From 1e088983f6a80b6fd47543d0b4989e9ddb3234d5 Mon Sep 17 00:00:00 2001 
From: Cullum Smith Date: Fri, 4 Oct 2024 21:59:59 -0400 Subject: add imap stuff --- files/etc/cron.d/acme.common | 2 + files/etc/pf.conf.freebsd | 6 +- .../etc/dovecot/conf.d/10-auth.conf.imap_server | 7 + .../etc/dovecot/conf.d/10-mail.conf.imap_server | 23 ++ .../etc/dovecot/conf.d/10-master.conf.imap_server | 32 +++ .../etc/dovecot/conf.d/10-ssl.conf.imap_server | 8 + .../etc/dovecot/conf.d/15-lda.conf.imap_server | 8 + .../dovecot/conf.d/15-mailboxes.conf.imap_server | 31 +++ .../etc/dovecot/conf.d/20-imap.conf.imap_server | 3 + .../etc/dovecot/conf.d/20-lmtp.conf.imap_server | 3 + .../dovecot/conf.d/20-managesieve.conf.imap_server | 11 + .../etc/dovecot/conf.d/90-fts.conf.imap_server | 6 + .../etc/dovecot/conf.d/90-quota.conf.imap_server | 32 +++ .../conf.d/90-sieve-extprograms.conf.imap_server | 3 + .../etc/dovecot/conf.d/90-sieve.conf.imap_server | 28 +++ .../dovecot/conf.d/auth-ldap.conf.ext.imap_server | 8 + .../dovecot-ldap-passdb.conf.ext.imap_server | 11 + .../dovecot-ldap-userdb.conf.ext.imap_server | 17 ++ .../usr/local/etc/dovecot/dovecot.conf.imap_server | 5 + .../local/etc/dovecot/report-ham.sieve.imap_server | 15 ++ .../etc/dovecot/report-spam.sieve.imap_server | 7 + .../sieve-before.d/10-rspamd.sieve.imap_server | 5 + files/usr/local/etc/nginx/nginx.conf.common | 2 +- .../local/etc/poudriere.d/make.conf.pkg_repository | 1 - .../local/etc/poudriere.d/pkglist.pkg_repository | 4 +- files/usr/local/etc/rc.d/solr.imap_server | 76 ++++++ files/usr/local/etc/rc.d/tika.imap_server | 55 ++++ files/usr/local/etc/solr/log4j2.xml.imap_server | 17 ++ .../usr/local/etc/solr/solrconfig.xml.imap_server | 280 +++++++++++++++++++++ files/usr/local/etc/sudoers.d/acme.smtp_server | 1 + files/usr/local/etc/tika/config.xml.imap_server | 21 ++ files/usr/local/etc/tika/log4j2.xml.imap_server | 17 ++ .../libexec/dovecot/quota-warning.sh.imap_server | 20 ++ .../dovecot/sieve-pipe/report-ham.sh.imap_server | 7 + .../dovecot/sieve-pipe/report-spam.sh.imap_server | 7 + 
.../db/solr/dovecot/conf/schema.xml.imap_server | 48 ++++ .../solr/dovecot/conf/solrconfig.xml.imap_server | 91 +++++++ files/var/db/solr/solr.xml.imap_server | 76 ++++++ scripts/hostclass/imap_server/10-solr | 78 ++++++ scripts/hostclass/imap_server/20-tika | 38 +++ scripts/hostclass/imap_server/30-dovecot | 108 ++++++++ scripts/hostclass/smtp_server/20-postfix | 6 +- scripts/os/freebsd/60-acme | 75 ++++++ vars/common | 2 + vars/hostclass/imap_server | 3 + vars/hostclass/smtp_server | 2 +- vars/hostname/imap1 | 3 + vars/os/freebsd | 5 - 48 files changed, 1297 insertions(+), 17 deletions(-) create mode 100644 files/etc/cron.d/acme.common create mode 100644 files/usr/local/etc/dovecot/conf.d/10-auth.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/10-mail.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/10-master.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/10-ssl.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/15-lda.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/15-mailboxes.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/20-imap.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/20-lmtp.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/20-managesieve.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/90-fts.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/90-quota.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/90-sieve-extprograms.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/90-sieve.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/conf.d/auth-ldap.conf.ext.imap_server create mode 100644 files/usr/local/etc/dovecot/dovecot-ldap-passdb.conf.ext.imap_server create mode 100644 files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server create mode 100644 
files/usr/local/etc/dovecot/dovecot.conf.imap_server create mode 100644 files/usr/local/etc/dovecot/report-ham.sieve.imap_server create mode 100644 files/usr/local/etc/dovecot/report-spam.sieve.imap_server create mode 100644 files/usr/local/etc/dovecot/sieve-before.d/10-rspamd.sieve.imap_server create mode 100644 files/usr/local/etc/rc.d/solr.imap_server create mode 100644 files/usr/local/etc/rc.d/tika.imap_server create mode 100644 files/usr/local/etc/solr/log4j2.xml.imap_server create mode 100644 files/usr/local/etc/solr/solrconfig.xml.imap_server create mode 100644 files/usr/local/etc/sudoers.d/acme.smtp_server create mode 100644 files/usr/local/etc/tika/config.xml.imap_server create mode 100644 files/usr/local/etc/tika/log4j2.xml.imap_server create mode 100644 files/usr/local/libexec/dovecot/quota-warning.sh.imap_server create mode 100644 files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server create mode 100644 files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server create mode 100644 files/var/db/solr/dovecot/conf/schema.xml.imap_server create mode 100644 files/var/db/solr/dovecot/conf/solrconfig.xml.imap_server create mode 100644 files/var/db/solr/solr.xml.imap_server create mode 100644 scripts/hostclass/imap_server/10-solr create mode 100644 scripts/hostclass/imap_server/20-tika create mode 100644 scripts/hostclass/imap_server/30-dovecot create mode 100644 scripts/os/freebsd/60-acme create mode 100644 vars/hostclass/imap_server create mode 100644 vars/hostname/imap1 diff --git a/files/etc/cron.d/acme.common b/files/etc/cron.d/acme.common new file mode 100644 index 0000000..05bf064 --- /dev/null +++ b/files/etc/cron.d/acme.common @@ -0,0 +1,2 @@ +MAILTO=root +00 15 * * * ${acme_user} lockf -t 0 /tmp/acme-cron.lock acme.sh --cron --home ${acme_home} --syslog 6 > /dev/null diff --git a/files/etc/pf.conf.freebsd b/files/etc/pf.conf.freebsd index e01f49d..881fcea 100644 --- a/files/etc/pf.conf.freebsd +++ b/files/etc/pf.conf.freebsd 
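Review bot: The cron entry takes its lock on `/tmp/acme-cron.lock`, a predictable name in a world-writable directory; a local user who creates that file first owns it, and `lockf` running as `${acme_user}` will then most likely fail to open it and skip every renewal, with stdout already discarded to /dev/null. Keep the lock in a directory only the acme user writes, e.g. `00 15 * * * ${acme_user} lockf -t 0 ${acme_home}/acme-cron.lock acme.sh --cron --home ${acme_home} --syslog 6 > /dev/null`. Since `--syslog 6` is then the only channel for failures, a one-line comment above the entry saying that renewal errors surface only in syslog would help whoever debugs an expired certificate.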
@@ -5,8 +5,12 @@ $(if [ -n "${pf_egress_interfaces:-}" ]; then fi) allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }" allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }" + +$([ "${acme_standalone:-}" = true ] && cat < + + + + + + %maxLen{%-5p %c %m%notEmpty{ =>%ex{short}}}{10240}%n + + + + + + + + + + diff --git a/files/usr/local/etc/solr/solrconfig.xml.imap_server b/files/usr/local/etc/solr/solrconfig.xml.imap_server new file mode 100644 index 0000000..f7a9d7b --- /dev/null +++ b/files/usr/local/etc/solr/solrconfig.xml.imap_server @@ -0,0 +1,280 @@ + + + 9.3.0 + + ${solr.data.dir:} + + + + ${solr.lock.type:native} + + + + + ${solr.ulog.dir:} + ${solr.ulog.numVersionBuckets:65536} + + + ${solr.autoCommit.maxTime:15000} + false + + + ${solr.autoSoftCommit.maxTime:-1} + + + + + ${solr.max.booleanClauses:1024} + + + + + + + + true + + 20 + + 200 + + + + + + + + + + + false + + + + + + + + + + + + + explicit + 10 + hdr + + + + + + explicit + json + true + + + + + + _text_ + + + + + + text_general + + + default + _text_ + solr.DirectSolrSpellChecker + internal + 0.5 + 2 + 1 + 5 + 4 + 0.01 + + + + + + default + on + true + 10 + 5 + 5 + true + true + 10 + 5 + + + spellcheck + + + + + + + + true + false + + + terms + + + + + + + + 100 + + + + + + 70 + 0.5 + [-\w ,/\n\"']{20,200} + + + + + + ]]> + ]]> + + + + + + + + + + + + + + + + + ,, + ,, + ,, + ,, + ,]]> + ]]> + + + + + + 10 + .,!? + + + + + + WORD + en + US + + + + + + + + + [^\w-\.] + _ + + + + + + + yyyy-MM-dd['T'[HH:mm[:ss[.SSS]][z + yyyy-MM-dd['T'[HH:mm[:ss[,SSS]][z + yyyy-MM-dd HH:mm[:ss[.SSS]][z + yyyy-MM-dd HH:mm[:ss[,SSS]][z + [EEE, ]dd MMM yyyy HH:mm[:ss] z + EEEE, dd-MMM-yy HH:mm:ss z + EEE MMM ppd HH:mm:ss [z ]yyyy + + + + + java.lang.String + text_general + + *_str + 256 + + true + + + java.lang.Boolean + booleans + + + java.util.Date + pdates + + + java.lang.Long + java.lang.Integer + plongs + + + java.lang.Number + pdoubles + + + + + + + + + + + text/plain; charset=UTF-8 + + 
diff --git a/files/usr/local/etc/sudoers.d/acme.smtp_server b/files/usr/local/etc/sudoers.d/acme.smtp_server new file mode 100644 index 0000000..5180fdc --- /dev/null +++ b/files/usr/local/etc/sudoers.d/acme.smtp_server @@ -0,0 +1 @@ +acme ALL=(root) NOPASSWD: /usr/sbin/service postfix reload diff --git a/files/usr/local/etc/tika/config.xml.imap_server b/files/usr/local/etc/tika/config.xml.imap_server new file mode 100644 index 0000000..22fe638 --- /dev/null +++ b/files/usr/local/etc/tika/config.xml.imap_server @@ -0,0 +1,21 @@ + + + + /usr/local/bin/java + false + + -Xmx${tika_heap_size} + -XX:+UseG1GC + -XX:+PerfDisableSharedMem + -XX:+ParallelRefProcEnabled + -XX:MaxGCPauseMillis=250 + -XX:+AlwaysPreTouch + -Dlog4j.configurationFile=${tika_conf_dir}/log4j2.xml + + + tika + status + + + + diff --git a/files/usr/local/etc/tika/log4j2.xml.imap_server b/files/usr/local/etc/tika/log4j2.xml.imap_server new file mode 100644 index 0000000..cabde07 --- /dev/null +++ b/files/usr/local/etc/tika/log4j2.xml.imap_server @@ -0,0 +1,17 @@ + + + + + + + %maxLen{%-5p %c %m%notEmpty{ =>%ex{short}}}{10240}%n + + + + + + + + + + diff --git a/files/usr/local/libexec/dovecot/quota-warning.sh.imap_server b/files/usr/local/libexec/dovecot/quota-warning.sh.imap_server new file mode 100644 index 0000000..96419f5 --- /dev/null +++ b/files/usr/local/libexec/dovecot/quota-warning.sh.imap_server @@ -0,0 +1,20 @@ +#!/bin/sh + +set -eu -o pipefail + +PERCENT=$1 +USER=$2 +FROM=$3 + +cat << EOF | /usr/libexec/dovecot/dovecot-lda -d "$USER" -o "plugin/quota=count:User quota:noenforcing" +From: ${FROM} +Subject: Mailbox quota warning + +This is an automatically generated message. + +Your mailbox is now ${PERCENT}% full. + +When your mailbox exceeds its quota, you will no longer receive new mail. + +Please delete some messages to free up space. +EOF 
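Review bot: `quota-warning.sh` consumes `$1 $2 $3` positionally with no statement of who supplies them; a header such as `# Invoked by dovecot's quota_warning hook: $1 = percent used, $2 = recipient user, $3 = From address` would make the contract checkable against 90-quota.conf, whose rendered content is not legible in this patch. `set -o pipefail` under `#!/bin/sh` only works where the base sh supports that option (recent FreeBSD releases do, older ones abort on the unknown option), so either document the minimum release or drop it — the pipeline's only producer is the `cat` heredoc, which cannot usefully fail. `USER=$2` also reassigns the login-name variable that is typically exported, so the `dovecot-lda` child sees `USER` set to the recipient; a name like `RCPT_USER=$2` avoids that ambiguity.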
diff --git a/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server b/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server new file mode 100644 index 0000000..e09674a --- /dev/null +++ b/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server @@ -0,0 +1,7 @@ +#!/bin/sh + +exec /usr/local/bin/rspamc \\ + --connect="${rspamd_host}.${domain}" \\ + --password="${rspamd_rw_password}" \\ + --key="${rspamd_pubkey}" \\ + learn_ham diff --git a/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server b/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server new file mode 100644 index 0000000..825113f --- /dev/null +++ b/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server @@ -0,0 +1,7 @@ +#!/bin/sh + +exec /usr/local/bin/rspamc \\ + --connect="${rspamd_host}.${domain}" \\ + --password="${rspamd_rw_password}" \\ + --key="${rspamd_pubkey}" \\ + learn_spam diff --git a/files/var/db/solr/dovecot/conf/schema.xml.imap_server b/files/var/db/solr/dovecot/conf/schema.xml.imap_server new file mode 100644 index 0000000..601a290 --- /dev/null +++ b/files/var/db/solr/dovecot/conf/schema.xml.imap_server @@ -0,0 +1,48 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + id + diff --git a/files/var/db/solr/dovecot/conf/solrconfig.xml.imap_server b/files/var/db/solr/dovecot/conf/solrconfig.xml.imap_server new file mode 100644 index 0000000..918a755 --- /dev/null +++ b/files/var/db/solr/dovecot/conf/solrconfig.xml.imap_server @@ -0,0 +1,91 @@ + + + + 9.3.0 + + + + + + + + + + + + + + ${solr.data.dir:} + + + + + ${solr.ulog.dir:} + ${solr.ulog.numVersionBuckets:65536} + + + + ${solr.autoCommit.maxTime:15000} + false + + + + ${solr.autoSoftCommit.maxTime:-1} + + + + + + + + + + + + + + true + + 20 + + 200 + + false + + + + + + + + + + explicit + 10 + + + + + + _text_ + + + + + 
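Review bot: Both `report-ham.sh` and `report-spam.sh` (the second hunk on this line) put `rspamd_rw_password` on the `rspamc` command line, so the secret is visible in the process list for the lifetime of each invocation; the 0550 root:dovecot install mode chosen in 30-dovecot protects the file on disk but not argv. The `see_other_uids=0` setting in vars/os/freebsd (presumably applied as the security.bsd sysctl) limits who can observe it, but that dependency is implicit — add `# NOTE: password is passed on argv; relies on see_other_uids=0 to hide it from other local users` above the `exec`, or switch to a file- or environment-based credential if the installed rspamc offers one (confirm against its man page rather than assuming). The two scripts differ only in the final verb, so one template taking `learn_ham`/`learn_spam` as its argument would halve the duplicated secret handling.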
diff --git a/files/var/db/solr/solr.xml.imap_server b/files/var/db/solr/solr.xml.imap_server new file mode 100644 index 0000000..1778390 --- /dev/null +++ b/files/var/db/solr/solr.xml.imap_server @@ -0,0 +1,76 @@ + + + + + + + + ${solr.max.booleanClauses:1024} + ${solr.sharedLib:} + ${solr.modules:} + ${solr.allowPaths:} + ${solr.allowUrls:} + + + + ${host:} + ${solr.port.advertise:0} + ${hostContext:solr} + + ${genericCoreNodeNames:true} + + ${zkClientTimeout:30000} + ${distribUpdateSoTimeout:600000} + ${distribUpdateConnTimeout:60000} + ${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider} + ${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider} + ${zkCredentialsInjector:org.apache.solr.common.cloud.DefaultZkCredentialsInjector} + ${distributedClusterStateUpdates:false} + ${distributedCollectionConfigSetExecution:false} + ${minStateByteLenForCompression:-1} + ${stateCompressor:org.apache.solr.common.util.ZLibCompressor} + + + + + ${socketTimeout:600000} + ${connTimeout:60000} + + + + + + + + + diff --git a/scripts/hostclass/imap_server/10-solr b/scripts/hostclass/imap_server/10-solr new file mode 100644 index 0000000..252a8c3 --- /dev/null +++ b/scripts/hostclass/imap_server/10-solr 
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+: ${solr_version:='9.7.0'}
+
+solr_uid=161
+solr_user=solr
+solr_data_dir=/var/db/solr
+solr_conf_dir=/usr/local/etc/solr
+solr_install_dir=/usr/local/solr
+solr_heap_size=2g
+solr_softcommit_ms=60000
+solr_url="https://dlcdn.apache.org/solr/solr/${solr_version}/solr-${solr_version}-slim.tgz"
+solr_port=8983
+
+# Install dependencies.
+pkg install -y \
+ curl \
+ openjdk21 \
+ bash
+
+# Add local solr user.
+add_user \
+ -u "$solr_uid" \
+ -c 'Apache Solr' \
+ -d "$solr_data_dir" \
+ -s /usr/sbin/nologin \
+ "$solr_user"
+
+# Create ZFS dataset for solr DB.
+create_dataset -o "mountpoint=${solr_data_dir}" "${state_dataset}/solr"
+
+# Set ownership on solr DB dir.
+install_directory -m 0770 -o "$solr_user" -g "$solr_user" "$solr_data_dir"
+
+# Create solr install/config directories.
+install_directory -m 0755 \
+ "$solr_install_dir" \
+ "$solr_conf_dir"
+
+# Download and extract the solr tarball.
+curl -fL "$solr_url" | tar xf - -C "$solr_install_dir" --strip-components 1
+
+# Copy solr rc script.
+install_file -m 0555 /usr/local/etc/rc.d/solr
+
+# Copy solr config files.
+install_file -m 0644 \
+ "${solr_conf_dir}/solrconfig.xml" \
+ "${solr_conf_dir}/log4j2.xml"
+
+# Copy the default solr config from the distribution.
+install -v -m 0644 -o "$solr_user" -g "$solr_user" \
+ "${solr_install_dir}/server/solr/solr.xml" \
+ "${solr_data_dir}/solr.xml"
+
+# Enable and start solr.
+sysrc -v \
+ solr_enable=YES \
+ solr_heap_size="$solr_heap_size"
+
+# Start solr.
+service solr restart
+
+# Create solr collection for dovecot.
+if ! [ -d "${solr_data_dir}/dovecot" ]; then
+ log "waiting a few seconds for solr to finish starting up"
+ sleep 3
+ JAVA_TOOL_OPTIONS='-Xmx64m' su -m "$solr_user" -c "${solr_install_dir}/bin/solr create --name dovecot --solr-url http://127.0.0.1:${solr_port}"
+fi
+
+# Copy solr configs for dovecot.
+install_file -m 0644 -o "$solr_user" -g "$solr_user" \
+ "${solr_data_dir}/dovecot/conf/schema.xml" \
+ "${solr_data_dir}/dovecot/conf/solrconfig.xml"
+rm -f "${solr_data_dir}/dovecot/conf/managed-schema.xml"
+
+# Restart solr.
+service solr restart
diff --git a/scripts/hostclass/imap_server/20-tika b/scripts/hostclass/imap_server/20-tika
new file mode 100644
index 0000000..3b4aa47
--- /dev/null
+++ b/scripts/hostclass/imap_server/20-tika
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+: ${tika_version:='2.9.2'}
+: ${tika_uid:='787'}
+
+tika_user=tika
+tika_conf_dir=/usr/local/etc/tika
+tika_install_dir=/usr/local/tika
+tika_heap_size=2g
+tika_port=9998
+tika_url="https://dlcdn.apache.org/tika/${tika_version}/tika-server-standard-${tika_version}.jar"
+
+# Add local tika user.
+add_user \
+ -u "$tika_uid" \
+ -c 'Apache Tika' \
+ -d /nonexistent \
+ -s /usr/sbin/nologin \
+ "$tika_user"
+
+# Create tika install/config directories.
+install_directory -m 0755 \
+ "$tika_install_dir" \
+ "$tika_conf_dir"
+
+# Download tika jar file.
+curl -fL -o "${tika_install_dir}/tika.jar" "$tika_url"
+
+# Copy tika rc script.
+install_file -m 0555 /usr/local/etc/rc.d/tika
+
+# Copy tika config files.
+install_template -m 0644 "${tika_conf_dir}/config.xml"
+install_file -m 0644 "${tika_conf_dir}/log4j2.xml"
+
+# Enable and start tika.
+sysrc -v tika_enable=YES
+service tika restart
diff --git a/scripts/hostclass/imap_server/30-dovecot b/scripts/hostclass/imap_server/30-dovecot
new file mode 100644
index 0000000..07c089e
--- /dev/null
+++ b/scripts/hostclass/imap_server/30-dovecot
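Review bot: The Solr tarball is piped from `dlcdn.apache.org` straight into `tar` with no integrity check, and `20-tika` (whose hunk also ends on this line) does the same for `tika.jar`; Apache publishes SHA-512 digests and signatures for both, so a compromised mirror would be installed and started unattended. Pin the digest next to `solr_version` (`solr_sha512='<SHA512_OF_PINNED_TARBALL>'` as a placeholder) and verify it before extraction as below; the same shape applies to the tika jar. Whether a failed `curl` even aborts the current pipeline depends on `set -e`/`pipefail` being enabled by the framework that sources these scripts, which is not visible here. The fixed `sleep 3` before `solr create` is a race that polling `http://127.0.0.1:${solr_port}` would remove, and `solr_softcommit_ms` and `tika_port` are assigned but not referenced anywhere in either hunk.
```shell
# Download the solr tarball and verify it against the pinned digest before extracting.
solr_tarball=$(mktemp -t solr) || die "mktemp failed"
curl -fL -o "$solr_tarball" "$solr_url"
[ "$(sha512 -q "$solr_tarball")" = "$solr_sha512" ] || die "checksum mismatch for ${solr_url}"
tar xf "$solr_tarball" -C "$solr_install_dir" --strip-components 1
rm -f "$solr_tarball"
# … unchanged: rc script and config installation …
```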
@@ -0,0 +1,108 @@ +#!/bin/sh + +: ${dovecot_recipient_delimiter:='+'} +: ${dovecot_default_quota:='10G'} +: ${dovecot_quota_grace_percent:='5'} +: ${dovecot_quota_mail_from:="postmaster@${email_domain}"} +: ${rspamd_host:='smtp'} + +dovecot_user=dovecot +dovecot_login_user=dovenull +dovecot_vmail_user=vmail +dovecot_vmail_uid=793 +dovecot_vmail_dir=/var/db/vmail +dovecot_conf_dir=/usr/local/etc/dovecot +dovecot_script_dir=/usr/local/libexec/dovecot +dovecot_sieve_before_dir="${dovecot_conf_dir}/sieve-before.d" +dovecot_sieve_pipe_bin_dir="${dovecot_script_dir}/sieve-pipe" +dovecot_keytab="${keytab_dir}/dovecot.keytab" +dovecot_tls_cert="${dovecot_conf_dir}/dovecot.crt" +dovecot_tls_key="${dovecot_conf_dir}/dovecot.key" +dovecot_cipherlist='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305' + +pkg install -y \ + dovecot \ + dovecot-pigeonhole \ + rspamd + +# Add local vmail user. +add_user \ + -u "$dovecot_vmail_uid" \ + -c 'Virtual Mail User' \ + -d "$dovecot_vmail_dir" \ + -s /usr/sbin/nologin \ + "$dovecot_vmail_user" + +# Create ZFS dataset for virtual maildirs. +create_dataset -o "mountpoint=${dovecot_vmail_dir}" "${state_dataset}/mailboxes" + +# Set ownership on vmail dir. +install_directory -m 0770 -o "$dovecot_vmail_user" -g "$dovecot_vmail_user" "$dovecot_vmail_dir" + +# Create service principals and keytab. 
+add_principal -nokey -x "containerdn=${services_basedn}" "imap/${fqdn}" +add_principal -nokey -x "containerdn=${services_basedn}" "sieve/${fqdn}" + +ktadd -k "$dovecot_keytab" "imap/${fqdn}" +ktadd -k "$dovecot_keytab" "sieve/${fqdn}" +chgrp "$dovecot_user" "$dovecot_keytab" +chmod 640 "$dovecot_keytab" + +dovecot_uid=$(id -u "$dovecot_user") +install_directory -o "$dovecot_user" -m 0700 "/var/krb5/user/${dovecot_uid}" +ln -snfv "$dovecot_keytab" "/var/krb5/user/${dovecot_uid}/keytab" +ln -snfv "$dovecot_keytab" "/var/krb5/user/${dovecot_uid}/client.keytab" + +# Create dovecot directories. +install_directory -m 0755 \ + "${dovecot_conf_dir}/conf.d" \ + "$dovecot_sieve_before_dir" \ + "$dovecot_sieve_pipe_bin_dir" + +# Generate dovecot configuration. +install_template -m 0644 \ + "${dovecot_conf_dir}/dovecot.conf" \ + "${dovecot_conf_dir}/dovecot-ldap-userdb.conf.ext" \ + "${dovecot_conf_dir}/dovecot-ldap-passdb.conf.ext" \ + "${dovecot_conf_dir}/conf.d/10-auth.conf" \ + "${dovecot_conf_dir}/conf.d/10-mail.conf" \ + "${dovecot_conf_dir}/conf.d/10-master.conf" \ + "${dovecot_conf_dir}/conf.d/10-ssl.conf" \ + "${dovecot_conf_dir}/conf.d/15-lda.conf" \ + "${dovecot_conf_dir}/conf.d/90-fts.conf" \ + "${dovecot_conf_dir}/conf.d/90-quota.conf" \ + "${dovecot_conf_dir}/conf.d/90-sieve.conf" \ + "${dovecot_conf_dir}/conf.d/90-sieve-extprograms.conf" \ + "${dovecot_conf_dir}/conf.d/auth-ldap.conf.ext" + +install_template -m 0550 -o root -g "$dovecot_user" \ + "${dovecot_sieve_pipe_bin_dir}/report-spam.sh" \ + "${dovecot_sieve_pipe_bin_dir}/report-ham.sh" \ + +install_file -m 0555 \ + "${dovecot_script_dir}/quota-warning.sh" + +install_file -m 0644 \ + "${dovecot_conf_dir}/conf.d/15-mailboxes.conf" \ + "${dovecot_conf_dir}/conf.d/20-imap.conf" \ + "${dovecot_conf_dir}/conf.d/20-lmtp.conf" \ + "${dovecot_conf_dir}/conf.d/20-managesieve.conf" \ + "${dovecot_conf_dir}/report-ham.sieve" \ + "${dovecot_conf_dir}/report-spam.sieve" \ + "${dovecot_sieve_before_dir}/10-rspamd.sieve" 
+ +# Compile sieve scripts. +sievec "${dovecot_conf_dir}/report-ham.sieve" +sievec "${dovecot_conf_dir}/report-spam.sieve" +sievec "${dovecot_sieve_before_dir}/10-rspamd.sieve" + +# Copy TLS certificate for dovecot. +install_certificate -m 0644 -o root -g "$dovecot_user" dovecot "$dovecot_tls_cert" +install_certificate_key -m 0640 -o root -g "$dovecot_user" dovecot "$dovecot_tls_key" + +# Enable and start dovecot and dependencies. +sysrc -v dovecot_enable=YES +service dovecot restart + +# Disable rspamd log rotation (we don't actually run rspamd here). +echo '# intentionally empty' > /usr/local/etc/newsyslog.conf.d/rspamd.newsyslog.conf diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix index 0d4830f..e224e9b 100644 --- a/scripts/hostclass/smtp_server/20-postfix +++ b/scripts/hostclass/smtp_server/20-postfix @@ -7,12 +7,8 @@ : ${postfix_recipient_delimiter:='+'} : ${postfix_message_size_limit:='67108864'} # 64 MB : ${postfix_virtual_domains:="$email_domain"} -: ${postfix_lmtp_port:='24'} -: ${postfix_quota_port:='10993'} : ${imap_host='imap'} -: ${lmtp_port='25'} -: ${quota_status_port='10993'} postfix_conf_dir=/usr/local/etc/postfix postfix_user=postfix @@ -57,7 +53,7 @@ install_certificate_key -m 0640 -o root -g "$postfix_user" postfix "$postfix_loc if [ "$postfix_public_fqdn" != "$fqdn" ]; then # Acquire public TLS certificate. install_file /usr/local/etc/sudoers.d/acme - get_acme_certificate \ + acme_install_certificate \ -c "$postfix_public_tls_cert" \ -k "$postfix_public_tls_key" \ -g "$postfix_user" \ diff --git a/scripts/os/freebsd/60-acme b/scripts/os/freebsd/60-acme new file mode 100644 index 0000000..902e674 --- /dev/null +++ b/scripts/os/freebsd/60-acme 
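Review bot: The `install_template -m 0550 -o root -g "$dovecot_user"` call for the sieve-pipe scripts ends with a dangling `\` followed by a blank line, so the command terminates only because the next line is empty; drop the trailing backslash after `"${dovecot_sieve_pipe_bin_dir}/report-ham.sh"`, otherwise the next statement someone adds there becomes an argument. The mode itself deserves a comment: a 0550 root:dovecot script is executable only by root and members of the dovecot group, so this works only if sieve extprograms run it through a script service as `$dovecot_user` rather than as the `vmail` user — the rendered 90-sieve-extprograms.conf is not legible in this patch, so confirm and record it, e.g. `# 0550 root:dovecot: run via the sieve-pipe script service, never as vmail`. Keeping `rspamd_rw_password` out of anything the vmail uid can read is the right goal either way.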
@@ -0,0 +1,75 @@ +#!/bin/sh + +[ "${acme:-}" = true ] || return 0 + +: ${acme_email:="root@${email_domain}"} +: ${acme_keylength:='ec-256'} + +acme_cert_dir=/usr/local/etc/ssl/acme +acme_standalone_port=9080 +acme_user=acme +acme_home=/var/db/acme +acme_webroot=/usr/local/www/acme + +pkg install -y acme.sh + +install_directory -m 0775 -o root -g "$acme_user" "$acme_cert_dir" +install_template -m 0644 /etc/cron.d/acme + +if [ -n "${acme_eab_kid:-}" ]; then + su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --eab-kid ${acme_eab_kid} --eab-hmac-key ${acme_eab_hmac_key}" +else + su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --email ${acme_email}" +fi + +acme_install_certificate(){ + _aic_group=0 + _aic_cert_path= + _aic_key_path= + _aic_reload_cmd= + + while getopts c:g:k:r: _aic_opt; do + case $_aic_opt in + c) _aic_cert_path=$OPTARG ;; + g) _aic_group=$OPTARG ;; + k) _aic_key_path=$OPTARG ;; + r) _aic_reload_cmd=$OPTARG ;; + esac + done + + shift $((OPTIND - 1)) + _aic_name=$1 + + # Acquire the certificate via HTTP ACME challenge. + _aic_domain_args='' + for _aic_domain; do + _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}" + done + + if [ -n "${acme_standalone:-}" ]; then + su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? + else + install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot" + su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? + fi + + case $_aic_rc in + 0) ;; # New cert was issued. + 2) ;; # Cert was unchanged. + *) die "failed to issue ACME certificate for: $*" ;; + esac + + # Install the certificate to the requested location. 
+ if [ -f "$_aic_key_path" ]; then + chmod 640 "$_aic_key_path" + chown "${acme_user}:${_aic_group}" "$_aic_key_path" + else + install -o "$acme_user" -g "$_aic_group" -m 0640 /dev/null "$_aic_key_path" + fi + + if [ -n "$_aic_reload_cmd" ]; then + su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --reloadcmd '${_aic_reload_cmd}'" + else + su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path}" + fi +} diff --git a/vars/common b/vars/common index 7c54673..18d0e52 100644 --- a/vars/common +++ b/vars/common @@ -39,6 +39,8 @@ graphics_type=intel boxconf_username='s-boxconf' host_keytab_groupname=hostkeytab host_keytab_gid=788 +lmtp_port=25 +quota_status_port=10993 krb5_ticket_lifetime=24h krb5_renew_lifetime=7d nslcd_min_uid=1000 diff --git a/vars/hostclass/imap_server b/vars/hostclass/imap_server new file mode 100644 index 0000000..c1467b2 --- /dev/null +++ b/vars/hostclass/imap_server @@ -0,0 +1,3 @@ +#!/bin/sh + +allowed_tcp_ports="ssh imaps ${lmtp_port} ${quota_status_port}" diff --git a/vars/hostclass/smtp_server b/vars/hostclass/smtp_server index d68e28a..fd05469 100644 --- a/vars/hostclass/smtp_server +++ b/vars/hostclass/smtp_server @@ -2,5 +2,5 @@ allowed_tcp_ports="ssh smtp submission ${rspamd_port} http https" postfix_mynetworks='127.0.0.1/8' +acme=true nginx_gssapi=true -nginx_acme=true diff --git a/vars/hostname/imap1 b/vars/hostname/imap1 new file mode 100644 index 0000000..09de713 --- /dev/null +++ b/vars/hostname/imap1 @@ -0,0 +1,3 @@ +#!/bin/sh + +cnames=imap diff --git a/vars/os/freebsd b/vars/os/freebsd index 8b0afb3..12d3938 100644 --- a/vars/os/freebsd +++ b/vars/os/freebsd 
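Review bot: `acme_install_certificate` selects standalone mode with `[ -n "${acme_standalone:-}" ]`, while the pf.conf template in this same commit opens the challenge port only when `[ "${acme_standalone:-}" = true ]`; a host with `acme_standalone=false` would run the standalone listener behind a closed firewall port. Use the same test in both places, `if [ "${acme_standalone:-}" = true ]; then`. The `&& _aic_rc=$? || _aic_rc=$?` idiom is correct but opaque; `_aic_rc=0` before the `su` and `|| _aic_rc=$?` after it reads the same without the double branch. The registration path also places `acme_eab_hmac_key` on the argv of a `su -c` command, where it is visible in the process list while acme.sh runs; the implicit reliance on `see_other_uids=0` from vars/os/freebsd is worth a comment on that line.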
@@ -9,11 +9,6 @@ intel_epp=50 see_other_uids=0 export ASSUME_ALWAYS_YES=yes -acme_cert_dir=/usr/local/etc/ssl/acme -acme_standalone_port=9080 -acme_uid=169 -acme_webroot=/usr/local/www/acme -apache_version=24 keytab_dir=/var/db/keytabs nfscbd_port=7745 nginx_user=www -- cgit v1.2.3