From 95408a240959b2ea4d838aaf9de31bbfe1f775a4 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 3 Oct 2017 22:58:49 +0200 Subject: [PATCH 01/51] Improve ldap role --- ldap/defaults/main.yml | 3 +- ldap/tasks/main.yml | 64 ++++++++++++++++++++++++++++ ldap/templates/config_ldapvi.j2 | 8 ++++ ldap/templates/first-entries.ldif.j2 | 30 +++++++++++++ ldap/templates/ldapvirc.j2 | 6 +++ 5 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 ldap/templates/config_ldapvi.j2 create mode 100644 ldap/templates/first-entries.ldif.j2 create mode 100644 ldap/templates/ldapvirc.j2 diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml index 1e90583f..2f208f98 100644 --- a/ldap/defaults/main.yml +++ b/ldap/defaults/main.yml @@ -1,4 +1,5 @@ --- ldap_domain: "{{ ansible_fqdn }}" ldap_organization: "{{ ansible_domain }}" -#ldap_password=$(apg -n1 -m 12 -c cl_seed) +ldap_suffix: "dc=example,dc=com" +ldap_suffix_dc: "example" diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index c28c01fe..be3a8bd1 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -6,8 +6,72 @@ - slapd - ldap-utils - ldapvi + - shelldap + +- name: "Is /root/.ldapvirc present ?" + stat: + path: /root/.ldapvirc + check_mode: no + register: root_ldapvirc_path - name: apg package is installed apt: name: apg state: present + when: not root_ldapvirc_path.stat.exists + +- name: create a password for cn=admin + command: "apg -n 1 -m 16 -M lcN" + register: ldap_admin_password + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: create a password for cn=nagios + command: "apg -n 1 -m 16 -M lcN" + register: ldap_nagios_password + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: hash password for cn=admin + command: "slappasswd -s {{ ldap_admin_password.stdout }}" + register: ldap_admin_password_ssha + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: hash password for cn=nagios + command: "slappasswd -s {{ ldap_nagios_password.stdout }}" + register: ldap_nagios_password_ssha + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: create ldapvirc config + template: + src: ldapvirc.j2 + dest: /root/.ldapvirc + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +- name: upload ldap initial config + template: + src: config_ldapvi.j2 + dest: /root/evolinux_ldap_config.ldapvi + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +- name: upload ldap initial entries + template: + src: first-entries.ldif.j2 + dest: /root/evolinux_ldap_first-entries.ldif + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +- name: inject config + command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi + environment: + TERM: xterm + when: not root_ldapvirc_path.stat.exists + +- name: inject first entries + command: slapadd -l /root/evolinux_ldap_first-entries.ldif + when: not root_ldapvirc_path.stat.exists + diff --git a/ldap/templates/config_ldapvi.j2 b/ldap/templates/config_ldapvi.j2 new file mode 100644 index 00000000..9be8044c --- /dev/null +++ b/ldap/templates/config_ldapvi.j2 @@ -0,0 +1,8 @@ +modify: olcDatabase={1}mdb,cn=config +olcSuffix: {{ ldap_suffix }} +olcRootDN: cn=admin,{{ ldap_suffix }} +olcRootPW: {{ ldap_admin_password_ssha.stdout }} +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break +olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none +olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read +olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read diff --git a/ldap/templates/first-entries.ldif.j2 b/ldap/templates/first-entries.ldif.j2 new file mode 100644 index 00000000..56828636 --- /dev/null +++ b/ldap/templates/first-entries.ldif.j2 @@ -0,0 +1,30 @@ +dn: {{ ldap_suffix }} +objectClass: top +objectClass: dcObject +objectClass: organization +o: {{ ldap_suffix_dc }} +dc: {{ ldap_suffix_dc }} + +dn: cn=admin,{{ ldap_suffix }} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: admin +description: LDAP administrator +userPassword: {{ ldap_admin_password_ssha.stdout }} + +dn: ou=ldapusers,{{ ldap_suffix }} +objectClass: top +objectClass: organizationalUnit +ou: ldapusers + +dn: cn=perl,ou=ldapusers,{{ ldap_suffix }} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: perl +userPassword: {{ ldap_admin_password_ssha.stdout }} + +dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: nagios +userPassword: {{ ldap_nagios_password_ssha.stdout }} diff --git a/ldap/templates/ldapvirc.j2 b/ldap/templates/ldapvirc.j2 new file mode 100644 index 00000000..e61a7524 --- /dev/null +++ b/ldap/templates/ldapvirc.j2 @@ -0,0 +1,6 @@ +profile default +host: ldap://127.0.0.1 +base: {{ ldap_suffix }} +user: cn=admin,{{ ldap_suffix }} +bind: simple +password: {{ ldap_admin_password.stdout }} From 1d7d45eb44263ba2808d523c03c66c76ac9aa0ab Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 10 Oct 2017 00:03:22 +0200 Subject: [PATCH 02/51] Add dovecot role, evoadmin-mail role and packmail role --- dovecot/.kitchen.yml | 36 +++++ dovecot/README.md | 11 ++ dovecot/defaults/main.yml | 2 + dovecot/files/munin_plugin | 126 ++++++++++++++++++ dovecot/handlers/main.yml | 5 + dovecot/tasks/main.yml | 11 ++ dovecot/tasks/munin.yml | 20 +++ packmail/README.md | 15 +++ packmail/defaults/main.yml | 5 + packmail/files/cn4evolix.ldif | 63 +++++++++ packmail/handlers/main.yml | 10 ++ packmail/tasks/apache.yml | 21 +++ packmail/tasks/main.yml | 46 +++++++ webapps/evoadmin-mail/defaults/main.yml | 23 ++++ webapps/evoadmin-mail/handlers/main.yml | 6 + webapps/evoadmin-mail/tasks/config.yml | 17 +++ webapps/evoadmin-mail/tasks/main.yml | 19 +++ webapps/evoadmin-mail/tasks/packages.yml | 16 +++ .../evoadmin-mail/tasks/remount_usr_rw.yml | 15 +++ webapps/evoadmin-mail/tasks/ssl.yml | 24 ++++ webapps/evoadmin-mail/tasks/user.yml | 67 ++++++++++ webapps/evoadmin-mail/tasks/web.yml | 39 ++++++ .../templates/config.local.php.j2 | 8 ++ .../templates/evoadminmail.conf.j2 | 58 ++++++++ webapps/evoadmin-mail/templates/sudoers.j2 | 3 + .../evoadmin-mail/templates/web-add.conf.j2 | 2 + .../evoadmin-mail/templates/web-mail.tpl.j2 | 86 ++++++++++++ webapps/evoadmin-web/tasks/web.yml | 4 +- 28 files changed, 756 insertions(+), 2 deletions(-) create mode 100644 dovecot/.kitchen.yml create mode 100644 dovecot/README.md create mode 100644 dovecot/defaults/main.yml create mode 100755 dovecot/files/munin_plugin create mode 100644 dovecot/handlers/main.yml create mode 100644 dovecot/tasks/main.yml create mode 100644 dovecot/tasks/munin.yml create mode 100644 packmail/README.md create mode 100644 packmail/defaults/main.yml create mode 100644 packmail/files/cn4evolix.ldif create mode 100644 packmail/handlers/main.yml create mode 100644 packmail/tasks/apache.yml create mode 100644 packmail/tasks/main.yml create mode 100644 webapps/evoadmin-mail/defaults/main.yml create mode 100644 webapps/evoadmin-mail/handlers/main.yml create mode 100644 webapps/evoadmin-mail/tasks/config.yml create mode 100644 webapps/evoadmin-mail/tasks/main.yml create mode 100644 webapps/evoadmin-mail/tasks/packages.yml create mode 100644 webapps/evoadmin-mail/tasks/remount_usr_rw.yml create mode 100644 webapps/evoadmin-mail/tasks/ssl.yml create mode 100644 webapps/evoadmin-mail/tasks/user.yml create mode 100644 webapps/evoadmin-mail/tasks/web.yml create mode 100644 webapps/evoadmin-mail/templates/config.local.php.j2 create mode 100644 webapps/evoadmin-mail/templates/evoadminmail.conf.j2 create mode 100644 webapps/evoadmin-mail/templates/sudoers.j2 create mode 100644 webapps/evoadmin-mail/templates/web-add.conf.j2 create mode 100644 webapps/evoadmin-mail/templates/web-mail.tpl.j2 diff --git a/dovecot/.kitchen.yml b/dovecot/.kitchen.yml new file mode 100644 index 00000000..687c2033 --- /dev/null +++ b/dovecot/.kitchen.yml @@ -0,0 +1,36 @@ +--- +driver: + name: docker + privileged: true + use_sudo: false + +provisioner: + name: ansible_playbook + hosts: test-kitchen + roles_path: ../ + ansible_verbose: true + require_ansible_source: false + require_chef_for_busser: false + idempotency_test: true + +platforms: + - name: debian + driver_config: + image: evolix/ansible:2.2.1 + +verifier: + name: serverspec + +suites: + - name: default + provisioner: + name: ansible_playbook + playbook: ./tests/test.yml + verifier: + patterns: + - nginx/tests/spec/memcached_spec.rb + bundler_path: '/usr/local/bin' + rspec_path: '/usr/local/bin' + +transport: + max_ssh_sessions: 6 diff --git a/dovecot/README.md b/dovecot/README.md new file mode 100644 index 00000000..736b95dc --- /dev/null +++ b/dovecot/README.md @@ -0,0 +1,11 @@ +# Dovecot + +Installation and basic configuration of dovecot + +## Tasks + +Minimal configuration is in `tasks/main.yml` + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml new file mode 100644 index 00000000..884bc1ca --- /dev/null +++ b/dovecot/defaults/main.yml @@ -0,0 +1,2 @@ +--- +dovecot_foo: bar diff --git a/dovecot/files/munin_plugin b/dovecot/files/munin_plugin new file mode 100755 index 00000000..e5a6d1d1 --- /dev/null +++ b/dovecot/files/munin_plugin @@ -0,0 +1,126 @@ +#! /bin/bash +# +# Munin Plugin +# to count logins to your dovecot mailserver +# +# Created by Dominik Schulz +# http://developer.gauner.org/munin/ +# Contributions by: +# - Stephane Enten +# - Steve Schnepp +# +# Parameters understood: +# +# config (required) +# autoconf (optional - used by munin-config) +# +# Config variables: +# +# logfile - Where to find the syslog file +# +# Add the following line to a file in /etc/munin/plugin-conf.d: +# env.logfile /var/log/your/logfile.log +# +# Magic markers (optional - used by munin-config and installation scripts): +# +#%# family=auto +#%# capabilities=autoconf + +###################### +# Configuration +###################### +EXPR_BIN=/usr/bin/expr +LOGFILE=${logfile:-/var/log/mail.log} +###################### + +if [ "$1" = "autoconf" ]; then + echo yes + exit 0 +fi + +if [ "$1" = "config" ]; then + echo 'graph_title Dovecot Logins' + echo 'graph_category Mail' + echo 'graph_args --base 1000 -l 0' + echo 'graph_vlabel Login Counters' + + for t in Total TLS SSL IMAP POP3 + do + field=$(echo $t | tr '[:upper:]' '[:lower:]') + echo "login_$field.label $t Logins" + echo "login_$field.type DERIVE" + echo "login_$field.min 0" + done + + echo 'connected.label Connected Users' + + exit 0 +fi + +###################### +# Total Logins +###################### +echo -en "login_total.value " +VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# Connected Users +###################### +DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE) +CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE) +VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS) +if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then + VALUE=0 +fi +echo -en "connected.value " +echo $VALUE +echo -n +###################### +# TLS Logins +###################### +echo -en "login_tls.value " +VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# SSL Logins +###################### +echo -en "login_ssl.value " +VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# IMAP Logins +###################### +echo -en "login_imap.value " +VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# POP3 Logins +###################### +echo -en "login_pop3.value " +VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n diff --git a/dovecot/handlers/main.yml b/dovecot/handlers/main.yml new file mode 100644 index 00000000..0ea64b61 --- /dev/null +++ b/dovecot/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart dovecot + service: + name: dovecot + state: restarted diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml new file mode 100644 index 00000000..8909aea6 --- /dev/null +++ b/dovecot/tasks/main.yml @@ -0,0 +1,11 @@ +- name: ensure packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - dovecot-ldap + - dovecot-imapd + - dovecot-pop3d + - dovecot-sieve + +- include: munin.yml diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml new file mode 100644 index 00000000..7f5003f0 --- /dev/null +++ b/dovecot/tasks/munin.yml @@ -0,0 +1,20 @@ +--- + +- name: is Munin present ? + stat: + path: /etc/munin/plugin-conf.d/munin-node + check_mode: no + register: munin_node_plugins_config + +- block: + - name: Install munin plugin + copy: + src: munin_plugin + dest: /etc/munin/plugins/dovecot + mode: "0755" + +# TODO : add in /etc/munin/plugin-conf.d/munin-node +# [dovecot] +# group adm + + when: munin_node_plugins_config.stat.exists diff --git a/packmail/README.md b/packmail/README.md new file mode 100644 index 00000000..f4cbbee3 --- /dev/null +++ b/packmail/README.md @@ -0,0 +1,15 @@ +# packmail + +Install the mail pack, with Postfix/Dovecot/LDAP/evoadmin-mail. + +## Tasks + +See `tasks/main.yml`. + +## Available variables + +Main variables are : + +* `packmail_enable_evoadmin_vhost` : enable VirtualHost for evoadmin (web interface to create mail accounts) + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/packmail/defaults/main.yml b/packmail/defaults/main.yml new file mode 100644 index 00000000..fc1d2a9f --- /dev/null +++ b/packmail/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for packmail +general_alert_email: "root@localhost" + +packmail_enable_evoadmin_vhost: True diff --git a/packmail/files/cn4evolix.ldif b/packmail/files/cn4evolix.ldif new file mode 100644 index 00000000..d92d0414 --- /dev/null +++ b/packmail/files/cn4evolix.ldif @@ -0,0 +1,63 @@ +dn: cn={4}evolix,cn=config +objectClass: olcSchemaConfig +cn: {4}evolix +olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo + rward' SUP mail ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid' + DESC 'mail alias' SUP mail ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean + to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1 + .3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo + olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1. + 3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b + oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN + TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo + olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat + ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo + olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX + 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean + to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC + 'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11 + 5.121.1.26{20} SINGLE-VALUE ) +olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix + domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA + X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier + maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 26 SINGLE-VALUE ) +olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC + 'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3 + .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A + bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY + NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) +olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC ' + Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115. + 121.1.40 SINGLE-VALUE ) +olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En + d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC + 'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S + UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} + ) +olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool + ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3 + .