AUTH users can now only FROM as themselves or known aliases

Signed-off-by: David Loffredo <loffredo@steptools.com>

docs/ansible.html

@@ -55,30 +55,6 @@ <H1>Why Ansible?</H1>
 and can operate in parallel on lists of hosts, so you can configure or
 reproduce whole networks of machines.</p>
 
-<h2>Ansible Notes</h2>
-
-<p>If you need to specify some parameters before a batch install, you
-can use the debconf module.  Typically we install then configure, but
-this might be useful in certain situations.</p>
-
-<PRE>
-#dbconfig-common/bacula-director-mysql.conf:dbc_dbpass='whereami' #
-dbconfig-common
-
-# from debconf-show
-#  bacula-director-pgsql/pgsql/app-pass: (password omitted)
-#  bacula-director-pgsql/app-password-confirm: (password omitted)
-#  bacula-director-pgsql/pgsql/admin-pass: (password omitted)
-#  bacula-director-pgsql/password-confirm: (password omitted)
-
-# - name: Set MySQL root password before installing
-#   debconf: name='mysql-server' question='mysql-server/root_password' value='{{mysql_root_pass | quote}}' vtype='password'
-
-# - name: Confirm MySQL root password before installing
-#   debconf: name='mysql-server' question='mysql-server/root_password_again' value='{{mysql_root_pass | quote}}' vtype='password'
-
-</PRE>
-
 <div class=copyright>
 <p>Copyright &copy; 2020 David Loffredo, licensed under
 <a rel="license" href="https://creativecommons.org/licenses/by/4.0/">

docs/backup.html

@@ -89,16 +89,28 @@ <H2 class=rule>
 bacula_tunnel_sshkeypath: ~/.ssh/tunnel.key
 </PRE>
 
-<p>The client does not need many settings.  We will eventually have a
-variable for the file lists to back up.
-
-INCLUDE THE RSPAMD DBDIR /var/lib/rspamd
-
+<p>The client does not need many settings.
+The <code>bacula_client_fileset</code> variable describes the
+directories you want backed up.  There are many knobs other knobs to
+play with if you want to do something fancy.
 
 <PRE class=code>
-# Eventual list of files
+bacula_client_fileset:
+  include:
+    - /etc/letsencrypt
+    - "{{mail_db_root}}"
+    - "{{mail_dkim_root}}"
+    - "{{mail_spool_root}}"
+    - "{{webdata_root}}"
 </PRE>
 
+<p>If you have detailed knowledge of Bacula, you can add
+<code>options</code> and <code>exclude</code> entries to
+the <code>bacula_client_fileset</code> dictionary.  These translate to
+the equivalent Bacula FileSet sub-blocks.  You can also include
+a <code>freeform</code> entry with raw text for your own jobs and
+filesets.
+
 <p>If a client does not need an ssh tunnel,
 set <code>bacula_client_tunnel</code> to false in variables <em>for
 that client</em>.  You can have some clients with a tunnel and others
@@ -116,9 +128,9 @@ <H2 class=rule>
 variables.  Most roles need settings for just one machine at a time.
 The Bacula roles need settings over a network of machines, like each
 client of a director.  Defaults makes it even more interesting.
-The <code>bacula-common</code> role is used by the client and director
-roles to coordinate these settings.  The comments in that role has
-more discussion on defaults and hostvars.
+The <code>bacula-dflts</code> role is used by the client and director
+roles to coordinate these settings.  The source files for that role
+contain more discussion on defaults and hostvars.
 
 <!-- ============================== -->
 <H2 class=rule>
@@ -128,7 +140,6 @@ <H2 class=rule>
 the admin account when they are done.  All other interaction is done
 on the director machine using the Bacula console <code>bconsole</code>.
 
