software/dovecot: Updated

971b75ea · Justin · b5200bd7 · 971b75ea · 971b75ea · 971b75ea
Commit 971b75ea authored Jan 31, 2023 by Justin
12 changed files
--- a/software/dovecot/buildout.hash.cfg
+++ b/software/dovecot/buildout.hash.cfg
@@ -15,13 +15,28 @@

 [template]
 filename = instance.cfg.in
-md5sum = 8269f0e38474f8946720b4ed051fc875
+md5sum = 4fb2401a7e181c3b4ddd737917f58335

 [template-dovecot]
 filename = instance-dovecot.cfg.in
-md5sum = 7525cf6b67754d23ca147fb9fe669fa1
+md5sum = 16b3ba167f55e33233a393a42ff62873

 [template-postfix]
-filename = instance-postfix.cfg.in
-md5sum = 8f7bfca893a01c390df7a3dc9c2410e1
+filename = instance-postfix.cfg.jinja2.in
+md5sum = 19a0dd212ddc41ab971850d941db2111

+[template-postfix-master-cf]
+filename = postfix_master.cf.jinja2.in
+md5sum = ef164517e3f7170d03499967d625c3bb
+
+[template-postfix-main-cf]
+filename = postfix_main.cf.jinja2.in
+md5sum = e9f03c66627beb4054d45123450162d2
+
+[template-postfix-aliases]
+filename = postfix_aliases.jinja2.in
+md5sum = 0969fbb25b05c02ef3c2d437b2f4e1a0
+
+[template-dovecot-main-conf]
+filename = dovecot_main.conf.in
+md5sum = 446bfa9103220c74207baad1fb7bd8d2
--- a/software/dovecot/dovecot_main.conf.in
+++ b/software/dovecot/dovecot_main.conf.in
+## Dovecot configuration file
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+# A comma separated list of IPs or hosts where to listen in for connections.
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+listen = *, ::
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
--- a/software/dovecot/instance-dovecot-input-schema.json
+++ b/software/dovecot/instance-dovecot-input-schema.json
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "description": "",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "tcpv4-port": {
+      "allOf": [
+        {
+          "$ref": "./schemas-definitions.json#/tcpv4port"
+        },
+        {
+          "description": "Start allocating ports at this value, going upward"
+        }
+      ]
+    },
+    "postmaster": {
+      "description": "Mail address to send technical mails to. Non-empty value required for smptd relay service to be deployed. Values will be put in alias-dict as 'postmaster' key (alias-dict takes precedence)",
+      "default": "",
+      "type": "string"
+    },
+    "alias-dict": {
+      "description": "Mail alias support",
+      "default": {},
+      "patternProperties": {
+        ".*": {
+          "description": "List of addresses alias expands to",
+          "type": "array"
+        }
+      },
+      "type": "object"
+    },
+    "relay": {
+      "description": "Forward outgoing mails to a specific relay. If enabled, relay must support TLS-encrypted SASL authentication.",
+      "dependencies": {
+        "host": [
+          "sasl-credential"
+        ]
+      },
+      "properties": {
+        "host": {
+          "description": "Host name or address of relay, with optional port (ex: '[example.com]:submission'). Enclosing hostname with [] prevents MX lookup.",
+          "type": "string"
+        },
+        "sasl-credential": {
+          "description": "SASL credential, in the login:password form",
+          "type": "string"
+        }
+      },
+      "default": {},
+      "type": "object"
+    },
+    "divert": {
+      "description": "Intercept all mails and send them to given addresses instead of original recipient",
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "uniqueItems": true
+    }
+  }
+}
--- a/software/dovecot/instance-dovecot-output-schema.json
+++ b/software/dovecot/instance-dovecot-output-schema.json
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "description": "",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "tcpv4-port": {
+      "allOf": [
+        {
+          "$ref": "./schemas-definitions.json#/tcpv4port"
+        },
+        {
+          "description": "Start allocating ports at this value, going upward"
+        }
+      ]
+    },
+    "postmaster": {
+      "description": "Mail address to send technical mails to. Non-empty value required for smptd relay service to be deployed. Values will be put in alias-dict as 'postmaster' key (alias-dict takes precedence)",
+      "type": "string"
+    },
+    "alias-dict": {
+      "description": "Mail alias support",
+      "patternProperties": {
+        ".*": {
+          "description": "List of addresses alias expands to",
+          "type": "array"
+        }
+      },
+      "type": "object"
+    },
+    "relay": {
+      "description": "Forward outgoing mails to a specific relay. If enabled, relay must support TLS-encrypted SASL authentication.",
+      "dependencies": {
+        "host": [
+          "sasl-credential"
+        ]
+      },
+      "properties": {
+        "host": {
+          "description": "Host name or address of relay, with optional port (ex: '[example.com]:submission'). Enclosing hostname with [] prevents MX lookup.",
+          "type": "string"
+        },
+        "sasl-credential": {
+          "description": "SASL credential, in the login:password form",
+          "type": "string"
+        }
+      },
+      "default": {},
+      "type": "object"
+    },
+    "divert": {
+      "description": "Intercept all mails and send them to given addresses instead of original recipient",
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "uniqueItems": true
+    }
+  }
+}
--- a/software/dovecot/instance-dovecot.cfg.in
+++ b/software/dovecot/instance-dovecot.cfg.in
+[buildout]
+parts =
+extends =
+
 [dovecot-ssl]
 recipe = plone.recipe.command
 cert-file = $${directory:data}/cert.pem

