email from external network

This commit is contained in:
Emmanuel Garette 2022-03-20 21:15:45 +01:00
parent 7751bdf2d1
commit f979aa993d
22 changed files with 144 additions and 33 deletions

View file

@ -12,6 +12,9 @@
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file> <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
<file>/etc/pki/tls/certs/postfix.crt</file> <file>/etc/pki/tls/certs/postfix.crt</file>
<file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file> <file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
<file>/etc/postfix/sni</file>
<file source="postfix_sni.pem" file_type="variable" mode="400" variable="submission_domainname">postfix_pem_files</file>
<file mode="400">/etc/postfix/certs/postfix.pem</file>
</service> </service>
<service name='dovecot-init'> <service name='dovecot-init'>
<override/> <override/>
@ -24,7 +27,7 @@
<file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file> <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file> <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
<file>/etc/dovecot/conf.d/10-master.conf</file> <file>/etc/dovecot/conf.d/10-master.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-ssl.conf</file> <file>/etc/dovecot/conf.d/10-ssl.conf</file>
<!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file--> <!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
<file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file> <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
<file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file> <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
@ -41,9 +44,15 @@
<file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file> <file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
<file>/etc/pki/tls/certs/dovecot.crt</file> <file>/etc/pki/tls/certs/dovecot.crt</file>
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file> <file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
</service> </service>
</services> </services>
<variables> <variables>
<variable name="external_ports" redefine="True">
<value>587</value>
<value>993</value>
</variable>
<family name="annuaire"> <family name="annuaire">
<variable name="ldap_key_file_owner" redefine="True"> <variable name="ldap_key_file_owner" redefine="True">
<value>dovecot</value> <value>dovecot</value>
@ -52,12 +61,17 @@
<value>postfix</value> <value>postfix</value>
</variable> </variable>
</family> </family>
<family name="postfix" description="Postfix mail server"> <family name="mail" description="Mail domain" leadership="True">
<variable name="postfix_my_domains" type="domainname" description="Domaine de courriel généré localement" mandatory="True" multi="True"/> <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
<variable name='postfix_ca_chain' description="CA certificate" hidden='True'/> <variable name="imap_domainname" type="domainname" mandatory="True"/>
<variable name="submission_domainname" type="domainname" mandatory="True"/>
</family>
<family name="postfix">
<variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
</family> </family>
<family name="dovecot" description="IMAP mail server"> <family name="dovecot" description="IMAP mail server">
<variable name='dovecot_ca_chain' description="CA certificate" hidden='True'/> <variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
<variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/> <variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
<family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'> <family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/> <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
@ -68,16 +82,6 @@
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_chain">
<param name="authority_cn" type="variable">domain_name_eth0</param>
<param name="authority_name">MailServer</param>
<target>postfix_ca_chain</target>
</fill>
<fill name="get_chain">
<param name="authority_cn" type="variable">domain_name_eth0</param>
<param name="authority_name">IMAPServer</param>
<target>dovecot_ca_chain</target>
</fill>
<fill name="get_password"> <fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param> <param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="suffix"/> <param name="username" type="suffix"/>
@ -89,13 +93,13 @@
<param name="linked_server" type="variable">smtp_relay_address</param> <param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_server</param> <param name="linked_provider">lmtp_server</param>
<param name="linked_value" type="variable">domain_name_eth0</param> <param name="linked_value" type="variable">domain_name_eth0</param>
<target>postfix_my_domains</target> <target>mail_domains</target>
</check> </check>
<check name="set_linked_configuration"> <check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param> <param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_criteria</param> <param name="linked_provider">lmtp_criteria</param>
<param name="dynamic" type="variable">domain_name_eth0</param> <param name="dynamic" type="variable">domain_name_eth0</param>
<target>postfix_my_domains</target> <target>mail_domains</target>
</check> </check>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">tls_ca_directory</param> <param type="variable">tls_ca_directory</param>
@ -103,5 +107,29 @@
<param name="join">/</param> <param name="join">/</param>
<target>revprox_ca_file</target> <target>revprox_ca_file</target>
</fill> </fill>
<fill name="calc_value">
<param>/etc/pki/tls/certs/imap_</param>
<param type="variable">imap_domainname</param>
<param>.crt</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>external_imap_crt</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/private/imap_</param>
<param type="variable">imap_domainname</param>
<param>.key</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>external_imap_key</target>
</fill>
<fill name="calc_value">
<param>/etc/postfix/certs/</param>
<param type="variable">submission_domainname</param>
<param>.pem</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>postfix_pem_files</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>

View file

@ -16,6 +16,16 @@ ssl = required
#>GNUNUX #>GNUNUX
ssl_cert = </etc/pki/tls/certs/dovecot.crt ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key ssl_key = </etc/pki/tls/private/dovecot.key
%for %%mail in %%mail_domains
local_name %%mail.imap_domainname {
ssl_cert = </etc/pki/tls/certs/imap_%%{mail.imap_domainname}.crt
ssl_key = </etc/pki/tls/private/imap_%%{mail.imap_domainname}.key
}
%end for
local_name %%domain_name_eth0 {
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
}
#<GNUNUX #<GNUNUX
# If key file is password protected, give the password here. Alternatively # If key file is password protected, give the password here. Alternatively

