From 6dc788f36934340710758614b5c44527b1e3e570 Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Thu, 7 Jan 2021 17:13:22 +0000
Subject: [PATCH] Postfix & Dovecot changes batch

- Use PGSQL directly from postfix
- Fix queries
- Remove auth socket
- Change domain temporarily to mailtest.redxen.eu
- Change TLS settings
- Re-enable chroots where auth socket isn't required anymore
- Add DNS records for unbound
- Add postfix to pgsql hba
- Use pre-built runfile instead of upstream to fix a "feature"
---
 .gitignore | 2 +
 configs/dovecot/APKBUILD | 8 ++--
 configs/dovecot/README.md | 2 +-
 configs/dovecot/base.sql | 11 +++---
 configs/dovecot/dovecot.conf | 9 -----
 configs/postfix/APKBUILD | 20 ++++++----
 configs/postfix/main.cf | 17 ++++----
 configs/postfix/master.cf | 5 +--
 configs/postgresql/APKBUILD | 4 +-
 configs/postgresql/pg_hba.conf | 1 +
 configs/unbound/APKBUILD | 4 +-
 configs/unbound/zones/redxen.eu | 3 +-
 openrc/postfix/APKBUILD | 11 +++---
 openrc/postfix/conffile | 1 +
 openrc/postfix/runfile | 69 +++++++++++++++++++++++++++++++++
 15 files changed, 118 insertions(+), 49 deletions(-)
 create mode 100644 openrc/postfix/runfile

diff --git a/.gitignore b/.gitignore
index 43a2424..dc3b519 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,5 @@ configs/grafana/grafana.ini
 configs/pleroma/secret.exs
 configs/gitea/gitea.ini
 configs/dovecot/pgsql.conf
+configs/postfix/pgsql-aliases.cf
+configs/postfix/pgsql-users.cf
diff --git a/configs/dovecot/APKBUILD b/configs/dovecot/APKBUILD
index 1eaaa3e..5f2324e 100644
--- a/configs/dovecot/APKBUILD
+++ b/configs/dovecot/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Alex Denes
 # Maintainer: Alex Denes
 pkgname=redxen-config-dovecot
-pkgver=2021.01.06
-pkgrel=4
+pkgver=2021.01.07
+pkgrel=0
 pkgdesc="Dovecot configuration"
 url="https://git.redxen.eu/RedXen"
 arch="noarch"
@@ -23,6 +23,6 @@ package() {
 install -d "$pkgdir"/var/mail
 }
 
-sha512sums="14c83a329c6bd6705e4fcdae68b309a0e083ab94afa8d7ca855a98fbb96bb842cf0927c5a5871c9c25b78092e643158169925944e7b18e490602f3849a5d1542 dovecot.conf
-5dd060068e0d54a3e5c4dbd259935adc70add545628c6c5dac64f93889771729418397656a7cb4a2bb62ec28c5673190edbf824ae05192a001bce07d97b58426 pgsql.conf
+sha512sums="00dcd8cae91bdddaa6e55cca6060d326ea38716426c028a5e481d55893df818236ec2556d8d496502cc356b5b53d71c76cdcf4cdee713242ceee10061f2a0714 dovecot.conf
+d4646d31915b6fc0df7cc9c06d66c369f6a622f2f0c783fd9463a05a53d1b3b3ba2ebcbe32b2391f0e44fe2a67c6eeeef3b00d3067325152054e184ac67ff745 pgsql.conf
 e305a5ee8196f09d805278acf27a2b66eae9c9e3c6e3458bca391597b1c720c063f8c92034d1af070c750fd0858da7eaa16e75a3b060064eac6b5bcb7b2452e7 rspamd.sieve"
diff --git a/configs/dovecot/README.md b/configs/dovecot/README.md
index 7cfe378..53e514d 100644
--- a/configs/dovecot/README.md
+++ b/configs/dovecot/README.md
@@ -3,7 +3,7 @@ NOTE: THIS SETUP DOESN'T HANDLE PER-DOMAIN USERS
 
 First create the database and the tables by importing base.sql
 
-Then change the password with `ALTER USER dovecot PASSWORD '...';`
+Then change the password with `ALTER ROLE dovecot PASSWORD '...';`
 
 Adding users:
 
diff --git a/configs/dovecot/base.sql b/configs/dovecot/base.sql
index 9d5a982..1fb3d48 100644
--- a/configs/dovecot/base.sql
+++ b/configs/dovecot/base.sql
@@ -1,4 +1,3 @@
-CREATE USER dovecot PASSWORD 'CHANGEME' WITH LOGIN;
 CREATE DATABASE mail OWNER postgres;
 CREATE TABLE users (
 userid VARCHAR(128) NOT NULL,
@@ -11,8 +10,10 @@ CREATE TABLE aliases (
 target VARCHAR(128) NOT NULL,
 alias VARCHAR(128) NOT NULL,
 active boolean NOT NULL,
- PRIMARY KEY (target),
- UNIQUE (alias),
- FOREIGN KEY (target) REFERENCES users (userid)
+ PRIMARY KEY (alias),
+ UNIQUE (alias)
 );
-GRANT SELECT ON TABLE users, aliases TO dovecot;
+CREATE ROLE dovecot PASSWORD 'CHANGEME' LOGIN;
+GRANT SELECT ON TABLE users TO dovecot;
+CREATE ROLE postfix PASSWORD 'CHANGEME' LOGIN;
+GRANT SELECT ON TABLE users, aliases TO postfix;
diff --git a/configs/dovecot/dovecot.conf b/configs/dovecot/dovecot.conf
index c9eaaf3..325094c 100644
--- a/configs/dovecot/dovecot.conf
+++ b/configs/dovecot/dovecot.conf
@@ -49,15 +49,6 @@ service imap-login {
 }
 }
 
-service auth {
- unix_listener auth {
- mode = 0660
- user = dovecot
- group = mail
- }
- user = root
-}
-
 service lmtp {
 unix_listener lmtp {
 mode = 0660
diff --git a/configs/postfix/APKBUILD b/configs/postfix/APKBUILD
index 5796077..466c80c 100644
--- a/configs/postfix/APKBUILD
+++ b/configs/postfix/APKBUILD
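Review bot: Both new roles are created with a literal well-known password in `CREATE ROLE dovecot PASSWORD 'CHANGEME' LOGIN;` and `CREATE ROLE postfix PASSWORD 'CHANGEME' LOGIN;`, and since pg_hba.conf in this same patch exposes both roles over the network, anyone who imports base.sql and skips the follow-up step (the README only documents the ALTER ROLE for dovecot, not for postfix) leaves two reachable accounts with a guessable password. Create the roles without a password (`CREATE ROLE postfix LOGIN;`) and set it out of band, or at least document the ALTER ROLE step for both roles. Separately, the hunk drops `FOREIGN KEY (target) REFERENCES users (userid)` without replacement, so an alias may now point at a userid that does not exist; if that is intentional because target may hold a non-local forwarding address, a comment on the table saying so would help the next reader. `UNIQUE (alias)` is redundant with `PRIMARY KEY (alias)` on the line above and can be dropped.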
@@ -1,24 +1,30 @@
 # Contributor: Alex Denes
 # Maintainer: Alex Denes
 pkgname=redxen-config-postfix
-pkgver=2021.01.06
-pkgrel=0
+pkgver=2021.01.07
+pkgrel=2
 pkgdesc="Postfix configuration files"
 url="https://git.redxen.eu/RedXen"
 arch="noarch"
 license="none"
-depends="postfix redxen-secret-letsencrypt-chain redxen-secret-letsencrypt-private"
+depends="postfix postfix-pgsql redxen-secret-letsencrypt-chain redxen-secret-letsencrypt-private"
 options="!check"
 install="$pkgname.pre-install"
 source="
 master.cf
 main.cf
+ pgsql-aliases.cf
+ pgsql-users.cf
 "
 
 package() {
- install -Dm644 master.cf "$pkgdir"/etc/postfix.redxen/master.cf
- install -Dm644 main.cf "$pkgdir"/etc/postfix.redxen/main.cf
+ install -Dm644 master.cf "$pkgdir"/etc/postfix/redxen/master.cf
+ install -Dm644 main.cf "$pkgdir"/etc/postfix/redxen/main.cf
+ install -Dm644 pgsql-aliases.cf "$pkgdir"/etc/postfix/redxen/pgsql-aliases.cf
+ install -Dm644 pgsql-users.cf "$pkgdir"/etc/postfix/redxen/pgsql-users.cf
 }
 
-sha512sums="2138eadcfd40ffd952767ecb0a288ceb2bdc93b830612c7499f55cd107ac91b3f5514a7c299cd72a17696cff52d71dc6548291ed93394790941efe4ec9362480 master.cf
-1b475ab41aa1990432ceb88f968646043baf2fa955401ed352c7e452b421d6e701373782c98081791072cb1fde508903f4482fd853d625a0fb5490794369e388 main.cf"
+sha512sums="e90b800f4be6ccaae76fa0bb9037005820c1a1aa1da7ed1e23cecb87a59b43901aa6a684445348c8f66c09d9e1a1de46818b57ae164f35ce4a1ae5363b12cc63 master.cf
+761c774435813be60d6f0bf0d71742c270fc7d3c760922dec172653dc70dd2bdae4d79a0f019ea7c9c59063280d78b500200cecce47a45fc000b318d546cd386 main.cf
+a1778901dbc12de543d9d5897b9d50ee5ebe47b7ef6ed87a0087249657f146ff8493de455d32016660cca3c8d669592e0ea9fbe9b6696d92cac6f014277f29e5 pgsql-aliases.cf
+72c50fe20b4d1a7ea2e60fb2cac0164814ab41011eb7f0d67a8a5715a0cc43d3ad573f198a7933eb130f68ec5c25c558fad791300e5bb25e020ca76a4303db4c pgsql-users.cf"
diff --git a/configs/postfix/main.cf b/configs/postfix/main.cf
index 9ff1458..b7b14b5 100644
--- a/configs/postfix/main.cf
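Review bot: `install -Dm644 pgsql-aliases.cf` and `install -Dm644 pgsql-users.cf` leave the two files that carry the postfix database password world-readable under /etc/postfix/redxen (they are gitignored in this same patch precisely because they hold a secret). Postfix's PGSQL_README asks for mode 0640 root:postfix, and because `proxy:` maps are read by proxymap(8) running as the postfix user that is sufficient, so `install -Dm640 -g postfix pgsql-users.cf ...` (with the same for pgsql-aliases.cf; fix ownership in the existing pre-install script if abuild's fakeroot does not carry the group through) is the mode these two lines want. Note also that the files are excluded from git while their sha512sums are committed: the map file format is mostly fixed (hosts/user/password/dbname/query), so if the password is not high-entropy a committed checksum lets anyone with the repository brute-force it offline; consider shipping these files through the same secret-package mechanism already used for the letsencrypt material instead.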
+++ b/configs/postfix/main.cf
@@ -4,15 +4,18 @@ smtpd_banner = $myhostname ESMTP RedXen Mail. DO NOT MESS WITH US OR WE WILL CUT
 inet_interfaces = all
 inet_protocols = all
 
-myorigin = redxen.eu
+myorigin = mailtest.redxen.eu
 myhostname = mail.$myorigin
 mydomain = $myorigin
-mydestination = mail.redxen.eu, smtp.redxen.eu, redxen.eu
+mydestination = mail.$myorigin, $myorigin
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 relayhost =
 relay_domains = $mydestination
 
 
+alias_maps = proxy:pgsql:/etc/postfix/redxen/pgsql-aliases.cf
+local_recipient_maps = proxy:pgsql:/etc/postfix/redxen/pgsql-users.cf $alias_maps
+
 biff = no
 append_dot_mydomain = no
 delay_warning_time = 1h
@@ -25,12 +28,12 @@ notify_classes = resource, software, bounce
 # SMTP TLS
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_security_level = may
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
 smtpd_use_tls = yes
 smtpd_tls_cert_file = /etc/ssl/redxen/letsencrypt/chain.crt
 smtpd_tls_key_file = /etc/ssl/redxen/letsencrypt/private.key
-smtpd_tls_security_level = encrypt
+smtpd_tls_security_level = may
+smtpd_tls_protocols = !SSLv2, !SSLv3
 
 # Restrictions
 smtpd_sender_restrictions = reject_unknown_sender_domain
@@ -47,12 +50,6 @@ smtpd_recipient_restrictions = permit_sasl_authenticated,
 reject_rhsbl_sender dbl.spamhaus.org
 smtpd_helo_restrictions = reject_rhsbl_helo dbl.spamhaus.org
 
-# Dovecot auth
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = /run/dovecot/auth
-smtpd_sasl_security_options=noanonymous
-smtpd_sasl_local_domain=$myhostname
-
 # Dovecot LMTP
 mailbox_transport = lmtp:unix:/run/dovecot/lmtp
 
diff --git a/configs/postfix/master.cf b/configs/postfix/master.cf
index 450d54b..774c537 100644
--- a/configs/postfix/master.cf
+++ b/configs/postfix/master.cf
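Review bot: Lowering `smtpd_tls_security_level = encrypt` to `may` is correct for a public port 25 (RFC 5321 servers must accept cleartext there), but nothing in this hunk stops AUTH from being offered before STARTTLS, and master.cf in this same patch still sets `-o smtpd_sasl_auth_enable=yes` on submission and smtps, so clients can now send credentials in the clear; add `smtpd_tls_auth_only = yes` beside the changed line so AUTH is only advertised inside TLS. `smtpd_tls_protocols = !SSLv2, !SSLv3` matches the long-standing Postfix default and therefore changes nothing while still allowing TLS 1.0 and 1.1; `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` together with the same value for `smtpd_tls_mandatory_protocols` is what a current deployment wants. Removing the client-side `smtp_tls_session_cache_database` is harmless.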
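Review bot: Removing `smtpd_sasl_type = dovecot` and `smtpd_sasl_path = /run/dovecot/auth` leaves `permit_sasl_authenticated` in `smtpd_recipient_restrictions` (visible as context at the top of this hunk) and, in master.cf in this same patch, `-o smtpd_sasl_auth_enable=yes` on the smtp, submission and smtps services, with no SASL backend configured any more. smtpd_sasl_type then falls back to Postfix's default (cyrus), so either every AUTH attempt fails, or, if a Cyrus saslauthd happens to be installed (the new runfile's `use ... saslauthd` suggests one may be), authentication is silently handed to a backend nobody reviewed. Either keep these lines and restore a Dovecot auth listener that Postfix can reach, or remove `smtpd_sasl_auth_enable=yes` and `permit_sasl_authenticated` in the same change so the intent (no SMTP AUTH on this host) is explicit.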
@@ -5,10 +5,9 @@ submission inet n - y - - smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 
-smtp unix - - n - - smtp
-smtp inet n - n - - smtpd
+smtp inet n - y - - smtpd
 -o smtpd_sasl_auth_enable=yes
-smtps inet n - n - - smtpd
+smtps inet n - y - - smtpd
 -o smtpd_sasl_auth_enable=yes
 -o syslog_name=postfix/$service_name
 -o smtpd_tls_wrappermode=yes
diff --git a/configs/postgresql/APKBUILD b/configs/postgresql/APKBUILD
index 84c7b7a..fd4d810 100644
--- a/configs/postgresql/APKBUILD
+++ b/configs/postgresql/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Alex Denes
 # Maintainer: Alex Denes
 pkgname=redxen-config-postgresql
-pkgver=2021.01.04
+pkgver=2021.01.07
 pkgrel=0
 pkgdesc="PostgreSQL configuration files"
 url="https://git.redxen.eu/RedXen"
@@ -23,5 +23,5 @@ package() {
 }
 
 sha512sums="8bb7d9a9c442da7652a79f70f5ab253cab68cdc98652c8e3a9a90bacb953db8de9811a6fdec70b1eaa8552217240cb633ca3d7a3e5c8b9eed423532532dbbc67 postgresql.conf
-23c7a029af7d130e177241542626e5b96acc94c4575cdb575ef6116f5335c1133fed5d833b2635b0be2837b8a48ed9fc615b635ce1d7598705d25d3ebfe08a93 pg_hba.conf
+fc4faccaf8d8a7e0a683e20b959a0ca1c6aa8b190ab1e5f1568deb9483329e82a43264ff676845eeafd4f6c8d812ce2648702ba3ea52de4eadff8dbafece274b pg_hba.conf
 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e pg_ident.conf"
diff --git a/configs/postgresql/pg_hba.conf b/configs/postgresql/pg_hba.conf
index 3053aa6..21463c5 100644
--- a/configs/postgresql/pg_hba.conf
+++ b/configs/postgresql/pg_hba.conf
@@ -3,5 +3,6 @@ host murmur murmur 0200::/7 md5
 host grafana grafana 0200::/7 md5
 host gitea gitea 0200::/7 md5
 host mail dovecot 0200::/7 md5
+host mail postfix 0200::/7 md5
 host all telegraf 127.0.0.1/32 md5
 host all telegraf ::1/128 md5
diff --git a/configs/unbound/APKBUILD b/configs/unbound/APKBUILD
index 4ad8347..85cebd0 100644
--- a/configs/unbound/APKBUILD
+++ b/configs/unbound/APKBUILD
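Review bot: Deleting `smtp unix - - n - - smtp` removes the SMTP client delivery agent, not a duplicate listener: `default_transport` and `relay_transport` both default to the `smtp` transport, so outbound delivery to any remote domain will defer with "mail transport unavailable" unless that service is defined further down master.cf outside this hunk. The only change this line needed was the chroot column, so restoring `smtp unix - - y - - smtp` (chrooted like the listeners, since `proxy:` maps and TLS material are read outside the chroot) is the fix. `smtp inet n - y - - smtpd` with `-o smtpd_sasl_auth_enable=yes` also keeps AUTH enabled on port 25, where it mostly serves credential-stuffing bots; AUTH belongs on submission and smtps only. Re-enabling chroot on the smtpd listeners is fine with `proxy:pgsql` maps because proxymap itself is not chrooted.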
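Review bot: `host mail postfix 0200::/7 md5` lets the postfix role log in from the whole 0200::/7 prefix (presumably an overlay network, going by the other entries) with md5 password authentication, which PostgreSQL has deprecated in favour of scram-sha-256 since version 10 and which is vulnerable to replay of the stored hash. Prefer `host mail postfix <mail-host>/128 scram-sha-256`, narrowed to the address the mail server actually uses, and set `password_encryption = scram-sha-256` in postgresql.conf before running the ALTER ROLE from the README so the stored verifier matches the auth method. The dovecot entry above has the same weakness but is not touched by this patch.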
@@ -2,7 +2,7 @@
 # Maintainer: Alex Denes
 pkgname=redxen-config-unbound
 pkgver=2021.01.06
-pkgrel=1
+pkgrel=3
 pkgdesc="Unbound configurations and some other stuff."
 url="https://git.redxen.eu/RedXen"
 arch="noarch"
@@ -63,4 +63,4 @@ d3754ced9d8055ff7f1d364a93c403bba3f220a60ea519bceee5e9c43112d6a00d20d15cf659fdd6
 d94ad338e2ea43c3ecdc62c861eddc0bb706807b738dd985309bcdf0b5fb435d7260bf272e2bbe40a774ec5b8fa49cbf23624c2c5213eea94f4f14aa3720abfa rctrl.conf
 2183abc076166cd2026ccbf8d65e51870ca26a6fe11fbe48f2dbf9e8b8801b8b7c91c3607b2a48a254aeb8e364564fea361a2e3eccf13e0477542f7f3919bb5c internal.conf
 28c917fe7f69643887097553312c4f1ffc747dffdbf150430e6c4b2e5833567922810716cb59a27887915664777ac3263be3c826956f504499f0ebdcc0b3aac5 auth-zones.conf
-45ac400a46c81b4e5adde43bc832f0b45c101883ebea5b1621b36e658c29e37b88af135ee4fa1e55f67e4cffedf4d330be09f75c218ca8d8834bed8b775c9726 redxen.eu"
+76794d08af7716f6b862969cded7a1f50c6c5cab0e0257b5362f26aeee22e003c2803cda23f5c335e252c4edae1165359d67467b43baba89513d682a5f35fb50 redxen.eu"
diff --git a/configs/unbound/zones/redxen.eu b/configs/unbound/zones/redxen.eu
index 8fb293a..e60c2c6 100644
--- a/configs/unbound/zones/redxen.eu
+++ b/configs/unbound/zones/redxen.eu
@@ -54,7 +54,8 @@ seed.redxen.eu. 86400 IN CNAME redxen.eu.
 wireguard.redxen.eu. 86400 IN CNAME 9013723.fsn1-dc14.hetzner.redxen.eu.
 
 ; Mail (staging)
-newmail.redxen.eu. 86400 IN CNAME 9227948.nbg1-dc3.hetzner.redxen.eu.
+mailtest.redxen.eu. 86400 IN MX 10 mail.mailtest.redxen.eu.
+mail.mailtest.redxen.eu. 86400 IN CNAME 9227948.nbg1-dc3.hetzner.redxen.eu.
 
 ; Mumble
 _mumble._tcp.redxen.eu. 86400 IN SRV 0 5 64738 8101153.nbg1-dc3.hetzner.redxen.eu.
diff --git a/openrc/postfix/APKBUILD b/openrc/postfix/APKBUILD
index e6e862e..17a9db2 100644
--- a/openrc/postfix/APKBUILD
+++ b/openrc/postfix/APKBUILD
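Review bot: `mailtest.redxen.eu. 86400 IN MX 10 mail.mailtest.redxen.eu.` points the MX at a name that the very next line defines as a CNAME; RFC 2181 section 10.3 forbids an MX target being an alias, and some sending MTAs refuse or misroute such mail. Give `mail.mailtest.redxen.eu` its own A/AAAA records, or point the MX directly at `9227948.nbg1-dc3.hetzner.redxen.eu.` (assuming that name carries address records). The hunk also adds no SPF or DMARC for the new domain, so mail claiming to be from mailtest.redxen.eu can be forged freely and legitimate test mail will likely be scored as spam; even for staging, `mailtest.redxen.eu. 86400 IN TXT "v=spf1 mx -all"` next to the MX is cheap and keeps the test domain from becoming a spoofing vector.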
@@ -1,8 +1,8 @@
 # Contributor: Alex Denes
 # Maintainer: Alex Denes
 pkgname=redxen-openrc-postfix
-pkgver=2020.12.10
-pkgrel=0
+pkgver=2021.01.06
+pkgrel=3
 pkgdesc="Postfix OpenRC service files"
 url="https://git.redxen.eu/RedXen"
 arch="noarch"
@@ -10,13 +10,14 @@ license="none"
 depends="openrc postfix-openrc redxen-config-postfix"
 options="!check"
 source="
+ runfile
 conffile
 "
 builddir="$srcdir"
 package() {
- mkdir -p "$pkgdir"/etc/init.d
- ln -s postfix "$pkgdir"/etc/init.d/postfix.redxen
+ install -Dm755 runfile "$pkgdir"/etc/init.d/postfix.redxen
 install -Dm644 conffile "$pkgdir"/etc/conf.d/postfix.redxen
 }
 
-sha512sums="cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e conffile"
+sha512sums="f810dcb32530c60c48f813a5a6741763bbf34b4d1cac961cdab9eb3e072174a982040a93319aef08b3dc74de209ed2b082228a39757742f0077cacb7eba3c906 runfile
+9da3af881cc36690434b9a0809edad205478f4e4e2cba5c5a2d04de701141d38ac16c0942c1cdf242d5a81bf9a580bdd8166e74fa31b51227bbaf6fa8afd8cb9 conffile"
diff --git a/openrc/postfix/conffile b/openrc/postfix/conffile
index e69de29..5fca680 100644
--- a/openrc/postfix/conffile
+++ b/openrc/postfix/conffile
@@ -0,0 +1 @@
+CONF_DIR="/etc/postfix/redxen"
diff --git a/openrc/postfix/runfile b/openrc/postfix/runfile
new file mode 100644
index 0000000..69edc5d
--- /dev/null
+++ b/openrc/postfix/runfile
@@ -0,0 +1,69 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/postfix.rc6.2.6,v 1.3 2011/10/24 12:52:32 eras Exp $
+
+# Please read http://www.postfix.org/MULTI_INSTANCE_README.html for multi instance support
+
+if [ "${CONF_DIR}" = "/etc/postfix" ]; then
+ CONF_PARAM=""
+ CONF_MESSAGE=""
+else
+ CONF_PARAM="-c ${CONF_DIR}"
+ CONF_MESSAGE="(${CONF_DIR})"
+fi
+
+extra_started_commands="reload abort flush"
+
+description_reload="Re-read configuration files. Running processes terminate at their earliest convenience."
+description_abort="Stop the Postfix mail system abruptly. Running processes are signaled to stop immediately."
+description_flush="Force delivery: attempt to deliver every message in the deferred mail queue."
+
+depend() {
+ use logger dns ypbind amavisd antivirus postfix_greylist net saslauthd
+ after firewall
+ if [ "${SVCNAME}" = "postfix" ]; then
+ provide mta
+ fi
+}
+
+start() {
+ if [ ! -z "${CONF_PARAM}" ]; then
+ einfo "Please consider updating your config for postmulti support."
+ fi
+ ebegin "Starting postfix ${CONF_MESSAGE}"
+ if [ ! -d ${CONF_DIR} ]; then
+ eend 1 "${CONF_DIR} does not exist"
+ return 1
+ fi
+ /usr/sbin/postfix ${CONF_PARAM} start >/dev/null 2>&1
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping postfix ${CONF_MESSAGE}"
+ /usr/sbin/postfix ${CONF_PARAM} stop >/dev/null 2>&1
+ eend $?
+}
+
+reload() {
+ ebegin "Reloading postfix ${CONF_MESSAGE}"
+ /usr/sbin/postfix ${CONF_PARAM} reload >/dev/null 2>&1
+ eend $?
+}
+
+abort() {
+ ebegin "Aborting postfix ${CONF_MESSAGE}"
+
+ if service_started "${SVCNAME}"; then
+ mark_service_stopped "${SVCNAME}"
+ fi
+ /usr/sbin/postfix ${CONF_PARAM} abort >/dev/null 2>&1
+ eend $?
+}
+
+flush() {
+ ebegin "Flushing postfix ${CONF_MESSAGE}"
+ /usr/sbin/postfix ${CONF_PARAM} flush >/dev/null 2>&1
+ eend $?
+}
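Review bot: `if [ ! -d ${CONF_DIR} ]; then` in start() is unquoted and nothing in the script guards against CONF_DIR being unset: when the conf.d file is missing, the top-level `if` compares an empty string with /etc/postfix, CONF_PARAM becomes `-c ` with no directory, `[ ! -d ]` degrades to a two-argument string test that evaluates false, and the script proceeds to run `postfix -c start`. Add `: "${CONF_DIR:=/etc/postfix}"` above the first `if` and quote the test as `if [ ! -d "${CONF_DIR}" ]; then`. Every `/usr/sbin/postfix ${CONF_PARAM} ... >/dev/null 2>&1` also discards stderr, so a failed start or reload leaves only eend's exit status with no reason in the OpenRC output; keeping stderr (`>/dev/null` alone) would surface the actual postfix diagnostic. The `$Header:` CVS line and Gentoo copyright are copied from the upstream 2011 script and could be trimmed to a one-line "derived from Gentoo's postfix.rc6" comment.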