--- a/software/dovecot/instance-postfix.cfg.in
+++ b/software/dovecot/instance-postfix.cfg.in
 {% set part_list = [] -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
-{% if slapparameter_dict['use-ipv6'] -%}
+{% if slapparameter_dict.get('use-ipv6', True) -%}
 {%   set ip = '[' ~ (ipv6_set | list)[0] ~ ']' -%}
 {% else -%}
 {%   set ip = (ipv4_set | list)[0] -%}
 {% endif -%}
-{% set tcpv4_port = slapparameter_dict['tcpv4-port'] -%}
+{% set tcpv4_port = slapparameter_dict.get('tcpv4-port', 2025) -%}
 {% set relay = slapparameter_dict.get('relay', {}) -%}
-{% set divert = slapparameter_dict.get('divert', []) -%}
 {% set alias_dict = slapparameter_dict.get('alias-dict', {}) -%}
-{% do alias_dict.setdefault('postmaster', [slapparameter_dict['postmaster']]) -%}
-{% set smtpd_sasl_user = slapparameter_dict['smtpd-sasl-user'] -%}
-{% set smtpd_sasl_password = slapparameter_dict['smtpd-sasl-password'] -%}
+{# do alias_dict.setdefault('postmaster', [slapparameter_dict['postmaster']]) -#}
+{% do alias_dict.setdefault('postmaster', [""]) -%}
+{# set smtpd_sasl_user = slapparameter_dict['smtpd-sasl-user'] -#}
+{% set smtpd_sasl_user = slapparameter_dict.get('smtpd-sasl-user', "vmail@nowhere") -%}
+{# set smtpd_sasl_password = slapparameter_dict['smtpd-sasl-password'] -#}
+{% set smtpd_sasl_password = slapparameter_dict.get('smtpd-sasl-password', "1234") -%}
 {% set milter_list = [] %}

 [jinja2-template-base]
@@ -23,39 +25,39 @@ storage-path =

 [{{ section('publish') }}]
 recipe = slapos.cookbook:publish.serialised
-url = {{ dumps('smtp://' ~ urllib.quote_plus(smtpd_sasl_user) ~ ':' ~ urllib.quote_plus(smtpd_sasl_password) ~ '@' ~ ip ~ ':' ~ tcpv4_port) }}
+url = {{ dumps('smtp://' ~ urllib.parse.quote_plus(smtpd_sasl_user) ~ ':' ~ urllib.parse.quote_plus(smtpd_sasl_password) ~ '@' ~ ip ~ ':' ~ tcpv4_port) }}

