]> git.proxmox.com Git - pmg-api.git/blob - PMG/Config.pm
projects / pmg-api.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
pmg_verify_tls_policy: improve regex
[pmg-api.git] / PMG / Config.pm
1 package PMG::Config::Base;
2
3 use strict;
4 use warnings;
5 use URI;
6 use Data::Dumper;
7
8 use PVE::Tools;
9 use PVE::JSONSchema qw(get_standard_option);
10 use PVE::SectionConfig;
11
12 use base qw(PVE::SectionConfig);
13
14 my $defaultData = {
15 propertyList => {
16 type => { description => "Section type." },
17 section => {
18 description => "Secion ID.",
19 type => 'string', format => 'pve-configid',
20 },
21 },
22 };
23
24 sub private {
25 return $defaultData;
26 }
27
28 sub format_section_header {
29 my ($class, $type, $sectionId) = @_;
30
31 die "internal error ($type ne $sectionId)" if $type ne $sectionId;
32
33 return "section: $type\n";
34 }
35
36
37 sub parse_section_header {
38 my ($class, $line) = @_;
39
40 if ($line =~ m/^section:\s*(\S+)\s*$/) {
41 my $section = $1;
42 my $errmsg = undef; # set if you want to skip whole section
43 eval { PVE::JSONSchema::pve_verify_configid($section); };
44 $errmsg = $@ if $@;
45 my $config = {}; # to return additional attributes
46 return ($section, $section, $errmsg, $config);
47 }
48 return undef;
49 }
50
51 package PMG::Config::Admin;
52
53 use strict;
54 use warnings;
55
56 use base qw(PMG::Config::Base);
57
58 sub type {
59 return 'admin';
60 }
61
62 sub properties {
63 return {
64 advfilter => {
65 description => "Use advanced filters for statistic.",
66 type => 'boolean',
67 default => 1,
68 },
69 dailyreport => {
70 description => "Send daily reports.",
71 type => 'boolean',
72 default => 1,
73 },
74 statlifetime => {
75 description => "User Statistics Lifetime (days)",
76 type => 'integer',
77 default => 7,
78 minimum => 1,
79 },
80 demo => {
81 description => "Demo mode - do not start SMTP filter.",
82 type => 'boolean',
83 default => 0,
84 },
85 email => {
86 description => "Administrator E-Mail address.",
87 type => 'string', format => 'email',
88 default => 'admin@domain.tld',
89 },
90 http_proxy => {
91 description => "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
92 type => 'string',
93 pattern => "http://.*",
94 },
95 avast => {
96 description => "Use Avast Virus Scanner (/bin/scan). You need to buy and install 'Avast Core Security' before you can enable this feature.",
97 type => 'boolean',
98 default => 0,
99 },
100 clamav => {
101 description => "Use ClamAV Virus Scanner. This is the default virus scanner and is enabled by default.",
102 type => 'boolean',
103 default => 1,
104 },
105 };
106 }
107
108 sub options {
109 return {
110 advfilter => { optional => 1 },
111 avast => { optional => 1 },
112 clamav => { optional => 1 },
113 statlifetime => { optional => 1 },
114 dailyreport => { optional => 1 },
115 demo => { optional => 1 },
116 email => { optional => 1 },
117 http_proxy => { optional => 1 },
118 };
119 }
120
121 package PMG::Config::Spam;
122
123 use strict;
124 use warnings;
125
126 use base qw(PMG::Config::Base);
127
128 sub type {
129 return 'spam';
130 }
131
132 sub properties {
133 return {
134 languages => {
135 description => "This option is used to specify which languages are considered OK for incoming mail.",
136 type => 'string',
137 pattern => '(all|([a-z][a-z])+( ([a-z][a-z])+)*)',
138 default => 'all',
139 },
140 use_bayes => {
141 description => "Whether to use the naive-Bayesian-style classifier.",
142 type => 'boolean',
143 default => 1,
144 },
145 use_awl => {
146 description => "Use the Auto-Whitelist plugin.",
147 type => 'boolean',
148 default => 1,
149 },
150 use_razor => {
151 description => "Whether to use Razor2, if it is available.",
152 type => 'boolean',
153 default => 1,
154 },
155 wl_bounce_relays => {
156 description => "Whitelist legitimate bounce relays.",
157 type => 'string',
158 },
159 clamav_heuristic_score => {
160 description => "Score for ClamaAV heuristics (Google Safe Browsing database, PhishingScanURLs, ...).",
161 type => 'integer',
162 minimum => 0,
163 maximum => 1000,
164 default => 3,
165 },
166 bounce_score => {
167 description => "Additional score for bounce mails.",
168 type => 'integer',
169 minimum => 0,
170 maximum => 1000,
171 default => 0,
172 },
173 rbl_checks => {
174 description => "Enable real time blacklists (RBL) checks.",
175 type => 'boolean',
176 default => 1,
177 },
178 maxspamsize => {
179 description => "Maximum size of spam messages in bytes.",
180 type => 'integer',
181 minimum => 64,
182 default => 256*1024,
183 },
184 };
185 }
186
187 sub options {
188 return {
189 use_awl => { optional => 1 },
190 use_razor => { optional => 1 },
191 wl_bounce_relays => { optional => 1 },
192 languages => { optional => 1 },
193 use_bayes => { optional => 1 },
194 clamav_heuristic_score => { optional => 1 },
195 bounce_score => { optional => 1 },
196 rbl_checks => { optional => 1 },
197 maxspamsize => { optional => 1 },
198 };
199 }
200
201 package PMG::Config::SpamQuarantine;
202
203 use strict;
204 use warnings;
205
206 use base qw(PMG::Config::Base);
207
208 sub type {
209 return 'spamquar';
210 }
211
212 sub properties {
