From 9b30664a41a9c27cedc3c8061ff6c9853f1f3f06 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 5 Dec 2021 11:54:39 -0600
Subject: [PATCH] Enable MySQL user accounts
---
 README.md | 74 ++++++++++++++++++-
 .../35/etc/dovecot/dovecot-sql.conf.ext | 8 ++
 templates/Fedora/35/etc/dovecot/local.conf | 6 ++
 vars/Fedora-35-default.yml | 5 ++
 4 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 templates/Fedora/35/etc/dovecot/dovecot-sql.conf.ext
 create mode 100644 templates/Fedora/35/etc/dovecot/local.conf
diff --git a/README.md b/README.md
index 225dd44..bda1991 100644
--- a/README.md
+++ b/README.md
@@ -6,12 +6,82 @@ A brief description of the role goes here. Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Create database for MySQL/MariaDB with : + +``` +CREATE DATABASE IF NOT EXISTS `mailserver` DEFAULT CHARACTER SET utf8mb4; +USE `mailserver`; + +CREATE TABLE IF NOT EXISTS `virtual_domains` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(255) NOT NULL, + PRIMARY KEY (`id`) +) DEFAULT CHARSET=utf8mb4 CHECKSUM=1; + +CREATE TABLE IF NOT EXISTS `virtual_aliases` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `domain_id` int(11) NOT NULL, + `source` varchar(255) NOT NULL, + `destination` varchar(255) NOT NULL, + PRIMARY KEY (`id`), + KEY `domain_id` (`domain_id`), + CONSTRAINT `virtual_aliases_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE +) DEFAULT CHARSET=utf8mb4 CHECKSUM=1; + +CREATE TABLE IF NOT EXISTS `virtual_users` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `domain_id` int(11) NOT NULL, + `password` varchar(106) NOT NULL, + `email` varchar(255) NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `email` (`email`), + KEY `domain_id` (`domain_id`), + CONSTRAINT `virtual_users_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE +) DEFAULT CHARSET=utf8mb4 CHECKSUM=1; +``` + +Create an account to access MySQL/MariaDB with : + +``` +GRANT SELECT ON mailserver.* TO 'mailserver'@'%' IDENTIFIED BY 'changeme'; +FLUSH PRIVLEGES; +``` + +New users created via the following SQL : + +``` +INSERT INTO `virtual_domains` + (`name`) +VALUES + ('example.com'); + +SELECT * +FROM `virtual_domains` +WHERE `name`='example.com'; + +INSERT INTO `virtual_users` + (`domain_id`, `password`, `email`) +VALUES + ('1', ENCRYPT('changeme', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 
'webmaster@example.com'); +``` + +In the above example, the MySQL/MariaDB ENCRYPT() function calls the OS crypt(3) function. The above uses a random 16 character SALT to encrypt, and selects the SHA-512 crypt method. Other available crypt methods are as follows : + +| ID | Method | +| - | - | +| 1 | MD5 | +| 5 | SHA-256 (glibc >= 2.7) | +| 6 | SHA-512 (glibc >= 2.7) | Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +| Variable | Default | Description | +| - | - | - | +| dovecot_mysql_server | undefined | Server to connect to | +| dovecot_mysql_database | undefined | Database with MySQL to use | +| dovecot_mysql_username | undefined | Username with read only rights | +| dovecot_mysql_password | undefined | Password for read only user | Dependencies ------------ diff --git a/templates/Fedora/35/etc/dovecot/dovecot-sql.conf.ext b/templates/Fedora/35/etc/dovecot/dovecot-sql.conf.ext new file mode 100644 index 0000000..f621fb8 --- /dev/null +++ b/templates/Fedora/35/etc/dovecot/dovecot-sql.conf.ext @@ -0,0 +1,8 @@ +{% if dovecot_mysql_server is defined and dovecot_mysql_database is defined and dovecot_mysql_username is defined and dovecot_mysql_password is defined %} +driver = mysql +connect = host={{ dovecot_mysql_server }} dbname={{ dovecot_mysql_database }} user={{ dovecot_mysql_username }} password={{ dovecot_mysql_password }} +default_pass_scheme = SHA512-CRYPT +password_query = SELECT email AS user, password FROM virtual_users WHERE email='%u'; +user_query = SELECT email AS user FROM virtual_users WHERE email='%u'; +iterate_query = SELECT email AS user FROM users; +{% endif %$} 
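Review bot: The last added line of dovecot-sql.conf.ext closes the conditional with `{% endif %$}`; the stray `$` is not a valid Jinja block end, so the template task will fail to render (or, at best, leave the block unclosed) and the file never reaches the host. Change it to `{% endif %}`. On the `iterate_query` line the table is `users`, whereas `password_query`, `user_query` and the schema given in the README all use `virtual_users`, so any user iteration (doveadm wildcard operations) would error against the documented schema; use `iterate_query = SELECT email AS user FROM virtual_users;`. The `connect` line writes the database password into the rendered file, which is what the `mode: '0600'` added for this template in vars/Fedora-35-default.yml protects, so that mode should be kept in step with this template.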
diff --git a/templates/Fedora/35/etc/dovecot/local.conf b/templates/Fedora/35/etc/dovecot/local.conf new file mode 100644 index 0000000..b29b3ef --- /dev/null +++ b/templates/Fedora/35/etc/dovecot/local.conf @@ -0,0 +1,6 @@ +!include conf.d/auth-sql.conf.ext +mail_location = maildir:/var/spool/mail/%d/%n +mail_privileged_group = mail +first_valid_uid = 0 +mail_uid = mail +mail_gid = mail diff --git a/vars/Fedora-35-default.yml b/vars/Fedora-35-default.yml index e1f6671..0b84c08 100644 --- a/vars/Fedora-35-default.yml +++ b/vars/Fedora-35-default.yml @@ -79,3 +79,8 @@ template_list: src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dovecot/conf.d/90-sieve.conf' - dest: '/etc/dovecot/dovecot.conf' src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dovecot/dovecot.conf' + - dest: '/etc/dovecot/dovecot-sql.conf.ext' + mode: '0600' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dovecot/dovecot-sql.conf.ext' + - dest: '/etc/dovecot/local.conf' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dovecot/local.conf'
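Review bot: The first line of local.conf, `!include conf.d/auth-sql.conf.ext`, is unconditional, but dovecot-sql.conf.ext in this same commit renders as an empty file whenever any of the four dovecot_mysql_* variables is undefined, so the SQL passdb/userdb would then be enabled with no driver or queries and Dovecot would refuse to start. Either guard the include with the same `{% if dovecot_mysql_server is defined and ... %}` condition or make the SQL template unconditional and document the variables as required. Separately, `first_valid_uid = 0` is broader than the setup needs: with `mail_uid = mail` only that account's uid has to be permitted, so set `first_valid_uid` to the `mail` user's uid rather than 0 (presumably the reason it was lowered from the default is that this uid is below it), which keeps every other low system uid excluded from logging in.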