 [directory]
 recipe = slapos.cookbook:mkdirectory
-etc = ${buildout:directory}/etc
-plugin = ${:etc}/plugin
-etc-postfix = ${:etc}/postfix
-etc-cyrus = ${:etc}/cyrus
-run = ${:etc}/run
-bin = ${buildout:directory}/bin
-usr = ${buildout:directory}/usr
-srv = ${buildout:directory}/srv
-var = ${buildout:directory}/var
-var-log = ${:var}/log
-var-lib = ${:var}/lib
-var-lib-postfix = ${:var-lib}/postfix
-var-spool = ${:var}/spool
-var-spool-postfix = ${:var-spool}/postfix
+etc = $${buildout:directory}/etc
+plugin = $${:etc}/plugin
+etc-postfix = $${:etc}/postfix
+etc-cyrus = $${:etc}/cyrus
+run = $${:etc}/run
+bin = $${buildout:directory}/bin
+usr = $${buildout:directory}/usr
+srv = $${buildout:directory}/srv
+var = $${buildout:directory}/var
+var-log = $${:var}/log
+var-lib = $${:var}/lib
+var-lib-postfix = $${:var-lib}/postfix
+var-spool = $${:var}/spool
+var-spool-postfix = $${:var-spool}/postfix
 # Not used at buildout level, presence needed by postfix.
-var-spool-postfix-active = ${:var-spool-postfix}/active
-var-spool-postfix-bounce = ${:var-spool-postfix}/bounce
-var-spool-postfix-corrupt = ${:var-spool-postfix}/corrupt
-var-spool-postfix-defer = ${:var-spool-postfix}/defer
-var-spool-postfix-deferred = ${:var-spool-postfix}/deferred
-var-spool-postfix-flush = ${:var-spool-postfix}/flush
-var-spool-postfix-hold = ${:var-spool-postfix}/hold
-var-spool-postfix-incoming = ${:var-spool-postfix}/incoming
-var-spool-postfix-maildrop = ${:var-spool-postfix}/maildrop
-var-spool-postfix-pid = ${:var-spool-postfix}/pid
-var-spool-postfix-private = ${:var-spool-postfix}/private
-var-spool-postfix-public = ${:var-spool-postfix}/public
-var-spool-postfix-saved = ${:var-spool-postfix}/saved
-var-spool-postfix-trace = ${:var-spool-postfix}/trace
+var-spool-postfix-active = $${:var-spool-postfix}/active
+var-spool-postfix-bounce = $${:var-spool-postfix}/bounce
+var-spool-postfix-corrupt = $${:var-spool-postfix}/corrupt
+var-spool-postfix-defer = $${:var-spool-postfix}/defer
+var-spool-postfix-deferred = $${:var-spool-postfix}/deferred
+var-spool-postfix-flush = $${:var-spool-postfix}/flush
+var-spool-postfix-hold = $${:var-spool-postfix}/hold
+var-spool-postfix-incoming = $${:var-spool-postfix}/incoming
+var-spool-postfix-maildrop = $${:var-spool-postfix}/maildrop
+var-spool-postfix-pid = $${:var-spool-postfix}/pid
+var-spool-postfix-private = $${:var-spool-postfix}/private
+var-spool-postfix-public = $${:var-spool-postfix}/public
+var-spool-postfix-saved = $${:var-spool-postfix}/saved
+var-spool-postfix-trace = $${:var-spool-postfix}/trace