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/ + Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce + ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co + urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat + ionStart $ vacationEnd $ vacationForward $ maildrop ) ) +olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al + iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m + aildrop ) MAY ( cn $ isActive ) ) +olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos + tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) ) diff --git a/packmail/handlers/main.yml b/packmail/handlers/main.yml new file mode 100644 index 00000000..92228e1c --- /dev/null +++ b/packmail/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart postfix + service: + name: postfix + state: restarted + +- name: restart dovecot + service: + name: dovecot + state: restarted diff --git a/packmail/tasks/apache.yml b/packmail/tasks/apache.yml new file mode 100644 index 00000000..aebae199 --- /dev/null +++ b/packmail/tasks/apache.yml @@ -0,0 +1,21 @@ +--- + +- name: Additional packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-security2 + - modsecurity-crs + - apg + +- name: Additional modules are enabled + apache2_module: + name: '{{ item }}' + state: present + with_items: + - ssl + - include + - negotiation + - alias + diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml new file mode 100644 index 00000000..24543d19 --- /dev/null +++ b/packmail/tasks/main.yml @@ -0,0 +1,46 @@ +--- + +- fail: + msg: only compatible with Debian >= 9 + when: + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('9', '<') + +- name: Include ldap role + include_role: + name: ldap + +- name: upload evolix schema + copy: + src: cn4evolix.ldif + dest: /root/cn4evolix.ldif + mode: "0640" + +- name: inject evolix schema + command: ldapadd -Y EXTERNAL -H ldapi:/// -f /root/cn4evolix.ldif + +- name: Include postfix role + include_role: + name: postfix + +- name: Include dovecot role + include_role: + name: dovecot + +- name: Include apache role + include_role: + name: apache + +- name: Include PHP role + include_role: + name: php + vars: + php_apache_enable: True + +- include: apache.yml + +- name: Install Evoadmin + include_role: + name: webapps/evoadmin-mail + vars: + evoadminmail_enable_vhost: '{{ packmail_enable_evoadmin_vhost }}' + diff --git a/webapps/evoadmin-mail/defaults/main.yml b/webapps/evoadmin-mail/defaults/main.yml new file mode 100644 index 00000000..000be699 --- /dev/null +++ b/webapps/evoadmin-mail/defaults/main.yml @@ -0,0 +1,23 @@ +--- +general_alert_email: "root@localhost" +evoadminmail_contact_email: Null +evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}" + +evoadminmail_username: evoadmin-mail +evoadminmail_home_dir: "/home/{{ evoadminmail_username }}" +evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www" +evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log" +evoadminmail_scripts_dir: /usr/share/scripts/ +evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}" + +evoadminmail_enable_vhost: True + +evoadminmail_tpl_servername: "{{ ansible_fqdn }}" +evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}" +evoadminmail_tpl_phpmyadmin_url: Null +evoadminmail_tpl_cgi_suffix: Null +evoadminmail_tpl_signature: evoadmin +evoadminmail_tpl_mail_from: root@localhost +evoadminmail_tpl_mail_bcc: Null +evoadminmail_tpl_mail_standard: "{{ general_alert_email }}" +evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}" diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml new file mode 100644 index 00000000..c4cdb576 --- /dev/null +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: reload apache2 + service: + name: apache2 + state: reloaded diff --git a/webapps/evoadmin-mail/tasks/config.yml b/webapps/evoadmin-mail/tasks/config.yml new file mode 100644 index 00000000..00e342f3 --- /dev/null +++ b/webapps/evoadmin-mail/tasks/config.yml @@ -0,0 +1,17 @@ +--- + +- name: "Create /etc/evolinux" + file: + dest: "/etc/evolinux" + recurse: yes + state: directory + +#- name: Configure web-add config file +# template: +# src: web-add.conf.j2 +# dest: /etc/evolinux/web-add.conf +# +#- name: Configure web-add template file for mail +# template: +# src: web-mail.tpl.j2 +# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl" diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml new file mode 100644 index 00000000..f5e84d0b --- /dev/null +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -0,0 +1,19 @@ +--- + +- include: packages.yml + +- include: user.yml + +- include: config.yml + +- include: ssl.yml + +- include: web.yml + +- name: enable evoadmin-mail link in default site index + blockinfile: + dest: /var/www/index.html + marker: "" + block: | +
  • Interface admin mail (EvoAdmin-mail)
    • + diff --git a/webapps/evoadmin-mail/tasks/packages.yml b/webapps/evoadmin-mail/tasks/packages.yml new file mode 100644 index 00000000..ea9b176e --- /dev/null +++ b/webapps/evoadmin-mail/tasks/packages.yml @@ -0,0 +1,16 @@ +--- + +- include_role: + name: apt + tasks_from: evolix_public.yml + +- meta: flush_handlers + +- name: Install PHP packages + apt: + name: '{{ item }}' + state: present + with_items: + - php-pear + - php-log + - php-crypt-chap diff --git a/webapps/evoadmin-mail/tasks/remount_usr_rw.yml b/webapps/evoadmin-mail/tasks/remount_usr_rw.yml new file mode 100644 index 00000000..8c51aee2 --- /dev/null +++ b/webapps/evoadmin-mail/tasks/remount_usr_rw.yml @@ -0,0 +1,15 @@ +--- +- name: Get mount options for partitions + shell: "mount | grep 'on /usr type'" + args: + warn: no + register: mount + changed_when: False + failed_when: False + when: not ansible_check_mode + +- name: Remount /usr if it is a partition and it is not mounted in rw + command: "mount -o remount,rw /usr" + when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + args: + warn: no diff --git a/webapps/evoadmin-mail/tasks/ssl.yml b/webapps/evoadmin-mail/tasks/ssl.yml new file mode 100644 index 00000000..3dd91590 --- /dev/null +++ b/webapps/evoadmin-mail/tasks/ssl.yml @@ -0,0 +1,24 @@ +--- + + +- name: ssl-cert package is installed + apt: + name: ssl-cert + state: present + +- name: Create private key and csr for default site ({{ ansible_fqdn }}) + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}" + args: + creates: "/etc/ssl/private/{{ evoadminmail_host }}.key" + +- name: Adjust rights on private key + file: + path: /etc/ssl/private/{{ evoadminmail_host }}.key + owner: root + group: ssl-cert + mode: "0640" + +- name: Create certificate for default site + command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt + args: + creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt" diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml new file mode 100644 index 00000000..67b2fdcd --- /dev/null +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -0,0 +1,67 @@ +--- + +- name: Create evoadmin account + user: + name: "{{ evoadminmail_username }}" + comment: "Evoadmin Web Account" + home: "{{ evoadminmail_home_dir}}" + password: "!" + +- name: Create log/ directory + file: + path: "{{ evoadminmail_home_dir}}/log" + state: directory + owner: "{{ evoadminmail_username }}" + group: "{{ evoadminmail_username }}" + mode: "0750" + +- name: Create www-evoadminmail group + group: + name: "www-{{ evoadminmail_username }}" + state: present + +- name: "Create www-evoadmin (Debian 9 or later)" + user: + name: "www-{{ evoadminmail_username }}" + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: Install Git + apt: + name: git + state: present + +- name: "Clone evoadmin repository (Debian 9 or later)" + git: + repo: https://forge.evolix.org/evoadmin-mail.git + dest: "{{ evoadminmail_document_root}}" + version: master + update: yes + # Warning: Need sudo! + become_user: "{{ evoadminmail_username }}" + when: ansible_distribution_major_version | version_compare('9', '>=') + +- include: remount_usr_rw.yml + when: evoadminmail_scripts_dir | search ("/usr") + +- name: "Create {{ evoadminmail_scripts_dir }}" + file: + dest: "{{ evoadminmail_scripts_dir }}" + # recurse: yes + mode: "0700" + state: directory + +# we use a shell command to have a "changed" thet really reflects the result. +- name: Fix permissions + shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + # failed_when: False + with_items: + - "{{ evoadminmail_home_dir}}/www" + +#- name: Add evoadmin sudoers file +# template: +# src: sudoers.j2 +# dest: /etc/sudoers.d/evoadmin +# mode: "0600" +# validate: "visudo -cf %s" diff --git a/webapps/evoadmin-mail/tasks/web.yml b/webapps/evoadmin-mail/tasks/web.yml new file mode 100644 index 00000000..95eabe1d --- /dev/null +++ b/webapps/evoadmin-mail/tasks/web.yml @@ -0,0 +1,39 @@ +--- + +- name: "Set custom values for PHP config (Debian 9 or later)" + ini_file: + dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority" + notify: reload apache2 + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: Install evoadminmail VHost + template: + src: evoadminmail.conf.j2 + dest: /etc/apache2/sites-available/evoadminmail.conf + notify: reload apache2 + +- name: Enable evoadminmail vhost + command: "a2ensite evoadminmail.conf" + register: cmd_a2ensite + changed_when: "'Enabling site' in cmd_a2ensite.stdout" + notify: reload apache2 + when: evoadminmail_enable_vhost + +- name: Disable evoadminmail vhost + command: "a2dissite evoadminmail.conf" + register: cmd_a2dissite + changed_when: "'Disabling site' in cmd_a2dissite.stdout" + notify: reload apache2 + when: not evoadminmail_enable_vhost + +#- name: Copy config file for evoadmin +# template: +# src: config.local.php.j2 +# dest: "{{ evoadminmail_document_root}}/conf/config.local.php" +# mode: "0644" +# owner: evoadmin +# group: evoadmin +# force: no diff --git a/webapps/evoadmin-mail/templates/config.local.php.j2 b/webapps/evoadmin-mail/templates/config.local.php.j2 new file mode 100644 index 00000000..3e159bcd --- /dev/null +++ b/webapps/evoadmin-mail/templates/config.local.php.j2 @@ -0,0 +1,8 @@ + + ServerName {{ evoadminmail_host }} + Redirect permanent / https://{{ evoadminmail_host }}/ + + + + + # FQDN principal + ServerName {{ evoadminmail_host }} + #ServerAlias {{ evoadminmail_host }} + + # Repertoire principal + DocumentRoot {{ evoadminmail_document_root }}/evoadmin/htdocs/ + + # SSL + SSLEngine on + SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt + SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key + SSLProtocol all -SSLv2 -SSLv3 + + # Propriete du repertoire + + #Options Indexes SymLinksIfOwnerMatch + Options SymLinksIfOwnerMatch + AllowOverride AuthConfig Limit FileInfo + Require all granted + + + # user - group (thanks to sesse@debian.org) + AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }} + + # LOG + CustomLog /var/log/apache2/access.log combined + CustomLog {{ evoadminmail_log_dir }}/access.log combined + ErrorLog {{ evoadminmail_log_dir }}/error.log + + # AWSTATS + SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }} + + # REWRITE + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$ + RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R] + + # PHP + #php_admin_flag engine off + #AddType text/html .html + #php_admin_flag display_errors On + #php_flag short_open_tag On + #php_flag register_globals On + #php_admin_value memory_limit 256M + #php_admin_value max_execution_time 60 + #php_admin_value upload_max_filesize 8M + #php_admin_flag allow_url_fopen Off + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}" + php_admin_value open_basedir "none" + diff --git a/webapps/evoadmin-mail/templates/sudoers.j2 b/webapps/evoadmin-mail/templates/sudoers.j2 new file mode 100644 index 00000000..4dfd71c1 --- /dev/null +++ b/webapps/evoadmin-mail/templates/sudoers.j2 @@ -0,0 +1,3 @@ +User_Alias EVOADMIN = www-evoadmin +Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh +EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB diff --git a/webapps/evoadmin-mail/templates/web-add.conf.j2 b/webapps/evoadmin-mail/templates/web-add.conf.j2 new file mode 100644 index 00000000..86eabd29 --- /dev/null +++ b/webapps/evoadmin-mail/templates/web-add.conf.j2 @@ -0,0 +1,2 @@ +CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}" +WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}" diff --git a/webapps/evoadmin-mail/templates/web-mail.tpl.j2 b/webapps/evoadmin-mail/templates/web-mail.tpl.j2 new file mode 100644 index 00000000..262995c3 --- /dev/null +++ b/webapps/evoadmin-mail/templates/web-mail.tpl.j2 @@ -0,0 +1,86 @@ +From: {{ evoadmin_tpl_mail_from }} +To: RCPTTO +Bcc: {{ evoadmin_tpl_mail_bcc }} +Subject: Parametres hebergement web : LOGIN + +Bonjour, + +Votre compte d'hebergement web a ete cree. + +********************************** +* CONNEXION SFTP/SSH +********************************** + +NOM DU SERVEUR : {{ evoadmin_tpl_servername }} +USER : LOGIN +PASSWORD : PASSE1 + +***************************************** +* Details sur l'environnement Apache/PHP +***************************************** + +URL du site : +http://{{ evoadmin_tpl_servername }} + +URL des stats : +http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl +(acces par IP ou login a demander !) + +Repertoire de connexion : HOME_DIR/LOGIN/ +Repertoire pour site web : HOME_DIR/LOGIN/www/ + +Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces +uniquement *en lecture* aux differents fichiers/repertoires +(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les +fichiers ce qui est le comportement par defaut). + +Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains +fichiers/repertoires, il suffit d'ajouter le droit 'g+w'. + +*********************************** +* MySQL +*********************************** + +SERVEUR : 127.0.0.1 +PORT DU SERVEUR : 3306 +USER : LOGIN +PASSWORD : PASSE2 +NOM BASE : DBNAME +URL interface d'admin : +{{ evoadmin_tpl_phpmyadmin_url }} + +*********************************** +* Rappels divers +*********************************** + +Votre nom de domaine doit etre configure pour pointer +sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A) +ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME). + +Si vous avez besoin de faire des tests, vous devez +ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix +ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP : +{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }} + +Attention, par defaut, toutes les connexions vers l'exterieur +sont bloquees. Si vous avez besoin de recuperer des donnees +a l'exterieur (flux RSS, BDD externe, etc.), contactez nous +afin de mettre en oeuvre les autorisations necessaires. + +Afin de securiser au maximum le serveur, certaines URL +particulieres sont non autorisees pour eviter diverses +attaques (XSS, robots, trojans, injections, etc.). +Exemple d'URL refusee : +http://{{ evoadmin_tpl_servername }}/cmd32.exe +En cas de soucis avec votre application, prevenez-nous. + +Si vous desirez mettre en place des parametres particuliers +pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, +etc.), n'hesitez pas a nous contacter a l'adresse +{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est +urgente). + + +Cordialement, +-- +{{ evoadmin_tpl_signature }} diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 0944c2cd..59c41582 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -6,7 +6,7 @@ section: PHP option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" - notify: reload apache + notify: reload apache2 when: ansible_distribution_release == "jessie" - name: "Set custom values for PHP config (Debian 9 or later)" @@ -15,7 +15,7 @@ section: PHP option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" - notify: reload apache + notify: reload apache2 when: ansible_distribution_major_version | version_compare('9', '>=') - name: Install evoadmin VHost From 0640a9f8fd9cb36459789d0bc7025765a3bfba7c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 10 Oct 2017 16:12:08 +0200 Subject: [PATCH 03/51] ldap: custom schema can be passed with ldap_schema --- ldap/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index be3a8bd1..b1554725 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -75,3 +75,13 @@ command: slapadd -l /root/evolinux_ldap_first-entries.ldif when: not root_ldapvirc_path.stat.exists +- name: upload custom schema + copy: + src: "{{ ldap_schema }}" + dest: "/root/{{ ldap_schema }}" + mode: "0640" + when: ldap_schema is defined + +- name: inject custom schema + command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" + when: ldap_schema is defined From a6499b67128dc594eb38aff7f1b2547da7a444c0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 10 Oct 2017 16:13:12 +0200 Subject: [PATCH 04/51] packmail: use role dependencies instead of include_role --- packmail/meta/main.yml | 7 ++++++ packmail/tasks/apache.yml | 21 ----------------- packmail/tasks/main.yml | 49 ++++++++++++++------------------------- 3 files changed, 24 insertions(+), 53 deletions(-) create mode 100644 packmail/meta/main.yml delete mode 100644 packmail/tasks/apache.yml diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml new file mode 100644 index 00000000..65101536 --- /dev/null +++ b/packmail/meta/main.yml @@ -0,0 +1,7 @@ +--- +dependencies: + - { role: ldap, ldap_schema: 'cn4evolix.ldif' } + - { role: postfix } + - { role: dovecot } + - { role: apache } + - { role: php, php_apache_enable: True } diff --git a/packmail/tasks/apache.yml b/packmail/tasks/apache.yml deleted file mode 100644 index aebae199..00000000 --- a/packmail/tasks/apache.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Additional packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-security2 - - modsecurity-crs - - apg - -- name: Additional modules are enabled - apache2_module: - name: '{{ item }}' - state: present - with_items: - - ssl - - include - - negotiation - - alias - diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml index 24543d19..214d8d77 100644 --- a/packmail/tasks/main.yml +++ b/packmail/tasks/main.yml @@ -1,42 +1,27 @@ --- - - fail: msg: only compatible with Debian >= 9 when: - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('9', '<') -- name: Include ldap role - include_role: - name: ldap +- name: Additional packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-security2 + - modsecurity-crs + - apg -- name: upload evolix schema - copy: - src: cn4evolix.ldif - dest: /root/cn4evolix.ldif - mode: "0640" - -- name: inject evolix schema - command: ldapadd -Y EXTERNAL -H ldapi:/// -f /root/cn4evolix.ldif - -- name: Include postfix role - include_role: - name: postfix - -- name: Include dovecot role - include_role: - name: dovecot - -- name: Include apache role - include_role: - name: apache - -- name: Include PHP role - include_role: - name: php - vars: - php_apache_enable: True - -- include: apache.yml +- name: Additional modules are enabled + apache2_module: + name: '{{ item }}' + state: present + with_items: + - ssl + - include + - negotiation + - alias - name: Install Evoadmin include_role: From 251299cee637082bbcab1e3f51a2636553fdc626 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 10 Oct 2017 16:14:18 +0200 Subject: [PATCH 05/51] evoadmin-mail: fix git clone of evoadmin-mail repo --- webapps/evoadmin-mail/tasks/user.