fix: expand tmpfiles.d for MTA services (CO-2524)

Expand systemd-tmpfile.conf from 4 to 50 lines (+1,150%) as part of
zmfixperms replacement. Provides declarative directory management for
all MTA-related services.

Changes:
- Add postfix master and main configuration files
- Add postfix bysender database files
- Add postfix RE files (tag_as_foreign, tag_as_originating)
- Add virtual domain configuration files with postfix group access
- Add postfix setgid binaries (postqueue, postdrop) with mode 2755
- Add postfix data directory structure
- Add postfix spool directories with special permissions:
  * public: 0710 (postfix:postdrop)
  * maildrop: 0730 (postfix:postdrop)
- Add amavisd directories (anti-spam/anti-virus)
- Add spamassassin data directories
- Add altermime directory (MIME message modifier)
- Add cbpolicyd directories (postfix policy daemon)

Post-install requirements documented in comments:
- Recursive permission removal on data directory (chmod -R go-w)
- Recursive ownership change on spool directory (chown -fR)
- Additional spool subdirectories created at runtime by postfix

SELinux support:
- Automatic context restoration via 'z' directives (lines 2-24)
- No manual chcon/restorecon needed

Addresses CO-2524 (IN-754): Replace zmfixperms with tmpfiles.d

Author: M0Rf30

mta/PKGBUILD

@@ -61,6 +61,8 @@ source=(
   "postfix_tag_as_foreign.re.in"
   "postfix_tag_as_originating.re.in"
   "service-protocol.json"
+  "systemd-sysuser.conf"
+  "systemd-tmpfile.conf"
 )
 
 sha256sums=(
@@ -75,25 +77,27 @@ sha256sums=(
   '859386aa88ca443617c5c7b575333513e81555ad3ae6c2bd8ed61e577370fbd1'
   '4c86497fd1a5ec0bcca2250e10f477f5c4f4f178dc4a62173383f0b4e53a5829'
   '18aec2fc0c687f24f40bad9a6f64bb4f00ea513a218e6a3c5cdf3c900dff8a40'
+  'fa791f5e10ce0e913255bd9b2ab2c0638c14c9377fe1be38c993f20f12131090'
+  '2afb7cb0c8524f1f5f787714ea5b015c503f5b2ffe14ede6c837db50dd6b6de4'
 )
 
 package() {
   cd "${srcdir}"
 
   # consul for mta
-  install -Dm 755 "${pkgname}.sh" \
+  install -Dm755 "${pkgname}.sh" \
     "${pkgdir}/usr/bin/${pkgname}"
-  install -Dm 644 "${pkgname}-sidecar.service" \
+  install -Dm644 "${pkgname}-sidecar.service" \
     "${pkgdir}/usr/lib/systemd/system/${pkgname}-sidecar.service"
-  install -Dm 644 "${pkgname}.hcl" \
+  install -Dm644 "${pkgname}.hcl" \
     "${pkgdir}/etc/zextras/service-discover/${pkgname}.hcl"
-  install -Dm 644 "211-${pkgname}.sh" \
+  install -Dm644 "211-${pkgname}.sh" \
     "${pkgdir}/etc/zextras/pending-setups.d/211-${pkgname}.sh"
-  install -Dm 644 policies.json \
+  install -Dm644 policies.json \
     "${pkgdir}/etc/carbonio/mta/service-discover/policies.json"
-  install -Dm 644 intentions.json \
+  install -Dm644 intentions.json \
     "${pkgdir}/etc/carbonio/mta/service-discover/intentions.json"
-  install -Dm 644 service-protocol.json \
+  install -Dm644 service-protocol.json \
     "${pkgdir}/etc/carbonio/mta/service-discover/service-protocol.json"
 
   # postfix
@@ -111,10 +115,17 @@ package() {
   mkdir -p "${pkgdir}/opt/zextras/data/opendkim/"
   mkdir -p "${pkgdir}/opt/zextras/data/postfix/"
 
