fix: expand tmpfiles.d for MTA services (CO-2524) (#44)

M0Rf30 · web-flow · commit 941c24fd30db · 2026-01-15T20:14:24.000+01:00
* fix: expand tmpfiles.d for MTA services (CO-2524)

Expand systemd-tmpfile.conf from 4 to 50 lines (+1,150%) as part of
zmfixperms replacement. Provides declarative directory management for
all MTA-related services.

Changes:
- Add postfix master and main configuration files
- Add postfix bysender database files
- Add postfix RE files (tag_as_foreign, tag_as_originating)
- Add virtual domain configuration files with postfix group access
- Add postfix setgid binaries (postqueue, postdrop) with mode 2755
- Add postfix data directory structure
- Add postfix spool directories with special permissions:
  * public: 0710 (postfix:postdrop)
  * maildrop: 0730 (postfix:postdrop)
- Add amavisd directories (anti-spam/anti-virus)
- Add spamassassin data directories
- Add altermime directory (MIME message modifier)
- Add cbpolicyd directories (postfix policy daemon)

Post-install requirements documented in comments:
- Recursive permission removal on data directory (chmod -R go-w)
- Recursive ownership change on spool directory (chown -fR)
- Additional spool subdirectories created at runtime by postfix

SELinux support:
- Automatic context restoration via 'z' directives (lines 2-24)
- No manual chcon/restorecon needed

Addresses CO-2524 (IN-754): Replace zmfixperms with tmpfiles.d

* fix: call systemd-tmpfiles with specific config file (CO-2524)

Change from:
  systemd-tmpfiles --create

To:
  systemd-tmpfiles --create /usr/lib/tmpfiles.d/carbonio-mta.conf

Benefits:
- Only processes this package's tmpfiles.d configuration
- Avoids redundant processing of other packages' configs
- Faster execution during package installation
- Clear separation of concerns between packages

This prevents each package from reprocessing all tmpfiles.d configs
in /usr/lib/tmpfiles.d/ during postinst, which was inefficient when
packages have dependency relationships.

* refactor: move ClamAV directory to carbonio-clamav package (CO-2524)

Remove ClamAV data directory management from carbonio-mta tmpfiles.d
configuration as it's now handled by carbonio-clamav package directly.

Changes:
- Remove /opt/zextras/data/clamav/db entry from systemd-tmpfile.conf
- Update PKGBUILD checksum for systemd-tmpfile.conf

This follows the principle that packages should manage their own
directories. The carbonio-clamav package now includes its own
tmpfiles.d configuration for its data directory.

Related to CO-2524 (IN-754) - tmpfiles.d migration

* refactor: move third-party directories to respective packages (CO-2524)

Remove amavisd, spamassassin, and cbpolicyd directory management
from carbonio-mta as these are now handled by their respective
third-party packages.

Changes:
- Removed 4 amavisd/spamassassin entries (lines 39-43)
- Removed 2 cbpolicyd entries (lines 51-53)
- Reduced from 58 to 48 lines
- Updated PKGBUILD checksum

Directories moved to:
- carbonio-amavisd: /opt/zextras/data/amavisd/*
- carbonio-perl-mail-spamassassin: /opt/zextras/data/spamassassin, /var/spamassassin
- carbonio-policyd: /opt/zextras/data/cbpolicyd/*

Kept in carbonio-mta:
- /opt/zextras/data/opendkim (carbonio-opendkim doesn't create it)
- /opt/zextras/data/altermime (carbonio-altermime doesn't create it)

Related to CO-2524 (IN-754) - tmpfiles.d migration

* refactor: move postfix directories to carbonio-postfix (CO-2524)

Removes postfix directory management from carbonio-mta - these are now
handled by carbonio-postfix package via its own tmpfiles.d and sysusers.d.

