Diffstat (limited to 'playbooks/roles/mail/templates/volumes')
-rw-r--r--playbooks/roles/mail/templates/volumes/data/dms/config/dovecot.cf27
-rw-r--r--playbooks/roles/mail/templates/volumes/data/dms/config/postfix-master.cf3
-rwxr-xr-xplaybooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh13
-rw-r--r--playbooks/roles/mail/templates/volumes/scripts/check-postfix-health.unused.sh24
-rw-r--r--playbooks/roles/mail/templates/volumes/scripts/wait-for-cert.sh23
-rw-r--r--playbooks/roles/mail/templates/volumes/scripts/wait-for-postfix.unused.sh27
6 files changed, 111 insertions, 6 deletions
diff --git a/playbooks/roles/mail/templates/volumes/data/dms/config/dovecot.cf b/playbooks/roles/mail/templates/volumes/data/dms/config/dovecot.cf
new file mode 100644
index 0000000..62d0550
--- /dev/null
+++ b/playbooks/roles/mail/templates/volumes/data/dms/config/dovecot.cf
@@ -0,0 +1,27 @@
+haproxy_trusted_networks = {{ homelab_network }}
+
+service imap-login {
+ inet_listener imap {
+ haproxy = yes
+ }
+
+ inet_listener imaps {
+ haproxy = yes
+ }
+}
+
+service pop3-login {
+ inet_listener pop3 {
+ haproxy = yes
+ }
+
+ inet_listener pop3s {
+ haproxy = yes
+ }
+}
+
+service managesieve-login {
+ inet_listener sieve {
+ haproxy = yes
+ }
+}
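Review bot: `haproxy_trusted_networks = {{ homelab_network }}` on the first line trusts every host on that network to send a PROXY header, so any such host can present an arbitrary client address to Dovecot — the address the login services then log and, presumably, use for per-IP auth penalties and rate limits. Unless the whole network is genuinely equivalent to the proxy, narrow it to the proxy's own address, e.g. `haproxy_trusted_networks = <proxy-ip>/32` (placeholder). A short comment would also help the next reader, since with `haproxy = yes` each of these listeners rejects any connection that does not begin with a PROXY header: `# PROXY protocol is mandatory on these listeners; they are only reachable through the reverse proxy`.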
diff --git a/playbooks/roles/mail/templates/volumes/data/dms/config/postfix-master.cf b/playbooks/roles/mail/templates/volumes/data/dms/config/postfix-master.cf
new file mode 100644
index 0000000..1885f4d
--- /dev/null
+++ b/playbooks/roles/mail/templates/volumes/data/dms/config/postfix-master.cf
@@ -0,0 +1,3 @@
+smtp/inet/postscreen_upstream_proxy_protocol=haproxy
+submission/inet/smtpd_upstream_proxy_protocol=haproxy
+submissions/inet/smtpd_upstream_proxy_protocol=haproxy
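Review bot: Unlike Dovecot's `haproxy_trusted_networks`, Postfix has no trusted-network filter for `smtpd_upstream_proxy_protocol` / `postscreen_upstream_proxy_protocol`: any client that can reach these three listeners directly may send its own PROXY header and choose the source address Postfix sees, and with it the `mynetworks` and postscreen decisions made on that address. The commit does not show how the container's ports are exposed, so correctness here depends on the proxy being the only path to them; state that invariant in a comment, e.g. `# PROXY header is trusted unconditionally: the smtp/submission/submissions ports must only be reachable from the reverse proxy`. Note also that a connection without a PROXY header is held until `smtpd_upstream_proxy_timeout` (5s by default) and then dropped, so any local tooling that connects to these ports directly will stop working.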
diff --git a/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh b/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh
index c62753f..1749499 100755
--- a/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh
+++ b/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh
@@ -3,7 +3,13 @@
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = /dev/shm/sasl-auth.sock'
postconf -e 'smtpd_sasl_auth_enable = yes'
-postconf -e 'broken_sasl_auth_clients = yes'
+postconf -e 'broken_sasl_auth_clients = no'
+postconf -e 'smtpd_tls_auth_only = yes'
+postconf -e 'smtpd_tls_security_level = encrypt'
+
+postconf -e 'postscreen_bare_newline_enable = no'
+postconf -e 'postscreen_non_smtp_command_enable = no'
+postconf -e 'postscreen_pipelining_enable = no'
postconf -e 'smtp_tls_wrappermode = yes' # for relay
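Review bot: `postconf -e 'smtpd_tls_security_level = encrypt'` lands in main.cf, so it applies to the port-25 `smtp` service as well as to submission: inbound MX traffic from any sender that does not offer STARTTLS will be refused, and the Postfix documentation says mandatory TLS on the public SMTP port is not allowed by RFC 2487. `smtpd_tls_auth_only = yes` on the line above already keeps AUTH off plaintext sessions; if mandatory TLS is meant for mail clients only, drop the `encrypt` line here and rely on the per-service `-o smtpd_tls_security_level=encrypt` that DMS's master.cf is believed to set on submission (verify in the image). The three `postscreen_*_enable = no` lines match stock Postfix defaults, so if they are overriding something DMS turns on, a comment naming it would make the intent clear. The script begins above this hunk.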
@@ -34,8 +40,3 @@ userdb {
args = username_format=%u uid=docker gid=docker home=/var/mail/%d/%u
default_fields = uid=docker gid=docker home=/var/mail/%d/%u
}" > /etc/dovecot/conf.d/auth-ldap.conf.ext
-
-#userdb {
-# driver = static
-# args = home=/var/mail/%u
-#}"
diff --git a/playbooks/roles/mail/templates/volumes/scripts/check-postfix-health.unused.sh b/playbooks/roles/mail/templates/volumes/scripts/check-postfix-health.unused.sh
new file mode 100644
index 0000000..198221a
--- /dev/null
+++ b/playbooks/roles/mail/templates/volumes/scripts/check-postfix-health.unused.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+LOCKFILE="/var/mail-state/lib-postfix/master.lock"
+
+function log() {
+ echo "[health] $@"
+}
+
+if [ -f "$LOCKFILE" ]; then
+ PID=$(cat "$LOCKFILE")
+ log "pid $PID"
+ if kill -0 "$PID" 2>/dev/null; then
+ if ss --listening --tcp | grep -P 'LISTEN.+:smtp' > /dev/null; then
+ log "successfully listening to smtp"
+ exit 0
+ fi
+ else
+ # Not our postfix lock.
+ exit 0
+ fi
+fi
+
+log "bad health state"
+exit 1
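Review bot: `PID=$(cat "$LOCKFILE")` is passed straight to `kill -0`; an empty or non-numeric lock file (one that is mid-write, for instance) makes `kill -0` fail, the script takes the "Not our postfix lock" branch and exits 0, so a broken lock file is reported as healthy. Guard it before the `kill -0`, `[[ "$PID" =~ ^[0-9]+$ ]] || { log "unreadable pid in lockfile"; exit 1; }`. Also `echo "[health] $@"` in `log` should be `"$*"` (one string), and `grep -P … > /dev/null` can be `grep -q` over `ss -ltn`, since matching `:smtp` relies on service-name resolution. The file carries an `.unused` suffix, so this only matters once it is wired into a healthcheck.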
diff --git a/playbooks/roles/mail/templates/volumes/scripts/wait-for-cert.sh b/playbooks/roles/mail/templates/volumes/scripts/wait-for-cert.sh
new file mode 100644
index 0000000..0f8018c
--- /dev/null
+++ b/playbooks/roles/mail/templates/volumes/scripts/wait-for-cert.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+function log() {
+ echo "[cert] $@"
+}
+
+CERT="/certs/{{ mail_domain }}.pem"
+MAX_TRIES=30
+TRY=0
+
+while [ ! -f "$CERT" ]; do
+ if [ "$TRY" -eq "$MAX_TRIES" ]; then
+ log "[$TRY/$MAX_TRIES] Max tries, failing."
+ exit 1
+ fi
+ log "[$TRY/$MAX_TRIES] Certificate nonexistant. Waiting..."
+ sleep 2
+ TRY=$((TRY + 1))
+done
+
+log "Cert check done. Starting DMS."
+supervisord -c /etc/supervisor/supervisord.conf
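Review bot: The final `supervisord -c /etc/supervisor/supervisord.conf` runs as a child of the script instead of replacing it; this script appears to be the container entrypoint (it hands off to DMS's supervisord), so bash stays PID 1 and the SIGTERM from `docker stop` is delivered to bash, which does not forward it — supervisord, Postfix and Dovecot are then SIGKILLed after the grace period rather than shut down cleanly. Use `exec supervisord -c /etc/supervisor/supervisord.conf`; the same applies to the last line of wait-for-postfix.unused.sh. Separately, `[ ! -f "$CERT" ]` passes as soon as the file exists, so `-s` would also wait out an empty file still being written; `echo "[cert] $@"` should use `"$*"`, and the log text `nonexistant` should read `nonexistent`.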
diff --git a/playbooks/roles/mail/templates/volumes/scripts/wait-for-postfix.unused.sh b/playbooks/roles/mail/templates/volumes/scripts/wait-for-postfix.unused.sh
new file mode 100644
index 0000000..3e8a8c5
--- /dev/null
+++ b/playbooks/roles/mail/templates/volumes/scripts/wait-for-postfix.unused.sh
@@ -0,0 +1,27 @@
+# This was an attempt to keep rolling updates with very little downtime.
+# I don't think it's worth it, and the nature of update_config provides
+# little flexibility to use here.
+
+#!/bin/bash
+set -e
+
+function log() {
+ echo "[startup] $@"
+}
+
+LOCKFILE="/var/mail-state/lib-postfix/master.lock"
+MAX_TRIES=30
+TRY=0
+
+while [ -f "$LOCKFILE" ]; do
+ if [ "$TRY" -eq "$MAX_TRIES" ]; then
+ log "[$TRY/$MAX_TRIES] Max tries, failing."
+ exit 1
+ fi
+ log "[$TRY/$MAX_TRIES] Lockfile exists, waiting for it to be cleaned up by previous container..."
+ sleep 2
+ TRY=$((TRY + 1))
+done
+
+log "Lock check done. Starting DMS."
+supervisord -c /etc/supervisor/supervisord.conf
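Review bot: `#!/bin/bash` sits after the leading comment block, so it is only a comment: a shebang is honoured solely as the first two bytes of the file, and this script will run under whatever interpreter invokes it (or fail on direct exec). Move the three explanatory lines below the shebang and `set -e`. As in wait-for-cert.sh, the last line should be `exec supervisord -c /etc/supervisor/supervisord.conf` so signals reach supervisord if this is ever used as the entrypoint, and `echo "[startup] $@"` should use `"$*"`.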