add-cyrus-user   [plain text]

#!/usr/bin/perl

#---------------------------------------------------------------------
# This script was designed to ease adding Cyrus-IMAP users for
# a very specific kind of configuration: Postfix+Cyrus, where
#
#	mailbox_transport = default (mailbox delivery), 
#	fallback_transport = cyrus
#
# in such a configuration, an IMAP-user without a local account
# will requires no additional Postfix configuration, but an
# IMAP-user who is also a local user requires that a user-specific
# line be added to the transports file to force the use of the
# 'cyrus' transport.  The Postfix-specific configuration can be
# suppressed with the "-no_mta_cfg" flag.
#
# In order for the script to be able to edit the two Postfix config
# files correctly, the files must have 'tag-lines' in them which
# the script uses to orient itself when inserting the new lines.
# The tag-lines are:
#
# /etc/postfix/transport:
#	"# add-cyrus-user tag (don't remove this line)"
#
# /etc/postfix/virtual:
#	"# Cyrus IMAP users (do not remove this line)"
#
# Without these tag-lines the script will fail.
#
# This script assumes the use of 'sasldb2' authentication.
#
# USAGE:
#
#	add-cyrus-user -u <IMAP-username> -p <IMAP-password [options]
#
#	options are:
#		-q[uota]		set quota for mailbox (in KB)
#		-part[ition]	specify a partition (default = "default")
#		-no_mta_cfg		do not perform Postfix-specific steps
#
# yes, I know, specifying the password on the command-line is
# insecure.  The script will prompt you for the cyrus username
# and password if you do not specify them on the command line.
#
# AUTHOR
#
#	Robert Urban <urban@tru64.org>
#
#---------------------------------------------------------------------

use Cyrus::IMAP::Admin;
use FileHandle;
use File::Basename;
use Fcntl ':flock'; # import LOCK_* constants

my $DEBUG = 0;
my $VERBOSE = 1;
my $mta_cfg = 1;

my $TRANSPORT_FILE = '/etc/postfix/transport';
my $VIRTUAL_FILE = '/etc/postfix/virtual';

my $user = '';
my $pass = '';
my $quota = '';
my $partition = 'default';

#--------------------------------------------------------------------
# parse arguments
#--------------------------------------------------------------------
while ($_ = shift) {
	if (/^-h/) {
		usage();
		exit;
	} elsif (/^-u(ser)?$/) {
		$user = shift;
	} elsif (/^-p(ass)?$/) {
		$pass = shift;
	} elsif (/^-part(ition)?/) {
		$partition = shift;
	} elsif (/^-q(uota)?/) {
		$quota = shift;
		if ($quota =~ /^(\d+)m/i) {
			$quota *= 1024;
		}
	} elsif (/^-no_mta_cfg/) {
		$mta_cfg = 0;
	} else {
		print "unknown param [$_]\n\n";
		usage();
		exit;
	}
}

#--------------------------------------------------------------------
# main(), if you like
#--------------------------------------------------------------------

if (!$user) {
	$user = query('Enter new Cyrus user');
}

if (!$pass) {
	$pass = query('Enter password for new Cyrus user', 1);
}

if ($DEBUG) {
	print "USERNAME: $user, PASSWORD: $pass\n";
	print "PARTITION = [$partition]\n";
	print "QUOTA = [$quota]\n";
	print "MTA_CFG = [$mta_cfg]\n";
}

$unix_user = (getpwnam($user)) ? 1 : 0;
$VERBOSE && print "$user is".($unix_user ? '' : ' NOT')." a unix user\n";

$client = Cyrus::IMAP::Admin->new('localhost');
defined($client) || die "failed to get Admin obj.";

#--------------------------------------------------------------------
# authenticate administrator
#--------------------------------------------------------------------
while (1) {
	$cp = getCyrusPassword();
	$ret = $client->authenticate(
		User => 'cyrus',
		Password => $cp,
	);
	if ($ret) { last; }
	print "Cyrus password incorrect.\n";
}

#--------------------------------------------------------------------
# create IMAP mailbox
#--------------------------------------------------------------------

$mbox = "user.$user";

$VERBOSE && print "adding CYRUS user [$mbox]\n";
if (!$DEBUG) {
	if (!$client->create($mbox, $partition)) {
		die "failed to create mailbox [$mbox]";
	}

	#----------------------------------------------------------------
	# give user "cyrus" all permissions on mailbox
	#----------------------------------------------------------------
	if (!$client->setacl($mbox, cyrus => 'all')) {
		die "failed to give cyrus user permissions for [$mbox]";
	}
}

