changeset 311:51d3748f8112

Configure Dovecot (IMAP) for PROXY protocol use. Includes moving firewall rules into the Dovecot class to keep things closer together, and swapping to a template so that we can put specific values in for IPs.
author IBBoard <dev@ibboard.co.uk>
date Sun, 23 Feb 2020 16:00:41 +0000
parents e9a7e504598b
children 490d7ec20172
files manifests/nodes.pp manifests/templates.pp modules/dovecot/manifests/init.pp modules/dovecot/templates/99-imap-only.conf.erb
diffstat 4 files changed, 58 insertions(+), 14 deletions(-) [+]
--- a/manifests/nodes.pp	Sun Feb 23 15:43:51 2020 +0000
+++ b/manifests/nodes.pp	Sun Feb 23 16:00:41 2020 +0000
@@ -22,6 +22,7 @@
 		proxy_upstream => ['2a00:1098::82:1000:3b:1:1', '2a00:1098::80:1000:3b:1:1'],
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
+		imapserver_proxy => '2a00:1098:82:52::01d4:03',
 		firewall_cmd => 'iptables',
 	}
 	# If the console fails to start, you may need to run "restorecon /etc/systemd/system/getty.target.wants/*"
--- a/manifests/templates.pp	Sun Feb 23 15:43:51 2020 +0000
+++ b/manifests/templates.pp	Sun Feb 23 16:00:41 2020 +0000
@@ -32,6 +32,7 @@
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
+	$imapserver_proxy = undef,
 	$firewall_cmd = 'iptables',
 	) {
 
@@ -73,6 +74,9 @@
 	class { 'email':
 		mailserver => $mailserver,
 		imapserver => $imapserver,
+		mailserver_ip => $primary_ip,
+		imapserver_proxy => $imapserver_proxy,
+		proxy_upstream => $proxy_upstream,
 	}
 }
 
@@ -146,11 +150,6 @@
 		proto => tcp,
 		action => accept,
 	}
-	firewall { '102 allow IMAPS':
-		dport => 993,
-		proto => tcp,
-		action => accept,
-	}
 	# Note: SSH port will be managed separately as we 
 	# put it on a different port to hide from script kiddy noise
 }
@@ -469,6 +468,7 @@
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
+	$imapserver_proxy = undef,
 	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
@@ -477,6 +477,7 @@
 		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
+		imapserver_proxy => $imapserver_proxy,
 		firewall_cmd => $firewall_cmd,
 	}
 
@@ -707,6 +708,9 @@
 class email (
 	$mailserver,
 	$imapserver,
+	$mailserver_ip,
+	$imapserver_proxy = undef,
+	$proxy_upstream = [],
 	){
 	class { 'postfix':
 		mailserver => $mailserver,
@@ -714,6 +718,9 @@
 	}
 	class { 'dovecot':
 		imapserver => $imapserver,
+		imapserver_ip => $mailserver_ip,
+		imapserver_proxy => $imapserver_proxy,
+		proxy_upstream => $proxy_upstream,
 	}
 	# Unspecified SpamAssassin config dependencies that started
 	# showing up as errors in our logs
--- a/modules/dovecot/manifests/init.pp	Sun Feb 23 15:43:51 2020 +0000
+++ b/modules/dovecot/manifests/init.pp	Sun Feb 23 16:00:41 2020 +0000
@@ -1,5 +1,8 @@
 class dovecot (
 	$imapserver,
+	$imapserver_ip,
+	$imapserver_proxy = undef,
+	$proxy_upstream = [],
 	) {
 	package { 'dovecot':
 		ensure => installed,
@@ -10,15 +13,7 @@
 		require => Package['dovecot'],
 	}
 	file { '/etc/dovecot/conf.d/99-imap-only.conf':
-		content => 'protocols = imap
-service imap-login {
-  # Only allow IMAP locally and IMAPS externally
-  inet_listener imap {
-     address = 127.0.0.1
-  }
-  inet_listener imaps {
-  }
-}',
+		content => template('dovecot/99-imap-only.conf.erb'),
 	}
 	file { '/etc/dovecot/conf.d/99-extra.conf':
 		content => 'mail_location = maildir:/var/mail/vhosts/%d/%n:INBOX=/var/mail/vhosts/%d/%n/Inbox
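Review bot: The `file` resource for `/etc/dovecot/conf.d/99-imap-only.conf` still has no `notify`, and the only `subscribe` shown on the dovecot service (in the following hunk) is `Package['dovecot']`, so switching this file to a template whose output now varies per node (proxy listener, trusted networks) will rewrite the file without restarting Dovecot unless a chain arrow elsewhere in the class links them. Adding `notify => Service[<dovecot service title>],` to this resource (the service's title is outside the hunk) makes a change to the proxy settings take effect on the next run instead of at the next unrelated restart. The same applies to the `99-extra.conf` resource whose start is visible at the bottom of the hunk.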
@@ -61,4 +56,21 @@
 		enable => true,
 		subscribe => Package['dovecot'],
 	}
+	firewall { '102 allow IMAPS':
+		destination => $imapserver_ip,
+		dport => 993,
+		proto => tcp,
+		action => accept,
+	}
+	if $imapserver_proxy != undef {
+		$proxy_upstream.each |Stdlib::IP::Address::V6 $upstream_addr| {
+			firewall { "100 limit PROXY protocol for IMAP to upstream $upstream_addr":
+				source => $upstream_addr,
+				destination => $imapserver_proxy,
+				dport => 993,
+				proto => tcp,
+				action => accept,
+			}
+		}
+	}
 }
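Review bot: The `if $imapserver_proxy != undef` guard does not check that `$proxy_upstream` is non-empty, so with the class defaults (`$proxy_upstream = []`) and a proxy address set, the `.each` creates no firewall accept rule while the template (next hunk) still enables the `imaps_proxy` listener with `haproxy = yes` and emits an empty `haproxy_trusted_networks`; the result is a listener that is bound but unreachable and a configuration whose intent is unclear to whoever debugs it. A compile-time check before the `.each`, `if $imapserver_proxy != undef and empty($proxy_upstream) { fail('dovecot: imapserver_proxy requires a non-empty proxy_upstream') }`, turns that into an explicit catalog failure. The pairing of the source-restricted `100` rule with `haproxy_trusted_networks` is the right shape, since the PROXY header is only honoured from those upstreams, and a one-line comment above the loop saying so (`# Only the upstream proxies may speak PROXY protocol to this listener; Dovecot enforces the same list via haproxy_trusted_networks`) would keep the two settings from drifting apart.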
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/dovecot/templates/99-imap-only.conf.erb	Sun Feb 23 16:00:41 2020 +0000
@@ -0,0 +1,24 @@
+protocols = imap
+service imap-login {
+  # Only allow IMAP locally and IMAPS externally
+  inet_listener imap {
+    address = 127.0.0.1
+  }
+  inet_listener imaps {
+    address = <%= @imapserver_ip %>
+    ssl = yes
+  }
+<% if @imapserver_proxy -%>
+  # If we're running a 6-to-4 proxy then add it on the proxy IP
+  inet_listener imaps_proxy {
+    address = <%= @imapserver_proxy %>
+    port = 993
+    ssl = yes
+    haproxy = yes
+  }
+<% end -%>
+}
+<% if @imapserver_proxy -%>
+# And set the trusted proxy servers if we're using them
+haproxy_trusted_networks = <%= @proxy_upstream.join(' ') %>
+<% end -%>
\ No newline at end of file
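Review bot: The `imaps` listener now binds `address = <%= @imapserver_ip %>` where the previous inline config had no `address` and so listened on every interface; that narrowing is deliberate given the separate proxy listener, but nothing in the template says so, and a reader comparing with the old config will assume an omission. A comment on that line, `# Bind IMAPS to the primary address only; the PROXY-protocol listener below gets its own address`, records the intent. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the template is new.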