aboutsummaryrefslogtreecommitdiff
path: root/cluster/prod/app
diff options
context:
space:
mode:
authorQuentin Dufour <quentin@deuxfleurs.fr>2022-08-25 04:39:44 +0200
committerQuentin Dufour <quentin@deuxfleurs.fr>2022-08-25 04:39:44 +0200
commitec0e483d99200bda02547e425fb5d08697f6156a (patch)
tree7d35c9e24d96a2c178a0c4d7322ec7dd124db2b2 /cluster/prod/app
parentea1b0e9d19d0e1457fa6f6aee593f56d4347ae32 (diff)
downloadnixcfg-ec0e483d99200bda02547e425fb5d08697f6156a.tar.gz
nixcfg-ec0e483d99200bda02547e425fb5d08697f6156a.zip
Add email support
Diffstat (limited to 'cluster/prod/app')
-rw-r--r--cluster/prod/app/email/build/alps/Dockerfile20
-rw-r--r--cluster/prod/app/email/build/docker-compose.yml36
-rw-r--r--cluster/prod/app/email/build/dovecot/.gitignore1
-rw-r--r--cluster/prod/app/email/build/dovecot/Dockerfile16
-rw-r--r--cluster/prod/app/email/build/dovecot/README.md18
-rwxr-xr-xcluster/prod/app/email/build/dovecot/entrypoint.sh27
-rw-r--r--cluster/prod/app/email/build/dovecot/legacy/all_before.sieve5
-rw-r--r--cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf8
-rw-r--r--cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve17
-rw-r--r--cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve9
-rw-r--r--cluster/prod/app/email/build/opendkim/Dockerfile9
-rw-r--r--cluster/prod/app/email/build/opendkim/README.md12
-rwxr-xr-xcluster/prod/app/email/build/opendkim/entrypoint8
-rw-r--r--cluster/prod/app/email/build/opendkim/opendkim.conf12
-rw-r--r--cluster/prod/app/email/build/postfix/Dockerfile13
-rw-r--r--cluster/prod/app/email/build/postfix/README.md18
-rwxr-xr-xcluster/prod/app/email/build/postfix/entrypoint.sh31
-rw-r--r--cluster/prod/app/email/build/sogo/Dockerfile17
-rw-r--r--cluster/prod/app/email/build/sogo/README.md20
-rwxr-xr-xcluster/prod/app/email/build/sogo/entrypoint13
-rw-r--r--cluster/prod/app/email/build/sogo/sogo.nginx.conf83
-rw-r--r--cluster/prod/app/email/config/dkim/keytable1
-rw-r--r--cluster/prod/app/email/config/dkim/signingtable2
-rw-r--r--cluster/prod/app/email/config/dkim/trusted4
-rwxr-xr-xcluster/prod/app/email/config/dovecot/certs.gen13
-rw-r--r--cluster/prod/app/email/config/dovecot/dovecot-ldap.conf.tpl12
-rw-r--r--cluster/prod/app/email/config/dovecot/dovecot.conf87
-rwxr-xr-xcluster/prod/app/email/config/postfix/certs.gen13
-rw-r--r--cluster/prod/app/email/config/postfix/dynamicmaps.cf9
-rw-r--r--cluster/prod/app/email/config/postfix/header_checks3
-rw-r--r--cluster/prod/app/email/config/postfix/ldap-account.cf.tpl12
-rw-r--r--cluster/prod/app/email/config/postfix/ldap-alias.cf.tpl9
-rw-r--r--cluster/prod/app/email/config/postfix/ldap-virtual-domains.cf.tpl12
-rw-r--r--cluster/prod/app/email/config/postfix/main.cf105
-rw-r--r--cluster/prod/app/email/config/postfix/master.cf114
-rw-r--r--cluster/prod/app/email/config/postfix/transport5
-rw-r--r--cluster/prod/app/email/config/postfix/transport.dbbin0 -> 12288 bytes
-rw-r--r--cluster/prod/app/email/config/sogo/sogo.conf.tpl69
-rw-r--r--cluster/prod/app/email/deploy/email.hcl505
-rw-r--r--cluster/prod/app/email/secrets/email/dkim/smtp.private1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_restic_password1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/dovecot.crt1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/dovecot.key1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/ldap_binddn1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd1
-rw-r--r--cluster/prod/app/email/secrets/email/postfix/postfix.crt1
-rw-r--r--cluster/prod/app/email/secrets/email/postfix/postfix.key1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/ldap_binddn1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/ldap_bindpw1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/postgre_auth1
53 files changed, 1382 insertions, 0 deletions
diff --git a/cluster/prod/app/email/build/alps/Dockerfile b/cluster/prod/app/email/build/alps/Dockerfile
new file mode 100644
index 0000000..92b1f14
--- /dev/null
+++ b/cluster/prod/app/email/build/alps/Dockerfile
@@ -0,0 +1,20 @@
+FROM golang:1.15.6-buster as builder
+
+ARG VERSION
+
+ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
+WORKDIR /tmp/alps
+
+RUN git init && \
+ git remote add origin https://git.deuxfleurs.fr/Deuxfleurs/alps.git && \
+ git fetch --depth 1 origin ${VERSION} && \
+ git checkout FETCH_HEAD
+
+RUN go build -a -o /usr/local/bin/alps ./cmd/alps
+
+FROM scratch
+COPY --from=builder /usr/local/bin/alps /alps
+COPY --from=builder /tmp/alps/themes /themes
+COPY --from=builder /tmp/alps/plugins /plugins
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["/alps"]
diff --git a/cluster/prod/app/email/build/docker-compose.yml b/cluster/prod/app/email/build/docker-compose.yml
new file mode 100644
index 0000000..0826142
--- /dev/null
+++ b/cluster/prod/app/email/build/docker-compose.yml
@@ -0,0 +1,36 @@
+version: '3.4'
+services:
+
+ # Email
+ sogo:
+ build:
+ context: ./sogo
+ args:
+ # fake for now
+ VERSION: 5.0.0
+ image: superboum/amd64_sogo:v7
+
+ alps:
+ build:
+ context: ./alps
+ args:
+ VERSION: 9bafa64b9d
