Commit 06dd4eac authored by Lars Beckers

Merge branch 'fsmpi' into 'master'

Minimal Viable FSMPI Deployment

Only commits whose messages identify fsmpi-specifics need to be refactored and removed after the upgrade. Other commits may introduce variables that are documented as not to be relied upon for availability or functionality. However, we may decide to keep them (probably slightly repurposed) later on.

See merge request !16
parents 63701a03 7a107269
......@@ -31,3 +31,22 @@ dovecot_dsync_host_attribute: ansible_host
dovecot_content_filter: false
dovecot_spam_folder: Spam
dovecot_spam_user: "${1}" # debian-spamd
dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
# These variables were introduced for compatibility to a certain setup.
# They may disappear without prior notice and/or may not work as expected.
dovecot_process_limit: 100
dovecot_client_limit: 1000
dovecot_disable_imap_starttls: false
dovecot_postfix_public_private_partnership: true
dovecot_imap_idle_interval: '29 mins'
dovecot_imap_max_userip_connections: 40
dovecot_lda_mailbox_autocreate: false
dovecot_lda_mailbox_autosubscribe: false
dovecot_auth_realms: []
dovecot_auth_default_realm: ''
dovecot_auth_krb5_keytab: ''
dovecot_auth_mechanisms:
- plain
dovecot_mail_namespaces: []
dovecot_special_mailbox_auto_subscribe: false
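Review bot: `dovecot_disable_imap_starttls` (L23) reads as a STARTTLS toggle, but in the 10-master.conf hunk of this merge it wraps the entire `inet_listener imap` on port 143, so setting it to true removes plaintext-port IMAP altogether and leaves only imaps/993. The compatibility comment above the block should say so, e.g. `# dovecot_disable_imap_starttls: true drops the port-143 listener entirely (STARTTLS included); only imaps/993 remains`. `dovecot_postfix_public_private_partnership` likewise says nothing about what it selects; a line such as `# true renders mode 0666 on the Postfix SASL auth socket, false renders 0660` would spare readers a trip to the template.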
......@@ -28,15 +28,18 @@
- dovecot.conf
- deny-users
- conf.d/10-auth.conf
- conf.d/10-director.conf
- conf.d/10-mail.conf
- conf.d/10-master.conf
- conf.d/10-ssl.conf
- conf.d/15-lda.conf
- conf.d/20-managesieve.conf
- conf.d/15-mailboxes.conf
- conf.d/20-imap.conf
- conf.d/20-lmtp.conf
- conf.d/20-managesieve.conf
- conf.d/90-sieve.conf
- conf.d/auth-passwdfile.conf.ext
- conf.d/auth-system.conf.ext
notify:
- restart dovecot
tags:
......
......@@ -26,11 +26,11 @@ disable_plaintext_auth = yes
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
auth_realms = {{ dovecot_auth_realms|join(" ") }}
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
auth_default_realm = {{ dovecot_auth_default_realm }}
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
......@@ -77,7 +77,7 @@ auth_username_format = %Ln
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
auth_krb5_keytab = {{ dovecot_auth_krb5_keytab }}
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
......@@ -101,7 +101,7 @@ auth_username_format = %Ln
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
auth_mechanisms = {{ dovecot_auth_mechanisms|join(" ") }}
##
## Password and user databases
......
##
## Director-specific settings.
##
# Director can be used by Dovecot proxy to keep a temporary user -> mail server
# mapping. As long as user has simultaneous connections, the user is always
# redirected to the same server. Each proxy server is running its own director
# process, and the directors are communicating the state to each others.
# Directors are mainly useful with NFS-like setups.
# List of IPs or hostnames to all director servers, including ourself.
# Ports can be specified as ip:port. The default port is the same as
# what director service's inet_listener is using.
#director_servers =
# List of IPs or hostnames to all backend mail servers. Ranges are allowed
# too, like 10.0.0.10-10.0.0.30.
#director_mail_servers =
# How long to redirect users to a specific server after it no longer has
# any connections.
#director_user_expire = 15 min
# How the username is translated before being hashed. Useful values include
# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
# within domain.
#director_username_hash = %Lu
# To enable director service, uncomment the modes and assign a port.
service director {
unix_listener login/director {
#mode = 0666
}
fifo_listener login/proxy-notify {
#mode = 0666
}
unix_listener director-userdb {
#mode = 0600
}
inet_listener {
#port =
}
}
# Enable director for the wanted login services by telling them to
# connect to director socket instead of the default login socket:
service imap-login {
#executable = imap-login director
}
#service submission-login {
# #executable = submission-login director
#}
# Enable director for LMTP proxying:
protocol lmtp {
#auth_socket_path = director-userdb
}
......@@ -79,6 +79,14 @@ namespace inbox {
# See 15-mailboxes.conf for definitions of special mailboxes.
}
{% for namespace in dovecot_mail_namespaces %}
namespace {
{% for key, value in namespace.items() %}
{{ key }} = {{ value }}
{% endfor %}
}
{% endfor %}
# Example shared namespace configuration
#namespace {
#type = shared
......
#default_process_limit = 100
#default_client_limit = 1000
default_process_limit = {{ dovecot_process_limit }}
default_client_limit = {{ dovecot_client_limit }}
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
......@@ -15,9 +15,11 @@
#default_internal_user = dovecot
service imap-login {
{% if not dovecot_disable_imap_starttls %}
inet_listener imap {
port = 143
}
{% endif %}
inet_listener imaps {
port = 993
ssl = yes
......@@ -42,10 +44,10 @@ service imap-login {
#}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
# Create inet listener only if you can't use the above UNIX socket
......@@ -92,14 +94,26 @@ service auth {
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
{% if dovecot_postfix_public_private_partnership %}
mode = 0666
{% else %}
mode = 0660
{% endif %}
user = postfix
group = postfix
}
# Auth process is run as this user.
# user = $default_internal_user
user = dovecot
group = dovecot
#user = $default_internal_user
{% if dovecot_client_limit != 1000 %}
client_limit = {{ dovecot_client_limit * 2 }}
{% endif %}
}
{% if dovecot_client_limit != 1000 %}
service anvil {
client_limit = {{ dovecot_client_limit + 500 }}
}
{% endif %}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
......
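Review bot: With `dovecot_postfix_public_private_partnership` defaulting to true, the `/var/spool/postfix/private/auth` listener (L181-L189) is rendered `mode = 0666`, which makes the `user = postfix` / `group = postfix` lines directly below it meaningless and lets any local account that can reach the socket path talk to the SASL auth service. The exposure is bounded because `/var/spool/postfix/private` is normally not world-traversable, but the permissive mode should be opt-in rather than the default: set `dovecot_postfix_public_private_partnership: false` in defaults and document in the template why the partnership setup needs a world-writable socket. The `service auth` block also appears to lose its explicit `user = dovecot` / `group = dovecot` in this hunk (L192-L193 look like removed lines); if that reading is right, a comment noting that it now falls back to `default_internal_user` would help the next reader. The `service auth` block continues past the end of the hunk.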
......@@ -37,10 +37,10 @@
#lda_original_recipient_header =
# Should saving a mail to a nonexistent mailbox automatically create it?
#lda_mailbox_autocreate = no
lda_mailbox_autocreate = {{ 'yes' if dovecot_lda_mailbox_autocreate else 'no' }}
# Should automatically created mailboxes be also automatically subscribed?
#lda_mailbox_autosubscribe = no
lda_mailbox_autosubscribe = {{ 'yes' if dovecot_lda_mailbox_autosubscribe else 'no' }}
protocol lda {
# Space separated list of plugins to load (default is global mail_plugins).
......
##
## Mailbox definitions
##
# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
# Indicates whether the mailbox with this name is automatically created
# implicitly when it is first accessed. The user can also be automatically
# subscribed to the mailbox after creation. The following values are
# defined for this setting:
#
# no - Never created automatically.
# create - Automatically created, but no automatic subscription.
# subscribe - Automatically created and subscribed.
#
# special_use:
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
# mailbox. There are no validity checks, so you could specify anything
# you want in here, but it's not a good idea to use flags other than the
# standard ones specified in the RFC:
#
# \All - This (virtual) mailbox presents all messages in the
# user's message store.
# \Archive - This mailbox is used to archive messages.
# \Drafts - This mailbox is used to hold draft messages.
# \Flagged - This (virtual) mailbox presents all messages in the
# user's message store marked with the IMAP \Flagged flag.
# \Junk - This mailbox is where messages deemed to be junk mail
# are held.
# \Sent - This mailbox is used to hold copies of messages that
# have been sent.
# \Trash - This mailbox is used to hold messages that have been
# deleted.
#
# comment:
# Defines a default comment or note associated with the mailbox. This
# value is accessible through the IMAP METADATA mailbox entries
# "/shared/comment" and "/private/comment". Users with sufficient
# privileges can override the default value for entries with a custom
# value.
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
special_use = \Drafts
{% if dovecot_special_mailbox_auto_subscribe %}
auto = subscribe
{% endif %}
}
mailbox {{ dovecot_spam_folder }} {
special_use = \Junk
{% if dovecot_special_mailbox_auto_subscribe %}
auto = subscribe
{% endif %}
}
mailbox Trash {
special_use = \Trash
{% if dovecot_special_mailbox_auto_subscribe %}
auto = subscribe
{% endif %}
}
# For \Sent mailboxes there are two widely used names. We'll mark both of
# them as \Sent. User typically deletes one of them if duplicates are created.
mailbox Sent {
special_use = \Sent
{% if dovecot_special_mailbox_auto_subscribe %}
auto = subscribe
{% endif %}
}
mailbox "Sent Messages" {
special_use = \Sent
}
# If you have a virtual "All messages" mailbox:
#mailbox virtual/All {
# special_use = \All
# comment = All my messages
#}
# If you have a virtual "Flagged" mailbox:
#mailbox virtual/Flagged {
# special_use = \Flagged
# comment = All my flagged messages
#}
}
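Review bot: `mailbox {{ dovecot_spam_folder }} {` on L269 emits the folder name unquoted, while the header comment on L222-L223 states that names containing spaces must be put in quotes (as `mailbox "Sent Messages"` below does), so a `dovecot_spam_folder` value such as `Junk Mail` would produce an unparseable section. Quote it unconditionally: `mailbox "{{ dovecot_spam_folder }}" {`. `"Sent Messages"` is also the only special-use mailbox without the `dovecot_special_mailbox_auto_subscribe` branch; if that is deliberate, to avoid auto-creating both \Sent folders, a one-line comment saying so would stop someone from "fixing" it later.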
......@@ -39,8 +39,7 @@
# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins
imap_idle_notify_interval = 29 mins
imap_idle_notify_interval = {{ dovecot_imap_idle_interval }}
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
......@@ -92,12 +91,11 @@ imap_idle_notify_interval = 29 mins
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
mail_plugins = $mail_plugins
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
mail_max_userip_connections = 40
mail_max_userip_connections = {{ dovecot_imap_max_userip_connections }}
}
{% if dovecot_content_filter %}
......
......@@ -36,7 +36,7 @@ plugin {
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve = {{ dovecot_sieve }}
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
......
# Authentication for system users. Included from 10-auth.conf.
#
# <doc/wiki/PasswordDatabase.txt>
# <doc/wiki/UserDatabase.txt>
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb {
driver = pam
# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
# [cache_key=<key>] [<service name>]
#args = dovecot
}
# System users (NSS, /etc/passwd, or similar).
# In many systems nowadays this uses Name Service Switch, which is
# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
#passdb {
#driver = passwd
# [blocking=no]
#args =
#}
# Shadow passwords for system users (NSS, /etc/shadow or similar).
# Deprecated by PAM nowadays.
# <doc/wiki/PasswordDatabase.Shadow.txt>
#passdb {
#driver = shadow
# [blocking=no]
#args =
#}
# PAM-like authentication for OpenBSD.
# <doc/wiki/PasswordDatabase.BSDAuth.txt>
#passdb {
#driver = bsdauth
# [blocking=no] [cache_key=<key>]
#args =
#}
##
## User databases
##
# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
# <doc/wiki/AuthDatabase.Passwd.txt>
driver = passwd
# [blocking=no]
#args =
# Override fields from passwd
#override_fields = home=/home/virtual/%u
}
# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
#userdb {
#driver = static
# Can return anything a userdb could normally return. For example:
#
# args = uid=500 gid=500 home=/var/mail/%u
#
# LDA and LMTP needs to look up users only from the userdb. This of course
# doesn't work with static userdb because there is no list of users.
# Normally static userdb handles this by doing a passdb lookup. This works
# with most passdbs, with PAM being the most notable exception. If you do
# the user verification another way, you can add allow_all_users=yes to
# the args in which case the passdb lookup is skipped.
#
#args =
#}
......@@ -3,6 +3,7 @@
postfix_domains:
- "{{ domain }}"
postfix_virtual_domains: []
postfix_mailname: "{{ domain }}"
postfix_tls_cert: /etc/ssl/private/fullchain.pem
postfix_tls_key: /etc/ssl/private/privkey.pem
......@@ -16,6 +17,24 @@ postfix_enable_dovecot: true
postfix_enable_submission: true
postfix_enable_smtps: false
postfix_sasl_auth_header: false
postfix_enable_long_queue_ids: false
postfix_tls_received_header: false
# These variables were introduced for compatibility to a certain setup.
# They may disappear without prior notice and/or may not work as expected.
postfix_smtpd_recipient_limit: 1000
postfix_minimal_backoff_time: 300s
postfix_maximal_backoff_time: 4000s
postfix_mailbox_command: '/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"'
postfix_relay_domains: []
postfix_alias_maps:
- cdb:/etc/aliases
postfix_virtual_alias_maps:
- cdb:/etc/postfix/virtual
postfix_sender_login_maps:
- proxy:pcre:/etc/postfix/login_maps.pcre
postfix_enable_postscreen: true
postfix_enable_memcached: false
postfix_login_suffix: ''
......@@ -34,6 +53,7 @@ postfix_network_access:
postfix_content_filter: false # or: spamassassin
postfix_message_size_limit: 10240000 # 10M
postfix_aliases_rt_url: ''
postfix_aliases_rt: []
# - queue: IT
# url: https://rt.example.com
......
......@@ -32,10 +32,35 @@
src: "{{ item }}.j2"
dest: "/etc/postfix/{{ item }}"
with_items:
- login_maps.pcre
- master.cf
- main.cf
- postscreen_access.cidr
notify:
- restart postfix
tags:
- postfix
- mail
- name: ensure login maps list is present
template:
src: "login_maps.pcre.j2"
dest: "/etc/postfix/login_maps.pcre"
when:
- not postfix_satellite_only
- postfix_enable_dovecot
- not postfix_fsmpi|default(false)
notify:
- restart postfix
tags:
- postfix
- mail
- name: ensure postscreen access list is present
template:
src: "postscreen_access.cidr.j2"
dest: "/etc/postfix/postscreen_access.cidr"
when:
- not postfix_satellite_only
- postfix_enable_postscreen
notify:
- restart postfix
tags:
......@@ -105,7 +130,7 @@
template:
src: virtual.j2
dest: /etc/postfix/virtual
when: virtual_aliases is defined or postfix_virtual_domains|count > 0
when: virtual_aliases|default([])|count > 0 or postfix_virtual_domains|count > 0
notify:
- postmap virtual
tags:
......
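Review bot: The new login-maps task (L449-L461) skips rendering `/etc/postfix/login_maps.pcre` when `postfix_fsmpi` is true, but the default `postfix_sender_login_maps` in this merge still points at `proxy:pcre:/etc/postfix/login_maps.pcre` and main.cf keeps `smtpd_sender_restrictions = reject_sender_login_mismatch`, so unless the fsmpi inventory overrides the list, smtpd would be configured with a map file the role never creates. Tie the two together rather than relying on an out-of-band override, e.g. replace the `not postfix_fsmpi|default(false)` condition with `- "'proxy:pcre:/etc/postfix/login_maps.pcre' in postfix_sender_login_maps"`, or at least document the required override next to the `postfix_fsmpi` use. The same coupling question applies to `postscreen_access.cidr` (L462-L471) and whatever in master.cf references it, which is outside these hunks.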
{% for alias in system_aliases %}
{{ alias.src }}: {{ alias.dest }}
{% for alias in system_aliases|default([]) %}
{% if alias.src is string %}
{{ alias.src }}: {{ alias.dest if alias.dest is string else alias.dest|join(', ') }}
{% else %}
{% for src in alias.src %}
{{ src }}: {{ alias.dest if alias.dest is string else alias.dest|join(', ') }}
{% endfor %}
{% endif %}
{% endfor %}
{% for alias in postfix_aliases_rt|default([]) %}
{{ alias.address|default(alias.queue|lower) }}: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action correspond --url {{ alias.url }}"
{{ alias.address|default(alias.queue|lower) }}-comment: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action comment --url {{ alias.url }}"
{{ alias.address|default(alias.queue|lower) }}: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action correspond --url {{ alias.url|default(postfix_aliases_rt_url) }}"
{{ alias.address|default(alias.queue|lower) }}-comment: "|/usr/bin/rt-mailgate --queue {{ alias.queue }} --action comment --url {{ alias.url|default(postfix_aliases_rt_url) }}"
{% endfor %}
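Review bot: `alias.url|default(postfix_aliases_rt_url)` on L496-L497 substitutes only when `url` is undefined, and the role default `postfix_aliases_rt_url: ''` is defined-but-empty, so an entry without its own `url` renders a trailing bare `--url` and the mistake surfaces only when rt-mailgate runs at delivery time. Use `alias.url|default(postfix_aliases_rt_url, true)` so an empty per-entry value also falls through, and add an `assert` task (or a note in defaults) requiring `postfix_aliases_rt_url` to be non-empty whenever a `postfix_aliases_rt` entry omits `url`. The `queue` and `url` values are also interpolated unquoted into a pipe command the local delivery agent hands to the shell; since the whole alias value is already double-quoted, restricting `queue` to a single token with an `assert` regex is safer than trying to nest quotes here.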
{{ domain }}
{{ postfix_mailname }}
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
inet_interfaces = {{ "loopback-only" if postfix_satellite_only else "all" }}
inet_protocols = all
inet_protocols = {{ "all" if not postfix_fsmpi|default(false) else "ipv4" }}
myhostname = {{ ansible_fqdn }}
myorigin = /etc/mailname
mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }}
relay_domains = {{ postfix_relay_domains|join(" ") }}
relayhost = {{ postfix_relay_host }}
{% if postfix_transport_maps|count > 0 %}
transport_maps = cdb:/etc/postfix/transport
{% elif postfix_fsmpi|default(false) and ansible_hostname == "mail" %}
transport_maps = pgsql:/etc/postfix/pgsql-transport.cf
{% endif %}
{% if postfix_luser_relay != "" %}
luser_relay = {{ postfix_luser_relay }}
......@@ -16,37 +20,38 @@ local_recipient_maps =
{% endif %}
{% if not postfix_satellite_only and postfix_enable_dovecot %}
{% if postfix_domains|count > 0 %}
{% if postfix_prefer_lmtp %}
{% if postfix_domains|count > 0 and postfix_prefer_lmtp %}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
{% else %}
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
{% endif %}
{% elif postfix_domains|count > 0 and not postfix_prefer_lmtp %}
mailbox_command = {{ postfix_mailbox_command }}
{% endif %}
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
smtpd_sender_login_maps = {{ postfix_sender_login_maps|join(" ") }}
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = {{ 'yes' if postfix_sasl_auth_header else 'no' }}
smtpd_sasl_local_domain = $myhostname
{% endif %}
append_dot_mydomain = no
biff = no
compatibility_level = 2
#delay_warning_time = 4h
append_dot_mydomain = no
readme_directory = no
disable_vrfy_command = yes
#enable_long_queue_ids = yes
mailbox_size_limit = 0
compatibility_level = 2
enable_long_queue_ids = {{ 'yes' if postfix_enable_long_queue_ids else 'no' }}
minimal_backoff_time = {{ postfix_minimal_backoff_time }}
maximal_backoff_time = {{ postfix_maximal_backoff_time }}
message_size_limit = {{ postfix_message_size_limit }}
readme_directory = no
mailbox_size_limit = 0
recipient_delimiter = +
#strict_rfc821_envelopes = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
smtpd_recipient_limit = {{ postfix_smtpd_recipient_limit }}
{% if postfix_verify_spf %}
smtpd_recipient_restrictions=
permit_mynetworks
......@@ -65,6 +70,7 @@ smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = {{ 'yes' if postfix_tls_received_header else 'no' }}
smtpd_tls_cert_file = {{ postfix_tls_cert }}
smtpd_tls_key_file = {{ postfix_tls_key }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
......@@ -96,10 +102,10 @@ smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
tls_ssl_options = NO_COMPRESSION
{% endif %}
alias_maps = cdb:/etc/aliases
alias_maps = {{ postfix_alias_maps|join(" ") }}
alias_database = cdb:/etc/aliases
{% if virtual_aliases is defined or postfix_virtual_domains|count > 0 %}
virtual_alias_maps = cdb:/etc/postfix/virtual
{% if virtual_aliases|default([])|count > 0 or postfix_virtual_alias_maps != ['cdb:/etc/postfix/virtual'] %}
virtual_alias_maps = {{ postfix_virtual_alias_maps|join(" ") }}
{% endif %}