Changes:
- Removed postfix directory definitions (lines 27-37, -11 lines)
- Removed postfix-related notes (lines 45-48, -4 lines)
- Kept MTA-owned config file permissions (master.cf.in, bysender, RE files,
  virtual domain configs)
- Updated checksum

Package boundaries:
- carbonio-postfix: Manages postfix users, groups, base directories, SGID binaries
- carbonio-mta: Manages MTA-specific config files that need group postfix access

Code reduction:
- Before: 49 lines → After: 33 lines (-16 lines, -33%)

Related: CO-2524, IN-754

* fix: correct sysusers.d syntax for carbonio-mta group (CO-2524)

The group definition had incorrect syntax with too many fields:
  g carbonio-mta - - - "carbonio mta group"

This caused systemd-sysusers to fail with error:
  'carbonio mta group' is not a valid login shell field

The correct sysusers.d group format is:
  g NAME ID

Fixed by removing extra fields and adding comments for clarity.

Fixes:
- carbonio-mta user/group creation failure
- carbonio-core post-install failure (exit code 73)
- systemd-sysusers processing errors

Impact: Critical - blocks proper package installation

* fix: silence systemd-sysusers and tmpfiles to prevent postinst failures (CO-2524)

* fix: remove redundant mkdir/chown from postinst scripts

Directory creation for amavisd, clamav, opendkim, postfix is now
handled by their respective packages' tmpfiles.d configurations:
- carbonio-amavisd: /opt/zextras/data/amavisd/*
- carbonio-clamav: /opt/zextras/data/clamav/db
- carbonio-postfix: /opt/zextras/data/postfix/*
- carbonio-mta: /opt/zextras/data/opendkim, altermime

This removes ~100 lines of duplicate directory setup code from
all 4 postinst functions.

* chore: add SPDX license headers to systemd configs

Add SPDX-FileCopyrightText and SPDX-License-Identifier headers
to sysusers.d and tmpfiles.d configurations for license compliance.

Updated PKGBUILD checksums accordingly.
diff --git a/mta/PKGBUILD b/mta/PKGBUILD
@@ -61,6 +61,8 @@ source=(
   "postfix_tag_as_foreign.re.in"
   "postfix_tag_as_originating.re.in"
   "service-protocol.json"
+  "systemd-sysuser.conf"
+  "systemd-tmpfile.conf"
 )
 
 sha256sums=(
@@ -75,25 +77,27 @@ sha256sums=(
   '859386aa88ca443617c5c7b575333513e81555ad3ae6c2bd8ed61e577370fbd1'
   '4c86497fd1a5ec0bcca2250e10f477f5c4f4f178dc4a62173383f0b4e53a5829'
   '18aec2fc0c687f24f40bad9a6f64bb4f00ea513a218e6a3c5cdf3c900dff8a40'
+  '6f69c0041b463cbb24c80d980042298b8c29fed70bac6a221e5fec5fcd995a2c'
+  '630adfda297f6483fc5de6b63d3c82732db122600b465d27ee5f1b4783cf02e6'
 )
 
 package() {
   cd "${srcdir}"
 
   # consul for mta
-  install -Dm 755 "${pkgname}.sh" \
+  install -Dm755 "${pkgname}.sh" \
     "${pkgdir}/usr/bin/${pkgname}"
-  install -Dm 644 "${pkgname}-sidecar.service" \
+  install -Dm644 "${pkgname}-sidecar.service" \
     "${pkgdir}/usr/lib/systemd/system/${pkgname}-sidecar.service"
-  install -Dm 644 "${pkgname}.hcl" \
+  install -Dm644 "${pkgname}.hcl" \
     "${pkgdir}/etc/zextras/service-discover/${pkgname}.hcl"
-  install -Dm 644 "211-${pkgname}.sh" \
+  install -Dm644 "211-${pkgname}.sh" \
     "${pkgdir}/etc/zextras/pending-setups.d/211-${pkgname}.sh"
-  install -Dm 644 policies.json \
+  install -Dm644 policies.json \
     "${pkgdir}/etc/carbonio/mta/service-discover/policies.json"
-  install -Dm 644 intentions.json \
+  install -Dm644 intentions.json \
     "${pkgdir}/etc/carbonio/mta/service-discover/intentions.json"
-  install -Dm 644 service-protocol.json \
+  install -Dm644 service-protocol.json \
     "${pkgdir}/etc/carbonio/mta/service-discover/service-protocol.json"
 