-
 <p>I recommend firing up the console and getting familiar with it
 before you need to.  Try to manually run a backup ("run") and try to
 restore some files ("restore").  The Bacula manual has

docs/index.html

@@ -9,7 +9,7 @@
 <body>
 <div class=toc>
 <UL>
-<LI><A href="https://github.com/david-loffredo/davecloud">Github Repo</A>
+<LI><A href="https://github.com/david-loffredo/davecloud">GitHub Repo</A>
 <p>
 <li><a href="#pkgs">Packages</a>
 <li><a href="#start">Getting Started</a>
@@ -34,19 +34,16 @@ <H1>DaveCloud Mail, Web, and Backup</H1>
 <li>A ground-up understanding of what is on the machine and why.
 </ol>
 
-<p>These pages explain <em>what</em> I learned, <em>how</em> to
-configure it, and <em>why</em> I made each choice, plus some fun
+<p>These pages cover <em>what</em> I learned, <em>how</em> to
+configure it, and <em>why</em> I made each choice, with some fun
 pictures of my old hardware.
 
-If those details don't interest you, a push-button mail server
-like <a href="https://github.com/modoboa/modoboa">Modoboa</a>,
-<a href="https://mailinabox.email/">mail-in-a-box</a>, or
-<a href="https://github.com/progmaticltd/homebox">homebox</a> is a
-fine alternative.</p>
 
 <p>I hope this is a useful starting point for <em>your</em> goals
 and choices.</p>
 
+
+
 <!-- ============================== -->
 <H2 class=rule>
 <A NAME=pkgs></A>Packages</H2>
@@ -78,6 +75,11 @@ <H2 class=rule>
 <li><a href="dns.html">DNS</a>
 </ul>
 
+<p>If these details don't interest you, a push-button mail server
+like <a href="https://github.com/modoboa/modoboa">Modoboa</a>,
+<a href="https://mailinabox.email/">mail-in-a-box</a>, or
+<a href="https://github.com/progmaticltd/homebox">homebox</a> is a
+fine alternative.</p>
 
 <!-- ============================== -->
 <H2 class=rule>
@@ -117,14 +119,13 @@ <H2 class=rule>
 
 
 <p>The <code>myhosts/hosts</code> file
-identifies <a href="machines.html">the machines that you are
-managing</a>, and organizes them into groups.  The playbooks describe
-tasks and roles that apply to the machines in each group.  We use two
-groups: <code>cloud</code> and <code>backup-server</code>.</p>
-
-<p>The machines are listed by fully qualified domain name (FQDN) and
-IP address, so the machine does not need to show up in DNS yet.
-Ansible uses the <code>ansible_host</code> variable to connect, and
+identifies <a href="machines.html">your machines</a>, and organizes
+them into groups.  We use two groups: <code>cloud</code>
+and <code>backup-server</code>.  The playbooks apply tasks to the
+machines in each group.  </p>
+
+<p>Machines are listed by fully qualified domain name (FQDN) and IP
+address.  Ansible uses the <code>ansible_host</code> to connect, and
 sets the <code>inventory_hostname</code> variable to the FQDN for use
 in the scripts.</p>
 
@@ -141,34 +142,32 @@ <H2 class=rule>
 guardian.example.com	ansible_host=5.6.7.8
 </PRE>
 
-<p>After you have provisioned the machines, <a href="dns.html">create
-DNS entries for them</a> using your registrar or other service.  We
-may eventually run Bind and make the cloud machine the DNS master, but
-still getting that sorted out.</p>
+<p>Once you have machines, <a href="dns.html">create DNS entries for
+them</a> using your registrar or other service.  We may eventually run
+Bind on the cloud machine, but still getting that sorted out.</p>
 
 
 <!-- ============================== -->
 <H2 class=rule>
 <A NAME=vars></A>Variables</H2>
 
 <p>The <code>myhosts/group_vars</code> directory contains settings for
-the groups of machines in the hosts file.  Ansible looks for
+the machine groups in the hosts file.  Ansible looks for
 a <code>&lt;group-name&gt;.yml</code> file or
 a <code>&lt;group-name&gt;/</code> directory containing YML files.
 Every machine belongs to the special <code>all</code> group.</p>
 
-<p>Most of our settings are in <code>group_vars/all/all.yml</code>.
-Look through this file and customize the values as appropriate.  Some
-things that are unique to the mail and web server, and that we do not
-want to apply to the backup server, are
-in <code>group_vars/cloud.yml</code>.
+<p>Most settings are in <code>all/all.yml</code>.  Look through this
+file and customize the values as appropriate.  A few things unique to
+each machine are kept in <code>cloud.yml</code>
+and <code>backup-server.yml</code>.
 
