[main-mx] Ajout de policyd (cluebringer) pour appliquer des quotas smtp

Bundler/policyd.xml

@@ -0,0 +1,5 @@
+<Bundle name="policyd">
+    <Package name="postfix-cluebringer"/>
+    <Path name="/etc/cluebringer/cluebringer.conf"/>
+    <Path name="/etc/cluebringer/cluebringer-webui.conf"/>
+</Bundle>

Cfg/etc/cluebringer/cluebringer-webui.conf/cluebringer-webui.conf

@@ -0,0 +1,17 @@
+<?php
+
+# mysql:host=xx;dbname=yyy
+# pgsql:host=xx;dbname=yyy
+# sqlite:////full/unix/path/to/file.db?mode=0666
+#
+#$DB_DSN="sqlite:////tmp/cluebringer.sqlite";
+$DB_DSN="pgsql:host=pgsql.adm.crans.org;dbname=policyd";
+#$DB_DSN="mysql:host=xx;dbname=yyy";
+
+#$DB_DSN="DBI:Pg:database=policyd;host=pgsql.adm.crans.org";
+#$DB_DSN="_DBC_DBTYPE_:host=_DBC_DBSERVER_;dbname=_DBC_DBNAME_";
+$DB_USER="cluebringer";
+#$DB_PASS="_DBC_DBPASS_";
+
+
+?>

Cfg/etc/cluebringer/cluebringer-webui.conf/info.xml

@@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='root' perms='0644'/>
+</FileInfo>

Cfg/etc/cluebringer/cluebringer.conf/cluebringer.conf

@@ -0,0 +1,187 @@
+#
+# Server configuration
+#
+[server]
+
+# Protocols to load
+protocols=<<EOT
+Postfix
+#Bizanga
+EOT
+
+# Modules to load
+modules=<<EOT
+Core
+#AccessControl
+#CheckHelo
+#CheckSPF
+#Greylisting
+Quotas
+EOT
+
+# User to run this daemon as
+user=cluebringer
+group=cluebringer
+
+# Filename to store pid of parent process
+pid_file=/var/run/cluebringer/cbpolicyd.pid
+
+# Uncommenting the below option will prevent cbpolicyd going into the background
+#background=no
+
+# Preforking configuration
+#
+# min_server		- Minimum servers to keep around
+# min_spare_servers	- Minimum spare servers to keep around ready to 
+# 			  handle requests
+# max_spare_servers	- Maximum spare servers to have around doing nothing
+# max_servers		- Maximum servers alltogether
+# max_requests		- Maximum number of requests each child will serve
+#
+# One may want to use the following as a rough guideline...
+# Small mailserver:  2, 2, 4, 10, 1000
+# Medium mailserver: 4, 4, 12, 25, 1000
+# Large mailserver: 8, 8, 16, 64, 1000
+#
+#min_servers=4
+#min_spare_servers=4
+#max_spare_servers=12
+#max_servers=25
+#max_requests=1000
+
+
+
+# Log level:
+# 0 - Errors only
+# 1 - Warnings and errors
+# 2 - Notices, warnings, errors
+# 3 - Info, notices, warnings, errors
+# 4 - Debugging 
+#log_level=2
+
+# File to log to instead of stdout
+#log_file=/var/log/cbpolicyd.log
+
+# Log destination for mail logs...
+# main		- Default. Log to policyd's main log mechanism, accepts NO args
+# syslog	- log mail via syslog
+#			format: log_mail=facility@method,args
+#
+# Valid methods for syslog:
+# native	- Let Sys::Syslog decide
+# unix		- Unix socket
+# udp		- UDP socket
+# stream	- Stream (for Solaris)
+#
+# Example: unix native
+#log_mail=mail@syslog:native
+#
+# Example: unix socket 
+#log_mail=mail@syslog:unix
+#
+# Example: udp
+#log_mail=mail@syslog:udp,127.0.0.1
+#
+# Example: Solaris 
+#log_mail=local0@syslog:stream,/dev/log
+#log_mail=maillog
+log_mail=mail@syslog:native
+
+# Things to log in extreme detail
+# modules 	- Log detailed module running information
+# tracking 	- Log detailed tracking information
+# policies 	- Log policy resolution
+# protocols 	- Log general protocol info, but detailed
+# bizanga 	- Log the bizanga protocol
+#
+# There is no default for this configuration option. Options can be
+# separated by commas. ie. protocols,modules
+#
+#log_detail=
+
+# IP to listen on, * for all
+#host=*
+host=127.0.0.1
+
+# Port to run on
+#port=10031
+
+# Timeout in communication with clients
+#timeout=120
+
+# cidr_allow/cidr_deny
+# Comma, whitespace or semi-colon separated. Contains a CIDR block to 
+# compare the clients IP to.  If cidr_allow or cidr_deny options are 
+# given, the incoming client must match a cidr_allow and not match a 
+# cidr_deny or the client connection will be closed.
+#cidr_allow=0.0.0.0/0
+#cidr_deny=
+
+
+
+[database]
+#DSN=DBI:SQLite:dbname=policyd.sqlite
+#DSN=DBI:mysql:database=policyd;host=localhost
+DSN=DBI:Pg:database=policyd;host=pgsql.adm.crans.org
+#DSN=DBI:_DBC_DBTYPE_:dbname=_DBC_DBNAME_;host=_DBC_DBSERVER_
+## Debian
+# DB_Type can be one of - pgsql, mysql or sqlite3
+# DB_Host is ignored for sqlite3. For pgsql and mysql it should be left 
+#         unset or as 'localhost' if you wish to use unix sockets to communicate
+#         with the database. To use TCP/IP to connect to a local database set 
+#         '127.0.0.1' as the value. Otherwise use the hostname or IP address of 
+#         the database server.
+# DB_Port is ignored for sqlite3. For pgsql it will default to '5432' and 
+#         for mysql the default is '3306'. If you are running your database server
+#         on a non-standard port you should set it's value here.
+# DB_Name defaults to '/var/lib/cluebringer/cluebringer.db' for sqlite3, if you 
+#         wish to use another file for the database set it's full path here and 
+#         ensure that the cluebringer user can read and write not only the file
+#         but the directory it lives in. For pgsql and mysql this will 
+#         default to 'cluebringer', otherwise you should set the name of the 
+#         database here.
+
+DB_Type=pgsql
+DB_Host=pgsql.adm.crans.org
+#DB_Port=5432
+DB_Name=policyd
+#Username=_DBC_DBUSER_
+#Password=_DBC_DBPASS_
+
+
+# What do we do when we have a database connection problem
+# tempfail	- Return temporary failure
+# pass		- Return success
+bypass_mode=tempfail
+
+# How many seconds before we retry a DB connection
+bypass_timeout=30
+
+
+
+# Access Control module
+[AccessControl]
+enable=0
+
+
+# Greylisting module
+[Greylisting]
+enable=0
+
+
+# CheckHelo module
+[CheckHelo]
+enable=0
+
+
+# CheckSPF module
+[CheckSPF]
+enable=0
+
+
+# Quotas module
+[Quotas]
+enable=1
+
+
+