   # postfix
@@ -111,10 +115,17 @@ package() {
   mkdir -p "${pkgdir}/opt/zextras/data/opendkim/"
   mkdir -p "${pkgdir}/opt/zextras/data/postfix/"
 
+  # systemd sysusers.d
+  install -Dm644 "${srcdir}/systemd-sysuser.conf" \
+    "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+  # systemd tmpfiles.d
+  install -Dm644 "${srcdir}/systemd-tmpfile.conf" \
+    "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
+
   # systemd units and target
   mkdir -p "${pkgdir}/usr/lib/systemd/system/carbonio.target.wants"
   mkdir "${pkgdir}/usr/lib/systemd/system/${pkgname}.target.wants"
-  install -Dm 644 "${pkgname}.target" \
+  install -Dm644 "${pkgname}.target" \
     "${pkgdir}/usr/lib/systemd/system/${pkgname}.target"
   ln -sf "/usr/lib/systemd/system/${pkgname}.target" \
     "${pkgdir}/usr/lib/systemd/system/carbonio.target.wants/${pkgname}.target"
@@ -161,32 +172,7 @@ postinst__apt() {
     fi
   fi
 
-  chown zextras:zextras /opt/zextras/common/conf/master.cf.in
-  chmod 440 /opt/zextras/common/conf/master.cf.in
-  chown zextras:zextras /opt/zextras/common/conf/tag_as_*.re.in
-
-  mkdir -p /opt/zextras/data/amavisd/db
-  mkdir -p /opt/zextras/data/amavisd/tmp
-  mkdir -p /opt/zextras/data/amavisd/var
-  mkdir -p /opt/zextras/data/amavisd/quarantine
-  chown -R zextras:zextras /opt/zextras/data/amavisd/*
-
-  mkdir -p /opt/zextras/data/opendkim
-  chown -R zextras:zextras /opt/zextras/data/opendkim
-
-  mkdir -p /opt/zextras/data/clamav/db
-  chown -R zextras:zextras /opt/zextras/data/clamav/db
-
-  mkdir -p /opt/zextras/data/postfix/spool/pid
-  chown postfix:zextras /opt/zextras/data/postfix
-  chown root:postfix /opt/zextras/data/postfix/spool
-  chown postfix:root /opt/zextras/data/postfix/spool/pid
-
-  chown zextras:zextras /opt/zextras/data
-
-  if [ -f /opt/zextras/common/conf/main.cf ]; then
-    chown zextras:zextras /opt/zextras/common/conf/main.cf
-  fi
+  # Note: Directory creation for amavisd, clamav, postfix handled by their respective packages' tmpfiles.d
 
   if [ ! -e /etc/aliases ] || [ -L /etc/aliases ]; then
     if [ -L /etc/aliases ]; then
@@ -200,18 +186,8 @@ postinst__apt() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers >/dev/null 2>&1 || :
+  systemd-tmpfiles --create /usr/lib/tmpfiles.d/carbonio-mta.conf >/dev/null 2>&1 || :
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
@@ -239,32 +215,7 @@ postinst__ubuntu_noble() {
     fi
   fi
 
-  chown zextras:zextras /opt/zextras/common/conf/master.cf.in
-  chmod 440 /opt/zextras/common/conf/master.cf.in
-  chown zextras:zextras /opt/zextras/common/conf/tag_as_*.re.in
-
-  mkdir -p /opt/zextras/data/amavisd/db
-  mkdir -p /opt/zextras/data/amavisd/tmp
-  mkdir -p /opt/zextras/data/amavisd/var
-  mkdir -p /opt/zextras/data/amavisd/quarantine
-  chown -R zextras:zextras /opt/zextras/data/amavisd/*
-
-  mkdir -p /opt/zextras/data/opendkim
-  chown -R zextras:zextras /opt/zextras/data/opendkim
-
-  mkdir -p /opt/zextras/data/clamav/db
-  chown -R zextras:zextras /opt/zextras/data/clamav/db
-
-  mkdir -p /opt/zextras/data/postfix/spool/pid
-  chown postfix:zextras /opt/zextras/data/postfix
-  chown root:postfix /opt/zextras/data/postfix/spool
-  chown postfix:root /opt/zextras/data/postfix/spool/pid
-
-  chown zextras:zextras /opt/zextras/data
-
-  if [ -f /opt/zextras/common/conf/main.cf ]; then
-    chown zextras:zextras /opt/zextras/common/conf/main.cf
-  fi
+  # Note: Directory creation for amavisd, clamav, postfix handled by their respective packages' tmpfiles.d
 