213 return {
214 lifetime => {
215 description => "Quarantine life time (days)",
216 type => 'integer',
217 minimum => 1,
218 default => 7,
219 },
220 authmode => {
221 description => "Authentication mode to access the quarantine interface. Mode 'ticket' allows login using tickets sent with the daily spam report. Mode 'ldap' requires to login using an LDAP account. Finally, mode 'ldapticket' allows both ways.",
222 type => 'string',
223 enum => [qw(ticket ldap ldapticket)],
224 default => 'ticket',
225 },
226 reportstyle => {
227 description => "Spam report style.",
228 type => 'string',
229 enum => [qw(none short verbose custom)],
230 default => 'verbose',
231 },
232 viewimages => {
233 description => "Allow to view images.",
234 type => 'boolean',
235 default => 1,
236 },
237 allowhrefs => {
238 description => "Allow to view hyperlinks.",
239 type => 'boolean',
240 default => 1,
241 },
242 hostname => {
243 description => "Quarantine Host. Useful if you run a Cluster and want users to connect to a specific host.",
244 type => 'string', format => 'address',
245 },
246 port => {
247 description => "Quarantine Port. Useful if you have a reverse proxy or port forwarding for the webinterface. Only used for the generated Spam report.",
248 type => 'integer',
249 minimum => 1,
250 maximum => 65535,
251 default => 8006,
252 },
253 protocol => {
254 description => "Quarantine Webinterface Protocol. Useful if you have a reverse proxy for the webinterface. Only used for the generated Spam report.",
255 type => 'string',
256 enum => [qw(http https)],
257 default => 'https',
258 },
259 mailfrom => {
260 description => "Text for 'From' header in daily spam report mails.",
261 type => 'string',
262 },
263 };
264 }
265
266 sub options {
267 return {
268 mailfrom => { optional => 1 },
269 hostname => { optional => 1 },
270 lifetime => { optional => 1 },
271 authmode => { optional => 1 },
272 reportstyle => { optional => 1 },
273 viewimages => { optional => 1 },
274 allowhrefs => { optional => 1 },
275 port => { optional => 1 },
276 protocol => { optional => 1 },
277 };
278 }
279
280 package PMG::Config::VirusQuarantine;
281
282 use strict;
283 use warnings;
284
285 use base qw(PMG::Config::Base);
286
287 sub type {
288 return 'virusquar';
289 }
290
291 sub properties {
292 return {};
293 }
294
295 sub options {
296 return {
297 lifetime => { optional => 1 },
298 viewimages => { optional => 1 },
299 allowhrefs => { optional => 1 },
300 };
301 }
302
303 package PMG::Config::ClamAV;
304
305 use strict;
306 use warnings;
307
308 use base qw(PMG::Config::Base);
309
310 sub type {
311 return 'clamav';
312 }
313
314 sub properties {
315 return {
316 dbmirror => {
317 description => "ClamAV database mirror server.",
318 type => 'string',
319 default => 'database.clamav.net',
320 },
321 archiveblockencrypted => {
322 description => "Wether to block encrypted archives. Mark encrypted archives as viruses.",
323 type => 'boolean',
324 default => 0,
325 },
326 archivemaxrec => {
327 description => "Nested archives are scanned recursively, e.g. if a ZIP archive contains a TAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. Warning: setting this limit too high may result in severe damage to the system.",
328 type => 'integer',
329 minimum => 1,
330 default => 5,
331 },
332 archivemaxfiles => {
333 description => "Number of files to be scanned within an archive, a document, or any other kind of container. Warning: disabling this limit or setting it too high may result in severe damage to the system.",
334 type => 'integer',
335 minimum => 0,
336 default => 1000,
337 },
338 archivemaxsize => {
339 description => "Files larger than this limit won't be scanned.",
340 type => 'integer',
341 minimum => 1000000,
342 default => 25000000,
343 },
344 maxscansize => {
345 description => "Sets the maximum amount of data to be scanned for each input file.",
346 type => 'integer',
347 minimum => 1000000,
348 default => 100000000,
349 },
350 maxcccount => {
351 description => "This option sets the lowest number of Credit Card or Social Security numbers found in a file to generate a detect.",
352 type => 'integer',
353 minimum => 0,
354 default => 0,
355 },
356 safebrowsing => {
357 description => "Enables support for Google Safe Browsing.",
358 type => 'boolean',
359 default => 1
360 },
361 };
362 }
363
364 sub options {
365 return {
366 archiveblockencrypted => { optional => 1 },
367 archivemaxrec => { optional => 1 },
368 archivemaxfiles => { optional => 1 },
369 archivemaxsize => { optional => 1 },
370 maxscansize => { optional => 1 },
371 dbmirror => { optional => 1 },
372 maxcccount => { optional => 1 },
373 safebrowsing => { optional => 1 },
374 };
375 }
376
377 package PMG::Config::Mail;
378
379 use strict;
380 use warnings;
381
382 use PVE::ProcFSTools;
383
384 use base qw(PMG::Config::Base);
385
386 sub type {
387 return 'mail';
388 }
389
390 my $physicalmem = 0;
391 sub physical_memory {
392
393 return $physicalmem if $physicalmem;
394
395 my $info = PVE::ProcFSTools::read_meminfo();
396 my $total = int($info->{memtotal} / (1024*1024));
397
398 return $total;
399 }
400
401 sub get_max_filters {