+ image: superboum/amd64_alps:v1
+
+ dovecot:
+ build:
+ context: ./dovecot
+ image: superboum/amd64_dovecot:v6
+
+ postfix:
+ build:
+ context: ./postfix
+ args:
+ # https://packages.debian.org/fr/buster/postfix
+ VERSION: 3.4.14-0+deb10u1
+ image: superboum/amd64_postfix:v3
+
+ opendkim:
+ build:
+ context: ./opendkim
+ image: superboum/amd64_opendkim:v6
diff --git a/cluster/prod/app/email/build/dovecot/.gitignore b/cluster/prod/app/email/build/dovecot/.gitignore
new file mode 100644
index 0000000..71a04e2
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/.gitignore
@@ -0,0 +1 @@
+dovecot-ldap.conf
diff --git a/cluster/prod/app/email/build/dovecot/Dockerfile b/cluster/prod/app/email/build/dovecot/Dockerfile
new file mode 100644
index 0000000..cd1fd0d
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/Dockerfile
@@ -0,0 +1,16 @@
+FROM amd64/debian:bullseye
+
+RUN apt-get update && \
+ apt-get install -y \
+ dovecot-antispam \
+ dovecot-core \
+ dovecot-imapd \
+ dovecot-ldap \
+ dovecot-managesieved \
+ dovecot-sieve \
+ dovecot-lmtpd && \
+ rm -rf /etc/dovecot/*
+RUN useradd mailstore
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/cluster/prod/app/email/build/dovecot/README.md b/cluster/prod/app/email/build/dovecot/README.md
new file mode 100644
index 0000000..8c9f372
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_dovecot:v2 .
+```
+
+
+```
+sudo docker run -t -i \
+ -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \
+ -p 993:993 \
+ -p 143:143 \
+ -p 24:24 \
+ -p 1337:1337 \
+ -v /mnt/glusterfs/email/ssl:/etc/ssl/ \
+ -v /mnt/glusterfs/email/mail:/var/mail \
+ -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \
+ superboum/amd64_dovecot:v1 \
+ dovecot -F
+```
diff --git a/cluster/prod/app/email/build/dovecot/entrypoint.sh b/cluster/prod/app/email/build/dovecot/entrypoint.sh
new file mode 100755
index 0000000..2165d8f
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then
+ cd /root
+ openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout dovecot.key \
+ -out dovecot.crt
+
+ mkdir -p /etc/ssl/{certs,private}/
+
+ cp dovecot.crt /etc/ssl/certs/dovecot.crt
+ cp dovecot.key /etc/ssl/private/dovecot.key
+ chmod 400 /etc/ssl/certs/dovecot.crt
+ chmod 400 /etc/ssl/private/dovecot.key
+fi
+
+if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then
+ chown -R mailstore /var/mail
+fi
+
+exec "$@"
diff --git a/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve b/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve
new file mode 100644
index 0000000..7d2e57e
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve
@@ -0,0 +1,5 @@
+require ["fileinto", "mailbox"];
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto :create "Junk";
+}
+
diff --git a/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf b/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf
new file mode 100644
index 0000000..472d5e8
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf
@@ -0,0 +1,8 @@
+hosts = ldap.example.com
+dn = cn=admin,dc=example,dc=com
+dnpass = s3cr3t
+base = dc=example,dc=com
+scope = subtree
+user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com)))
+pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com)))
+user_attrs = mail=/var/mail/%{ldap:mail}
diff --git a/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve b/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve
new file mode 100644
index 0000000..c5a994a
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve
@@ -0,0 +1,17 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"];
+
+if environment :matches "imap.mailbox" "*" {
+ set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+ stop;
+}
+
+if environment :matches "imap.user" "*" {
+ set "username" "${1}";
+}
+
+pipe :copy "sa-learn" [ "--ham", "-u", "debian-spamd" ];
+debug_log "ham reported by ${username}";
+
diff --git a/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve b/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve
new file mode 100644
index 0000000..1be7389
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve
@@ -0,0 +1,9 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"];
+
+if environment :matches "imap.user" "*" {
+ set "username" "${1}";
+}
+
+pipe :copy "sa-learn" [ "--spam", "-u", "debian-spamd"];
+debug_log "spam reported by ${username}";
+
diff --git a/cluster/prod/app/email/build/opendkim/Dockerfile b/cluster/prod/app/email/build/opendkim/Dockerfile
new file mode 100644
index 0000000..452d6e8
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/Dockerfile
@@ -0,0 +1,9 @@
+FROM amd64/debian:bullseye
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ apt-get install -y opendkim opendkim-tools
+
+COPY ./opendkim.conf /etc/opendkim.conf
+COPY ./entrypoint /entrypoint
+CMD ["/entrypoint"]
diff --git a/cluster/prod/app/email/build/opendkim/README.md b/cluster/prod/app/email/build/opendkim/README.md
new file mode 100644
index 0000000..e146125
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/README.md
@@ -0,0 +1,12 @@
+```
+sudo docker build -t superboum/amd64_opendkim:v1 .