 # Used for ERP5 resiliency or (more probably)
 # webrunner resiliency with erp5 inside.
@@ -63,27 +65,7 @@ var-spool-postfix-trace = ${:var-spool-postfix}/trace
 # Generate rdiff exclude file
 recipe = slapos.recipe.template
 inline = {{ '{{ "**\\n" }}' }}
-output = ${directory:srv}/exporter.exclude
-
-{% if divert -%}
-{%   set milter_port = tcpv4_port + 1 -%}
-{%   set socket = 'inet:' ~ ip ~ ':' ~ milter_port -%}
-[{{ section('divert-milter') }}]
-recipe = slapos.cookbook:wrapper
-command-line =
-  '{{ parameter_dict['buildout-bin-directory'] }}/munnel'
-  --listen '{{ socket }}'
-  -- {{ ' '.join(divert) }}
-wrapper-path = ${directory:run}/munnel
-{%   do milter_list.append(socket) -%}
-
-[{{ section('munnel-promise') }}]
-<= monitor-promise-base
-promise = check_socket_listening
-name = munnel.py
-config-host = {{ ip }}
-config-port = {{ milter_port }}
-{% endif -%}
+output = $${directory:srv}/exporter.exclude

 [configuration]
 smtp = {{ dumps(tcpv4_port) }}
@@ -91,7 +73,7 @@ inet-interfaces = {{ dumps(ip) }}
 alias-dict = {{ dumps(alias_dict) }}
 relayhost = {{ dumps(relay.get('host')) }}
 relay-sasl-credential = {{ dumps(relay.get('sasl-credential')) }}
-cyrus-sasldb = ${directory:etc-cyrus}/postfix.gdbm
+cyrus-sasldb = $${directory:etc-cyrus}/postfix.gdbm
 milter-list = {{ dumps(milter_list) }}
 xz-utils-location = {{ dumps(parameter_dict['xz-utils-location']) }}

@@ -100,7 +82,7 @@ recipe = slapos.cookbook:userinfo

 [smtp-sasl-passwd]
 < = jinja2-template-base
-output = ${directory:etc-postfix}/sasl_passwd
+output = $${directory:etc-postfix}/sasl_passwd
 {% if relay -%}
 inline = {{ "{{ host }} {{ sasl_credential }}" }}
 {%- else -%}
@@ -112,7 +94,7 @@ context =

 [{{ section('cyrus-smtpd-conf') }}]
 < = jinja2-template-base
-output = ${directory:etc-cyrus}/smtpd.conf
+output = $${directory:etc-cyrus}/smtpd.conf
 inline =
    pwcheck_method: auxprop
    mech_list: PLAIN LOGIN
@@ -124,38 +106,38 @@ context =
 recipe = plone.recipe.command
 stop-on-error = true
 command =
-  rm -f '${configuration:cyrus-sasldb}' &&
-  echo '{{ smtpd_sasl_password }}' | '${wrapper-postfix-saslpasswd2:wrapper-path}' -pc '{{ smtpd_sasl_user }}'
-update-command = ${:command}
+  rm -f '$${configuration:cyrus-sasldb}' &&
+  echo '{{ smtpd_sasl_password }}' | '$${wrapper-postfix-saslpasswd2:wrapper-path}' -pc '{{ smtpd_sasl_user }}'
+update-command = $${:command}

 [smtpd-ssl]
 recipe = plone.recipe.command
 stop-on-error = true
 openssl = '{{ parameter_dict['openssl'] }}/bin/openssl'
-cert = ${directory:etc-postfix}/smtpd.crt
-key = ${directory:etc-postfix}/smtpd.pem
-dh-512 = ${directory:etc-postfix}/dh512.pem
-dh-2048 = ${directory:etc-postfix}/dh2048.pem
+cert = $${directory:etc-postfix}/smtpd.crt
+key = $${directory:etc-postfix}/smtpd.pem
+dh-512 = $${directory:etc-postfix}/dh512.pem
+dh-2048 = $${directory:etc-postfix}/dh2048.pem
 command =
-  ${:openssl} dhparam -out '${:dh-512}' 512 &&
-  ${:openssl} dhparam -out '${:dh-2048}' 2048 &&
-  ${:update}
+  $${:openssl} dhparam -out '$${:dh-512}' 512 &&
+  $${:openssl} dhparam -out '$${:dh-2048}' 2048 &&
+  $${:update}
 update =
-  ${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'
+  $${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '$${:key}' -out '$${:cert}'