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index 67b2fdcd..efbebf72 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -36,10 +36,15 @@ dest: "{{ evoadminmail_document_root}}" version: master update: yes - # Warning: Need sudo! - become_user: "{{ evoadminmail_username }}" when: ansible_distribution_major_version | version_compare('9', '>=') +- name: "Change perms on evoadminmail document root" + file: + dest: "{{ evoadminmail_document_root}}" + owner: "www-{{ evoadminmail_username }}" + group: "{{ evoadminmail_username }}" + recurse: yes + - include: remount_usr_rw.yml when: evoadminmail_scripts_dir | search ("/usr") From a0006a1318e33e7ed7bd3c83d54df2a465081b56 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 10 Oct 2017 17:25:50 +0200 Subject: [PATCH 06/51] dovecot: default conf for packmail --- dovecot/handlers/main.yml | 5 ++ dovecot/tasks/main.yml | 49 +++++++++++++++++ dovecot/templates/z-evolinux-defaults.conf.j2 | 53 +++++++++++++++++++ 3 files changed, 107 insertions(+) create mode 100644 dovecot/templates/z-evolinux-defaults.conf.j2 diff --git a/dovecot/handlers/main.yml b/dovecot/handlers/main.yml index 0ea64b61..8d1b78d8 100644 --- a/dovecot/handlers/main.yml +++ b/dovecot/handlers/main.yml @@ -3,3 +3,8 @@ service: name: dovecot state: restarted + +- name: reload dovecot + service: + name: dovecot + state: reloaded diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 8909aea6..5e9968e0 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -7,5 +7,54 @@ - dovecot-imapd - dovecot-pop3d - dovecot-sieve + - dovecot-managesieved + tags: + - dovecot + +- name: update ldap auth + lineinfile: + dest: /etc/dovecot/dovecot-ldap.conf.ext + line: "{{ item.key }} = {{ item.value }}" + regexp: "^#*{{ item.key }}" + state: present + with_items: + - { key: 'hosts', value: '127.0.0.1' } + - { key: 'auth_bind', value: 'yes' } + - { key: 'ldap_version', value: 3 } + - { key: 'base', value: "{{ ldap_suffix }}" } + - { key: 'user_attrs', value: 'homeDirectory=home' } + - { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' } + - { key: 'pass_attrs', value: 'uid=user,userPassword=password' } + when: ldap_suffix is defined + notify: reload dovecot + tags: + - dovecot + +- name: create vmail group + group: + name: vmail + gid: 5000 + tags: + - dovecot + +- name: create vmail user + user: + name: vmail + group: vmail + uid: 5000 + shell: /bin/false + tags: + - dovecot + +- name: deploy evolix config + template: + src: z-evolinux-defaults.conf.j2 + dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf + mode: "0644" + notify: reload dovecot + tags: + - dovecot - include: munin.yml + tags: + - dovecot diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 new file mode 100644 index 00000000..8fe84694 --- /dev/null +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -0,0 +1,53 @@ +# {{ ansible_managed }} + +disable_plaintext_auth = no +auth_mechanisms = plain login +!include auth-ldap.conf.ext +service auth { + unix_listener auth-userdb { + mode = 0600 + user = vmail + group = vmail + } + unix_listener /var/spool/postfix/private/auth-client { + mode = 0666 + user = postfix + group = postfix + } +} + +mail_location = maildir:/home/vmail/%d/%n +mail_uid = 5000 +mail_gid = 5000 + +protocol lda { + mail_plugins = sieve +} + +service managesieve-login { + inet_listener sieve { + port = 4190 + } + + inet_listener sieve_deprecated { + port = 2000 + } + service_count = 1 + process_min_avail = 0 + vsz_limit = 64M +} + +service managesieve { + +} + +protocol sieve { + managesieve_max_line_length = 65536 + mail_max_userip_connections = 10 + mail_plugins = + managesieve_logout_format = bytes=%i/%o + managesieve_implementation_string = Dovecot Pigeonhole + managesieve_sieve_capability = + managesieve_notify_capability = + managesieve_max_compile_errors = 5 +} From 3f77c0cb2449c9944402d9fa73b7b64b382084ad Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 11 Oct 2017 02:28:49 +0200 Subject: [PATCH 07/51] Fix: argh, forgot cn=schema in DN :( --- packmail/files/cn4evolix.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packmail/files/cn4evolix.ldif b/packmail/files/cn4evolix.ldif index d92d0414..a17532ad 100644 --- a/packmail/files/cn4evolix.ldif +++ b/packmail/files/cn4evolix.ldif @@ -1,4 +1,4 @@ -dn: cn={4}evolix,cn=config +dn: cn={4}evolix,cn=schema,cn=config objectClass: olcSchemaConfig cn: {4}evolix olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo From a4c4de21a8c259cc985df6a12eccbbf7485631c2 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 11:04:47 +0200 Subject: [PATCH 08/51] evoadmin-mail: fix evoadmin-mail link insertion --- webapps/evoadmin-mail/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index f5e84d0b..0647bbcb 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -11,9 +11,9 @@ - include: web.yml - name: enable evoadmin-mail link in default site index - blockinfile: + lineinfile: dest: /var/www/index.html - marker: "" - block: | -
  • Interface admin mail (EvoAdmin-mail)
    • - + state: present + regexp: "EvoAdmin-mail" + line: '
  • Interface admin mail (EvoAdmin-mail)
    • ' + insertbefore: "" From e0c9de352bf6604da2e7ca6db0c4169b4d366eba Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 11:10:43 +0200 Subject: [PATCH 09/51] postfix: add config for packmail --- packmail/meta/main.yml | 2 +- postfix/defaults/main.yml | 2 + postfix/tasks/main.yml | 68 +++- postfix/tasks/slow_transport.yml | 23 +- postfix/templates/evolinux_main.cf.j2 | 16 + postfix/templates/packmail_main.cf.j2 | 415 ++++++++++++++++++++++ postfix/templates/virtual_aliases.cf.j2 | 5 + postfix/templates/virtual_domains.cf.j2 | 5 + postfix/templates/virtual_mailboxes.cf.j2 | 5 + 9 files changed, 507 insertions(+), 34 deletions(-) create mode 100644 postfix/templates/packmail_main.cf.j2 create mode 100644 postfix/templates/virtual_aliases.cf.j2 create mode 100644 postfix/templates/virtual_domains.cf.j2 create mode 100644 postfix/templates/virtual_mailboxes.cf.j2 diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 65101536..f9138046 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -1,7 +1,7 @@ --- dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: postfix } + - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index f0673d65..7aac9a2d 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -1,3 +1,5 @@ --- postfix_hostname: "{{ ansible_fqdn }}" postfix_slow_transport_include: False +postfix_force_main_cf: False +postfix_packmail: False diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 77a4fb95..8e24ad54 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -5,26 +5,72 @@ with_items: - postfix - mailgraph + tags: + - postfix + +- name: ensure ldap packages are installed + apt: + name: "postfix-ldap" + state: present + when: postfix_packmail == True + tags: + - postfix - name: check if main.cf is default shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - changed_when: False check_mode: no register: default_main_cf + tags: + - postfix -- name: create minimal main.cf - template: - src: evolinux_main.cf.j2 - dest: /etc/postfix/main.cf - owner: root - group: root - mode: "0644" - force: yes - when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or +- block: + + - name: create minimal main.cf + template: + src: evolinux_main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0644" + force: yes + when: postfix_packmail != True + notify: restart postfix + tags: + - postfix + + - name: create packmail main.cf + template: + src: packmail_main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0644" + force: yes + when: postfix_packmail == True + notify: restart postfix + tags: + - postfix + + when: postfix_force_main_cf == True or + default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" - notify: restart postfix -- meta: flush_handlers +- name: deploy ldap postfix config + template: + src: "{{ item }}.j2" + dest: "/etc/postfix/{{ item }}" + mode: "0644" + with_items: + - virtual_aliases.cf + - virtual_domains.cf + - virtual_mailboxes.cf + when: postfix_packmail == True + notify: restart postfix + tags: + - postfix - include: slow_transport.yml when: postfix_slow_transport_include + tags: + - postfix diff --git a/postfix/tasks/slow_transport.yml b/postfix/tasks/slow_transport.yml index 3bf8ae6d..d5566bdb 100644 --- a/postfix/tasks/slow_transport.yml +++ b/postfix/tasks/slow_transport.yml @@ -1,10 +1,10 @@ --- - - name: slow transport is defined in master.cf lineinfile: dest: /etc/postfix/master.cf regexp: "^slow " line: "slow unix - - n - - smtp" + notify: restart postfix - name: list of providers for slow transport lineinfile: @@ -21,24 +21,3 @@ - "hotmail.fr slow:" - "hotmail.com slow:" notify: postmap transport - -- name: main.cf is configured for slow transports - blockinfile: - dest: /etc/postfix/main.cf - marker: "# {mark} Slow transports configuration (installed by Ansible)" - block: | - minimal_backoff_time = 2h - maximal_backoff_time = 6h - maximal_queue_lifetime = 4d - queue_run_delay = 100s - bounce_queue_lifetime = 1d - initial_destination_concurrency = 5 - default_destination_concurrency_limit = 20 - slow_destination_rate_delay = 0 - slow_destination_concurrency_limit = 1 - slow_destination_concurrency_failed_cohort_limit = 100 - slow_destination_recipient_limit = 25 - transport_maps = hash:$config_directory/transport - notify: restart postfix - -- meta: flush_handlers diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index 429e6602..e42a413f 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -13,3 +13,19 @@ recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4 disable_vrfy_command = yes + +{% if postfix_slow_transport_include == True %} +# Slow transports configuration +minimal_backoff_time = 2h +maximal_backoff_time = 6h +maximal_queue_lifetime = 4d +queue_run_delay = 100s +bounce_queue_lifetime = 1d +initial_destination_concurrency = 5 +default_destination_concurrency_limit = 20 +slow_destination_rate_delay = 0 +slow_destination_concurrency_limit = 1 +slow_destination_concurrency_failed_cohort_limit = 100 +slow_destination_recipient_limit = 25 +transport_maps = hash:$config_directory/transport +{% endif %} diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 new file mode 100644 index 00000000..a5700cb9 --- /dev/null +++ b/postfix/templates/packmail_main.cf.j2 @@ -0,0 +1,415 @@ +## fichier principal de configuration de Postfix +## commentaires de Gregory Colpart reg AT evolix DOT fr +## version 1.0 : 1ere version publique (05.04.2010) + +######################## +# Section : Emplacements +######################## + +# Repertoire ou se trouvent les commandes de postfix [OBLIGATOIRE] +#par defaut, = $program_directory +command_directory = /usr/sbin + +# Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE] +#par defaut, = $program_directory +daemon_directory = /usr/lib/postfix + +# Variable pour indiquer les emplacements des commandes et demons de postfix +#program_directory = /usr/lib/postfix + +# Repertoire contenant les fichiers de boites aux lettres +#par defaut, = /var/mail +#mail_spool_directory = + +# Repertoire de la file d'attente de postfix +#par defaut, = /var/spool/postfix +#queue_directory = + +# Boites aux lettres +#par defaut, = +home_mailbox = Maildir/ + +# Transmettre les mails a un MDA +#par defaut, = +#mailbox_command = /usr/bin/procmail + +# Separateur entre noms d'utilisateur et extensions d'adresse +# mettre + pour integration avec amavis +#par defaut, = +recipient_delimiter = + + +# Controle si le repertoire existe (souvent pour les systemes de fichiers montes) +#par defaut, = no +#require_home_directory = + +# Commande pour transmettre le courrier a un MDA +#par defaut, = +#mailbox_command = /usr/bin/procmail + +# Banniere SMTP affichee +#par default, = $myhostname ESMTP $mail_name +smtpd_banner = $myhostname ESMTP mail server + +# Groupe des commandes set-gid ayant des acces en ecriture +#par defaut, = postdrop +# setgid_group = postdrop + +# Produire des "biff notifications" aux utilisateurs pour +# prevenir de l'arrivee de nouveaux mails +# par default, = yes +#biff = no + + +#################### +# Section : domaines +#################### + +# Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE] +#par defaut, = [retour de la commande Unix hostname] +myhostname = {{ ansible_fqdn }} + +# Variable indiquant le domaine dans lequel se trouve la machine +#par defaut, = [partie domain de la variable $myhostname] +#mydomain = + +# Liste des noms de domaine (ou IP) consideres comme local +#par defaut, = $myhostname, localhost.$mydomain, localhost +mydestination = $myhostname + +# Indique le domaine apparaissant dans le courrier envoye +#par defaut, = $myhostname +myorigin = {{ ansible_fqdn }} + +# Liste de domaine fonctionnant UNIQUEMENT avec des alias virtuels +#par defaut, = $virtual_alias_maps +#virtual_alias_domains = [ domaines avec alias virtuels ] + +# Liste de domaine fonctionnant avec des comptes virtuels +#par defaut, = $virtual_mailbox_maps +virtual_mailbox_domains = ldap:$config_directory/virtual_domains.cf + +# Repertoire de base de l'espace de stockage +#par defaut, = +virtual_mailbox_base = / + +# Ajoute $mydomain aux adresse ne compoirtant que la partie hote sans le domaine +#par defaut, = yes +#append_dot_mydomain = no + +# Ajoute $myorigin aux adresses ne comportant pas de composante de domaine +#par defaut, = yes +#append_at_myorigin = no + +# Liste de domaines cachant des sous-domaines internes +#par defaut, = +#masquerade_domains = + +# A l'exception de certains comptes : +#par defaut, = +#masquerade_exceptions = root, admin + +# Champs d'application de la reecriture des sous-domaines caches +#par defaut, = envelope_sender, header_sender, header_recipient +#masquerade_classes = + +# Sites eligibles pour un vidage rapide (postqueue -s [domain.tld]) +#par defaut, = $relay_domains +#fast_flush_domains = + +# Interfaces sur lesquelles ecoutent postfix +#par defaut, = all +#inet_interfaces = all + +# Adresse IP externe du firewall/proxy si derriere NAT ou proxy +# evite principalement les boucles si MX secondaire et MX primaire indisponible +#par defaut, = +#proxy_interfaces = [adresse IP] + +# Domaines acceptes pour faire relai (MX 2aire) +#relay_domains = [domaine a relayer] + + +########################### +# Section : base de donnees +########################### + +# Liste des bases de donnees utilisees par l'agent de distribution locale +# Pour regenerer une base de donnees : postalias /etc/aliases (par ex) +#par defaut, = hash:/etc/aliases, nis:mail.aliases +alias_maps = hash:/etc/aliases + +# Liste des bases de donnees locales +# Pour regenerer avec newaliases +#par defaut, = hash:/etc/aliases +alias_database = hash:/etc/aliases + +# Chemin vers la commande newaliases +#par defaut, = /usr/bin/newaliases +#newaliases_path = + +# Base de donnes d'alias virtuels +# ne pas oublier : postmap /etc/postfix/virtual +#par defaut, = $virtual_maps +virtual_alias_maps = hash:$config_directory/virtual, ldap:$config_directory/virtual_aliases.cf + +# Base de donners des boites virtuelles +# ne pas oublier : postmap /etc/postfix/vmailbox +#par defaut, = +virtual_mailbox_maps = ldap:$config_directory/virtual_mailboxes.cf + +virtual_uid_maps = static:5000 +virtual_gid_maps = static:5000 +virtual_transport = dovecot +dovecot_destination_recipient_limit = 1 + +# Reecriture des adresses +#par defaut, = +#canonical_maps = hash:/etc/postfix/canonical + +# Reecriture des adresses a l'arrivee (ecrase $canonical_maps) +#par defaut, = +#recipient_canonical_maps = hash:/etc/postfix/canonical + +# Reecriture des adresses au depart +#par defaut, = +#sender_canonical_maps = hash:/etc/postfix/canonical + +# Adresses changees +#relocated_maps = hash:/etc/postfix/relocated + +# Boite pour receptionner tous les utilisateurs inconnus +#luser_relay = spam + +# Liste de base de donnees contenant les adresses locales permettant de rejeter les messages aux utilisateurs inconnus +# (sera nulle pour recuperer les courriels vers les utilisateurs inconnus) +#par defaut, = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# MAILING-LIST nommee xx +# dans le fichier /etc/aliases : +# xx: user1@domain1 user2@domain2 etc. +# owner-xx: admin@domain +# Utiliser ou non l'alias xx-owner comme adresse d'enveloppe d'expedition +#par defaut, = yes +#owner_request_special = + +# Utiliser l'adresse relle de l'admin au lieu de xx-owner +#par defaut, = no +#expand_owner_alias = + + +########################################### +# Section : parametres de la file d'attente +########################################### + +# Lorsqu'un message n'a pas ete delivre, Postfix adjoint une marque indiquant le moment ou la prochaine tentaive pourra avoir lieu + +# Delai au-dela duquel les messages non delivres seront renvoyes a l'expediteur +#par defaut, = 5d +#maximal_queue_lifetime = + +# Delai au-dela duquel les *bounces* non delivres ne seront plus envoyes +#par defaut, = 5d +bounce_queue_lifetime = 1d + +# Intervalle de temps ou postfix examinera la file +# Il examine notamment la file deferred pour voir si de NOUVEAUX messages sont arrives +# Il faut aussi que la marque indique qu'ils soient prets +#par defaut, = 1000s +#queue_run_delay = + +# A chaque echec, le delai de la prochaine distribution double, avec les restrictions suivantes : +# Delai minimal +#par defaut, = 1000s +#minimal_backoff_time = +# Delai maximal +#par defaut, = 4000s +#maximal_backoff_time = + +# Si maxproc est vide (master.cf), nombre maximal est : +#par defaut, = 100 +#default_process_limit = + +# Nombre maximal de destinataires stockes en memoire par qmgr pour un transport particulier +#par defaut, = 10000 +#default_recipient_limit = + +# Nombre limitant de messages envoyes simultanement INITIALEMENT pour une destination particuliere +# (forcement majoree par maxproc du master.cf ou $default_process_limit) +#par defaut, = 5 +#initial_destination_concurrency = + +# Une fois ces messages distribues, si il reste des messages dans la file d'attente pour cette destination +# particuliere, postfix augmente le nombre de tentative tant qu'il ne detecte pas de probleme avec +# la destination, avec la limite suivante : +#par defaut, = 20 +#default_destination_concurrency_limit = + +# Cette limite peut etre differente selon le type de transport utilise : +#par defaut, = $default_destination_concurrency_limit +#lmtp_destination_concurrency_limit = +#par defaut, = 2 +#local_destination_concurrency_limit = +#par defaut, = $default_destination_concurrency_limit +#relay_destination_concurrency_limit = +#par defaut, = $default_destination_concurrency_limit +#smtp_destination_concurrency_limit = +#par defaut, = $default_destination_concurrency_limit +#virtual_destination_concurrency_limit = + +# On peut aussi limiter le nombre maximum de destinataire pour un meme message +# Si le nombre de destinataire depasse la limite, postfix divise en groupe d'adresses plus petites et envoie des copies distinctes du message +#par defaut, = 10000 +#default_destination_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#lmtp_destination_recipient_limit = +#par defaut, = 1 +#local_destination_recipient_limit = +#par defaut, = 20000 +#qmgr_message_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#relay_destination_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#smtp_destination_recipient_limit = +#par defaut, = 1000 +#smtpd_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#virtual_destination_recipient_limit = + +# Nombre maximum de destinataires pour un transport lorsque priorite superieure de transport +#par defaut, = 1000 +#default_extra_recipient_limit = + +slow_destination_rate_delay = 0 +slow_destination_concurrency_limit = 1 +slow_destination_recipient_limit = 25 +slow_destination_concurrency_failed_cohort_limit = 100 + +# Types d'incidents a rapporter +# resource : message non delivre pour probleme de ressource +# software : message non delivre pour probleme de logiciels +# policy : envoie le transcription smtp d'un message rejete par restrictions +# protocol : envoie toute transcription smtp erronee +# delay : envoie les entetes de messages differes +# bounce : envoie les entetes de tous les message renvoyes +# 2bounce : envoie les entetes de tous les messages renvoyes non delivres +#par defaut, = resource, software +notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol + +# A qui les reporter ? +#Pour delay +#par defaut, = postmaster +delay_notice_recipient = delay +#Pour policy, protocol, resource, software +#par defaut, = postmaster +error_notice_recipient = error +#Pour bounce +#par defaut, = postmaster +bounce_notice_recipient = bounce +#Pour 2bounce +#par defaut, = postmaster +2bounce_notice_recipient = bounce + + +######################## +# Section : restrictions +######################## + +# Restrictions au depart de la conversation +#par defaut, = +smtpd_client_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + cidr:$config_directory/spamd.cidr, + +# Restrictions au niveau de la commande HELO/EHLO +#par defaut, = +smtpd_helo_restrictions = + reject_invalid_hostname + +# Restrictions au niveau de la commande MAIL FROM +#par defaut, = +smtpd_sender_restrictions = + permit_mynetworks, + check_sender_access hash:$config_directory/sa-blacklist.access + +# Restrictions au niveau de la commande MAIL FROM +#par defaut, = permit_mynetworks, reject_unauth_destination +smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination, + check_client_access hash:$config_directory/client.access_local, + check_client_access hash:$config_directory/client.access, + check_sender_access hash:$config_directory/sender.access_local, + check_sender_access hash:$config_directory/sender.access, + check_recipient_access hash:$config_directory/recipient.access_local, + check_recipient_access hash:$config_directory/recipient.access, + reject_unlisted_recipient, + reject_unknown_sender_domain, + reject_non_fqdn_sender, + reject_unauth_pipelining, + +header_checks = + regexp:$config_directory/header_kill_local, + regexp:$config_directory/header_kill + +transport_maps = hash:$config_directory/transport + +# Attendre la commande 'RCPT TO' avant d'evaluer les restrictions ? +# (peut poser pb avec certains clients et permet d'avoir renseignements suppl) +#par defaut, = yes +#smtpd_delay_reject = + +# Definition des plages IP appartenant a mynetworks +#par defaut, toutes les plages d'adresses IPv4 (et IPv6) des interfaces +mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16 + +# Exiger la commande HELO/EHLO +#par defaut, = no +smtpd_helo_required = yes + +# Exiger syntaxe conforme dans les commandes MAIL FROM ou RCPT TO +#par defaut, = no +strict_rfc821_envelopes = yes + +# Rejeter le courrier provenant d'une adresse inexistante ? +#par defaut, = no +#smtpd_reject_unlisted_sender = + +# Rejeter le courrier a destination d'une adresse inexistante ? +#par defaut, = yes +#smtpd_reject_unlisted_recipient = + + +####################### +# Section : Chiffrement +####################### + +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# SASL +smtpd_sasl_auth_enable = yes +broken_sasl_auth_clients = yes +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth-client + +{% if postfix_slow_transport_include == True %} +# Slow transports configuration +minimal_backoff_time = 2h +maximal_backoff_time = 6h +maximal_queue_lifetime = 4d +queue_run_delay = 100s +bounce_queue_lifetime = 1d +initial_destination_concurrency = 5 +default_destination_concurrency_limit = 20 +slow_destination_rate_delay = 0 +slow_destination_concurrency_limit = 1 +slow_destination_concurrency_failed_cohort_limit = 100 +slow_destination_recipient_limit = 25 +transport_maps = hash:$config_directory/transport +{% endif %} diff --git a/postfix/templates/virtual_aliases.cf.j2 b/postfix/templates/virtual_aliases.cf.j2 new file mode 100644 index 00000000..1a6e5f9c --- /dev/null +++ b/postfix/templates/virtual_aliases.cf.j2 @@ -0,0 +1,5 @@ +search_base = {{ ldap_suffix }} +query_filter = (&(mailacceptinggeneralid=%u@%d)(isActive=TRUE)) +result_attribute = maildrop +version = 3 +aliases_scope = sub diff --git a/postfix/templates/virtual_domains.cf.j2 b/postfix/templates/virtual_domains.cf.j2 new file mode 100644 index 00000000..97e9ebb3 --- /dev/null +++ b/postfix/templates/virtual_domains.cf.j2 @@ -0,0 +1,5 @@ +search_base = {{ ldap_suffix }} +query_filter = (&(cn=%s)(objectClass=postfixDomain)(isActive=TRUE)) +result_attribute = cn +scope = sub +version = 3 diff --git a/postfix/templates/virtual_mailboxes.cf.j2 b/postfix/templates/virtual_mailboxes.cf.j2 new file mode 100644 index 00000000..0796bdf6 --- /dev/null +++ b/postfix/templates/virtual_mailboxes.cf.j2 @@ -0,0 +1,5 @@ +search_base = {{ ldap_suffix }} +query_filter = (&(mailacceptinggeneralid=%s)(objectClass=mailAccount)(isActive=TRUE)(accountActive=TRUE)) +result_attribute = homeDirectory +scope = sub +version = 3 From 556311a60799d954a9134511070246697d776398 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 15:17:58 +0200 Subject: [PATCH 10/51] evoadmin-mail: fix default config and evoadmin user --- webapps/evoadmin-mail/tasks/user.yml | 39 ++++++++++++- webapps/evoadmin-mail/tasks/web.yml | 9 --- webapps/evoadmin-mail/templates/conf.php.j2 | 56 +++++++++++++++++++ .../templates/config.local.php.j2 | 8 --- .../evoadmin-mail/templates/connect.php.j2 | 28 ++++++++++ .../evoadmin-mail/templates/evoadmin.ldif.j2 | 12 ++++ 6 files changed, 134 insertions(+), 18 deletions(-) create mode 100644 webapps/evoadmin-mail/templates/conf.php.j2 delete mode 100644 webapps/evoadmin-mail/templates/config.local.php.j2 create mode 100644 webapps/evoadmin-mail/templates/connect.php.j2 create mode 100644 webapps/evoadmin-mail/templates/evoadmin.ldif.j2 diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index efbebf72..cf260c4f 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -40,11 +40,48 @@ - name: "Change perms on evoadminmail document root" file: - dest: "{{ evoadminmail_document_root}}" + dest: "{{ evoadminmail_document_root }}" owner: "www-{{ evoadminmail_username }}" group: "{{ evoadminmail_username }}" recurse: yes +- name: "Copy connect.php" + template: + src: connect.php.j2 + dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/connect.php" + owner: "www-{{ evoadminmail_username }}" + group: "{{ evoadminmail_username }}" + when: ldap_admin_password is defined + +- name: "Copy conf.php" + template: + src: conf.php.j2 + dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/config/conf.php" + owner: "www-{{ evoadminmail_username }}" + group: "{{ evoadminmail_username }}" + +- name: create a password for evoadmin user + command: "apg -n 1 -m 16 -M lcN" + register: evoadminmail_admin_password + changed_when: False + +- name: upload ldif for evoadmin user + template: + src: evoadmin.ldif.j2 + dest: /root/evolinux_evoadminmail_admin.ldif + mode: "0640" + +- name: inject config + command: slapadd -l /root/evolinux_evoadminmail_admin.ldif + +- name: create log file + file: + dest: /var/log/evoadmin-mail.log + state: touch + owner: "www-{{ evoadminmail_username }}" + group: "adm" + mode: "0640" + - include: remount_usr_rw.yml when: evoadminmail_scripts_dir | search ("/usr") diff --git a/webapps/evoadmin-mail/tasks/web.yml b/webapps/evoadmin-mail/tasks/web.yml index 95eabe1d..e7d915a3 100644 --- a/webapps/evoadmin-mail/tasks/web.yml +++ b/webapps/evoadmin-mail/tasks/web.yml @@ -28,12 +28,3 @@ changed_when: "'Disabling site' in cmd_a2dissite.stdout" notify: reload apache2 when: not evoadminmail_enable_vhost - -#- name: Copy config file for evoadmin -# template: -# src: config.local.php.j2 -# dest: "{{ evoadminmail_document_root}}/conf/config.local.php" -# mode: "0644" -# owner: evoadmin -# group: evoadmin -# force: no diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 new file mode 100644 index 00000000..b534d0d0 --- /dev/null +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -0,0 +1,56 @@ + + * @version 1.0 + */ + +define("LDAP_URI","ldap://127.0.0.1"); +$ldap_servers = array('ldap://127.0.0.1'); +define("LDAP_BASE","{{ ldap_suffix }}"); +define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}"); +define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}"); + +define("SUDOBIN","/usr/bin/sudo"); +define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh"); +define("SUDOPASS","xxxxxx"); + +define('SERVEUR','localhost'); +define('SERVEURPORT',3306); +define('BASE','horde'); +define('NOM', 'horde'); +define('PASSE', 'xxxx'); + +?> diff --git a/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 b/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 new file mode 100644 index 00000000..389fdff9 --- /dev/null +++ b/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 @@ -0,0 +1,12 @@ +dn: uid=evoadmin,{{ ldap_suffix }} +uid: evoadmin +cn: Evoadmin ADM +uidNumber: 4242 +gidNumber: 4242 +homeDirectory: /dev/null +isAdmin: TRUE +mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }} +objectClass: mailAccount +objectClass: organizationalRole +objectClass: posixAccount +userPassword: {{ evoadminmail_admin_password.stdout }} From fbd1761cc23500cbca549e5f2599b9e0e4d35b0a Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 16:36:49 +0200 Subject: [PATCH 11/51] postfix: fix daemon_directory var --- postfix/templates/packmail_main.cf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index a5700cb9..a81a991b 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -12,7 +12,7 @@ command_directory = /usr/sbin # Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE] #par defaut, = $program_directory -daemon_directory = /usr/lib/postfix +daemon_directory = /usr/lib/postfix/sbin # Variable pour indiquer les emplacements des commandes et demons de postfix #program_directory = /usr/lib/postfix From 6d2dee033875980006add45c0594fed268a696c3 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 18:05:04 +0200 Subject: [PATCH 12/51] evoadmin-mail: use / instead of /evoadmin by default --- webapps/evoadmin-mail/templates/conf.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 index b534d0d0..8927a476 100644 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -18,7 +18,7 @@ $conf['admin']['quota'] = true; // compatibilite LDAP $conf['evoadmin']['version'] = 3; -$conf['url']['webroot'] = '/evoadmin'; +$conf['url']['webroot'] = '/'; $conf['domaines']['onlyone'] = false; $conf['domaines']['driver'] = 'ldap'; From b6761213f921970a5d38050dbc080e728f6dc119 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 18:07:19 +0200 Subject: [PATCH 13/51] evoadmin-mail: fix mail var --- webapps/evoadmin-mail/templates/conf.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 index 8927a476..54fda585 100644 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -1,7 +1,7 @@ Date: Thu, 12 Oct 2017 10:00:16 +0200 Subject: [PATCH 14/51] evoadmin-mail: Fix default title --- webapps/evoadmin-mail/templates/conf.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 index 54fda585..bac22bfd 100644 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -42,7 +42,7 @@ $conf['unix']['uid'] = 5000; $conf['unix']['minuid'] = 1000; $conf['unix']['mingid'] = 1000; -$conf['html']['title'] = "Interface d'administration XXX"; +$conf['html']['title'] = "Evoadmin Mail"; // gestion des logs $conf['log']['priority'] = PEAR_LOG_DEBUG; From 9aaf4fe0588a3247fdaf695f2b3eaa3df083445f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 13 Oct 2017 12:30:02 +0200 Subject: [PATCH 15/51] evoadmin-mail: fix document root path --- webapps/evoadmin-mail/tasks/user.yml | 4 ++-- webapps/evoadmin-mail/templates/evoadminmail.conf.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index cf260c4f..7c0d593a 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -48,7 +48,7 @@ - name: "Copy connect.php" template: src: connect.php.j2 - dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/connect.php" + dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php" owner: "www-{{ evoadminmail_username }}" group: "{{ evoadminmail_username }}" when: ldap_admin_password is defined @@ -56,7 +56,7 @@ - name: "Copy conf.php" template: src: conf.php.j2 - dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/config/conf.php" + dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php" owner: "www-{{ evoadminmail_username }}" group: "{{ evoadminmail_username }}" diff --git a/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 index d65a64ef..026fe00d 100644 --- a/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 +++ b/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 @@ -10,7 +10,7 @@ #ServerAlias {{ evoadminmail_host }} # Repertoire principal - DocumentRoot {{ evoadminmail_document_root }}/evoadmin/htdocs/ + DocumentRoot {{ evoadminmail_document_root }}/htdocs/ # SSL SSLEngine on From 2f7192536341c6d0859052c36f8a93373783be01 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 13 Oct 2017 12:44:37 +0200 Subject: [PATCH 16/51] dovecot: disable pam auth --- dovecot/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 5e9968e0..1a835160 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -11,6 +11,14 @@ tags: - dovecot +- name: disable pam auth + replace: + dest: /etc/dovecot/conf.d/10-auth.conf + regexp: "[^#]!include auth-system.conf.ext" + replace: "#!include auth-system.conf.ext" + tags: + - dovecot + - name: update ldap auth lineinfile: dest: /etc/dovecot/dovecot-ldap.conf.ext From 3ac2a9b73073a2083ddd1340fe8c384f759ecaf4 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 13 Oct 2017 12:45:53 +0200 Subject: [PATCH 17/51] dovecot: update default config --- dovecot/templates/z-evolinux-defaults.conf.j2 | 35 +++++-------------- 1 file changed, 8 insertions(+), 27 deletions(-) diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index 8fe84694..10fefcf2 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -1,7 +1,10 @@ # {{ ansible_managed }} +# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS disable_plaintext_auth = no auth_mechanisms = plain login + +# Authentification LDAP + intégration avec Postfix pour l'auth SMTP !include auth-ldap.conf.ext service auth { unix_listener auth-userdb { @@ -16,38 +19,16 @@ service auth { } } +# Stockage des emails dans /home/mail avec UID/GID 5000/5000 mail_location = maildir:/home/vmail/%d/%n mail_uid = 5000 mail_gid = 5000 +# Activation Sieve protocol lda { mail_plugins = sieve } -service managesieve-login { - inet_listener sieve { - port = 4190 - } - - inet_listener sieve_deprecated { - port = 2000 - } - service_count = 1 - process_min_avail = 0 - vsz_limit = 64M -} - -service managesieve { - -} - -protocol sieve { - managesieve_max_line_length = 65536 - mail_max_userip_connections = 10 - mail_plugins = - managesieve_logout_format = bytes=%i/%o - managesieve_implementation_string = Dovecot Pigeonhole - managesieve_sieve_capability = - managesieve_notify_capability = - managesieve_max_compile_errors = 5 -} +# Optimisations +login_max_processes_count = 256 +mail_max_userip_connections = 42 From d5ffb3c472f1cafec2785c59925f297dd5b2156b Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 17 Oct 2017 11:59:07 +0200 Subject: [PATCH 18/51] evoadmin-mail: fix shell and home for evoadmin-mail users --- webapps/evoadmin-mail/tasks/user.