+```
+
+```
+sudo docker run -t -i \
+ -v `pwd`/conf:/etc/dkim \
+ -v /dev/log:/dev/log \
+ -p 8999:8999
+ superboum/amd64_opendkim:v1
+ opendkim -f -v -x /etc/opendkim.conf
+```
diff --git a/cluster/prod/app/email/build/opendkim/entrypoint b/cluster/prod/app/email/build/opendkim/entrypoint
new file mode 100755
index 0000000..7a1485c
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/entrypoint
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+chown 0:0 /etc/dkim/*
+chown 0:0 /etc/dkim
+chmod 400 /etc/dkim/*
+chmod 700 /etc/dkim
+
+opendkim -f -v -x /etc/opendkim.conf
diff --git a/cluster/prod/app/email/build/opendkim/opendkim.conf b/cluster/prod/app/email/build/opendkim/opendkim.conf
new file mode 100644
index 0000000..0d6465f
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/opendkim.conf
@@ -0,0 +1,12 @@
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
+UMask 007
+Mode sv
+OversignHeaders From
+TrustAnchorFile /usr/share/dns/root.key
+KeyTable refile:/etc/dkim/keytable
+SigningTable refile:/etc/dkim/signingtable
+ExternalIgnoreList refile:/etc/dkim/trusted
+InternalHosts refile:/etc/dkim/trusted
+Socket inet:8999
diff --git a/cluster/prod/app/email/build/postfix/Dockerfile b/cluster/prod/app/email/build/postfix/Dockerfile
new file mode 100644
index 0000000..0c74fdc
--- /dev/null
+++ b/cluster/prod/app/email/build/postfix/Dockerfile
@@ -0,0 +1,13 @@
+FROM amd64/debian:buster
+
+ARG VERSION
+
+RUN apt-get update && \
+ apt-get install -y \
+ postfix=$VERSION \
+ postfix-ldap
+
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+CMD ["postfix", "start-fg"]
diff --git a/cluster/prod/app/email/build/postfix/README.md b/cluster/prod/app/email/build/postfix/README.md
new file mode 100644
index 0000000..ac44fc0
--- /dev/null
+++ b/cluster/prod/app/email/build/postfix/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_postfix:v1 .
+```
+
+```
+sudo docker run -t -i \
+ -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \
+ -e MAILNAME="smtp.deuxfleurs.fr" \
+ -p 25:25 \
+ -p 465:465 \
+ -p 587:587 \
+ -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \
+ -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \
+ -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \
+ superboum/amd64_postfix:v1 \
+ bash
+```
+
diff --git a/cluster/prod/app/email/build/postfix/entrypoint.sh b/cluster/prod/app/email/build/postfix/entrypoint.sh
new file mode 100755
index 0000000..fcf1a66
--- /dev/null
+++ b/cluster/prod/app/email/build/postfix/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then
+ cd /root
+ openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout postfix.key \
+ -out postfix.crt
+
+ mkdir -p /etc/ssl/{certs,private}/
+
+ cp postfix.crt /etc/ssl/certs/postfix.crt
+ cp postfix.key /etc/ssl/private/postfix.key
+ chmod 400 /etc/ssl/certs/postfix.crt
+ chmod 400 /etc/ssl/private/postfix.key
+fi
+
+# A way to map files inside the postfix folder :s
+for file in $(ls /etc/postfix-conf); do
+ cp /etc/postfix-conf/${file} /etc/postfix/${file}
+done
+
+echo ${MAILNAME} > /etc/mailname
+postmap /etc/postfix/transport
+
+exec "$@"
diff --git a/cluster/prod/app/email/build/sogo/Dockerfile b/cluster/prod/app/email/build/sogo/Dockerfile
new file mode 100644
index 0000000..46880dd
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/Dockerfile
@@ -0,0 +1,17 @@
+#FROM amd64/debian:stretch as builder
+
+FROM amd64/debian:buster
+
+RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf
+
+RUN apt-get update && \
+ apt-get install -y apt-transport-https gnupg2 sudo nginx && \
+ rm -rf /etc/nginx/sites-enabled/* && \
+ apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \
+ echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \
+ apt-get update && \
+ apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client
+
+COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf
+COPY entrypoint /usr/sbin/entrypoint
+ENTRYPOINT ["/usr/sbin/entrypoint"]
diff --git a/cluster/prod/app/email/build/sogo/README.md b/cluster/prod/app/email/build/sogo/README.md
new file mode 100644
index 0000000..ea12245
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/README.md
@@ -0,0 +1,20 @@
+```
+docker build -t superboum/amd64_sogo:v6 .
