feat: changes for macher.solutions
This commit is contained in:
parent
856761d407
commit
8c5aac0f07
4 changed files with 139 additions and 3 deletions
@ -27,6 +27,27 @@ let
|
||||||
default_pass_scheme = CRYPT
|
default_pass_scheme = CRYPT
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
ldapConfigFallback = pkgs.writeText "dovecot-ldap-fallback.conf" ''
|
||||||
|
hosts = ldap.cloonar.com
|
||||||
|
tls = yes
|
||||||
|
dn = "cn=vmail,ou=system,ou=users,dc=cloonar,dc=com"
|
||||||
|
dnpass = "@ldap-password@"
|
||||||
|
auth_bind = no
|
||||||
|
ldap_version = 3
|
||||||
|
base = ou=users,dc=cloonar,dc=com
|
||||||
|
user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE)))
|
||||||
|
user_attrs = \
|
||||||
|
quota=quota_rule=*:bytes=%$, \
|
||||||
|
=home=/var/vmail/%d/%n/, \
|
||||||
|
=mail=maildir:/var/vmail/%d/%n/Maildir
|
||||||
|
pass_attrs = mail=user,userPassword=password
|
||||||
|
pass_filter = (&(objectClass=mailAccount)(mail=%u))
|
||||||
|
iterate_attrs = =user=%{ldap:mail}
|
||||||
|
iterate_filter = (objectClass=mailAccount)
|
||||||
|
scope = subtree
|
||||||
|
default_pass_scheme = CRYPT
|
||||||
|
'';
|
||||||
|
|
||||||
doveSync = pkgs.writeShellScriptBin "dove-sync.sh" ''
|
doveSync = pkgs.writeShellScriptBin "dove-sync.sh" ''
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
SERVER=''${1}
|
SERVER=''${1}
|
||||||
|
|
@ -59,6 +80,10 @@ let
|
||||||
doveadm user *@docfast.dev | while read user; do
|
doveadm user *@docfast.dev | while read user; do
|
||||||
doveadm -v sync -u $user $SERVER
|
doveadm -v sync -u $user $SERVER
|
||||||
done
|
done
|
||||||
|
|
||||||
|
doveadm user *@macher.solutions | while read user; do
|
||||||
|
doveadm -v sync -u $user $SERVER
|
||||||
|
done
|
||||||
'';
|
'';
|
||||||
|
|
||||||
quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" ''
|
quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" ''
|
||||||
|
|
@ -157,6 +182,14 @@ in
|
||||||
args = /run/dovecot2/ldap.conf
|
args = /run/dovecot2/ldap.conf
|
||||||
driver = ldap
|
driver = ldap
|
||||||
}
|
}
|
||||||
|
userdb {
|
||||||
|
args = /run/dovecot2/ldap-fallback.conf
|
||||||
|
driver = ldap
|
||||||
|
}
|
||||||
|
passdb {
|
||||||
|
args = /run/dovecot2/ldap-fallback.conf
|
||||||
|
driver = ldap
|
||||||
|
}
|
||||||
|
|
||||||
service imap-login {
|
service imap-login {
|
||||||
client_limit = 1000
|
client_limit = 1000
|
||||||
|
|
@ -247,6 +280,7 @@ in
|
||||||
|
|
||||||
systemd.services.dovecot.preStart = ''
|
systemd.services.dovecot.preStart = ''
|
||||||
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
|
||||||
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfigFallback} > /run/dovecot2/ldap-fallback.conf
|
||||||
'';
|
'';
|
||||||
|
|
||||||
systemd.services.dovecot = {
|
systemd.services.dovecot = {
|
||||||
|
|
|
||||||
|
|
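Review bot: `ldapConfigFallback` searches `base = ou=users,dc=cloonar,dc=com` with the same `cn=vmail` bind DN, presumably the same tree the primary `ldapConfig` (defined above the hunk) already searches, while the only new directory data in this commit is the `dc=macher,dc=solutions` suffix added to slapd. If macher.solutions mailboxes are meant to live under that suffix the fallback should point there, `base = ou=users,dc=macher,dc=solutions`; if they stay in the cloonar tree, the extra `passdb`/`userdb` pair repeats the primary query and only adds a second LDAP round-trip per failed login. `auth_bind = no` together with `pass_attrs = mail=user,userPassword=password` means the vmail DN reads password hashes and verifies them locally, which depends on the `userPassword` ACL granting `read` to the `ou=system` subtree — a comment above `auth_bind` naming that dependency would keep the two files from drifting apart. The new `sed` line in `preStart` splices the secret into the `s///` expression, so a `/`, `&` or `\` in the password changes the substitution, and the resulting file holds the plaintext bind password with whatever umask the unit runs under; the four new `sed` lines in the postfix section share both properties, so a `umask 077` (or an explicit mode on the output) and a delimiter the secret cannot contain are worth adding in one place for both.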
@ -50,6 +50,7 @@ in
|
||||||
by self write
|
by self write
|
||||||
by anonymous auth
|
by anonymous auth
|
||||||
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
|
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
|
||||||
|
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
|
||||||
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
|
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
|
||||||
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
|
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
|
||||||
by * none
|
by * none
|
||||||
|
|
@ -290,6 +291,42 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"olcDatabase={3}mdb".attrs = {
|
||||||
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||||
|
|
||||||
|
olcDatabase = "{3}mdb";
|
||||||
|
olcDbDirectory = "/var/lib/openldap/data";
|
||||||
|
|
||||||
|
olcSuffix = "dc=macher,dc=solutions";
|
||||||
|
|
||||||
|
olcAccess = [
|
||||||
|
''
|
||||||
|
{0}to attrs=userPassword
|
||||||
|
by self write
|
||||||
|
by anonymous auth
|
||||||
|
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
|
||||||
|
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
|
||||||
|
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
|
||||||
|
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
|
||||||
|
by * none
|
||||||
|
''
|
||||||
|
''
|
||||||
|
{1}to attrs=pgpPublicKey
|
||||||
|
by self write
|
||||||
|
by anonymous read
|
||||||
|
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
|
||||||
|
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
|
||||||
|
by * read
|
||||||
|
''
|
||||||
|
''
|
||||||
|
{2}to *
|
||||||
|
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
|
||||||
|
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
|
||||||
|
by * read
|
||||||
|
''
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
"olcDatabase={5}mdb".attrs = {
|
"olcDatabase={5}mdb".attrs = {
|
||||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||||
|
|
||||||
|
|
|
||||||
|
|
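Review bot: The new `olcDatabase={3}mdb` uses `olcDbDirectory = "/var/lib/openldap/data";`, which reads like the directory of the existing database rather than a dedicated one; each mdb backend needs its own LMDB environment directory, so unless the cloonar database (outside the hunk) already lives elsewhere this should be a separate path, e.g. `olcDbDirectory = "/var/lib/openldap/<macher-dir>";` (placeholder name). The ACL block mirrors the cloonar `userPassword` rule visible in the first hunk, and its `{2}to *` entry ends in `by * read`, so the whole `dc=macher,dc=solutions` tree becomes anonymously readable — fine only if that is the intended exposure for mail and key lookups. In the first hunk, `by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write` lets the Authelia bind account set any user's password; Authelia only needs that for its password-reset feature, and it already gets `read` through the `ou=system` subtree rule, so `write` should be confirmed as required or reduced. A comment above that line recording why Authelia needs write access would make the grant reviewable later.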
@ -78,10 +78,67 @@ let
|
||||||
debuglevel = 0
|
debuglevel = 0
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
mailboxesFallback = pkgs.writeText "mailboxes-fallback.cf" ''
|
||||||
|
server_host = ldap://${ldapServer}
|
||||||
|
search_base = ou=users,dc=cloonar,dc=com
|
||||||
|
version = 3
|
||||||
|
bind = yes
|
||||||
|
start_tls = yes
|
||||||
|
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
|
||||||
|
bind_pw = @ldap-password@
|
||||||
|
scope = sub
|
||||||
|
query_filter = (&(mail=%s)(objectClass=mailAccount)(!(mailSendOnly=TRUE)))
|
||||||
|
result_attribute = mail
|
||||||
|
debuglevel = 0
|
||||||
|
'';
|
||||||
|
|
||||||
|
accountsmapFallback = pkgs.writeText "accountsmap-fallback.cf" ''
|
||||||
|
server_host = ldap://${ldapServer}
|
||||||
|
search_base = ou=users,dc=cloonar,dc=com
|
||||||
|
version = 3
|
||||||
|
bind = yes
|
||||||
|
start_tls = yes
|
||||||
|
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
|
||||||
|
bind_pw = @ldap-password@
|
||||||
|
scope = sub
|
||||||
|
query_filter = (&(objectClass=mailAccount)(mail=%s))
|
||||||
|
result_attribute = mail
|
||||||
|
debuglevel = 0
|
||||||
|
'';
|
||||||
|
|
||||||
|
aliasesFallback = pkgs.writeText "aliases-fallback.cf" ''
|
||||||
|
server_host = ldap://${ldapServer}
|
||||||
|
search_base = ou=aliases,dc=cloonar,dc=com
|
||||||
|
version = 3
|
||||||
|
bind = yes
|
||||||
|
start_tls = yes
|
||||||
|
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
|
||||||
|
bind_pw = @ldap-password@
|
||||||
|
scope = one
|
||||||
|
query_filter = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE)))
|
||||||
|
result_attribute = maildrop
|
||||||
|
debuglevel = 0
|
||||||
|
'';
|
||||||
|
|
||||||
|
senderLoginMapsFallback = pkgs.writeText "sender_login_maps-fallback.cf" ''
|
||||||
|
server_host = ldap://${ldapServer}
|
||||||
|
search_base = dc=cloonar,dc=com
|
||||||
|
version = 3
|
||||||
|
bind = yes
|
||||||
|
start_tls = yes
|
||||||
|
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
|
||||||
|
bind_pw = @ldap-password@
|
||||||
|
scope = sub
|
||||||
|
query_filter = (|(&(objectClass=mailAccount)(mail=%s))(&(objectClass=mailAlias)(mail=%s)))
|
||||||
|
result_attribute = maildrop, mail
|
||||||
|
debuglevel = 0
|
||||||
|
'';
|
||||||
|
|
||||||
helo_access = pkgs.writeText "helo_access" ''
|
helo_access = pkgs.writeText "helo_access" ''
|
||||||
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
||||||
cloonar.com REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
cloonar.com REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
||||||
ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
||||||
|
macher.solutions REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
@ -116,10 +173,10 @@ in
|
||||||
# smtp_bind_address6 = "2a01:4f9:2b:1605::1";
|
# smtp_bind_address6 = "2a01:4f9:2b:1605::1";
|
||||||
mailbox_transport = "lmtp:unix:private/dovecot-lmtp";
|
mailbox_transport = "lmtp:unix:private/dovecot-lmtp";
|
||||||
virtual_mailbox_domains = "ldap:/run/postfix/domains.cf";
|
virtual_mailbox_domains = "ldap:/run/postfix/domains.cf";
|
||||||
virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf";
|
virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf,ldap:/run/postfix/mailboxes-fallback.cf";
|
||||||
virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/aliases.cf";
|
virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/accountsmap-fallback.cf,ldap:/run/postfix/aliases.cf,ldap:/run/postfix/aliases-fallback.cf";
|
||||||
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
|
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
|
||||||
smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf";
|
smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf,ldap:/run/postfix/sender_login_maps-fallback.cf";
|
||||||
|
|
||||||
# Do not display the name of the recipient table in the "User unknown" responses.
|
# Do not display the name of the recipient table in the "User unknown" responses.
|
||||||
# The extra detail makes trouble shooting easier but also reveals information
|
# The extra detail makes trouble shooting easier but also reveals information
|
||||||
|
|
@ -222,6 +279,10 @@ in
|
||||||
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmap} > /run/postfix/accountsmap.cf
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmap} > /run/postfix/accountsmap.cf
|
||||||
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliases} > /run/postfix/aliases.cf
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliases} > /run/postfix/aliases.cf
|
||||||
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMaps} > /run/postfix/sender_login_maps.cf
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMaps} > /run/postfix/sender_login_maps.cf
|
||||||
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${mailboxesFallback} > /run/postfix/mailboxes-fallback.cf
|
||||||
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmapFallback} > /run/postfix/accountsmap-fallback.cf
|
||||||
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliasesFallback} > /run/postfix/aliases-fallback.cf
|
||||||
|
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMapsFallback} > /run/postfix/sender_login_maps-fallback.cf
|
||||||
'';
|
'';
|
||||||
|
|
||||||
security.dhparams = {
|
security.dhparams = {
|
||||||
|
|
|
||||||
|
|
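Review bot: All four fallback maps keep the cloonar `search_base` values (`ou=users,dc=cloonar,dc=com`, `ou=aliases,dc=cloonar,dc=com`, `dc=cloonar,dc=com`) and the same `bind_dn`, so unless their `query_filter` differs from the primary maps (outside the hunk) they return the entries the maps they are appended to in `virtual_mailbox_maps`, `virtual_alias_maps` and `smtpd_sender_login_maps` already return; if macher.solutions accounts live under the `dc=macher,dc=solutions` suffix added in this commit, the base should change, e.g. `search_base = ou=users,dc=macher,dc=solutions`. Postfix consults comma-separated maps in order and stops at the first hit, so a duplicate fallback is harmless for results but doubles LDAP traffic on every miss. The four new definitions differ from each other only in name, base, scope, filter and result attribute; a small helper taking those as arguments would keep the shared `server_host`, `bind_dn`, `start_tls` and `bind_pw` lines in one place.
```nix
# … unchanged: ldapServer and the primary map definitions …
mkLdapMap = name: { search_base, scope, query_filter, result_attribute }:
  pkgs.writeText name ''
    server_host = ldap://${ldapServer}
    search_base = ${search_base}
    version = 3
    bind = yes
    start_tls = yes
    bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
    bind_pw = @ldap-password@
    scope = ${scope}
    query_filter = ${query_filter}
    result_attribute = ${result_attribute}
    debuglevel = 0
  '';
mailboxesFallback = mkLdapMap "mailboxes-fallback.cf" {
  search_base = "ou=users,dc=cloonar,dc=com";
  scope = "sub";
  query_filter = "(&(mail=%s)(objectClass=mailAccount)(!(mailSendOnly=TRUE)))";
  result_attribute = "mail";
};
# … unchanged: accountsmapFallback, aliasesFallback, senderLoginMapsFallback built the same way …
```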
@ -194,6 +194,10 @@ in {
|
||||||
policy = "one_factor";
|
policy = "one_factor";
|
||||||
subject = "group:Mitarbeiter";
|
subject = "group:Mitarbeiter";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
policy = "one_factor";
|
||||||
|
subject = "group:macher.solutions";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
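Review bot: The new rule gives `group:macher.solutions` `one_factor` access, the same level as the internal `Mitarbeiter` group; if this group represents an external organisation's users, `policy = "two_factor";` is the safer default for whatever `domain` the rule covers (the `domain` key of this rule sits above the hunk). Authelia evaluates `access_control` rules top-down and applies the first match, so the new entry only affects requests the rules above it do not already match. A one-line comment stating which resources the macher.solutions group is meant to reach would make the intended exposure reviewable.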