 [{{ section('postfix-logrotate') }}]
 recipe = slapos.cookbook:cron.d
-cron-entries = ${cron:cron-entries}
+cron-entries = $${cron:cron-entries}
 name = postfix-logrotate
 frequency = 0 0 * * *
-command = ${directory:bin}/postfix logrotate
+command = $${directory:bin}/postfix logrotate

 [postfix-main-cf-parameter]
 postfix-location = {{ parameter_dict['postfix-location'] }}

 [{{ section('postfix-main-cf') }}]
 < = jinja2-template-base
-output = ${directory:etc-postfix}/main.cf
+output = $${directory:etc-postfix}/main.cf
 url = {{ parameter_dict['template-postfix-main-cf'] }}
 context =
    key bin_directory directory:bin
@@ -182,43 +164,43 @@ context =

 [{{ section('postfix-master-cf') }}]
 < = jinja2-template-base
-output = ${directory:etc-postfix}/master.cf
+output = $${directory:etc-postfix}/master.cf
 url = {{ parameter_dict['template-postfix-master-cf'] }}
 context = key smtp configuration:smtp

 [aliases]
 < = jinja2-template-base
 url = {{ parameter_dict['template-postfix-aliases'] }}
-output = ${directory:etc-postfix}/aliases
+output = $${directory:etc-postfix}/aliases
 context =
    key alias_dict configuration:alias-dict

 [typed-paths]
 # Postfix-friendly rendering of file paths, prefixed with database type.
-aliases = hash:${aliases:output}
-smtp-sasl-passwd = hash:${smtp-sasl-passwd:output}
+aliases = hash:$${aliases:output}
+smtp-sasl-passwd = hash:$${smtp-sasl-passwd:output}

 [{{ section('postalias-db') }}]
 recipe = plone.recipe.command
 stop-on-error = true
-command = '${wrapper-postalias:wrapper-path}' '${typed-paths:aliases}' '${typed-paths:smtp-sasl-passwd}'
-update-command = ${:command}
+command = '$${wrapper-postalias:wrapper-path}' '$${typed-paths:aliases}' '$${typed-paths:smtp-sasl-passwd}'
+update-command = $${:command}

 [wrapper-postfix-saslpasswd2]
 recipe = slapos.cookbook:wrapper
-command-line = '{{ parameter_dict['cyrus-sasl-location'] }}/sbin/saslpasswd2' -f '${configuration:cyrus-sasldb}'
-wrapper-path = ${directory:bin}/saslpasswd2
+command-line = '{{ parameter_dict['cyrus-sasl-location'] }}/sbin/saslpasswd2' -f '$${configuration:cyrus-sasldb}'
+wrapper-path = $${directory:bin}/saslpasswd2

 [base-wrapper]
 recipe = slapos.cookbook:wrapper
 environment =
-  MAIL_CONFIG=${directory:etc-postfix}
-  SASL_CONF_PATH=${directory:etc-cyrus}
+  MAIL_CONFIG=$${directory:etc-postfix}
+  SASL_CONF_PATH=$${directory:etc-cyrus}

 [base-bin-wrapper]
 < = base-wrapper
-command-line = ${:path}/${:basename}
-wrapper-path = ${directory:bin}/${:basename}
+command-line = $${:path}/$${:basename}
+wrapper-path = $${directory:bin}/$${:basename}

