Add postfix module, with sasl_auth secure authentication capability

attributes/postfix.rb

@@ -0,0 +1,19 @@
+postfix Mash.new unless attribute?("postfix")
+
+postfix[:mail_type] = "client" unless postfix.has_key?(:mail_type)
+postfix[:myhostname] = fqdn unless postfix.has_key?(:myhostname)
+postfix[:mydomain] = domain unless postfix.has_key?(:mydomain)
+postfix[:myorigin] = "$myhostname" unless postfix.has_key?(:myorigin)
+postfix[:relayhost] = "" unless postfix.has_key?(:relayhost)
+postfix[:mail_relay_networks] = "127.0.0.0/8" unless postfix.has_key?(:mail_relay_networks)
+
+postfix[:smtp_sasl_auth_enable] = "no" unless postfix.has_key?(:smtp_sasl_auth_enable)
+
+if postfix[:smtp_sasl_auth_enable] == "yes"
+  postfix[:smtp_sasl_password_maps] = "hash:/etc/postfix/sasl_passwd"
+  postfix[:smtp_sasl_security_options] = "noanonymous"
+  postfix[:smtp_tls_cafile] = "/etc/postfix/cacert.pem"
+  postfix[:smtp_use_tls] = "yes"
+  postfix[:smtp_sasl_user_name] = "" unless postfix.has_key?(:smtp_sasl_user_name)
+  postfix[:smtp_sasl_passwd] = "" unless postfix.has_key?(:smtp_sasl_passwd)
+end

recipes/default.rb

@@ -0,0 +1,37 @@
+#
+# Author:: Joshua Timberman(<joshua@opscode.com>)
+# Cookbook Name:: postfix
+# Recipe:: default
+#
+# Copyright 2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "postfix" do
+  action :install
+end
+
+service "postfix" do
+  action :enable
+end
+
+%w{main master}.each do |cfg|
+  template "/etc/postfix/#{cfg}.cf" do
+    source "#{cfg}.cf.erb"
+    owner "root"
+    group "root"
+    mode 0644
+    notifies :restart, resources(:service => "postfix")
+  end
+end

recipes/sasl_auth.rb

@@ -0,0 +1,40 @@
+#
+# Author:: Joshua Timberman(<joshua@opscode.com>)
+# Cookbook Name:: postfix
+# Recipe:: sasl_auth
+#
+# Copyright 2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+%w{ libsasl2-2  ca-certificates}.each do |pkg|
+  package pkg do
+    action :install
+  end
+end
+
+execute "postmap-sasl_passwd" do
+  command "postmap /etc/postfix/sasl_passwd"
+  action :nothing
+end
+
+template "/etc/postfix/sasl_passwd" do
+  source "sasl_passwd.erb"
+  owner "root"
+  group "root"
+  mode 0400
+  notifies :run, resources(:execute => "postmap-sasl_passwd")
+  notifies :restart, resources(:service => "postfix")
+end
+

templates/default/main.cf.erb

@@ -0,0 +1,37 @@
+###
+# Generated by Chef for <%= @node[:fqdn] %>
+# Configured as <%= @node[:postfix][:mail_type] %>
+###
+
+biff = no
+append_dot_mydomain = no
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
+smtp_sasl_auth_enable = <%= @node[:postfix][:smtp_sasl_auth_enable] %>
+<% if @node[:postfix][:smtp_sasl_auth_enable] == "yes" -%>
+smtp_sasl_password_maps = <%= @node[:postfix][:smtp_sasl_password_maps] %>
+smtp_sasl_security_options = <%= @node[:postfix][:smtp_sasl_security_options] %>
+smtp_tls_CAfile = <%= @node[:postfix][:smtp_tls_cafile] %>
+smtp_use_tls = <%= @node[:postfix][:smtp_use_tls] %>
+<% end -%>
+myhostname = <%= @node[:postfix][:myhostname] %>
+mydomain = <%= @node[:postfix][:mydomain] %>
+myorigin = <%= @node[:postfix][:myorigin] %>
+smtpd_banner = $myhostname ESMTP $mail_name 
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = <%= @node[:postfix][:myhostname] %>, <%= @node[:hostname] %>, localhost.localdomain, localhost
+<% if @node[:postfix][:mail_type] == "master" -%>
+relayhost = 
+mynetworks = <%= @node[:postfix][:mail_relay_networks] %>
+inet_interfaces = all
+<% else -%>
+relayhost = <%= @node[:postfix][:relayhost] %>
+mynetworks = <%= @node[:postfix][:mail_relay_networks] %>
+inet_interfaces = loopback-only
+<% end -%>
+mailbox_size_limit = 0
+recipient_delimiter = +

templates/default/master.cf.erb

@@ -0,0 +1,79 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       -       smtpd
+#submission inet n       -       n       -       -       smtpd
+#  -o smtpd_enforce_tls=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#smtps     inet  n       -       n       -       -       smtpd
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#628      inet  n       -       n       -       -       qmqpd
+pickup    fifo  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+smtp      unix  -       -       n       -       500     smtp
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+relay     unix  -       -       n       -       -       smtp
+	-o fallback_relay=
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache	  unix	-	-	n	-	1	scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# The Cyrus deliver program has changed incompatibly, multiple times.
+#
+old-cyrus unix  -       n       n       -       -       pipe
+  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+cyrus     unix  -       n       n       -       -       pipe
+  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

templates/default/sasl_passwd.erb

@@ -0,0 +1 @@
+<%= @node[:postfix][:relayhost] %> <%= @node[:postfix][:smtp_sasl_user_name] %>:<%= @node[:postfix][:smtp_sasl_passwd] %>