+
+# privileged is only for debug
+docker run --rm -ti \
+ --privileged \
+ -p 8080:8080 \
+ -v /tmp/sogo/log:/var/log/sogo \
+ -v /tmp/sogo/run:/var/run/sogo \
+ -v /tmp/sogo/spool:/var/spool/sogo \
+ -v /tmp/sogo/tmp:/tmp \
+ -v `pwd`/sogo:/etc/sogo:ro \
+ superboum/amd64_sogo:v1
+```
+
+Password must be url encoded in sogo.conf for postgres
+Will need a nginx instance: http://wiki.sogo.nu/nginxSettings
+
+Might (or might not) be needed:
+traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr
diff --git a/cluster/prod/app/email/build/sogo/entrypoint b/cluster/prod/app/email/build/sogo/entrypoint
new file mode 100755
index 0000000..8b39def
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/entrypoint
@@ -0,0 +1,13 @@
+#!/bin/bash
+mkdir -p /var/log/sogo
+mkdir -p /var/run/sogo
+mkdir -p /var/spool/sogo
+chown sogo /var/log/sogo
+chown sogo /var/run/sogo
+chown sogo /var/spool/sogo
+
+nginx -g 'daemon on; master_process on;'
+sudo -u sogo memcached -d
+sudo -u sogo sogod
+sleep 10
+tail -n200 -f /var/log/sogo/sogo.log
diff --git a/cluster/prod/app/email/build/sogo/sogo.nginx.conf b/cluster/prod/app/email/build/sogo/sogo.nginx.conf
new file mode 100644
index 0000000..ad920a5
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/sogo.nginx.conf
@@ -0,0 +1,83 @@
+server {
+ listen 8080;
+ server_name default_server;
+ root /usr/lib/GNUstep/SOGo/WebServerResources/;
+
+ ## requirement to create new calendars in Thunderbird ##
+ proxy_http_version 1.1;
+
+ # Message size limit
+ client_max_body_size 50m;
+ client_body_buffer_size 128k;
+
+ location = / {
+ rewrite ^ '/SOGo';
+ allow all;
+ }
+
+ location = /principals/ {
+ rewrite ^ '/SOGo/dav';
+ allow all;
+ }
+
+ location ^~/SOGo {
+ proxy_pass 'http://127.0.0.1:20000';
+ proxy_redirect 'http://127.0.0.1:20000' default;
+ # forward user's IP address
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+ proxy_set_header x-webobjects-remote-host 127.0.0.1;
+ proxy_set_header x-webobjects-server-name $server_name;
+ proxy_set_header x-webobjects-server-url $scheme://$host;
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffer_size 4k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ break;
+ }
+
+ location /SOGo.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ allow all;
+ expires max;
+ }
+
+ location /SOGo/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ allow all;
+ expires max;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+ }
+
+ location ^~ /Microsoft-Server-ActiveSync {
+ access_log /var/log/nginx/activesync.log;
+ error_log /var/log/nginx/activesync-error.log;
+
+ proxy_connect_timeout 75;
+ proxy_send_timeout 3600;
+ proxy_read_timeout 3600;
+ proxy_buffers 64 256k;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+ proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
+ }
+}
diff --git a/cluster/prod/app/email/config/dkim/keytable b/cluster/prod/app/email/config/dkim/keytable
new file mode 100644
index 0000000..f4ac7cd
--- /dev/null
+++ b/cluster/prod/app/email/config/dkim/keytable
@@ -0,0 +1 @@
+smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private
diff --git a/cluster/prod/app/email/config/dkim/signingtable b/cluster/prod/app/email/config/dkim/signingtable
new file mode 100644
index 0000000..60d66ff
--- /dev/null
+++ b/cluster/prod/app/email/config/dkim/signingtable
@@ -0,0 +1,2 @@
+*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
+*@dufour.io smtp._domainkey.deuxfleurs.fr
diff --git a/cluster/prod/app/email/config/dkim/trusted b/cluster/prod/app/email/config/dkim/trusted
new file mode 100644
index 0000000..a01170d
--- /dev/null
+++ b/cluster/prod/app/email/config/dkim/trusted
@@ -0,0 +1,4 @@
+127.0.0.1
+localhost
+192.168.1.0/24
+172.16.0.0/12
diff --git a/cluster/prod/app/email/config/dovecot/certs.gen b/cluster/prod/app/email/config/dovecot/certs.gen
new file mode 100755
index 0000000..f26e917
--- /dev/null
+++ b/cluster/prod/app/email/config/dovecot/certs.gen
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
+openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout dovecot.key \
+ -out dovecot.crt
+
diff --git a/cluster/prod/app/email/config/dovecot/dovecot-ldap.conf.tpl b/cluster/prod/app/email/config/dovecot/dovecot-ldap.conf.tpl
new file mode 100644
index 0000000..d04bcfa
--- /dev/null
+++ b/cluster/prod/app/email/config/dovecot/dovecot-ldap.conf.tpl
@@ -0,0 +1,12 @@
+hosts = {{ env "meta.site" }}.bottin.service.prod.consul
+dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }}
+dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }}
+base = dc=deuxfleurs,dc=fr
+scope = subtree
+user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
+pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
+user_attrs = \
+ =user=%{ldap:cn}, \
+ =mail=maildir:/var/mail/%{ldap:cn}, \
+ =uid=1000, \
+ =gid=1000
diff --git a/cluster/prod/app/email/config/dovecot/dovecot.conf b/cluster/prod/app/email/config/dovecot/dovecot.conf
new file mode 100644
index 0000000..5f89a07
--- /dev/null
+++ b/cluster/prod/app/email/config/dovecot/dovecot.conf
@@ -0,0 +1,87 @@
+auth_mechanisms = plain login
+auth_username_format = %u
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+mail_location = maildir:/var/mail/%u
+mail_privileged_group = mail
+
+log_path = /dev/stderr
+info_log_path = /dev/stdout
+debug_log_path = /dev/stdout
+
+protocols = imap sieve lmtp
+
+ssl_cert = < /etc/ssl/certs/dovecot.crt
+ssl_key = < /etc/ssl/private/dovecot.key
+
+service auth {
+ inet_listener {
+ port = 1337
+ }
+}
+
+
+
+service lmtp {