402 # estimate optimal number of filter servers
403
404 my $max_servers = 5;
405 my $servermem = 120;
406 my $memory = physical_memory();
407 my $add_servers = int(($memory - 512)/$servermem);
408 $max_servers += $add_servers if $add_servers > 0;
409 $max_servers = 40 if $max_servers > 40;
410
411 return $max_servers - 2;
412 }
413
414 sub get_max_smtpd {
415 # estimate optimal number of smtpd daemons
416
417 my $max_servers = 25;
418 my $servermem = 20;
419 my $memory = physical_memory();
420 my $add_servers = int(($memory - 512)/$servermem);
421 $max_servers += $add_servers if $add_servers > 0;
422 $max_servers = 100 if $max_servers > 100;
423 return $max_servers;
424 }
425
426 sub get_max_policy {
427 # estimate optimal number of proxpolicy servers
428 my $max_servers = 2;
429 my $memory = physical_memory();
430 $max_servers = 5 if $memory >= 500;
431 return $max_servers;
432 }
433
434 sub properties {
435 return {
436 int_port => {
437 description => "SMTP port number for outgoing mail (trusted).",
438 type => 'integer',
439 minimum => 1,
440 maximum => 65535,
441 default => 26,
442 },
443 ext_port => {
444 description => "SMTP port number for incoming mail (untrusted). This must be a different number than 'int_port'.",
445 type => 'integer',
446 minimum => 1,
447 maximum => 65535,
448 default => 25,
449 },
450 relay => {
451 description => "The default mail delivery transport (incoming mails).",
452 type => 'string', format => 'address',
453 },
454 relayport => {
455 description => "SMTP port number for relay host.",
456 type => 'integer',
457 minimum => 1,
458 maximum => 65535,
459 default => 25,
460 },
461 relaynomx => {
462 description => "Disable MX lookups for default relay.",
463 type => 'boolean',
464 default => 0,
465 },
466 smarthost => {
467 description => "When set, all outgoing mails are deliverd to the specified smarthost.",
468 type => 'string', format => 'address',
469 },
470 smarthostport => {
471 description => "SMTP port number for smarthost.",
472 type => 'integer',
473 minimum => 1,
474 maximum => 65535,
475 default => 25,
476 },
477 banner => {
478 description => "ESMTP banner.",
479 type => 'string',
480 maxLength => 1024,
481 default => 'ESMTP Proxmox',
482 },
483 max_filters => {
484 description => "Maximum number of pmg-smtp-filter processes.",
485 type => 'integer',
486 minimum => 3,
487 maximum => 40,
488 default => get_max_filters(),
489 },
490 max_policy => {
491 description => "Maximum number of pmgpolicy processes.",
492 type => 'integer',
493 minimum => 2,
494 maximum => 10,
495 default => get_max_policy(),
496 },
497 max_smtpd_in => {
498 description => "Maximum number of SMTP daemon processes (in).",
499 type => 'integer',
500 minimum => 3,
501 maximum => 100,
502 default => get_max_smtpd(),
503 },
504 max_smtpd_out => {
505 description => "Maximum number of SMTP daemon processes (out).",
506 type => 'integer',
507 minimum => 3,
508 maximum => 100,
509 default => get_max_smtpd(),
510 },
511 conn_count_limit => {
512 description => "How many simultaneous connections any client is allowed to make to this service. To disable this feature, specify a limit of 0.",
513 type => 'integer',
514 minimum => 0,
515 default => 50,
516 },
517 conn_rate_limit => {
518 description => "The maximal number of connection attempts any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.",
519 type => 'integer',
520 minimum => 0,
521 default => 0,
522 },
523 message_rate_limit => {
524 description => "The maximal number of message delivery requests that any client is allowed to make to this service per minute.To disable this feature, specify a limit of 0.",
525 type => 'integer',
526 minimum => 0,
527 default => 0,
528 },
529 hide_received => {
530 description => "Hide received header in outgoing mails.",
531 type => 'boolean',
532 default => 0,
533 },
534 maxsize => {
535 description => "Maximum email size. Larger mails are rejected.",
536 type => 'integer',
537 minimum => 1024,
538 default => 1024*1024*10,
539 },
540 dwarning => {
541 description => "SMTP delay warning time (in hours).",
542 type => 'integer',
543 minimum => 0,
544 default => 4,
545 },
546 tls => {
547 description => "Enable TLS.",
548 type => 'boolean',
549 default => 0,
550 },
551 tlslog => {
552 description => "Enable TLS Logging.",
553 type => 'boolean',
554 default => 0,
555 },
556 tlsheader => {
557 description => "Add TLS received header.",
558 type => 'boolean',
559 default => 0,
560 },
561 spf => {
562 description => "Use Sender Policy Framework.",
563 type => 'boolean',
564 default => 1,
565 },
566 greylist => {
567 description => "Use Greylisting.",
568 type => 'boolean',
569 default => 1,
570 },
571 helotests => {
572 description => "Use SMTP HELO tests.",
573 type => 'boolean',
574 default => 0,
575 },
576 rejectunknown => {
577 description => "Reject unknown clients.",
578 type => 'boolean',
579 default => 0,
580 },
581 rejectunknownsender => {
582 description => "Reject unknown senders.",
583 type => 'boolean',
584 default => 0,
585 },
586 verifyreceivers => {
587 description => "Enable receiver verification. The value spefifies the numerical reply code when the Postfix SMTP server rejects a recipient address.",