   if [ ! -e /etc/aliases ] || [ -L /etc/aliases ]; then
     if [ -L /etc/aliases ]; then
@@ -278,18 +229,8 @@ postinst__ubuntu_noble() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers >/dev/null 2>&1 || :
+  systemd-tmpfiles --create /usr/lib/tmpfiles.d/carbonio-mta.conf >/dev/null 2>&1 || :
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
@@ -304,32 +245,7 @@ postinst__ubuntu_noble() {
 }
 
 postinst__rocky_8() {
-  chown zextras:zextras /opt/zextras/common/conf/master.cf.in
-  chmod 440 /opt/zextras/common/conf/master.cf.in
-  chown zextras:zextras /opt/zextras/common/conf/tag_as_*.re.in
-
-  mkdir -p /opt/zextras/data/amavisd/db
-  mkdir -p /opt/zextras/data/amavisd/tmp
-  mkdir -p /opt/zextras/data/amavisd/var
-  mkdir -p /opt/zextras/data/amavisd/quarantine
-  chown -R zextras:zextras /opt/zextras/data/amavisd/*
-
-  mkdir -p /opt/zextras/data/opendkim
-  chown -R zextras:zextras /opt/zextras/data/opendkim
-
-  mkdir -p /opt/zextras/data/clamav/db
-  chown -R zextras:zextras /opt/zextras/data/clamav/db
-
-  mkdir -p /opt/zextras/data/postfix/spool/pid
-  chown postfix:zextras /opt/zextras/data/postfix
-  chown root:postfix /opt/zextras/data/postfix/spool
-  chown postfix:root /opt/zextras/data/postfix/spool/pid
-
-  chown zextras:zextras /opt/zextras/data
-
-  if [ -f /opt/zextras/common/conf/main.cf ]; then
-    chown zextras:zextras /opt/zextras/common/conf/main.cf
-  fi
+  # Note: Directory creation for amavisd, clamav, postfix handled by their respective packages' tmpfiles.d
 
   if [ ! -e /etc/aliases ] || [ -L /etc/aliases ]; then
     if [ -L /etc/aliases ]; then
@@ -343,18 +259,8 @@ postinst__rocky_8() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers >/dev/null 2>&1 || :
+  systemd-tmpfiles --create /usr/lib/tmpfiles.d/carbonio-mta.conf >/dev/null 2>&1 || :
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
@@ -368,32 +274,7 @@ postinst__rocky_8() {
 }
 
 postinst__rocky_9() {
-  chown zextras:zextras /opt/zextras/common/conf/master.cf.in
-  chmod 440 /opt/zextras/common/conf/master.cf.in
-  chown zextras:zextras /opt/zextras/common/conf/tag_as_*.re.in
-
-  mkdir -p /opt/zextras/data/amavisd/db
-  mkdir -p /opt/zextras/data/amavisd/tmp
-  mkdir -p /opt/zextras/data/amavisd/var
-  mkdir -p /opt/zextras/data/amavisd/quarantine
-  chown -R zextras:zextras /opt/zextras/data/amavisd/*
-
-  mkdir -p /opt/zextras/data/opendkim
-  chown -R zextras:zextras /opt/zextras/data/opendkim
-
-  mkdir -p /opt/zextras/data/clamav/db
-  chown -R zextras:zextras /opt/zextras/data/clamav/db
-
-  mkdir -p /opt/zextras/data/postfix/spool/pid
-  chown postfix:zextras /opt/zextras/data/postfix
-  chown root:postfix /opt/zextras/data/postfix/spool
-  chown postfix:root /opt/zextras/data/postfix/spool/pid
-
-  chown zextras:zextras /opt/zextras/data
-
-  if [ -f /opt/zextras/common/conf/main.cf ]; then
-    chown zextras:zextras /opt/zextras/common/conf/main.cf
-  fi
+  # Note: Directory creation for amavisd, clamav, postfix handled by their respective packages' tmpfiles.d
 