Cfg/etc/cluebringer/cluebringer.conf/info.xml

@@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='root' perms='0644'/>
+</FileInfo>

Metadata/groups.xml

@@ -728,6 +728,7 @@
     <!-- Ca c'est pour distinguer les smtp qui ne sont utilise que en
      interne comme le serveur des adherents par exemple -->
    <Group name="mail-mx-public"/>
+   <Group name="policyd"/>
   </Group>
 
   <Group name="mail-mx-secondary"
@@ -1465,6 +1466,11 @@
    <Bundle name="munin-node"/>
   </Group>
 
+  <Group name="policyd">
+   <Group name="php" comment="Pour l'interface d'admin de policyd" />
+   <Bundle name="policyd"/>
+  </Group>
+
   <Group name="munin-server"
     category="supervisor-server">
     <Bundle name="munin-server" />

Python/etc/postfix/main.cf

@@ -238,8 +238,13 @@ if mx:
 @smtpd_sender_restrictions=reject_unknown_sender_domain
 @
 @## Filtrage au RCPT TO
-@# permet si le client est dans le reseau local
-@smtpd_recipient_restrictions=permit_mynetworks
+if main:
+    @# test contre cluebringer pour les quota / rate par utilisateur sasl
+    @smtpd_recipient_restrictions=check_policy_service inet:127.0.0.1:10031
+    @# permet si le client est dans le reseau local
+    @                          permit_mynetworks
+else:
+    @smtpd_recipient_restrictions=permit_mynetworks
 @# rejette les recipients sans nom de domaine totalement qualifie
 add("reject_non_fqdn_recipient")
 if main:
@@ -254,6 +259,8 @@ if public:
     add("check_policy_service inet:127.0.0.1:2501")
 @# jette le reste
 @
+if main:
+    @smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
 @# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
 message_size_limit = 20971520
 mailbox_size_limit = 78643000

Rules/policyd.xml

@@ -0,0 +1,5 @@
+<Rules priority="1">
+  <Group name="policyd">
+    <Service type="deb" name="postfix-cluebringer" status="on"/>
+  </Group>
+</Rules>