588 type => 'string',
589 enum => ['450', '550'],
590 },
591 dnsbl_sites => {
592 description => "Optional list of DNS white/blacklist domains (see postscreen_dnsbl_sites parameter).",
593 type => 'string', format => 'dnsbl-entry-list',
594 },
595 dnsbl_threshold => {
596 description => "The inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score (see postscreen_dnsbl_threshold parameter).",
597 type => 'integer',
598 minimum => 0,
599 default => 1
600 },
601 };
602 }
603
604 sub options {
605 return {
606 int_port => { optional => 1 },
607 ext_port => { optional => 1 },
608 smarthost => { optional => 1 },
609 smarthostport => { optional => 1 },
610 relay => { optional => 1 },
611 relayport => { optional => 1 },
612 relaynomx => { optional => 1 },
613 dwarning => { optional => 1 },
614 max_smtpd_in => { optional => 1 },
615 max_smtpd_out => { optional => 1 },
616 greylist => { optional => 1 },
617 helotests => { optional => 1 },
618 tls => { optional => 1 },
619 tlslog => { optional => 1 },
620 tlsheader => { optional => 1 },
621 spf => { optional => 1 },
622 maxsize => { optional => 1 },
623 banner => { optional => 1 },
624 max_filters => { optional => 1 },
625 max_policy => { optional => 1 },
626 hide_received => { optional => 1 },
627 rejectunknown => { optional => 1 },
628 rejectunknownsender => { optional => 1 },
629 conn_count_limit => { optional => 1 },
630 conn_rate_limit => { optional => 1 },
631 message_rate_limit => { optional => 1 },
632 verifyreceivers => { optional => 1 },
633 dnsbl_sites => { optional => 1 },
634 dnsbl_threshold => { optional => 1 },
635 };
636 }
637
638 package PMG::Config;
639
640 use strict;
641 use warnings;
642 use IO::File;
643 use Data::Dumper;
644 use Template;
645
646 use PVE::SafeSyslog;
647 use PVE::Tools qw($IPV4RE $IPV6RE);
648 use PVE::INotify;
649 use PVE::JSONSchema;
650
651 use PMG::Cluster;
652
653 PMG::Config::Admin->register();
654 PMG::Config::Mail->register();
655 PMG::Config::SpamQuarantine->register();
656 PMG::Config::VirusQuarantine->register();
657 PMG::Config::Spam->register();
658 PMG::Config::ClamAV->register();
659
660 # initialize all plugins
661 PMG::Config::Base->init();
662
663 PVE::JSONSchema::register_format(
664 'transport-domain', \&pmg_verify_transport_domain);
665
666 sub pmg_verify_transport_domain {
667 my ($name, $noerr) = @_;
668
669 # like dns-name, but can contain leading dot
670 my $namere = "([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)";
671
672 if ($name !~ /^\.?(${namere}\.)*${namere}$/) {
673 return undef if $noerr;
674 die "value does not look like a valid transport domain\n";
675 }
676 return $name;
677 }
678
679 PVE::JSONSchema::register_format(
680 'transport-domain-or-email', \&pmg_verify_transport_domain_or_email);
681
682 sub pmg_verify_transport_domain_or_email {
683 my ($name, $noerr) = @_;
684
685 my $namere = "([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)";
686
687 # email address
688 if ($name =~ m/^(?:[^\s\/\@]+\@)(${namere}\.)*${namere}$/) {
689 return $name;
690 }
691
692 # like dns-name, but can contain leading dot
693 if ($name !~ /^\.?(${namere}\.)*${namere}$/) {
694 return undef if $noerr;
695 die "value does not look like a valid transport domain or email address\n";
696 }
697 return $name;
698 }
699
700 PVE::JSONSchema::register_format(
701 'dnsbl-entry', \&pmg_verify_dnsbl_entry);
702
703 sub pmg_verify_dnsbl_entry {
704 my ($name, $noerr) = @_;
705
706 # like dns-name, but can contain trailing weight: 'domain*<WEIGHT>'
707 my $namere = "([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)";
708
709 if ($name !~ /^(${namere}\.)*${namere}(\*\-?\d+)?$/) {
710 return undef if $noerr;
711 die "value '$name' does not look like a valid dnsbl entry\n";
712 }
713 return $name;
714 }
715
716 sub new {
717 my ($type) = @_;
718
719 my $class = ref($type) || $type;
720
721 my $cfg = PVE::INotify::read_file("pmg.conf");
722
723 return bless $cfg, $class;
724 }
725
726 sub write {
727 my ($self) = @_;
728
729 PVE::INotify::write_file("pmg.conf", $self);
730 }
731
732 my $lockfile = "/var/lock/pmgconfig.lck";
733
734 sub lock_config {
735 my ($code, $errmsg) = @_;
736
737 my $p = PVE::Tools::lock_file($lockfile, undef, $code);
738 if (my $err = $@) {
739 $errmsg ? die "$errmsg: $err" : die $err;
740 }
741 }
742
743 # set section values
744 sub set {
745 my ($self, $section, $key, $value) = @_;
746
747 my $pdata = PMG::Config::Base->private();
748
749 my $plugin = $pdata->{plugins}->{$section};
750 die "no such section '$section'" if !$plugin;
751
752 if (defined($value)) {
753 my $tmp = PMG::Config::Base->check_value($section, $key, $value, $section, 0);
754 $self->{ids}->{$section} = { type => $section } if !defined($self->{ids}->{$section});
755 $self->{ids}->{$section}->{$key} = PMG::Config::Base->decode_value($section, $key, $tmp);
756 } else {
757 if (defined($self->{ids}->{$section})) {
758 delete $self->{ids}->{$section}->{$key};
759 }
760 }
761
762 return undef;
763 }
764
765 # get section value or default
766 sub get {
767 my ($self, $section, $key, $nodefault) = @_;
768