+ inet_listener lmtp {
+ address = 0.0.0.0
+ port = 24
+ }
+}
+
+# https://doc.dovecot.org/configuration_manual/authentication/ldap_authentication/
+passdb {
+ args = /etc/dovecot/dovecot-ldap.conf
+ driver = ldap
+}
+userdb {
+ driver = prefetch
+}
+userdb {
+ args = /etc/dovecot/dovecot-ldap.conf
+ driver = ldap
+}
+
+
+service imap-login {
+ service_count = 0 # performance mode. set to 1 for secure mode
+ process_min_avail = 1
+ inet_listener imap {
+ port = 143
+ }
+ inet_listener imaps {
+ port = 993
+ }
+}
+
+protocol imap {
+ mail_plugins = $mail_plugins imap_sieve
+}
+
+protocol lda {
+ auth_socket_path = /var/run/dovecot/auth-master
+ info_log_path = /var/log/dovecot-deliver.log
+ log_path = /var/log/dovecot-deliver-errors.log
+ postmaster_address = postmaster@deuxfleurs.fr
+ mail_plugins = $mail_plugins sieve
+}
+
+plugin {
+ sieve = file:~/sieve;active=~/dovecot.sieve
+ sieve_before = /etc/dovecot/all_before.sieve
+
+ # antispam learn
+ sieve_plugins = sieve_imapsieve sieve_extprograms
+ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment +vnd.dovecot.debug
+ sieve_pipe_bin_dir = /usr/bin
+
+ imapsieve_mailbox1_name = Junk
+ imapsieve_mailbox1_causes = COPY FLAG APPEND
+ imapsieve_mailbox1_before = file:/etc/dovecot/report-spam.sieve
+
+ imapsieve_mailbox2_name = *
+ imapsieve_mailbox2_from = Spam
+ imapsieve_mailbox2_causes = COPY APPEND
+ imapsieve_mailbox2_before = file:/etc/dovecot/report-ham.sieve
+
+}
+
diff --git a/cluster/prod/app/email/config/postfix/certs.gen b/cluster/prod/app/email/config/postfix/certs.gen
new file mode 100755
index 0000000..f25439b
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/certs.gen
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
+openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout postfix.key \
+ -out postfix.crt
+
diff --git a/cluster/prod/app/email/config/postfix/dynamicmaps.cf b/cluster/prod/app/email/config/postfix/dynamicmaps.cf
new file mode 100644
index 0000000..32d8f62
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/dynamicmaps.cf
@@ -0,0 +1,9 @@
+# Postfix dynamic maps configuration file.
+#
+# The first match found is the one that is used. Wildcards are not supported
+# as of postfix 2.0.2
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+ldap postfix-ldap.so dict_ldap_open
+sqlite postfix-sqlite.so dict_sqlite_open
diff --git a/cluster/prod/app/email/config/postfix/header_checks b/cluster/prod/app/email/config/postfix/header_checks
new file mode 100644
index 0000000..cad52ec
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/header_checks
@@ -0,0 +1,3 @@
+/^Received:/ IGNORE
+/^X-Originating-IP:/ IGNORE
+/^X-Mailer:/ IGNORE
diff --git a/cluster/prod/app/email/config/postfix/ldap-account.cf.tpl b/cluster/prod/app/email/config/postfix/ldap-account.cf.tpl
new file mode 100644
index 0000000..80df925
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/ldap-account.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://{{ env "meta.site" }}.bottin.service.prod.consul
+scope = sub
+search_base = ou=users,dc=deuxfleurs,dc=fr
+query_filter = mail=%s
+result_attribute = mail
diff --git a/cluster/prod/app/email/config/postfix/ldap-alias.cf.tpl b/cluster/prod/app/email/config/postfix/ldap-alias.cf.tpl
new file mode 100644
index 0000000..5a1ad9d
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/ldap-alias.cf.tpl
@@ -0,0 +1,9 @@
+server_host = {{ env "meta.site" }}.bottin.service.prod.consul
+server_port = 389
+search_base = dc=deuxfleurs,dc=fr
+query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
+result_attribute = mail
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
diff --git a/cluster/prod/app/email/config/postfix/ldap-virtual-domains.cf.tpl b/cluster/prod/app/email/config/postfix/ldap-virtual-domains.cf.tpl
new file mode 100644
index 0000000..3cb48f9
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/ldap-virtual-domains.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://{{ env "meta.site" }}.bottin.service.prod.consul
+scope = sub
+search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr
+query_filter = (&(objectclass=dNSDomain)(domain=%s))
+result_attribute = domain
diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
new file mode 100644
index 0000000..2d0b992
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -0,0 +1,105 @@
+#===
+# Base configuration
+#===
+myhostname = smtp.deuxfleurs.fr
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = smtp.deuxfleurs.fr
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_protocols = all
+inet_interfaces = all
+message_size_limit = 204800000
+smtpd_banner = $myhostname
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+compatibility_level = 2
+
+#===
+# TLS parameters
+#===
+smtpd_tls_cert_file=/etc/ssl/postfix.crt
+smtpd_tls_key_file=/etc/ssl/postfix.key
+smtpd_tls_dh1024_param_file=auto
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+
+#===
+# Remove privacy related content from emails
+#===
+mime_header_checks = regexp:/etc/postfix/header_checks
+header_checks = regexp:/etc/postfix/header_checks
+
+#===
+# Handle user authentication (handled by dovecot)
+#===
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = inet:dovecot-auth.service.prod.consul:1337
+smtpd_sasl_type = dovecot
+
+#===
+# Restrictions / Checks
+#===
+# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists
+
+# Require a valid HELO
+smtpd_helo_required = yes
+# As we use the same postfix to send and receive,
+# we can't enforce a valid HELO hostname...