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index 7c0d593a..7e4cb90c 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -5,6 +5,7 @@ name: "{{ evoadminmail_username }}" comment: "Evoadmin Web Account" home: "{{ evoadminmail_home_dir}}" + shell: /bin/bash password: "!" - name: Create log/ directory @@ -23,6 +24,9 @@ - name: "Create www-evoadmin (Debian 9 or later)" user: name: "www-{{ evoadminmail_username }}" + home: "{{ evoadminmail_home_dir}}/www" + shell: /bin/bash + createhome: no when: ansible_distribution_major_version | version_compare('9', '>=') - name: Install Git From dee2e2296c1faab57b3d9b1b80d2fe38b746bf11 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 17 Oct 2017 13:27:05 +0200 Subject: [PATCH 19/51] postfix: deploy packmail master.cf and filter files --- postfix/files/filter | 1 + postfix/files/packmail_master.cf | 132 +++++++++++++++++++++++++++++++ postfix/tasks/main.yml | 50 ++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 postfix/files/filter create mode 100644 postfix/files/packmail_master.cf diff --git a/postfix/files/filter b/postfix/files/filter new file mode 100644 index 00000000..586574a1 --- /dev/null +++ b/postfix/files/filter @@ -0,0 +1 @@ +# Default empty file diff --git a/postfix/files/packmail_master.cf b/postfix/files/packmail_master.cf new file mode 100644 index 00000000..2043f488 --- /dev/null +++ b/postfix/files/packmail_master.cf @@ -0,0 +1,132 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - y - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + +slow unix - - n - - smtp + +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} + +scan unix - - y - 10 smtp +localhost:10026 inet n - y - 10 smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o myhostname=filter.mynetwork.local + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 8e24ad54..99111a23 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -56,6 +56,56 @@ default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" +- name: deploy packmail master.cf + copy: + src: packmail_master.cf + dest: /etc/postfix/master.cf + mode: "0644" + when: postfix_packmail == True + notify: restart postfix + tags: + - postfix + +- name: copy default filter files + copy: + src: filter + dest: "/etc/postfix/{{ item }}" + force: no + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + when: postfix_packmail == True + register: postfix_copy_filter + tags: + - postfix + +- name: postmap filter files + command: "postmap /etc/postfix/{{ item }}" + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + when: postfix_packmail == True and postfix_copy_filter.changed + tags: + - postfix + - name: deploy ldap postfix config template: src: "{{ item }}.j2" From 10ff2747e2dc78154840ed90a22930f59e20dc11 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 15:09:14 +0200 Subject: [PATCH 20/51] Add amavis, clamav and spamassasin roles --- amavis/defaults/main.yml | 2 + amavis/files/spam.sh | 87 +++++++++++++ amavis/handlers/main.yml | 5 + amavis/tasks/main.yml | 43 +++++++ amavis/templates/amavis.conf.j2 | 57 +++++++++ clamav/handlers/main.yml | 5 + clamav/meta/main.yml | 3 + clamav/tasks/main.yml | 111 +++++++++++++++++ packmail/meta/main.yml | 3 + postfix/tasks/main.yml | 4 +- postfix/templates/packmail_main.cf.j2 | 4 + .../packmail_master.cf.j2} | 37 ++++++ spamassasin/files/sa-update.sh | 68 ++++++++++ spamassasin/files/spamassassin.cf | 117 ++++++++++++++++++ spamassasin/handlers/main.yml | 5 + spamassasin/meta/main.yml | 3 + spamassasin/tasks/main.yml | 51 ++++++++ 17 files changed, 603 insertions(+), 2 deletions(-) create mode 100644 amavis/defaults/main.yml create mode 100644 amavis/files/spam.sh create mode 100644 amavis/handlers/main.yml create mode 100644 amavis/tasks/main.yml create mode 100644 amavis/templates/amavis.conf.j2 create mode 100644 clamav/handlers/main.yml create mode 100644 clamav/meta/main.yml create mode 100644 clamav/tasks/main.yml rename postfix/{files/packmail_master.cf => templates/packmail_master.cf.j2} (83%) create mode 100644 spamassasin/files/sa-update.sh create mode 100644 spamassasin/files/spamassassin.cf create mode 100644 spamassasin/handlers/main.yml create mode 100644 spamassasin/meta/main.yml create mode 100644 spamassasin/tasks/main.yml diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml new file mode 100644 index 00000000..5c727eff --- /dev/null +++ b/amavis/defaults/main.yml @@ -0,0 +1,2 @@ +--- +amavis_is_active: True diff --git a/amavis/files/spam.sh b/amavis/files/spam.sh new file mode 100644 index 00000000..10d5e62a --- /dev/null +++ b/amavis/files/spam.sh @@ -0,0 +1,87 @@ +#!/bin/bash + +#set -x + +umask 022 + +tmp_file=$(mktemp) + +tmp=$(mktemp -d) + +if [ -f $tmp_file ] ; + then rm $tmp_file ; +fi + +sleep $[ $RANDOM / 1024 ] + +# Postfix +cd $tmp + +wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file +cp $tmp_file /etc/postfix/client.access +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file +cp $tmp_file /etc/postfix/sender.access +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file +cp $tmp_file /etc/postfix/recipient.access +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file +cp $tmp_file /etc/postfix/header_kill +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access +wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file +if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then + cp sa-blacklist.access /etc/postfix/sa-blacklist.access +fi +rm sa-blacklist.access +rm $tmp_file + +/usr/sbin/postmap hash:/etc/postfix/client.access +/usr/sbin/postmap hash:/etc/postfix/sender.access +/usr/sbin/postmap hash:/etc/postfix/recipient.access +/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access + +wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr +wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file +if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then + cp spamd.cidr /etc/postfix/spamd.cidr +fi +rm spamd.cidr +rm $tmp_file + + +# SpamAssassin +cd $tmp +wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf +wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file +if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then + dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin + dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null + if [ -d /etc/spamassassin/sa-update-hooks.d ]; then + run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d + fi +fi + +# ClamAV +cd $tmp +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file +dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb +if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then + dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/ +fi +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file +dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb +if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then + dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/ +fi +dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null +rm $tmp_file + +rm -rf $tmp diff --git a/amavis/handlers/main.yml b/amavis/handlers/main.yml new file mode 100644 index 00000000..62049999 --- /dev/null +++ b/amavis/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart amavis + service: + name: amavis + state: restarted diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml new file mode 100644 index 00000000..880c3a66 --- /dev/null +++ b/amavis/tasks/main.yml @@ -0,0 +1,43 @@ +--- +- name: install Amavis + apt: + name: "{{ item }}" + state: present + with_items: + - postgrey + - amavisd-new + tags: + - amavis + +- name: configure Amavis + template: + src: amavis.conf.j2 + dest: /etc/amavis/conf.d/49-evolinux-defaults.conf + mode: "0644" + notify: restart amavis + tags: + - amavis + +- name: copy spam.sh script + copy: + src: spam.sh + dest: /usr/share/scripts/spam.sh + mode: "0700" + tags: + - amavis + +- name: enable spam.sh cron + lineinfile: + dest: /etc/cron.d/spam + line: "42 * * * * /usr/share/scripts/spam.sh" + create: yes + state: present + mode: "0640" + tags: + - amavis + +- name: update antispam list + command: /usr/share/scripts/spam.sh + changed_when: false + tags: + - amavis diff --git a/amavis/templates/amavis.conf.j2 b/amavis/templates/amavis.conf.j2 new file mode 100644 index 00000000..cbe597a2 --- /dev/null +++ b/amavis/templates/amavis.conf.j2 @@ -0,0 +1,57 @@ +use strict; + +## Liste des domaines considérés comme locaux +#@local_domains_acl = qw(.); +@local_domains_acl = (".example.net","example.com"); + +# On customise la ligne ajoutée dans les entêtes +$X_HEADER_LINE = "by Amavis at $mydomain"; + +# On precise les FROM pour etre (bugs dans certaines version d'Amavis) +$mailfrom_notify_admin = "postmaster\@$mydomain"; +$mailfrom_notify_recip = "postmaster\@$mydomain"; +$mailfrom_notify_spamadmin = "postmaster\@$mydomain"; + +# Notifications de fichiers bannis / virus +$virus_admin = "postmaster\@$mydomain"; +# Ne pas recevoir des notifications pour les mails UNCHECKED +delete $admin_maps_by_ccat{&CC_UNCHECKED}; + +# Que faire avec les messages détectés +$final_virus_destiny = D_DISCARD; +$final_banned_destiny = D_BOUNCE; +$final_spam_destiny = D_BOUNCE; +$final_bad_header_destiny = D_PASS; + +# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus +#$banned_quarantine_to = "banned\@$mydomain"; +#$virus_quarantine_to = "virus\@$mydomain"; + +# Note tueuse +$sa_tag2_level_deflt = 6.31; +# Pour un comportement "normal" de SA +$sa_tag_level_deflt = -1999; +$sa_kill_level_deflt = 1999; +$sa_dsn_cutoff_level = -99; +$sa_spam_subject_tag = '[SPAM]'; + +# log +$log_level = 2; + +# En fonction besoin/ressources, on a juste le nbre de process +$max_servers = 2; + +$enable_ldap = 1; +$default_ldap = { + hostname => '127.0.0.1', tls => 0, + base => '{{ ldap_suffix }}', scope => 'sub', + query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))' +}; + +# Activer l'antivirus et antivirus +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + +1; # ensure a defined return diff --git a/clamav/handlers/main.yml b/clamav/handlers/main.yml new file mode 100644 index 00000000..e053f01a --- /dev/null +++ b/clamav/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart clamav + service: + name: clamav-daemon + state: restarted diff --git a/clamav/meta/main.yml b/clamav/meta/main.yml new file mode 100644 index 00000000..510b6855 --- /dev/null +++ b/clamav/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: amavis } diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml new file mode 100644 index 00000000..c6cd16a4 --- /dev/null +++ b/clamav/tasks/main.yml @@ -0,0 +1,111 @@ +--- +- name: install ClamAV + apt: + name: "{{ item }}" + state: present + with_items: + - clamav-daemon + - clamav + - clamdscan + - clamav-freshclam + - arc + - arj + - zoo + - pax + - bzip2 + - cabextract + - rpm + - lzop + - razor + tags: + - clamav + +- name: add clamav user to amavis group + user: + name: clamav + groups: amavis + append: True + tags: + - clamav + +- name: allow supplementary groups + replace: + dest: /etc/clamav/clamd.conf + regexp: 'AllowSupplementaryGroups false' + replace: 'AllowSupplementaryGroups true' + notify: restart clamav + tags: + - clamav + +- name: configure clamav-daemon + debconf: + name: clamav-daemon + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' } + - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' } + - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' } + - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' } + - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' } + - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' } + - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' } + - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' } + - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' } + - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' } + - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' } + - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' } + - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' } + - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' } + - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' } + - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' } + - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' } + - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' } + - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' } + - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' } + - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' } + - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' } + - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' } + - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' } + - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' } + - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' } + tags: + - clamav + +- name: configure clamav-freshclam + debconf: + name: clamav-freshclam + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' } + - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' } + - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' } + - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' } + - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' } + - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' } + - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' } + - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } + tags: + - clamav diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index f9138046..9b144692 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -2,6 +2,9 @@ dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } + - { role: amavis } + - { role: spamassasin } + - { role: clamav } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 99111a23..bc4f2240 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -57,8 +57,8 @@ default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" - name: deploy packmail master.cf - copy: - src: packmail_master.cf + template: + src: packmail_master.cf.j2 dest: /etc/postfix/master.cf mode: "0644" when: postfix_packmail == True diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index a81a991b..86a03768 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -413,3 +413,7 @@ slow_destination_concurrency_failed_cohort_limit = 100 slow_destination_recipient_limit = 25 transport_maps = hash:$config_directory/transport {% endif %} + +{% if amavis_is_active is defined and amavis_is_active == True %} +content_filter = smtp-amavis:[127.0.0.1]:10024 +{% endif %} diff --git a/postfix/files/packmail_master.cf b/postfix/templates/packmail_master.cf.j2 similarity index 83% rename from postfix/files/packmail_master.cf rename to postfix/templates/packmail_master.cf.j2 index 2043f488..69964605 100644 --- a/postfix/files/packmail_master.cf +++ b/postfix/templates/packmail_master.cf.j2 @@ -130,3 +130,40 @@ localhost:10026 inet n - y - 10 smtpd -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 + +{% if amavis_is_active is defined and amavis_is_active == True %} +smtp-amavis unix - - y - 2 lmtp + -o lmtp_data_done_timeout=1200 + -o lmtp_send_xforward_command=yes + +127.0.0.1:10025 inet n - y - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions=reject_unauth_pipelining + -o smtpd_end_of_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks + +pre-cleanup unix n - n - 0 cleanup + -o virtual_alias_maps= + -o canonical_maps= + -o sender_canonical_maps= + -o recipient_canonical_maps= + -o masquerade_domains= + -o always_bcc= + -o sender_bcc_maps= + -o recipient_bcc_maps= +{% endif %} diff --git a/spamassasin/files/sa-update.sh b/spamassasin/files/sa-update.sh new file mode 100644 index 00000000..b138c285 --- /dev/null +++ b/spamassasin/files/sa-update.sh @@ -0,0 +1,68 @@ +#!