 <p>Sensitive values like passwords are in
-<code>group_vars/all/vault.yml</code>, which will be an encrypted
+<code>all/vault.yml</code>, which will be an encrypted
 <a href="https://docs.ansible.com/ansible/latest/user_guide/vault.html">Ansible
 vault file</a>.  The <code>vault.yml</code> that you copied is not yet
-encrypted and contains placeholders.  Edit it to contain real values
-and then encrypt it with your own unique password:
+encrypted and contains placeholders.  Edit it to contain real values,
+then encrypt it with your own unique password:
 
 <PRE class=code>
 $ ansible-vault encrypt vault.yml	# encrypt plain file
@@ -221,11 +220,12 @@ <H2 class=rule>
 for <code>--ask-pass</code>.  This is the only time a password-based
 login ever happens.  Ansible needs the <code>sshpass</code> package on
 your local machine to do password-based login to a remote machine.  If
-you can pre-install an ssh key for root, you could change this
-logic.</p>
+you can pre-install an ssh key for root, you could use
+the <code>--private-key</code> flag instead.</p>
 
 <PRE class=code>
-$ ansible-playbook -k --ask-vault-pass -i ../myhosts first.yml --limit machinename
+$ ansible-playbook -k --ask-vault-pass -i ../myhosts first.yml --limit cloud
+$ ansible-playbook -k --ask-vault-pass -i ../myhosts first.yml --limit backup-server
 </PRE>
 
 <p>After this, remote password login is disabled and everything

hosts.example/group_vars/cloud.yml

@@ -56,6 +56,9 @@ webdata_root:           /var/www
 #==============================
 # Backup Directories - for mail and web server
 #
+# Should we include the rspamd dbdir /var/lib/rspamd
+# What about /var/log?
+#
 bacula_client_fileset:
   include:
     - /etc/letsencrypt

roles/mailhost/tasks/dovecot.yml

@@ -5,6 +5,12 @@
 # Dovecot for local mail delivery and IMAP access.  Do not install the
 # dovecot-pop3 package, because we will only use IMAP.
 
+# Saw the following in /var/log, might be a leftover from the default
+# install that had 143 enabled.  Only seems to show up once.  dovecot:
+# master: Error: systemd listens on port 143, but it's not configured
+# in Dovecot. Closing.
+
+
 - name: dovecot and related packages present
   package:
     state: present

roles/mailhost/tasks/postfix.yml

@@ -18,13 +18,6 @@
 
 # The queue directory must be present or else the chroot will not be
 # populated.
-
-# Seeing issue in log, has to do with socket think we were not
-# seeing it because original chroot had something we do not.
-# root@davecloud:/vault# grep "systemd listens" /var/log/mail.log 
-# Jan 23 22:55:52 davecloud dovecot: master: Error: systemd listens on port 143, but it's not configured in Dovecot. Closing.
-# Jan 23 22:55:52 davecloud dovecot: master: Error: systemd listens on port 143, but it's not configured in Dovecot. Closing.
-
 - name: other mail directories and permissions
   file: state=directory path={{item}} mode=0755
   with_items:
@@ -33,11 +26,10 @@
 