769 my $pdata = PMG::Config::Base->private();
770 my $pdesc = $pdata->{propertyList}->{$key};
771 die "no such property '$section/$key'\n"
772 if !(defined($pdesc) && defined($pdata->{options}->{$section}) &&
773 defined($pdata->{options}->{$section}->{$key}));
774
775 if (defined($self->{ids}->{$section}) &&
776 defined(my $value = $self->{ids}->{$section}->{$key})) {
777 return $value;
778 }
779
780 return undef if $nodefault;
781
782 return $pdesc->{default};
783 }
784
785 # get a whole section with default value
786 sub get_section {
787 my ($self, $section) = @_;
788
789 my $pdata = PMG::Config::Base->private();
790 return undef if !defined($pdata->{options}->{$section});
791
792 my $res = {};
793
794 foreach my $key (keys %{$pdata->{options}->{$section}}) {
795
796 my $pdesc = $pdata->{propertyList}->{$key};
797
798 if (defined($self->{ids}->{$section}) &&
799 defined(my $value = $self->{ids}->{$section}->{$key})) {
800 $res->{$key} = $value;
801 next;
802 }
803 $res->{$key} = $pdesc->{default};
804 }
805
806 return $res;
807 }
808
809 # get a whole config with default values
810 sub get_config {
811 my ($self) = @_;
812
813 my $pdata = PMG::Config::Base->private();
814
815 my $res = {};
816
817 foreach my $type (keys %{$pdata->{plugins}}) {
818 my $plugin = $pdata->{plugins}->{$type};
819 $res->{$type} = $self->get_section($type);
820 }
821
822 return $res;
823 }
824
825 sub read_pmg_conf {
826 my ($filename, $fh) = @_;
827
828 local $/ = undef; # slurp mode
829
830 my $raw = <$fh> if defined($fh);
831
832 return PMG::Config::Base->parse_config($filename, $raw);
833 }
834
835 sub write_pmg_conf {
836 my ($filename, $fh, $cfg) = @_;
837
838 my $raw = PMG::Config::Base->write_config($filename, $cfg);
839
840 PVE::Tools::safe_print($filename, $fh, $raw);
841 }
842
843 PVE::INotify::register_file('pmg.conf', "/etc/pmg/pmg.conf",
844 \&read_pmg_conf,
845 \&write_pmg_conf,
846 undef, always_call_parser => 1);
847
848 # parsers/writers for other files
849
850 my $domainsfilename = "/etc/pmg/domains";
851
852 sub postmap_pmg_domains {
853 PMG::Utils::run_postmap($domainsfilename);
854 }
855
856 sub read_pmg_domains {
857 my ($filename, $fh) = @_;
858
859 my $domains = {};
860
861 my $comment = '';
862 if (defined($fh)) {
863 while (defined(my $line = <$fh>)) {
864 chomp $line;
865 next if $line =~ m/^\s*$/;
866 if ($line =~ m/^#(.*)\s*$/) {
867 $comment = $1;
868 next;
869 }
870 if ($line =~ m/^(\S+)\s.*$/) {
871 my $domain = $1;
872 $domains->{$domain} = {
873 domain => $domain, comment => $comment };
874 $comment = '';
875 } else {
876 warn "parse error in '$filename': $line\n";
877 $comment = '';
878 }
879 }
880 }
881
882 return $domains;
883 }
884
885 sub write_pmg_domains {
886 my ($filename, $fh, $domains) = @_;
887
888 foreach my $domain (sort keys %$domains) {
889 my $comment = $domains->{$domain}->{comment};
890 PVE::Tools::safe_print($filename, $fh, "#$comment\n")
891 if defined($comment) && $comment !~ m/^\s*$/;
892
893 PVE::Tools::safe_print($filename, $fh, "$domain 1\n");
894 }
895 }
896
897 PVE::INotify::register_file('domains', $domainsfilename,
898 \&read_pmg_domains,
899 \&write_pmg_domains,
900 undef, always_call_parser => 1);
901
902 my $mynetworks_filename = "/etc/pmg/mynetworks";
903
904 sub read_pmg_mynetworks {
905 my ($filename, $fh) = @_;
906
907 my $mynetworks = {};
908
909 my $comment = '';
910 if (defined($fh)) {
911 while (defined(my $line = <$fh>)) {
912 chomp $line;
913 next if $line =~ m/^\s*$/;
914 if ($line =~ m!^((?:$IPV4RE|$IPV6RE))/(\d+)\s*(?:#(.*)\s*)?$!) {
915 my ($network, $prefix_size, $comment) = ($1, $2, $3);
916 my $cidr = "$network/${prefix_size}";
917 $mynetworks->{$cidr} = {
918 cidr => $cidr,
919 network_address => $network,
920 prefix_size => $prefix_size,
921 comment => $comment // '',
922 };
923 } else {
924 warn "parse error in '$filename': $line\n";
925 }
926 }
927 }
928
929 return $mynetworks;
930 }
931
932 sub write_pmg_mynetworks {
933 my ($filename, $fh, $mynetworks) = @_;
934
935 foreach my $cidr (sort keys %$mynetworks) {
936 my $data = $mynetworks->{$cidr};
937 my $comment = $data->{comment} // '*';
938 PVE::Tools::safe_print($filename, $fh, "$cidr #$comment\n");
939 }
940 }
941
942 PVE::INotify::register_file('mynetworks', $mynetworks_filename,
943 \&read_pmg_mynetworks,
944 \&write_pmg_mynetworks,
945 undef, always_call_parser => 1);
946
947 PVE::JSONSchema::register_format(
948 'tls-policy', \&pmg_verify_tls_policy);
949
950 sub pmg_verify_tls_policy {
951 my ($policy, $noerr) = @_;
952
953 # TODO: extend to parse attributes of the policy
954 my $valid_policy = qr/none|may|encrypt|dane|dane-only|fingerprint|verify|secure/;
955
956 if ($policy !~ /^${valid_policy}$/) {
957 return undef if $noerr;
958 die "value '$policy' does not look like a valid tls policy\n";
959 }
960 return $policy;
961 }
962
963 sub read_tls_policy {
964 my ($filename, $fh) = @_;
965
966 return {} if !defined($fh);
967
968 my $tls_policy = {};
969
970 while (defined(my $line = <$fh>)) {
971 chomp $line;
972 next if $line =~ m/^\s*$/;
973 next if $line =~ m/^#(.*)\s*$/;
974
975 my $parse_error = sub {
976 my ($err) = @_;
977 warn "parse error in '$filename': $line - $err";