   if [ ! -e /etc/aliases ] || [ -L /etc/aliases ]; then
     if [ -L /etc/aliases ]; then
@@ -407,18 +288,8 @@ postinst__rocky_9() {
     fi
   fi
 
-  if [ -x "/opt/zextras/libexec/zmfixperms" ]; then
-    /opt/zextras/libexec/zmfixperms
-  fi
-
-  chgrp zextras /opt/zextras/common/conf
-  chmod g+w /opt/zextras/common/conf
-
-  # mta consul
-  getent group 'carbonio-mta' >/dev/null \
-    || groupadd -r 'carbonio-mta'
-  getent passwd 'carbonio-mta' >/dev/null \
-    || useradd -r -M -g 'carbonio-mta' -s /sbin/nologin 'carbonio-mta'
+  systemd-sysusers >/dev/null 2>&1 || :
+  systemd-tmpfiles --create /usr/lib/tmpfiles.d/carbonio-mta.conf >/dev/null 2>&1 || :
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload &>/dev/null || :
diff --git a/mta/systemd-sysuser.conf b/mta/systemd-sysuser.conf
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 Zextras <https://www.zextras.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Carbonio MTA service user and group
+# See sysusers.d(5) for format
+
+g carbonio-mta -
+u carbonio-mta - "Carbonio MTA Service" - /sbin/nologin
diff --git a/mta/systemd-tmpfile.conf b/mta/systemd-tmpfile.conf
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2025 Zextras <https://www.zextras.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Carbonio MTA directories and permissions
+# See tmpfiles.d(5) for format
+
+z /opt/zextras/common/conf/master.cf.in 0440 zextras zextras
+
+# Note: main.cf and master.cf are owned and managed by carbonio-postfix package
+
+# Postfix bysender database
+z /opt/zextras/common/conf/bysender 0644 zextras zextras
+z /opt/zextras/common/conf/bysender.lmdb 0644 zextras zextras
+
+# Postfix RE files
+z /opt/zextras/common/conf/tag_as_foreign.re 0644 zextras zextras
+z /opt/zextras/common/conf/tag_as_foreign.re.in 0644 zextras zextras
+z /opt/zextras/common/conf/tag_as_originating.re 0644 zextras zextras
+z /opt/zextras/common/conf/tag_as_originating.re.in 0644 zextras zextras
+
+# Postfix virtual domain configuration files (group postfix for access)
+z /opt/zextras/conf/*-canonical.cf 0640 zextras postfix
+z /opt/zextras/conf/*-slm.cf 0640 zextras postfix
+z /opt/zextras/conf/*-transport.cf 0640 zextras postfix
+z /opt/zextras/conf/*-vad.cf 0640 zextras postfix
+z /opt/zextras/conf/*-vam.cf 0640 zextras postfix
+z /opt/zextras/conf/*-vmd.cf 0640 zextras postfix
+z /opt/zextras/conf/*-vmm.cf 0640 zextras postfix
+
+# Note: Postfix directories are managed by carbonio-postfix tmpfiles.d
+# Note: Postfix setgid binaries (postqueue, postdrop) permissions are handled by carbonio-postfix postinst script
+
+# OpenDKIM (email authentication) directory
+d /opt/zextras/data/opendkim 0755 zextras zextras
+
+# Altermime (MIME message modifier) directory
+d /opt/zextras/data/altermime 0755 zextras zextras
