From ed429d71833e4ba5804087a22dc537ec79892074 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Thu, 28 Feb 2013 16:34:30 +0100 Subject: [PATCH 01/33] postfix: Add post grey support. --- postfix/manifests/init.pp | 31 +++++++++++++++++++++++++++++++ postfix/templates/main.cf.erb | 3 +++ 2 files changed, 34 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 892e625..8764574 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -29,6 +29,11 @@ # $postfix_cert: # Path to SSL certificate. Defaults to puppet client certificate. # +# $postgrey: +# Whether to run postgrey or not. +# +# $submission: +# Whether to enable submission (and sasl::saslauthd). class postfix { include ssl @@ -60,6 +65,17 @@ class postfix { $postfix_interfaces = "localhost" } + if $postgrey { + case $::operatingsystem { + "debian","ubuntu": { + package {"postgrey": ensure => installed,} + } + default: { + fail("Postgrey module not yet supported in ${::operatingsystem}.") + } + } + } + package { "postfix": ensure => installed, } @@ -97,6 +113,20 @@ class postfix { require => Package["postfix"], } + if $submission { + include sasl::saslauthd + } + + file { "/etc/postfix/master.cf": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + content => template("postfix/master.cf.erb"), + notify => Service["postfix"], + require => Package["postfix"], + } + file { "/etc/aliases": ensure => present, source => [ @@ -132,3 +162,4 @@ class postfix { } } + diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb index 4f0c6ac..c0fe546 100644 --- a/postfix/templates/main.cf.erb +++ b/postfix/templates/main.cf.erb 
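Review bot: The postgrey hunk installs the package but does not manage the daemon, while the main.cf template hands every inbound recipient to `inet:127.0.0.1:10023`; if postgrey is stopped or fails to start, smtpd defers all inbound mail with a temporary policy-service error. Add `service { "postgrey": ensure => running, enable => true, require => Package["postgrey"], }` next to the package so Puppet keeps the dependency running, and consider `before => Service["postfix"]` so the policy server is up before postfix is (re)started. The enclosing `class postfix` body starts and ends outside the hunk.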
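Review bot: The new `file { "/etc/postfix/master.cf": ... }` resource renders `template("postfix/master.cf.erb")`, but this commit does not add that template (it first appears in the next commit), so catalog compilation fails at this revision for every node that includes the class, not only those setting `$submission`. Since master.cf is now fully managed, say so where operators will see it, e.g. a header comment `# master.cf is generated from postfix/templates/master.cf.erb; local edits are overwritten.` Note also that `include sasl::saslauthd` is gated on the truthiness of `$submission` here, so the template should apply the same test rather than only checking whether the variable exists. The enclosing `class postfix` starts and ends outside the hunk.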
@@ -565,6 +565,9 @@ smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_relay_domains +<% if has_variable?("postgrey") -%> + check_policy_service inet:127.0.0.1:10023 +<% end -%> # The header_checks parameter specifies an optional table with patterns # that each logical message header is matched against, including From 7fed52107c399285be6990b665dc4f6fdc091bc0 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 15:21:05 +0100 Subject: [PATCH 02/33] postfix: Trying to get the combo postfix + submission + saslauthd + postgrey + cyrus lmtp delivery working. --- postfix/manifests/init.pp | 22 ++++++ postfix/templates/main.cf.erb | 7 ++ postfix/templates/master.cf.erb | 114 ++++++++++++++++++++++++++++++++ 3 files changed, 143 insertions(+) create mode 100644 postfix/templates/master.cf.erb diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 8764574..d14d27f 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -5,6 +5,9 @@ # $mail_domain: # SMTP domain name. # +# $mydestination: +# Destinations we will accept and relay mail for. +# # $mail_server: # Optional smarthost used for sending mail. # @@ -34,6 +37,9 @@ # # $submission: # Whether to enable submission (and sasl::saslauthd). +# +# $cyrus_lmtp: +# Whether to enable cyrus-lmtp delivery. class postfix { include ssl @@ -65,6 +71,7 @@ class postfix { $postfix_interfaces = "localhost" } + if $postgrey { case $::operatingsystem { "debian","ubuntu": { 
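Review bot: `<% if has_variable?("postgrey") -%>` only tests whether `$postgrey` is defined, while init.pp installs postgrey on `if $postgrey`, so a node that sets `$postgrey = false` gets `check_policy_service inet:127.0.0.1:10023` in main.cf with no policy daemon behind it and smtpd will defer every inbound recipient with a temporary error. Test the value as well so the template and the manifest agree, e.g. `<% if has_variable?("postgrey") && scope.lookupvar("postgrey") -%>`. Keep the policy check after `reject_unauth_destination` as it is here, so relay attempts are rejected outright rather than being greylisted.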
@@ -115,6 +122,21 @@ class postfix { if $submission { include sasl::saslauthd + mount { "/var/spool/postfix/var/run/saslauthd": + name => $sasl_authdir ? { + undef => "/var/run/saslauthd", + default => "/var/run/saslauthd", + }, + ensure => mounted, + atboot => true, + device => "none", + fstype => "tmpfs", + options => "uid=postfix,gid=postfix,mode=0710", + dump => "0", + pass => "0", + require => File["/var/spool/postfix/var/run/saslauthd"], + before => Service["postfix"], + }, } file { "/etc/postfix/master.cf": diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb index c0fe546..9a57404 100644 --- a/postfix/templates/main.cf.erb +++ b/postfix/templates/main.cf.erb @@ -167,7 +167,11 @@ inet_protocols = all # # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". # +<% if has_variable?("mydestination") -%> +mydestination = <%= mydestination %> +<% else -%> mydestination = $myhostname, localhost.$mydomain, localhost +<% end -%> #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, # mail.$mydomain, www.$mydomain, ftp.$mydomain @@ -480,6 +484,9 @@ mail_spool_directory = /var/mail # non-UNIX accounts with "User unknown in local recipient table". # #mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp +<% if has_variable?("cyrus_lmtp") -%> +mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp +<% end -%> # If using the cyrus-imapd IMAP server deliver local mail to the IMAP # server using LMTP (Local Mail Transport Protocol), this is prefered diff --git a/postfix/templates/master.cf.erb b/postfix/templates/master.cf.erb new file mode 100644 index 0000000..2d6c4f0 --- /dev/null +++ b/postfix/templates/master.cf.erb 
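Review bot: The `<% if has_variable?("mydestination") -%>` branch writes `$mydestination` verbatim and drops the default `$myhostname, localhost.$mydomain, localhost` entirely, so a value that lists only the mail domain means mail addressed to localhost or to the host name is no longer treated as local and Postfix typically refuses it ("mail for ... loops back to myself"). Document that in the init.pp header for `$mydestination`, e.g. `# Replaces (does not extend) the default; must still include $myhostname and localhost.`, or emit the default list and append the variable to it. The value is also interpolated into main.cf without validation, so it must be kept to a single comma-separated line; and as elsewhere, `has_variable?` fires for an empty or false value as well as a real one.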
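Review bot: `local_recipient_maps` is left at its default when `mailbox_transport` is pointed at `lmtp:unix:/var/run/cyrus/socket/lmtp`, so Postfix still validates recipients against the UNIX password file and aliases — exactly the "User unknown in local recipient table" case the commented block above this hunk warns about — and Cyrus-only mailboxes are rejected at RCPT TO. Either keep every Cyrus user as a system account, or set `local_recipient_maps` to a map of Cyrus mailboxes; do not simply empty it, which would accept and later bounce mail for unknown users (backscatter). As with the other flags, `has_variable?("cyrus_lmtp")` enables this for `$cyrus_lmtp = false` too.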
@@ -0,0 +1,114 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd +#smtp inet n - - - 1 postscreen +#smtpd pass - - - - - smtpd +#dnsblog unix - - - - 0 dnsblog +#tlsproxy unix - - - - 0 tlsproxy +<% if has_variable?("submission") -%> +submission inet n - - - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +<% end -%> +#smtps inet n - - - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup fifo n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - n 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 
0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +relay unix - - - - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. 
+# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} From 60878130c2c4bf996d2ac27ac1bebce643406a06 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 15:35:30 +0100 Subject: [PATCH 03/33] postfix.init.pp: Fixed a syntax error and simplified the parameters. --- postfix/manifests/init.pp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index d14d27f..314dafc 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -123,10 +123,7 @@ class postfix { if $submission { include sasl::saslauthd mount { "/var/spool/postfix/var/run/saslauthd": - name => $sasl_authdir ? { - undef => "/var/run/saslauthd", - default => "/var/run/saslauthd", - }, + name => "/var/run/saslauthd", ensure => mounted, atboot => true, device => "none", @@ -136,7 +133,7 @@ class postfix { pass => "0", require => File["/var/spool/postfix/var/run/saslauthd"], before => Service["postfix"], - }, + } } file { "/etc/postfix/master.cf": From 88ffbbb8328e6e10c1f5201d570088ac81f848a5 Mon Sep 17 00:00:00 2001 
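Review bot: The `submission` stanza authenticates clients but does not tie the envelope sender to the login, so any account can submit mail with an arbitrary `MAIL FROM`, including another user's address or a foreign domain. Add `-o smtpd_sender_restrictions=reject_sender_login_mismatch` to the stanza and define `smtpd_sender_login_maps` in main.cf (a map from address to the SASL logins allowed to use it). The TLS and SASL settings are otherwise sound: `smtpd_tls_security_level=encrypt` keeps credentials off the wire, and leaving `smtpd_sasl_auth_enable` unset on the port-25 `smtp` service avoids offering AUTH over cleartext, provided main.cf does not enable it globally. Like the other templates, `has_variable?("submission")` emits the stanza even when `$submission` is false, while init.pp only includes saslauthd on a true value.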
From: Lari Huttunen Date: Fri, 1 Mar 2013 15:48:03 +0100 Subject: [PATCH 04/33] postfix.init.pp: Make sure the necessary directories for the bind mount are created. --- postfix/manifests/init.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 314dafc..09a1676 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -122,6 +122,18 @@ class postfix { if $submission { include sasl::saslauthd + file { "/var/spool/postfix/var": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } + file { "/var/spool/postfix/var/run": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } mount { "/var/spool/postfix/var/run/saslauthd": name => "/var/run/saslauthd", ensure => mounted, From 36a5afa30378d3a2405534bcba5cd5815066a4dd Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 15:50:53 +0100 Subject: [PATCH 05/33] postfix.init.pp: One more for the road. --- postfix/manifests/init.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 09a1676..90272fd 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -134,6 +134,12 @@ class postfix { owner => "root", group => "root", } + file { "/var/spool/postfix/var/run/saslauthd": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } mount { "/var/spool/postfix/var/run/saslauthd": name => "/var/run/saslauthd", ensure => mounted, From 488327bc916a6021d85bacdf7de8eb37881713e3 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 16:34:33 +0100 Subject: [PATCH 06/33] postfix.init.pp: Finally found the right options for the bind mount. --- postfix/manifests/init.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 90272fd..54366d2 100644 --- a/postfix/manifests/init.pp 
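Review bot: The `/var/spool/postfix/var` and `/var/spool/postfix/var/run` directories have no `require => Package["postfix"]`, unlike the module's other files under /etc/postfix, and Puppet's `file` type does not create missing parents; on a fresh host where `/var/spool/postfix` does not exist yet, evaluating these before the package install fails with a missing-parent error and the mount beneath them cannot be set up. Add `require => Package["postfix"],` to both (and to the `/var/spool/postfix/var/run/saslauthd` directory added in the following commit). `0755 root:root` is appropriate for a bare mount point; the access control comes from the bound saslauthd directory itself.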
+++ b/postfix/manifests/init.pp @@ -141,16 +141,13 @@ class postfix { group => "root", } mount { "/var/spool/postfix/var/run/saslauthd": - name => "/var/run/saslauthd", ensure => mounted, atboot => true, - device => "none", - fstype => "tmpfs", - options => "uid=postfix,gid=postfix,mode=0710", + device => "/var/run/saslauthd", + options => "bind", + fstype => "bind", dump => "0", pass => "0", - require => File["/var/spool/postfix/var/run/saslauthd"], - before => Service["postfix"], } } From d991e710b69d5ac999ddcc5c29a66e6e35068d35 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 16:38:08 +0100 Subject: [PATCH 07/33] postfix.main.cf.erb: Template syntax fix. --- postfix/templates/main.cf.erb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb index 9a57404..a3e0488 100644 --- a/postfix/templates/main.cf.erb +++ b/postfix/templates/main.cf.erb @@ -571,9 +571,11 @@ smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, - check_relay_domains <% if has_variable?("postgrey") -%> + check_relay_domains, check_policy_service inet:127.0.0.1:10023 +<% else -%> + check_relay_domains <% end -%> # The header_checks parameter specifies an optional table with patterns From e3b91bb844e6465f4046f60e14c86594002a6d43 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 16:50:35 +0100 Subject: [PATCH 08/33] postfix.main.cf.erb: Postgrey debugging. --- postfix/templates/main.cf.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb index a3e0488..81ff2ea 100644 --- a/postfix/templates/main.cf.erb +++ b/postfix/templates/main.cf.erb @@ -572,7 +572,6 @@ smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, <% if has_variable?("postgrey") -%> - check_relay_domains, check_policy_service inet:127.0.0.1:10023 <% else -%> check_relay_domains 
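Review bot: Dropping `require => File["/var/spool/postfix/var/run/saslauthd"]` and `before => Service["postfix"]` removes the only ordering that guaranteed the mount point exists before mounting and that the socket is visible inside the chroot before postfix starts; without them the first run can fail, or smtpd can come up with SASL unreachable. Restore both lines. On Debian's default packaging `/var/run/saslauthd` is mode 0710 root:sasl, so the bind mount alone does not let the chrooted smtpd open the socket — the postfix user also needs membership in the `sasl` group (the `usermod` later in this series adds `mail`, not `sasl`). An alternative that needs no mount is to run saslauthd with `-m /var/spool/postfix/var/run/saslauthd` via /etc/default/saslauthd, if the sasl::saslauthd class can be told to.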
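Review bot: Removing `check_relay_domains` only in the postgrey branch leaves the two `smtpd_recipient_restrictions` lists differing in more than the policy check, which is easy to misread as intentional. `check_relay_domains` is redundant in both branches — `reject_unauth_destination` already precedes it and is the current Postfix restriction for that purpose, and recent Postfix releases treat `check_relay_domains` as obsolete — so remove it from the `<% else -%>` branch as well and keep one list that differs only by the `check_policy_service` line.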
From 79ca80a4a246e562d2f9cdd63c828e9b215b765f Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 17:52:04 +0100 Subject: [PATCH 09/33] cyrus: Started working on a basic support for cyrus imapd. --- cyrus/files/cyrus.conf | 87 +++++++++ cyrus/manifests/init.pp | 80 ++++++++ cyrus/templates/imapd.conf.erb | 322 +++++++++++++++++++++++++++++++++ 3 files changed, 489 insertions(+) create mode 100644 cyrus/files/cyrus.conf create mode 100644 cyrus/manifests/init.pp create mode 100644 cyrus/templates/imapd.conf.erb diff --git a/cyrus/files/cyrus.conf b/cyrus/files/cyrus.conf new file mode 100644 index 0000000..12c3a9f --- /dev/null +++ b/cyrus/files/cyrus.conf 
@@ -0,0 +1,87 @@ +# Debian defaults for Cyrus IMAP server/cluster implementation +# see cyrus.conf(5) for more information +# +# All the tcp services are tcpd-wrapped. see hosts_access(5) + +START { + # do not delete this entry! + recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r" + + # this is only necessary if idlemethod is set to "idled" in imapd.conf + #idled cmd="idled" + + # this is useful on backend nodes of a Murder cluster + # it causes the backend to syncronize its mailbox list with + # the mupdate master upon startup + #mupdatepush cmd="/usr/sbin/cyrus ctl_mboxlist -m" + + # this is recommended if using duplicate delivery suppression + delprune cmd="/usr/sbin/cyrus expire -E 3" + # this is recommended if caching TLS sessions + tlsprune cmd="/usr/sbin/cyrus tls_prune" +} + +# UNIX sockets start with a slash and are absolute paths +# you can use a maxchild=# to limit the maximum number of forks of a service +# you can use babysit=true and maxforkrate=# to keep tight tabs on the service +# most services also accept -U (limit number of reuses) and -T (timeout) +SERVICES { + # --- Normal cyrus spool, or Murder backends --- + # add or remove based on preferences + imap cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100 + imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100 + #pop3 cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50 + #pop3s cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50 + #nntp cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100 + #nntps cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100 + + # At least one form of LMTP is required for delivery + # (you must keep the Unix socket name in sync with imap.conf) + #lmtp cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20 + lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20 + # ---------------------------------------------- + + # useful if you need to give users remote access to sieve + # by default, we limit this to localhost in 
Debian + sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100 + + # this one is needed for the notification services + notify cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1 + + # --- Murder frontends ------------------------- + # enable these and disable the matching services above, + # except for sieve (which deals automatically with Murder) + + # mupdate database service - must prefork at least 1 + # (mupdate slaves) + #mupdate cmd="mupdate" listen=3905 prefork=1 + # (mupdate master, only one in the entire cluster) + #mupdate cmd="mupdate -m" listen=3905 prefork=1 + + # proxies that will connect to the backends + #imap cmd="proxyd" listen="imap" prefork=0 maxchild=100 + #imaps cmd="proxyd -s" listen="imaps" prefork=0 maxchild=100 + #pop3 cmd="pop3proxyd" listen="pop3" prefork=0 maxchild=50 + #pop3s cmd="pop3proxyd -s" listen="pop3s" prefork=0 maxchild=50 + #lmtp cmd="lmtpproxyd" listen="lmtp" prefork=1 maxchild=20 + # ---------------------------------------------- +} + +EVENTS { + # this is required + checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30 + + # this is only necessary if using duplicate delivery suppression + delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401 + + # this is only necessary if caching TLS sessions + tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401 + + # indexing of mailboxes for server side fulltext searches + + # reindex changed mailboxes (fulltext) approximately every other hour + #squatter_1 cmd="/usr/bin/nice -n 19 /usr/sbin/cyrus squatter -s" period=120 + + # reindex all mailboxes (fulltext) daily + #squatter_a cmd="/usr/sbin/cyrus squatter" at=0517 +} diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp new file mode 100644 index 0000000..0163567 --- /dev/null +++ b/cyrus/manifests/init.pp 
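Review bot: `imap cmd="imapd -U 30" listen="imap"` opens cleartext port 143 on all interfaces, and the imapd.conf template added in the same commit sets `allowplaintext: yes`, so clients can send passwords unencrypted unless they happen to negotiate STARTTLS first. Either comment out the `imap` line and keep only `imaps`, or leave 143 open for STARTTLS and set `allowplaintext: no` in imapd.conf so PLAIN/LOGIN are only offered once TLS is up. The header says "All the tcp services are tcpd-wrapped", but nothing in the module manages hosts.allow/hosts.deny, so that is not a restriction until it is configured. The file is the Debian default installed verbatim; a top comment such as `# Managed by puppet (cyrus module); local edits are overwritten.` would help operators.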
@@ -0,0 +1,80 @@ +# By default we want to run an IMAP(s) server and disabled pop3 + nntp. +# +# $cyrus_key: +# Path to SSL private key. Defaults to puppet client key. +# +# $cyrus_cert: +# Path to SSL certificate. Defaults to puppet client certificate. +# +class cyrus { + + case $::operatingsystem { + "ubuntu","debian": {} + default: { + fail("cyrus not supported on ${::operatingsystem}") + } + } + + include ssl + + if !$cyrus_key { + $postfix_key = "${puppet_ssldir}/private_keys/${homename}.pem" + } + + if !$cyrus_cert { + $postfix_cert = "${puppet_ssldir}/certs/${homename}.pem" + } + + package { [ + "cyrus-imapd-2.4", + "cyrus-clients-2.4", + "cyrus-admin-2.4", + "cyrus-doc-2.4", ]: + ensure => present, + } + + service { "cyrus-imapd": + ensure => running, + enable => true, + require => Package["cyrus-imapd-2.4"], + } + + file { "${ssl::certs}/cyrus.crt": + ensure => present, + source => $cyrus_cert, + mode => "0644", + owner => "root", + group => "root", + notify => Service["cyrus-imapd"], + } + + file { "${ssl::private}/cyrus.key": + ensure => present, + source => $cyrus_key, + mode => "0600", + owner => "root", + group => "root", + notify => Service["cyrus-imapd"], + } + + file { "/etc/cyrus.conf": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///files/cyrus.conf" + notify => Service["cyrus-imapd"], + require => Package["cyrus-imapd-2.4"], + } + + file { "/etc/imapd.conf": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + content => template("cyrus/imapd.conf.erb"), + notify => Service["cyrus-imapd"], + require => Package["cyrus-imapd-2.4"], + } + +} \ No newline at end of file diff --git a/cyrus/templates/imapd.conf.erb b/cyrus/templates/imapd.conf.erb new file mode 100644 index 0000000..092709f --- /dev/null +++ b/cyrus/templates/imapd.conf.erb 
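Review bot: The fallback branches assign `$postfix_key` and `$postfix_cert` instead of `$cyrus_key` and `$cyrus_cert`, so when the caller sets neither, `source => $cyrus_key` and `source => $cyrus_cert` are undefined and the `file` resources create empty `cyrus.key`/`cyrus.crt`, breaking TLS for every service that uses the global certificate. Change them to `$cyrus_key = "${puppet_ssldir}/private_keys/${homename}.pem"` and `$cyrus_cert = "${puppet_ssldir}/certs/${homename}.pem"`. The key is installed `0600 root:root`, yet on Debian the Cyrus service processes run as the `cyrus` user, so they cannot read it; `owner => "cyrus", group => "mail", mode => "0640"` (or whichever user the package runs imapd/lmtpd as) is needed, while 0644 is fine for the certificate. Defaulting the IMAP server's TLS key to the Puppet client key also means a compromise of the network-facing daemon exposes the node's Puppet identity, so a dedicated key for the service is preferable.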
@@ -0,0 +1,322 @@ +# Debian Cyrus imapd.conf +# See imapd.conf(5) for more information and more options + +# Configuration directory +configdirectory: /var/lib/cyrus + +# Directories for proc and lock files +proc_path: /run/cyrus/proc +mboxname_lockpath: /run/cyrus/lock + +# Which partition to use for default mailboxes +defaultpartition: default +partition-default: /var/spool/cyrus/mail + +# News setup +partition-news: /var/spool/cyrus/news +newsspool: /var/spool/news + +# Alternate namespace +# If enabled, activate the alternate namespace as documented in +# /usr/share/doc/cyrus-doc-2.4/html/altnamespace.html, where an user's +# subfolders are in the same level as the INBOX +# See also userprefix and sharedprefix on imapd.conf(5) +altnamespace: no + +# UNIX Hierarchy Convention +# Set to yes, and cyrus will accept dots in names, and use the forward +# slash "/" to delimit levels of the hierarchy. This is done by converting +# internally all dots to "^", and all "/" to dots. So the "rabbit.holes" +# mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes" +unixhierarchysep: no + +# Rejecting illegal characters in headers +# Headers of RFC2882 messages must not have characters with the 8th bit +# set. However, too many badly-written MUAs generate this, including most +# spamware. Enable this to reject such messages. +#reject8bit: yes + +# Munging illegal characters in headers +# Headers of RFC2882 messages must not have characters with the 8th bit +# set. However, too many badly-written MUAs generate this, including most +# spamware. If you kept reject8bit disabled, you can choose to leave the +# crappage untouched by disabling this (if you don't care that IMAP SEARCH +# won't work right anymore. +#munge8bit: no + +# Forcing recipient user to lowercase +# Cyrus IMAPD is case-sensitive. If all your mail users are in lowercase, it is +# probably a very good idea to set lmtp_downcase_rcpt to true. This is set by +# default, per RFC2821. 
This was not set by default in debian versions up to +# and including 2.2.12-4. +lmtp_downcase_rcpt: yes + +# Uncomment the following and add the space-separated users who +# have admin rights for all services. +#admins: cyrus + +# Space-separated list of users that have lmtp "admin" status (i.e. that +# can deliver email through TCP/IP lmtp). If specified, this parameter +# overrides the "admins" parameter above +#lmtp_admins: postman + +# Space-separated list of users that have mupdate "admin" status, in +# addition to those in the admins: entry above. Note that mupdate slaves and +# backends in a Murder cluster need to autenticate against the mupdate master +# as admin users. +#mupdate_admins: mupdateman + +# Space-separated list of users that have imapd "admin" status, in +# addition to those in the admins: entry above +#imap_admins: cyrus + +# Space-separated list of users that have sieve "admin" status, in +# addition to those in the admins: entry above +#sieve_admins: cyrus + +# List of users and groups that are allowed to proxy for other users, +# seperated by spaces. Any user listed in this will be allowed to login +# for any other user. Like "admins:" above, you can have imap_proxyservers +# and sieve_proxyservers. +#proxyservers: cyrus + +# No anonymous logins +allowanonymouslogin: no + +# Minimum time between POP mail fetches in minutes +popminpoll: 1 + +# If nonzero, normal users may create their own IMAP accounts by creating +# the mailbox INBOX. The user's quota is set to the value if it is positive, +# otherwise the user has unlimited quota. +autocreatequota: 0 + +# umask used by Cyrus programs +umask: 077 + +# Sendmail binary location +# DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3. +# For now, to work around the bug, set this to a wrapper that calls +# /usr/sbin/sendmail -dropcr instead if you use Exim 3. 
+#sendmail: /usr/sbin/sendmail + +# If enabled, cyrdeliver will look for Sieve scripts in user's home +# directories: ~user/.sieve. +sieveusehomedir: false + +# If sieveusehomedir is false, this directory is searched for Sieve scripts. +sievedir: /var/spool/sieve + +# notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL" +# notifications are disabled. Valid methods are: null, log, zephyr +#mailnotifier: zephyr + +# notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE" +# notifications are disabled. This method is only used when no method is +# specified in the script. Valid methods are null, log, zephyr, mailto +#sievenotifier: zephyr + +# DRAC (pop-before-smtp, imap-before-smtp) support +# Set dracinterval to the time in minutes to call DRAC while a user is +# connected to the imap/pop services. Set to 0 to disable DRAC (default) +# Set drachost to the host where the rpc drac service is running +#dracinterval: 0 +#drachost: localhost + +# If enabled, the partitions will also be hashed, in addition to the hashing +# done on configuration directories. This is recommended if one partition has a +# very bushy mailbox tree. +hashimapspool: true + +# Allow plaintext logins by default (SASL PLAIN) +allowplaintext: yes + +# Force PLAIN/LOGIN authentication only +# (you need to uncomment this if you are not using an auxprop-based SASL +# mechanism. saslauthd users, that means you!). And pay attention to +# sasl_minimum_layer and allowapop below, too. +#sasl_mech_list: PLAIN + +# Allow use of the POP3 APOP authentication command. +# Note that this command requires that the plaintext passwords are +# available in a SASL auxprop backend (eg. sasldb), and that the system +# can provide enough entropy (eg. from /dev/urandom) to create a challenge +# in the banner. +#allowapop: no + +# The minimum SSF that the server will allow a client to negotiate. 
A +# value of 1 requires integrity protection; any higher value requires some +# amount of encryption. +#sasl_minimum_layer: 0 + +# The maximum SSF that the server will allow a client to negotiate. A +# value of 1 requires integrity protection; any higher value requires some +# amount of encryption. +#sasl_maximum_layer: 256 + +# List of remote realms whose users may log in using cross-realm +# authentications. Seperate each realm name by a space. A cross-realm +# identity is considered any identity returned by SASL with an "@" in it. +# NOTE: To support multiple virtual domains on the same interface/IP, +# you need to list them all as loginreals. If you don't list them here, +# (most of) your users probably won't be able to log in. +#loginrealms: example.com + +# Enable virtual domain support. If enabled, the user's domain will +# be determined by splitting a fully qualified userid at the last '@' +# or '%' symbol. If the userid is unqualified, and the virtdomains +# option is set to "on", then the domain will be determined by doing +# a reverse lookup on the IP address of the incoming network +# interface, otherwise the user is assumed to be in the default +# domain (if set). +#virtdomains: userid + +# The default domain for virtual domain support +# If the domain of a user can't be taken from its login and it can't +# be determined by doing a reverse lookup on the interface IP, this +# domain is used. +#defaultdomain: + +# +# SASL library options (these are handled directly by the SASL libraries, +# refer to SASL documentation for an up-to-date list of these) +# + +# The mechanism(s) used by the server to verify plaintext passwords. Possible +# values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They +# are tried in order, you can specify more than one, separated by spaces. +# +# Do note that, since sasl will be run as user cyrus, you may have a lot of +# trouble to set this up right. 
+sasl_pwcheck_method: auxprop + +# What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop +# by default, all plugins are tried (which is probably NOT what you want). +#sasl_auxprop_plugin: sasldb + +# If enabled, the SASL library will automatically create authentication secrets +# when given a plaintext password. Refer to SASL documentation +sasl_auto_transition: no + +# +# SSL/TLS Options +# + +# File containing the global certificate used for ALL services (imap, pop3, +# lmtp, sieve) +tls_cert_file: <%= scope.lookupvar('ssl::certs') %>/cyrus.crt + +# File containing the private key belonging to the global server certificate. +tls_key_file: <%= scope.lookupvar('ssl::private') %>/cyrus.key + +# File containing the certificate used for imap. If not specified, the global +# certificate is used. A value of "disabled" will disable SSL/TLS for imap. +#imap_tls_cert_file: /etc/ssl/certs/cyrus-imap.pem + +# File containing the private key belonging to the imap-specific server +# certificate. If not specified, the global private key is used. A value of +# "disabled" will disable SSL/TLS for imap. +#imap_tls_key_file: /etc/ssl/private/cyrus-imap.key + +# File containing the certificate used for pop3. If not specified, the global +# certificate is used. A value of "disabled" will disable SSL/TLS for pop3. +#pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3.pem + +# File containing the private key belonging to the pop3-specific server +# certificate. If not specified, the global private key is used. A value of +# "disabled" will disable SSL/TLS for pop3. +#pop3_tls_key_file: /etc/ssl/private/cyrus-pop3.key + +# File containing the certificate used for lmtp. If not specified, the global +# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp. +#lmtp_tls_cert_file: /etc/ssl/certs/cyrus-lmtp.pem + +# File containing the private key belonging to the lmtp-specific server +# certificate. If not specified, the global private key is used. 
A value of +# "disabled" will disable SSL/TLS for lmtp. +#lmtp_tls_key_file: /etc/ssl/private/cyrus-lmtp.key + +# File containing the certificate used for sieve. If not specified, the global +# certificate is used. A value of "disabled" will disable SSL/TLS for sieve. +#sieve_tls_cert_file: /etc/ssl/certs/cyrus-sieve.pem + +# File containing the private key belonging to the sieve-specific server +# certificate. If not specified, the global private key is used. A value of +# "disabled" will disable SSL/TLS for sieve. +#sieve_tls_key_file: /etc/ssl/private/cyrus-sieve.key + +# File containing one or more Certificate Authority (CA) certificates. +#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem + +# Path to directory with certificates of CAs. +tls_ca_path: /etc/ssl/certs + +# The length of time (in minutes) that a TLS session will be cached for later +# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will +# disable session caching. +tls_session_timeout: 1440 + +# The list of SSL/TLS ciphers to allow, in decreasing order of precedence. +# The format of the string is described in ciphers(1). The Debian default +# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers +# from the list (because they provide no defense against man-in-the-middle +# attacks). It also orders the list so that stronger ciphers come first. +tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH + +# Require a client certificate for ALL services (imap, pop3, lmtp, sieve). +#tls_require_cert: false + +# Require a client certificate for imap ONLY. +#imap_tls_require_cert: false + +# Require a client certificate for pop3 ONLY. +#pop3_tls_require_cert: false + +# Require a client certificate for lmtp ONLY. +#lmtp_tls_require_cert: false + +# Require a client certificate for sieve ONLY. 
+#sieve_tls_require_cert: false + +# +# Cyrus Murder cluster configuration +# +# Set the following options to the values needed for this server to +# autenticate against the mupdate master server: +# mupdate_server +# mupdate_port +# mupdate_username +# mupdate_authname +# mupdate_realm +# mupdate_password +# mupdate_retry_delay + +## +## KEEP THESE IN SYNC WITH cyrus.conf +## +# Unix domain socket that lmtpd listens on. +lmtpsocket: /var/run/cyrus/socket/lmtp + +# Unix domain socket that idled listens on. +idlesocket: /var/run/cyrus/socket/idle + +# Unix domain socket that the new mail notification daemon listens on. +notifysocket: /var/run/cyrus/socket/notify + +# Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.) +syslog_prefix: cyrus + +## +## DEBUGGING +## +# Debugging hook. See /usr/share/doc/cyrus-common-2.4/README.Debian.debug +# Keep the hook disabled when it is not in use +# +# gdb Back-traces +#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 & +# +# system-call traces +#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 & +# +# library traces +#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 & From b843891fac3e69b331e5637db1973a4ddd2e261e Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 17:56:36 +0100 Subject: [PATCH 10/33] cyrus.init.pp: Fixed a typo. --- cyrus/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index 0163567..82d8452 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -62,7 +62,7 @@ class cyrus { mode => "0644", owner => "root", group => "root", - source => "puppet:///files/cyrus.conf" + source => "puppet:///files/cyrus/cyrus.conf", notify => Service["cyrus-imapd"], require => Package["cyrus-imapd-2.4"], } 
From 7d8041e8599ff993f7e435585bec5d0d07cdaf01 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 17:59:21 +0100 Subject: [PATCH 11/33] cyrus.init.pp: Reference under modules. --- cyrus/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index 82d8452..f7fba6f 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -62,7 +62,7 @@ class cyrus { mode => "0644", owner => "root", group => "root", - source => "puppet:///files/cyrus/cyrus.conf", + source => "puppet:///modules/cyrus/cyrus.conf", notify => Service["cyrus-imapd"], require => Package["cyrus-imapd-2.4"], } From 6a83350f630cf12a93ae2b25b5d460ad78a9db20 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 18:05:59 +0100 Subject: [PATCH 12/33] postfix.init.pp: Make sure the postfix user is in the mail group. --- postfix/manifests/init.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 54366d2..be8e5f3 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -76,6 +76,11 @@ class postfix { case $::operatingsystem { "debian","ubuntu": { package {"postgrey": ensure => installed,} + exec { "usermod-postfix": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G mail postfix", + unless => "id -n -G openldap | grep '\\bmail\\b'", + } } default: { fail("Postgrey module not yet supported in ${::operatingsystem}.") From 8856cd0f31deee752ae85c6e722344821e1b93a7 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 18:18:59 +0100 Subject: [PATCH 13/33] postfix.master.cf.erb: Enable lmtp to escape the chroot for lmtp UNIX socket access. --- postfix/templates/master.cf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/templates/master.cf.erb b/postfix/templates/master.cf.erb index 2d6c4f0..320ad14 100644 --- a/postfix/templates/master.cf.erb 
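Review bot: The `usermod-postfix` exec has no `require => Package["postfix"]`, so on a fresh host it can run before the postfix user exists and fail; the same ordering is missing from the `usermod-cyrus-ssl-cert` and `usermod-postfix-ssl-cert` execs in patches 25–27. It is also nested under the postgrey/Debian branch although mail-group membership for the postfix user is not a postgrey concern; I would move it beside `package { "postfix": ... }` with `require => Package["postfix"]`. Note too that Postfix daemons, if I recall correctly, drop supplementary groups at startup, so membership added this way may not grant the lmtp client anything — patches 30–31 later chown the socket directory to group postfix, which points the same way; worth confirming before keeping the exec.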
+++ b/postfix/templates/master.cf.erb @@ -50,7 +50,7 @@ retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - - - - lmtp +lmtp unix - - n - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # From 39eac24088eda6adc459ac3c13c403250c7f5f13 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 18:38:13 +0100 Subject: [PATCH 14/33] cyrus.imapd.conf.erb: SASL authd requires PLAIN to be used as mech. --- cyrus/templates/imapd.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyrus/templates/imapd.conf.erb b/cyrus/templates/imapd.conf.erb index 092709f..e8618f7 100644 --- a/cyrus/templates/imapd.conf.erb +++ b/cyrus/templates/imapd.conf.erb @@ -135,7 +135,7 @@ allowplaintext: yes # (you need to uncomment this if you are not using an auxprop-based SASL # mechanism. saslauthd users, that means you!). And pay attention to # sasl_minimum_layer and allowapop below, too. -#sasl_mech_list: PLAIN +sasl_mech_list: PLAIN LOGIN # Allow use of the POP3 APOP authentication command. # Note that this command requires that the plaintext passwords are From 7aa827178161b15d5ef48164131b06f35590354a Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 18:47:15 +0100 Subject: [PATCH 15/33] cyrus.imapd.conf.erb: Change the sasl password check mechanism to saslauthd. --- cyrus/templates/imapd.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyrus/templates/imapd.conf.erb b/cyrus/templates/imapd.conf.erb index e8618f7..d8decb1 100644 --- a/cyrus/templates/imapd.conf.erb +++ b/cyrus/templates/imapd.conf.erb 
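Review bot: Setting the chroot column to `n` for the `lmtp` client takes that delivery agent out of the Postfix chroot permanently, giving up the containment the rest of master.cf keeps, and nothing in the template records why. The series already uses a bind mount to make saslauthd visible inside the chroot; exposing `/var/run/cyrus/socket` under the queue directory the same way would keep lmtp chrooted. If the unchrooted lmtp stays, add a comment above the line, e.g. `# lmtp unchrooted: must reach /var/run/cyrus/socket/lmtp`, so the deviation from the packaged default is visibly intentional.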
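Review bot: `sasl_mech_list: PLAIN LOGIN` combined with the hunk's context line `allowplaintext: yes` means clear-text credentials are accepted on unencrypted IMAP/POP3 sessions, and saslauthd can only verify plaintext mechanisms, so these are the only ones on offer. Unless plaintext on the wire is intended for localhost-only clients, set `allowplaintext: no` so Cyrus offers PLAIN/LOGIN only after STARTTLS or implicit TLS, and state the decision in a comment above the line. The `sasl_minimum_layer` knob that the surrounding comment points to is the other setting to check together with this one.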
@@ -188,7 +188,7 @@ sasl_mech_list: PLAIN LOGIN # # Do note that, since sasl will be run as user cyrus, you may have a lot of # trouble to set this up right. -sasl_pwcheck_method: auxprop +sasl_pwcheck_method: saslauthd # What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop # by default, all plugins are tried (which is probably NOT what you want). From e8081b57fc7916ed0abcbc79d2c0e91b3f73c8f8 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Fri, 1 Mar 2013 19:03:57 +0100 Subject: [PATCH 16/33] cyrus: Added support for setting the cyrus admin users. --- cyrus/manifests/init.pp | 6 ++++++ cyrus/templates/imapd.conf.erb | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index f7fba6f..ac17729 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -6,6 +6,8 @@ # $cyrus_cert: # Path to SSL certificate. Defaults to puppet client certificate. # +# $cyrus_admins: +# List of users "user1 user2", which have admin rights on the IMAP server. class cyrus { case $::operatingsystem { @@ -25,6 +27,10 @@ class cyrus { $postfix_cert = "${puppet_ssldir}/certs/${homename}.pem" } + if !$cyrus_admins { + $cyrus_admins = "admin" + } + package { [ "cyrus-imapd-2.4", "cyrus-clients-2.4", diff --git a/cyrus/templates/imapd.conf.erb b/cyrus/templates/imapd.conf.erb index d8decb1..d7243ff 100644 --- a/cyrus/templates/imapd.conf.erb +++ b/cyrus/templates/imapd.conf.erb @@ -53,7 +53,7 @@ lmtp_downcase_rcpt: yes # Uncomment the following and add the space-separated users who # have admin rights for all services. -#admins: cyrus +admins: <%= cyrus_admins %> # Space-separated list of users that have lmtp "admin" status (i.e. that # can deliver email through TCP/IP lmtp). If specified, this parameter From 03cc2175899e4c524ad0735e7691508aefc112b4 Mon Sep 17 00:00:00 2001 
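Review bot: Switching `sasl_pwcheck_method` to `saslauthd` makes imapd depend on the saslauthd socket being reachable by the cyrus user, and nothing in the series grants that; on Debian-derived systems the socket directory is normally restricted to the `sasl` group, so `cyrus` likely needs membership there — verify on the target. The comment above the line about SASL running as user cyrus already hints at the problem; a note such as `# requires the cyrus user to be able to open the saslauthd socket` would keep the dependency visible next to the setting.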
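Review bot: Defaulting `$cyrus_admins` to `"admin"` when the variable is unset silently grants full IMAP admin rights to whatever backend account named `admin` saslauthd resolves, a guessable name now that saslauthd is the password check. Prefer `fail("cyrus_admins must be set")` or emitting no `admins:` line over a fabricated default, and guard the template line with `has_variable?` as the other templates in this series do. The context line `$postfix_cert = ...` inside class cyrus also reads like a copy-and-paste leftover, though that is outside this change.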
From: Lari Huttunen Date: Mon, 4 Mar 2013 13:53:00 +0100 Subject: [PATCH 17/33] postfix.init.pp: Changed mount options for the saslauthd bind mount. --- postfix/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index be8e5f3..8c6078a 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -149,7 +149,7 @@ class postfix { ensure => mounted, atboot => true, device => "/var/run/saslauthd", - options => "bind", + options => "bind, errors=continue", fstype => "bind", dump => "0", pass => "0", From b8dae490fd95a93d21edafec8aec275f8b9f56a1 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Mon, 4 Mar 2013 15:39:49 +0100 Subject: [PATCH 18/33] postfix.init.pp: Fixed a copy&paste error and added "noauto" to mount options, since otherwise the saslauthd mount will hang at boot time. --- postfix/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 8c6078a..b99f6da 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -79,7 +79,7 @@ class postfix { exec { "usermod-postfix": path => "/bin:/usr/bin:/sbin:/usr/sbin", command => "usermod -a -G mail postfix", - unless => "id -n -G openldap | grep '\\bmail\\b'", + unless => "id -n -G postfix | grep '\\bmail\\b'", } } default: { @@ -149,7 +149,7 @@ class postfix { ensure => mounted, atboot => true, device => "/var/run/saslauthd", - options => "bind, errors=continue", + options => "bind,noauto", fstype => "bind", dump => "0", pass => "0", From 66fde79617057450c57561392299050cc264d81e Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Mon, 4 Mar 2013 18:29:29 +0100 Subject: [PATCH 19/33] cyrus.init.pp: Fix broken Ubuntu packaging. --- cyrus/manifests/init.pp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index ac17729..a162d73 100644 
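Review bot: `options => "bind,noauto"` together with `atboot => true` and `ensure => mounted` writes an fstab entry that is never mounted at boot, so after a reboot smtpd inside the chroot cannot reach saslauthd until the next Puppet run and SASL authentication fails in the meantime. The usual Debian arrangement avoids the bind mount altogether: start saslauthd with `-m /var/spool/postfix/var/run/saslauthd` via OPTIONS in /etc/default/saslauthd and put postfix in the `sasl` group. If the bind mount stays, drop `atboot => true` so the manifest does not claim a boot-time mount it does not provide, and add a comment describing the boot hang the commit message mentions.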
--- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -83,4 +83,19 @@ class cyrus { require => Package["cyrus-imapd-2.4"], } + # Fix broken ubuntu packaging + file { "/run/cyrus/lock": + ensure => directory, + mode => "0750", + owner => "cyrus", + group => "mail", + } + + # Fix broken ubuntu packaging + file { "/run/cyrus/proc": + ensure => directory, + mode => "0750", + owner => "cyrus", + group => "mail", + } } \ No newline at end of file From c0a3a300a85093282718c4f684132e76d244fb1a Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Mon, 4 Mar 2013 19:33:36 +0100 Subject: [PATCH 20/33] hastymail.init.pp: Ensure that the necessary packages are installed, which are needed by hasty mail. --- hastymail/manifests/init.pp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hastymail/manifests/init.pp b/hastymail/manifests/init.pp index c567dfe..1426fb5 100644 --- a/hastymail/manifests/init.pp +++ b/hastymail/manifests/init.pp @@ -1,6 +1,21 @@ class hastymail { + case $::operatingsystem { + "ubuntu","debian": { + package { ["php5", "php5-cli", "php5-common", + "php5-imap", "php5-ldap", "php5-mcrypt"]: + ensure => installed, + } + } + "centos","redhat","fedora": { + + } + default: { + fail("cyrus not supported on ${::operatingsystem}") + } + } + if !$hastymail_package { if $hastymail_package_latest { $hastymail_package = $hastymail_package_latest From 145d04530bc50bde4f4f2395958572516f71bc3d Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 15:22:18 +0100 Subject: [PATCH 21/33] postfix.init.pp: Had forgotten the placement spec for the X.509 files. --- postfix/manifests/init.pp | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index b99f6da..d113c9b 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp 
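Review bot: The `file` resources for `/run/cyrus/lock` and `/run/cyrus/proc` carry no `require => Package["cyrus-imapd-2.4"]`, so on a fresh host they can be applied before the `cyrus` user and `/run/cyrus` exist and fail. `/run` is also a tmpfs on Ubuntu, so these directories disappear at every reboot and only return on the next Puppet run; a comment such as `# /run is tmpfs: recreated by Puppet after reboot, not by the package` would make that limitation explicit. The file also ends without a trailing newline, per the `\ No newline at end of file` marker.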
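Review bot: The `default` branch in class hastymail fails with `fail("cyrus not supported on ${::operatingsystem}")` — the message should name hastymail. The `"centos","redhat","fedora"` branch is empty, so on those systems the class proceeds without any PHP dependencies while appearing to be supported; either list the packages or let those systems fall through to `fail()` until the branch is implemented.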
@@ -71,6 +71,25 @@ class postfix { $postfix_interfaces = "localhost" } + file { "${ssl::certs}/postfix.crt": + ensure => present, + source => $postfix_cert, + mode => "0644", + owner => "root", + group => "root" + require => Package["postfix"], + notify => Service["postfix"], + } + + file { "${ssl::private}/postfix.key": + ensure => present, + source => $postfix_key, + mode => "0640", + owner => "root", + group => "root", + require => Package["postfix"], + notify => Service["postfix"], + } if $postgrey { case $::operatingsystem { From ce23d0334d87592703952f7fa57a20dcc6b03dc8 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 15:49:26 +0100 Subject: [PATCH 22/33] postfix.init.pp: Fixed syntax error. --- postfix/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index d113c9b..c09112a 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -76,7 +76,7 @@ class postfix { source => $postfix_cert, mode => "0644", owner => "root", - group => "root" + group => "root", require => Package["postfix"], notify => Service["postfix"], } From 69132d618c35d18ec5d9c5eddf14ddaa881f5edb Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 15:53:09 +0100 Subject: [PATCH 23/33] postfix.init.pp: Accidentally redefined the X.509 file resources. --- postfix/manifests/init.pp | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index c09112a..cdac1ca 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp 
@@ -117,23 +117,6 @@ class postfix { require => Package["postfix"], } - file { "${ssl::certs}/postfix.crt": - ensure => present, - source => $postfix_cert, - mode => "0644", - owner => "root", - group => "root", - notify => Service["postfix"], - } - file { "${ssl::private}/postfix.key": - ensure => present, - source => $postfix_key, - mode => "0600", - owner => "root", - group => "root", - notify => Service["postfix"], - } - file { "/etc/postfix/main.cf": ensure => present, mode => "0644", From 7ad4fb5826976530fc193174ba545b9e2f1017e0 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 16:23:37 +0100 Subject: [PATCH 24/33] postfix + cyrus: Fix key perms. --- cyrus/manifests/init.pp | 4 ++-- postfix/manifests/init.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index a162d73..46260c6 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -57,9 +57,9 @@ class cyrus { file { "${ssl::private}/cyrus.key": ensure => present, source => $cyrus_key, - mode => "0600", + mode => "0640", owner => "root", - group => "root", + group => "mail", notify => Service["cyrus-imapd"], } diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index cdac1ca..8dffa47 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -86,7 +86,7 @@ class postfix { source => $postfix_key, mode => "0640", owner => "root", - group => "root", + group => "postfix", require => Package["postfix"], notify => Service["postfix"], } From 1182b71d2b4fe0078ddcc080144ec74ec69af64f Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 16:30:42 +0100 Subject: [PATCH 25/33] postfix + cyrus: More permission fixes. --- cyrus/manifests/init.pp | 5 +++++ postfix/manifests/init.pp | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index 46260c6..9568daf 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp 
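Review bot: Making `cyrus.key` group-readable by `mail` (mode `0640`, `group => "mail"`) exposes the IMAP server's TLS private key to every member of that group, which on Debian includes other mail software and, after patch 12, the postfix user. The `postfix.key` hunk is tighter (group postfix), but patches 25–27 then add both users to `ssl-cert` — membership that has no effect on files whose group is `mail` or `postfix`, so the two halves of the fix do not match. Pick one model: `group => "ssl-cert"` on both keys with the users in that group, or per-service groups and no ssl-cert exec; and add a comment on each key resource naming the process that must read it.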
@@ -61,6 +61,11 @@ class cyrus { owner => "root", group => "mail", notify => Service["cyrus-imapd"], + exec { "usermod-cyrus-ssl-cert": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G ssl-cert cyrus", + unless => "id -n -G cyrus | grep '\\bssl-cert\\b'", + } } file { "/etc/cyrus.conf": diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 8dffa47..183c3b5 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -89,6 +89,11 @@ class postfix { group => "postfix", require => Package["postfix"], notify => Service["postfix"], + exec { "usermod-postfix-ssl-cert": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G ssl-cert postfix", + unless => "id -n -G postfix | grep '\\bssl-cert\\b'", + } } if $postgrey { From ce1732d5b7486b08ad0c86ea197f7e16f2dd7c1b Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 16:35:40 +0100 Subject: [PATCH 26/33] cyrus + postfix: Where to put the exec, that is the question. --- cyrus/manifests/init.pp | 11 ++++++----- postfix/manifests/init.pp | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index 9568daf..fe988ed 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -61,11 +61,12 @@ class cyrus { owner => "root", group => "mail", notify => Service["cyrus-imapd"], - exec { "usermod-cyrus-ssl-cert": - path => "/bin:/usr/bin:/sbin:/usr/sbin", - command => "usermod -a -G ssl-cert cyrus", - unless => "id -n -G cyrus | grep '\\bssl-cert\\b'", - } + } + + exec { "usermod-cyrus-ssl-cert": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G ssl-cert cyrus", + unless => "id -n -G cyrus | grep '\\bssl-cert\\b'", } file { "/etc/cyrus.conf": diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 183c3b5..82bbb59 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp 
@@ -89,11 +89,12 @@ class postfix { group => "postfix", require => Package["postfix"], notify => Service["postfix"], - exec { "usermod-postfix-ssl-cert": - path => "/bin:/usr/bin:/sbin:/usr/sbin", - command => "usermod -a -G ssl-cert postfix", - unless => "id -n -G postfix | grep '\\bssl-cert\\b'", - } + } + + exec { "usermod-postfix-ssl-cert": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G ssl-cert postfix", + unless => "id -n -G postfix | grep '\\bssl-cert\\b'", } if $postgrey { From 5f3e6c481c0f3366e4db7bbedbc6e3c1803770d6 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 16:39:19 +0100 Subject: [PATCH 27/33] cyrus + postfix: Notify the services if the user was modified. --- cyrus/manifests/init.pp | 1 + postfix/manifests/init.pp | 1 + 2 files changed, 2 insertions(+) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index fe988ed..567e791 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -67,6 +67,7 @@ class cyrus { path => "/bin:/usr/bin:/sbin:/usr/sbin", command => "usermod -a -G ssl-cert cyrus", unless => "id -n -G cyrus | grep '\\bssl-cert\\b'", + notify => Service["cyrus-imapd"], } file { "/etc/cyrus.conf": diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index 82bbb59..db5f709 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -95,6 +95,7 @@ class postfix { path => "/bin:/usr/bin:/sbin:/usr/sbin", command => "usermod -a -G ssl-cert postfix", unless => "id -n -G postfix | grep '\\bssl-cert\\b'", + notify => Service["postfix"], } if $postgrey { From b20d06b37f99e4fd8015abf9f54422803ef86593 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 17:03:29 +0100 Subject: [PATCH 28/33] postfix: Attempt a chain fix. --- postfix/manifests/init.pp | 15 +++++++++++++++ postfix/templates/main.cf.erb | 3 +++ 2 files changed, 18 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index db5f709..bd42e6c 100644 
--- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -32,6 +32,9 @@ # $postfix_cert: # Path to SSL certificate. Defaults to puppet client certificate. # +# $postfix_chain: +# Path to intermediary CA cert. +# # $postgrey: # Whether to run postgrey or not. # @@ -81,6 +84,18 @@ class postfix { notify => Service["postfix"], } + if $postfix_chain { + file { "${ssl::certs}/chain.crt": + ensure => present, + source => $postfix_chain, + mode => "0644", + owner => "root", + group => "root", + require => Package["postfix"], + notify => Service["postfix"], + } + } + file { "${ssl::private}/postfix.key": ensure => present, source => $postfix_key, diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb index 81ff2ea..99e7b23 100644 --- a/postfix/templates/main.cf.erb +++ b/postfix/templates/main.cf.erb @@ -731,6 +731,9 @@ smtpd_sasl_security_options = noanonymous # TLS # smtpd_use_tls=yes +<% if has_variable?("postfix_chain") -%> +smtpd_tls_CAfile = <%= postfix_chain %> +<% end -%> smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key smtpd_tls_received_header = yes From 940d74debc8fccd5ab108516a4978c5ea24efe89 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 17:09:00 +0100 Subject: [PATCH 29/33] postfix: Wrong value for the chain cert. --- postfix/manifests/init.pp | 2 +- postfix/templates/main.cf.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index bd42e6c..becd6df 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -85,7 +85,7 @@ class postfix { } if $postfix_chain { - file { "${ssl::certs}/chain.crt": + file { "${ssl::certs}/postfix-chain.crt": ensure => present, source => $postfix_chain, mode => "0644", diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb index 99e7b23..988ced7 100644 
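Review bot: `smtpd_tls_CAfile` is primarily the trust store for verifying remote client certificates; Postfix's documentation allows it to augment the server chain but recommends appending intermediates to the file named by `smtpd_tls_cert_file` instead. As written, the intermediate also becomes a trusted issuer for client certificates presented to smtpd, which is probably not intended. Consider building `postfix.crt` as leaf plus chain and dropping this line, or document in the `$postfix_chain` comment that the file is installed as a CA store, not just appended.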
--- a/postfix/templates/main.cf.erb +++ b/postfix/templates/main.cf.erb @@ -732,7 +732,7 @@ smtpd_sasl_security_options = noanonymous # smtpd_use_tls=yes <% if has_variable?("postfix_chain") -%> -smtpd_tls_CAfile = <%= postfix_chain %> +smtpd_tls_CAfile = <%= scope.lookupvar('ssl::certs') %>/postfix-chain.crt <% end -%> smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key From 289ccdc6649372eba9a4234e81539cb6f2fe1c41 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 18:29:27 +0100 Subject: [PATCH 30/33] cyrus: Even though postfix belongs to the mail group it cannot deliver unless the socket dir's group is postfix. Need to get the ubuntu package fixed. --- cyrus/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index 567e791..0810644 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp @@ -95,7 +95,7 @@ class cyrus { ensure => directory, mode => "0750", owner => "cyrus", - group => "mail", + group => "postfix", } # Fix broken ubuntu packaging From 43679193298c95ac6c7abd7a541574f636c8953f Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 18:33:40 +0100 Subject: [PATCH 31/33] cyrus: Changed the lmtp socket to group postfix, which is an ugly kludge. --- cyrus/manifests/init.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/cyrus/manifests/init.pp b/cyrus/manifests/init.pp index 0810644..62fcb3c 100644 --- a/cyrus/manifests/init.pp +++ b/cyrus/manifests/init.pp 
@@ -90,12 +90,19 @@ class cyrus { require => Package["cyrus-imapd-2.4"], } + file { "/run/cyrus/socket": + ensure => directory, + mode => "0750", + owner => "cyrus", + group => "postfix", + } + # Fix broken ubuntu packaging file { "/run/cyrus/lock": ensure => directory, mode => "0750", owner => "cyrus", - group => "postfix", + group => "mail", } # Fix broken ubuntu packaging From 3e43a6c2e1cc9c0b2f847f9db124c6ec8cdbff58 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 19:43:41 +0100 Subject: [PATCH 32/33] postfix: /etc/postfix/sasl/smtpd.conf needs to define the authentication method. --- postfix/manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp index becd6df..e0dab96 100644 --- a/postfix/manifests/init.pp +++ b/postfix/manifests/init.pp @@ -178,6 +178,15 @@ class postfix { dump => "0", pass => "0", } + file { "/etc/postfix/sasl/smtpd.conf": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/postfix/smtpd.conf", + notify => Service["postfix"], + } + } file { "/etc/postfix/master.cf": From 75a7bda8f6d2e16c12e873aa10a13b44a2360616 Mon Sep 17 00:00:00 2001 From: Lari Huttunen Date: Tue, 5 Mar 2013 19:44:04 +0100 Subject: [PATCH 33/33] postfix: The actual smtpf.conf file. --- postfix/files/smtpd.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 postfix/files/smtpd.conf diff --git a/postfix/files/smtpd.conf b/postfix/files/smtpd.conf new file mode 100644 index 0000000..d82ed6e --- /dev/null +++ b/postfix/files/smtpd.conf @@ -0,0 +1 @@ +pwcheck_method: saslauthd
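Review bot: `/etc/postfix/sasl/smtpd.conf` has no `require => Package["postfix"]` although the other `/etc/postfix/*` files in this class carry it, so on first run the parent directory may not exist yet. The resource sits inside an enclosing block that closes with the following `}` and whose start is outside the hunk (presumably the submission branch), which is right only if SASL is never wanted without submission — a comment stating that would help. Patch 33's one-line `smtpd.conf` sets only `pwcheck_method: saslauthd`; Postfix's SASL README also documents `mech_list: plain login` there, which, if I recall correctly, keeps smtpd from advertising mechanisms saslauthd cannot verify — worth confirming on the target.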