[COOK-3328] Refactor main.cf template and attributes

Signed-off-by: Seth Vargo <sethvargo@gmail.com>

CHANGELOG.md

@@ -1,3 +1,12 @@
+## v3.?.?:
+
+- [COOK-3328]: Refactor main.cf template and attributes for greater flexibility.
+
+**Breaking changes**:
+
+- Attributes are namespaced as `node['postfix']`, `node['postfix']['main']`, 
+  and `node['postfix']['master']`.
+
 ## v2.1.6:
 
 ### Bug

README.md

@@ -23,79 +23,63 @@ Attributes
 
 See `attributes/default.rb` for default values.
 
+
+## Generic cookbook attributes
+
 * `node['postfix']['mail_type']` - Sets the kind of mail
   configuration. `master` will set up a server (relayhost).
-* `node['postfix']['myhostname']` - corresponds to the myhostname
-  option in `/etc/postfix/main.cf`.
-* `node['postfix']['mydomain']` - corresponds to the mydomain option
-  in `/etc/postfix/main.cf`.
-* `node['postfix']['myorigin']` - corresponds to the myorigin option
-  in `/etc/postfix/main.cf`.
-* `node['postfix']['relayhost']` - corresponds to the relayhost option
-  in `/etc/postfix/main.cf`.
 * `node['postfix']['relayhost_role']` - name of a role used for search
   in the client recipe.
 * `node['postfix']['multi_environment_relay']` - set to true if nodes
   should not constrain search for the relayhost in their own
   environment.
-* `node['postfix']['inet_interfaces']` - if set, corresponds to the
-  inet_interfaces option in `/etc/postfix/main.cf`. nil by default,
-  which will result in 'all' for master `mail_type` and
-  'loopback-only' for non-master (anything else) `mail_type`.
-* `node['postfix']['mail_relay_networks']` - corresponds to the
-  mynetworks option in `/etc/postfix/main.cf`.
-* `node['postfix']['smtpd_use_tls']` - set to "yes" to use TLS for
-  SMTPD, which will use the snakeoil certs.
-* `node['postfix']['smtp_sasl_auth_enable']` - set to "yes" to enable
-  SASL authentication for SMTP.
-* `node['postfix']['smtp_sasl_password_maps']` - corresponds to the
-  `smtp_sasl_password_maps` option in `/etc/postfix/main.cf`.
-* `node['postfix']['smtp_sasl_security_options']` - corresponds to the
-  `smtp_sasl_security_options` option in `/etc/postfix/main.cf`.
-* `node['postfix']['smtp_tls_cafile']` - corresponds to the
-  `smtp_tls_CAfile` option in `/etc/postfix/main.cf`.
-* `node['postfix']['smtp_use_tls']` - corresponds to the
-  `smtp_use_tls` option in `/etc/postfix/main.cf`.
-* `node['postfix']['smtp_sasl_user_name']` - mapped in the
-  `sasl_passwd` file as the user to authenticate as.
-* `node['postfix']['smtp_sasl_passwd']` - mapped in the `sasl_passwd`
-  file as the password to use.
+* `node['postfix']['use_procmail']` - set to true if nodes should use
+  procmail as the delivery agent.
 * `node['postfix']['aliases']` - hash of aliases to create with
   `recipe[postfix::aliases]`, see below under __Recipes__ for more
   information.
-* `node['postfix']['use_procmail']` - set to true if nodes should use
-  procmail as the delivery agent (mailbox_command).
-* `node['postfix']['milter_default_action']` - corresponds to the
-  `milter_default_action` option in `/etc/postfix/main.cf`.
-* `node['postfix']['milter_protocol']` - corresponds to the
-  `milter_protocol` option in `/etc/postfix/main.cf`.
-* `node['postfix']['smtpd_milters']` - corresponds to the
-  `smtpd_milters` option in `/etc/postfix/main.cf`.
-* `node['postfix']['non_smtpd_milters']` - corresponds to the
-  `non_smtpd_milters` option in `/etc/postfix/main.cf`.
-* `node['postfix']['inet_interfaces']` - interfaces to listen to, all
-  or loopback-only
-* `node['postfix']['sender_canonical_classes']` - controls what
-  addresses are subject to `sender_canonical_maps` address mapping,
-  specify one or more of: `envelope_sender`, `header_sender` - defaults to
-  nil
-* `node['postfix']['recipient_canonical_classes']` - controls what
-  addresses are subject to `recipient_canonical_maps` address mapping,
-  specify one or more of: `envelope_recipient`, `header_recipient` -
-  defaults to nil