/bin/sh + +# Evolix sa-update, based on: +# Duncan Findlay +# duncf@debian.org + +mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2) +test -x /usr/bin/sa-update || exit 0 +test -x /etc/init.d/spamassassin || exit 0 + +# If there's a problem with the ruleset or configs, print the output +# of spamassassin --lint (which will typically get emailed to root) +# and abort. +die_with_lint() { + su debian-spamd -c "spamassassin --lint -D 2>&1" + exit 1 +} + +do_compile() { +# Compile, if rules have previously been compiled, and it's possible + if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \ + -a -d /var/lib/spamassassin/compiled ]; then + su debian-spamd -c "sa-compile --quiet" + # Fixup perms -- group and other should be able to + # read and execute, but never write. Works around + # sa-compile's failure to obey umask. + chmod -R go-w,go+rX /var/lib/spamassassin/compiled + fi +} + +# Tell a running spamd to reload its configs and rules. +reload() { + # Reload + if which invoke-rc.d >/dev/null 2>&1; then + invoke-rc.d spamassassin reload > /dev/null + else + /etc/init.d/spamassassin reload > /dev/null + fi + if [ -d /etc/spamassassin/sa-update-hooks.d ]; then + run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d + fi +} + +# Update +umask 022 +su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys" + +case $? in + 0) + # got updates! + su debian-spamd -c "spamassassin --lint" || die_with_lint + do_compile + reload + echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \ + mail -s "SpamAsassin's rules updated." $mail + ;; + 1) + # no updates + exit 0 + ;; + 2) + # lint failed! + die_with_lint + ;; + *) + echo "sa-update failed for unknown reasons" 1>&2 + ;; +esac diff --git a/spamassasin/files/spamassassin.cf b/spamassasin/files/spamassassin.cf new file mode 100644 index 00000000..821f51d4 --- /dev/null +++ b/spamassasin/files/spamassassin.cf @@ -0,0 +1,117 @@ +#required_score 5 -> assure par Amavis +report_safe 0 +#rewrite_header Subject [SPAM] -> assure par Amavis +add_header all Report _REPORT_ + +# filtre bayesien +# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/ +use_bayes 1 +bayes_auto_learn 1 +bayes_path /var/spool/spam/bayes +bayes_file_mode 0777 + +# AWL : AutoWhitelist +# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/ +loadplugin Mail::SpamAssassin::Plugin::AWL +use_auto_whitelist 1 +auto_whitelist_path /var/spool/spam/auto_whitelist +auto_whitelist_file_mode 0666 + +# LANG TESTS +loadplugin Mail::SpamAssassin::Plugin::TextCat +ok_languages en fr es it +ok_locales en fr es it + +score BODY_8BITS 1.500 +score CHARSET_FARAWAY 3.200 +score CHARSET_FARAWAY_HEADER 3.200 +score HTML_CHARSET_FARAWAY 0.500 +score MIME_CHARSET_FARAWAY 2.450 +score UNWANTED_LANGUAGE_BODY 2.800 + +# DCC +# use_dcc 1 => un plugin maintenant... +score DCC_CHECK 2.9 + +# RAZOR : http://razor.sourceforge.net +use_razor2 1 +score RAZOR2_CHECK 2.9 +score RAZOR2_CF_RANGE_51_100 1.3 + +# pyzor : http://pyzor.sourceforge.net/ +use_pyzor 0 + +# RBL (Realtime Blackhole List) +skip_rbl_checks 0 +score RCVD_IN_BL_SPAMCOP_NET 3 + +# misc +score HELO_DYNAMIC_IPADDR 0.3 +score BIZ_TLD 0.1 +score PRIORITY_NO_NAME 0.2 + +# disable HTML tests + +score HTML_MESSAGE 0 +score HTML_00_10 0 +score HTML_10_20 0 +score HTML_20_30 0 +score HTML_30_40 0 +score HTML_40_50 0 +score HTML_50_60 0 +score HTML_60_70 0 +score HTML_70_80 0 +score HTML_80_90 0 +score HTML_90_100 0 +#score HTML_COMMENT_8BITS 0 +score UPPERCASE_25_50 0 +score UPPERCASE_50_75 0 +score UPPERCASE_75_100 0 +score MIME_HTML_ONLY 0.1 +# From http://maxime.ritter.eu.org/Spam/user_prefs +# Trop de faux negatifs avec BAYES_(0|1|2|3|4)* +score BAYES_00 0 0 -0.01 -0.01 +score BAYES_01 0 0 -0.01 -0.01 +score BAYES_10 0 0 -0.01 -0.01 +score BAYES_20 0 0 -0.01 -0.01 +score BAYES_30 0 0 -0.01 -0.01 +score BAYES_40 0 0 -0.01 -0.01 +score BAYES_44 0 0 -0.01 -0.01 +score BAYES_50 0 0 0.1 0.1 +score BAYES_56 0 0 0.5 0.5 +score BAYES_60 0 0 1.0 1.0 +score BAYES_70 0 0 2.5 2.5 +score BAYES_80 0 0 3.5 3.5 +score BAYES_90 0 0 4.5 4.5 +score BAYES_99 0 0 8.0 8.0 + +score RCVD_IN_SORBS_DUL 0.3 +score SUBJ_ILLEGAL_CHARS 0 +score RCVD_IN_NJABL_DUL 0.3 + +score ADDRESS_IN_SUBJECT 0.1 + +score HELO_LH_HOME 1.0 + +#internal_networks 192.168.XXX/24 +trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21 +#score ALL_TRUSTED 0.3 +score HELO_DYNAMIC_IPADDR 0.3 + +score FORGED_MUA_OUTLOOK 0.5 + +# Eudora sucks +score EXTRA_MPART_TYPE 0.1 +score MIME_BOUND_EQ_REL 0.1 +score MIME_QP_LONG_LINE 0.1 + +# SMTP senders *have* dynamic IP addresses +# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10 +score RCVD_IN_DYNABLOCK 0 +score HELO_DYNAMIC_IPADDR 0.3 +score RCVD_IN_SORBS 0.1 +score RCVD_IN_PBL 0.1 +score RCVD_IN_SORBS_DUL 0 + +# old bug... +score FH_DATE_PAST_20XX 0.0 diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml new file mode 100644 index 00000000..7479d736 --- /dev/null +++ b/spamassasin/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart spamassassin + service: + name: spamassassin + state: restarted diff --git a/spamassasin/meta/main.yml b/spamassasin/meta/main.yml new file mode 100644 index 00000000..510b6855 --- /dev/null +++ b/spamassasin/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: amavis } diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml new file mode 100644 index 00000000..ba6d7c3c --- /dev/null +++ b/spamassasin/tasks/main.yml @@ -0,0 +1,51 @@ +--- +- name: install SpamAssasin + apt: + name: "{{ item }}" + state: present + with_items: + - spamassassin + tags: + - spamassassin + +- name: configure SpamAssasin + copy: + src: spamassassin.cf + dest: /etc/spamassassin/local_evolix.cf + mode: "0644" + notify: restart spamassassin + tags: + - spamassassin + +- name: enable SpamAssasin + replace: + dest: /etc/default/spamassassin + regexp: 'ENABLED=0' + replace: 'ENABLED=1' + notify: restart spamassassin + tags: + - spamassassin + +- name: copy sa-update.sh script + copy: + src: sa-update.sh + dest: /usr/share/scripts/sa-update.sh + mode: "0750" + tags: + - spamassassin + +- name: enable sa-update.sh cron + lineinfile: + dest: /etc/cron.d/sa-update + line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh" + create: yes + state: present + mode: "0640" + tags: + - spamassassin + +- name: update SpamAssasin's rules + command: /usr/share/scripts/sa-update.sh + changed_when: false + tags: + - spamassassin From 82cf150c05c55d8161da229bf41aa769f8a57e02 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 15:23:52 +0200 Subject: [PATCH 21/51] postfix: move spam.sh script from amavis role --- amavis/tasks/main.yml | 24 ------------------------ packmail/meta/main.yml | 2 +- {amavis => postfix}/files/spam.sh | 0 postfix/tasks/main.yml | 27 +++++++++++++++++++++++++++ 4 files changed, 28 insertions(+), 25 deletions(-) rename {amavis => postfix}/files/spam.sh (100%) diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 880c3a66..810ba505 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -17,27 +17,3 @@ notify: restart amavis tags: - amavis - -- name: copy spam.sh script - copy: - src: spam.sh - dest: /usr/share/scripts/spam.sh - mode: "0700" - tags: - - amavis - -- name: enable spam.sh cron - lineinfile: - dest: /etc/cron.d/spam - line: "42 * * * * /usr/share/scripts/spam.sh" - create: yes - state: present - mode: "0640" - tags: - - amavis - -- name: update antispam list - command: /usr/share/scripts/spam.sh - changed_when: false - tags: - - amavis diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 9b144692..b86b35e9 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -1,10 +1,10 @@ --- dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } - { role: amavis } - { role: spamassasin } - { role: clamav } + - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/amavis/files/spam.sh b/postfix/files/spam.sh similarity index 100% rename from amavis/files/spam.sh rename to postfix/files/spam.sh diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index bc4f2240..628e0eab 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -120,6 +120,33 @@ tags: - postfix +- name: copy spam.sh script + copy: + src: spam.sh + dest: /usr/share/scripts/spam.sh + mode: "0700" + when: postfix_packmail == True + tags: + - postfix + +- name: enable spam.sh cron + lineinfile: + dest: /etc/cron.d/spam + line: "42 * * * * /usr/share/scripts/spam.sh" + create: yes + state: present + mode: "0640" + when: postfix_packmail == True + tags: + - postfix + +- name: update antispam list + command: /usr/share/scripts/spam.sh + changed_when: false + when: postfix_packmail == True + tags: + - postfix + - include: slow_transport.yml when: postfix_slow_transport_include tags: From 64928db22b70d5737b6d8911a7adc0aea5fa6a80 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 15:25:55 +0200 Subject: [PATCH 22/51] postfix: add slow transport for packmail by default --- packmail/meta/main.yml | 2 +- postfix/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index b86b35e9..06186051 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -4,7 +4,7 @@ dependencies: - { role: amavis } - { role: spamassasin } - { role: clamav } - - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } + - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 7aac9a2d..55ab72cd 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -1,5 +1,5 @@ --- postfix_hostname: "{{ ansible_fqdn }}" -postfix_slow_transport_include: False postfix_force_main_cf: False postfix_packmail: False +postfix_slow_transport_include: "{{ postfix_packmail }}" From 71f64d2c2476da78009c54d953448175cff021b7 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 17:00:10 +0200 Subject: [PATCH 23/51] clamav: configure debconf before install packages --- clamav/tasks/main.yml | 76 +++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml index c6cd16a4..6e3058dd 100644 --- a/clamav/tasks/main.yml +++ b/clamav/tasks/main.yml @@ -1,42 +1,4 @@ --- -- name: install ClamAV - apt: - name: "{{ item }}" - state: present - with_items: - - clamav-daemon - - clamav - - clamdscan - - clamav-freshclam - - arc - - arj - - zoo - - pax - - bzip2 - - cabextract - - rpm - - lzop - - razor - tags: - - clamav - -- name: add clamav user to amavis group - user: - name: clamav - groups: amavis - append: True - tags: - - clamav - -- name: allow supplementary groups - replace: - dest: /etc/clamav/clamd.conf - regexp: 'AllowSupplementaryGroups false' - replace: 'AllowSupplementaryGroups true' - notify: restart clamav - tags: - - clamav - - name: configure clamav-daemon debconf: name: clamav-daemon @@ -109,3 +71,41 @@ - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } tags: - clamav + +- name: install ClamAV + apt: + name: "{{ item }}" + state: present + with_items: + - clamav-daemon + - clamav + - clamdscan + - clamav-freshclam + - arc + - arj + - zoo + - pax + - bzip2 + - cabextract + - rpm + - lzop + - razor + tags: + - clamav + +- name: add clamav user to amavis group + user: + name: clamav + groups: amavis + append: True + tags: + - clamav + +- name: allow supplementary groups + replace: + dest: /etc/clamav/clamd.conf + regexp: 'AllowSupplementaryGroups false' + replace: 'AllowSupplementaryGroups true' + notify: restart clamav + tags: + - clamav From 77b8a807535eb112066bf0ff0dcba7950afafaed Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 17:00:44 +0200 Subject: [PATCH 24/51] Add roundcube role --- packmail/tasks/main.yml | 3 ++ webapps/roundcube/defaults/main.yml | 2 + webapps/roundcube/tasks/main.yml | 43 +++++++++++++++++++++ webapps/roundcube/templates/apache2.conf.j2 | 41 ++++++++++++++++++++ 4 files changed, 89 insertions(+) create mode 100644 webapps/roundcube/defaults/main.yml create mode 100644 webapps/roundcube/tasks/main.yml create mode 100644 webapps/roundcube/templates/apache2.conf.j2 diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml index 214d8d77..36d23365 100644 --- a/packmail/tasks/main.yml +++ b/packmail/tasks/main.yml @@ -29,3 +29,6 @@ vars: evoadminmail_enable_vhost: '{{ packmail_enable_evoadmin_vhost }}' +- name: Install Roundcube + include_role: + name: webapps/roundcube diff --git a/webapps/roundcube/defaults/main.yml b/webapps/roundcube/defaults/main.yml new file mode 100644 index 00000000..220720e3 --- /dev/null +++ b/webapps/roundcube/defaults/main.yml @@ -0,0 +1,2 @@ +--- +roundcube_host: "roundcube.{{ ansible_fqdn }}" diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml new file mode 100644 index 00000000..4832043e --- /dev/null +++ b/webapps/roundcube/tasks/main.yml @@ -0,0 +1,43 @@ +--- +- name: configure roundcube-core + debconf: + name: roundcube-core + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'roundcube/dbconfig-reinstall', type: 'boolean', value: 'true' } + - { key: 'roundcube/language', type: 'select', value: 'fr_FR' } + - { key: 'roundcube/hosts', type: 'string', value: '127.0.0.1' } + - { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' } + - { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' } + tags: + - roundcube + +- name: install Roundcube + apt: + name: "{{ item }}" + state: present + with_items: + - roundcube + - roundcube-sqlite3 + tags: + - roundcube + +- name: deploy roundcube vhost + template: + src: apache2.conf.j2 + dest: /etc/apache2/sites-available/rouncube.conf + mode: "0640" + notify: reload apache2 + tags: + - roundcube + +- name: enable roundcube vhost + file: + src: /etc/apache2/sites-available/rouncube.conf + dest: /etc/apache2/sites-enabled/rouncube.conf + state: link + notify: reload apache2 + tags: + - roundcube diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 new file mode 100644 index 00000000..23868992 --- /dev/null +++ b/webapps/roundcube/templates/apache2.conf.j2 @@ -0,0 +1,41 @@ + + ServerName {{ roundcube_host }} + Redirect permanent / https://{{ roundcube_host }} + + + + + # FQDN principal + ServerName {{ roundcube_host }} + + # Repertoire principal + DocumentRoot /var/lib/roundcube/ + + Include /etc/roundcube/apache.conf + + # LOG + CustomLog /var/log/apache2/access.log vhost_combined + CustomLog /var/lib/roundcube/logs/access.log combined + ErrorLog /var/lib/roundcube/logs/error.log + + # REWRITE + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTP_HOST} !^{{ roundcube_host }}$ + RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R] + + # PHP + #php_admin_flag engine off + #AddType text/html .html + #php_admin_flag display_errors On + #php_flag short_open_tag On + #php_flag register_globals On + #php_admin_value memory_limit 256M + #php_admin_value max_execution_time 60 + #php_admin_value upload_max_filesize 8M + #php_admin_flag allow_url_fopen Off + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-roundcube" + php_admin_value error_log "/home/roundcube/log/php.log" + #php_admin_value open_basedir "/usr/share/php:/home/roundcube:/tmp" + + From 8e6d7ed56890af768830094d35557191457b6185 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 17:42:58 +0200 Subject: [PATCH 25/51] roundcube: install default plugins --- webapps/roundcube/tasks/main.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 4832043e..cf5a10b7 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -21,6 +21,25 @@ with_items: - roundcube - roundcube-sqlite3 + - roundcube-plugins + - php-net-sieve + tags: + - roundcube + +- name: configure managesieve plugin + copy: + src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist + dest: /etc/roundcube/plugins/managesieve/config.inc.php + mode: "0644" + remote_src: True + tags: + - roundcube + +- name: enable default plugins + replace: + dest: /etc/roundcube/config.inc.php + regexp: "^\\$config\\['plugins'\\] array($" + replace: "$config['plugins'] = array('zipdownload','managesieve'" tags: - roundcube From 628a043ba7801e4284229b30ad51b3a775f057eb Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 17:55:57 +0200 Subject: [PATCH 26/51] dovecot: login_max_processes_count is obsolete --- dovecot/templates/z-evolinux-defaults.conf.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index 10fefcf2..b6d8d5e5 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -30,5 +30,7 @@ protocol lda { } # Optimisations -login_max_processes_count = 256 +service login { + process_limit = 256 +} mail_max_userip_connections = 42 From e10166249dced04443fb05227f63eb460c34c76c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 18:53:22 +0200 Subject: [PATCH 27/51] roundcube: use imapproxy --- imapproxy/tasks/main.yml | 15 +++++++++++++++ webapps/roundcube/meta/main.yml | 3 +++ webapps/roundcube/tasks/main.yml | 1 + 3 files changed, 19 insertions(+) create mode 100644 imapproxy/tasks/main.yml create mode 100644 webapps/roundcube/meta/main.yml diff --git a/imapproxy/tasks/main.yml b/imapproxy/tasks/main.yml new file mode 100644 index 00000000..0dc62a60 --- /dev/null +++ b/imapproxy/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: install imapproxy + apt: + name: imapproxy + state: present + tags: + - imapproxy + +- name: enable imapproxy + service: + name: imapproxy + state: started + enabled: True + tags: + - imapproxy diff --git a/webapps/roundcube/meta/main.yml b/webapps/roundcube/meta/main.yml new file mode 100644 index 00000000..ddd0e27c --- /dev/null +++ b/webapps/roundcube/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: imapproxy } diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index cf5a10b7..4b793967 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -8,6 +8,7 @@ with_items: - { key: 'roundcube/dbconfig-reinstall', type: 'boolean', value: 'true' } - { key: 'roundcube/language', type: 'select', value: 'fr_FR' } + - { key: 'roundcube/remote/port', type: 'string', value: '1143' } - { key: 'roundcube/hosts', type: 'string', value: '127.0.0.1' } - { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' } - { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' } From ee58a845886ee9e9205d2ec9e366a8c65ad0c60f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 10:17:13 +0200 Subject: [PATCH 28/51] roundcube: fix regex for enabling plugins --- webapps/roundcube/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 4b793967..aa92d1f5 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -39,7 +39,7 @@ - name: enable default plugins replace: dest: /etc/roundcube/config.inc.php - regexp: "^\\$config\\['plugins'\\] array($" + regexp: "^\\$config\\['plugins'\\] = array\\($" replace: "$config['plugins'] = array('zipdownload','managesieve'" tags: - roundcube From 33fccf3b5142602c0aa938160ef2199c311fede2 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 10:46:30 +0200 Subject: [PATCH 29/51] roundcube: use lineinfile for configure IMAP server and port --- webapps/roundcube/tasks/main.