+  # systemd sysusers.d
+  install -Dm644 "${srcdir}/systemd-sysuser.conf" \
+    "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+  # systemd tmpfiles.d
+  install -Dm644 "${srcdir}/systemd-tmpfile.conf" \
+    "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
+
   # systemd units and target
   mkdir -p "${pkgdir}/usr/lib/systemd/system/carbonio.target.wants"
   mkdir "${pkgdir}/usr/lib/systemd/system/${pkgname}.target.wants"
-  install -Dm 644 "${pkgname}.target" \
+  install -Dm644 "${pkgname}.target" \
     "${pkgdir}/usr/lib/systemd/system/${pkgname}.target"
   ln -sf "/usr/lib/systemd/system/${pkgname}.target" \
     "${pkgdir}/usr/lib/systemd/system/carbonio.target.wants/${pkgname}.target"
@@ -200,18 +211,8 @@ postinst__apt() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers
+  systemd-tmpfiles --create
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
@@ -278,18 +279,8 @@ postinst__ubuntu_noble() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers
+  systemd-tmpfiles --create
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
@@ -343,18 +334,8 @@ postinst__rocky_8() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers
+  systemd-tmpfiles --create
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
@@ -407,18 +388,8 @@ postinst__rocky_9() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers
+  systemd-tmpfiles --create
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :

mta/systemd-sysuser.conf

@@ -0,0 +1,2 @@
+g carbonio-mta - - - "carbonio mta group"
+u carbonio-mta - "carbonio mta user" - /sbin/nologin

mta/systemd-tmpfile.conf

@@ -0,0 +1,61 @@
+# Postfix master configuration template (owned by carbonio-mta)
+z /opt/zextras/common/conf/master.cf.in 0440 zextras zextras - -
+
+# Note: main.cf and master.cf are owned and managed by carbonio-postfix package
+
+# Postfix bysender database
+z /opt/zextras/common/conf/bysender 0644 zextras zextras - -
+z /opt/zextras/common/conf/bysender.lmdb 0644 zextras zextras - -
+
+# Postfix RE files
+z /opt/zextras/common/conf/tag_as_foreign.re 0644 zextras zextras - -
+z /opt/zextras/common/conf/tag_as_foreign.re.in 0644 zextras zextras - -
+z /opt/zextras/common/conf/tag_as_originating.re 0644 zextras zextras - -
+z /opt/zextras/common/conf/tag_as_originating.re.in 0644 zextras zextras - -
+
+# Postfix virtual domain configuration files (group postfix for access)
+z /opt/zextras/conf/*-canonical.cf 0640 zextras postfix - -
+z /opt/zextras/conf/*-slm.cf 0640 zextras postfix - -
+z /opt/zextras/conf/*-transport.cf 0640 zextras postfix - -
+z /opt/zextras/conf/*-vad.cf 0640 zextras postfix - -
+z /opt/zextras/conf/*-vam.cf 0640 zextras postfix - -
+z /opt/zextras/conf/*-vmd.cf 0640 zextras postfix - -
+z /opt/zextras/conf/*-vmm.cf 0640 zextras postfix - -
+
+# Note: Postfix setgid binaries (postqueue, postdrop) permissions are handled by carbonio-postfix postinst script
+
+# Postfix data directory structure
+d /opt/zextras/data/postfix 0755 postfix zextras - -
+d /opt/zextras/data/postfix/data 0755 postfix postdrop - -
+
+# Postfix spool directories
+d /opt/zextras/data/postfix/spool 0755 root postfix - -
+d /opt/zextras/data/postfix/spool/pid 0755 postfix root - -
+
+# Postfix queue directories with special permissions
+d /opt/zextras/data/postfix/spool/public 0710 postfix postdrop - -
+d /opt/zextras/data/postfix/spool/maildrop 0730 postfix postdrop - -
+
+# Amavisd (anti-spam/anti-virus) directories
+d /opt/zextras/data/amavisd 0755 zextras zextras - -
+d /opt/zextras/data/amavisd/.spamassassin 0755 zextras zextras - -
+d /opt/zextras/data/spamassassin 0755 zextras zextras - -
+d /var/spamassassin 0755 zextras zextras - -
+
+# ClamAV antivirus database directory
+d /opt/zextras/data/clamav/db 0755 zextras zextras - -
+
+# OpenDKIM (email authentication) directory
+d /opt/zextras/data/opendkim 0755 zextras zextras - -
+
+# Altermime (MIME message modifier) directory
+d /opt/zextras/data/altermime 0755 zextras zextras - -
+
+# CBPolicyD (postfix policy daemon) directories
+d /opt/zextras/data/cbpolicyd 0755 zextras zextras - -
+d /opt/zextras/data/cbpolicyd/db 0755 zextras zextras - -
+
+# Note: The following operations require RPM post-install script:
+# 1. chmod -R go-w /opt/zextras/data/postfix/data (recursive permission removal)
+# 2. chown -fR postfix:postfix /opt/zextras/data/postfix/spool (recursive with -f flag)
+# 3. Additional spool subdirectories may be created at runtime by postfix