View file

@ -1 +1 @@
%%dovecot_ca_chain %%get_chain(%%domain_name_eth0, "IMAPServer")

View file

@ -1 +1 @@
%%postfix_ca_chain %%get_chain(%%domain_name_eth0, "MailServer")

View file

@ -0,0 +1,2 @@
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')

View file

@ -0,0 +1 @@
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')

View file

@ -749,6 +749,9 @@ smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_CApath = /etc/pki/tls/certs smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
#>GNUNUX
tls_server_sni_maps = hash:/etc/postfix/sni
#<GNUNUX
# Announce STARTTLS support to remote SMTP clients, but do not require that # Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound). # clients use TLS encryption (opportunistic TLS inbound).
# #
@ -796,7 +799,11 @@ smtpd_sasl_path = /srv/dovecot/auth
broken_sasl_auth_clients = yes broken_sasl_auth_clients = yes
dovecot_destination_recipient_limit = 1 dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = %echo ', '.join(%%postfix_my_domains) %set %%domains = []
%for %%domain in %%mail_domains
%%domains.append(%%str(%%domain))%slurp
%end for
virtual_mailbox_domains = %echo ', '.join(%%domains)
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
virtual_minimum_uid = 1000 virtual_minimum_uid = 1000

View file

@ -0,0 +1,2 @@
%%get_private_key(%%domain_name_eth0, 'MailServer')
%%get_certificate(%%domain_name_eth0, "MailServer")

View file

@ -1,3 +1,4 @@
[Service] [Service]
ExecStartPre=/usr/sbin/postmap /etc/postfix/relay_passwd ExecStartPre=/usr/sbin/postmap /etc/postfix/relay_passwd
ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni
PIDFile=/srv/postfix/spool/pid/master.pid PIDFile=/srv/postfix/spool/pid/master.pid

View file

@ -0,0 +1,3 @@
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%cert

View file

@ -0,0 +1,4 @@
%for %%name in %%mail_domains
%%name.submission_domainname /etc/postfix/certs/%%{name.submission_domainname}.pem
%end for
%%domain_name_eth0 /etc/postfix/certs/postfix.pem

View file

@ -3,8 +3,6 @@
<variables> <variables>
<family name='letsencrypt' description="Défi DNS pour Let's encrypt" leadership="True"> <family name='letsencrypt' description="Défi DNS pour Let's encrypt" leadership="True">
<variable name="domain_names" type="domainname" description="Nom des domaines" multi="True"/> <variable name="domain_names" type="domainname" description="Nom des domaines" multi="True"/>
<variable name="authority_cn" description="Nom de domaine de l'autorité" mandatory="True"/>
<variable name="authority_name" description="Nom de l'authorité" mandatory="True"/>
<variable name="plugin_name" type="string" description="Nom du greffon de mise à jour DNS du domaine" mandatory="True"/> <variable name="plugin_name" type="string" description="Nom du greffon de mise à jour DNS du domaine" mandatory="True"/>
<variable name="credential_filename" type="filename" description="Nom du fichier de configuration du greffin" mandatory="True"/> <variable name="credential_filename" type="filename" description="Nom du fichier de configuration du greffin" mandatory="True"/>
<variable name="email" type="mail" description="Courriel associé au certificat" mandatory="True"/> <variable name="email" type="mail" description="Courriel associé au certificat" mandatory="True"/>
@ -12,8 +10,7 @@
</variables> </variables>
<constraints> <constraints>
<check name="letsencrypt_certif"> <check name="letsencrypt_certif">
<param type="variable">authority_cn</param> <param type="variable">domain_name_eth0</param>
<param type="variable">authority_name</param>
<param type="variable">plugin_name</param> <param type="variable">plugin_name</param>
<param type="variable">credential_filename</param> <param type="variable">credential_filename</param>
<param type="variable">email</param> <param type="variable">email</param>

View file

@ -14,13 +14,13 @@ _X509_DIR = _join(_HERE, 'pki', 'x509')
def letsencrypt_certif(domain: str, def letsencrypt_certif(domain: str,
authority_cn: str, authority_cn: str,
authority_name: str,
plugin_name: str, plugin_name: str,
credential_filename: str, credential_filename: str,
email: str, email: str,
) -> None: ) -> None:
if None in (domain, authority_cn, authority_name, plugin_name, credential_filename, email): if None in (domain, authority_cn, plugin_name, credential_filename, email):
return return
authority_name = 'External'
date_file = _join(_LE_DIR, f'{domain}.date') date_file = _join(_LE_DIR, f'{domain}.date')
date = _datetime.now() date = _datetime.now()
today = str(date.date()) today = str(date.date())

View file

@ -42,3 +42,4 @@ export MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py
echo "DEBUG=True" >> /etc/mailman3.d/postorius.py echo "DEBUG=True" >> /etc/mailman3.d/postorius.py
systemctl restart postorius systemctl restart postorius

View file

@ -17,6 +17,8 @@
<variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/> <variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
<variable name="nextcloud_mail_admin" type="mail" mandatory="True"/> <variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
<variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/> <variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
<variable name="nexcloud_well_known_caldav" type="web_address" hidden='True'/>
<variable name="nexcloud_well_known_carddav" type="web_address" hidden='True'/>
</family> </family>
<family name="oauth2_client"> <family name="oauth2_client">
<variable name="oauth2_is_client_application" redefine='True'> <variable name="oauth2_is_client_application" redefine='True'>
@ -55,5 +57,39 @@
<param name="starts_with_char" type="boolean">True</param> <param name="starts_with_char" type="boolean">True</param>
<target>nextcloud_instance_id</target> <target>nextcloud_instance_id</target>
</fill> </fill>
<check name="set_linked_multi_variables">
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_value_0" type="variable">revprox_client_external_domainname</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/caldav</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">nexcloud_well_known_caldav</param>
<target>revprox_client_server_domainname</target>
</check>
<fill name="calc_web_address">
<param type="variable">domain_name_eth0</param>
<param type="variable">revprox_client_port</param>
<param>/.well-known/caldav</param>
<target>nexcloud_well_known_caldav</target>
</fill>
<check name="set_linked_multi_variables">
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_value_0" type="variable">revprox_client_external_domainname</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/carddav</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">nexcloud_well_known_carddav</param>
<target>revprox_client_server_domainname</target>
</check>
<fill name="calc_web_address">
<param type="variable">domain_name_eth0</param>
<param type="variable">revprox_client_port</param>
<param>/.well-known/carddav</param>
<target>nexcloud_well_known_carddav</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>

View file

@ -14,6 +14,8 @@ else
sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php
/usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
fi fi
# Upgrade
/usr/bin/php /usr/share/nextcloud/occ upgrade || true
# SSO # SSO
/usr/bin/php /usr/share/nextcloud/occ app:enable oidc_login /usr/bin/php /usr/share/nextcloud/occ app:enable oidc_login
# Feature # Feature
@ -49,7 +51,6 @@ fi
# Need network # Need network
/usr/bin/php /usr/share/nextcloud/occ app:disable weather_status /usr/bin/php /usr/share/nextcloud/occ app:disable weather_status
# Maintenance # Maintenance
/usr/bin/php /usr/share/nextcloud/occ upgrade
/usr/bin/php /usr/share/nextcloud/occ files:scan --all -q /usr/bin/php /usr/share/nextcloud/occ files:scan --all -q
/usr/bin/php /usr/share/nextcloud/occ maintenance:repair -q /usr/bin/php /usr/share/nextcloud/occ maintenance:repair -q

View file

@ -1 +1 @@
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy') %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')

View file

@ -1 +1 @@
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy') %%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')

View file

@ -45,3 +45,7 @@ postconf maillog_file
postconf maillog_file=/dev/stdout postconf maillog_file=/dev/stdout
# Test mail en ligne
https://www.mail-tester.com/
https://dkimvalidator.com/

View file

@ -37,14 +37,14 @@
</variable> </variable>
<family name="postfix" description="Postfix mail server"> <family name="postfix" description="Postfix mail server">
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/> <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
<variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True"/> <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
<variable name='postfix_ca_chain' description="CA certificate" hidden='True'/> <variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
<variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/> <variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'> <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/> <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/> <variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
</family> </family>
<variable name='postfix_pem_files' type="filename" description="PEM certificates" hidden='True' multi='True'/> <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
</family> </family>
<family name="opendkim"> <family name="opendkim">
<variable name="opendkim_keys" type="filename" description="Keys filename" multi="True" hidden="True"/> <variable name="opendkim_keys" type="filename" description="Keys filename" multi="True" hidden="True"/>

View file

@ -0,0 +1,12 @@
from risotto.utils import multi_function as _multi_function
@_multi_function
def calc_postfix_relay_domains(criteria):
relay = set()
for lsts in criteria:
for lst in lsts:
if '@' in lst:
lst = lst.split('@')[1]
relay.add(lst)
return list(relay)

View file

@ -1,7 +1,9 @@
def calc_web_address(domain_name:str, port:str, local_location:str): def calc_web_address(domain_name: str, port: str, local_location: str) -> str:
if not domain_name or not port: if not domain_name or not port:
return return
web_address = f'https://{domain_name}:{port}' web_address = f'https://{domain_name}'
if port != '443':
web_address += f':{port}'
if local_location: if local_location:
web_address += local_location web_address += local_location
return web_address return web_address