 [base-bin-bin-wrapper]
 < = base-bin-wrapper
@@ -264,36 +246,25 @@ basename = {{ basename }}

 [{{ section('postfix-symlinks-libexec') }}]
 recipe = slapos.cookbook:symbolic.link
-target-directory = ${directory:usr}
+target-directory = $${directory:usr}
 link-binary =
    {{ parameter_dict['postfix-location'] }}/usr/libexec

 [{{ section('service-postfix-master') }}]
 < = base-wrapper
-command-line = ${directory:usr}/libexec/postfix/master
-wrapper-path = ${directory:run}/postfix-master
-
-[{{ section('postfix-promise') }}]
-<= monitor-promise-base
-promise = check_socket_listening
-name = postfix.py
-config-host = {{ ip }}
-config-port = {{ tcpv4_port }}
-
-[{{ section('promise-check-computer-memory') }}]
-<= monitor-promise-base
-promise = check_command_execute
-name = check-computer-memory.py
-config-command = "{{ parameter_dict["check-computer-memory-binary"] }}" -db ${monitor-instance-parameter:collector-db} --threshold "{{ slapparameter_dict["computer-memory-percent-threshold"] }}" --unit percent
+command-line = $${directory:usr}/libexec/postfix/master
+wrapper-path = $${directory:run}/postfix-master

 [monitor-instance-parameter]
 monitor-httpd-ipv6 = {{ (ipv6_set | list)[0] }}
 monitor-httpd-port = {{ tcpv4_port + 2 }}
-monitor-title = {{ slapparameter_dict['name'] }}
-password = {{ slapparameter_dict['monitor-passwd'] }}
+monitor-title = {{ slapparameter_dict.get('name', "Dovecot") }}
+password = {{ slapparameter_dict.get('monitor-passwd', "pwd") }}

 [buildout]
 extends =
    {{ template_monitor }}
 parts =
    {{ part_list | join('\n  ') }}
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
--- a/software/dovecot/instance.cfg.in
+++ b/software/dovecot/instance.cfg.in
 [buildout]
 parts =
-#   publish-connection-parameter
-# extends = {{ template_monitor }}
+  switch-softwaretype

 eggs-directory = ${buildout:eggs-directory}
 develop-eggs-directory = ${buildout:develop-eggs-directory}
 offline = true

+
 [default-dynamic-template-parameters]
-bin-directory = {{ bin_directory }}
-buildout-bin-directory = {{ buildout_bin_directory }}
+bin-directory = ${buildout:bin-directory}
+buildout-bin-directory = ${buildout:bin-directory}

 [dynamic-template-postfix-parameters]
 <= default-dynamic-template-parameters
-openssl = {{ openssl_location }}
-postfix-location = {{ postfix_location }}
-
-
+cyrus-sasl-location = ${cyrus-sasl:location}
+openssl = ${openssl:location}
+postfix-location = ${postfix:location}
+template-postfix-aliases = ${template-postfix-aliases:target}
+template-postfix-main-cf = ${template-postfix-main-cf:target}
+template-postfix-master-cf = ${template-postfix-master-cf:target}
+xz-utils-location =  ${xz-utils:location}

 [dynamic-template-postfix]
-< = jinja2-template-base
-url = {{ template_postfix }}
+recipe = slapos.recipe.template:jinja2
+url = ${template-postfix:output}
 filename = instance-postfix.cfg
+output = ${buildout:directory}/${:filename}
 extensions = jinja2.ext.do
-extra-context =
-    section parameter_dict dynamic-template-postfix-parameters
+context =
    import urllib urllib
-
-
-# [publish-connection-parameter]
-# recipe = slapos.cookbook:publish
-# <= monitor-publish
-
+    section parameter_dict dynamic-template-postfix-parameters
+    key slapparameter_dict slap-configuration:configuration
+    key ipv6_set slap-configuration:ipv6
+    raw template_monitor ${monitor2-template:output}