978 };
979
980 if ($line =~ m/^(\S+)\s+(.+)\s*$/) {
981 my ($domain, $policy) = ($1, $2);
982
983 eval {
984 pmg_verify_transport_domain($domain);
985 pmg_verify_tls_policy($policy);
986 };
987 if (my $err = $@) {
988 $parse_error->($err);
989 next;
990 }
991
992 $tls_policy->{$domain} = {
993 domain => $domain,
994 policy => $policy,
995 };
996 } else {
997 $parse_error->('wrong format');
998 }
999 }
1000
1001 return $tls_policy;
1002 }
1003
1004 sub write_tls_policy {
1005 my ($filename, $fh, $tls_policy) = @_;
1006
1007 return if !$tls_policy;
1008
1009 foreach my $domain (sort keys %$tls_policy) {
1010 my $entry = $tls_policy->{$domain};
1011 PVE::Tools::safe_print(
1012 $filename, $fh, "$entry->{domain} $entry->{policy}\n");
1013 }
1014 }
1015
1016 my $tls_policy_map_filename = "/etc/pmg/tls_policy";
1017 PVE::INotify::register_file('tls_policy', $tls_policy_map_filename,
1018 \&read_tls_policy,
1019 \&write_tls_policy,
1020 undef, always_call_parser => 1);
1021
1022 sub postmap_tls_policy {
1023 PMG::Utils::run_postmap($tls_policy_map_filename);
1024 }
1025
1026 my $transport_map_filename = "/etc/pmg/transport";
1027
1028 sub postmap_pmg_transport {
1029 PMG::Utils::run_postmap($transport_map_filename);
1030 }
1031
1032 sub read_transport_map {
1033 my ($filename, $fh) = @_;
1034
1035 return [] if !defined($fh);
1036
1037 my $res = {};
1038
1039 my $comment = '';
1040
1041 while (defined(my $line = <$fh>)) {
1042 chomp $line;
1043 next if $line =~ m/^\s*$/;
1044 if ($line =~ m/^#(.*)\s*$/) {
1045 $comment = $1;
1046 next;
1047 }
1048
1049 my $parse_error = sub {
1050 my ($err) = @_;
1051 warn "parse error in '$filename': $line - $err";
1052 $comment = '';
1053 };
1054
1055 if ($line =~ m/^(\S+)\s+smtp:(\S+):(\d+)\s*$/) {
1056 my ($domain, $host, $port) = ($1, $2, $3);
1057
1058 eval { pmg_verify_transport_domain_or_email($domain); };
1059 if (my $err = $@) {
1060 $parse_error->($err);
1061 next;
1062 }
1063 my $use_mx = 1;
1064 if ($host =~ m/^\[(.*)\]$/) {
1065 $host = $1;
1066 $use_mx = 0;
1067 }
1068
1069 eval { PVE::JSONSchema::pve_verify_address($host); };
1070 if (my $err = $@) {
1071 $parse_error->($err);
1072 next;
1073 }
1074
1075 my $data = {
1076 domain => $domain,
1077 host => $host,
1078 port => $port,
1079 use_mx => $use_mx,
1080 comment => $comment,
1081 };
1082 $res->{$domain} = $data;
1083 $comment = '';
1084 } else {
1085 $parse_error->('wrong format');
1086 }
1087 }
1088
1089 return $res;
1090 }
1091
1092 sub write_transport_map {
1093 my ($filename, $fh, $tmap) = @_;
1094
1095 return if !$tmap;
1096
1097 foreach my $domain (sort keys %$tmap) {
1098 my $data = $tmap->{$domain};
1099
1100 my $comment = $data->{comment};
1101 PVE::Tools::safe_print($filename, $fh, "#$comment\n")
1102 if defined($comment) && $comment !~ m/^\s*$/;
1103
1104 my $use_mx = $data->{use_mx};
1105 $use_mx = 0 if $data->{host} =~ m/^(?:$IPV4RE|$IPV6RE)$/;
1106
1107 if ($use_mx) {
1108 PVE::Tools::safe_print(
1109 $filename, $fh, "$data->{domain} smtp:$data->{host}:$data->{port}\n");
1110 } else {
1111 PVE::Tools::safe_print(
1112 $filename, $fh, "$data->{domain} smtp:[$data->{host}]:$data->{port}\n");
1113 }
1114 }
1115 }
1116
1117 PVE::INotify::register_file('transport', $transport_map_filename,
1118 \&read_transport_map,
1119 \&write_transport_map,
1120 undef, always_call_parser => 1);
1121
1122 # config file generation using templates
1123
1124 sub get_template_vars {
1125 my ($self) = @_;
1126
1127 my $vars = { pmg => $self->get_config() };
1128
1129 my $nodename = PVE::INotify::nodename();
1130 my $int_ip = PMG::Cluster::remote_node_ip($nodename);
1131 $vars->{ipconfig}->{int_ip} = $int_ip;
1132
1133 my $transportnets = [];
1134
1135 if (my $tmap = PVE::INotify::read_file('transport')) {
1136 foreach my $domain (sort keys %$tmap) {
1137 my $data = $tmap->{$domain};
1138 my $host = $data->{host};
1139 if ($host =~ m/^$IPV4RE$/) {
1140 push @$transportnets, "$host/32";
1141 } elsif ($host =~ m/^$IPV6RE$/) {
1142 push @$transportnets, "[$host]/128";
1143 }
1144 }
1145 }
1146
1147 $vars->{postfix}->{transportnets} = join(' ', @$transportnets);
1148
1149 my $mynetworks = [ '127.0.0.0/8', '[::1]/128' ];
1150
1151 if (my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip, 1)) {
1152 if ($int_net_cidr =~ m/^($IPV6RE)\/(\d+)$/) {
1153 push @$mynetworks, "[$1]/$2";
1154 } else {
1155 push @$mynetworks, $int_net_cidr;
1156 }
1157 } else {
1158 if ($int_ip =~ m/^$IPV6RE$/) {
1159 push @$mynetworks, "[$int_ip]/128";
1160 } else {
1161 push @$mynetworks, "$int_ip/32";
1162 }
1163 }
1164
1165 my $netlist = PVE::INotify::read_file('mynetworks');
1166 foreach my $cidr (keys %$netlist) {
1167 if ($cidr =~ m/^($IPV6RE)\/(\d+)$/) {
1168 push @$mynetworks, "[$1]/$2";
1169 } else {
1170 push @$mynetworks, $cidr;
1171 }
1172 }
1173
1174 push @$mynetworks, @$transportnets;
1175
1176 # add default relay to mynetworks
1177 if (my $relay = $self->get('mail', 'relay')) {
1178 if ($relay =~ m/^$IPV4RE$/) {
1179 push @$mynetworks, "$relay/32";
1180 } elsif ($relay =~ m/^$IPV6RE$/) {
1181 push @$mynetworks, "[$relay]/128";
1182 } else {
1183 # DNS name - do nothing ?