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index aa92d1f5..3baf6a74 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -6,10 +6,6 @@ value: "{{ item.value }}" vtype: "{{ item.type }}" with_items: - - { key: 'roundcube/dbconfig-reinstall', type: 'boolean', value: 'true' } - - { key: 'roundcube/language', type: 'select', value: 'fr_FR' } - - { key: 'roundcube/remote/port', type: 'string', value: '1143' } - - { key: 'roundcube/hosts', type: 'string', value: '127.0.0.1' } - { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' } - { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' } tags: @@ -27,6 +23,23 @@ tags: - roundcube +- name: configure roundcube imap host + lineinfile: + dest: /etc/roundcube/config.inc.php + regexp: "\\$config\\['default_host'\\]" + line: "$config['default_host'] = array('127.0.0.1');" + tags: + - roundcube + +- name: configure roudcube imap port + lineinfile: + dest: /etc/roundcube/config.inc.php + regexp: "\\$config\\['default_port'\\]" + insertafter: "\\$config\\['default_host'\\]" + line: "$config['default_port'] = 1143;" + tags: + - roundcube + - name: configure managesieve plugin copy: src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist From 1ea40127362f4217202288653c273498b105ec05 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:05:52 +0200 Subject: [PATCH 30/51] spamassasin: custom sa-update nead evomaintenance package --- spamassasin/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index ba6d7c3c..2e5cd4cc 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -5,6 +5,7 @@ state: present with_items: - spamassassin + - evomaintenance tags: - spamassassin From 302fc2ffcc31e70d02932d35b28bfe817d35a3d9 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:07:38 +0200 Subject: [PATCH 31/51] roundcube: zipdownload plugin nead php-zip --- webapps/roundcube/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 3baf6a74..474fffb0 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -20,6 +20,7 @@ - roundcube-sqlite3 - roundcube-plugins - php-net-sieve + - php-zip tags: - roundcube From d0cceb7e808d7fbc2d4236926f36aa15e0d0da75 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:32:44 +0200 Subject: [PATCH 32/51] roundcube: return 503 if imapproxy doesn't run --- webapps/roundcube/templates/apache2.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 index 23868992..47865c01 100644 --- a/webapps/roundcube/templates/apache2.conf.j2 +++ b/webapps/roundcube/templates/apache2.conf.j2 @@ -11,6 +11,11 @@ # Repertoire principal DocumentRoot /var/lib/roundcube/ + # Return 503 if imapproxy doesn't run + + Redirect 503 / + + Include /etc/roundcube/apache.conf # LOG From f1349816ced90a9cdbec0739d025fe436cc0b8ca Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:41:53 +0200 Subject: [PATCH 33/51] nagios-nrpe: add check for imapproxy --- nagios-nrpe/templates/evolix.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 45223167..d85f9844 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -28,6 +28,7 @@ command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nag command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }} command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993 +command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143 command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995 command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost From 8f7004c977b92d00c8fc2821563e11c412cc31f0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 12:11:46 +0200 Subject: [PATCH 34/51] fail2ban: install filter before package --- fail2ban/tasks/main.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index fbed85eb..886b454b 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -22,14 +22,6 @@ tags: - fail2ban -- name: package is installed - apt: - name: fail2ban - state: present - tags: - - fail2ban - - packages - - name: custom filters are installed copy: src: "{{ item }}" @@ -43,3 +35,12 @@ notify: restart fail2ban tags: - fail2ban + +- name: package is installed + apt: + name: fail2ban + state: present + tags: + - fail2ban + - packages + From 206e2e8a0ae6201cec0c1ed0218c463b933dcd38 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 12:12:18 +0200 Subject: [PATCH 35/51] fail2ban: add roundcube filter --- fail2ban/defaults/main.yml | 1 + fail2ban/files/roundcube.conf | 2 ++ fail2ban/tasks/main.yml | 1 + fail2ban/templates/jail.local.j2 | 9 +++++++++ 4 files changed, 13 insertions(+) create mode 100644 fail2ban/files/roundcube.conf diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 5c4df4f0..d0716d95 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -3,3 +3,4 @@ general_alert_email: "root@localhost" fail2ban_alert_email: Null fail2ban_ignore_ips: [] fail2ban_wordpress: False +fail2ban_roundcube: False diff --git a/fail2ban/files/roundcube.conf b/fail2ban/files/roundcube.conf new file mode 100644 index 00000000..d4ad016a --- /dev/null +++ b/fail2ban/files/roundcube.conf @@ -0,0 +1,2 @@ +[Definition] +failregex = Login failed for .*. from diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 886b454b..6a9a6ff7 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -32,6 +32,7 @@ - sasl-evolix.conf - wordpress-soft.conf - wordpress-hard.conf + - roundcube.conf notify: restart fail2ban tags: - fail2ban diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index b336e535..73b5f21f 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -44,3 +44,12 @@ logpath = /var/log/auth.log maxretry = 5 findtime = 300 {% endif %} + +{% if fail2ban_roundcube %} +[roundcube] +enabled = true +port = http,https +filter = roundcube +logpath = /var/lib/roundcube/logs/errors +maxretry = 5 +{% endif %} From a3744bbe59acd93bca32e1bbf3fba7bd5b94b693 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 11:41:31 +0200 Subject: [PATCH 36/51] Add opendkim role --- opendkim/defaults/main.yml | 2 + opendkim/files/opendkim.conf | 18 +++++++ opendkim/handlers/main.yml | 10 ++++ opendkim/tasks/main.yml | 67 +++++++++++++++++++++++++++ packmail/meta/main.yml | 1 + postfix/templates/packmail_main.cf.j2 | 5 ++ 6 files changed, 103 insertions(+) create mode 100644 opendkim/defaults/main.yml create mode 100644 opendkim/files/opendkim.conf create mode 100644 opendkim/handlers/main.yml create mode 100644 opendkim/tasks/main.yml diff --git a/opendkim/defaults/main.yml b/opendkim/defaults/main.yml new file mode 100644 index 00000000..582c19d6 --- /dev/null +++ b/opendkim/defaults/main.yml @@ -0,0 +1,2 @@ +--- +opendkim_is_active: True diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim.conf new file mode 100644 index 00000000..e881694b --- /dev/null +++ b/opendkim/files/opendkim.conf @@ -0,0 +1,18 @@ +UserID opendkim +Socket inet:54321:127.0.0.1 +PidFile /var/run/opendkim/opendkim.pid +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +Selector default +Canonicalization relaxed/relaxed +ExternalIgnoreList refile:/etc/opendkim/TrustedHosts +InternalHosts refile:/etc/opendkim/TrustedHosts +KeyTable refile:/etc/opendkim/KeyTable +LogResults Yes +LogWhy Yes +Mode sv +SigningTable refile:/etc/opendkim/SigningTable +Syslog Yes +SyslogSuccess Yes +TemporaryDirectory /var/tmp +UMask 007 diff --git a/opendkim/handlers/main.yml b/opendkim/handlers/main.yml new file mode 100644 index 00000000..ccf166a8 --- /dev/null +++ b/opendkim/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: reload opendkim + systemd: + name: opendkim + state: reloaded + +- name: restart opendkim + systemd: + name: opendkim + state: restarted diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml new file mode 100644 index 00000000..c5d6fb8e --- /dev/null +++ b/opendkim/tasks/main.yml @@ -0,0 +1,67 @@ +--- +- name: install OpenDKIM + apt: + name: "{{ item }}" + state: present + with_items: + - opendkim + - opendkim-tools + tags: + - opendkim + +- name: create keys directory + file: + name: "{{ item }}" + state: directory + owner: opendkim + group: opendkim + mode: "0750" + with_items: + - '/etc/opendkim' + - '/etc/opendkim/keys' + tags: + - opendkim + +- name: add 127.0.0.1 to TrustedHosts + lineinfile: + dest: '/etc/opendkim/TrustedHosts' + line: '127.0.0.1' + create: True + owner: opendkim + group: opendkim + mode: "0640" + notify: reload opendkim + tags: + - opendkim + +- name: create config files + file: + name: "/etc/opendkim/{{ item }}" + state: touch + owner: opendkim + group: opendkim + mode: "0640" + with_items: + - 'KeyTable' + - 'SigningTable' + changed_when: False + tags: + - opendkim + +- name: copy OpenDKIM config + copy: + src: opendkim.conf + dest: /etc/opendkim.conf + mode: "0644" + force: yes + notify: restart opendkim + tags: + - opendkim + +- name: ensure opendkim is started and enabled + systemd: + name: opendkim + state: started + enabled: True + tags: + - opendkim diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 06186051..2f99ef2c 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -4,6 +4,7 @@ dependencies: - { role: amavis } - { role: spamassasin } - { role: clamav } + - { role: opendkim } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - { role: dovecot } - { role: apache } diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 86a03768..2f0fb75f 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -417,3 +417,8 @@ transport_maps = hash:$config_directory/transport {% if amavis_is_active is defined and amavis_is_active == True %} content_filter = smtp-amavis:[127.0.0.1]:10024 {% endif %} + +{% if opendkim_is_active is defined and opendkim_is_active == True %} +smtpd_milters = inet:127.0.0.1:54321 +non_smtpd_milters = inet:127.0.0.1:54321 +{% endif %} From 0cdae8b246f32365ee49deab9c1a10dea161a12e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 11:52:03 +0200 Subject: [PATCH 37/51] postfix: split main task into minimal and packmail --- postfix/tasks/main.yml | 144 +------------------------------ postfix/tasks/minimal.yml | 24 ++++++ postfix/tasks/packmail.yml | 111 ++++++++++++++++++++++++ postfix/tasks/slow_transport.yml | 4 + 4 files changed, 143 insertions(+), 140 deletions(-) create mode 100644 postfix/tasks/minimal.yml create mode 100644 postfix/tasks/packmail.yml diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 628e0eab..714787d6 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -1,21 +1,4 @@ -- name: ensure packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - postfix - - mailgraph - tags: - - postfix - -- name: ensure ldap packages are installed - apt: - name: "postfix-ldap" - state: present - when: postfix_packmail == True - tags: - - postfix - +--- - name: check if main.cf is default shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - changed_when: False @@ -24,130 +7,11 @@ tags: - postfix -- block: +- include: minimal.yml + when: postfix_packmail == False - - name: create minimal main.cf - template: - src: evolinux_main.cf.j2 - dest: /etc/postfix/main.cf - owner: root - group: root - mode: "0644" - force: yes - when: postfix_packmail != True - notify: restart postfix - tags: - - postfix - - - name: create packmail main.cf - template: - src: packmail_main.cf.j2 - dest: /etc/postfix/main.cf - owner: root - group: root - mode: "0644" - force: yes - when: postfix_packmail == True - notify: restart postfix - tags: - - postfix - - when: postfix_force_main_cf == True or - default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or - default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" - -- name: deploy packmail master.cf - template: - src: packmail_master.cf.j2 - dest: /etc/postfix/master.cf - mode: "0644" +- include: packmail.yml when: postfix_packmail == True - notify: restart postfix - tags: - - postfix - -- name: copy default filter files - copy: - src: filter - dest: "/etc/postfix/{{ item }}" - force: no - with_items: - - virtual - - client.access - - client.access_local - - header_kill - - header_kill_local - - recipient.access - - recipient.access_local - - sa-blacklist.access - - sender.access - - sender.access_local - - spamd.cidr - when: postfix_packmail == True - register: postfix_copy_filter - tags: - - postfix - -- name: postmap filter files - command: "postmap /etc/postfix/{{ item }}" - with_items: - - virtual - - client.access - - client.access_local - - header_kill - - header_kill_local - - recipient.access - - recipient.access_local - - sa-blacklist.access - - sender.access - - sender.access_local - - spamd.cidr - when: postfix_packmail == True and postfix_copy_filter.changed - tags: - - postfix - -- name: deploy ldap postfix config - template: - src: "{{ item }}.j2" - dest: "/etc/postfix/{{ item }}" - mode: "0644" - with_items: - - virtual_aliases.cf - - virtual_domains.cf - - virtual_mailboxes.cf - when: postfix_packmail == True - notify: restart postfix - tags: - - postfix - -- name: copy spam.sh script - copy: - src: spam.sh - dest: /usr/share/scripts/spam.sh - mode: "0700" - when: postfix_packmail == True - tags: - - postfix - -- name: enable spam.sh cron - lineinfile: - dest: /etc/cron.d/spam - line: "42 * * * * /usr/share/scripts/spam.sh" - create: yes - state: present - mode: "0640" - when: postfix_packmail == True - tags: - - postfix - -- name: update antispam list - command: /usr/share/scripts/spam.sh - changed_when: false - when: postfix_packmail == True - tags: - - postfix - include: slow_transport.yml when: postfix_slow_transport_include - tags: - - postfix diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml new file mode 100644 index 00000000..99b99003 --- /dev/null +++ b/postfix/tasks/minimal.yml @@ -0,0 +1,24 @@ +--- +- name: ensure packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - postfix + tags: + - postfix + +- name: create minimal main.cf + template: + src: evolinux_main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0644" + force: yes + notify: restart postfix + when: postfix_force_main_cf == True or + default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or + default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" + tags: + - postfix diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml new file mode 100644 index 00000000..e485d6b1 --- /dev/null +++ b/postfix/tasks/packmail.yml @@ -0,0 +1,111 @@ +--- +- name: ensure packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - postfix + - postfix-ldap + - mailgraph + tags: + - postfix + +- name: create packmail main.cf + template: + src: packmail_main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0644" + force: yes + notify: restart postfix + when: postfix_force_main_cf == True or + default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or + default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" + tags: + - postfix + +- name: deploy packmail master.cf + template: + src: packmail_master.cf.j2 + dest: /etc/postfix/master.cf + mode: "0644" + notify: restart postfix + tags: + - postfix + +- name: copy default filter files + copy: + src: filter + dest: "/etc/postfix/{{ item }}" + force: no + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + register: postfix_copy_filter + tags: + - postfix + +- name: postmap filter files + command: "postmap /etc/postfix/{{ item }}" + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + when: postfix_copy_filter.changed + tags: + - postfix + +- name: deploy ldap postfix config + template: + src: "{{ item }}.j2" + dest: "/etc/postfix/{{ item }}" + mode: "0644" + with_items: + - virtual_aliases.cf + - virtual_domains.cf + - virtual_mailboxes.cf + notify: restart postfix + tags: + - postfix + +- name: copy spam.sh script + copy: + src: spam.sh + dest: /usr/share/scripts/spam.sh + mode: "0700" + tags: + - postfix + +- name: enable spam.sh cron + lineinfile: + dest: /etc/cron.d/spam + line: "42 * * * * /usr/share/scripts/spam.sh" + create: yes + state: present + mode: "0640" + tags: + - postfix + +- name: update antispam list + command: /usr/share/scripts/spam.sh + changed_when: false + tags: + - postfix diff --git a/postfix/tasks/slow_transport.yml b/postfix/tasks/slow_transport.yml index d5566bdb..2f4cab1e 100644 --- a/postfix/tasks/slow_transport.yml +++ b/postfix/tasks/slow_transport.yml @@ -5,6 +5,8 @@ regexp: "^slow " line: "slow unix - - n - - smtp" notify: restart postfix + tags: + - postfix - name: list of providers for slow transport lineinfile: @@ -21,3 +23,5 @@ - "hotmail.fr slow:" - "hotmail.com slow:" notify: postmap transport + tags: + - postfix From 7413ebdd2b73ebab1f4f0435d83ade8660108731 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 12:02:27 +0200 Subject: [PATCH 38/51] postfix: add spf verification to packmail config --- postfix/tasks/packmail.yml | 1 + postfix/templates/packmail_main.cf.j2 | 3 +++ postfix/templates/packmail_master.cf.j2 | 3 +++ 3 files changed, 7 insertions(+) diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index e485d6b1..d7c37611 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -6,6 +6,7 @@ with_items: - postfix - postfix-ldap + - postfix-policyd-spf-python - mailgraph tags: - postfix diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 2f0fb75f..5e80dbf5 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -339,6 +339,7 @@ smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, + check_policy_service unix:private/policyd-spf, check_client_access hash:$config_directory/client.access_local, check_client_access hash:$config_directory/client.access, check_sender_access hash:$config_directory/sender.access_local, @@ -350,6 +351,8 @@ smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unauth_pipelining, +policyd-spf_time_limit = 3600 + header_checks = regexp:$config_directory/header_kill_local, regexp:$config_directory/header_kill diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index 69964605..6f693c8a 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 @@ -116,6 +116,9 @@ mailman unix - n n - - pipe slow unix - - n - - smtp +policyd-spf unix - n n - 0 spawn + user=policyd-spf argv=/usr/bin/policyd-spf + dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} From 3c1416cf280c1a55dc4998a004fc5e475e23c1a0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:16:08 +0200 Subject: [PATCH 39/51] opendkim: fix UserID and Socket --- opendkim/files/opendkim.