From c13c419a784cf10234310ad9d7de2e4c8754b6c9 Mon Sep 17 00:00:00 2001
From: Alexander Kratzsch
Date: Sat, 16 Nov 2019 21:16:48 +0100
Subject: [PATCH] Add mailserver module
---
 modules/mailmx.py | 27 +++++
 modules/mailmx/manifests/init.pp | 109 ++++++++++++++++++
 modules/mailmx/metadata.json | 14 +++
 .../mailmx/templates/dovecot/dovecot.conf.erb | 41 +++++++
 .../mailmx/templates/dovecot/dovecot.pam.erb | 10 ++
 .../templates/postfix/dynamicmaps.cf.erb | 12 ++
 .../postfix/ldap-lists-stage1.cf.erb | 27 +++++
 .../postfix/ldap-lists-stage2.cf.erb | 18 +++
 .../templates/postfix/ldap-people.cf.erb | 13 +++
 modules/mailmx/templates/postfix/main.cf.erb | 48 ++++++++
 .../templates/postfix/pfix-no-srs.cf.erb | 10 ++
 .../mailmx/templates/postfix/transport.erb | 6 +
 12 files changed, 335 insertions(+)
 create mode 100644 modules/mailmx.py
 create mode 100644 modules/mailmx/manifests/init.pp
 create mode 100644 modules/mailmx/metadata.json
 create mode 100644 modules/mailmx/templates/dovecot/dovecot.conf.erb
 create mode 100644 modules/mailmx/templates/dovecot/dovecot.pam.erb
 create mode 100644 modules/mailmx/templates/postfix/dynamicmaps.cf.erb
 create mode 100644 modules/mailmx/templates/postfix/ldap-lists-stage1.cf.erb
 create mode 100644 modules/mailmx/templates/postfix/ldap-lists-stage2.cf.erb
 create mode 100644 modules/mailmx/templates/postfix/ldap-people.cf.erb
 create mode 100644 modules/mailmx/templates/postfix/main.cf.erb
 create mode 100644 modules/mailmx/templates/postfix/pfix-no-srs.cf.erb
 create mode 100644 modules/mailmx/templates/postfix/transport.erb
diff --git a/modules/mailmx.py b/modules/mailmx.py
new file mode 100644
index 00000000..7793da7a
--- /dev/null
+++ b/modules/mailmx.py
@@ -0,0 +1,27 @@
+# Copyright 2019 dhtech
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file
+
+
+def generate(host, *args):
+
+ info = {}
+ info['ldap_uri'] = 'ldaps://ldap3.tech.dreamhack.se',
+ info['postfix_destinations'] = [
+ 'localhost',
+ 'mail.tech.dreamhack.se',
+ 'tech.dreamhack.se',
+ 'lists.tech.dreamhack.se',
+ 'event.dreamhack.se',
+ ]
+ info['postfix_networks'] = [
+ '127.0.0.0/8',
+ '[::ffff:127.0.0.0]/104',
+ '[::1]/128',
+ '77.80.228.128/25',
+ '77.80.231.0/24',
+ ]
+ return {'mailmx': info}
+
+# vim: ts=4: sts=4: sw=4: expandtab
diff --git a/modules/mailmx/manifests/init.pp b/modules/mailmx/manifests/init.pp
new file mode 100644
index 00000000..e9c75ddd
--- /dev/null
+++ b/modules/mailmx/manifests/init.pp
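Review bot: `info['ldap_uri'] = 'ldaps://ldap3.tech.dreamhack.se',` ends in a trailing comma, so `ldap_uri` is the one-element tuple `('ldaps://ldap3.tech.dreamhack.se',)` rather than a string; when the Postfix LDAP table templates interpolate it (their `server_host` line is outside the visible part of this patch) it will presumably render as a bracketed list literal and every LDAP map will fail to connect. Drop the comma: `info['ldap_uri'] = 'ldaps://ldap3.tech.dreamhack.se'`. The two list values are fine as lists because `main.cf.erb` joins them. `postfix_networks` also carries two public prefixes that `main.cf` hands straight to `mynetworks`, so any host in 77.80.228.128/25 or 77.80.231.0/24 may relay through this MX without authentication; a comment such as `# Public event ranges trusted to relay unauthenticated (mynetworks); keep in sync with the edge ACLs` would record that this is deliberate.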
@@ -0,0 +1,109 @@
+# Copyright 2019 dhtech
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file
+#
+# == Class: mailmx
+#
+# This module manages the rancid server which fetches and saves configuration
+# in the core and dist service.
+#
+# === Parameters
+#
+# [*postfix_networks*]
+# Decides how postfix will be used.
+# [*postfix_destinations*]
+# Decides how postfix will be used.
+#
+
+class mailmx($ldap_uri, $postfix_networks, $postfix_destinations) {
+
+ #
+ # Postfix
+ #
+ package { ['postfix', 'postfix-ldap', 'postfix-sqlite']:
+ ensure => installed,
+ }
+
+ file { '/etc/postfix/main.cf':
+ ensure => file,
+ content => template('mailmx/postfix/main.cf.erb'),
+ notify => Service['postfix'],
+ require => Package['postfix'],
+ }
+
+ file { '/etc/postfix/dynamicmaps.cf':
+ ensure => file,
+ content => template('mailmx/postfix/dynamicmaps.cf.erb'),
+ }
+
+ file { '/etc/postfix/ldap-lists-stage1.cf':
+ ensure => file,
+ content => template('mailmx/postfix/ldap-lists-stage1.cf.erb'),
+ }
+
+ file { '/etc/postfix/ldap-lists-stage2.cf':
+ ensure => file,
+ content => template('mailmx/postfix/ldap-lists-stage2.cf.erb'),
+ }
+
+ file { '/etc/postfix/ldap-people.cf':
+ ensure => file,
+ content => template('mailmx/postfix/ldap-people.cf.erb'),
+ }
+
+ file { '/etc/postfix/pfix-no-srs.cf':
+ ensure => file,
+ content => template('mailmx/postfix/pfix-no-srs.cf.erb'),
+ notify => Exec['postmap-pfix-no-srs'],
+ }
+
+ exec { 'postmap-pfix-no-srs':
+ refreshonly => true,
+ command => '/usr/sbin/postmap /etc/postfix/pfix-no-srs.cf',
+ }
+
+ file { '/etc/postfix/transport':
+ ensure => file,
+ content => template('mailmx/postfix/transport.erb'),
+ notify => Exec['postmap-transport'],
+ }
+
+ exec { 'postmap-transport':
+ refreshonly => true,
+ command => '/usr/sbin/postmap /etc/postfix/transport',
+ }
+
+ service { 'postfix':
+ ensure => 'running',
+ name => 'postfix',
+ enable => true,
+ require => Package['postfix'],
+ }
+
+ #
+ # Dovecot
+ #
+ package { ['dovecot-core', 'dovecot-imapd']:
+ ensure => installed,
+ }
+
+ file { '/etc/dovecot/dovecot.conf':
+ ensure => file,
+ content => template('mailmx/dovecot/dovecot.conf.erb'),
+ notify => Service['dovecot'],
+ }
+
+ file { '/etc/pam.d/dovecot':
+ ensure => file,
+ content => template('mailmx/dovecot/dovecot.pam.erb'),
+ }
+
+ service { 'dovecot':
+ ensure => 'running',
+ name => 'dovecot',
+ enable => true,
+ require => Package['dovecot-core'],
+ }
+
+}
diff --git a/modules/mailmx/metadata.json b/modules/mailmx/metadata.json
new file mode 100644
index 00000000..d5993133
--- /dev/null
+++ b/modules/mailmx/metadata.json
@@ -0,0 +1,14 @@
+{
+ "name": "dhtech-mailmx",
+ "version": "0.1.0",
+ "author": "dhtech",
+ "summary": "This module manages a mailserver (SMTP and IMAP)",
+ "license": "Apache 2.0",
+ "source": "",
+ "project_page": null,
+ "issues_url": null,
+ "dependencies": [
+ {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"}
+ ]
+}
+
diff --git a/modules/mailmx/templates/dovecot/dovecot.conf.erb b/modules/mailmx/templates/dovecot/dovecot.conf.erb
new file mode 100644
index 00000000..292df866
--- /dev/null
+++ b/modules/mailmx/templates/dovecot/dovecot.conf.erb
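Review bot: The class header still says `# This module manages the rancid server which fetches and saves configuration in the core and dist service.` (copied from another module), the parameter block describes `postfix_networks` and `postfix_destinations` with the same vague "Decides how postfix will be used", and `$ldap_uri` is not documented at all; replace the header with `# This module manages a mail exchanger: Postfix (SMTP, LDAP-backed aliases, SRS canonical maps) and Dovecot (IMAP authenticating via PAM).` and give each of the three parameters its own line stating what it feeds (the LDAP URI the Postfix LDAP tables connect to, the networks that become `mynetworks` and may relay without authentication, the domains that become `mydestination`). Only `main.cf` and the two services declare `require => Package[...]`; the `dynamicmaps.cf`, `ldap-*.cf`, `pfix-no-srs.cf`, `transport` and `/etc/pam.d/dovecot` file resources and both `postmap` execs do not, so on a fresh host Puppet can try to write into `/etc/postfix` or run `/usr/sbin/postmap` before the package has been installed — add `require => Package['postfix']` (or `Package['dovecot-core']`) to each, and `notify => Service['postfix']` on the three LDAP table files so the daemons reopen them after a change. The LDAP table files are left at the default mode; the visible lines of `ldap-people.cf.erb` show no `bind_dn`/`bind_pw`, so that is acceptable today, but a comment like `# anonymous bind only — if credentials are ever added, set owner root, group postfix, mode 0640` next to the `ldap-people.cf` resource would make the assumption explicit.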
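Review bot: `"license": "Apache 2.0"` contradicts the headers of the files in this same patch, which say use is governed by a BSD-style license in the repository's LICENSE file; set the field to the SPDX identifier of whatever LICENSE actually holds (e.g. `"license": "BSD-3-Clause"`) so anyone consuming the module metadata is not told the wrong terms. The `puppetlabs/stdlib` dependency is declared, but nothing in `init.pp` as added here calls a stdlib function (only `template()`), so either drop the dependency or note in the manifest what relies on it. `"source": ""` is accepted but unhelpful; pointing it at the repository URL costs one line.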
@@ -0,0 +1,41 @@
+# AUTOGENERATED BY PUPPET
+# All manual changes will be overwritten
+
+# generated with `dovecot -n` to show settings that differ
+# from defaults
+
+# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
+# Pigeonhole version 0.4.16 (fed8554)
+# OS: Linux 4.9.0-7-686-pae i686 Debian 9.7 ext4
+listen = *, [::]
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+
+mail_location = mbox:/var/mbox/%u:INBOX=/var/mail/%u
+mail_privileged_group = mail
+
+passdb {
+ driver = pam
+}
+
+protocols = imap
+
+protocol pop3 {
+ pop3_uidl_format = %08Xu%08Xv
+}
+
+service auth {
+ user = root
+}
+
+service imap-login {
+ inet_listener imap {
+ port = 0
+ }
+}
+
+ssl_cert = 
+tls_ca_cert_file = /etc/ssl/dhtech-ca.crt
+tls_require_cert = yes
+version = 3
+search_base = ou=people,dc=tech,dc=dreamhack,dc=se
+
+query_filter = uid=%s
+result_attribute = gosaMailForwardingAddress
diff --git a/modules/mailmx/templates/postfix/main.cf.erb b/modules/mailmx/templates/postfix/main.cf.erb
new file mode 100644
index 00000000..828da08e
--- /dev/null
+++ b/modules/mailmx/templates/postfix/main.cf.erb
@@ -0,0 +1,48 @@
+# AUTOGENERATED BY PUPPET
+# All manual changes will be overwritten
+
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/server.crt
+smtpd_tls_key_file=/etc/ssl/private/server.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = <%= @fqdn %>
+alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-people.cf, ldap:/etc/postfix/ldap-lists-stage1.cf, ldap:/etc/postfix/ldap-lists-stage2.cf
+
+virtual_mailbox_domains =
+virtual_alias_maps = ldap:/etc/postfix/ldap-people.cf, ldap:/etc/postfix/ldap-lists-stage1.cf
+
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = <%= @postfix_destinations.join(', ') %>
+relayhost =
+mynetworks = <%= @postfix_networks.join(' ') %>
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# SRS for SPF forwarding
+recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
+recipient_canonical_classes = envelope_recipient
+sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
+sender_canonical_classes = envelope_sender
+
+transport_maps = hash:/etc/postfix/transport
diff --git a/modules/mailmx/templates/postfix/pfix-no-srs.cf.erb b/modules/mailmx/templates/postfix/pfix-no-srs.cf.erb
new file mode 100644
index 00000000..68fe22e4
--- /dev/null
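Review bot: Outbound TLS is never switched on: the hunk sets `smtp_tls_session_cache_database` but no `smtp_tls_security_level`, and the comment above `smtpd_relay_restrictions` explicitly leaves "enabling SSL in the smtp client" for later, so everything this MX relays or forwards (including the LDAP `gosaMailForwardingAddress` forwards) leaves in cleartext; add `smtp_tls_security_level = may` and `smtp_tls_CApath = /etc/ssl/certs`, and replace the obsolete `smtpd_use_tls=yes` with `smtpd_tls_security_level = may` (the old form is still honoured, but the new one is what every TLS_README example and `postconf` warning refers to). Because `smtpd_relay_restrictions` begins with `permit_mynetworks` and `mynetworks` is filled from `postfix_networks`, which includes the public prefixes 77.80.228.128/25 and 77.80.231.0/24, every host in those ranges is an unauthenticated relay client of this server — that may well be intended for an event network, but a comment on the `mynetworks` line saying so would stop a later reader from "tightening" or "widening" it blindly. `alias_maps` pulls from three LDAP tables, and aliases(5) entries resolved through `alias_maps` are expanded by local(8), which interprets `|command`, `/file` and `:include:` targets; the `gosaMailForwardingAddress` attribute and whatever the stage1/stage2 maps return (their templates are not visible here) are editable by whoever can write the directory, so confirm those attributes can only hold addresses or restrict the LDAP lookups to `virtual_alias_maps`, where such targets are not interpreted.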
+++ b/modules/mailmx/templates/postfix/pfix-no-srs.cf.erb
@@ -0,0 +1,10 @@
+# AUTOGENERATED BY PUPPET
+# All manual changes will be overwritten
+
+root@tech.dreamhack.se root@tech.dreamhack.se
+abuse@tech.dreamhack.se abuse@tech.dreamhack.se
+noc@tech.dreamhack.se noc@tech.dreamhack.se
+
+root@mail.tech.dreamhack.se root@mail.tech.dreamhack.se
+abuse@mail.tech.dreamhack.se abuse@mail.tech.dreamhack.se
+noc@mail.tech.dreamhack.se noc@mail.tech.dreamhack.se
diff --git a/modules/mailmx/templates/postfix/transport.erb b/modules/mailmx/templates/postfix/transport.erb
new file mode 100644
index 00000000..58f1a446
--- /dev/null
+++ b/modules/mailmx/templates/postfix/transport.erb
@@ -0,0 +1,6 @@
+# AUTOGENERATED BY PUPPET
+# All manual changes will be overwritten
+
+lists.tech.dreamhack.se listmgmr:dummy
+.lists.tech.dreamhack.se listmgmr:dummy
+* :
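Review bot: `lists.tech.dreamhack.se listmgmr:dummy` and the `.lists.tech.dreamhack.se` subdomain line route all list mail to a `listmgmr` transport, but nothing in this patch manages `/etc/postfix/master.cf`, so unless that service already exists on the host Postfix will defer every list message with "mail transport unavailable"; either have `init.pp` manage the `listmgmr` entry in master.cf, or add a comment here such as `# listmgmr is a pipe transport defined in master.cf, managed outside this module` so the external dependency is visible. The name `listmgmr` (rather than the more common `listmgr`) appears twice; if it is a typo it only surfaces at delivery time, so it is worth checking against master.cf before merging. The final `* :` line selects the default transport for every other domain, which is what Postfix does anyway when no entry matches, so it can be dropped or commented as intentional.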