Remove indices from mailserver SQL schema and added send-only users.

group_vars/sovereign

@@ -11,28 +11,27 @@ admin_email: "{{ main_user_name }}@{{ domain }}"
 
 virtual_domains:
   - name: "{{ domain }}"
-    pk_id: 1
     doc_root: "/var/www/{{ domain }}"
 
 mail_virtual_users:
   - account: "{{ main_user_name }}"
     domain: "{{ domain }}"
-    password: "{{ 'changeme' | doveadm_pw_hash }}"
-    domain_pk_id: 1
+    password: "{{ lookup('password', secret + '/' + 'mail_main_user_password length=20') | doveadm_pw_hash }}"
+    sendonly: 0
+  - account: "noreply"
+    domain: "{{ domain }}"
+    password: "{{ lookup('password', secret + '/' + 'mail_noreply_password length=20') | doveadm_pw_hash }}"
+    sendonly: 1
 
 mail_virtual_aliases:
   - source: "root@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
   - source: "postmaster@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
   - source: "webmaster@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
   - source: "abuse@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
 
 common_timezone: 'Etc/UTC'
 

roles/mailserver/defaults/main.yml

@@ -20,27 +20,22 @@ friendly_networks:
 
 virtual_domains:
   - name: "{{ domain }}"
-    pk_id: 1
     doc_root: "/var/www/{{ domain }}"
 
 mail_virtual_users:
   - account: "{{ main_user_name }}"
     domain: "{{ domain }}"
     password: "{{ lookup('password', secret + '/' + 'mail_main_user_password length=20') | doveadm_pw_hash }}"
-    domain_pk_id: 1
+    sendonly: 0
 
 mail_virtual_aliases:
   - source: "root@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
   - source: "postmaster@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
   - source: "webmaster@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
   - source: "abuse@{{ domain }}"
     destination: "{{ admin_email }}"
-    domain_pk_id: 1
 
 zpush_timezone: "{{ common_timezone | default('Etc/UTC') }}"

roles/mailserver/files/etc_postfix_master.cf

@@ -20,6 +20,7 @@ submission inet  n       -       -       -       -       smtpd
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
   -o smtpd_sasl_security_options=noanonymous,noplaintext
   -o smtpd_sasl_tls_security_options=noanonymous
+  -o smtpd_sender_login_maps=pgsql:/etc/postfix/pgsql-sender-login-maps.cf
 
 # SMTP over SSL/TLS on port 465.
 #smtps     inet  n       -       -       -       -       smtpd

roles/mailserver/tasks/postfix.yml

@@ -89,6 +89,8 @@
     - pgsql-virtual-alias-maps.cf
     - pgsql-virtual-mailbox-domains.cf
     - pgsql-virtual-mailbox-maps.cf
+    - pgsql-recipient-access.cf
+    - pgsql-sender-login-maps.cf
   notify: restart postfix
 
 - name: Set firewall rules for postfix

roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2

@@ -103,7 +103,7 @@ default_pass_scheme = SHA512-CRYPT
 #  SELECT username, domain, password \
 #  FROM users WHERE username = '%n' AND domain = '%d'
 
-password_query = SELECT email AS user, password FROM virtual_users WHERE email = '%u';
+password_query = SELECT username AS user, domain, password FROM virtual_users WHERE username = '%n' AND domain = '%d' and sendonly = false;
 
 # userdb query to retrieve the user information. It can return fields:
 #   uid - System UID (overrides mail_uid setting)
@@ -136,3 +136,5 @@ password_query = SELECT email AS user, password FROM virtual_users WHERE email =
 
 # Query to get a list of all usernames.
 #iterate_query = SELECT username AS user FROM users
+
+iterate_query = SELECT username, domain FROM virtual_users WHERE sendonly = false;

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -72,7 +72,7 @@ smtpd_recipient_restrictions =
   reject_non_fqdn_hostname,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
-  permit
+  check_recipient_access pgsql:/etc/postfix/pgsql-recipient-access.cf
 
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.

roles/mailserver/templates/etc_postfix_pgsql-recipient-access.cf.j2

@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT CASE WHEN sendonly = true THEN 'REJECT' ELSE 'OK' END AS access FROM virtual_users WHERE username = '%u' and domain = '%d';

roles/mailserver/templates/etc_postfix_pgsql-sender-login-maps.cf.j2

@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT concat(username, '@', domain) AS 'owns' FROM virtual_users WHERE username = '%u' AND domain = '%d' UNION SELECT destination AS 'owns' FROM virtual_aliases WHERE source = concat('%u', '@', '%d');

roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2

@@ -2,4 +2,4 @@ user = {{ mail_db_username }}
 password = {{ mail_db_password }}
 hosts = 127.0.0.1
 dbname = {{ mail_db_database }}
-query = SELECT 1 FROM virtual_users WHERE email='%s'
+query = SELECT 1 FROM virtual_users WHERE username = '%u' and domain = '%d'

roles/mailserver/templates/mailserver.sql.j2

@@ -14,44 +14,45 @@ CREATE UNIQUE INDEX name_idx ON virtual_domains (name);
 
 CREATE TABLE IF NOT EXISTS "virtual_users" (
         "id" SERIAL,
-        "domain_id" int NOT NULL,
+        "username" TEXT NOT NULL,
+        "domain" TEXT NOT NULL,
         "password" TEXT NOT NULL,
-        "email" TEXT NOT NULL UNIQUE,
-        PRIMARY KEY ("id"),
-        FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+        "sendonly" boolean DEFAULT FALSE,
+        PRIMARY KEY ("id")
 );
 
-
-CREATE UNIQUE INDEX email_idx ON virtual_users (email);
+CREATE UNIQUE INDEX email_idx ON virtual_users (username, domain);
 
 CREATE TABLE IF NOT EXISTS "virtual_aliases" (
         "id" SERIAL,
-        "domain_id" int NOT NULL,
         "source" TEXT NOT NULL,
         "destination" TEXT NOT NULL,
-        PRIMARY KEY ("id"),
-        FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+        PRIMARY KEY ("id")
 );
 
 CREATE INDEX source_idx ON virtual_aliases (source);
 
 {% for virtual_domain in virtual_domains %}
-INSERT INTO "virtual_domains" ("id", "name")
-        VALUES ('{{ virtual_domain.pk_id }}', '{{ virtual_domain.name }}');
+INSERT INTO "virtual_domains" ("name")
+        VALUES ('{{ virtual_domain.name }}');
 {% endfor %}
 
 {% for virtual_user in mail_virtual_users %}
-INSERT INTO "virtual_users"  ("domain_id", "password" , "email")
+INSERT INTO "virtual_users"  ("username", "domain", "password" , "sendonly")
 	VALUES (
-		'{{ virtual_user.domain_pk_id }}',
+		'{{ virtual_user.account }}',
+		'{{ virtual_user.domain }}',
 		'{{ virtual_user.password }}',
-		'{{ virtual_user.account }}@{{ virtual_user.domain }}'
+		'{{ virtual_user.sendonly }}'
 	);
 {% endfor %}
 
 {% if mail_virtual_aliases is defined %}
 {% for virtual_alias in mail_virtual_aliases %}
-INSERT INTO "virtual_aliases" ("domain_id", "source", "destination")
-    VALUES ('{{ virtual_alias.domain_pk_id }}', '{{ virtual_alias.source }}', '{{virtual_alias.destination }}');
+INSERT INTO "virtual_aliases" ("source", "destination")
+    VALUES (
+        '{{ virtual_alias.source }}',
+        '{{ virtual_alias.destination }}'
+    );
 {% endfor %}
 {% endif %}