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim.conf index e881694b..c8c4d385 100644 --- a/opendkim/files/opendkim.conf +++ b/opendkim/files/opendkim.conf @@ -1,5 +1,5 @@ -UserID opendkim -Socket inet:54321:127.0.0.1 +UserID opendkim:opendkim +Socket inet:54321@127.0.0.1 PidFile /var/run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key From 210b0095b6139aaddb2775c3d9eb48dae064dd95 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:23:35 +0200 Subject: [PATCH 40/51] postfix: always include amavis and opendkim config when packmail --- amavis/defaults/main.yml | 2 -- opendkim/defaults/main.yml | 2 -- postfix/templates/packmail_main.cf.j2 | 14 +++++--------- postfix/templates/packmail_master.cf.j2 | 2 -- 4 files changed, 5 insertions(+), 15 deletions(-) delete mode 100644 amavis/defaults/main.yml delete mode 100644 opendkim/defaults/main.yml diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml deleted file mode 100644 index 5c727eff..00000000 --- a/amavis/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -amavis_is_active: True diff --git a/opendkim/defaults/main.yml b/opendkim/defaults/main.yml deleted file mode 100644 index 582c19d6..00000000 --- a/opendkim/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -opendkim_is_active: True diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 5e80dbf5..9f14ec50 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -401,6 +401,11 @@ broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth-client +# Amavis and OpenDKIM +content_filter = smtp-amavis:[127.0.0.1]:10024 +smtpd_milters = inet:[127.0.0.1]:54321 +non_smtpd_milters = inet:[127.0.0.1]:54321 + {% if postfix_slow_transport_include == True %} # Slow transports configuration minimal_backoff_time = 2h @@ -416,12 +421,3 @@ slow_destination_concurrency_failed_cohort_limit = 100 slow_destination_recipient_limit = 25 transport_maps = hash:$config_directory/transport {% endif %} - -{% if amavis_is_active is defined and amavis_is_active == True %} -content_filter = smtp-amavis:[127.0.0.1]:10024 -{% endif %} - -{% if opendkim_is_active is defined and opendkim_is_active == True %} -smtpd_milters = inet:127.0.0.1:54321 -non_smtpd_milters = inet:127.0.0.1:54321 -{% endif %} diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index 6f693c8a..c3d0e40e 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 @@ -134,7 +134,6 @@ localhost:10026 inet n - y - 10 smtpd -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -{% if amavis_is_active is defined and amavis_is_active == True %} smtp-amavis unix - - y - 2 lmtp -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes @@ -169,4 +168,3 @@ pre-cleanup unix n - n - 0 cleanup -o always_bcc= -o sender_bcc_maps= -o recipient_bcc_maps= -{% endif %} From 6b620f4877b236ab3cb05ad5ee1867a32c935c93 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:34:43 +0200 Subject: [PATCH 41/51] postfix/packmail: fix dependencies --- packmail/meta/main.yml | 5 ----- postfix/meta/main.yml | 9 +++++---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 2f99ef2c..c98ef251 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -1,11 +1,6 @@ --- dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: amavis } - - { role: spamassasin } - - { role: clamav } - - { role: opendkim } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index a4cc6bd0..d9c76f96 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml @@ -13,7 +13,8 @@ galaxy_info: versions: - jessie -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. +dependencies: + - { role: spamassasin, when: postfix_packmail == True } + - { role: clamav, when: postfix_packmail == True } + - { role: opendkim, when: postfix_packmail == True } + - { role: dovecot, when: postfix_packmail == True } From b31110fb850bef822ad870d4ae947a51de4a1f1f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:47:01 +0200 Subject: [PATCH 42/51] postfix: merge packmail role into postfix role --- packmail/README.md | 15 ---------- packmail/defaults/main.yml | 5 ---- packmail/handlers/main.yml | 10 ------- packmail/meta/main.yml | 6 ---- packmail/tasks/main.yml | 34 ---------------------- {packmail => postfix}/files/cn4evolix.ldif | 0 postfix/meta/main.yml | 1 + 7 files changed, 1 insertion(+), 70 deletions(-) delete mode 100644 packmail/README.md delete mode 100644 packmail/defaults/main.yml delete mode 100644 packmail/handlers/main.yml delete mode 100644 packmail/meta/main.yml delete mode 100644 packmail/tasks/main.yml rename {packmail => postfix}/files/cn4evolix.ldif (100%) diff --git a/packmail/README.md b/packmail/README.md deleted file mode 100644 index f4cbbee3..00000000 --- a/packmail/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# packmail - -Install the mail pack, with Postfix/Dovecot/LDAP/evoadmin-mail. - -## Tasks - -See `tasks/main.yml`. - -## Available variables - -Main variables are : - -* `packmail_enable_evoadmin_vhost` : enable VirtualHost for evoadmin (web interface to create mail accounts) - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/packmail/defaults/main.yml b/packmail/defaults/main.yml deleted file mode 100644 index fc1d2a9f..00000000 --- a/packmail/defaults/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# defaults file for packmail -general_alert_email: "root@localhost" - -packmail_enable_evoadmin_vhost: True diff --git a/packmail/handlers/main.yml b/packmail/handlers/main.yml deleted file mode 100644 index 92228e1c..00000000 --- a/packmail/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: restart postfix - service: - name: postfix - state: restarted - -- name: restart dovecot - service: - name: dovecot - state: restarted diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml deleted file mode 100644 index c98ef251..00000000 --- a/packmail/meta/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -dependencies: - - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - - { role: apache } - - { role: php, php_apache_enable: True } diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml deleted file mode 100644 index 36d23365..00000000 --- a/packmail/tasks/main.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -- fail: - msg: only compatible with Debian >= 9 - when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('9', '<') - -- name: Additional packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-security2 - - modsecurity-crs - - apg - -- name: Additional modules are enabled - apache2_module: - name: '{{ item }}' - state: present - with_items: - - ssl - - include - - negotiation - - alias - -- name: Install Evoadmin - include_role: - name: webapps/evoadmin-mail - vars: - evoadminmail_enable_vhost: '{{ packmail_enable_evoadmin_vhost }}' - -- name: Install Roundcube - include_role: - name: webapps/roundcube diff --git a/packmail/files/cn4evolix.ldif b/postfix/files/cn4evolix.ldif similarity index 100% rename from packmail/files/cn4evolix.ldif rename to postfix/files/cn4evolix.ldif diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index d9c76f96..3c7b219a 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: - jessie dependencies: + - { role: ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True } - { role: spamassasin, when: postfix_packmail == True } - { role: clamav, when: postfix_packmail == True } - { role: opendkim, when: postfix_packmail == True } From 2d1504ddf68eb6bcebf0a62e6fde8fc65fe5873f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 15:01:06 +0200 Subject: [PATCH 43/51] apache: add somes modules by defaults --- apache/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index ed99fe5a..35ffcf44 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -38,6 +38,10 @@ - expires - headers - cgi + - ssl + - include + - negotiation + - alias notify: reload apache tags: - apache From 79e6c5526574aac7fe280e2c442e8e11e23349be Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 15:29:41 +0200 Subject: [PATCH 44/51] postfix: update README --- postfix/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/postfix/README.md b/postfix/README.md index 67f56298..04bf879a 100644 --- a/postfix/README.md +++ b/postfix/README.md @@ -4,9 +4,10 @@ Installation and basic configuration of Postfix. ## Tasks -Minimal configuration is in `tasks/main.yml` and optional customization in : +Minimal configuration is in `tasks/minimal.yml` and optional customization in : * `slow_transport.yml` : slow transport to specific destination. +* `packmail.yml` : config for virtual mail accounts with OpenLDAP ## Available variables @@ -14,5 +15,7 @@ Main variables are : * `postfix_hostname` : hostname for Postfix ; * `postfix_slow_transport` : enable customization for delivrability. +* `postfix_force_main_cf` : force copy of main.cf +* `postfix_packmail` : install an Evolix Packmail instead of lite postfix config The full list of variables (with default values) can be found in `defaults/main.yml`. From 91d2cce7d4cee70d3db400e8a5b680e8dcd9a739 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 16:04:59 +0200 Subject: [PATCH 45/51] opendkim: deploy script for add DKIM domain --- opendkim/files/opendkim-add.sh | 46 ++++++++++++++++++++++++++++++++++ opendkim/tasks/main.yml | 28 +++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 opendkim/files/opendkim-add.sh diff --git a/opendkim/files/opendkim-add.sh b/opendkim/files/opendkim-add.sh new file mode 100644 index 00000000..a7da1ce0 --- /dev/null +++ b/opendkim/files/opendkim-add.sh @@ -0,0 +1,46 @@ +#!/bin/sh + +if [ "$#" -ne 1 ]; then + echo "Usage : $0 example.com" >&2 + exit 1 +fi + +domain="$(echo "$1"|xargs)" + +mkdir -pm 0750 "/etc/opendkim/keys/${domain}" +chown opendkim:opendkim "/etc/opendkim/keys/${domain}" + +if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then + cd "/etc/opendkim/keys/${domain}" + echo "Generate DKIM keys ..." + sudo -u opendkim opendkim-genkey -r -d "${domain}" + chmod 640 /etc/opendkim/keys/${domain}/* +fi + +grep -q "${domain}" /etc/opendkim/TrustedHosts +if [ "$?" -ne 0 ]; then + echo "Add ${domain} to TrustedHosts ..." + echo "${domain}" >> /etc/opendkim/TrustedHosts +fi + +grep -q "${domain}" /etc/opendkim/KeyTable +if [ "$?" -ne 0 ]; then + echo "Add ${domain} to KeyTable ..." + echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable +fi + +grep -q "${domain}" /etc/opendkim/SigningTable +if [ "$?" -ne 0 ]; then + echo "Add ${domain} to SigningTable ..." + echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable +fi + +systemctl reload opendkim +if [ "$?" -eq 0 ]; then + echo "OpenDKIM successfully reloaded" + echo "Public key is in : /etc/opendkim/keys/${domain}/default.txt" + exit 0 +else + echo "An error has occurred while opendkim reload, please FIX configuration !" >&2 + exit 1 +fi diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index c5d6fb8e..d491cd39 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -65,3 +65,31 @@ enabled: True tags: - opendkim + +- name: check if /usr is a partition + shell: "mount | grep 'on /usr type'" + args: + warn: no + changed_when: False + failed_when: False + register: usr_partition + check_mode: no + tags: + - opendkim + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + changed_when: False + when: usr_partition.rc == 0 + tags: + - opendkim + +- name: deploy opendkim-add.sh script + copy: + src: opendkim-add.sh + dest: /usr/share/scripts/opendkim-add.sh + mode: "0750" + tags: + - opendkim From 940be65acbe535c57c4fcef8da7a654761f291b2 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 17:59:15 +0200 Subject: [PATCH 46/51] roundcube: merge imapproxy role into roundcube --- imapproxy/tasks/main.yml | 15 --------------- webapps/roundcube/defaults/main.yml | 2 ++ webapps/roundcube/handlers/main.yml | 5 +++++ webapps/roundcube/meta/main.yml | 3 --- webapps/roundcube/tasks/main.yml | 27 +++++++++++++++++++++++++++ 5 files changed, 34 insertions(+), 18 deletions(-) delete mode 100644 imapproxy/tasks/main.yml create mode 100644 webapps/roundcube/handlers/main.yml delete mode 100644 webapps/roundcube/meta/main.yml diff --git a/imapproxy/tasks/main.yml b/imapproxy/tasks/main.yml deleted file mode 100644 index 0dc62a60..00000000 --- a/imapproxy/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: install imapproxy - apt: - name: imapproxy - state: present - tags: - - imapproxy - -- name: enable imapproxy - service: - name: imapproxy - state: started - enabled: True - tags: - - imapproxy diff --git a/webapps/roundcube/defaults/main.yml b/webapps/roundcube/defaults/main.yml index 220720e3..5e0c1a81 100644 --- a/webapps/roundcube/defaults/main.yml +++ b/webapps/roundcube/defaults/main.yml @@ -1,2 +1,4 @@ --- roundcube_host: "roundcube.{{ ansible_fqdn }}" +roundcube_imap_host: "localhost" +roundcube_imap_port: 143 diff --git a/webapps/roundcube/handlers/main.yml b/webapps/roundcube/handlers/main.yml new file mode 100644 index 00000000..bdba6e6b --- /dev/null +++ b/webapps/roundcube/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart imapproxy + systemd: + name: imapproxy + state: restarted diff --git a/webapps/roundcube/meta/main.yml b/webapps/roundcube/meta/main.yml deleted file mode 100644 index ddd0e27c..00000000 --- a/webapps/roundcube/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - { role: imapproxy } diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 474fffb0..37ef1afe 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -16,6 +16,7 @@ name: "{{ item }}" state: present with_items: + - imapproxy - roundcube - roundcube-sqlite3 - roundcube-plugins @@ -24,6 +25,32 @@ tags: - roundcube +- name: configure imapproxy imap host + lineinfile: + dest: /etc/imapproxy.conf + regexp: "^server_hostname" + line: "server_hostname {{ roundcube_imap_host }}" + notify: restart imapproxy + tags: + - roundcube + +- name: configure imapproxy imap port + lineinfile: + dest: /etc/imapproxy.conf + regexp: "^server_port" + line: "server_port {{ roundcube_imap_port }}" + notify: reload imapproxy + tags: + - roundcube + +- name: enable and start imapproxy + service: + name: imapproxy + state: started + enabled: True + tags: + - roundcube + - name: configure roundcube imap host lineinfile: dest: /etc/roundcube/config.inc.php From 69aa3ab8b8f5354eb26c7ac1cecd3d0b7932a5ce Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 10:36:18 +0100 Subject: [PATCH 47/51] ldap: don't inject custom schema if ldap is already configured --- ldap/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index b1554725..84bed58d 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -80,8 +80,8 @@ src: "{{ ldap_schema }}" dest: "/root/{{ ldap_schema }}" mode: "0640" - when: ldap_schema is defined + when: not root_ldapvirc_path.stat.exists and ldap_schema is defined - name: inject custom schema command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" - when: ldap_schema is defined + when: not root_ldapvirc_path.stat.exists and ldap_schema is defined From be3d3c97ef8cd0e4c604c886c0ced1110e53ddb6 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 12:25:26 +0100 Subject: [PATCH 48/51] postfix: don't use milter with amavis --- postfix/templates/packmail_master.cf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index c3d0e40e..7326cb35 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 @@ -140,6 +140,7 @@ smtp-amavis unix - - y - 2 lmtp 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= + -o smtpd_milters= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= From 1f70b148963f82a29406ab00a4a1c65a58d33ef7 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:13:52 +0100 Subject: [PATCH 49/51] spamassasin: mount usr in rw before copy sa-update.sh --- spamassasin/tasks/main.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 2e5cd4cc..4f010650 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -27,6 +27,22 @@ tags: - spamassassin +- name: update ansible_mounts facts + setup: + filter: ansible_mounts + tags: + - spamassassin + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + changed_when: false + when: item.mount == '/usr' and item.options | match(".*ro.*") + with_items: "{{ ansible_mounts }}" + tags: + - spamassassin + - name: copy sa-update.sh script copy: src: sa-update.sh From bee42c57d2e48c660b94b3a05df9833edc531ef0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:17:18 +0100 Subject: [PATCH 50/51] postfix: mount usr in rw before copy spam.sh --- postfix/tasks/packmail.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index d7c37611..69d41581 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -87,6 +87,22 @@ tags: - postfix +- name: update ansible_mounts facts + setup: + filter: ansible_mounts + tags: + - postfix + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + changed_when: false + when: item.mount == '/usr' and item.options | match(".*ro.*") + with_items: "{{ ansible_mounts }}" + tags: + - postfix + - name: copy spam.sh script copy: src: spam.sh From ce89d5c5a59df5cc1832716286fe44be2002ffe4 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:28:42 +0100 Subject: [PATCH 51/51] apache: fix usr rw remount --- apache/tasks/remount_usr_rw.yml | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/apache/tasks/remount_usr_rw.yml b/apache/tasks/remount_usr_rw.yml index 60162607..1f6d064d 100644 --- a/apache/tasks/remount_usr_rw.yml +++ b/apache/tasks/remount_usr_rw.yml @@ -1,19 +1,12 @@ --- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode +- name: update ansible_mounts facts + setup: + filter: ansible_mounts -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes +- name: mount /usr in rw + command: mount -o remount,rw /usr args: warn: no + changed_when: false + when: item.mount == '/usr' and item.options | match(".*ro.*") + with_items: "{{ ansible_mounts }}"