 [slap-configuration]
-recipe = slapos.cookbook:slapconfiguration
+recipe = slapos.cookbook:slapconfiguration.serialised
 computer = $${slap-connection:computer-id}
 partition = $${slap-connection:partition-id}
 url = $${slap-connection:server-url}
 key = $${slap-connection:key-file}
 cert = $${slap-connection:cert-file}

-# [directory]
-# recipe = slapos.cookbook:mkdirectory
-# etc = $${buildout:directory}/etc
-# var = $${buildout:directory}/var
-# srv = $${buildout:directory}/srv
-# bin = $${buildout:directory}/bin
-# tmp = $${buildout:directory}/tmp
-# run = $${:var}/run
-
-# services   = $${:etc}/service
-# data       = $${:srv}/data
-# groups     = $${:srv}/groups
-# recordings = $${:srv}/recordings
-
-
-
-
-# cyrus-sasl-location = {{ cyrus_sasl_location }}
-# template-postfix-aliases = {{ template_postfix_aliases }}
-# template-postfix-main-cf = {{ template_postfix_main_cf }}
-# template-postfix-master-cf = {{ template_postfix_master_cf }}
-# xz-utils-location =  {{ xz_utils_location }}
+[switch-softwaretype]
+recipe = slapos.cookbook:switch-softwaretype
+default = dynamic-template-postfix:output
+RootSoftwareInstance = $${:default}
--- a/software/dovecot/postfix_aliases.jinja2.in
+++ b/software/dovecot/postfix_aliases.jinja2.in
+# See http://www.postfix.org/aliases.5.html for format
+{% for name, alias_list in alias_dict.items() -%}
+{{ name }}: {{ alias_list | join(', ') }}
+{% endfor %}
--- a/software/dovecot/postfix_main.cf.jinja2.in
+++ b/software/dovecot/postfix_main.cf.jinja2.in
+# http://www.postfix.org/STANDARD_CONFIGURATION_README.html
+# http://www.postfix.org/postconf.5.html
+queue_directory = {{ queue_directory }}
+command_directory = {{ bin_directory }}
+daemon_directory = {{ usr_directory }}/libexec/postfix
+data_directory = {{ data_directory }}
+mail_owner = {{ mail_owner }}
+alias_maps = {{ aliases }}
+alias_database = {{ aliases }}
+mail_spool_directory = {{ spool_directory }}
+sendmail_path = {{ bin_directory }}/sendmail
+newaliases_path = {{ bin_directory }}/newaliases
+mailq_path = {{ bin_directory }}/mailq
+setgid_group = {{ setgid_group }}
+html_directory = no
+manpage_directory = {{ postfix_location }}/usr/local/man
+sample_directory = {{ postfix_location }}/etc/postfix
+readme_directory = no
+inet_interfaces = {{ inet_interfaces }}
+smtp_bind_address = 0.0.0.0
+smtp_bind_address6 = ::
+compatibility_level = 3.6
+smtputf8_enable = no
+
+# Compared to default:
+# - remove X-related variables, irrelevant for slapos, to be concise
+# - add SASL_CONF_PATH to have per-partition cyrus-sasl configuration
+import_environment =
+  MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
+  SASL_CONF_PATH
+
+# Mandatory sasl auth over TLS
+# XXX: no man-in-the-middle protection
+smtpd_tls_cert_file = {{ cert }}
+smtpd_tls_key_file = {{ key }}
+smtpd_tls_dh512_param_file = {{ dh_512 }}
+{#
+  Note: 1024 vs. 2048 is not a typo, but what is actually recommended in
+  postfix documentation
+-#}
+smtpd_tls_dh1024_param_file = {{ dh_2048 }}
+
+smtpd_tls_security_level = encrypt
+smtpd_sasl_auth_enable = yes
+# Reject as many bogus cases as soon as possible, so errors are visible to ERP5
+# developper rather than relying on bounces.
+smtpd_recipient_restrictions =
+  reject_non_fqdn_recipient
+  reject_unknown_recipient_domain
+  permit_sasl_authenticated
+  reject
+# Do not allow mynetworks to send mails, only authenticated clients.
+smtpd_relay_restrictions =
+  permit_sasl_authenticated
+  defer_unauth_destination
+
+# We do not pass mail address in command lines, so accept those starting with
+# a dash.
+allow_min_user = yes
+
+# Disable local delivery
+local_transport = error
+
+smtpd_milters ={{ '\n  '.join(milter_list) }}
+
+{% if relayhost -%}
+relayhost = {{ relayhost }}
+smtp_tls_security_level = encrypt
+smtp_tls_session_cache_database = btree:{{ data_directory }}/smtp_scache
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = {{ sasl_passwd }}
+smtp_sasl_tls_security_options = noanonymous
+{%- endif %}
+
+maillog_file = {{ log_directory }}/postfix.log
+maillog_file_compressor = {{ xz_utils_location }}/bin/xz
+maillog_file_prefixes = {{ log_directory }}
--- a/software/dovecot/postfix_master.cf.jinja2.in
+++ b/software/dovecot/postfix_master.cf.jinja2.in
+# http://www.postfix.org/master.5.html
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+{{ smtp }}      inet  n       -       n       -       -       smtpd
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
--- a/software/dovecot/software.cfg
+++ b/software/dovecot/software.cfg
 [buildout]
 extends =
-  ../../component/openssl/buildout.cfg
-  ../../component/python3/buildout.cfg
+  ../../component/xz-utils/buildout.cfg
  ../../component/postfix/buildout.cfg
  ../../stack/monitor/buildout.cfg
  ../../stack/slapos.cfg
  buildout.hash.cfg

