authorCullum Smith <cullum@sacredheartsc.com>2024-10-03 08:37:38 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-10-03 08:37:38 -0400
commit47f90d0916ac34ef132e3bb6da92a4a67dffbba8 (patch)
tree764a6aee2dea7a69096eba27c4264776f8190380 /scripts
parentee583b5929925b2e9658385430da4f73b4883287 (diff)
add postfix/rspamd
Diffstat (limited to 'scripts')
-rw-r--r--scripts/common/10-vars7
-rw-r--r--scripts/hostclass/idm_server/10-slapd10
-rw-r--r--scripts/hostclass/smtp_server/10-rspamd103
-rw-r--r--scripts/hostclass/smtp_server/20-postfix87
4 files changed, 201 insertions, 6 deletions
diff --git a/scripts/common/10-vars b/scripts/common/10-vars
index 3b01cd2..6ea7cad 100644
--- a/scripts/common/10-vars
+++ b/scripts/common/10-vars
@@ -20,8 +20,9 @@ ldap_uri=$(printf "ldap://%s.${domain}/ " $idm_hostnames)
ldaps_uri=$(printf "ldaps://%s.${domain}/ " $idm_hostnames)
ldap_hosts=$(printf "%s.${domain} " $idm_hostnames)
accounts_basedn="ou=accounts,${basedn}"
-people_basedn="ou=people,${accounts_basedn}"
-robots_basedn="ou=robots,${accounts_basedn}"
+users_basedn="ou=users,${accounts_basedn}"
+people_basedn="ou=people,${users_basedn}"
+robots_basedn="ou=robots,${users_basedn}"
hosts_basedn="ou=hosts,${accounts_basedn}"
services_basedn="ou=services,${accounts_basedn}"
groups_basedn="ou=groups,${accounts_basedn}"
@@ -31,7 +32,5 @@ automount_basedn="ou=automount,${basedn}"
sudo_basedn="ou=sudo,${basedn}"
dns_basedn="ou=dns,${basedn}"
kdc_basedn="cn=kdc,${basedn}"
-mail_basedn="ou=mail,${basedn}"
-mail_domains_basedn="ou=domains,${mail_basedn}"
boxconf_dn="krbPrincipalName=${boxconf_username}@${realm},${robots_basedn}"
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index 83cdbb6..d108ae2 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -120,13 +120,19 @@ objectClass: organizationalUnit
ou: $(ldap_rdn_value "$accounts_basedn")
EOF
- # ou=people,ou=accounts,dc=example,dc=com
+ # ou=users,ou=accounts,dc=example,dc=com
+ ldap_add "$users_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$users_basedn")
+EOF
+
+ # ou=people,ou=users,ou=accounts,dc=example,dc=com
ldap_add "$people_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$people_basedn")
EOF
- # ou=robots,ou=accounts,dc=example,dc=com
+ # ou=robots,ou=users,ou=accounts,dc=example,dc=com
ldap_add "$robots_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$robots_basedn")
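Review bot: `ldap_add "$users_basedn"` creates the new `ou=users` container, but nothing in this hunk relocates entries that already live under the old `ou=people,ou=accounts` and `ou=robots,ou=accounts` locations; on a host provisioned before this commit the existing people and robot entries (including the `boxconf_dn` that common/10-vars now builds from the new `robots_basedn`) would still sit at the old DN while every script looks under the new one. Whether that matters depends on whether this script is expected to re-run on already-provisioned servers, which the hunk does not show. A comment above the `ou=users` block such as `# NOTE: entries created under the old ou=people/ou=robots layout are not moved; relocate them by hand when upgrading` would at least make the migration requirement explicit, or a one-off modrdn step could be added here. The surrounding block of 10-slapd starts and ends outside the hunk.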
diff --git a/scripts/hostclass/smtp_server/10-rspamd b/scripts/hostclass/smtp_server/10-rspamd
new file mode 100644
index 0000000..d104e9c
--- /dev/null
+++ b/scripts/hostclass/smtp_server/10-rspamd
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+: ${rspamd_processes:="$nproc"}
+: ${rspamd_dkim_selector:='dkim'}
+: ${rspamd_domain_whitelist:=''}
+: ${rspamd_port:='11334'}
+: ${rspamd_redis_maxmemory:='1g'}
+: ${postfix_virtual_domains:="$email_domain"}
+
+postfix_user=postfix
+postfix_home_dir=/var/spool/postfix
+
+redis_user=redis
+redis_data_dir=/var/db/redis
+rspamd_user=rspamd
+rspamd_conf_dir=/usr/local/etc/rspamd
+rspamd_milter_sock="${postfix_home_dir}/rspamd.sock"
+rspamd_data_dir=/var/db/rspamd
+rspamd_redis_sock=/var/run/redis/rspamd.sock
+rspamd_bayes_redis_sock=/var/run/redis/rspamd-bayes.sock
+rspamd_redis_data_dir="${redis_data_dir}/rspamd"
+rspamd_bayes_redis_data_dir="${redis_data_dir}/rspamd-bayes"
+rspamd_tls_cert=/usr/local/etc/nginx/rspamd.crt
+rspamd_tls_key=/usr/local/etc/nginx/rspamd.key
+
+pkg install -y \
+ postfix \
+ redis \
+ rspamd \
+ nginx
+
+# Create ZFS dataset for Redis DBs.
+create_dataset -o "mountpoint=${redis_data_dir}" "${state_dataset}/redis"
+
+# Generate config files for redis instances.
+install_template -m 0644 \
+ /usr/local/etc/redis-rspamd.conf \
+ /usr/local/etc/redis-rspamd-bayes.conf
+
+# Create data directories for each redis instance.
+install_directory -o "$redis_user" -m 0700 \
+ "$rspamd_redis_data_dir" \
+ "$rspamd_bayes_redis_data_dir"
+
+# Enable and start redis instances.
+sysrc -v \
+ redis_enable=YES \
+ redis_profiles='rspamd rspamd-bayes'
+service redis restart
+
+# Copy rspamd config files.
+install_directory -m 0755 \
+ "${rspamd_conf_dir}/local.d" \
+ "${rspamd_conf_dir}/local.d/maps.d"
+
+install_directory -m 0750 -g "$rspamd_user" "${rspamd_data_dir}/dkim"
+
+install_file -m 0640 -g "$rspamd_user" \
+ "${rspamd_conf_dir}/local.d/logging.inc" \
+ "${rspamd_conf_dir}/local.d/multimap.conf" \
+ "${rspamd_conf_dir}/local.d/phishing.conf" \
+ "${rspamd_conf_dir}/local.d/replies.conf" \
+ "${rspamd_conf_dir}/local.d/worker-normal.inc"
+
+rspamd_ro_password_hash=$(rspamadm pw -p "$rspamd_ro_password")
+rspamd_rw_password_hash=$(rspamadm pw -p "$rspamd_rw_password")
+
+install_template -m 0640 -g "$rspamd_user" \
+ "${rspamd_conf_dir}/local.d/classifier-bayes.conf" \
+ "${rspamd_conf_dir}/local.d/dkim_signing.conf" \
+ "${rspamd_conf_dir}/local.d/redis.conf" \
+ "${rspamd_conf_dir}/local.d/worker-controller.inc" \
+ "${rspamd_conf_dir}/local.d/worker-proxy.inc"
+
+printf '%s\n' ${rspamd_domain_whitelist} | tee "${rspamd_conf_dir}/local.d/maps.d/domain-whitelist.map"
+
+# Copy DKIM keys.
+for domain in $postfix_virtual_domains; do
+ install_file -m 0640 -g "$rspamd_user" "${rspamd_data_dir}/dkim/${domain}.key"
+done
+
+# Add rspamd user to redis group, so it can write to the redis unix socket.
+pw groupmod "$redis_user" -m "$rspamd_user"
+
+# Generate nginx configuration.
+install_template -m 0644 \
+ /usr/local/etc/nginx/nginx.conf \
+ /usr/local/etc/nginx/acme.conf \
+ /usr/local/etc/nginx/vhosts.conf
+
+# Copy TLS certificate for nginx.
+install_certificate nginx "$rspamd_tls_cert"
+install_certificate_key nginx "$rspamd_tls_key"
+
+# Enable and start rspamd and nginx.
+sysrc -v \
+ rspamd_enable=YES \
+ nginx_enable=YES
+
+# The rspamd rc script seems to hold onto open descriptors, which causes
+# the parent boxconf SSH process to never close.
+service rspamd restart > /dev/null 2>&1 < /dev/null
+service nginx restart
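Review bot: The loop `for domain in $postfix_virtual_domains; do` reuses the name `domain`, which common/10-vars treats as the site domain in `ldap_uri=$(printf "ldap://%s.${domain}/ " $idm_hostnames)`; if these hostclass scripts are sourced into the same shell that sourced 10-vars (the unprefixed helpers and `$state_dataset` suggest they are), the global is left pointing at the last virtual domain for anything that runs afterwards. A distinct loop variable, `for virtual_domain in $postfix_virtual_domains; do` with `"${rspamd_data_dir}/dkim/${virtual_domain}.key"`, avoids the clobber. The `rspamadm pw -p "$rspamd_ro_password"` and `-p "$rspamd_rw_password"` calls put the rspamd passwords on the command line, where they are briefly readable from the process table by any local user, and they hash an empty string if the variable was never set; a guard such as `: "${rspamd_ro_password:?}"` and `: "${rspamd_rw_password:?}"` before those lines catches the missing-value case. The whitelist map written through `printf '%s\n' ${rspamd_domain_whitelist} | tee …` is the only rspamd config file here whose owner and mode are left to the umask rather than set explicitly like the surrounding `install_file`/`install_template` calls.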
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
new file mode 100644
index 0000000..6f891da
--- /dev/null
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+: ${postfix_public_fqdn:="$fqdn"}
+: ${postfix_cipherlist:='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'}
+: ${postfix_myorigin:="$email_domain"}
+: ${postfix_mynetworks:=''}
+: ${postfix_recipient_delimiter:='+'}
+: ${postfix_message_size_limit:='67108864'} # 64 MB
+: ${postfix_virtual_domains:="$email_domain"}
+: ${postfix_lmtp_port:='24'}
+: ${postfix_quota_port:='10993'}
+
+: ${imap_host='imap'}
+: ${lmtp_port='25'}
+: ${quota_status_port='10993'}
+
+postfix_conf_dir=/usr/local/etc/postfix
+postfix_user=postfix
+postfix_keytab="${keytab_dir}/postfix.keytab"
+postfix_public_tls_cert="${acme_cert_dir}/postfix.crt"
+postfix_public_tls_key="${acme_cert_dir}/postfix.key"
+postfix_local_tls_cert="${postfix_conf_dir}/postfix.crt"
+postfix_local_tls_key="${postfix_conf_dir}/postfix.key"
+postfix_dhparams="${postfix_conf_dir}/dhparams.pem"
+
+# Install packages.
+pkg install -y \
+ postfix \
+ cyrus-sasl-saslauthd
+
+# Create SMTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "smtp/${fqdn}"
+
+ktadd -k "$postfix_keytab" "smtp/${fqdn}"
+chgrp "$postfix_user" "$postfix_keytab"
+chmod 640 "$postfix_keytab"
+
+postfix_uid=$(id -u "$postfix_user")
+install_directory -o "$postfix_user" -m 0700 "/var/krb5/user/${postfix_uid}"
+ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/keytab"
+ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/client.keytab"
+
+# Generate postfix configuration.
+install_template -m 0644 \
+ "${postfix_conf_dir}/main.cf" \
+ "${postfix_conf_dir}/virtual_mailboxes.cf" \
+ "${postfix_conf_dir}/virtual_aliases.cf" \
+ /usr/local/lib/sasl2/smtpd.conf
+install_file -m 0644 "${postfix_conf_dir}/master.cf"
+
+# Allow postfix to read the saslauthd socket.
+install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_runtime_dir"
+
+# Copy internal TLS certificate.
+install_certificate -m 0644 -o root -g "$postfix_user" postfix "$postfix_local_tls_cert"
+install_certificate_key -m 0640 -o root -g "$postfix_user" postfix "$postfix_local_tls_key"
+
+# Generate dhparams.
+[ -f "$postfix_dhparams" ] || openssl dhparam -out "$postfix_dhparams" 2048
+
+if [ "$postfix_public_fqdn" != "$fqdn" ]; then
+ # Acquire public TLS certificate.
+ install_file /usr/local/etc/sudoers.d/acme
+ get_acme_certificate \
+ -c "$postfix_public_tls_cert" \
+ -k "$postfix_public_tls_key" \
+ -g "$postfix_user" \
+ -r 'sudo service postfix reload' \
+ "$postfix_public_fqdn"
+fi
+
+# Enable and start postfix and saslauthd.
+sysrc -v \
+ saslauthd_flags='-a kerberos5' \
+ saslauthd_enable=YES \
+ postfix_enable=YES
+
+service saslauthd restart
+service postfix restart
+
+# Use postfix as the system MTA.
+install_directory -m 0755 /usr/local/etc/mail
+install_file -m 0644 /usr/local/etc/mail/mailer.conf
+
+# Configure local aliases.
+install_template -m 0644 /etc/aliases
+newaliases
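Review bot: `[ -f "$postfix_dhparams" ] || openssl dhparam -out "$postfix_dhparams" 2048` is not safe against interruption: dhparam generation takes a long time, and if the run is killed part-way the truncated file satisfies the `-f` test on every later run, leaving postfix with unusable DH parameters. Generate into a temporary name and rename on success, `[ -f "$postfix_dhparams" ] || { openssl dhparam -out "${postfix_dhparams}.tmp" 2048 && mv -f "${postfix_dhparams}.tmp" "$postfix_dhparams"; }`. The three defaults `: ${imap_host='imap'}`, `: ${lmtp_port='25'}` and `: ${quota_status_port='10993'}` use `=` where every other default in the file uses `:=`, so a set-but-empty value is kept instead of replaced; if that is unintended they should read `: ${imap_host:='imap'}` and so on, and the `'25'` default next to `postfix_lmtp_port:='24'` looks worth a second glance. `install_file /usr/local/etc/sudoers.d/acme` is the one file in this script installed without an explicit `-m`; sudo ignores a sudoers drop-in that is group- or world-writable, so `-m 0440` would state the requirement rather than rely on the helper's default.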