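#
# Cookbook:: kosmos_email
# Recipe:: postfix
#
# Installs Postfix with LDAP map support and wires it up as the mail server
# for the configured domain: inbound connections go through postscreen,
# submission is SASL-authenticated against Dovecot, mailbox/alias lookups are
# answered from LDAP, and final delivery is handed to Dovecot over LMTP.
#

require "shellwords"

%w[
  postfix
  postfix-ldap
].each do |pkg|
  apt_package pkg
end

domain   = node["email"]["domain"]
hostname = node["email"]["hostname"]
root_dir = node["email"]["root_directory"]
ip_addr  = node["knife_zero"]["host"]

ldap_host        = node["email"]["ldap_host"]
ldap_search_base = node["email"]["ldap_search_base"]

# Carries the LDAP bind DN and password ('ldap_dn' / 'ldap_dnpass'); the
# resources that render them below are marked sensitive so they stay out of
# chef-client output.
credentials = Chef::EncryptedDataBagItem.load('credentials', 'email')

# Normal attributes persist on the node object between runs (unlike default
# attributes); the postfix cookbook reads its configuration from here.
node.normal["postfix"]["mail_type"] = "master"
node.normal["postfix"]["use_relay_restrictions_maps"] = true
node.normal["postfix"]["relay_restrictions"] = { domain => "OK", hostname => "OK" }

node.normal['postfix']['main']['myhostname'] = hostname
node.normal['postfix']['main']['mydomain'] = "$myhostname"
node.normal['postfix']['main']['myorigin'] = "$myhostname"
node.normal['postfix']['main']['mynetworks'] = ["10.1.1.0/24", "127.0.0.0/8"]
node.normal['postfix']['main']['smtp_use_tls'] = "yes"
node.normal['postfix']['main']['smtp_tls_security_level'] = "may"
node.normal['postfix']['main']['smtpd_use_tls'] = "yes"
# Server certificate comes from the Let's Encrypt live directory for the hostname.
node.normal['postfix']['main']['smtpd_tls_cert_file'] = "/etc/letsencrypt/live/#{hostname}/fullchain.pem"
node.normal['postfix']['main']['smtpd_tls_key_file'] = "/etc/letsencrypt/live/#{hostname}/privkey.pem"
node.normal['postfix']['main']['smtpd_peername_lookup'] = "no"
# Local and virtual delivery both go to Dovecot's LMTP socket.
node.normal['postfix']['main']['mailbox_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['smtputf8_enable'] = "no"
node.normal['postfix']['main']['recipient_delimiter'] = "+"
# Static aliases from the compiled hash map are consulted before the LDAP map;
# the ldap-*.cf files referenced here are rendered further down in this recipe.
node.normal['postfix']['main']['virtual_alias_maps'] = "hash:#{root_dir}/aliases, ldap:/etc/postfix/ldap-virtual_alias_maps.cf"
node.normal['postfix']['main']['virtual_mailbox_domains'] = "ldap:/etc/postfix/ldap-virtual_mailbox_domains.cf"
node.normal['postfix']['main']['virtual_mailbox_maps'] = "ldap:/etc/postfix/ldap-virtual_mailbox_maps.cf"
node.normal['postfix']['main']['smtpd_sender_login_maps'] = "ldap:/etc/postfix/ldap-smtpd_sender_login_maps.cf"
# Milters: a TCP milter on 12301 plus the SpamAssassin socket for incoming SMTP;
# "accept" keeps mail flowing if a milter is unavailable.
node.normal['postfix']['main']['milter_protocol'] = "6"
node.normal['postfix']['main']['milter_default_action'] = "accept"
node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301 local:spamass/spamass.sock"
node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"

# master.cf services. The three inet listeners bind to the host address and
# expect the HAProxy PROXY protocol from whatever sits in front of them
# (`*_upstream_proxy_protocol=haproxy`), so they must not be reachable directly.
node.normal['postfix']['master'] = {
  # Inbound MX traffic: postscreen screens the connection and hands accepted
  # clients to the "smtpd" pass service below.
  "#{ip_addr}:2525": {
    "active": true,
    "order": 1,
    "type": "inet",
    "private": false,
    "maxproc": "1",
    "command": "postscreen",
    "args": [
      "-o postscreen_upstream_proxy_protocol=haproxy",
      "-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache",
      "-o syslog_name=postfix/2525"
    ]
  },
  # Submission (STARTTLS required): SASL via Dovecot, sender address must match
  # the authenticated login, relaying only for authenticated clients.
  "#{ip_addr}:10587": {
    "active": true,
    "order": 2,
    "type": "inet",
    "private": false,
    "chroot": true,
    "command": "smtpd",
    "args": [
      "-o syslog_name=postfix/10587",
      "-o smtpd_tls_security_level=encrypt",
      "-o smtpd_tls_wrappermode=no",
      "-o smtpd_sasl_auth_enable=yes",
      "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
      "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
      "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
      "-o smtpd_sasl_type=dovecot",
      "-o smtpd_sasl_path=private/auth",
      "-o smtpd_upstream_proxy_protocol=haproxy",
    ]
  },
  # Submission over implicit TLS (wrapper mode); same policy as 10587.
  "#{ip_addr}:10465": {
    "active": true,
    "order": 3,
    "type": "inet",
    "private": false,
    "chroot": true,
    "command": "smtpd",
    "args": [
      "-o syslog_name=postfix/10465",
      "-o smtpd_tls_wrappermode=yes",
      "-o smtpd_sasl_auth_enable=yes",
      "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
      "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
      "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
      "-o smtpd_sasl_type=dovecot",
      "-o smtpd_sasl_path=private/auth",
      "-o smtpd_upstream_proxy_protocol=haproxy",
    ]
  },
  # Services postscreen depends on: the pass-through smtpd plus the DNSBL and
  # TLS helper daemons.
  "smtpd": {
    "active": true,
    "order": 100,
    "type": "pass",
    "chroot": true,
    "command": "smtpd",
    "args": []
  },
  "dnsblog": {
    "active": true,
    "order": 101,
    "type": "unix",
    "chroot": true,
    "maxproc": "0",
    "command": "dnsblog",
    "args": []
  },
  "tlsproxy": {
    "active": true,
    "order": 102,
    "type": "unix",
    "chroot": true,
    "maxproc": "0",
    "command": "tlsproxy",
    "args": []
  }
}

# Rebuilds the hash: lookup table; only runs when the aliases source changes.
# The path is shell-escaped so a root_directory containing spaces or shell
# metacharacters cannot break (or alter) the command line.
bash "compile_postfix_aliases" do
  cwd root_dir
  code "postmap #{Shellwords.escape("#{root_dir}/aliases")}"
  action :nothing
  notifies :restart, "service[postfix]", :delayed
end

# Static virtual alias source file. It is data read by postmap, not a program,
# so it gets a plain read-only mode rather than an execute bit.
template "#{root_dir}/aliases" do
  source    "virtual-aliases.erb"
  mode      0644
  variables aliases: node["email"]["virtual_aliases"]
  notifies :run, "bash[compile_postfix_aliases]", :immediately
end

# Connection settings shared by every LDAP lookup table below.
ldap_default_variables = {
  server_host: ldap_host,
  bind_dn: credentials['ldap_dn'],
  bind_pw: credentials['ldap_dnpass'],
  search_base: ldap_search_base
}

# One entry per LDAP map: the key is the map name that main.cf references as
# ldap:/etc/postfix/ldap-<name>.cf, the value is the query that map answers.
ldap_maps = {
  "virtual_mailbox_domains" => {
    query_filter: "mailRoutingAddress=*@%s",
    result_attribute: "mailRoutingAddress",
    result_format: "%d"
  },
  "virtual_alias_maps" => {
    query_filter: "(&(mailRoutingAddress=%s)(mailForwardingAddress=*))",
    result_attribute: "mailForwardingAddress"
  },
  "virtual_mailbox_maps" => {
    query_filter: "mailRoutingAddress=%s",
    result_attribute: "mailRoutingAddress"
  },
  "smtpd_sender_login_maps" => {
    query_filter: "mailRoutingAddress=%s",
    result_attribute: "mailRoutingAddress, mailForwardingAddress"
  }
}

ldap_maps.each do |map_name, map_variables|
  template "/etc/postfix/ldap-#{map_name}.cf" do
    source    "postfix_ldap-map.cf.erb"
    mode      0600
    # The rendered file contains the LDAP bind password; without `sensitive`
    # Chef would print the file diff (password included) in its run output.
    sensitive true
    variables ldap_default_variables.merge(map_variables)
    notifies :restart, "service[postfix]", :delayed
  end
end

include_recipe 'postfix::server'

service "postfix" do
  action [:enable, :start]
end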