Bug fix & SQLite module

README.md

@@ -11,6 +11,7 @@ my personal mail infrastructure components including:
 - rspamd
 - borg-backup
 - fail2ban
+- sqlite
 
 Also includes web components for installing multi-site `nginx` servers.
 
@@ -43,6 +44,17 @@ into the public repository (only commit on local internal branches). This is hel
 by our `.gitignore` in the public branch. View comments in `.gitignore` for more details
 about private usage.
 
+## SQLite
+
+Each user must have a password. It is always a good practice to hash passwords stored in a database, in case the database is compromised. If a user's password is MY_PASSWORD, you can hash it using Dovecot's password hash generator:
+
+```console
+$ doveadm pw -s SSHA512
+Enter new password:MY_PASSWORD
+Retype new password:MY_PASSWORD
+{SSHA512}HASHED_PASSWORD
+```
+Next edit sqlite.yml, and replace HASHED_PASSWORD with the exact output of the command.
 
 ## Contributing
 

inventory/host_vars/mailmash/network.yml

@@ -12,8 +12,8 @@ network:
     # network.hostname.public is used populate templates with
     # server's public hostname, including:
     #   - TLS certs to use with this pattern:
-    #     /etc/ssl/[hostname]-cert-combined.pem
-    #     /etc/ssl/[hostname]-key.pem
+    #     /etc/ssl/certs/[hostname]-cert-combined.pem
+    #     /etc/ssl/certs/[hostname]-key.pem
     #   - Postfix config parameter "myhostname"
     public: yourmail.server.com
 

inventory/host_vars/mailmash/packages.yml

@@ -0,0 +1,26 @@
+---
+packages:
+  required:
+    - aptitude
+    # acl is required for ansible to "become_user" as someone non-root because
+    # of permissions on its temporary files. Ansible will setfacl on temp files
+    # so it doesn't have to 0666 everything just so a new user can modify things.
+    - acl
+    # you aren't a linux server without sending nightly summary emails
+    - logwatch
+    # apt helpers for repo installs not included by default for some reason
+    - software-properties-common
+    # production CA bundles so we don't get unknown CA errors
+    - ca-certificates
+    # Maintains high numbers in /proc/sys/kernel/random/entropy_avail
+    - rng-tools
+    # should we use a more modern thing than collect? distributed osquery?
+    - collectd
+    # make sure 'install_recommends: no' or this installs lots of other stuff
+    - vim-nox
+    # rrdtool only installed so we can be lazy and generate graphs on-demand
+    # with: /usr/share/doc/collectd-core/examples/collectd2html.pl
+    # TODO: enable centralized reporting system
+    - rrdtool
+    # netstat, mii-tool, etc
+    - net-tools

inventory/host_vars/mailmash/sqlite.yml

@@ -0,0 +1,8 @@
+---
+authdb:
+  userid: 'info'
+  domain: 'server.com'
+  # Generate password with: doveadm pw -s SHA512-CRYPT
+  password: 'HASHED_PASSWORD'
+  email: 'postmaster'
+  alias: 'info'

inventory/host_vars/webby/packages.yml

@@ -0,0 +1,26 @@
+---
+packages:
+  required:
+    - aptitude
+    # acl is required for ansible to "become_user" as someone non-root because
+    # of permissions on its temporary files. Ansible will setfacl on temp files
+    # so it doesn't have to 0666 everything just so a new user can modify things.
+    - acl
+    # you aren't a linux server without sending nightly summary emails
+    - logwatch
+    # apt helpers for repo installs not included by default for some reason
+    - software-properties-common
+    # production CA bundles so we don't get unknown CA errors
+    - ca-certificates
+    # Maintains high numbers in /proc/sys/kernel/random/entropy_avail
+    - rng-tools
+    # should we use a more modern thing than collect? distributed osquery?
+    - collectd
+    # make sure 'install_recommends: no' or this installs lots of other stuff
+    - vim-nox
+    # rrdtool only installed so we can be lazy and generate graphs on-demand
+    # with: /usr/share/doc/collectd-core/examples/collectd2html.pl
+    # TODO: enable centralized reporting system
+    - rrdtool
+    # netstat, mii-tool, etc
+    - net-tools

inventory/inventory

@@ -1,5 +1,5 @@
 [mail]
-mailmash ansible_python_interpreter=/usr/bin/python3
+mailmash
 
 [web]
-webby ansible_python_interpreter=/usr/bin/python3
+webby

mailmash.yml

@@ -8,6 +8,7 @@
     - network
     - disableFirewall
     - rspamd
+    - sqlite
     - dovecot
     - sieve
     - postfix

roles/certreload/tasks/main.yml

@@ -3,10 +3,10 @@
 # exist, so we can't have our 'certs' role unconditionally fire things
 # like "reload nginx" and "reload postfix" because those don't exist
 # in every deployment.
-# As a hack, just check if /etc/ssl was recently modified then reload
+# As a hack, just check if /etc/ssl/certs was recently modified then reload
 - name: check certificate update recency
   stat:
-    path: /etc/ssl
+    path: /etc/ssl/certs/
   register: statSSL
 
 # Have to mock a command resulting in some "changed" status so ansible

roles/certs/tasks/main.yml

@@ -23,7 +23,7 @@
 
 #- name: allow certmaint to maint certs and keys (default)
 #  acl:
-#    path: /etc/ssl/
+#    path: /etc/ssl/certs/
 #    etype: user
 #    entity: certmaint
 #    permissions: rw
@@ -34,7 +34,7 @@
 
 #- name: allow certmaint to maint certs and keys (actual certs)
 #  acl:
-#    path: /etc/ssl/
+#    path: /etc/ssl/certs/
 #    etype: user
 #    entity: certmaint
 #    permissions: rwx
@@ -67,7 +67,7 @@
 - name: populate required certs (common types)
   copy:
     src: "tls/{{ item[0] }}-cert-combined.{{ item[1] }}.pem"
-    dest: /etc/ssl/
+    dest: /etc/ssl/certs/
     mode: 0644
     owner: certmaint
   loop: "{{ certs.required |product(certs.keyTypes) |list }}"
@@ -91,7 +91,7 @@
 - name: populate required certs (specific types)
   copy:
     src: "tls/{{ item.host }}-cert-combined.{{ item.type }}.pem"
-    dest: /etc/ssl/
+    dest: /etc/ssl/certs/
     mode: 0644
     owner: certmaint
   loop: "{{ certs.required }}"
@@ -101,8 +101,8 @@
 
 - name: plop LE cert chain
   copy:
-    src: "tls/lets-encrypt-x3-cross-signed.pem"
-    dest: /etc/ssl/
+    src: "lets-encrypt-x3-cross-signed.pem"
+    dest: /etc/ssl/certs/
     mode: 0644
     owner: certmaint
 

roles/common/files/override.conf

@@ -0,0 +1,2 @@
+[Service]
+TTYVTDisallocate=no

roles/common/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 # You can manually view how your OS-provided packages are supported with:
 # ubuntu-support-status --show-all
-- name: update packages
+- name: upgrade packages
   apt:
     update_cache: yes
     upgrade: safe
@@ -24,6 +24,17 @@
     group: root
     mode: 0644
 
+- name: create required dir structure for systemd getty
+  file:
+    dest: /etc/systemd/system/getty@tty1.service.d/
+    state: directory
+- name: configure override remove the clear screen before login
+  copy:
+    src: override.conf
+    dest: "/etc/systemd/system/getty@tty1.service.d/"
+    owner: root
+    group: root
+    mode: 0644
 
 - include_role:
     name: ramdisk
@@ -61,7 +72,7 @@
 - name: populate known-good dhparams
   copy:
     src: "{{ item }}"
-    dest: "/etc/ssl/{{ item }}"
+    dest: "/etc/ssl/certs/{{ item }}"
   loop:
     - ffdhe2048.pem
     - ffdhe3072.pem
@@ -205,41 +216,13 @@
   notify: reload sshd
 
 
-- name: install system tools
+- name: install required packages
   apt:
     pkg:
-      # acl is required for ansible to "become_user" as someone non-root because
-      # of permissions on its temporary files. Ansible will setfacl on temp files
-      # so it doesn't have to 0666 everything just so a new user can modify things.
-      - acl
-
-      # you aren't a linux server without sending nightly summary emails
-      - logwatch
-
-      # apt helpers for repo installs not included by default for some reason
-      - software-properties-common
-
-      # production CA bundles so we don't get unknown CA errors
-      - ca-certificates
-
-      # Maintains high numbers in /proc/sys/kernel/random/entropy_avail
-      - rng-tools
-
-      # should we use a more modern thing than collect? distributed osquery?
-      - collectd
-
-      # make sure 'install_recommends: no' or this installs lots of other stuff
-      - vim-nox
-
-      # rrdtool only installed so we can be lazy and generate graphs on-demand
-      # with: /usr/share/doc/collectd-core/examples/collectd2html.pl
-      # TODO: enable centralized reporting system
-      - rrdtool
-
-      # netstat, mii-tool, etc
-      - net-tools
-    install_recommends: no
-    state: latest
+      name: "{{ item }}"
+      install_recommends: no
+      state: latest
+    with_items: "{{ packages.required }}"
 
 # use a modern ntp client+server.
 #
@@ -285,7 +268,7 @@
 #
 #- name: install ohai
 #  apt:
-#    pkg: facter
+#    pkg: ohai
 #    state: latest
 
 

roles/dovecot/files/dovecot/dovecot-sql.conf.ext

@@ -71,7 +71,7 @@ driver = sqlite
 #   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
 #   connect = /etc/dovecot/authdb.sqlite
 #
-connect = /etc/dovecot/authdb.sqlite
+connect = /var/mail/sqlite/authdb.sqlite3
 