1184 }
1185 }
1186
1187 $vars->{postfix}->{mynetworks} = join(' ', @$mynetworks);
1188
1189 # normalize dnsbl_sites
1190 my @dnsbl_sites = PVE::Tools::split_list($vars->{pmg}->{mail}->{dnsbl_sites});
1191 if (scalar(@dnsbl_sites)) {
1192 $vars->{postfix}->{dnsbl_sites} = join(',', @dnsbl_sites);
1193 }
1194
1195 $vars->{postfix}->{dnsbl_threshold} = $self->get('mail', 'dnsbl_threshold');
1196
1197 my $usepolicy = 0;
1198 $usepolicy = 1 if $self->get('mail', 'greylist') ||
1199 $self->get('mail', 'spf');
1200 $vars->{postfix}->{usepolicy} = $usepolicy;
1201
1202 if ($int_ip =~ m/^$IPV6RE$/) {
1203 $vars->{postfix}->{int_ip} = "[$int_ip]";
1204 } else {
1205 $vars->{postfix}->{int_ip} = $int_ip;
1206 }
1207
1208 my $resolv = PVE::INotify::read_file('resolvconf');
1209 $vars->{dns}->{hostname} = $nodename;
1210
1211 my $domain = $resolv->{search} // 'localdomain';
1212 $vars->{dns}->{domain} = $domain;
1213
1214 my $wlbr = "$nodename.$domain";
1215 foreach my $r (PVE::Tools::split_list($vars->{pmg}->{spam}->{wl_bounce_relays})) {
1216 $wlbr .= " $r"
1217 }
1218 $vars->{composed}->{wl_bounce_relays} = $wlbr;
1219
1220 if (my $proxy = $vars->{pmg}->{admin}->{http_proxy}) {
1221 eval {
1222 my $uri = URI->new($proxy);
1223 my $host = $uri->host;
1224 my $port = $uri->port // 8080;
1225 if ($host) {
1226 my $data = { host => $host, port => $port };
1227 if (my $ui = $uri->userinfo) {
1228 my ($username, $pw) = split(/:/, $ui, 2);
1229 $data->{username} = $username;
1230 $data->{password} = $pw if defined($pw);
1231 }
1232 $vars->{proxy} = $data;
1233 }
1234 };
1235 warn "parse http_proxy failed - $@" if $@;
1236 }
1237
1238 return $vars;
1239 }
1240
1241 # use one global TT cache
1242 our $tt_include_path = ['/etc/pmg/templates' ,'/var/lib/pmg/templates' ];
1243
1244 my $template_toolkit;
1245
1246 sub get_template_toolkit {
1247
1248 return $template_toolkit if $template_toolkit;
1249
1250 $template_toolkit = Template->new({ INCLUDE_PATH => $tt_include_path });
1251
1252 return $template_toolkit;
1253 }
1254
1255 # rewrite file from template
1256 # return true if file has changed
1257 sub rewrite_config_file {
1258 my ($self, $tmplname, $dstfn) = @_;
1259
1260 my $demo = $self->get('admin', 'demo');
1261
1262 if ($demo) {
1263 my $demosrc = "$tmplname.demo";
1264 $tmplname = $demosrc if -f "/var/lib/pmg/templates/$demosrc";
1265 }
1266
1267 my ($perm, $uid, $gid);
1268
1269 if ($dstfn eq '/etc/clamav/freshclam.conf') {
1270 # needed if file contains a HTTPProxyPasswort
1271
1272 $uid = getpwnam('clamav');
1273 $gid = getgrnam('adm');
1274 $perm = 0600;
1275 }
1276
1277 my $tt = get_template_toolkit();
1278
1279 my $vars = $self->get_template_vars();
1280
1281 my $output = '';
1282
1283 $tt->process($tmplname, $vars, \$output) ||
1284 die $tt->error() . "\n";
1285
1286 my $old = PVE::Tools::file_get_contents($dstfn, 128*1024) if -f $dstfn;
1287
1288 return 0 if defined($old) && ($old eq $output); # no change
1289
1290 PVE::Tools::file_set_contents($dstfn, $output, $perm);
1291
1292 if (defined($uid) && defined($gid)) {
1293 chown($uid, $gid, $dstfn);
1294 }
1295
1296 return 1;
1297 }
1298
1299 # rewrite spam configuration
1300 sub rewrite_config_spam {
1301 my ($self) = @_;
1302
1303 my $use_awl = $self->get('spam', 'use_awl');
1304 my $use_bayes = $self->get('spam', 'use_bayes');
1305 my $use_razor = $self->get('spam', 'use_razor');
1306
1307 my $changes = 0;
1308
1309 # delete AW and bayes databases if those features are disabled
1310 if (!$use_awl) {
1311 $changes = 1 if unlink '/root/.spamassassin/auto-whitelist';
1312 }
1313
1314 if (!$use_bayes) {
1315 $changes = 1 if unlink '/root/.spamassassin/bayes_journal';
1316 $changes = 1 if unlink '/root/.spamassassin/bayes_seen';
1317 $changes = 1 if unlink '/root/.spamassassin/bayes_toks';
1318 }
1319
1320 # make sure we have a custom.cf file (else cluster sync fails)
1321 IO::File->new('/etc/mail/spamassassin/custom.cf', 'a', 0644);
1322
1323 $changes = 1 if $self->rewrite_config_file(
1324 'local.cf.in', '/etc/mail/spamassassin/local.cf');
1325
1326 $changes = 1 if $self->rewrite_config_file(
1327 'init.pre.in', '/etc/mail/spamassassin/init.pre');
1328
1329 $changes = 1 if $self->rewrite_config_file(
1330 'v310.pre.in', '/etc/mail/spamassassin/v310.pre');
1331
1332 $changes = 1 if $self->rewrite_config_file(
1333 'v320.pre.in', '/etc/mail/spamassassin/v320.pre');
1334
1335 if ($use_razor) {
1336 mkdir "/root/.razor";
1337
1338 $changes = 1 if $self->rewrite_config_file(
1339 'razor-agent.conf.in', '/root/.razor/razor-agent.conf');
1340
1341 if (! -e '/root/.razor/identity') {
1342 eval {
1343 my $timeout = 30;
1344 PVE::Tools::run_command(['razor-admin', '-discover'], timeout => $timeout);
1345 PVE::Tools::run_command(['razor-admin', '-register'], timeout => $timeout);
1346 };
1347 my $err = $@;
1348 syslog('info', "registering razor failed: $err") if $err;
1349 }
1350 }
1351
1352 return $changes;
1353 }
1354
1355 # rewrite ClamAV configuration
1356 sub rewrite_config_clam {
1357 my ($self) = @_;
1358
1359 return $self->rewrite_config_file(
1360 'clamd.conf.in', '/etc/clamav/clamd.conf');
1361 }
1362
1363 sub rewrite_config_freshclam {
1364 my ($self) = @_;
1365
1366 return $self->rewrite_config_file(
1367 'freshclam.conf.in', '/etc/clamav/freshclam.conf');
1368 }
1369
1370 sub rewrite_config_postgres {
1371 my ($self) = @_;
1372
1373 my $pgconfdir = "/etc/postgresql/9.6/main";
1374
1375 my $changes = 0;
1376