-* `node['postfix']['canonical_classes']` - controls what addresses are
-  subject to `canonical_maps` address mapping, specify one or more of:
-  `envelope_sender`, `envelope_recipient`, `header_sender`,
-  `header_recipient` - defaults to nil
-* `node['postfix']['sender_canonical_maps']` - optional address
-  mapping lookup tables for envelope and header sender addresses, eg.
-  `hash:/etc/postfix/sender_canonical` - defaults to nil
-* `node['postfix']['recipient_canonical_maps']` - optional address
-  mapping lookup tables for envelope and header recipient addresses,
-  eg. `hash:/etc/postfix/recipient_canonical` - defaults to nil
-* `node['postfix']['canonical_maps']` - optional address mapping
-  lookup tables for message headers and envelopes, eg.
-  `hash:/etc/postfix/canonical` - defaults to nil
+* `node['postfix']['main_template_source']` - Cookbook source for main.cf template. Default 'postfix'
+* `node['postfix']['master_template_source']` - Cookbook source for master.cf template. Default 'postfix'
+
+## main.cf and sasl\_passwd template attributes
+
+The main.cf template has been simplified to include any attributes in the `node['postfix']['main']`
+data structure.  The following attributes are still included with this cookbook
+to maintain some semblance of backwards compatibility.
+
+This change in namespace to `node['postfix']['main']` should allow for greater flexibility,
+given the large number of configuration variables for the postfix daemon.  All of these cookbook
+attributes correspond to the option of the same name in `/etc/postfix/main.cf`.
+
+* `node['postfix']['main']['biff']` - (yes/no); default no 
+* `node['postfix']['main']['append_dot_mydomain']` - (yes/no); default no
+* `node['postfix']['main']['myhostname']` - defaults to fqdn from Ohai
+* `node['postfix']['main']['mydomain']` - defaults to domain from Ohai
+* `node['postfix']['main']['myorigin']` - defaults to $myhostname
+* `node['postfix']['main']['mynetworks']` - default is `127.0.0.0/8`
+* `node['postfix']['main']['inet_interfaces']` - set to `loopback-only`, or `all` for server recipe
+* `node['postfix']['main']['alias_maps']` - set to `hash:/etc/aliases`
+* `node['postfix']['main']['mailbox_size_limit']` - set to `0` (disabled)
+* `node['postfix']['main']['recipient_delimiter']` - set to `+`
+* `node['postfix']['main']['mydestination']` - default fqdn, hostname, localhost.localdomain, localhost
+* `node['postfix']['main']['smtpd_use_tls']` - (yes/no); default yes. See conditional cert/key attributes.
+  - `node['postfix']['main']['smtpd_tls_cert_file']` - conditional attribute, set to full path of server's x509 certificate.
+  - `node['postfix']['main']['smtpd_tls_key_file']` - conditional attribute, set to full path of server's private key
+  - `node['postfix']['main']['smtpd_tls_CAfile']` - set to platform specific CA bundle
+  - `node['postfix']['main']['smtpd_tls_session_cache_database']` - set to `btree:${data_directory}/smtpd_scache`
+* `node['postfix']['main']['smtp_use_tls']` - (yes/no); default yes.  See following conditional attributes.
+  - `node['postfix']['main']['smtp_tls_CAfile']` - set to platform specific CA bundle
+  - `node['postfix']['main']['smtp_tls_session_cache_database']` - set to `btree:${data_directory}/smtpd_scache`
+* `node['postfix']['main']['smtp_sasl_auth_enable']` - (yes/no); default no.  If enabled, see following conditional attributes.
+  - `node['postfix']['main']['smtp_sasl_password_maps']` - Set to `hash:/etc/postfix/sasl_passwd` template file 
+  - `node['postfix']['main']['smtp_sasl_security_options']` - Set to noanonymous
+  - `node['postfix']['main']['relayhost']` - Set to empty string 
+  - `node['postfix']['sasl']['smtp_sasl_user_name']` - SASL user to authenticate as.  Default empty 
+  - `node['postfix']['sasl']['smtp_sasl_passwd']` - SASL password to use.  Default empty. 
+
+## master.cf template attributes
+
+* `node['postfix']['master']['submission'] - Whether to use submission (TCP 587) daemon. (true/false); default false
 
 Recipes
 =======
@@ -115,7 +99,7 @@ client
 ------
 
 Use this recipe to have nodes automatically search for the mail relay
-based which node has the `node['postfix']['relayhost']` role. Sets the
+based which node has the `node['postfix']['relayhost_role']` role. Sets the
 `node['postfix']['relayhost']` attribute to the first result from the
 search.
 
@@ -168,7 +152,7 @@ is `master`. See __Examples__ for information on how to use
 `recipe[postfix::server]` to do this automatically.
 
 If you need to use SASL authentication to send mail through your ISP
-(such as on a home network), use `recipe[postfix::sasl_auth]` and set
+(such as on a home network), use `postfix::sasl_auth` and set
 the appropriate attributes.
 
 For each of these implementations, see __Examples__ for role usage.
@@ -185,26 +169,30 @@ The `base` role is applied to all nodes in the environment.
     name "base"
     run_list("recipe[postfix]")
     override_attributes(
+      "mail_type" => "client",
       "postfix" => {
-        "mail_type" => "client",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com",
-        "relayhost" => "[smtp.example.com]",
-        "smtp_use_tls" => "no"
+        "main" => {
+          "mydomain" => "example.com",
+          "myorigin" => "example.com",
+          "relayhost" => "[smtp.example.com]",
+          "smtp_use_tls" => "no"
+        }
       }
     )
 
 The `relayhost` role is applied to the nodes that are relayhosts.
 Often this is 2 systems using a CNAME of `smtp.example.com`.
 
     name "relayhost"
-    run_list("recipe[postfix]")
+    run_list("recipe[postfix::server]")
     override_attributes(
       "postfix" => {
-        "mail_relay_networks" => "10.3.3.0/24",
         "mail_type" => "master",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com"
+        "main" => {
+          "mynetworks" => [ "10.3.3.0/24", "127.0.0.0/8" ],
+          "inet-interfaces" => "all",
+          "mydomain" => "example.com",
+          "myorigin" => "example.com"
       }
     )
 
@@ -217,14 +205,17 @@ access to SMTP.
     run_list("recipe[postfix], recipe[postfix::sasl_auth]")
     override_attributes(
       "postfix" => {
-        "mail_relay_networks" => "10.3.3.0/24",
         "mail_type" => "master",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com",
-        "relayhost" => "[smtp.comcast.net]:587",
-        "smtp_sasl_auth_enable" => "yes",
-        "smtp_sasl_passwd" => "your_password",
-        "smtp_sasl_user_name" => "your_username"
+        "main" => {
+          "mynetworks" => "10.3.3.0/24",
+          "mail_type" => "master",
+          "mydomain" => "example.com",
+          "myorigin" => "example.com",
+          "relayhost" => "[smtp.comcast.net]:587",
+          "smtp_sasl_auth_enable" => "yes",
+          "smtp_sasl_passwd" => "your_password",
+          "smtp_sasl_user_name" => "your_username"
+        }
       }
     )
 
@@ -241,9 +232,11 @@ If you'd like to use the more dynamic search based approach for discovery, use t
     run_list("recipe[postfix::server]")
     override_attributes(
       "postfix" => {
-        "mail_relay_networks" => "10.3.3.0/24",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com"
+        "main" => {
+          "mynetworks" => "10.3.3.0/24",
+          "mydomain" => "example.com",
+          "myorigin" => "example.com"
+        }
       }
     )
 
@@ -254,8 +247,10 @@ Then, add the `postfix::client` recipe to the run list of your `base` role or eq
     override_attributes(
       "postfix" => {
         "mail_type" => "client",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com"
+        "main" => {
+          "mydomain" => "example.com",
+          "myorigin" => "example.com"
+        }
       }
     )
 
@@ -266,9 +261,11 @@ If you wish to use a different role name for the relayhost, then also set the at
     run_list("recipe[postfix::server]")
     override_attributes(
       "postfix" => {
-        "mail_relay_networks" => "10.3.3.0/24",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com"
+        "main" => {
+          "mynetworks" => "10.3.3.0/24",
+          "mydomain" => "example.com",
+          "myorigin" => "example.com"
+        }
       }
     )
 
@@ -280,8 +277,10 @@ The base role would look something like this:
       "postfix" => {
         "relayhost_role" => "postfix_master",
         "mail_type" => "client",
-        "mydomain" => "example.com",
-        "myorigin" => "example.com"
+        "main" => {
+          "mydomain" => "example.com",
+          "myorigin" => "example.com"
+        }
       }
     )
 

attributes/default.rb

@@ -15,37 +15,75 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Generic cookbook attributes
 default['postfix']['mail_type']  = "client"
-default['postfix']['myhostname'] = node['fqdn']
-default['postfix']['mydomain']   = node['domain']
-default['postfix']['myorigin']   = "$myhostname"
-default['postfix']['relayhost']  = ""
-default['postfix']['mail_relay_networks']        = "127.0.0.0/8"
-default['postfix']['relayhost_role']             = "relayhost"
+default['postfix']['relayhost_role'] = "relayhost"
 default['postfix']['multi_environment_relay'] = false
-default['postfix']['inet_interfaces'] = nil
+default['postfix']['use_procmail'] = false
+default['postfix']['aliases'] = {}
+default['postfix']['main_template_source'] = "postfix"
+default['postfix']['master_template_source'] = "postfix"
 
