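#
# Cookbook:: kosmos_email
# Recipe:: postfix
#
# Installs Postfix with LDAP map support and configures it as the mail
# front end for this host: main.cf/master.cf attributes consumed by the
# postfix cookbook's templates, the virtual alias table, and the four
# LDAP lookup map files (mailbox domains, alias maps, mailbox maps and
# sender login maps). Postscreen and the two submission listeners sit
# behind haproxy (PROXY protocol), see the master map below.
#

# The package resource accepts an array, so no loop is needed.
apt_package %w[postfix postfix-ldap]

domain           = node["email"]["domain"]
hostname         = node["email"]["hostname"]
root_dir         = node["email"]["root_directory"]
ip_addr          = node["knife_zero"]["host"]
ldap_host        = node["email"]["ldap_host"]
ldap_search_base = node["email"]["ldap_search_base"]

# LDAP bind DN and password come from the encrypted data bag, not from node attributes.
credentials = Chef::EncryptedDataBagItem.load('credentials', 'email')

node.normal["postfix"]["mail_type"] = "master"
node.normal["postfix"]["use_relay_restrictions_maps"] = true
# Only the configured domain and this host's name are accepted for relay.
node.normal["postfix"]["relay_restrictions"] = {
  domain   => "OK",
  hostname => "OK"
}

node.normal['postfix']['main']['myhostname'] = hostname
node.normal['postfix']['main']['mydomain']   = "$myhostname"
node.normal['postfix']['main']['myorigin']   = "$myhostname"
# Trusted networks; permit_mynetworks on the submission ports refers to this list.
node.normal['postfix']['main']['mynetworks'] = ["10.1.1.0/24", "127.0.0.0/8"]

# TLS: opportunistic for outbound SMTP, Let's Encrypt certificate for the
# listeners (the per-port smtpd options below raise the level to encrypt/wrappermode).
node.normal['postfix']['main']['smtp_use_tls']            = "yes"
node.normal['postfix']['main']['smtp_tls_security_level'] = "may"
node.normal['postfix']['main']['smtpd_use_tls']           = "yes"
node.normal['postfix']['main']['smtpd_tls_cert_file']     = "/etc/letsencrypt/live/#{hostname}/fullchain.pem"
node.normal['postfix']['main']['smtpd_tls_key_file']      = "/etc/letsencrypt/live/#{hostname}/privkey.pem"
node.normal['postfix']['main']['smtpd_peername_lookup']   = "no"

# Local delivery is handed to Dovecot over its LMTP socket.
node.normal['postfix']['main']['mailbox_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['smtputf8_enable']     = "no"
node.normal['postfix']['main']['recipient_delimiter'] = "+"

# Static aliases file first, then the LDAP-backed maps rendered further down.
node.normal['postfix']['main']['virtual_alias_maps']       = "hash:#{root_dir}/aliases, ldap:/etc/postfix/ldap-virtual_alias_maps.cf"
node.normal['postfix']['main']['virtual_mailbox_domains']  = "ldap:/etc/postfix/ldap-virtual_mailbox_domains.cf"
node.normal['postfix']['main']['virtual_mailbox_maps']     = "ldap:/etc/postfix/ldap-virtual_mailbox_maps.cf"
node.normal['postfix']['main']['smtpd_sender_login_maps']  = "ldap:/etc/postfix/ldap-smtpd_sender_login_maps.cf"

# Milters: rspamd-style TCP milter on 12301 plus the spamass socket for SMTP,
# TCP milter only for locally submitted mail. milter_default_action=accept
# means mail is accepted when a milter is unreachable (fail-open) — keep that
# trade-off in mind when reading delivery logs.
node.normal['postfix']['main']['milter_protocol']       = "6"
node.normal['postfix']['main']['milter_default_action'] = "accept"
node.normal['postfix']['main']['smtpd_milters']         = "inet:localhost:12301 local:spamass/spamass.sock"
node.normal['postfix']['main']['non_smtpd_milters']     = "inet:localhost:12301"

# master.cf services. All three public listeners expect the haproxy PROXY
# protocol header; the hash keys are symbols on purpose (the cookbook's
# master template iterates them in this form).
node.normal['postfix']['master'] = {
  # Postscreen in front of port 25 traffic forwarded by haproxy.
  "#{ip_addr}:2525": {
    "active": true,
    "order": 1,
    "type": "inet",
    "private": false,
    "maxproc": "1",
    "command": "postscreen",
    "args": [
      "-o postscreen_upstream_proxy_protocol=haproxy",
      "-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache",
      "-o syslog_name=postfix/2525"
    ]
  },
  # Submission (STARTTLS required): SASL via Dovecot, relay only for
  # authenticated users, sender address must match the login.
  "#{ip_addr}:10587": {
    "active": true,
    "order": 2,
    "type": "inet",
    "private": false,
    "chroot": true,
    "command": "smtpd",
    "args": [
      "-o syslog_name=postfix/10587",
      "-o smtpd_tls_security_level=encrypt",
      "-o smtpd_tls_wrappermode=no",
      "-o smtpd_sasl_auth_enable=yes",
      "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
      "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
      "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
      "-o smtpd_sasl_type=dovecot",
      "-o smtpd_sasl_path=private/auth",
      "-o smtpd_upstream_proxy_protocol=haproxy"
    ]
  },
  # Submission over implicit TLS (wrappermode), same policy as 10587.
  "#{ip_addr}:10465": {
    "active": true,
    "order": 3,
    "type": "inet",
    "private": false,
    "chroot": true,
    "command": "smtpd",
    "args": [
      "-o syslog_name=postfix/10465",
      "-o smtpd_tls_wrappermode=yes",
      "-o smtpd_sasl_auth_enable=yes",
      "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
      "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
      "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
      "-o smtpd_sasl_type=dovecot",
      "-o smtpd_sasl_path=private/auth",
      "-o smtpd_upstream_proxy_protocol=haproxy"
    ]
  },
  # Helpers postscreen hands connections to.
  "smtpd": {
    "active": true,
    "order": 100,
    "type": "pass",
    "chroot": true,
    "command": "smtpd",
    "args": []
  },
  "dnsblog": {
    "active": true,
    "order": 101,
    "type": "unix",
    "chroot": true,
    "maxproc": "0",
    "command": "dnsblog",
    "args": []
  },
  "tlsproxy": {
    "active": true,
    "order": 102,
    "type": "unix",
    "chroot": true,
    "maxproc": "0",
    "command": "tlsproxy",
    "args": []
  }
}

# Rebuilds the hash: table whenever the aliases source changes (triggered
# by the template below, never on its own).
bash "compile_postfix_aliases" do
  cwd root_dir
  code "postmap #{root_dir}/aliases"
  action :nothing
  notifies :restart, "service[postfix]", :delayed
end

template "#{root_dir}/aliases" do
  source "virtual-aliases.erb"
  # Plain lookup-table source: world-readable is fine, but it must not be
  # executable (the previous 0755 granted an execute bit for no reason).
  mode 0644
  variables aliases: node["email"]["virtual_aliases"]
  notifies :run, "bash[compile_postfix_aliases]", :immediately
end

# Connection settings shared by every LDAP map file.
ldap_default_variables = {
  server_host: ldap_host,
  bind_dn:     credentials['ldap_dn'],
  bind_pw:     credentials['ldap_dnpass'],
  search_base: ldap_search_base
}

# Per-map query settings, keyed by the "ldap-<name>.cf" file name referenced
# from main.cf above. Insertion order matches the original resource order.
ldap_maps = {
  "virtual_mailbox_domains" => {
    query_filter:     "mailRoutingAddress=*@%s",
    result_attribute: "mailRoutingAddress",
    result_format:    "%d"
  },
  "virtual_alias_maps" => {
    query_filter:     "(&(mailRoutingAddress=%s)(mailForwardingAddress=*))",
    result_attribute: "mailForwardingAddress"
  },
  "virtual_mailbox_maps" => {
    query_filter:     "mailRoutingAddress=%s",
    result_attribute: "mailRoutingAddress"
  },
  "smtpd_sender_login_maps" => {
    query_filter:     "mailRoutingAddress=%s",
    result_attribute: "mailRoutingAddress, mailForwardingAddress"
  }
}

ldap_maps.each do |map_name, query|
  template "/etc/postfix/ldap-#{map_name}.cf" do
    source "postfix_ldap-map.cf.erb"
    # The rendered file carries the LDAP bind password: root-only on disk,
    # and `sensitive` keeps the contents out of Chef's diff/log output.
    mode 0600
    sensitive true
    variables ldap_default_variables.merge(query)
    notifies :restart, "service[postfix]", :delayed
  end
end

include_recipe 'postfix::server'

service "postfix" do
  action [:enable, :start]
end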