+#smtpd_helo_restrictions =
+# reject_unknown_helo_hostname
+
+# Require that sender email has a valid domain
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain
+
+# Delivering email policy
+# MyNetwork is required by sogo
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated
+ permit_mynetworks
+ reject_unauth_destination
+ reject_rbl_client zen.spamhaus.org
+ reject_rhsbl_reverse_client dbl.spamhaus.org
+ reject_rhsbl_helo dbl.spamhaus.org
+ reject_rhsbl_sender dbl.spamhaus.org
+
+# Sending email policy
+# MyNetwork is required by sogo
+smtpd_relay_restrictions =
+ permit_sasl_authenticated
+ permit_mynetworks
+ reject_unauth_destination
+
+smtpd_data_restrictions = reject_unauth_pipelining
+
+smtpd_client_connection_rate_limit = 2
+
+#===
+# Rate limiting
+#===
+slow_destination_recipient_limit = 20
+slow_destination_concurrency_limit = 2
+
+#====
+# Transport configuration
+#====
+transport_maps = hash:/etc/postfix/transport
+virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf
+virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf
+virtual_transport = lmtp:dovecot-lmtp.service.prod.consul:24
+
+#===
+# Mail filters
+#===
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:opendkim.service.prod.consul:8999
+non_smtpd_milters = inet:opendkim.service.prod.consul:8999
diff --git a/cluster/prod/app/email/config/postfix/master.cf b/cluster/prod/app/email/config/postfix/master.cf
new file mode 100644
index 0000000..53bc601
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/master.cf
@@ -0,0 +1,114 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+submission inet n - n - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - n - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+slow unix - - n - 5 smtp
+ -o syslog_name=postfix-slow
+ -o smtp_destination_concurrency_limit=3
+ -o slow_destination_rate_delay=1
+
+
+#628 inet n - - - - qmqpd
+pickup fifo n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - - 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+smtp unix - - n - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay unix - - n - - smtp
+ -o smtp_fallback_relay=
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+scache unix - - n - 1 scache
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
diff --git a/cluster/prod/app/email/config/postfix/transport b/cluster/prod/app/email/config/postfix/transport
new file mode 100644
index 0000000..68f62c5
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/transport
@@ -0,0 +1,5 @@
+#wanadoo.com slow:
+#wanadoo.fr slow:
+#orange.com slow:
+#orange.fr slow:
+#smtp.orange.fr slow:
diff --git a/cluster/prod/app/email/config/postfix/transport.db b/cluster/prod/app/email/config/postfix/transport.db
new file mode 100644
index 0000000..487f394
--- /dev/null
+++ b/cluster/prod/app/email/config/postfix/transport.db
Binary files differ
diff --git a/cluster/prod/app/email/config/sogo/sogo.conf.tpl b/cluster/prod/app/email/config/sogo/sogo.conf.tpl
new file mode 100644
index 0000000..d6094bf
--- /dev/null
+++ b/cluster/prod/app/email/config/sogo/sogo.conf.tpl
@@ -0,0 +1,69 @@
+{
+ WONoDetach = NO;
+ WOWorkersCount = 3;
+ SxVMemLimit = 300;
+ WOPort = "127.0.0.1:20000";
+ SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_user_profile";
+ OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_folder_info";
+ OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_sessions_folder";
+ OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_alarms_folder";
+ OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_store";
+ OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_acl";
+ OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_cache_folder";
+ SOGoTimeZone = "Europe/Paris";
+ SOGoMailDomain = "deuxfleurs.fr";
+ SOGoLanguage = French;
+ SOGoAppointmentSendEMailNotifications = YES;
+ SOGoEnablePublicAccess = YES;
+ SOGoMailingMechanism = smtp;
+ SOGoSMTPServer = postfix-smtp.service.prod.consul;
+ SOGoSMTPAuthenticationType = PLAIN;
+ SOGoForceExternalLoginWithEmail = YES;
+ SOGoIMAPAclConformsToIMAPExt = YES;
+ SOGoTimeZone = UTC;
+ SOGoSentFolderName = Sent;
+ SOGoTrashFolderName = Trash;
+ SOGoDraftsFolderName = Drafts;
+ SOGoIMAPServer = "imaps://dovecot-imaps.service.prod.consul:993/?tlsVerifyMode=none";
+ SOGoSieveServer = "sieve://sieve.service.prod.consul:4190/?tls=YES";
+ SOGoIMAPAclConformsToIMAPExt = YES;
+ SOGoVacationEnabled = NO;
+ SOGoForwardEnabled = NO;
+ SOGoSieveScriptsEnabled = NO;
+ SOGoFirstDayOfWeek = 1;
+ SOGoRefreshViewCheck = every_5_minutes;
+ SOGoMailAuxiliaryUserAccountsEnabled = NO;
+ SOGoPasswordChangeEnabled = YES;
+ SOGoPageTitle = "deuxfleurs.fr";
+ SOGoLoginModule = Mail;
+ SOGoMailAddOutgoingAddresses = YES;
+ SOGoSelectedAddressBook = autobook;
+ SOGoMailAuxiliaryUserAccountsEnabled = YES;
+ SOGoCalendarEventsDefaultClassification = PRIVATE;
+ SOGoMailReplyPlacement = above;
+ SOGoMailSignaturePlacement = above;
+ SOGoMailComposeMessageType = html;
+
+ SOGoLDAPContactInfoAttribute = "displayname";
+
+ SOGoUserSources = (
+ {
+ type = ldap;
+ CNFieldName = displayname;
+ IDFieldName = cn;
+ UIDFieldName = cn;
+ MailFieldNames = (mail, mailForwardingAddress);
+ SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber);
+ IMAPLoginFieldName = mail;
+ baseDN = "ou=users,dc=deuxfleurs,dc=fr";
+ bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}";
+ bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}";
+ bindFields = (cn, mail);
+ canAuthenticate = YES;
+ displayName = "Bottin";
+ hostname = "ldap://{{ env "meta.site" }}.bottin.service.prod.consul:389";
+ id = bottin;
+ isAddressBook = NO;
