February 2021 - debops-devel - lists.debops.org

by Imre Jonk

Hi all, I've attached a diff file for the debops.postldap role. It contains CipherMail-specific changes to the role defaults that more people might be interested in. What do you think? Should I make a PR for (some of) these changes? The changes are: - Use of mailRecipient object class where it makes sense, specifically in the ldap_virtual_alias_maps, ldap_virtual_mailbox_maps and ldap_smtpd_sender_login_maps configuration. - Support for virtual alias lookups for group members. This allows us to make a distribution list out of an LDAP group. Postfix resolves the distribution list members using special_result_attribute and leaf_result_attribute. - search_base of ldap_virtual_mailbox_maps.cf set to the base DN instead of ou=People. We did this because we also have mailboxes that are accessed by services whose LDAP accounts are under the ou=Hosts tree. An example is the system that uses IMAP to access messages in our support(a)ciphermail.com mailbox. - The maildir paths are /var/vmail/<uid>/Maildir instead of /var/vmail/<domain>/<localpart>/Maildir. I like to associate mailboxes with the accounts in LDAP, which are primarily distinguished by uid and not email addresses. - We are using mailAlternateAddress attributes (mailRecipient objectClass) instead of mailAlias objects. This allows us to add email aliases directly to the existing people and group objects. The filters have been updated for this. - I have removed the ldap_unauth_sender_access sender restriction. This restriction forces SMTP clients to authenticate before sending mail when the sender address exists in LDAP. This is nice, but the ldap_unauth_domain_access sender restriction already forces authentication when an SMTP client tries to send mail from one of the domains in LDAP, which should be enough. Removing this restriction reduces the complexity of the whole system a little and saves some LDAP lookups. - We're not using postldap__domain_rev_pattern. Personal LDAP objects look like this: dn: uid=imre,ou=People,dc=ciphermail,dc=com objectClass: authorizedServiceObject objectClass: hostObject objectClass: inetOrgPerson objectClass: ldapPublicKey objectClass: mailRecipient objectClass: posixAccount objectClass: posixGroup objectClass: posixGroupId objectClass: shadowAccount objectClass: top cn: Imre Jonk gid: imre gidNumber: 2002000000 homeDirectory: /home/imre mail: imre(a)ciphermail.com mailAddress: imre(a)ciphermail.com sn: Jonk uid: imre uidNumber: 2002000000 authorizedService: all givenName: Imre host: posix:all loginShell: /bin/bash mailAlternateAddress: dev(a)ciphermail.com mailAlternateAddress: imre(a)ciphermail.com mailAlternateAddress: imre(a)staging.ciphermail.com Group LDAP objects used as distribution lists look like this: dn: cn=UNIX Administrators,ou=Groups,dc=ciphermail,dc=com objectClass: authorizedServiceObject objectClass: groupOfNames objectClass: hostObject objectClass: mailRecipient objectClass: posixGroup objectClass: posixGroupId objectClass: top cn: UNIX Administrators gid: admins gidNumber: 2000000000 mail: tech(a)ciphermail.com mailAddress: tech(a)ciphermail.com member: uid=imre,ou=People,dc=ciphermail,dc=com member: uid=martijn,ou=People,dc=ciphermail,dc=com authorizedService: all description: People responsible for UNIX-like infrastructure host: posix:all mailAlternateAddress: abuse(a)ciphermail.com mailAlternateAddress: abuse(a)djigzo.com mailAlternateAddress: hostmaster(a)ciphermail.com mailAlternateAddress: postmaster(a)ciphermail.com mailAlternateAddress: postmaster(a)djigzo.com mailAlternateAddress: root(a)ciphermail.com mailAlternateAddress: security(a)ciphermail.com mailAlternateAddress: tech(a)ciphermail.com mailAlternateAddress: tech(a)staging.ciphermail.com mailAlternateAddress: webmaster(a)ciphermail.com owner: uid=imre,ou=People,dc=ciphermail,dc=com owner: uid=martijn,ou=People,dc=ciphermail,dc=com Hoping this is useful for someone. It took me quite a while to figure out and explain in writing what customizations I've made to this role. It's been a while since I last touched the mail cluster configuration... Cheers, Imre

4 years

2
3
0 / 0

Debops t-shirt arrived!

by Damiano Venturin

Hello debopsers! I'VE GOT THE T-SHIRT (habeo t-shirt :-D) !! Its quality is jaw dropping! My wife is so amazed by the fabric's quality that she feels envious. Many thanks to Imre and all those who kindly put so much efforts is it. Much appreciated! -- Damiano Venturin https://dam.venturin.net

4 years

2
1
0 / 0

Call for testing: Debian Bullseye

by Imre Jonk

Hi all, The Debian release team just hit the second milestone in the Bullseye release process. The 'testing' distribution is now in soft freeze [1], which means that package maintainers are discouraged from making large changes, and new source packages are not allowed into Bullseye. [1] https://lists.debian.org/debian-devel-announce/2021/02/msg00002.html If you haven't done so already, please see if you can spin up a test system with Debian Bullseye to test our playbooks against. Issues and pull requests are more than welcome. Problems with the testing distribution (see also RC bugs [2]) should be filed against the Debian bug tracking system [3]. [2] https://bugs.debian.org/release-critical/ [3] https://www.debian.org/Bugs/ Happy hacking! Imre

4 years

1
0
0 / 0

2025

2024

2023

2022

2021

2020

debops-devel February 2021