet n - n - - smtpd.local + -o content_filter=bogofilter:$myhostname + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_recipient_limit=1000 + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o 
smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions= + -o receive_override_options=no_unknown_recipient_checks + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_tls_security_level=none + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o cleanup_service_name=cleanup-mid + +# 10026: receive mails from other hosts WITHOUT filtering +127.0.0.1:10026 inet n - n - - smtpd.local + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_recipient_limit=1000 + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions= + -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_tls_security_level=none + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o cleanup_service_name=cleanup-out + +# 20000: receive mails to @g.polytechnique.org and SRS-decode +127.0.0.1:20000 inet n - n - - smtpd + -o syslog_name=postfix-nosrs + -o queue_directory=/var/spool/postfix-nosrs + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o virtual_alias_maps= + -o smtpd_restriction_classes= + -o smtpd_recipient_limit=1000 + -o mynetworks=127.0.0.1/32 + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o mydestination=g.polytechnique.org + -o virtual_alias_domains= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions= + -o receive_override_options=no_unknown_recipient_checks + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o 
smtpd_tls_security_level=none + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o cleanup_service_name=cleanup-nosrs + +# bogofilter +bogofilter unix - n n - 10 pipe + flags=R user=filter argv=/etc/postfix/bin/filter-postfix-bogo.sh -f ${sender} -- ${recipient} + +{% endif %} + +# localsmtp +# This transport is usued for local submission +# The timeout on end_of_data is increased because ClamAV takes a little bit too much times, occasionally +localsmtp unix - - n - 20 smtp + -o smtp_bind_address=127.0.0.1 + -o myhostname=local.polytechnique.org + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + -o smtp_tls_security_level=none + +{% if has_mailman %} +pipemm unix - n n - - pipe + flags=R user=list argv=/var/lib/mailman/mail/mailman ${extension} ${user} +{% endif %} + +{% if has_imap %} +deliver_imap unix - n n - 10 pipe + user=vmail argv=/etc/postfix/bin/deliver_imap.sh ${user} +{% endif %} + +{% if not is_mx %} +# default daemons +smtp inet n - - - - smtpd +pickup fifo n - n 60 1 pickup +bounce unix - - n - 0 bounce +cleanup unix n - n - 0 cleanup + -o queue_service_name=qmgr +{% endif %} + +# Base +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 nqmgr +tlsmgr unix - - n 300 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +defer unix - - n - 0 bounce +smtp unix - - n - 150 smtp + -o myhostname={{ pillar['postfix']['mx_name'] }} +smtp-low unix - - n - 3 smtp + -o myhostname={{ pillar['postfix']['mx_name'] }} +showq unix n - n - - showq +error unix - - n - - error +local unix - n n - - local +#virtual unix - n n - - virtual +#lmtp unix - - n - - lmtp +flush unix n - - 1000? 
0 flush +relay unix - - - - - smtp +proxymap unix - - n - - proxymap +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +discard unix - - - - - discard +deferred unix - - n - - smtp +retry unix - - - - - error +relay unix - - n - - smtp -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 + + +{% if is_mx %} +# Special cleanup +pickup fifo n - n 60 1 pickup + -o cleanup_service_name=cleanup-out +bounce unix - - n - 0 bounce + -o cleanup_service_name=cleanup-bounce + +cleanup unix n - n - 0 cleanup + -o sender_canonical_maps= + -o queue_service_name=qmgr + +cleanup-bounce unix n - n - 0 cleanup + -o syslog_name=postfix-bounce + -o sender_canonical_maps= + -o recipient_canonical_maps=tcp:127.0.0.1:10002 + -o recipient_canonical_classes=header_recipient,envelope_recipient + -o queue_service_name=qmgr + +cleanup-nosrs unix n - n - 0 cleanup + -o syslog_name=postfix-nosrs + -o queue_directory=/var/spool/postfix-nosrs + -o virtual_alias_maps= + -o sender_canonical_maps=tcp:127.0.0.1:10002 + -o sender_canonical_classes=envelope_sender + -o recipient_canonical_maps= + -o queue_service_name=qmgr-nosrs +qmgr-nosrs fifo n - n 300 1 qmgr + -o syslog_name=postfix-nosrs + -o queue_directory=/var/spool/postfix-nosrs + -o rewrite_service_name=rewrite-nosrs +rewrite-nosrs unix - - n - - trivial-rewrite + -o syslog_name=postfix-nosrs + -o queue_directory=/var/spool/postfix-nosrs + -o transport_maps= + -o default_transport=smtp-nosrs +smtp-nosrs unix - - n - 20 smtp + -o syslog_name=postfix-nosrs + -o queue_directory=/var/spool/postfix-nosrs + -o myhostname={{ pillar['postfix']['mx_name'] }} + +cleanup-out unix n - n - 0 cleanup + -o syslog_name=postfix-out + -o sender_canonical_maps= + -o recipient_canonical_maps=regexp:/etc/postfix/conversion_underscore.regex + -o recipient_canonical_classes=envelope_recipient + -o queue_service_name=qmgr + +cleanup-mid unix n - n - 0 cleanup + -o 
syslog_name=postfix-mid
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=tcp:127.0.0.1:10001
+ -o sender_canonical_classes=envelope_sender
+ -o recipient_canonical_maps=
+ -o canonical_maps=
+ -o header_checks=regexp:/etc/postfix/header_checks/bouncediscard
+ -o queue_service_name=qmgr
+
+cleanup-in unix n - n - 0 cleanup
+ -o syslog_name=postfix-in
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
+ -o sender_canonical_classes=envelope_sender,header_sender
+ -o recipient_canonical_maps=tcp:127.0.0.1:10002
+ -o recipient_canonical_classes=header_recipient,envelope_recipient
+ -o canonical_maps=
+ -o queue_service_name=qmgr
+{% endif %}
+
+# vim:set noet sw=8 sts=8 ts=8 syntax=pfmain:
diff --git a/test-vagrant-salt/salt/testvm/users.sls b/test-vagrant-salt/salt/testvm/users.sls
new file mode 100644
index 0000000..ee9e237
--- /dev/null
+++ b/test-vagrant-salt/salt/testvm/users.sls
@@ -0,0 +1,25 @@
+# Fake admin user account with a .forward file
+x2042blah:
+ user.present:
+ - fullname: Blah
+ - gid: 100
+ - shell: /bin/sh
+ - createhome: true
+ - groups:
+ - adm
+
+/home/x2042blah/:
+ file.directory:
+ - user: x2042blah
+ - group: users
+ - makedirs: True
+ - requires:
+ - user: x2042blah
+
+/home/x2042blah/.forward:
+ file.managed:
+ - user: x2042blah
+ - group: users
+ - contents: x2042blah-forwarded@hruid.polytechnique.org
+ - requires:
+ - user: x2042blah
diff --git a/test-vagrant-salt/salt/top.sls b/test-vagrant-salt/salt/top.sls
index 294daf9..117184b 100644
--- a/test-vagrant-salt/salt/top.sls
+++ b/test-vagrant-salt/salt/top.sls
@@ -1,6 +1,4 @@
 base:
 '*':
 - common
- {% if grains['fqdn'] == 'gateway' %}
- - gateway
- {% endif %}
+ - {{ grains['fqdn'] }}
diff --git a/test-vagrant-salt/saltconfig b/test-vagrant-salt/saltconfig
index 2e0c5b0..a5952a2 100644
--- a/test-vagrant-salt/saltconfig
+++ b/test-vagrant-salt/saltconfig
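Review bot: The submission listeners (port 2525, smtps and 587) all set `-o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl`, but main.cf only defines smtpd_recipient_restrictions_sasl inside `{% if is_mx %}`, while these services are emitted under `{% if has_smtps %}`; the two pillar flags are independent, so a host with has_smtps and no mx4 renders a reference to an undefined parameter, i.e. an empty recipient restriction list on the authenticated services. As far as I recall Postfix refuses such a list (older releases) or falls back to smtpd_relay_restrictions (2.10+) rather than relaying openly, but the failure is obscure; either guard the block with `{% if has_smtps and is_mx %}` or move the `smtpd_recipient_restrictions_sasl = ...` definition out of the is_mx conditional in main.cf. The same has_smtps-only host would also hand mail to `content_filter=localsmtp:[127.0.0.1]:10024` with the 10025 re-injection service absent (it sits under is_mx), so documenting that has_smtps implies is_mx is worthwhile either way. Separately, `relay unix` is defined twice (plain, and again with `-o smtp_fallback_relay=`); check with `postconf -M` which one wins, and drop the other.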
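Review bot: `- requires:` is not a Salt requisite (the keyword is `require`), so both the `/home/x2042blah/` and `/home/x2042blah/.forward` states will fail on an unexpected argument instead of being ordered after the user state; change both to `- require:`. The directory state is in any case redundant with `createhome: true` on the user. From a least-privilege angle, a throwaway test account is added to `adm`, which on Debian typically grants read access to /var/log, and nothing in the .forward test needs that; drop the `groups` list or explain it with `# adm: needed for …`. Pinning `- mode: 644` on the .forward file keeps it readable by the local delivery agent regardless of the minion's umask, which makes the test deterministic.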
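Review bot: `- {{ grains['fqdn'] }}` selects the state tree from the fqdn grain, which on a Vagrant box may render as `testvm.localdomain` or similar depending on /etc/hosts; Salt then reads the dot as a path separator (`testvm/localdomain.sls`) and the highstate fails with "No matching sls found". The templates in this same commit key everything on `grains["host"]`, so `- {{ grains['host'] }}` would be both consistent and immune to the domain suffix. A comment such as `# one state directory per VM, named after the short hostname` would make the convention explicit for the next VM added.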
@@ -2,3 +2,12 @@ id: masterless-salt
 # Do not fetch resources from a master
 file_client: local
+
+# Specify the path of salt forumulas and pillars
+file_roots:
+ base:
+ - /srv/salt
+
+pillar_roots:
+ base:
+ - /srv/saltpillar
diff --git a/test-vagrant-salt/saltpillar/postfix.sls b/test-vagrant-salt/saltpillar/postfix.sls
new file mode 100644
index 0000000..a0575f2
--- /dev/null
+++ b/test-vagrant-salt/saltpillar/postfix.sls
@@ -0,0 +1,16 @@
+postfix:
+ ipaddr:
+ mx4: 192.168.33.10
+ #mx6: 2001:db8::1
+ dest_domains:
+ localhost.polytechnique.org
+ mx1.polytechnique.org
+ mx1.m4x.org
+ ssl.polytechnique.org
+ ssl.m4x.org
+ bogo.polytechnique.org
+ localhost.polytechnique.org
+ mx_name: mx1.polytechnique.org
+ has_imap: True
+ has_mailman: True
+ has_smtps: True
diff --git a/test-vagrant-salt/saltpillar/top.sls b/test-vagrant-salt/saltpillar/top.sls
new file mode 100644
index 0000000..2dde5d6
--- /dev/null
+++ b/test-vagrant-salt/saltpillar/top.sls
@@ -0,0 +1,3 @@
+base:
+ '*':
+ - postfix
--
2.1.4
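Review bot: Typo in the added comment: `# Specify the path of salt forumulas and pillars` should read `formulas`. More importantly, `pillar_roots` now points at /srv/saltpillar, which the Vagrantfile in this commit mounts from the repository as a host synced folder; pillar is where credentials normally end up (the main.cf template already references `mysql:` map files that will need a password), so a one-line warning here would help: `# pillar lives in the synced saltpillar/ tree: keep real credentials out of the repository`.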
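Review bot: `dest_domains:` is written as an indented run of bare lines, which YAML folds into one plain scalar — the pillar value is the single string `localhost.polytechnique.org mx1.polytechnique.org … localhost.polytechnique.org`, not a list. main.cf's `{% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}` therefore iterates over characters and only produces the right line by accident (each character is echoed back with no separator). Make it an explicit list (`- localhost.polytechnique.org` per entry) and join it in the template with `{{ pillar['postfix']['dest_domains'] | join(' ') }}` so a future entry containing Jinja-significant characters cannot silently change the output. `localhost.polytechnique.org` is also listed twice; Postfix tolerates the duplicate in mydestination but it reads like a paste error.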