Skip to content

WIP: LDAP over TLS, DKIM and robots.conf.j2#1

Open
ulvida wants to merge 38 commits into
mainfrom
cielito
Open

WIP: LDAP over TLS, DKIM and robots.conf.j2#1
ulvida wants to merge 38 commits into
mainfrom
cielito

Conversation

@ulvida

@ulvida ulvida commented Aug 8, 2025

Copy link
Copy Markdown

In this PR we fix:

  • LDAP authentication with encryption over TLS,
  • DKIM signature message handle,
  • we extend the robots.conf.j2 template, to handle mail parameters

We are also working in Spamassassin and Clamav integration.

Cuando tengamos algo listo sacamos el "WIP;" y proponemos la PR al upstream

@ulvida ulvida left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A first review of this "work in progress", before proposing to the upstream.

Comment thread tasks/perl-modules.yml Outdated
Comment thread tasks/perl-modules.yml Outdated
- name: Add ldap-secure to features if LDAP auth is enabled
set_fact:
sympa_cpanm_features: "{{ sympa_cpanm_features + ['ldap-secure'] }}"
when: sympa_ldap_auth_enabled | bool

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we allow a non encrypted ldap authentication, with a second boolean flag or several values for this variable?

By the way, there is another PR for LDAP auth. It takes another approach, defining a structure sympa_config_ldap, and changing auth.conf template for a more rigid one.

I prefer present approach, that preserve pre-existent API variable sympa_web_authentication. I consider very elegant how present version of auth.conf template solves all possible backends, withe their specific parameters. I think we should take this approach for other templates, such as robots.conf: some parameters deserve specific consideration (such as listmaster), but after we can loop all the rest of key: value parameters as {{ key }} {{ value }}. The devops configuring her sympa server should ensure all are legitimate parameters for the .conf file.

It deserves to notice that building rigid templates doesn't really ensure we will detect configuration errors. If a parameter is misspelled, it will silently be ignored, eventually leading to a misconfiguration.

If we want to check configuration, we should explicitely do it with a loop of asserts on all possible values. For templates, considering sympa configuration file structure, appropriate loops on key: value parameters templated as {{ key }} {{ value }} are ok.


Comentario original en español:

¿no deberíamos permitir una authenticación en ldap sin encriptado, con un segundo booleano o con algunos valores a esta variable, en vez de enable/disable booleano?

Sea dicho de paso ya hay otra PR para la auth LDAP. Toma un enfoque diferente: define una estructura sympa_config_ldap, y cambia el template auth.conf por uno más rígido.

Prefiero el enfoque tomado acá, que respeta la variable de API pre-existente sympa_web_authentication. Y me parece muy elegante como la versión actual el template auth.conf resuelve todos los backend possibles, con sus diversos parámetros. Creo que podríamos tomarla para otras plantillas, como robots.conf: algunos parámetros merecen tratamiento especial (como listmaster), pero luego toda la lista restante de key: value, a carga do quién use el rol de poner ahí parámetros legitimos para un robot sympa.

Comment thread templates/robot.conf.j2 Outdated
{% if item.config_colors is defined %}
## Colors
{% for color in item.config_colors %}
color_{{ loop.index - 1 }} {{ color }}

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Entiendo que el parámetro color_x fue abandonado en la 6.2.70.

Comment thread templates/robot.conf.j2 Outdated
cookie_domain {{ item.web_domain | default(item.domain) }}
{% endif %}
{% if item.config_title is defined %}
title {{ item.config_title }}

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why adding prefix config_ to all the following parameters?

We are proposing the definition of sympa_robots role's API. I think we should stick as close as possible of sympa configuration vocabulary.


¿porqué config_ para todos los siguientes parámetros que agregan de un robot?

acá están proponiendo la API de la sympa_robots. Creo que el nombre debe ser igual al parámetro sympa. Idealmente, la plantilla debe considerar todos los parámetros de config que la doc indica se pueden usar en un robots.conf.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idem, my own fault.

Comment thread defaults/main.yml Outdated
sympa_dkim_feature: false
sympa_dkim_add_signature_to:
- robot
- list

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Candide question: Shouldn't we allow to sign each robot with its specific DKIM key?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it would be better if each robot is from an entirely different fqdn

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now, in cielito.sympa.install, we hard coded dkim_same_key: false when calling dkim role .

But: are we proposing a complete and consistent DKIM features API for this upstream role?

@fzadikian fzadikian Sep 2, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was dkim_same_key from our fork or from upstream? Why is it broken in our fork? Anyways, it doesn't seem like a great idea to have the same key for every (sub)domain.

Comment thread templates/robot.conf.j2 Outdated
@@ -1,8 +1,31 @@
# Robot configuration for {{ item.domain }}

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For code clarity, shouldn't we give a name (for instance sympa_robot) to this item loop variable?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oups... my own fault.

Now I remember I preferred "not to change too much". I'll grap this in a PR specific to robots configuration.

Comment thread tasks/perl-modules.yml
set_fact:
sympa_cpanm_features: "{{ sympa_cpanm_features + ['ldap-secure'] }}"
when: sympa_ldap_auth_enabled | bool
tags: sympaldap

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

role tags are sympa-conf, sympa-auth, ... should therefore be sympa-ldap here.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about sympasoap, though?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right... anyway, all tagging is still to review. not very relevant, so.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these tags are not meant to be run until everything prior has been ran at least once, because the rest of the file has no tags at all

@fzadikian

fzadikian commented Aug 11, 2025

Copy link
Copy Markdown
Member

I added the LDAP variables to default/main.yml as well as README.md. and I also added the option for non-SSL LDAP authentication.

