From 90ae486805896af8dc9ed1423a25b47dfd3cf1fa Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 29 Dec 2021 23:26:51 +0100
Subject: [PATCH 1/9] postfix: initial bundle
---
 bundles/postfix/files/main.cf | 11 +++++++++++
 bundles/postfix/items.py | 25 +++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 bundles/postfix/files/main.cf
 create mode 100644 bundles/postfix/items.py
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
new file mode 100644
index 0000000..7c944aa
--- /dev/null
+++ b/bundles/postfix/files/main.cf
@@ -0,0 +1,11 @@
+smtpd_banner = $myhostname ESMTP
+
+disable_vrfy_command = yes
+
+smtp_use_tls = yes
+smtp_tls_CApath = /etc/pki/tls/certs
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtp_tls_security_level = may
+smtp_tls_mandatory_ciphers = high
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
new file mode 100644
index 0000000..ee26d26
--- /dev/null
+++ b/bundles/postfix/items.py
@@ -0,0 +1,25 @@
+pkg_apt = {
+ 'postfix': {},
+}
+
+svc_systemd = {
+ 'postfix': {
+ 'needs': ['pkg_apt:postfix', 'file:/etc/postfix/main.cf'],
+ }
+}
+
+files = {
+ '/etc/postfix/main.cf': {
+ 'content_type': 'mako',
+ 'needs': ['pkg_apt:postfix'],
+ 'triggers': ['svc_systemd:postfix:restart'],
+ },
+}
+
+directories = {
+ '/etc/postfix': {
+ 'owner': 'root',
+ 'mode': '1755',
+ 'needs': ['pkg_apt:postfix'],
+ },
+}
From e03fedc7ec5516c316c7367fd1d01ae574254861 Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 29 Dec 2021 23:27:02 +0100
Subject: [PATCH 2/9] qzwi: add postfix bundle
---
 nodes/qzwi.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index 722318b..e99ce46 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -6,6 +6,7 @@ bundles = [
 "nginx",
 "nextcloud",
 "openldap",
+"postfix",
 "php",
 "postgresql",
 "redis",
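Review bot: `smtp_tls_mandatory_ciphers = high` on the last line of main.cf has no effect in this configuration, because with `smtp_tls_security_level = may` Postfix applies the opportunistic-TLS parameters (`smtp_tls_ciphers`, `smtp_tls_protocols`) and consults the `*_mandatory_*` ones only at `encrypt` and stricter levels; if the aim is to drop weak ciphers for opportunistic delivery, add `smtp_tls_ciphers = high` next to it. `smtp_use_tls = yes` is the pre-2.3 switch that `smtp_tls_security_level` superseded and can be removed. The file sets no `inet_interfaces`, `mynetworks` or `smtpd_tls_*` parameter, so Postfix's compiled-in defaults apply (listening on all interfaces, no TLS on the receiving side); if this host only submits local notification mail, `inet_interfaces = loopback-only` is the narrower choice. A one-line comment at the top stating which delivery role this main.cf is written for would make those omissions visibly deliberate.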
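Review bot: `'mode': '1755'` on the `/etc/postfix` directory item sets the sticky bit, which on a root-owned directory nobody else can write to achieves nothing and reads like a typo for `'0755'`; if the sticky bit is intentional, a short comment saying why would spare the next reader the same question. The `file` item for `main.cf` relies on bundlewrap's default owner and mode, which is fine while the template carries no credentials; anything like a SASL password map should become its own item with an explicit `'mode': '0600'`. Since the file is rendered with `content_type: 'mako'`, the `$myhostname` in the template survives only because mako expressions require `${...}`, which is worth a comment in the template so nobody "fixes" it into a mako lookup.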
From 9385b71fbb18abdf05cf4774a64b6f08b63d1dcf Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 29 Dec 2021 23:33:49 +0100
Subject: [PATCH 3/9] postfix: add smtpd_relay_restrictions parameter
---
 bundles/postfix/files/main.cf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index 7c944aa..e0a3952 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -1,6 +1,7 @@
 smtpd_banner = $myhostname ESMTP
 disable_vrfy_command = yes
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
 smtp_use_tls = yes
 smtp_tls_CApath = /etc/pki/tls/certs
From 9fa03363d2bd8538ad0399605f80c5edf2f6df7b Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 29 Dec 2021 23:36:48 +0100
Subject: [PATCH 4/9] postfix: adjust tls_CA* options to Debian
---
 bundles/postfix/files/main.cf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index e0a3952..70904cb 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -4,8 +4,8 @@ disable_vrfy_command = yes
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
 smtp_use_tls = yes
-smtp_tls_CApath = /etc/pki/tls/certs
-smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtp_tls_security_level = may
From 1266e86e754f3db4fa10b5348e81b8e85dee6252 Mon Sep 17 00:00:00 2001
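Review bot: The added `smtpd_relay_restrictions` line is identical to Postfix's built-in default since 2.10, so on current Debian packages it changes nothing; if the intent is to pin the relay policy explicitly, a comment such as `# explicit copy of the Postfix >= 2.10 default (pre-2.10 relied on smtpd_recipient_restrictions)` says so. `permit_sasl_authenticated` is inert while `smtpd_sasl_auth_enable` keeps its default of `no`, and this main.cf defines no `smtpd_tls_security_level`, certificate or key, so if SASL is switched on later, logins would be accepted over cleartext unless `smtpd_tls_auth_only = yes` and a server certificate arrive in the same change. A comment next to the line recording that coupling keeps the two from being enabled independently.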
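Review bot: `smtp_tls_CApath = /etc/ssl/certs` is only usable if the directory is reachable after the smtp client chroots, and Debian's stock master.cf runs `smtp` chrooted, so the hashed directory would have to be mirrored into the queue directory's chroot; `smtp_tls_CAfile` is loaded before the chroot and `ca-certificates.crt` already contains the whole bundle, so the CAfile line alone suffices and the CApath line can be dropped or annotated `# only honoured outside the chroot`. With `smtp_tls_security_level = may` these CA settings never cause a delivery to fail; they only decide whether a session is logged as Trusted or Untrusted, which deserves one comment so nobody reads this block as peer verification.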
From: Rico Ullmann
Date: Sun, 2 Jan 2022 23:10:21 +0100
Subject: [PATCH 5/9] openldap: add initial schema for qzwiperson
this scheme extends the schema by adding the externalmail attribute. it can be adjusted in future
---
 data/openldap/files/qzwiperson.schema | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 data/openldap/files/qzwiperson.schema
diff --git a/data/openldap/files/qzwiperson.schema b/data/openldap/files/qzwiperson.schema
new file mode 100644
index 0000000..26d45ba
--- /dev/null
+++ b/data/openldap/files/qzwiperson.schema
@@ -0,0 +1,21 @@
+attributetype ( 1.3.6.1.4.1.0.1
+ NAME 'externalMail'
+ DESC 'external mail address for communication outside the org'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
+ SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.4.1.0.2
+ NAME 'qzwiperson'
+ DESC 'own object schema to add custom values'
+ SUP top
+ AUXILIARY
+ MUST (cn $ sn $ uid $ externalMail)
+ MAY
+ ( displayName $ givenName $ homePhone $ homePostalAddress $
+ mail $ mobile $ o $ photo $ userCertificate $
+ x500uniqueIdentifier $ preferredLanguage $
+ userSMIMECertificate $ userPKCS12 $ userPassword $
+ telephoneNumber $ description ) )
+
From e7cfcb7b2db5c2f8e3ad1326fc3eeeb094bf3640 Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Sun, 2 Jan 2022 23:10:41 +0100
Subject: [PATCH 6/9] qzwi: use qzwiperson schema with openldap bundle
---
 nodes/qzwi.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index e99ce46..fc56ae9 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -53,6 +53,7 @@ backup = [
 ]
 schemas = [
 "openssh-lpk_openldap",
+ "qzwiperson",
 ]
 [metadata.openldap.access."ou=Users,dc=qzwi,dc=de"]
From b40e2b21e1542a6a01288f0d0b290fc0a6e11294 Mon Sep 17 00:00:00 2001
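Review bot: The OIDs `1.3.6.1.4.1.0.1` and `1.3.6.1.4.1.0.2` sit under IANA private enterprise number 0, which the registry lists as reserved rather than assigned to anyone, so they can collide with any other schema that takes the same shortcut; a private enterprise number of your own (free to request from IANA) or an arc the project actually controls avoids that, and a header comment should name the arc and who allocates beneath it. `MUST (cn $ sn $ uid $ externalMail)` on an AUXILIARY class makes `externalMail` mandatory on every entry that receives the class, including any service or application accounts that get it, which is fine if deliberate but should be stated in `DESC` or a comment. The `{128}` length bound on `externalMail` is a hint that OpenLDAP does not enforce, so a comment should say whether the frontend is expected to validate it.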
From: Rico Ullmann
Date: Mon, 3 Jan 2022 11:30:36 +0100
Subject: [PATCH 7/9] qzwi: adjust search queries for ldap-frontend
---
 nodes/qzwi.toml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index fc56ae9..a580fc1 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -56,6 +56,12 @@ schemas = [
 "qzwiperson",
 ]
+[metadata.ldap-frontend.template]
+"group_admin" = "(&(objectclass=qzwiperson)(uid={})(memberOf=ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de))"
+"group_members" = "(&(objectclass=qzwiperson)(memberOf=ou={},ou=Groups,dc=qzwi,dc=de))"
+"group_nonmembers" = "(&(objectclass=qzwiperson)(!(memberOf=ou={},ou=Groups,dc=qzwi,dc=de)))"
+"user_search" = "(&(objectclass=qzwiperson)(uid={}))"
+
 [metadata.openldap.access."ou=Users,dc=qzwi,dc=de"]
 manage = [
 "uid=ldap-frontend,ou=Applications,dc=qzwi,dc=de",
From b442d54746d60d0cee7ef9f15a3ec64a13bb696a Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Mon, 3 Jan 2022 13:44:59 +0100
Subject: [PATCH 8/9] postfix: install postfix apt package via metadata default rather than via items.py
---
 bundles/postfix/items.py | 4 ----
 bundles/postfix/metadata.py | 7 +++++++
 2 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 bundles/postfix/metadata.py
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index ee26d26..6277212 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -1,7 +1,3 @@
-pkg_apt = {
- 'postfix': {},
- }
-
 svc_systemd = {
 'postfix': {
 'needs': ['pkg_apt:postfix', 'file:/etc/postfix/main.cf'],
diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py
new file mode 100644
index 0000000..266fcb1
--- /dev/null
+++ b/bundles/postfix/metadata.py
@@ -0,0 +1,7 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'postfix': {},
+ },
+ },
+}
\ No newline at end of file
From d67869aaf62790129304ff4aa65e444bb9397853 Mon Sep 17 00:00:00 2001
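Review bot: Each template places the `{}` placeholder directly inside an LDAP filter (`uid={}`, `memberOf=ou={},...`), so both correctness and safety depend on ldap-frontend escaping the substituted value per RFC 4515 (`*`, `(`, `)`, `\` and NUL) before formatting; that behaviour lives outside this diff, so a comment above the table such as `# values substituted for {} must be RFC 4515-escaped by ldap-frontend` records the assumption before a frontend upgrade silently breaks it. The `group_admin`, `group_members` and `group_nonmembers` filters also presume the `memberOf` overlay is loaded and that groups live as `ou=<name>,ou=Groups,dc=qzwi,dc=de`; neither is visible here, so naming the overlay dependency in the same comment would help the next person who debugs an empty result.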
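Review bot: The new `metadata.py` ends without a trailing newline (the `\ No newline at end of file` marker), which will surface as a spurious diff the next time its last line is touched. More importantly for the companion `items.py` hunk in this commit, the `svc_systemd`, `file` and `directory` items keep `'needs': ['pkg_apt:postfix']` while that item is no longer defined in this bundle; it presumably now comes from whichever bundle turns `metadata['apt']['packages']` into `pkg_apt` items, so a comment in items.py such as `# pkg_apt:postfix is generated by the apt bundle from this bundle's metadata defaults` documents the cross-bundle dependency and makes a node that lacks that bundle fail for an understandable reason.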
From: Rico Ullmann
Date: Mon, 3 Jan 2022 13:47:07 +0100
Subject: [PATCH 9/9] postfix: update set formatting in items.py
---
 bundles/postfix/items.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index 6277212..db856d0 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -1,6 +1,9 @@
 svc_systemd = {
 'postfix': {
- 'needs': ['pkg_apt:postfix', 'file:/etc/postfix/main.cf'],
+ 'needs': [
+ 'pkg_apt:postfix',
+ 'file:/etc/postfix/main.cf',
+ ],
 }
 }
@@ -8,7 +11,9 @@ files = {
 '/etc/postfix/main.cf': {
 'content_type': 'mako',
 'needs': ['pkg_apt:postfix'],
- 'triggers': ['svc_systemd:postfix:restart'],
+ 'triggers': [
+ 'svc_systemd:postfix:restart',
+ ],
 },
 }
@@ -16,6 +21,8 @@ directories = {
 '/etc/postfix': {
 'owner': 'root',
 'mode': '1755',
- 'needs': ['pkg_apt:postfix'],
+ 'needs': [
+ 'pkg_apt:postfix',
+ ],
 },
 }