1377 $changes = 1 if $self->rewrite_config_file(
1378 'pg_hba.conf.in', "$pgconfdir/pg_hba.conf");
1379
1380 $changes = 1 if $self->rewrite_config_file(
1381 'postgresql.conf.in', "$pgconfdir/postgresql.conf");
1382
1383 return $changes;
1384 }
1385
1386 # rewrite /root/.forward
1387 sub rewrite_dot_forward {
1388 my ($self) = @_;
1389
1390 my $dstfn = '/root/.forward';
1391
1392 my $email = $self->get('admin', 'email');
1393
1394 my $output = '';
1395 if ($email && $email =~ m/\s*(\S+)\s*/) {
1396 $output = "$1\n";
1397 } else {
1398 # empty .forward does not forward mails (see man local)
1399 }
1400
1401 my $old = PVE::Tools::file_get_contents($dstfn, 128*1024) if -f $dstfn;
1402
1403 return 0 if defined($old) && ($old eq $output); # no change
1404
1405 PVE::Tools::file_set_contents($dstfn, $output);
1406
1407 return 1;
1408 }
1409
1410 my $write_smtp_whitelist = sub {
1411 my ($filename, $data, $action) = @_;
1412
1413 $action = 'OK' if !$action;
1414
1415 my $old = PVE::Tools::file_get_contents($filename, 1024*1024)
1416 if -f $filename;
1417
1418 my $new = '';
1419 foreach my $k (sort keys %$data) {
1420 $new .= "$k $action\n";
1421 }
1422
1423 return 0 if defined($old) && ($old eq $new); # no change
1424
1425 PVE::Tools::file_set_contents($filename, $new);
1426
1427 PMG::Utils::run_postmap($filename);
1428
1429 return 1;
1430 };
1431
1432 sub rewrite_postfix_whitelist {
1433 my ($rulecache) = @_;
1434
1435 # see man page for regexp_table for postfix regex table format
1436
1437 # we use a hash to avoid duplicate entries in regex tables
1438 my $tolist = {};
1439 my $fromlist = {};
1440 my $clientlist = {};
1441
1442 foreach my $obj (@{$rulecache->{"greylist:receiver"}}) {
1443 my $oclass = ref($obj);
1444 if ($oclass eq 'PMG::RuleDB::Receiver') {
1445 my $addr = PMG::Utils::quote_regex($obj->{address});
1446 $tolist->{"/^$addr\$/"} = 1;
1447 } elsif ($oclass eq 'PMG::RuleDB::ReceiverDomain') {
1448 my $addr = PMG::Utils::quote_regex($obj->{address});
1449 $tolist->{"/^.+\@$addr\$/"} = 1;
1450 } elsif ($oclass eq 'PMG::RuleDB::ReceiverRegex') {
1451 my $addr = $obj->{address};
1452 $addr =~ s|/|\\/|g;
1453 $tolist->{"/^$addr\$/"} = 1;
1454 }
1455 }
1456
1457 foreach my $obj (@{$rulecache->{"greylist:sender"}}) {
1458 my $oclass = ref($obj);
1459 my $addr = PMG::Utils::quote_regex($obj->{address});
1460 if ($oclass eq 'PMG::RuleDB::EMail') {
1461 my $addr = PMG::Utils::quote_regex($obj->{address});
1462 $fromlist->{"/^$addr\$/"} = 1;
1463 } elsif ($oclass eq 'PMG::RuleDB::Domain') {
1464 my $addr = PMG::Utils::quote_regex($obj->{address});
1465 $fromlist->{"/^.+\@$addr\$/"} = 1;
1466 } elsif ($oclass eq 'PMG::RuleDB::WhoRegex') {
1467 my $addr = $obj->{address};
1468 $addr =~ s|/|\\/|g;
1469 $fromlist->{"/^$addr\$/"} = 1;
1470 } elsif ($oclass eq 'PMG::RuleDB::IPAddress') {
1471 $clientlist->{$obj->{address}} = 1;
1472 } elsif ($oclass eq 'PMG::RuleDB::IPNet') {
1473 $clientlist->{$obj->{address}} = 1;
1474 }
1475 }
1476
1477 $write_smtp_whitelist->("/etc/postfix/senderaccess", $fromlist);
1478 $write_smtp_whitelist->("/etc/postfix/rcptaccess", $tolist);
1479 $write_smtp_whitelist->("/etc/postfix/clientaccess", $clientlist);
1480 $write_smtp_whitelist->("/etc/postfix/postscreen_access", $clientlist, 'permit');
1481 };
1482
1483 # rewrite /etc/postfix/*
1484 sub rewrite_config_postfix {
1485 my ($self, $rulecache) = @_;
1486
1487 # make sure we have required files (else postfix start fails)
1488 IO::File->new($transport_map_filename, 'a', 0644);
1489
1490 my $changes = 0;
1491
1492 if ($self->get('mail', 'tls')) {
1493 eval {
1494 PMG::Utils::gen_proxmox_tls_cert();
1495 };
1496 syslog ('info', "generating certificate failed: $@") if $@;
1497 }
1498
1499 $changes = 1 if $self->rewrite_config_file(
1500 'main.cf.in', '/etc/postfix/main.cf');
1501
1502 $changes = 1 if $self->rewrite_config_file(
1503 'master.cf.in', '/etc/postfix/master.cf');
1504
1505 # make sure we have required files (else postfix start fails)
1506 # Note: postmap need a valid /etc/postfix/main.cf configuration
1507 postmap_pmg_domains();
1508 postmap_pmg_transport();
1509 postmap_tls_policy();
1510
1511 rewrite_postfix_whitelist($rulecache) if $rulecache;
1512
1513 # make sure aliases.db is up to date
1514 system('/usr/bin/newaliases');
1515
1516 return $changes;
1517 }
1518
1519 sub rewrite_config {
1520 my ($self, $rulecache, $restart_services, $force_restart) = @_;
1521
1522 $force_restart = {} if ! $force_restart;
1523
1524 if (($self->rewrite_config_postfix($rulecache) && $restart_services) ||
1525 $force_restart->{postfix}) {
1526 PMG::Utils::service_cmd('postfix', 'restart');
1527 }
1528
1529 if ($self->rewrite_dot_forward() && $restart_services) {
1530 # no need to restart anything
1531 }
1532
1533 if ($self->rewrite_config_postgres() && $restart_services) {
1534 # do nothing (too many side effects)?
1535 # does not happen anyways, because config does not change.
1536 }
1537
1538 if (($self->rewrite_config_spam() && $restart_services) ||
1539 $force_restart->{spam}) {
1540 PMG::Utils::service_cmd('pmg-smtp-filter', 'restart');
1541 }
1542
1543 if (($self->rewrite_config_clam() && $restart_services) ||
1544 $force_restart->{clam}) {
1545 PMG::Utils::service_cmd('clamav-daemon', 'restart');
1546 }
1547
1548 if (($self->rewrite_config_freshclam() && $restart_services) ||
1549 $force_restart->{freshclam}) {
1550 PMG::Utils::service_cmd('clamav-freshclam', 'restart');
1551 }
1552 }
1553
1554 1;
PMG API