Diffstat (limited to 'modules/postfix')
-rw-r--r--modules/postfix/manifests/init.pp67
-rw-r--r--modules/postfix/manifests/server.pp13
-rw-r--r--modules/postfix/manifests/server/primary.pp43
-rw-r--r--modules/postfix/manifests/server/secondary.pp1
-rw-r--r--modules/postfix/manifests/simple_relay.pp9
-rw-r--r--modules/postfix/templates/group_aliases.conf15
-rw-r--r--modules/postfix/templates/ldap_aliases.conf20
-rw-r--r--modules/postfix/templates/main.cf118
-rw-r--r--modules/postfix/templates/primary_master.cf3
-rw-r--r--modules/postfix/templates/simple_relay_main.cf23
-rw-r--r--modules/postfix/templates/sympa_aliases8
-rw-r--r--modules/postfix/templates/transport_regexp6
-rw-r--r--modules/postfix/templates/virtual_aliases33
13 files changed, 273 insertions, 86 deletions
diff --git a/modules/postfix/manifests/init.pp b/modules/postfix/manifests/init.pp
index 855778da..8a4394df 100644
--- a/modules/postfix/manifests/init.pp
+++ b/modules/postfix/manifests/init.pp
@@ -1,63 +1,24 @@
class postfix {
+ package { postfix: }
- class base {
- package { postfix:
- ensure => installed
- }
- package { 'nail':
- ensure => installed
- }
- service { postfix:
- ensure => running,
- subscribe => [ Package['postfix']],
- path => "/etc/init.d/postfix"
- }
- }
-
- file { '/etc/postfix/main.cf':
- ensure => present,
- owner => root,
- group => root,
- mode => 644,
- require => Package["postfix"],
- content => "",
- notify => [Service['postfix']]
- }
-
-
- class simple_relay inherits base {
- file { '/etc/postfix/main.cf':
- content => template("postfix/simple_relay_main.cf"),
- }
+ service { 'postfix':
+ subscribe => Package['postfix'],
}
- class smtp_server inherits base {
- include postgrey
- file { '/etc/postfix/main.cf':
- content => template("postfix/main.cf"),
- }
-
- file { '/etc/postfix/transport_regexp':
- ensure => present,
- owner => root,
- group => root,
- mode => 644,
- content => template("postfix/transport_regexp"),
- }
-
+ file { '/etc/postfix/main.cf':
+ require => Package['postfix'],
+ content => '',
+ notify => Service['postfix'],
}
- class primary_smtp inherits smtp_server {
- file { '/etc/postfix/master.cf':
- ensure => present,
- owner => root,
- group => root,
- mode => 644,
- content => template("postfix/primary_master.cf"),
- }
+ file { '/etc/ssl/postfix/':
+ ensure => directory,
}
- class secondary_smtp inherits smtp_server {
+ openssl::self_signed_splitted_cert { "${::hostname}.${::domain}":
+ filename => 'postfix',
+ directory => '/etc/ssl/postfix/',
+ owner => 'postfix',
+ group => 'postfix'
}
-
}
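Review bot: The rewritten `service { 'postfix': ... }` no longer carries `ensure => running`, so Puppet only restarts postfix when the package refreshes and will not start it if it is found stopped; add `ensure => running,` next to `subscribe`. The new `file { '/etc/ssl/postfix/': ensure => directory }` sets no owner, group or mode although it will hold the postfix-owned private key written by `openssl::self_signed_splitted_cert`; something like `owner => 'root', group => 'postfix', mode => '0750'` (constructed values — match what the other modules use) keeps the key directory from being listable by every local user. Whether the defined type already restricts the key file's own mode is not visible from this hunk.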
diff --git a/modules/postfix/manifests/server.pp b/modules/postfix/manifests/server.pp
new file mode 100644
index 00000000..85ab261c
--- /dev/null
+++ b/modules/postfix/manifests/server.pp
@@ -0,0 +1,13 @@
+class postfix::server inherits postfix {
+ include postgrey
+ include amavis
+ include spamassassin
+
+ File['/etc/postfix/main.cf'] {
+ content => template('postfix/main.cf'),
+ }
+
+ file { '/etc/postfix/transport_regexp':
+ content => template('postfix/transport_regexp'),
+ }
+}
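Review bot: The new `file { '/etc/postfix/transport_regexp': ... }` has no ordering relationship with `Package['postfix']`, unlike the inherited `File['/etc/postfix/main.cf']`, so on a fresh host it can be applied before the package creates `/etc/postfix` and fail the run; add `require => Package['postfix'],`. It also does not `notify => Service['postfix']`, so an edited regexp table only takes effect whenever postfix next re-reads it; if an immediate reload is intended, add the notify as well.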
diff --git a/modules/postfix/manifests/server/primary.pp b/modules/postfix/manifests/server/primary.pp
new file mode 100644
index 00000000..c14a8606
--- /dev/null
+++ b/modules/postfix/manifests/server/primary.pp
@@ -0,0 +1,43 @@
+class postfix::server::primary inherits postfix::server {
+
+ # Adding DKIM server
+ include opendkim
+ opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'fiona.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:}
+ opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:}
+
+ package { ['postfix-ldap', 'sqlite3-tools', 'dovecot-plugins-sqlite','rspamd']: }
+
+ # council is here until we fully decide who has aliases in com team,
+
+ # see https://bugs.mageia.org/show_bug.cgi?id=1345
+ # alumni is a special group for tracking previous members of
+ # the project, so they keep their aliases for a time
+ $aliases_group = ['mga-founders',
+ 'mga-packagers',
+ 'mga-sysadmin',
+ 'mga-council',
+ 'mga-alumni',
+ 'mga-i18n-committers']
+ $ldap_password = extlookup('postfix_ldap','x')
+ $ldap_servers = get_ldap_servers()
+
+ file {
+ '/etc/postfix/master.cf':
+ content => template('postfix/primary_master.cf');
+ '/etc/postfix/ldap_aliases.conf':
+ content => template('postfix/ldap_aliases.conf');
+ # TODO merge the file with the previous one, for common part (ldap, etc)
+ '/etc/postfix/group_aliases.conf':
+ content => template('postfix/group_aliases.conf');
+ # TODO make it conditional to the presence of sympa
+ '/etc/postfix/sympa_aliases':
+ content => template('postfix/sympa_aliases');
+ '/etc/postfix/virtual_aliases':
+ content => template('postfix/virtual_aliases');
+ }
+
+ exec { 'postmap /etc/postfix/virtual_aliases':
+ refreshonly => true,
+ subscribe => File['/etc/postfix/virtual_aliases'],
+ }
+}
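Review bot: `/etc/postfix/ldap_aliases.conf` and `/etc/postfix/group_aliases.conf` are rendered from templates that embed `bind_pw = <%= ldap_password %>`, yet the `file { ... }` block sets no mode, so the LDAP bind password can end up in a world-readable file; give those two resources something like `owner => 'root', group => 'postfix', mode => '0640'` (constructed values, adjust to the module's conventions). `exec { 'postmap /etc/postfix/virtual_aliases': ... }` uses an unqualified command with no `path` attribute, which Puppet rejects at validation unless a global `Exec { path => ... }` default exists elsewhere — use `/usr/sbin/postmap` or add `path`. `extlookup('postfix_ldap','x')` silently substitutes `x` when the key is missing, turning a configuration error into a failed LDAP bind at runtime; consider dropping the default so the catalog fails instead.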
diff --git a/modules/postfix/manifests/server/secondary.pp b/modules/postfix/manifests/server/secondary.pp
new file mode 100644
index 00000000..e4dd8721
--- /dev/null
+++ b/modules/postfix/manifests/server/secondary.pp
@@ -0,0 +1 @@
+class postfix::server::secondary inherits postfix::server { }
diff --git a/modules/postfix/manifests/simple_relay.pp b/modules/postfix/manifests/simple_relay.pp
new file mode 100644
index 00000000..8911f781
--- /dev/null
+++ b/modules/postfix/manifests/simple_relay.pp
@@ -0,0 +1,9 @@
+class postfix::simple_relay inherits postfix {
+ File['/etc/postfix/main.cf'] {
+ content => template('postfix/simple_relay_main.cf'),
+ }
+ file {
+ '/etc/postfix/sympa_aliases':
+ content => template('postfix/sympa_aliases');
+ }
+}
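Review bot: The `file { '/etc/postfix/sympa_aliases': ... }` resource is rendered unconditionally here, while the `simple_relay_main.cf` template in this commit references `regexp:/etc/postfix/sympa_aliases` only inside `classes.include?('sympa::server')`; wrap the resource in the same condition, or add a comment stating that the unused map is harmless, so hosts that never run sympa do not carry a stray alias table. As in `postfix::server`, the resource also lacks `require => Package['postfix']`.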
diff --git a/modules/postfix/templates/group_aliases.conf b/modules/postfix/templates/group_aliases.conf
new file mode 100644
index 00000000..eac16dab
--- /dev/null
+++ b/modules/postfix/templates/group_aliases.conf
@@ -0,0 +1,15 @@
+<%-
+ ldap = ldap_servers.map { |l| "ldaps://#{l}:636" }
+-%>
+server_host = <%= ldap.join(' ') %>
+search_base = <%= dc_suffix %>
+query_filter = (&(cn=mga-%u)(objectClass=groupOfNames))
+result_attribute = mail
+special_result_attribute = member
+bind = yes
+bind_dn = cn=postfix-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
+bind_pw = <%= ldap_password %>
+# postfix complain on url
+# warning: dict_ldap_open: URL scheme ldaps requires protocol version 3
+version = 3
+domain = group.<%= domain %>
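Review bot: The table connects to `ldaps://<host>:636` and sends `bind_pw`, but sets no `tls_require_cert`; Postfix's ldap table defaults it to `no`, so the server certificate is not verified and the bind password is disclosed to whatever answers on that port. Add `tls_require_cert = yes` and `tls_ca_cert_file = <path-to-CA-bundle>` (placeholder) to this template; `ldap_aliases.conf` in this same commit has the identical gap. The comment `# postfix complain on url` would read better as `# postfix complains about the ldaps URL scheme unless version 3 is set:`.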
diff --git a/modules/postfix/templates/ldap_aliases.conf b/modules/postfix/templates/ldap_aliases.conf
new file mode 100644
index 00000000..40d7da13
--- /dev/null
+++ b/modules/postfix/templates/ldap_aliases.conf
@@ -0,0 +1,20 @@
+<%-
+# TODO I am sure that a more elegant way could be find
+query_string = ''
+aliases_group.each do |g|
+ query_string += '(memberOf=cn=' + g + ',ou=Group,' + dc_suffix + ')'
+end
+
+ldap = ldap_servers.map { |l| "ldaps://#{l}:636" }
+-%>
+server_host = <%= ldap.join(' ') %>
+search_base = <%= dc_suffix %>
+query_filter = (&(uid=%u)(|<%= query_string %>))
+result_attribute = mail
+bind = yes
+bind_dn = cn=postfix-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
+bind_pw = <%= ldap_password %>
+# postfix complain on url
+# warning: dict_ldap_open: URL scheme ldaps requires protocol version 3
+version = 3
+domain = <%= domain %>
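Review bot: The `query_string` accumulation in the ERB header (the loop under `# TODO I am sure that a more elegant way could be find`) can be a single expression, `query_string = aliases_group.map { |g| "(memberOf=cn=#{g},ou=Group,#{dc_suffix})" }.join`, which resolves the TODO and removes the repeated `+=` concatenation. Note that with an empty `aliases_group` the filter becomes `(|)`, which is not a valid LDAP filter; the list is hard-coded in `postfix::server::primary` today, so a guard is only worth adding if it becomes data-driven.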
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index 7b60f3a3..6b42a4de 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
@@ -11,79 +11,143 @@ sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
-daemon_directory = <%= lib_dir %>/postfix/
+daemon_directory = /usr/libexec/postfix
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64
+compatibility_level = 2
data_directory = /var/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
+<% if all_tags.include?('postfix::simple_relay') || all_tags.include?('postfix::server::secondary') %>
+relayhost = sucuk.<%= domain %>
+<%- end -%>
# User configurable parameters
<% if all_tags.include?('postfix::simple_relay') %>
-inet_interfaces = localhost
+inet_interfaces = localhost, 127.0.0.1
<% else %>
inet_interfaces = all
<% end %>
inet_protocols = all
-mynetworks_style = host
+<% if @hostname == 'neru' then %>
+# We do not have a reverse on ipv6 :(
+smtp_address_preference = ipv4
+<%- end -%>
+
+# FIXME Do not hardcode this
+mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115]
myhostname = <%= fqdn %>
mydomain = <%= domain %>
-mydestination = <%= fqdn %>
-myorigin = $mydomain
-<%- if all_tags.include?('postfix::secondary_smtp') -%>
-relay_domains = <%= domain %>, ml.<%= domain %>
+<%- if all_tags.include?('postfix::server::secondary') -%>
+relay_domains = <%= domain %>,
+ ml.<%= domain %>,
+ group.<%= domain %>
<%- end -%>
mydestination = <%= fqdn %>
-<%- if all_tags.include?('postfix::primary_smtp') -%>
- <%= domain %>,
-<%- if classes.include?('sympa') -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
ml.<%= domain %>
-<%- end -%>
+<%- end -%>
+
+<%- if all_tags.include?('postfix::server::primary') -%>
+
+virtual_mailbox_domains = <%= domain %>,
+ group.<%= domain %>
+
+# postfix complain if not set
+# Mar 22 23:51:20 alamut postfix/virtual[22952]: fatal: bad string length 0 < 1: virtual_mailbox_base =
+virtual_mailbox_base = /var/lib/mail
+
+# local_recipient_maps is disabled, as we need to route all
+# non local email to ryu as long as mageia ml are hosted
+# there. Hence the use of fallback_transport , but this is
+# taken in account only of local_recipient_maps is empty
+local_recipient_maps =
+# route ml to ryu ( ml being mageia-*@mageia )
+fallback_transport_maps = regexp:/etc/postfix/transport_regexp
+
+# needed by sympa to handle bounce, according to the doc
+recipient_delimiter = +
-alias_maps = hash:/etc/aliases
- # uncomment if we want to enable ldap based alias
- # and create the file
- #ldap:/etc/postfix/ldap_aliases.conf
+
+alias_maps = hash:/etc/postfix/aliases
+
+virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.conf
+ ldap:/etc/postfix/group_aliases.conf
+ hash:/etc/postfix/virtual_aliases
+<%- if classes.include?('sympa::server') -%>
+ regexp:/etc/postfix/sympa_aliases
+<%- end -%>
+<% else %>
+<%- if classes.include?('sympa::server') -%>
+virtual_alias_maps = regexp:/etc/postfix/sympa_aliases
+<%- end -%>
<%- end -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
+# Adding DKIM Miler for primaryserver (sucuk)
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+milter_protocol = 2
+
+# Adding Sender Rewriting Scheme
+sender_canonical_maps = socketmap:inet:localhost:10003:forward
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = socketmap:inet:localhost:10003:reverse
+recipient_canonical_classes= envelope_recipient,header_recipient
+<%- end -%>
-<%- if all_tags.include?('postfix::smtp_server') -%>
+<%- if all_tags.include?('postfix::server') -%>
transport_maps = regexp:/etc/postfix/transport_regexp
+content_filter = smtp-filter:[127.0.0.1]:10025
<%- end -%>
-<%- if classes.include?('sympa') -%>
+<%- if classes.include?('sympa::server') -%>
sympa_destination_recipient_limit = 1
sympabounce_destination_recipient_limit = 1
<%- end -%>
#delay_warning_time = 4h
-smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux)
+smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
+# enable opportunistic TLS when receiving
smtpd_use_tls = yes
-smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
-smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
+smtpd_tls_received_header = yes
+smtpd_tls_cert_file = /etc/ssl/postfix/postfix.crt
+smtpd_tls_key_file = /etc/ssl/postfix/postfix.key
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+# enable opportunistic TLS when sending
+smtp_tls_security_level = may
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-<%- if all_tags.include?('postfix::smtp_server') -%>
+<%- if all_tags.include?('postfix::server') -%>
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
-smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_data_restrictions = permit_mynetworks
+ reject_unauth_pipelining
reject_multi_recipient_bounce
-smtpd_recipient_restrictions = reject_non_fqdn_recipient
- reject_non_fqdn_sender
+smtpd_recipient_restrictions = permit_mynetworks
# not done yet, not sure if we need to offer this kind of service
# permit_sasl_authenticated
- permit_mynetworks
- reject_unauth_destination
reject_non_fqdn_helo_hostname
+ reject_non_fqdn_recipient
+ reject_non_fqdn_sender
+ check_sender_access hash:/etc/postfix/access
+ reject_rhsbl_helo sbl.spamhaus.org
+ reject_rhsbl_reverse_client sbl.spamhaus.org
+ reject_rhsbl_sender sbl.spamhaus.org
+ reject_rbl_client sbl.spamhaus.org
+ reject_unauth_destination
reject_unknown_sender_domain
reject_unknown_client
<%- if classes.include?('postgrey') -%>
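Review bot: The new `reject_rhsbl_helo`, `reject_rhsbl_reverse_client` and `reject_rhsbl_sender` lines query `sbl.spamhaus.org`, which is an IP-address list; Spamhaus's domain-based list is `dbl.spamhaus.org`, so these three checks most likely never match — verify against the current Spamhaus zone names and switch them, keeping `reject_rbl_client sbl.spamhaus.org` for the IP check. The TLS block mixes the legacy `smtpd_use_tls = yes` with the newer `smtp_tls_security_level = may` added beside it; with `compatibility_level = 2` now set, `smtpd_tls_security_level = may` is the matching form for the receiving side and makes the "opportunistic" intent in the comment explicit. The hard-coded `mynetworks` line is already marked FIXME by the author.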
@@ -91,3 +155,5 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient
<%- end -%>
<%- end -%>
+# Needed for buggy clients
+always_add_missing_headers = yes
diff --git a/modules/postfix/templates/primary_master.cf b/modules/postfix/templates/primary_master.cf
index 299bbd6c..e05d33dc 100644
--- a/modules/postfix/templates/primary_master.cf
+++ b/modules/postfix/templates/primary_master.cf
@@ -116,7 +116,7 @@ cyrus-inet unix - - y - - lmtp
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
-<% if classes.include?('sympa') %>
+<% if classes.include?('sympa::server') %>
sympa unix - n n - - pipe
flags=R user=sympa argv=/usr/sbin/queue ${recipient}
sympabounce unix - n n - - pipe
@@ -174,4 +174,3 @@ smtp-filter unix - - y - - smtp
-o max_use=20
#
##### END OF CONTENT FILTER CUSTOMIZATIONS #####
-
diff --git a/modules/postfix/templates/simple_relay_main.cf b/modules/postfix/templates/simple_relay_main.cf
index 5f8d44ca..e0c116a7 100644
--- a/modules/postfix/templates/simple_relay_main.cf
+++ b/modules/postfix/templates/simple_relay_main.cf
@@ -11,7 +11,7 @@ sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
-daemon_directory = <%= lib_dir %>/postfix/
+daemon_directory = /usr/libexec/postfix/
data_directory = /var/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
@@ -20,11 +20,12 @@ mail_owner = postfix
# User configurable parameters
-inet_interfaces = localhost
+myhostname = <%= fqdn %>
+mydomain = <%= domain %>
inet_protocols = all
mynetworks_style = host
#delay_warning_time = 4h
-smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux)
+smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mageia Linux)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
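Review bot: `smtpd_banner ... (Mageia Linux)` hard-codes the distribution name while the sibling `main.cf` template in this commit switches to `(<%= lsbdistid %>)`; use the same fact here, `smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>)`, so the two templates stay consistent. The two templates otherwise duplicate most of their header block, which is worth a follow-up but outside this change.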
@@ -32,3 +33,19 @@ smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+<%- if classes.include?('sympa::server') -%>
+local_recipient_maps =
+fallback_transport_maps = regexp:/etc/postfix/transport_regexp
+transport_maps = regexp:/etc/postfix/transport_regexp
+mydestination = ml.<%= domain %>
+sympa_destination_recipient_limit = 1
+sympabounce_destination_recipient_limit = 1
+virtual_alias_maps = regexp:/etc/postfix/sympa_aliases
+# needed by sympa to handle bounce, according to the doc
+recipient_delimiter = +
+# This is ugly for a simple relay but we need ml.mageia.org to accept email :(
+inet_interfaces = all
+<%- else -%>
+inet_interfaces = localhost
+<%- end -%>
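Review bot: The `sympa::server` branch turns on `inet_interfaces = all` while the context lines above still point `smtpd_tls_cert_file`/`smtpd_tls_key_file` at `/etc/pki/tls/certs/postfix.pem` and `/etc/pki/tls/private/postfix.pem`, whereas `class postfix` in this commit now generates `/etc/ssl/postfix/postfix.crt` and `.key` on every postfix host and `main.cf` uses those; reference the same managed files here, otherwise TLS on a relay depends on certificates this module no longer provides. Once listening on all interfaces, this template sets no `smtpd_recipient_restrictions`/`smtpd_relay_restrictions` of its own and relies on Postfix defaults to refuse relaying for outsiders — presumably intentional, but a comment next to `inet_interfaces = all` saying so would help the next reader. `mynetworks_style = host` from the hunk above remains in effect, so only the local host is trusted.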
diff --git a/modules/postfix/templates/sympa_aliases b/modules/postfix/templates/sympa_aliases
new file mode 100644
index 00000000..436e7a28
--- /dev/null
+++ b/modules/postfix/templates/sympa_aliases
@@ -0,0 +1,8 @@
+# everything is handled with transports in postfix,
+# but according to https://www.sympa.org/faq/postfix, we also need this one
+<% escaped_domain = ( 'ml.' + domain ).sub('.','\.') %>
+/^(.*)-owner\@<%= escaped_domain %>$/ $1+owner@ml.<%= domain %>
+# redirect the mail from the ml domain to sysadmin
+/^listmaster\@<%= escaped_domain %>$/ listmaster@<%= domain %>
+# errors are sent there, so that should also be redirected
+/^sympa-request\@<%= escaped_domain %>$/ listmaster@<%= domain %>
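Review bot: `escaped_domain = ( 'ml.' + domain ).sub('.','\.')` escapes only the first dot, so for a domain with its own dots (such as the `mageia.org` used elsewhere in this commit) the remaining `.` stays a regex wildcard; the `transport_regexp` template in this same commit uses `gsub` for the same purpose, so use it here too: `<% escaped_domain = ('ml.' + domain).gsub('.', '\.') %>`. In single quotes `'\.'` is the two characters backslash and dot, which is what the regexp table needs, so the replacement string itself is fine.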
diff --git a/modules/postfix/templates/transport_regexp b/modules/postfix/templates/transport_regexp
index 5d005c7b..3eb5494f 100644
--- a/modules/postfix/templates/transport_regexp
+++ b/modules/postfix/templates/transport_regexp
@@ -1,8 +1,10 @@
<%
ml_domain = 'ml\.' + domain.gsub('.','\.')
%>
-<%- if classes.include?('sympa') -%>
+<%- if classes.include?('sympa::server') -%>
/^.*+owner\@<%= ml_domain %>$/ sympabounce:
+/^bounce+.*\@<%= ml_domain %>$/ sympabounce:
/^.*\@<%= ml_domain %>$/ sympa:
+<%- else -%>
+/^.*\@<%= ml_domain %>$/ smtp:sucuk.mageia.org
<%- end -%>
-
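Review bot: In the added `/^bounce+.*\@<%= ml_domain %>$/ sympabounce:` the `+` is unescaped, so it quantifies the preceding `e` (matching `bounce`, `bouncee`, …) instead of the `+` recipient delimiter configured by `recipient_delimiter = +`; write `/^bounce\+.*\@<%= ml_domain %>$/ sympabounce:`. The pre-existing `/^.*+owner\@...` context line has the same flaw — `.*+` is not a literal `+` under the POSIX syntax Postfix regexp tables use. The new fallback `smtp:sucuk.mageia.org` hard-codes the domain that the rest of this template derives from `domain`; `smtp:sucuk.<%= domain %>` keeps the template domain-agnostic and matches `relayhost = sucuk.<%= domain %>` in `main.cf`.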
diff --git a/modules/postfix/templates/virtual_aliases b/modules/postfix/templates/virtual_aliases
new file mode 100644
index 00000000..861e79c6
--- /dev/null
+++ b/modules/postfix/templates/virtual_aliases
@@ -0,0 +1,33 @@
+# do not forget to add $domain or it will not work
+# do not hardcode the domain, or it will be harvested by bot
+
+treasurer@<%= domain %> treasurer@group.<%= domain %>
+president@<%= domain %> ennael@<%= domain %>
+secretary@<%= domain %> obgr_seneca@<%= domain %>
+
+contact@<%= domain %> council@group.<%= domain %>
+press@<%= domain %> council@group.<%= domain %>
+
+# later switch to a team alias
+root@<%= domain %> sysadmin@group.<%= domain %>
+
+security@<%= domain %> security@group.<%= domain %>
+
+# Temporary(?) alias until there is a real board-commits@ list
+board-commits@ml.<%= domain %> board-public@ml.<%= domain %>
+
+# TODO see https://www.ietf.org/rfc/rfc2142.txt
+<%
+['postmaster','hostmaster','abuse','noc','listmaster','MAILER-DAEMON'].each { |a|
+%>
+<%= a %>@<%= domain %> root@<%= domain %>
+<%
+}
+
+['webmaster','www'].each { |a|
+%>
+<%= a %>@<%= domain %> web@group.<%= domain %>
+<% } %>
+
+# TODO :
+# info, marketing, sales -> marketing ( once we do have a team )
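Review bot: The two ERB loops (from `['postmaster','hostmaster',...].each { |a|` through `<% } %>`) open and close Ruby blocks across separate `<% %>` tags and emit a blank output line per iteration; `<%- [...].each do |a| -%>` / `<%= a %>@<%= domain %> root@<%= domain %>` / `<%- end -%>` keeps each loop readable and the generated map compact. Blank lines are harmless to `postmap`, so this is a readability point only.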