From 1e096614b495079f2f366f53fe1d01df455cf982 Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Fri, 5 Jun 2020 14:14:46 +1000
Subject: [PATCH 1/5] mail: initial commit
---
 argocd/applications/mail.yaml | 16 ++++
 argocd/kustomization.yaml | 1 +
 cert-manager-issuers/prod_issuer.yaml | 1 +
 mail/README.md | 5 +
 mail/certificate.yaml | 12 +++
 mail/files/main.cf | 52 ++++++++++
 mail/files/master.cf | 125 ++++++++++++++++++++++++
 mail/files/userdb-aliases.cf | 7 ++
 mail/kustomization.yaml | 20 ++++
 mail/resources.yaml | 118 +++++++++++++++++++++++
 mail/secret-generator.yaml | 6 ++
 mail/secrets.enc.yaml | 133 ++++++++++++++++++++++++++
 12 files changed, 496 insertions(+)
 create mode 100644 argocd/applications/mail.yaml
 create mode 100644 mail/README.md
 create mode 100644 mail/certificate.yaml
 create mode 100644 mail/files/main.cf
 create mode 100644 mail/files/master.cf
 create mode 100644 mail/files/userdb-aliases.cf
 create mode 100644 mail/kustomization.yaml
 create mode 100644 mail/resources.yaml
 create mode 100644 mail/secret-generator.yaml
 create mode 100644 mail/secrets.enc.yaml
diff --git a/argocd/applications/mail.yaml b/argocd/applications/mail.yaml
new file mode 100644
index 0000000..4db0000
--- /dev/null
+++ b/argocd/applications/mail.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mail
+spec:
+ project: default
+ source:
+ repoURL: git@github.com:hashbang/gitops.git
+ path: mail/
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: mail
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
index dd2d7c5..122c775 100644
--- a/argocd/kustomization.yaml
+++ b/argocd/kustomization.yaml
@@ -17,6 +17,7 @@ resources:
 - applications/external-dns.yaml
 - applications/ingress-nginx.yaml
 - applications/ircd.yaml
+ - applications/mail.yaml
 - applications/monitoring.yaml
 - applications/mtls.yaml
 - applications/site.yaml
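Review bot: `targetRevision: HEAD` under `spec.source` follows whatever the default branch currently holds, so nothing in this manifest pins what Argo deploys into the mail namespace; that may be the intended GitOps flow, but the choice should be visible where the next reader looks, e.g. `targetRevision: HEAD  # tracks the default branch; set a tag or sha here to freeze mail`. `syncPolicy` only carries `CreateNamespace=true`, so syncs appear to be manual for this application; if the sibling applications listed in argocd/kustomization.yaml use `automated`, a one-line comment saying why mail differs would stop someone "fixing" it later.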
diff --git a/cert-manager-issuers/prod_issuer.yaml b/cert-manager-issuers/prod_issuer.yaml
index 8c8ddcd..b4654d8 100644
--- a/cert-manager-issuers/prod_issuer.yaml
+++ b/cert-manager-issuers/prod_issuer.yaml
@@ -16,6 +16,7 @@ spec:
 dnsZones:
 - "irc.hashbang.sh"
 - "hashbang.sh"
+ - "mail.hashbang.sh"
 dns01:
 route53:
 region: us-west-2
diff --git a/mail/README.md b/mail/README.md
new file mode 100644
index 0000000..ad349ba
--- /dev/null
+++ b/mail/README.md
@@ -0,0 +1,5 @@
+# Mail
+
+https://github.com/hashbang/docker-postfix
+
+Delivers mail to the shell servers
diff --git a/mail/certificate.yaml b/mail/certificate.yaml
new file mode 100644
index 0000000..0bd6dc0
--- /dev/null
+++ b/mail/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ namespace: mail
+ name: mail.hashbang.sh
+spec:
+ secretName: mail-certs
+ dnsNames:
+ - mail.hashbang.sh
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/mail/files/main.cf b/mail/files/main.cf
new file mode 100644
index 0000000..5b32a30
--- /dev/null
+++ b/mail/files/main.cf
@@ -0,0 +1,52 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
+smtpd_tls_key_file = /etc/postfix/certs/tls.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = no
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+smtp_dns_support_level = dnssec
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = mail.hashbang.sh
+relay_domains = hashbang.sh
+mydestination = mail.hashbang.sh, hashbang.sh, localhost.hashbang.sh, localhost
+mynetworks = 127.0.0.0/8 46.4.114.111
+relayhost =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+virtual_alias_maps = pgsql:/etc/postfix/userdb-aliases.cf
+
+message_size_limit = 52428800
+
+compatibility_level = 2
+
+# Support PROXY from load balancer
+postscreen_upstream_proxy_protocol = haproxy
diff --git a/mail/files/master.cf b/mail/files/master.cf
new file mode 100644
index 0000000..0d9f582
--- /dev/null
+++ b/mail/files/master.cf
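Review bot: `hashbang.sh` appears in both `mydestination` and `relay_domains`, which Postfix logs a warning about (a domain is either delivered locally or relayed, and the resolver picks one); given `virtual_alias_maps` rewrites users to their shell host, the domain probably belongs in only one of the two, and a comment next to whichever stays should say which delivery path is expected. `smtp_tls_security_level = dane` with `smtp_dns_support_level = dnssec` only yields DANE when the pod's resolver is DNSSEC-validating and returns the AD bit; with a typical cluster DNS it degrades to opportunistic TLS with a log warning, so a comment such as `# DANE requires a validating resolver -- check the smtp_dns_support_level warning in the log` keeps that from being mistaken for enforced TLS. `mynetworks = 127.0.0.0/8 46.4.114.111` grants unauthenticated relay to a bare address via `permit_mynetworks`; naming the host in a comment makes that trust decision auditable when the address changes. `permit_sasl_authenticated` in `smtpd_relay_restrictions` is inert because no SASL settings are present, which is fine as long as that stays deliberate.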
@@ -0,0 +1,125 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - 1 postscreen
+smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
diff --git a/mail/files/userdb-aliases.cf b/mail/files/userdb-aliases.cf
new file mode 100644
index 0000000..05f490c
--- /dev/null
+++ b/mail/files/userdb-aliases.cf
@@ -0,0 +1,7 @@
+# See pgsql_table(5)
+
+domain = hashbang.sh
+# TODO(daurnimator): DNS entry here had to be manually resolved
+hosts = postgresql://mail:userdb-mail-lookup@104.248.21.126:25060/userdb?sslmode=require
+dbname = userdb
+query = select name || '@' || host from passwd where name = '%u'
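Review bot: The file carries the Debian template's external `pipe(8)` transports (`maildrop`, `uucp`, `ifmail`, `bsmtp`, `scalemail-backend`, `mailman`), each of which runs a command as a named system user; nothing in main.cf references them, those binaries and users are unlikely to exist in the hashbang/postfix image, and every live transport is one more destination a transport_maps or alias mistake could route mail into. Dropping the unused `pipe` entries, or commenting them out the way `cyrus` already is, keeps master.cf to what this deployment actually runs; if they stay for diff-ability against the template, a header comment such as `# unused Debian-template pipe transports below; kept verbatim, nothing routes to them` records that. `submission` and `smtps` remain commented out, which is consistent with main.cf having no SASL configuration.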
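Review bot: `hosts` embeds the database password in the connection URL, and mail/kustomization.yaml ships this file through `configMapGenerator`, so the credential lands in a plain ConfigMap instead of the SOPS-encrypted `mail-secrets` Secret that already carries `aliases` and is mounted read-only at `/etc/postfix/secrets`. Moving userdb-aliases.cf into secrets.enc.yaml and pointing `virtual_alias_maps` at the secrets mount keeps it under the same encryption, RBAC and audit trail as the other secret material. The TODO about manually resolving the host is a sign the resolver path is not settled yet, which is worth closing before the config is relied on.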
diff --git a/mail/kustomization.yaml b/mail/kustomization.yaml
new file mode 100644
index 0000000..87e4ef5
--- /dev/null
+++ b/mail/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mail
+resources:
+ - resources.yaml
+ - certificate.yaml
+configMapGenerator:
+ - name: mail-config
+ files:
+ - files/main.cf
+ - files/master.cf
+ - files/userdb-aliases.cf
+generators:
+ - secret-generator.yaml
+images:
+ - name: hashbang/postfix
+ digest: sha256:1c9491593e383b95cde6c75a82abcfe2e12e4a26b1656abeaac0bf1f8209b9ee
+ - name: alpine
+ newTag: alpine:3.12.0
+ digest: sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65
diff --git a/mail/resources.yaml b/mail/resources.yaml
new file mode 100644
index 0000000..bf42a9b
--- /dev/null
+++ b/mail/resources.yaml
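Review bot: `newTag: alpine:3.12.0` for the `alpine` image looks like a full image reference pasted into the tag field; `newTag` takes only the tag, so the intended value is presumably `newTag: "3.12.0"`. Because `digest` is set on the same entry the digest is what actually pins the image, and depending on the kustomize version the bad tag is either ignored or combined with it, so the mistake is easy to miss in a rendered manifest; keep the digest (it is the supply-chain pin) and fix or drop the tag. For `hashbang/postfix` only a digest is given, which is fine, though a comment recording the upstream tag it was taken from makes future bumps reviewable.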
@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mail
+spec:
+ selector:
+ matchLabels:
+ app: mail
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: mail
+ spec:
+ shareProcessNamespace: true
+ containers:
+ - name: postfix
+ image: hashbang/postfix
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ ln -sf /etc/postfix/secrets/aliases /etc/aliases;
+ exec bash ./run.sh;
+ ports:
+ - containerPort: 25
+ name: smtp
+ readinessProbe:
+ tcpSocket:
+ port: 25
+ livenessProbe:
+ tcpSocket:
+ port: 25
+ volumeMounts:
+ - mountPath: /etc/postfix/main.cf
+ name: mail-config
+ subPath: main.cf
+ readOnly: true
+ - mountPath: /etc/postfix/master.cf
+ name: mail-config
+ subPath: master.cf
+ readOnly: true
+ - mountPath: /etc/postfix/userdb-aliases.cf
+ name: mail-config
+ subPath: userdb-aliases.cf
+ readOnly: true
+ - mountPath: /etc/postfix/secrets
+ name: mail-secrets
+ readOnly: true
+ - mountPath: /etc/postfix/certs
+ name: mail-certs
+ readOnly: true
+ - mountPath: /var/spool/postfix
+ name: mail-spool
+ - name: config-reloader
+ # image includes busybox's inotifyd + pkill
+ image: alpine
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ echo "Watching /etc/postfix/certs";
+ inotifyd - /etc/postfix/certs:wMymndox | while read -r notifies ; do
+ echo "notify received: $notifies";
+ echo "sending SIGHUP";
+ pkill -HUP tlsmgr;
+ done
+ echo "Exiting.";
+ volumeMounts:
+ - mountPath: /etc/postfix/certs
+ name: mail-certs
+ readOnly: true
+ volumes:
+ - name: mail-config
+ configMap:
+ name: mail-config
+ - name: mail-secrets
+ secret:
+ secretName: mail-secrets
+ - name: mail-certs
+ secret:
+ secretName: mail-certs
+ - name: mail-spool
+ persistentVolumeClaim:
+ claimName: mail-spool
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mail
+ labels:
+ app: mail
+ annotations:
+ service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+ external-dns.alpha.kubernetes.io/hostname: "mail.hashbang.sh"
+spec:
+ type: LoadBalancer
+ ports:
+ - name: smtp
+ port: 25
+ targetPort: 25
+ selector:
+ app: mail
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: mail-spool
+ labels:
+ app: mail
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/mail/secret-generator.yaml b/mail/secret-generator.yaml
new file mode 100644
index 0000000..3866e94
--- /dev/null
+++ b/mail/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: mail-secrets
+files:
+ - ./secrets.enc.yaml
diff --git a/mail/secrets.enc.yaml b/mail/secrets.enc.yaml
new file mode 100644
index 0000000..482fb2e
--- /dev/null
+++ b/mail/secrets.enc.yaml
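Review bot: The `config-reloader` sidecar reacts to certificate Secret changes with `pkill -HUP tlsmgr`, but as far as I can tell tlsmgr(8) owns the TLS session cache and PRNG state, not the server certificate: `smtpd_tls_cert_file` is read by each smtpd(8) process when it starts, so signalling tlsmgr does nothing for the certificate and a renewed one is only picked up as smtpd processes recycle. The documented refresh is `postfix reload`, i.e. SIGHUP to the master process, so the loop body should be `pkill -HUP master;` with a comment noting that smtpd loads the certificate at process start and that this just hurries the turnover along. Since the sidecar needs `shareProcessNamespace: true` and root in order to signal postfix's processes, a `securityContext` that drops all capabilities and sets a read-only root filesystem would narrow what an inotifyd or pkill bug could reach. Neither container sets resource requests/limits or an explicit `runAsUser`, and the `postfix` container's `/etc/aliases` symlink points at a read-only mount, so it is worth stating in a comment that run.sh is expected to build the `hash:` database elsewhere.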
@@ -0,0 +1,133 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mail-secrets +type: Opaque +stringData: + aliases: ENC[AES256_GCM,data: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,iv:YhRtkz4oL8wqN3W+CQyhwGwhNYKsmEQvga62wzc+gBI=,tag:9rkZ3caaI915ykCFchdxpA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + lastmodified: '2020-06-05T04:51:11Z' + mac: ENC[AES256_GCM,data:cZ0qg5FkUdVikeZzJ5IjFb0JigG7lNeA/xWFtS9w9Pg8KVLv7u7h06X/c/+0Ry4OUIzE25ql+D0Janks4b5KM313xc72vWsalFjXa6fGyWcRfjd3Vn7/QwBO0ENtekoHLtpuNpF1UWAv0L1AQ8zj0gTtDwtl2sFdWf7mzNRsf5k=,iv:srYI0LYqeSA7i8BMGriFnLSOxhDHNO1/qFc6czYSpEo=,tag:a62TNAotK7+jyQFxFmjm3Q==,type:str] + pgp: + - created_at: '2020-05-27T02:00:39Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA+pWRuJw67SWAQ/9GXIZFEp/v1IT68Ro9LOMEtxoi1rmzmJRYMca5Jgt7xf+ + V0Hyfpo0fl3/xZaLwd0bIBaE0pjnsPCwzCd+IologGctDD5/PwOtdXm6WS1Lh6vH + tvVOAo63RnyGqlwO2cXkKIOCzIF7LKJi8TxE0M4cEK2RkcYz7ukfvzyrbm+jLAYo + 3Ve2k9GL72VPLwo+o+WbrhGjqsf6Qy5D9OT45FPNXCC2EF6zDyRrJwYtRFU+lZcB + bBQc2aE90fVSxxMQ18VNW7VNFAOfMANPSOilrIfzoyZE8lxgAExgXRyrwRuVxKfL + UAws9jrXz72AYTkVoQ3tWJP3MgtnbdTS9A8kUJI0hIjnKTsUKwBZv3SJxvKBFV0y + 4Qnz/cXw0qYp/6zBEaM0tOq04LqmU8fuPtPZg4V9TKVCoMaCQrvgLj5nWS6UiIhF + 1LOQSxPEjBPApvht4bRexfOGIdMxJ7uqZTfBkpa1McoPQFvFLmY9TT9IHjqkhj2g + kLpDX/oKskHP9/4C4QJa93az983GITDER4AhMmMN6P21LTnlRpzxQ1wDryzF4HCW + 1lixCt8KSM1qA2yAnrdzf0spmYl1Hh948AzDuMI6YoMJkDnyKsMH0vboOQnidTjK + WRMxUAoYhTKoJ3WXL1csakLFMMtbtIPWPWrH4lnbXA9WK2f50X5Ka7vkMkvdsrfS + XgFMqlMJ/AvlaQKJfqtca0xn47K9+8KMx9iroBpT4H8ejFA76JpTx9MQTgb+voUO + nQ0Y+2qr27/lyR2Esv7q+jkXkGhNlpL0o2nE2ZRpUJ9bV713KJCSSViBPe87Npc= + =ZQHM + -----END PGP MESSAGE----- + fp: 1FD6667A0808D4D48BDB8757A61B48D8288FCF8A + - created_at: '2020-05-27T02:00:39Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA4FedWMNSzdLARAAoj7C/JHMHvgNkVqs+c0JrgbrIlue6GnmPrQIPeyZpqxw + Lu75lw/a/SyZhEoJpDfJIGpt8edBmVEb6qJiwdvwZPcIkak6yfj9tMqaIU6vpNqb + qgSzPQqsaojOpeH9A6RJARixdcXM3b4essnV4PXmMQ7IVZCmeOT22qQ+7Gk/oX2M + 
3eQ64x0mvSH1UNeo9BkzMD1vPEDa5pcUUBhzs8gT+IOpAq8EwKEAhna9JRnUDR9a + Ft4dyIREAO4evUtJ7ZtkZGEc2LpMkoK/lH9ljhUOjlAlSSC22Hpk5ol5Sg2pwCJJ + 931K1Ueptb+Cuhi/1NPk2XZKkVkQP5+Xglg5vI8e5jarXb0t0kKs7tjOlFc+0iRx + ToaSdHwSuPnskbVIOKgyvRml0uHnPmPpa+8ND6TxgBBa+Mb8tQnFNnkRKFz/19Ak + j9UAsVdJw+zU0KTTx4SiDRH39ydv2oeFLD20Oh80fqXyPcHc6jHsPEukn3A012Lm + p3BWab4WTaDBNCioWGtXKRHED3ZTorvSg1arbwHp1P3z/+8G3mJI9q0CvheMeG4k + j71YGeokktz626PT7LWBfViK60ZadmnHg6Cf/I19pd+Ai3FdsRadxLz/5jBiV2VE + 0j9WqtSXQSs7e9Xd85gEaEbLeKO1W7Ypa7Pmg86gJfaXHuWz4Cp3vDZdVhV161nS + 4AHkgmb1HMc7vAHPR0V+knYM9eGTfOCT4J3hRnLgauIfcvnI4GTlGpZO9NKaU22k + ZO/Gj//eS0JbkffL2GGFu8tA/eCakyrgq+S1MJe3HwUHzRL9AEonlt0O4ofNwT7h + SM0A + =nu7e + -----END PGP MESSAGE----- + fp: 954A3772D62EF90E4B31FBC6C91A9911192C187A + - created_at: '2020-05-27T02:00:39Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA4SNlT+wHnqoAQf/fB2EW5yaGESpPSLUcOXdEfQON/wqfR3EZroX34xNz3+4 + RLFOwo7PagIOMbugSfVbxt14RYbxWT9+43oGSgg1F4b5IuxIT1wUwLSrCnR/QE8z + VEZkf2/yuZ8k0+HB3wG7fgP10EYo236aoiaWC28kWivqO76W9+ZQCgVcL4Wj+XTe + ueIPDAyZrnXbd3GTAUl0/VBMoZKJMr8AIK/5ZCnwoILxGe6BQpX4qDxBFRg65Yf6 + 8nMoai6FxbGnuBdIL3fuQ1UAggYCou9iQZpp632f0yHZ+B4b1plEt/iVCgb8WH4v + paCGx836Um2uFXm0rCZB5whAasxNkY9Ik/nZxuPnodJeAVWjlcPPAY9cqo3fTnYK + tnSxZ970TwiNWCeocWL/VGNXAnaIkofldGMzFsIumLVuyhUe3NhfTRYbflDTxG2o + nLb/1mGv416ULuKEgX9j+fezJgOyMgOaeQfkS8dm0w== + =al2j + -----END PGP MESSAGE----- + fp: 8333F292B1BBD334A61E6F566785F7AF28DE7081 + - created_at: '2020-05-27T02:00:39Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA82rPM2mSf/aARAAon72nRRf9II/gY+zdEH4IyqIHOiCG4H8jLt2dm2CkfOV + q/kiZoL5KUL+L+bGbOOiqenBZI5w4U6Vva4ap8/UKbaLqK3yDVBd/WafJf58BUlq + u76cNhxn9rcTcHzJ22/bKEbGO0KbVdx7ibQ85OBvzF1cdrqr1cxr+nblff81gQ41 + H6OvNUCneQYI4Bq9OYfOnesLC6cYunk+eFHiNGmcAbT7gpF+RD3DsyBLGPFCFm+a + CMOkCaXRNKrQdf7lCJi1jiuTOoJwER5CdYnEPNoojQCVGDqtKPHgggC81fc8rqme + Y09Zh9X6wWiJdbOVXZDCATzF5it+tqNz8ZSq9kNdpaOXXMOoYXBpP0Jamt4rMQbn + MqDsy4HEpL6u7D+IEe3+lArXLRAeJ6KhMnQM9MjWjQwZ2l6Gcy914j3y1ItGguBc + 
Ohd2y0PynT3F2jzxhQhlQ4D5wYQM31jpiE6x0acsTbDFYHAYn7dRprH9BYY3Dgh1 + V9EQIYdWowl9pUBEQzsJ+dAOVjTtUv+O/UQJCuow0/66n44dZ4UEycU0+lLqrRiE + CLnxDMtXdimm5/SEOHHLjaR8q4rve9WfGujV1iQZPEuK73kVaa3TbsQtc19FwhGq + YxLJuRqyZ2eM82Fq92ibCjT6xpUSz3fFyZJSSI2nTIGtKLXOYoArSrOAOTzdun/S + 4AHkwZABmgQMa+15cThhPISJ9+HuNuBK4OrhQvDgz+JihNuC4MHlhlKev/A2BFYi + YwFEvbPkyGNjZNCiV+tWGtf4KL4skSTg8eTgOFfu1Jr2Q3lYtRa/Zl/a4mFUGMTh + 5G0A + =oGHl + -----END PGP MESSAGE----- + fp: 6B61ECD76088748C70590D55E90A401336C8AAA9 + - created_at: '2020-05-27T02:00:39Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6dhVUuTLV7oAQ/6AoEKc0aiAC16FTJEQVpsi5Y6ffxey6zKRJeyx/6480DF + Bkg2tfoT8bEDTNYi6EqPPM4Vef3tgoR+3KMlML6Mt1y77N5Knni93RSaCyeSKaa6 + 1AZaLtLc6a6UF/qLJJ5ISniRdiSmJAQFttARu6h35IJrZlfNEi8rvnlP7AZObc2d + qjKcSqNI0S3jvHam61xys93mmvQbTpGP+PE++1qlt53231KH/RrgNhPMFQij6d52 + Pfxicu9D+x7fcIkDVHIbh3ycQOTzKzi1zJQpzo0vIRK7zVMOGNBL4V3jlxN+JTFa + xDSTW+E46BnmG1kwVGsawkakDt4W1MOGzT3Nd1b4X6QuEEOvqVGAOaYoYatAk2D5 + qy3ov3jq36z5Nc1+Zm6hMq+KnSSSOez5YDxx89b3eMuAb10Z1IcJ3Owr/zeXDdzJ + tX3gRWL/Mq9StJMhaXd1gH5Ba7ZH/P+USk68uny1erIUG3oFxa0quwW5VycYWDQf + aVJuhwX9XxPvAnUz/BGGt+r6rpFNPtmb0hDYk+TIYElXRHi9jQxYiOeBXhq87iBF + U1Jv/tsXZMKnAK0l/xZrwihAa3ZZ5jp0djZ5Btff/0afbz44vAjhmagWRaNNdHdr + elITYEoqnG/XIEtSXu3VBM9ArAU2h+H2IpslohkaDE7WqCsLvNtIRyiG5a6wJjvS + XgFCmA5J+bqcFs+EEncWcvRepym+pgVzp2z1e2ZPrSYXeJYw/L+KkSSCb+48F5eE + bJHG57xw6Krtfb1T6kFErfmiCDjgaJJ0mJUJozfFYsxL+/AlTjKf+oA+qkHh7qw= + =SkM7 + -----END PGP MESSAGE----- + fp: FC2255B7BBC7EABD4EFAFA1068907D8BCCD85A5A + - created_at: '2020-05-27T02:00:39Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8KRInHl7Vz+AQ/+NzGqUvMLyF9GPB5zfJDLRcNe0DPdj3rEoszXcl0LBxBY + 27wekbYkiF/pS8+EqIzgfaVRNAx5IOQvotSomATXgZ10FiLSYksmka1wI6xKUqRf + Gygnevg5MykUa03RhTVlEmKew4GdObN8bmMmGiqSYgnMeLCYlfuUnCixg/g5jmer + kZ+QWrvfoHnqiV5WI7cySXh3+Q8Ndyj3YjhIvw6H3Pc+RaCQ8WQ/H7AQjGpJPNrZ + iLriNeKlNNJYfPM7FZCi/PAhmmVS8m+AyFuHTe9rP8RMLCMCxqKzRZGteUi+XIjV + 
+ Z3gSsHXe5WWoyAgi0ox8B1bs6qP5jHZoN8/hrdtZqXBt90FTp5UyxM/cwd7oUYok
+ Y8Ep/innfyrxjxE/ND07v29LhFnFpZJMm0Orgze4gAiTy6S/Urnt6TW3OJvJPWjK
+ sjyaGECL3efgcGXeSfJxmsErtR2QtHB1oeIYlMetyGfS5Oego0Vo9KZ8uPu/TB5W
+ XqtbWJpxXpxrCj8kIDec1P3AhBYAohZfmPw10nqWOLcQwJEZWrj80Lr8HNH8AjBj
+ 1dMGC0nPUlT4hsiXav3ZA4ecy8kY3B6VFcXufWm9MreOS+QFW+g4s3Gvr0aQEzbg
+ //Q7DKvfPmDtWQf62tqX6yYA2KS7GkX8jH7tHKUsPYSOIt7/7z0JXvRB1BU2uHDS
+ XgHL9LbfoxLCWIqyQsRpX3UVpMCg44RqIOmJDRwnV22g97YATblk8AwgqaIiJk9O
+ lJcRfr25f5Q9cXxU4LPbR6h7LRJsrNKquxtefdkz0SoRUQjE40xR00NJ7htQB5E=
+ =n94p
+ -----END PGP MESSAGE-----
+ fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
+ encrypted_regex: ^(data|stringData)$
+ version: 3.5.0
From caabd520de5eb228eaa383891073f36550fbbf9f Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Mon, 8 Jun 2020 11:45:49 +1000
Subject: [PATCH 2/5] mail: yaml dislikes lines that start with whitespace
---
 mail/files/master.cf | 31 +++++++++++--------------------
 1 file changed, 11 insertions(+), 20 deletions(-)
diff --git a/mail/files/master.cf b/mail/files/master.cf
index 0d9f582..5068e75 100644
--- a/mail/files/master.cf
+++ b/mail/files/master.cf
@@ -51,9 +51,9 @@ flush unix n - y 1000? 0 flush
 proxymap unix - - n - - proxymap
 proxywrite unix - - n - 1 proxymap
 smtp unix - - y - - smtp
-relay unix - - y - - smtp
- -o syslog_name=postfix/$service_name
-# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay unix - - y - - smtp -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5
+# -o smtp_connect_timeout=5
 showq unix n - y - - showq
 error unix - - y - - error
 retry unix - - y - - error
@@ -77,8 +77,7 @@ postlog unix-dgram n - n - 1 postlogd
 # maildrop. See the Postfix MAILDROP_README file for details.
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 #
-maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
 #
 # ====================================================================
 #
@@ -96,30 +95,22 @@ maildrop unix - n n - - pipe
 # Cyrus 2.1.5 (Amos Gouaux)
 # Also specify in main.cf: cyrus_destination_recipient_limit=1
 #
-#cyrus unix - n n - - pipe
-# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#cyrus unix - n n - - pipe user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 #
 # ====================================================================
 # Old example of delivery via Cyrus.
 #
-#old-cyrus unix - n n - - pipe
-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
 #
 # ====================================================================
 #
 # See the Postfix UUCP_README file for configuration details.
 #
-uucp unix - n n - - pipe
- flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 #
 # Other external delivery methods.
 #
-ifmail unix - n n - - pipe
- flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-bsmtp unix - n n - - pipe
- flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
-scalemail-backend unix - n n - 2 pipe
- flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
-mailman unix - n n - - pipe
- flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- ${nexthop} ${user}
+ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
From d5e4e94bd5a19cc035c39670460b4a74c7e74f08 Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Mon, 8 Jun 2020 11:46:56 +1000
Subject: [PATCH 3/5] mail: disable chroot
postfix IRC channel don't recommend it
---
 mail/files/master.cf | 50 ++++++++++++++++++++++----------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/mail/files/master.cf b/mail/files/master.cf
index 5068e75..6859141 100644
--- a/mail/files/master.cf
+++ b/mail/files/master.cf
@@ -9,11 +9,11 @@
 # service type private unpriv chroot wakeup maxproc command + args
 # (yes) (yes) (no) (never) (100)
 # ==========================================================================
-smtp inet n - y - 1 postscreen
-smtpd pass - - y - - smtpd
-#dnsblog unix - - y - 0 dnsblog
-#tlsproxy unix - - y - 0 tlsproxy
-#submission inet n - y - - smtpd
+smtp inet n - n - 1 postscreen
+smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+#submission inet n - n - - smtpd
 # -o syslog_name=postfix/submission
 # -o smtpd_tls_security_level=encrypt
 # -o smtpd_sasl_auth_enable=yes
@@ -25,7 +25,7 @@ smtpd pass - - y - - smtpd
 # -o smtpd_recipient_restrictions=
 # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 # -o milter_macro_daemon_name=ORIGINATING
-#smtps inet n - y - - smtpd
+#smtps inet n - n - - smtpd
 # -o syslog_name=postfix/smtps
 # -o smtpd_tls_wrappermode=yes
 # -o smtpd_sasl_auth_enable=yes
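Review bot: Flipping the chroot column to `n` for every service removes a defence-in-depth layer the Debian template enables by default, and the only rationale is the one line in the commit message; the same change continues in the `@@ -25,7` and `@@ -36,33` hunks. The decision is defensible here, since the process already runs inside a container and `/var/spool/postfix` is a PVC that nothing in this series populates with the `etc/` files a chrooted smtp(8) or tlsmgr(8) would need (resolv.conf for the DANE lookups, for instance), but it should be recorded where the next template refresh will see it, e.g. a header comment `# chroot disabled on purpose: the container is the isolation boundary and the spool PVC is not populated for a jail; see commit d5e4e94`. `local`, `virtual`, `proxymap` and `qmgr` were already `n`, so the jail is the only thing lost.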
@@ -36,33 +36,33 @@ smtpd pass - - y - - smtpd
 # -o smtpd_recipient_restrictions=
 # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 # -o milter_macro_daemon_name=ORIGINATING
-#628 inet n - y - - qmqpd
-pickup unix n - y 60 1 pickup
-cleanup unix n - y - 0 cleanup
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
 qmgr unix n - n 300 1 qmgr
 #qmgr unix n - n 300 1 oqmgr
-tlsmgr unix - - y 1000? 1 tlsmgr
-rewrite unix - - y - - trivial-rewrite
-bounce unix - - y - 0 bounce
-defer unix - - y - 0 bounce
-trace unix - - y - 0 bounce
-verify unix - - y - 1 verify
-flush unix n - y 1000? 0 flush
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
 proxymap unix - - n - - proxymap
 proxywrite unix - - n - 1 proxymap
-smtp unix - - y - - smtp
-relay unix - - y - - smtp -o syslog_name=postfix/$service_name
+smtp unix - - n - - smtp
+relay unix - - n - - smtp -o syslog_name=postfix/$service_name
 # -o smtp_helo_timeout=5
 # -o smtp_connect_timeout=5
-showq unix n - y - - showq
-error unix - - y - - error
-retry unix - - y - - error
-discard unix - - y - - discard
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
 local unix - n n - - local
 virtual unix - n n - - virtual
-lmtp unix - - y - - lmtp
-anvil unix - - y - 1 anvil
-scache unix - - y - 1 scache
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
 postlog unix-dgram n - n - 1 postlogd
 #
 # ====================================================================
From 61438d8d32d5d808f85007f617a0a15f16d080f4 Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Mon, 8 Jun 2020 11:50:44 +1000
Subject: [PATCH 4/5] mail: use hostname for postgres database
---
 mail/files/userdb-aliases.cf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/mail/files/userdb-aliases.cf b/mail/files/userdb-aliases.cf
index 05f490c..ee473ed 100644
--- a/mail/files/userdb-aliases.cf
+++ b/mail/files/userdb-aliases.cf
@@ -1,7 +1,6 @@
 # See pgsql_table(5)
 
 domain = hashbang.sh
-# TODO(daurnimator): DNS entry here had to be manually resolved
-hosts = postgresql://mail:userdb-mail-lookup@104.248.21.126:25060/userdb?sslmode=require
+hosts = postgresql://mail:userdb-mail-lookup@userdb-attempt-too-do-user-989073-0.db.ondigitalocean.com:25060/userdb?sslmode=require
 dbname = userdb
 query = select name || '@' || host from passwd where name = '%u'
From 9ee4b436c7c66117f659f304a0f3da84b72c88a2 Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Mon, 8 Jun 2020 11:51:56 +1000
Subject: [PATCH 5/5] mail: remove redundant dbname field
---
 mail/files/userdb-aliases.cf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/mail/files/userdb-aliases.cf b/mail/files/userdb-aliases.cf
index ee473ed..1c18468 100644
--- a/mail/files/userdb-aliases.cf
+++ b/mail/files/userdb-aliases.cf
@@ -2,5 +2,4 @@
 
 domain = hashbang.sh
 hosts = postgresql://mail:userdb-mail-lookup@userdb-attempt-too-do-user-989073-0.db.ondigitalocean.com:25060/userdb?sslmode=require
-dbname = userdb
 query = select name || '@' || host from passwd where name = '%u'
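Review bot: Now that `hosts` addresses the database by name, the connection can verify the server's certificate, and the `sslmode=require` carried over from the IP form does not: it encrypts but accepts any certificate, so whatever DNS or routing points the name at receives the `mail` user's password and can answer alias lookups as it likes. Switching to `sslmode=verify-full` and adding an `sslrootcert` path for the provider CA (mounted alongside the config) closes that; with the IP removed there is no longer a reason to stay on `require`. The TODO about manual resolution is dropped along with the address, so a short comment confirming the cluster resolver now resolves this name from the mail pod would document why the TODO went away.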