#--------------------------------------------------------------------
# set quota for mailbox
#--------------------------------------------------------------------
if ($quota && !$DEBUG) {
	$VERBOSE && print "setting quota for [$mbox] to $quota\n";
	if (!$client->setquota($mbox, STORAGE => $quota)) {
		#die "failed to set quota for [$mbox]";
		# does not necessarily need to be fatal
		print "failed to set quota for [$mbox]\n";
	}
}

#--------------------------------------------------------------------
# create SASL entry
#--------------------------------------------------------------------
setSaslPassword($user, $pass);

#--------------------------------------------------------------------
# the following code is Postfix-specific
#--------------------------------------------------------------------
if ($unix_user && $mta_cfg) {
	addTransportLine($user);
	addVirtualLine($user);
	$VERBOSE && print "generating new postfix maps\n";
	myExec("postmap $TRANSPORT_FILE");
	myExec("postmap $VIRTUAL_FILE");
}

exit;

sub usage
{
	print <<_EOF_;
usage: $0 -u NEWUSER -p NEWPASSWORD [options]
  options:
    -q[uota] <quota>     quota for mailbox in KB, or MB, if suffixed with 'm'
    -part[ition] <part>  partition on which to create mailbox. none = 'default'
    -no_mta_cfg          do not perform MTA-specific steps (Postfix)

  If "-u USER" or "-p PASS" is not specified on command line, script
  will prompt for it/them.
_EOF_

}

sub query
{
	my $prompt = shift;
	my $echo_off = shift;

	print "${prompt}? ";
	my $ans;
	do {
		if ($echo_off) { system("stty -echo"); }
		chomp($ans = <STDIN>);
		if ($echo_off) { system("stty echo"); }
		if (!$ans) { print "you must enter something here\n"; }
	} while(!length($ans));

	$ans;
}

sub setSaslPassword
{
	my ($user, $pass) = @_;

	my $fh = FileHandle->new;

	open($fh, "|saslpasswd2 -p $user") || die "popen to saslpasswd2 failed";
	print $fh "$pass\n";
	close($fh);
}

sub getCyrusPassword
{
	print "Please Enter Cyrus administration password: ";
	system('stty -echo');
	my $p;
	chomp($p = <STDIN>);
	system('stty echo');
	print "\n";

	$p;
}

sub addTransportLine
{
	my $user = shift;

	my $line = "${user}\@y42.org\tcyrus:";

	editFile($TRANSPORT_FILE, 'add-cyrus-user', $line);
}

sub addVirtualLine
{
	my $user = shift;

	my $line = "${user}\t${user}\@y42.org";

	editFile($VIRTUAL_FILE, 'Cyrus IMAP users', $line);
}

#-----------------------------------------------------------------
# editFile()
#
# in order to work with flock(), the contents must be kept in
# memory and written back to input file.
#-----------------------------------------------------------------
sub editFile
{
	my ($file, $tag, $line) = @_;

	my (@contents);

	$VERBOSE && print "editing [$file]\n";

	my $dn = dirname($file);
	my $bn = basename($file);

	my $fh = FileHandle->new("+<$file");
	defined($fh) || die "open $file for reading";
	lockFile($fh);

	my $state = 'looking';
	while(<$fh>) {
		if ($state eq 'found') {
			if (/^\s*#/) {
				push(@contents, $_);
				next;
			}
			push(@contents, "$line\n");
			push(@contents, $_);
			$state = 'copyrest';
		} elsif ($state eq 'looking') {
			push(@contents, $_);
			if (/$tag/) {
				$state = 'found';
			}
		} else {
			# state = copyrest
			push(@contents, $_);
		}
	}

	if ($state eq 'looking') {
		die "tag [$tag] not found in file [$file]";
	}

	if ($DEBUG) {
		unlockFile($fh);
		return;
	}

	# rewind file-pointer
	seek($fh, 0, 0) || die "seek";
	truncate($fh, 0) || die "truncate";

	# write new contents
	foreach (@contents) {
		print $fh $_;
	}

	unlockFile($fh);
	$fh->close;
}

sub myRename
{
	my ($old, $new) = @_;

	($VERBOSE > 1) && print "rename: $old --> $new\n";
	$DEBUG && return;

	if (!rename($old, $new)) {
		die "rename of $old to $new failed";
	}
}

sub myExec
{
	my $cmd = shift;

	($VERBOSE > 1) && print "CMD: $cmd\n";

	$DEBUG && return;

	return !system($cmd);
}

sub unlockFile
{
	my $fh = shift;

    $DEBUG && print "unlocking file\n";
    flock($fh, LOCK_UN) || die "flock lock_un ($!)";
}

sub lockFile
{
	my $fh = shift;

	$DEBUG && print "locking file\n";
	flock($fh, LOCK_EX) || die "flock lock_ex ($!)";
}