 # Default password scheme.
 #
@@ -138,10 +138,10 @@ user_query = \
 # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
 # also have to return userdb fields in password_query prefixed with "userdb_"
 # string. For example:
-password_query = \
-  SELECT '%u' AS user, password, \
-     "/var/mail/vhosts/" || '%d' || '/' || '%n' AS userdb_home, 145 AS userdb_uid, 145 AS userdb_gid \
-  FROM users WHERE userid = '%n' AND domain = '%d'
+#password_query = \
+#  SELECT '%u' AS user, password, \
+#     "/var/mail/vhosts/" || '%d' || '/' || '%n' AS userdb_home, 145 AS userdb_uid, 145 AS userdb_gid \
+#  FROM users WHERE userid = '%n' AND domain = '%d'
 
 # Query to get a list of all usernames.
 # This iteration is used for things like globally purging zero refcount emails

roles/dovecot/tasks/main.yml

@@ -58,19 +58,6 @@
   - resieve spam mover
   - restart dovecot
 
-# This permission is important because dovecot has multiple users:
-# - dovecot
-# - dovenull
-# - vmail
-# but login processes are run by the 'vmail' user, so 'vmail' must have read
-# access to the DB
-- name: fix user permissions on authdb
-  file:
-    path: /etc/dovecot/authdb.sqlite
-    owner: vmail
-    group: vmail
-    mode: 0600
-
 - name: instantiate dovecot SSL template with host vars
   template:
     src: dovecot/conf.d/10-ssl.conf.j2

roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2

@@ -2,13 +2,13 @@
 ssl = required
 
 # Config detials at https://wiki.dovecot.org/SSL/DovecotConfiguration
-ssl_cert = </etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
+ssl_cert = </etc/ssl/certs/{{ network.hostname.public }}-cert-combined.rsa2048.pem
 ssl_key = </etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
 
 # Since v2.2.31+ you can specify alternative ssl certificate
 # if the algorithm differs from the primary certificate.
 # This is useful when migrating to e.g. ECDSA certificate.
-ssl_alt_cert = </etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
+ssl_alt_cert = </etc/ssl/certs/{{ network.hostname.public }}-cert-combined.prime256v1.pem
 ssl_alt_key = </etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
 
 # require modern crypto - taken from Mozilla's SSL recommendations page
@@ -19,4 +19,4 @@ ssl_prefer_server_ciphers = yes
 
 # newer dovecot 2.3+
 #ssl_min_protocol = TLSv1.2
-#ssl_dh = /etc/ssl/ffdhe4096.pem
+#ssl_dh = /etc/ssl/certs/ffdhe4096.pem

roles/nginx/files/tls/ssl_ciphers_intermediate

@@ -7,4 +7,4 @@ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-ssl_dhparam /etc/ssl/ffdhe2048.pem;
+ssl_dhparam /etc/ssl/certs/ffdhe2048.pem;

roles/nginx/files/tls/ssl_params

@@ -41,7 +41,7 @@ ssl_stapling on;
 ssl_stapling_verify on;
 
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
-ssl_trusted_certificate /etc/ssl/lets-encrypt-x3-cross-signed.pem;
+ssl_trusted_certificate /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem;
 
 # Instead of using resolver, take response from file:
 # ssl_stapling_file <-- must be set PER domain, but nginx so far has refused

roles/nginx/templates/basic-site.conf.j2

@@ -18,12 +18,12 @@ server {
   include /etc/nginx/ssl_ciphers_intermediate;
 {% endif %}
 
-  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem;
+  ssl_certificate     /etc/ssl/certs/{{ item.domain }}-cert-combined.rsa2048.pem;
   ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem;
 
   # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
   # can serve modern EC clients and less modern RSA clients at the same time.
-  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
+  ssl_certificate     /etc/ssl/certs/{{ item.domain }}-cert-combined.prime256v1.pem;
   ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;
 
   root   /srv/web/{{ item.domain }};

roles/postfix/files/postfix/aliases

@@ -0,0 +1,5 @@
+mailer-daemon: root
+# postmaster: root
+hostmaster: root
+webmaster: root
+abuse: root

roles/postfix/files/postfix/remap.sh

@@ -2,7 +2,7 @@
 
 here=$(dirname $0)
 
-MAPS="virtual"
+MAPS="aliases virtual"
 
 for map in $MAPS; do
   postmap $here/$map

roles/postfix/files/postfix/sqlite_alias.cf

@@ -0,0 +1,2 @@
+dbpath = /var/mail/sqlite/authdb.sqlite3
+query = SELECT alias FROM aliases WHERE email = '%s'

roles/postfix/files/postfix/sqlite_domains.cf

@@ -0,0 +1,2 @@
+dbpath = /var/mail/sqlite/authdb.sqlite3
+query = SELECT domain FROM users WHERE domain = '%s'

roles/postfix/files/postfix/sqlite_mailbox.cf

@@ -0,0 +1,3 @@
+dbpath = /var/mail/sqlite/authdb.sqlite3
+query = SELECT userid || '@' || domain AS email FROM users WHERE email = '%s'
+result_format = %d/%u/

roles/postfix/tasks/main.yml

@@ -6,6 +6,7 @@
     state: latest
     pkg:
       - postfix
+      - postfix-sqlite
       - postfix-doc
       - postfix-pcre