+ }
+ );
+}
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
new file mode 100644
index 0000000..0c6308a
--- /dev/null
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -0,0 +1,505 @@
+job "email" {
+ datacenters = ["orion"]
+ type = "service"
+ priority = 65
+
+ group "dovecot" {
+ count = 1
+
+ network {
+ port "zauthentication_port" {
+ static = 1337
+ to = 1337
+ }
+ port "imaps_port" {
+ static = 993
+ to = 993
+ }
+ port "imap_port" {
+ static = 143
+ to = 143
+ }
+ port "lmtp_port" {
+ static = 24
+ to = 24
+ }
+ }
+
+ task "server" {
+ driver = "docker"
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "doradille"
+ }
+
+ config {
+ image = "superboum/amd64_dovecot:v6"
+ readonly_rootfs = false
+ network_mode = "host"
+ ports = [ "zauthentication_port", "imaps_port", "imap_port", "lmtp_port" ]
+ command = "dovecot"
+ args = [ "-F" ]
+ volumes = [
+ "secrets/ssl/certs:/etc/ssl/certs",
+ "secrets/ssl/private:/etc/ssl/private",
+ "secrets/conf/:/etc/dovecot/",
+ "/mnt/ssd/mail:/var/mail/",
+ ]
+ }
+
+ env {
+ TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
+ }
+
+ resources {
+ cpu = 100
+ memory = 200
+ }
+
+ service {
+ name = "dovecot-imap"
+ port = "imap_port"
+ tags = [
+ "dovecot"
+ ]
+ check {
+ type = "tcp"
+ port = "imap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-imaps"
+ port = "imaps_port"
+ tags = [
+ "dovecot",
+ "(diplonat (tcp_port 993))"
+ ]
+
+ check {
+ type = "tcp"
+ port = "imaps_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-lmtp"
+ port = "lmtp_port"
+ tags = [
+ "dovecot",
+ ]
+
+ check {
+ type = "tcp"
+ port = "lmtp_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-auth"
+ port = "zauthentication_port"
+ tags = [
+ "dovecot",
+ ]
+ check {
+ type = "tcp"
+ port = "zauthentication_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ template {
+ data = file("../config/dovecot/dovecot-ldap.conf.tpl")
+ destination = "secrets/conf/dovecot-ldap.conf"
+ perms = "400"
+ }
+ template {
+ data = file("../config/dovecot/dovecot.conf")
+ destination = "secrets/conf/dovecot.conf"
+ perms = "400"
+ }
+
+ # ----- secrets ------
+ template {
+ # data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}"
+ data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
+ destination = "secrets/ssl/certs/dovecot.crt"
+ perms = "400"
+ }
+ template {
+ # data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}"
+ data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
+ destination = "secrets/ssl/private/dovecot.key"
+ perms = "400"
+ }
+ }
+ }
+
+ group "opendkim" {
+ count = 1
+
+ network {
+ port "dkim_port" {
+ static = 8999
+ to = 8999
+ }
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_opendkim:v6"
+ readonly_rootfs = false
+ ports = [ "dkim_port" ]
+ volumes = [
+ "/dev/log:/dev/log",
+ "secrets/dkim:/etc/dkim",
+ ]
+ }
+
+ resources {
+ cpu = 100
+ memory = 50
+ }
+
+ service {
+ name = "opendkim"
+ port = "dkim_port"
+ address_mode = "host"
+ tags = [
+ "opendkim",
+ ]
+ check {
+ type = "tcp"
+ port = "dkim_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ template {
+ data = file("../config/dkim/keytable")
+ destination = "secrets/dkim/keytable"
+ }
+ template {
+ data = file("../config/dkim/signingtable")
+ destination = "secrets/dkim/signingtable"
+ }
+ template {
+ data = file("../config/dkim/trusted")
+ destination = "secrets/dkim/trusted"
+ }
+
+ # --- secrets ---
+ template {
+ data = "{{ key \"secrets/email/dkim/smtp.private\" }}"
+ destination = "secrets/dkim/smtp.private"
+ }
+ }
+ }
+
+ group "postfix" {
+ count = 1
+
+ network {
+ port "smtp_port" {
+ static = 25
+ to = 25
+ }
+ port "smtps_port" {
+ static = 465
+ to = 465
+ }
+ port "submission_port" {
+ static = 587
+ to = 587
+ }
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_postfix:v3"
+ readonly_rootfs = false
+ network_mode = "host"
+ ports = [ "smtp_port", "smtps_port", "submission_port" ]
+ command = "postfix"
+ args = [ "start-fg" ]
+ volumes = [
+ "secrets/ssl:/etc/ssl",
+ "secrets/postfix:/etc/postfix-conf",
+ "/dev/log:/dev/log"
+ ]
+ }
+
+ env {
+ TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
+ MAILNAME = "smtp.deuxfleurs.fr"
+ }
+
+ resources {
+ cpu = 100
+ memory = 200
+ }
+
+ service {
+ name = "postfix-smtp"
+ port = "smtp_port"
+ address_mode = "host"
+ tags = [
+ "postfix",
+ "(diplonat (tcp_port 25 465 587))"
+ ]
+ check {
+ type = "tcp"
+ port = "smtp_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "postfix-smtps"
+ port = "smtps_port"
+ address_mode = "host"
+ tags = [
+ "postfix",
+ ]
+
+ check {
+ type = "tcp"
+ port = "smtps_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "postfix-submission"
+ port = "submission_port"
+ address_mode = "host"
+ tags = [
+ "postfix",
+ ]
+
+ check {
+ type = "tcp"
+ port = "submission_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ template {
+ data = file("../config/postfix/ldap-account.cf.tpl")
+ destination = "secrets/postfix/ldap-account.cf"
+ }
+
+ template {
+ data = file("../config/postfix/ldap-alias.cf.tpl")
+ destination = "secrets/postfix/ldap-alias.cf"
+ }
+
+ template {
+ data = file("../config/postfix/ldap-virtual-domains.cf.tpl")
+ destination = "secrets/postfix/ldap-virtual-domains.cf"
+ }
+
+ template {
+ data = file("../config/postfix/dynamicmaps.cf")
+ destination = "secrets/postfix/dynamicmaps.cf"
+ }
+
+ template {
+ data = file("../config/postfix/header_checks")
+ destination = "secrets/postfix/header_checks"
+ }
+
+ template {
+ data = file("../config/postfix/main.cf")
+ destination = "secrets/postfix/main.cf"
+ }
+
+ template {
