authorMicah Anderson <micah@leap.se>2013-08-30 15:19:43 -0400
committerMicah Anderson <micah@leap.se>2013-08-31 08:33:53 -0400
commitff26ca98604d9e3f3856cca2af678b21c096d1ee (patch)
treefc559f6ed4e61207d00faa1965724b03f4f5d80b
parent27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c (diff)
postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
-rw-r--r--provider_base/files/service-definitions/v1/smtp-service.json.erb2
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp8
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp4
-rw-r--r--puppet/modules/site_shorewall/manifests/mx.pp2
4 files changed, 12 insertions, 4 deletions
diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb
index 8fee9f8e..b31eaf21 100644
--- a/provider_base/files/service-definitions/v1/smtp-service.json.erb
+++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb
@@ -15,7 +15,7 @@
host = {}
host["hostname"] = node.domain.full
host["ip_address"] = node.ip_address
- host["port"] = 465 # hard coded for now, later node.smtp.port
+ host["port"] = 587 # hard coded for now, later node.smtp.port
if node['location']
location_name = underscore(node.location.name)
host["location"] = location_name
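Review bot: The advertised port now carries the TLS-mode contract on its own: 587 is the STARTTLS submission service that the companion mx.pp hunk configures with `smtpd_tls_security_level=encrypt`, whereas 465 was the TLS-wrapper service, and nothing else in the emitted definition tells a client which mode it must use. Since the comment on the changed line only says the value is hard-coded, it would help to extend it, e.g. `host["port"] = 587 # hard coded for now, later node.smtp.port; 587 = submission/STARTTLS (server enforces TLS), 465 = TLS wrapper`. A client consuming this definition has to treat TLS as required rather than opportunistic on 587, because the service definition gives it no other signal.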
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index e9f662c3..eddf19f2 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -35,7 +35,13 @@ class site_postfix::mx {
preseed => true,
root_mail_recipient => $root_mail_recipient,
smtp_listen => 'all',
- mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions",
+ mastercf_tail =>
+ "smtps inet n - - - - smtpd\n
+ -o smtpd_tls_wrappermode=yes\n
+ -o smtpd_tls_security_level=encrypt\n
+ submission inet n - n - - smtpd\n
+ -o smtpd_tls_security_level=encrypt\n
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions",
require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
User['vmail'] ]
}
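Review bot: The rewritten `mastercf_tail` drops the `-o smtpd_recipient_restrictions=\$smtps_recipient_restrictions` override from the `smtps` entry; only `submission` gets a per-service restriction list now, so the 465 listener falls back to whatever main.cf sets for `smtpd_recipient_restrictions`, and `smtps_recipient_restrictions` in smtpd_checks.pp becomes unreferenced. If that is not intended, keep the line after the smtps security-level option: ` -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions\n`. The string also now mixes `\n` escapes with literal line breaks inside a double-quoted Puppet string, so each rendered master.cf line is presumably followed by an empty line plus the manifest's indentation; master(5) says empty lines are ignored, but whether one inside a multi-line entry ends the entry is worth verifying against the generated file rather than assumed. The `submission` entry hardcodes the chroot column as `n` while `smtps` leaves it at `-`; if both are meant to run the same way, making the columns match avoids a surprise where the default differs.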
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 640f2390..7ade8588 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -18,8 +18,10 @@ class site_postfix::mx::smtpd_checks {
# we use permit_tls_clientcerts with the $relay_clientcerts lookup
'smtps_recipient_restrictions':
value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ 'submission_recipient_restrictions':
+ value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'smtpd_sender_restrictions':
value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
- }
+ }
}
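Review bot: The new `submission_recipient_restrictions` uses `permit_tls_all_clientcerts`, which relays for any client whose certificate chains to a trusted CA, while the comment above the `smtps` entry describes the intent as `permit_tls_clientcerts` with the `$relay_clientcerts` lookup, which relays only for certificate fingerprints listed there; the added line copies the existing value, so if the comment reflects the intent the restriction name on both lines should be `permit_tls_clientcerts`, and now that it also governs the STARTTLS submission port it is worth settling which is meant. The value is otherwise a byte-for-byte duplicate of `smtps_recipient_restrictions`; if the two ports are meant to share one relay policy, a comment such as `# kept identical to smtps_recipient_restrictions; change both together` (or deriving one from the other) keeps them from drifting apart silently. The change to the closing `}` is whitespace only.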
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
index 123ffec2..332f164e 100644
--- a/puppet/modules/site_shorewall/manifests/mx.pp
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -2,7 +2,7 @@ class site_shorewall::mx {
include site_shorewall::defaults
- $smtpd_ports = '25,465'
+ $smtpd_ports = '25,465,587'
# define macro for incoming services
file { '/etc/shorewall/macro.leap_mx':