Commit 7588af2f authored by Vitaly Lipatov

mail skill: document mailro (read) / mail (write) users + write-consumers…

mail skill: document mailro (read) / mail (write) users + write-consumers (cyradm, sec); add cyradm + sec.office SSH access to memory

Co-Authored-By: Claude <noreply@anthropic.com>
parent 9276f9c8
...@@ -34,6 +34,8 @@ ...@@ -34,6 +34,8 @@
| matrix.etersoft.ru (91.232.225.42, Synapse, CT 291 на border) | `ssh -p32 root@matrix.etersoft.ru` (alias `matrix`, порт 32; lav@ НЕ пускает; нужен ssh-agent), см. [lesson_matrix_etersoft_synapse_disk_telegram_bridge.md](lesson_matrix_etersoft_synapse_disk_telegram_bridge.md) | | matrix.etersoft.ru (91.232.225.42, Synapse, CT 291 на border) | `ssh -p32 root@matrix.etersoft.ru` (alias `matrix`, порт 32; lav@ НЕ пускает; нужен ssh-agent), см. [lesson_matrix_etersoft_synapse_disk_telegram_bridge.md](lesson_matrix_etersoft_synapse_disk_telegram_bridge.md) |
| tele.eterfund.ru (2a03:5a00:c:20::135, mautrix-telegram мост) | `ssh -p32 root@tele.eterfund.ru` (shell fish → `bash -lc`); ВЫКЛЮЧЕН 2026-06-14 | | tele.eterfund.ru (2a03:5a00:c:20::135, mautrix-telegram мост) | `ssh -p32 root@tele.eterfund.ru` (shell fish → `bash -lc`); ВЫКЛЮЧЕН 2026-06-14 |
| rca-gw (10.20.30.250, CT 652 на border) | `ssh root@10.20.30.250` (shell fish → `bash -s` heredoc). Изолированный PPTP-шлюз к облаку 1С-Рарус, см. [project_rarus_1c_vpn_gateway.md](project_rarus_1c_vpn_gateway.md) | | rca-gw (10.20.30.250, CT 652 на border) | `ssh root@10.20.30.250` (shell fish → `bash -s` heredoc). Изолированный PPTP-шлюз к облаку 1С-Рарус, см. [project_rarus_1c_vpn_gateway.md](project_rarus_1c_vpn_gateway.md) |
| cyradm.eterhost.ru (CT 239 LXC на border, внутр. 10.20.30.68) | `ssh root@10.20.30.68` (lav-ключ добавлен 2026-07-04). Публичный `cyradm.eterhost.ru` (91.232.225.23) = reverse-proxy на :443, **НЕ его SSH**. Фолбэк: `pct exec 239` на border (`unset ENV`). web-cyradm: `/var/www/webapps/web-cyradm/`, DB-конфиг `config/conf.php` (USER=mail, HOST=mysql.auth.dmz). См. [project_mail_password_hash_migration.md](project_mail_password_hash_migration.md) |
| sec.office (CT 251 time.office.etersoft.ru на border, внутр. 10.20.30.61) | `ssh root@10.20.30.61` (lav-ключ добавлен 2026-07-04). web-приложение смены паролей `/var/www/webapps/sec/`. См. [project_mail_password_hash_migration.md](project_mail_password_hash_migration.md) |
## Сервисы (не в skills) ## Сервисы (не в skills)
......
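Review bot: the cyradm.eterhost.ru and sec.office rows give `ssh root@10.20.30.68` and `ssh root@10.20.30.61` with only "lav-ключ добавлен 2026-07-04" and say nothing about how that key is scoped, while the cyradm row itself points at `config/conf.php` with `USER=mail`. Since this table serves as the access inventory, state per row whether the key is restricted in authorized_keys (for example a `from=` source limit or a forced command) or whether it is an unrestricted root login. In the sec.office row, "CT 251 time.office.etersoft.ru" sits under the label sec.office with no word on how the two names relate, which invites someone to look for the wrong container. The `unset ENV` hint next to `pct exec 239` would also read better with a short reason for why it is needed.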
...@@ -49,13 +49,17 @@ Cert: `mail.etersoft.ru` + 15 SAN (autoconfig/autodiscover/imap.*/smtp.* over et ...@@ -49,13 +49,17 @@ Cert: `mail.etersoft.ru` + 15 SAN (autoconfig/autodiscover/imap.*/smtp.* over et
- amavis on as.office.etersoft.ru (10.20.30.210) - amavis on as.office.etersoft.ru (10.20.30.210)
## MySQL ## MySQL
The `mail` DB lives on **mysql.auth.etersoft.ru** (CT 219, 10.20.30.202). Access via the on-host wrapper — **no password needed** (creds live in `/root/.my.cnf.mail`, root-only): The `mail` DB lives on **mysql.auth.etersoft.ru** (CT 219, 10.20.30.202). Two mysql users back it:
- **`mailro`@%** (read-only SELECT) — the `maildb` wrapper below + SASL on mail.etersoft.ru (`/etc/sasl2/*.conf`, `/etc/postfix/sasl/smtpd.conf`).
- **`mail`@%** (write) — cyradm `/var/www/webapps/web-cyradm/config/conf.php` (CT 239) and sec.office `/var/www/webapps/sec/config.php` (CT 251) for password changes.
Query via the on-host wrapper — **no password needed** (mailro creds in `/root/.my.cnf`, root-only; the default `mysql` connects as mailro, read-only):
``` ```
ssh root@mysql.auth.etersoft.ru maildb # interactive ssh root@mysql.auth.etersoft.ru maildb # interactive (mailro, read-only)
ssh root@mysql.auth.etersoft.ru maildb -e 'SELECT ...' # one-shot query ssh root@mysql.auth.etersoft.ru maildb -e 'SELECT ...' # one-shot query
ssh root@mysql.auth.etersoft.ru maildb mail # use the mail DB ssh root@mysql.auth.etersoft.ru maildb mail # use the mail DB
``` ```
(`maildb` = `mysql --defaults-extra-file=/root/.my.cnf.mail`.) Tables: `accountuser` (auth), `virtual` (aliases), `domain` (domains). To rotate the `mail` user password: change it in MySQL, then update `/root/.my.cnf.mail` **and** the `sql_passwd` in `/etc/sasl2/{saslpasswd,smtpd,Cyrus}.conf` on mail.etersoft.ru, then restart saslauthd. (`maildb` = `mysql "$@"`, reads `/root/.my.cnf`.) Tables: `accountuser` (auth), `virtual` (aliases), `domain` (domains). **Admin** as mysql-root: `mysql --defaults-file=/root/.my.cnf.root` (default `mysql` is mailro/read-only). Rotate `mail@%`: `SET PASSWORD FOR 'mail'@'%'` (as root via `.my.cnf.root`), then update `PASS` in cyradm `config/conf.php` and `$password` in sec `config.php`.
## Cyrus autocreate ## Cyrus autocreate
`autocreate_inbox_folders: Archive|Drafts|Junk|Sent|Trash` (separator is `|`, NOT space!) `autocreate_inbox_folders: Archive|Drafts|Junk|Sent|Trash` (separator is `|`, NOT space!)
......
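Review bot: the rewritten rotation sentence at the end of the MySQL section covers only `mail@%`; the SASL step from the old text (update `sql_passwd` in `/etc/sasl2/{saslpasswd,smtpd,Cyrus}.conf`, then restart saslauthd) is dropped without a replacement, although the new bullets say SASL on mail.etersoft.ru now connects as `mailro`. Add a `mailro` rotation line that names `/root/.my.cnf`, `/etc/sasl2/*.conf`, `/etc/postfix/sasl/smtpd.conf` and the saslauthd restart, otherwise the next rotation of the read-only account will break SMTP/IMAP auth with no documented recovery. The write account is documented as `mail`@% while its only listed consumers are CT 239 and CT 251; if the account really is host-wildcard, note whether it can be narrowed to those two hosts. The text also leaves open whether `/root/.my.cnf.mail` still exists on the host or should be deleted now that `maildb` reads `/root/.my.cnf`.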