-default['postfix']['smtpd_use_tls'] = "yes"
-default['postfix']['smtp_sasl_auth_enable'] = "no"
-default['postfix']['smtp_sasl_password_maps']    = "hash:/etc/postfix/sasl_passwd"
-default['postfix']['smtp_sasl_security_options'] = "noanonymous"
-default['postfix']['smtp_tls_cafile'] = "/etc/postfix/cacert.pem"
-default['postfix']['smtp_use_tls']    = "yes"
-default['postfix']['smtp_sasl_user_name'] = ""
-default['postfix']['smtp_sasl_passwd']    = ""
+# Non-default main.cf attributes
+default['postfix']['main']['biff'] = "no"
+default['postfix']['main']['append_dot_mydomain'] = "no"
+default['postfix']['main']['myhostname'] = node['fqdn']
+default['postfix']['main']['mydomain'] = node['domain']
+default['postfix']['main']['myorigin'] = "$myhostname"
+default['postfix']['main']['mydestination'] = [ node['postfix']['main']['myhostname'], node['hostname'], "localhost.localdomain", "localhost" ]
+default['postfix']['main']['smtpd_use_tls'] = "yes"
+default['postfix']['main']['smtp_use_tls'] = "yes"
+default['postfix']['main']['alias_maps'] = [ "hash:/etc/aliases" ]
+default['postfix']['main']['mailbox_size_limit'] = 0
+default['postfix']['main']['recipient_delimiter'] = "+"
+default['postfix']['main']['smtp_sasl_auth_enable'] = "no"
+default['postfix']['main']['mynetworks'] = "127.0.0.0/8"
+default['postfix']['main']['inet_interfaces'] = "loopback-only"
 
-default['postfix']['use_procmail'] = false
+# Conditional attributes
+case node['platform_family']
+when "rhel"
+  cafile = "/etc/pki/tls/cert.pem"
+else
+  cafile = "/etc/postfix/cacert.pem"
+end
 
-default['postfix']['milter_default_action']  = "tempfail"
-default['postfix']['milter_protocol']  = "6"
-default['postfix']['smtpd_milters']  = ""
-default['postfix']['non_smtpd_milters']  = ""
+if node['postfix']['use_procmail']
+  default['postfix']['main']['mailbox_command'] = '/usr/bin/procmail -a "$EXTENSION"'
+end
 
-default['postfix']['aliases'] = {}
+if node['postfix']['main']['smtpd_use_tls'] == "yes"
+  default['postfix']['main']['smtpd_tls_cert_file'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+  default['postfix']['main']['smtpd_tls_key_file'] = "/etc/ssl/private/ssl-cert-snakeoil.key"
+  default['postfix']['main']['smtpd_tls_CAfile'] = cafile
+  default['postfix']['main']['smtpd_tls_session_cache_database'] = "btree:${data_directory}/smtpd_scache"
+end
+
+if node['postfix']['main']['smtp_use_tls'] == "yes"
+  default['postfix']['main']['smtp_tls_CAfile'] = cafile
+  default['postfix']['main']['smtp_tls_session_cache_database'] = "btree:${data_directory}/smtp_scache"
+end
+
+if node['postfix']['main']['smtp_sasl_auth_enable'] == "yes"
+  default['postfix']['main']['smtp_sasl_password_maps'] = "hash:/etc/postfix/sasl_passwd"
+  default['postfix']['main']['smtp_sasl_security_options'] = "noanonymous"
+  default['postfix']['sasl']['smtp_sasl_user_name'] = ""
+  default['postfix']['sasl']['smtp_sasl_passwd']    = ""
+  default['postfix']['main']['relayhost'] = ""
+end
+
+# Default main.cf attributes according to `postconf -d`
+#default['postfix']['main']['relayhost'] = ""
+#default['postfix']['main']['milter_default_action']  = "tempfail"
+#default['postfix']['main']['milter_protocol']  = "6"
+#default['postfix']['main']['smtpd_milters']  = ""
+#default['postfix']['main']['non_smtpd_milters']  = ""
+#default['postfix']['main']['sender_canonical_classes'] = nil
+#default['postfix']['main']['recipient_canonical_classes'] = nil
+#default['postfix']['main']['canonical_classes'] = nil
+#default['postfix']['main']['sender_canonical_maps'] = nil
+#default['postfix']['main']['recipient_canonical_maps'] = nil
+#default['postfix']['main']['canonical_maps'] = nil
 
-default['postfix']['sender_canonical_classes'] = nil
-default['postfix']['recipient_canonical_classes'] = nil
-default['postfix']['canonical_classes'] = nil
-default['postfix']['sender_canonical_maps'] = nil
-default['postfix']['recipient_canonical_maps'] = nil
-default['postfix']['canonical_maps'] = nil
+# Master.cf attributes
+default['postfix']['master']['submission'] = false