Commit 23cd8fa5 authored by ale's avatar ale

Set up the quota policy service using the proxy

The Dovecot quota policy service resides on the backends, so we have
to go through postfix-policyd-proxy to reach it. The proxy listens on
local UNIX sockets, one per Postfix instance (using a systemd
multi-instance service template).
parent a858555c
[Unit]
Description=Postfix policyd proxy
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
[Install]
WantedBy=multi-user.target
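Review bot: The umbrella unit gives no hint of why it exists: it runs `/bin/true` as a oneshot and only serves as the anchor for the `PartOf=` declared in the instance template, which is not obvious to the next reader. I'd add a comment above `[Unit]`: `# Aggregate unit with no process of its own; postfix-policyd-proxy@.service instances declare PartOf= on it, so restarting this unit restarts every instance.` A `.target` unit would express the same relationship without a dummy ExecStart, if the project prefers that form.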
[Unit]
Description=Postfix policyd proxy (quota-service)
PartOf=postfix-policyd-proxy.service
After=network.target
[Service]
Type=simple
Restart=always
User=postfix
Group=postfix
LimitNOFILE=65536
ExecStart=/usr/bin/policyd-proxy --config /etc/postfix-policyd-proxy.yml --socket /var/spool/%i/private/policyd-quota
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=/var/spool/%i/private/
[Install]
WantedBy=multi-user.target
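Review bot: `ReadOnlyDirectories=` and `ReadWriteDirectories=` on the two lines before `[Install]` are the older spellings; since systemd v231 the documented names are `ReadOnlyPaths=` / `ReadWritePaths=` (the old ones are still accepted as aliases), so I'd switch unless the targeted release predates that. Given `ReadOnlyDirectories=/` is already there, `ProtectSystem=strict` plus the single `ReadWritePaths=/var/spool/%i/private/` is the equivalent modern form and reads more clearly. The unit orders only after `network.target`; the socket lives in the queue directory of Postfix instance `%i`, so if that directory is created by the instance at start, an ordering dependency on the corresponding Postfix unit (name depends on how the instances are installed, which the hunk does not show) would avoid a first-boot race where the proxy fails to bind and loops on `Restart=always`.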
......@@ -62,6 +62,11 @@
enabled: yes
masked: no
- name: reload postfix-policyd-proxy
systemd:
name: postfix-policyd-proxy.service
state: restarted
- name: restart keystored
systemd:
name: keystored.service
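Review bot: The new handler is named `reload postfix-policyd-proxy` but performs `state: restarted`, while the tasks that notify it (the template and copy tasks in the tasks hunk of this commit) use `notify: "restart postfix-policyd-proxy"`; unless a handler by that name exists outside the hunk, Ansible aborts the play with an unknown-handler error. Rename it to `- name: restart postfix-policyd-proxy` so the name matches both the notifications and the action it performs. Restarting the umbrella only reaches the instances through their `PartOf=` link, so it is worth checking on a fresh host that a restart of a never-started umbrella actually brings the instances up.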
......@@ -8,6 +8,7 @@
vars:
packages:
- postfix-policyd-spf-python
- postfix-policyd-proxy
- opendkim
- libpam-authclient
- auth-sasl-server
......@@ -66,11 +67,39 @@
# Install postfix-policyd-spf-python
- template:
- name: Configure postfix-policyd-spf-python
template:
src: spf-policyd.conf.j2
dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
notify: "reload postfix-in"
# Install postfix-policyd-proxy for the dovecot quota service on backends
- name: Configure postfix-policyd-proxy
template:
src: postfix-policyd-proxy.yml.j2
dest: "/etc/postfix-policyd-proxy.yml"
owner: postfix
mode: 0400
notify: "restart postfix-policyd-proxy"
- name: Install postfix-policyd-proxy systemd unit templates
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
loop:
- "postfix-policyd-proxy.service"
- "postfix-policyd-proxy@.service"
notify: "restart postfix-policyd-proxy"
- name: Enable postfix-policyd-proxy systemd units
systemd:
name: "postfix-policyd-proxy@{{ item }}.service"
enabled: yes
loop:
- "postfix-in"
- "postfix-smtp-auth"
# Install opendkim
- template:
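Review bot: The `Enable postfix-policyd-proxy systemd units` task runs right after the unit files were copied into `/etc/systemd/system` but does not pass `daemon_reload: yes`, so on a fresh host systemd may not yet know `postfix-policyd-proxy@.service` when `enabled: yes` is evaluated and the task fails. Add `daemon_reload: yes` to that `systemd:` call, and consider `state: started` alongside it so the instances come up on the first run independently of the restart handler. On the config task, `mode: 0400` is an unquoted octal; Ansible handles the leading-zero form, but `mode: "0400"` is the unambiguous spelling. The `notify: "restart postfix-policyd-proxy"` on both new tasks must match the handler name exactly; the handler added in this commit is currently named `reload postfix-policyd-proxy`.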
......@@ -64,6 +64,7 @@ smtpd_recipient_restrictions =
reject_invalid_helo_hostname,
reject_rbl_client {{ rbl_domain_name }},
check_policy_service unix:private/policyd-spf,
check_policy_service { unix:private/policyd-quota, default_action=DUNNO },
permit
rbl_reply_maps = ${indexed}dnsbl-reply-map
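Review bot: `default_action=DUNNO` makes the quota check fail open: if the proxy socket is absent or the backend does not answer, Postfix continues down the restriction list and the message is accepted as if under quota, and nothing in the hunk records that this is intended. I'd add a comment above the line, `# fail-open on purpose: if the quota proxy is unavailable, deliver rather than reject`, so a later hardening pass does not mistake it for an oversight, and make sure proxy unavailability is visible in monitoring rather than only in the journal. The same applies to the identical line added to the postfix-smtp-auth main.cf in this commit. The `{ ..., default_action=... }` form of `check_policy_service` requires Postfix 3.0 or later, which I assume the targets run.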
ldap:
uri: "ldapi://%%2frun%%2fldap%%2fldapi"
bind_dn: "{{ postfix_ldap_bind_dn }}"
bind_pw: "{{ ldap_postfix_password }}"
base_dn: "ou=People,dc=investici,dc=org,o=Anarchy"
filter: "(&(objectClass=virtualMailUser)(|(status=active)(status=readonly)))"
attr: "host"
result_fmt: "%s.mail-backend.{{ domain }}:7716"
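Review bot: The template has no comment on what the lookup does, and the rendered file holds the LDAP bind password, so a reader should see at a glance why `owner: postfix` / `mode: 0400` on the template task matters. I'd add a header comment, `# Rendered by Ansible; contains the LDAP bind password — keep mode 0400, owner postfix (the user the proxy runs as).`, and above `result_fmt`, `# The policy query is forwarded to the recipient's backend, taken from the LDAP 'host' attribute, on port 7716.` The `%%2f` in the ldapi URI is presumably an escape for the consuming tool's own `%`-formatting (compare `%s` in `result_fmt`) rather than YAML or Jinja syntax; if so, a short comment would keep it from reading like a typo.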
......@@ -66,6 +66,7 @@ smtpd_recipient_restrictions =
reject_sender_login_mismatch,
check_sender_access ${indexed}access-sender,
check_policy_service { unix:ratelimit/policy, default_action=DUNNO },
check_policy_service { unix:private/policyd-quota, default_action=DUNNO },
permit_sasl_authenticated,
reject