 
 # The virtual user database holds account details.  We use SQLite
-# because this small, simple, and relatively static, but you can use
-# MySQL, Maria, or Postgres if you prefer.  I've written the mailcfg
-# perl utility to manage the database.  It uses DBI and might just
-# need minor changes to the connect statement and SQL for use with
-# other RDBs.
+# because this small, simple, and relatively static, but MySQL, Maria,
+# or Postgres would also work.  I wrote the mailcfg perl script to
+# manage the database.  It uses DBI and might just need minor changes
+# to the connect statement and SQL for the other RDBs.
 - name: postfix and related packages present
   package:
     state: present
@@ -61,10 +53,11 @@
   with_items:
     - main.cf
     - master.cf
+    - denied_recipients
+    - sqlite-sender-login-maps.cf
     - sqlite-virtual-alias-maps.cf
     - sqlite-virtual-mailbox-domains.cf
     - sqlite-virtual-mailbox-maps.cf
-    - denied_recipients
   notify:
     - postmap files
     - restart postfix

roles/mailhost/templates/postfix/main.cf

@@ -64,8 +64,6 @@ virtual_alias_maps = sqlite:/etc/postfix/sqlite-virtual-alias-maps.cf
 local_recipient_maps = $virtual_mailbox_maps
 
 
-
-
 # ==============================
 # TLS parameters
 
@@ -159,7 +157,7 @@ smtpd_recipient_restrictions =
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain
 
-#Some DNS BL's - high availability:
+#Some DNS BL's - high availability:  HANDLED BY RSPAMD
 #    reject_rbl_client zen.spamhaus.org,
 #    reject_rbl_client bl.spamcop.net,
 #    reject_rbl_client dul.dnsbl.sorbs.net,
@@ -180,6 +178,11 @@ smtpd_sender_restrictions =
   reject_unknown_reverse_client_hostname
 #  reject_unknown_address
 
+# Declare owners for each FROM mail address, AUTH user can send as
+# self or an alias, relay can send as anyone.  Enforced for submission
+# and smtps in master.cf
+smtpd_sender_login_maps = sqlite:/etc/postfix/sqlite-sender-login-maps.cf
+
 # Deny any useful feedback to abusing systems by changing all errors
 # to 554: Transaction Failed
 

roles/mailhost/templates/postfix/master.cf

@@ -15,6 +15,8 @@ smtp      inet  n       -       y       -       -       smtpd
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
+
+# SMTP with STARTTLS on port 587.   Only with AUTH
 submission inet n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
@@ -23,30 +25,29 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_sasl_path=private/auth
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sender_restrictions=reject_sender_login_mismatch
   -o milter_macro_daemon_name=ORIGINATING
-#  -o smtpd_client_restrictions=$mua_client_restrictions
+# client_restrictions say only allow authenticated clients to connect
+# sender_restrictions say auth must own that address to use it.  Sql lookup
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
-#  -o smtpd_sender_restrictions=$mua_sender_restrictions
 #  -o smtpd_recipient_restrictions=
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
 
-# SMTP over SSL/TLS on port 465.
+# SMTP over SSL/TLS on port 465.   Only with AUTH
 smtps     inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sender_restrictions=reject_sender_login_mismatch
   -o milter_macro_daemon_name=ORIGINATING
   # -o smtpd_reject_unlisted_recipient=no
-  # -o smtpd_client_restrictions=$mua_client_restrictions
   # -o smtpd_helo_restrictions=$mua_helo_restrictions
-  # -o smtpd_sender_restrictions=$mua_sender_restrictions
   # -o smtpd_recipient_restrictions=
   # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-  # -o milter_macro_daemon_name=ORIGINATING
+
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup

roles/mailhost/templates/postfix/sqlite-sender-login-maps.cf

@@ -0,0 +1,9 @@
+
+# Simple SQLite query for sender/login map.  Returns list of AUTH
+# logins that are allowed to send as a given address.  For a given
+# address, this includes the address (if an auth user), the alias
+# destination (if an alias), and the relay user if the address is one
+# that we handle mail for.
+
+dbpath = {{ mail_db }}
+query = SELECT email FROM users WHERE email='%s' AND active=1 UNION SELECT dst FROM aliases WHERE src='%s' UNION SELECT 'relay@{{domain}}' FROM domains WHERE name='%d'