-parts +=
+parts =
  slapos-cookbook
  dovecot
  template
-  eggs
-
-[eggs]
-recipe = zc.recipe.egg
-eggs +=
-  plone.recipe.command
-  collective.recipe.template
-scripts =

 [dovecot]
 recipe = slapos.recipe.cmmi
 url = https://dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz
 location = @@LOCATION@@
-# md5sum = 4340e59915605e30dcdb70aa9eb06acb
 configure-command = ./configure
 configure-options =
  --prefix=${:location}
@@ -35,15 +25,6 @@ post-install = cp -r ${:location}/share/doc/dovecot/example-config/* ${:location
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/${:filename}
 output = ${buildout:directory}/template.cfg
-context =
-  key template_postfix template-postfix:target
-  key template_dovecot template-dovecot:target
-  key bin_directory buildout:bin-directory
-  key buildout_bin_directory buildout:bin-directory
-  key postfix_location postfix:location
-  key openssl_location openssl:location
-  raw openssl_bin ${openssl:location}/bin/openssl
-  raw template_monitor ${monitor2-template:output}

 [download-base]
 recipe = slapos.recipe.build:download
@@ -53,4 +34,19 @@ url = ${:_profile_base_location_}/${:filename}
 <=download-base

 [template-postfix]
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/${:filename}
+output = ${buildout:directory}/instance-postfix.cfg.jinja2
+
+[template-postfix-master-cf]
+< = download-base
+
+[template-postfix-main-cf]
 < = download-base
+
+[template-postfix-aliases]
+< = download-base
+
+[template-dovecot-main-conf]
+< = download-base
+
--- a/software/dovecot/software.cfg.json
+++ b/software/dovecot/software.cfg.json
+{
+  "name": "ERP5",
+  "description": "ERP5, Open-Source ERP",
+  "serialisation": "json-in-xml",
+  "software-type": {
+    "default": {
+      "title": "Default",
+      "software-type": "default",
+      "request": "instance-dovecot-input-schema.json",
+      "response": "instance-dovecot-output-schema.json",
+      "index": 0
+    }
+  }
+}