[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.6-44-gcddc730
Andreas B. Mundt
andi at debian.org
Thu Sep 20 12:17:55 UTC 2012
The following commit has been merged in the master branch:
commit ba97bd6dd310af5e032465a22f9240ff622e3e8f
Author: Andreas B. Mundt <andi at debian.org>
Date: Wed Sep 19 13:58:32 2012 +0200
Implement a kerberized SMTP/IMAP server in the MAIL_SERVER class.
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index df3658e..8891c40 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
@@ -38,7 +38,7 @@ FLAVOR="LVM7_A"
#FLAVOR="RAIDLVM8_A RAID DISKLESS_SERVER" ## diskless, RAID1
#FLAVOR="RAIDLVM7BAK_A RAID DISKLESS_SERVER" ## diskless, RAID1, backup disk
-MAINSERVER_A="$FLAVOR LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER \
+MAINSERVER_A="$FLAVOR LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER MAIL_SERVER \
LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP SERVER_A"
WORKSTATION_A="LVM5_A LOG_CLIENT LDAP_CLIENT NFS_CLIENT KERBEROS_CLIENT CLIENT_A"
diff --git a/fai/config/debconf/MAIL_SERVER b/fai/config/debconf/MAIL_SERVER
new file mode 100644
index 0000000..e7eace7
--- /dev/null
+++ b/fai/config/debconf/MAIL_SERVER
@@ -0,0 +1,5 @@
+exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; received via SMTP or fetchmail
+exim4-config exim4/mailname string mail.intern
+exim4-config exim4/dc_localdelivery select Maildir format in home directory
+exim4-config exim4/use_split_config boolean true
+exim4-config exim4/dc_local_interfaces string
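Review bot: `exim4/dc_local_interfaces` is preseeded to an empty string, which exim4-config treats as "listen on all interfaces" rather than the loopback-only default; for a server that is meant to accept authenticated SMTP from LAN clients that is presumably intended, but it also exposes the daemon on any other interface the host has. Recording the intent, e.g. a preceding `# empty = listen on all interfaces (LAN clients submit via SMTP)` line if the preseed loader accepts comments, or restricting the value to the LAN address once it is known, would make the exposure deliberate rather than incidental.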
diff --git a/fai/config/package_config/MAIL_SERVER b/fai/config/package_config/MAIL_SERVER
new file mode 100644
index 0000000..fe1140e
--- /dev/null
+++ b/fai/config/package_config/MAIL_SERVER
@@ -0,0 +1,4 @@
+PACKAGES aptitude
+exim4-daemon-heavy
+dovecot-imapd
+dovecot-gssapi
diff --git a/fai/config/scripts/CLIENT_A/40-maildir b/fai/config/scripts/CLIENT_A/40-maildir
new file mode 100755
index 0000000..293f4b7
--- /dev/null
+++ b/fai/config/scripts/CLIENT_A/40-maildir
@@ -0,0 +1,21 @@
+#!/usr/sbin/cfagent -f
+
+control:
+ any::
+ actionsequence = ( editfiles )
+ EditFileSize = ( 30000 )
+
+editfiles:
+ any::
+ { ${target}/etc/environment
+ ## Set MAIL variable:
+ AppendIfNoSuchLine "MAIL=~/Maildir"
+ }
+ { ${target}/etc/pam.d/login
+ ## Set MAIL variable:
+ ReplaceAll "pam_mail.so standard" With "pam_mail.so dir=~/Maildir"
+ }
+ { ${target}/etc/pam.d/sshd
+ ## Set MAIL variable:
+ ReplaceAll "pam_mail.so standard noenv" With "pam_mail.so dir=~/Maildir"
+ }
diff --git a/fai/config/scripts/KDC_LDAP/10-slapd-KDC b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
index 90359ee..64da0e2 100755
--- a/fai/config/scripts/KDC_LDAP/10-slapd-KDC
+++ b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
@@ -157,6 +157,16 @@ init_KDC() {
$ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.ldap ldap/mainserver.intern"
$ROOTCMD chown -v openldap:openldap /etc/krb5.keytab.ldap
+ if ifclass MAIL_SERVER ; then
+ $ROOTCMD kadmin.local -q "addprinc -randkey smtp/mainserver.intern"
+ $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/mainserver.intern"
+ $ROOTCMD chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp
+
+ $ROOTCMD kadmin.local -q "addprinc -randkey imap/mainserver.intern"
+ $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.imap imap/mainserver.intern"
+ $ROOTCMD chown dovecot:dovecot /etc/krb5.keytab.imap
+ fi
+
echo "Initializing KDC finished. "
}
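Review bot: The two new keytabs are chown'd but never chmod'd, so their mode is whatever `ktadd` created them with; adding `$ROOTCMD chmod 600 /etc/krb5.keytab.smtp` and `$ROOTCMD chmod 600 /etc/krb5.keytab.imap` after the respective chown pins the intent instead of relying on the tool's default. The new chown calls also drop the `-v` used on the ldap keytab line just above; keeping the same form would make the three keytab blocks read alike. Because the block sits inside init_KDC, the smtp/ and imap/ principals are, as far as this hunk shows, only created when the KDC is initialized — adding MAIL_SERVER to an already-installed mainserver would leave them missing, which deserves a comment if that is accepted. init_KDC begins before this hunk.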
diff --git a/fai/config/scripts/MAIL_SERVER/10-exim b/fai/config/scripts/MAIL_SERVER/10-exim
new file mode 100755
index 0000000..99d4189
--- /dev/null
+++ b/fai/config/scripts/MAIL_SERVER/10-exim
@@ -0,0 +1,36 @@
+#!/usr/sbin/cfagent -f
+
+control:
+ any::
+ actionsequence = ( editfiles )
+ EditFileSize = ( 30000 )
+
+editfiles:
+ any::
+ { ${target}/etc/default/exim4
+ AppendIfNoSuchLine "KRB5_KTNAME=/etc/krb5.keytab.smtp; export KRB5_KTNAME"
+ }
+
+ { ${target}/etc/exim4/conf.d/auth/30_exim4-config_examples
+ BeginGroupIfNoSuchLine "# Authenticate via kerberos/GSSAPI:"
+ AppendIfNoSuchLine "# Authenticate via kerberos/GSSAPI:"
+ AppendIfNoSuchLine "auth_gssapi:"
+ AppendIfNoSuchLine " driver = cyrus_sasl"
+ AppendIfNoSuchLine " server_hostname = mail"
+ AppendIfNoSuchLine " server_realm = INTERN"
+ AppendIfNoSuchLine " server_mech = gssapi"
+ AppendIfNoSuchLine " public_name = GSSAPI"
+ AppendIfNoSuchLine " server_set_id = $auth1"
+ AppendIfNoSuchLine " server_advertise_condition = $(dollar){if def:tls_cipher}"
+ EndGroup
+ }
+
+ { ${target}/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
+ BeginGroupIfNoSuchLine " # Compare sender and kerberos ticket:"
+ LocateLineMatching "acl_check_rcpt:"
+ InsertLine ""
+ InsertLine " # Compare sender and kerberos ticket:"
+ InsertLine " deny condition = $(dollar){if eq{$authenticated_id}{$sender_address_local_part at INTERN}{false}{true}}"
+ InsertLine " message = Sender address $sender_address conflicts with authentication $authenticated_id."
+ EndGroup
+ }
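Review bot: The deny inserted after `acl_check_rcpt:` carries no `authenticated = *` condition, so its `condition` is also evaluated for unauthenticated connections, where $authenticated_id is empty and the comparison fails — every unauthenticated RCPT would then be refused, presumably including hosts in relay_from_hosts and local submission. If only authenticated senders are meant to be checked, add `InsertLine " authenticated = *"` ahead of the `condition` line; if refusing all unauthenticated SMTP is the intent, the inserted comment should say so. Separately, the authenticator uses `server_hostname = mail` while the keytab created in 10-slapd-KDC holds smtp/mainserver.intern; worth confirming that the SASL layer resolves both to the same service principal before this is relied on.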
diff --git a/fai/config/scripts/MAIL_SERVER/20-dovecot b/fai/config/scripts/MAIL_SERVER/20-dovecot
new file mode 100755
index 0000000..3ddfb1f
--- /dev/null
+++ b/fai/config/scripts/MAIL_SERVER/20-dovecot
@@ -0,0 +1,13 @@
+#!/usr/sbin/cfagent -f
+
+control:
+ any::
+ actionsequence = ( editfiles )
+ EditFileSize = ( 30000 )
+
+editfiles:
+ any::
+ { ${target}/etc/dovecot/conf.d/10-auth.conf
+ ReplaceAll "#auth_krb5_keytab =.*" With "auth_krb5_keytab = /etc/krb5.keytab.imap"
+ ReplaceAll "auth_mechanisms = plain" With "auth_mechanisms = gssapi plain"
+ }
diff --git a/fai/config/scripts/MAIL_SERVER/30-certs b/fai/config/scripts/MAIL_SERVER/30-certs
new file mode 100755
index 0000000..7308a72
--- /dev/null
+++ b/fai/config/scripts/MAIL_SERVER/30-certs
@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Create a self-signed certificate for exim4 and switch on TLS.
+# Inspired by: /usr/share/doc/exim4-base/examples/exim-gencert
+#
+
+set -e
+
+## Activate TLS:
+FILE=/etc/exim4/conf.d/main/000_localmacros
+ainsl -a $FILE "MAIN_TLS_ENABLE = yes"
+
+
+## Create certificate:
+
+DIR=/etc/exim4
+CERT=$DIR/exim.crt
+KEY=$DIR/exim.key
+
+# valid for ten years:
+DAYS=3650
+
+if [ -f $target/$CERT ] && [ -f $target/$KEY ]; then
+ echo "$CERT and $KEY exists, exiting!"
+ exit 0
+fi
+
+SSLEAY="$(tempfile -m600 -pexi)"
+
+cat > $target/$SSLEAY <<EOF
+RANDOM=/dev/random
+[ req ]
+default_bits = 1024
+default_keyfile = exim.key
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+[ req_distinguished_name ]
+O = Debian-LAN SMTP server
+OU = Automatically-generated SMTP SSL key
+CN = mainserver.intern
+emailAddress = postmaster at mail.intern
+[ v3_req ]
+nsCertType = server
+subjectAltName=DNS:mainserver.intern,DNS:mainserver,DNS:mail.intern,DNS:mail,DNS:localhost
+EOF
+
+$ROOTCMD openssl req -config $SSLEAY -x509 -newkey rsa:1024 -keyout $KEY -out $CERT -days $DAYS -nodes
+rm -f $SSLEAY
+
+$ROOTCMD chown root:Debian-exim $KEY $CERT
+$ROOTCMD chmod 640 $KEY $CERT
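Review bot: The key size `rsa:1024` (and `default_bits = 1024` in the generated config) is below what is generally recommended for a newly issued certificate; `-newkey rsa:2048` and `default_bits = 2048` cost nothing here since the key is generated once at install time. The cleanup removes only the host-side file: `tempfile` creates `$SSLEAY` on the running system, but the config is written to `$target/$SSLEAY` and that copy is left behind in the target's /tmp — `rm -f "$SSLEAY" "$target/$SSLEAY"` removes both. The `RANDOM=/dev/random` line in the heredoc does not look like a recognized openssl config directive; if it was carried over from exim-gencert, confirm whether it has any effect or drop it.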