+ data = file("../config/postfix/master.cf")
+ destination = "secrets/postfix/master.cf"
+ }
+
+ template {
+ data = file("../config/postfix/transport")
+ destination = "secrets/postfix/transport"
+ }
+
+ # --- secrets ---
+ template {
+ # data = "{{ key \"secrets/email/postfix/postfix.crt\" }}"
+ data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
+ destination = "secrets/ssl/postfix.crt"
+ perms = "400"
+ }
+
+ template {
+ # data = "{{ key \"secrets/email/postfix/postfix.key\" }}"
+ data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
+ destination = "secrets/ssl/postfix.key"
+ perms = "400"
+ }
+ }
+ }
+
+ group "alps" {
+ count = 1
+
+ network {
+ port "alps_web_port" { to = 1323 }
+ }
+
+ task "main" {
+ driver = "docker"
+ config {
+ image = "lxpz/alps_amd64:v2"
+ readonly_rootfs = true
+ ports = [ "alps_web_port" ]
+ args = [
+ "-skiptlsverification",
+ "-theme",
+ "alps",
+ "imaps://imap.deuxfleurs.fr:993",
+ "smtps://smtp.deuxfleurs.fr:465"
+ ]
+ }
+
+ resources {
+ cpu = 100
+ memory = 100
+ }
+
+ service {
+ name = "alps"
+ port = "alps_web_port"
+ address_mode = "host"
+ tags = [
+ "alps",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:alps.deuxfleurs.fr",
+ "tricot alps.deuxfleurs.fr",
+ ]
+ check {
+ type = "tcp"
+ port = "alps_web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "5m"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+
+
+ group "sogo" {
+ count = 1
+
+ network {
+ port "sogo_web_port" { to = 8080 }
+ }
+
+ task "bundle" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_sogo:v7"
+ readonly_rootfs = false
+ ports = [ "sogo_web_port" ]
+ volumes = [
+ "secrets/sogo.conf:/etc/sogo/sogo.conf",
+ ]
+ }
+
+ template {
+ data = file("../config/sogo/sogo.conf.tpl")
+ destination = "secrets/sogo.conf"
+ }
+
+ resources {
+ cpu = 200
+ memory = 1000
+ }
+
+ service {
+ name = "sogo"
+ port = "sogo_web_port"
+ address_mode = "host"
+ tags = [
+ "sogo",
+ "tricot www.sogo.deuxfleurs.fr",
+ "tricot sogo.deuxfleurs.fr",
+ ]
+ check {
+ type = "tcp"
+ port = "sogo_web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "5m"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ }
+ }
+}
diff --git a/cluster/prod/app/email/secrets/email/dkim/smtp.private b/cluster/prod/app/email/secrets/email/dkim/smtp.private
new file mode 100644
index 0000000..3aa3621
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dkim/smtp.private
@@ -0,0 +1 @@
+RSA_PRIVATE_KEY dkim
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
new file mode 100644
index 0000000..9ae6adf
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
@@ -0,0 +1 @@
+USER AWS Acces Key ID
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
new file mode 100644
index 0000000..ac95906
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
@@ -0,0 +1 @@
+USER AWS Secret Access key
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
new file mode 100644
index 0000000..c19a4a3
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
@@ -0,0 +1 @@
+USER Restic backup password to encrypt data
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
new file mode 100644
index 0000000..0434a15
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
@@ -0,0 +1 @@
+USER Restic Repository URL, check op_guide/backup-minio to see the format
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt b/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
new file mode 100644
index 0000000..7229cfc
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
@@ -0,0 +1 @@
+SSL_CERT dovecot deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key b/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
new file mode 100644
index 0000000..0d42c79
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
@@ -0,0 +1 @@
+SSL_KEY dovecot
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn b/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
new file mode 100644
index 0000000..da380f2
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
@@ -0,0 +1 @@
+SERVICE_DN dovecot Dovecot IMAP server
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd b/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
new file mode 100644
index 0000000..068f663
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
@@ -0,0 +1 @@
+SERVICE_PASSWORD dovecot
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.crt b/cluster/prod/app/email/secrets/email/postfix/postfix.crt
new file mode 100644
index 0000000..f004d67
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/postfix/postfix.crt
@@ -0,0 +1 @@
+SSL_CERT postfix deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.key b/cluster/prod/app/email/secrets/email/postfix/postfix.key
new file mode 100644
index 0000000..2cf1706
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/postfix/postfix.key
@@ -0,0 +1 @@
+SSL_KEY postfix
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn b/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
new file mode 100644
index 0000000..df627d3
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
@@ -0,0 +1 @@
+SERVICE_DN sogo SoGo email frontend
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw b/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
new file mode 100644
index 0000000..8d2f35b
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
@@ -0,0 +1 @@
+SERVICE_PASSWORD sogo
diff --git a/cluster/prod/app/email/secrets/email/sogo/postgre_auth b/cluster/prod/app/email/secrets/email/sogo/postgre_auth
new file mode 100644
index 0000000..4f66253
--- /dev/null
+++ b/cluster/prod/app/email/secrets/email/sogo/postgre_auth
@@ -0,0 +1 @@
+USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)