Comment thread README.md Outdated

#### *sympa_ldap_auth_ssl*

Whether authentication through LDAP uses SSL. Defaults to `true`.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it SSL or TLS? And shouldn't we allow any transport protocol, for sysadmin to be able to fit their installation with their LDAP requirements?

By the way, to complete LDAP understanding we should also document somewhere how to build sympa_web_authentication. A link to ldap auth.conf configuration would be worthy.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it SSL or TLS?

ldap-secure depends on IO::Socket::SSL, so I guess it is SSL.

And shouldn't we allow any transport protocol, for sysadmin to be able to fit their installation with their LDAP requirements?

What do you mean? We are currently covering both ldap and ldap-secure, the only ldap related features on sympa's cpanfile.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ldap-secure depends on IO::Socket::SSL, so I guess it is SSL.

SSL is often used for secure layer, but strictly SSL is deprecated and being replaced by TLS. Seeing our LDAP parameters, I think we are using TLS 1.2, on port 389. ldaps (i.e. LDAP on SSL listen on port 636).

What do you mean?
I mean the LDAP may pre-exists and Sympa should bind to itl as provided: basic ldap on port 389, ldaps on 636 and/or ldap+starttls on 389 (our LDAP, for instance, took a while to offer this last protocol)

We are currently covering both ldap and ldap-secure, the only ldap related features on sympa's cpanfile.

There are also TLS parameters of the authentication.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are also TLS parameters of the authentication.

I see, then shall I rename variables to reference TLS instead of SSL, or directly reference "secure" instead?

I mean the LDAP may pre-exists and Sympa should bind to itl as provided: basic ldap on port 389, ldaps on 636 and/or ldap+starttls on 389 (our LDAP, for instance, took a while to offer this last protocol)

So then, does that need any special configurations from this role? I thought the {{ key }} {{ value }} approach would eliminate all those quirks.

@ulvida ulvida left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non blocking details in API and templating, for a better PR to upstream.

Comment thread templates/sympa.conf.j2 Outdated
{% if sympa_dkim_signature_apply_on | length>0 %}
dkim_signature_apply_on {{ sympa_dkim_signature_apply_on | join(',') }}
{% else %}
dkim_signature_apply_on none

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dkim_signature_apply_on is not mandatory, and default behaviour of sympa when its not defined - or empty? - is not none. I think it's good to define sympa_dkim_signature_apply_on as a list, but not to "over-template" it.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, just keep the if statement and remove the else statement entirely?

Comment thread defaults/main.yml Outdated
sympa_dkim_feature: false
sympa_dkim_add_signature_to:
- robot
- list

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now, in cielito.sympa.install, we hard coded dkim_same_key: false when calling dkim role .

But: are we proposing a complete and consistent DKIM features API for this upstream role?

Comment thread defaults/main.yml Outdated
- md5_authenticated_messages
- smime_authenticated_messages
- dkim_authenticated_messages
- editor_validated_messages

@ulvida ulvida Sep 2, 2025

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand you set these values because of these sympa defaults.

However, this is the default behaviour of sympa when dkim_signature_apply_on is not defined. Here, we must allow such setting, not set values that reproduce this behaviour. As we need to allow "dkim_signature_apply_on not defined" in sympa, we shouldn't set a default value here.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, we shouldn't set any of these four values, and if the user decides to set dkim_signature_apply_on, they should handle it themselves? Just in case, this code was snipped from our legacy sympa role and adapted by @paulo-ruiz.

@ulvida ulvida Sep 5, 2025

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, we shouldn't set any of these four values, and if the user decides to set dkim_signature_apply_on, they should handle it themselves?

Yes. Eventually the role could assert permitted values, but I think re-coding in the role the default behaviour of sympa conflicts with DRY principle. don't you think so?

Just in case, this code was snipped from our legacy sympa role and adapted by @paulo-ruiz.

legacy or upstream sympa role? There is nothing about DKIM in upstream version of this template. We are building our PR.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

legacy or upstream sympa role? There is nothing about DKIM in upstream version of this template. We are building our PR.

I am referring to this.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Eventually the role could assert permitted values, but I think re-coding in the role the default behaviour of sympa conflicts with DRY principle. don't you think so?

Yes, I agree that it's better to simplify this.

Comment thread templates/sympa.conf.j2
# adapted from stuvusIT/sympa repository on Github

## dkim_feature
dkim_feature {{ sympa_dkim_feature | bool | ternary('on', 'off') }}

@ulvida ulvida Sep 9, 2025

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the previous parameters of this file are prefixed with sympa_config_* and for this one and following we switch to sympa_*. Should we harmonise naming? or sympa_config_dkim_* is too much?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

both variables exist, though. sympa_dkim_feature actually configures dkim, and sympa_config_dkim_feature just installs the dependencies. i would change the last one, but that would break upstream. merging them into one doesn't seem ideal either.

Comment thread tasks/robot.yml Outdated
path: "{{ sympa_installation_directory }}/arc/{{ sympa_robot_domain }}"
owner: "{{ sympa_unix_user }}"
group: "{{ sympa_unix_group }}"
mode: 0755

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apparently, these folders per robot are not needed. Sympa create archive folder with the full name of the list list@robot_domain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants