Initial commit

configs/config.yaml.sample

@@ -0,0 +1,26 @@
+keycloak:
+  base_url: "<Keycloak URL>"
+  realm: "<Keycloak Realm>"
+  client_id: "<Client ID>"
+  client_secret: "<Client Secret>"
+  # admin API is derived: {base_url}/admin/realms/{realm}
+
+sqlite:
+  path: "/var/lib/kc-policy/aliases.db"
+
+policy:
+  domain: "<EMail domain-name>"
+  # cache for keycloak lookups (username->email, email->exists)
+  cache_ttl_seconds: 120
+  # if keycloak is down:
+  #  - "tempfail": return 451 (recommended)
+  #  - "dunno": fail-open
+  keycloak_failure_mode: "tempfail"
+
+sockets:
+  # These paths must be inside postfix chroot (/var/spool/postfix)
+  policy_socket: "/var/spool/postfix/private/kc-policy"
+  socketmap_socket: "/var/spool/postfix/private/kc-socketmap"
+  socket_owner_user: "postfix"
+  socket_owner_group: "postfix"
+  socket_mode: "0660"

configs/openrc-kc-policy

@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+
+name="kc-policy"
+command="/usr/local/sbin/kc-policy"
+command_args="/etc/kc-policy/config.yaml"
+command_background="yes"
+pidfile="/run/kc-policy.pid"
+
+depend() {
+  need net
+  after postfix
+}
+
+start_pre() {
+  checkpath -d -m 0750 -o root:postfix /etc/kc-policy
+  checkpath -d -m 0750 -o root:postfix /var/lib/kc-policy
+  checkpath -d -m 0755 -o root:root /usr/local/sbin
+  # sockets dir already exists
+}
+
+stop_post() {
+  rm -f /var/spool/postfix/private/kc-policy /var/spool/postfix/private/kc-socketmap
+}

configs/postfix-main.cf

@@ -0,0 +1,21 @@
+#
+# Configuration to add to /etc/postfix/main.cf
+#
+
+# Domaine local “virtuel”
+virtual_mailbox_domains = static:<EMail domain-name>
+
+# Delivery to dovecot LMTP
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+# Dynamic aliases via socketmap
+virtual_alias_maps = socketmap:unix:private/kc-socketmap:alias
+
+# Policy (RCPT existence + sender policy on 587 via master.cf)
+smtpd_recipient_restrictions =
+  reject_non_fqdn_recipient,
+  reject_unknown_recipient_domain,
+  permit_sasl_authenticated,
+  reject_unauth_destination,
+  check_policy_service unix:private/kc-policy,
+  permit

configs/postfix-master.cf

@@ -0,0 +1,8 @@
+#
+# Configuration to add to /etc/postfix/master.cf
+#
+
+-o smtpd_sender_restrictions=check_policy_service unix:private/kc-policy
+
+# You can remove `reject_senders_login_mismaych` + `sender_login_maps`
+# as this kc-policy will handle it.