summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMicah <micah@leap.se>2015-12-08 14:17:11 -0500
committerMicah <micah@leap.se>2015-12-09 16:26:28 -0500
commit7d5b9461958cdb795990459cd0dad29a36e59fdd (patch)
tree16a9d5b14ca4e0595d9d2e023c99edad4f7780a9
parent40968b97e8a01957667d12fe627a1a194d57be77 (diff)
Use client cert fingerprint lookup to determine if the user is allowed
to relay mail through us (#3634) Change-Id: I46cf3ffbef4261839c376f4c36a50d9c44eb1374
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp13
2 files changed, 13 insertions, 6 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 7ec60d49..75378480 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -51,6 +51,12 @@ class site_postfix::mx {
value => 'static:42424';
'smtpd_tls_received_header':
value => 'yes';
+ # the following is needed for matching user's client cert fingerprints to
+ # enable relaying (#3634)
+ 'smtpd_tls_fingerprint_digest':
+ value => 'sha1';
+ 'relay_clientcerts':
+ value => 'tcp:localhost:2424';
# Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
# because the satellites need to have a different value
'smtp_tls_security_level':
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 1c3e5c92..f2bd571b 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks {
value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_recipient_restrictions':
value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
- # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
- # with a lookup on $relay_clientcerts! Right now we are listing the only
- # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
- # but we cannot cut off a certificate that should no longer be used unless
- # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+
+ # permit_tls_clientcerts will lookup client cert fingerprints from the tcp
+ # lookup on port 2424 (based on what is configured in relay_clientcerts
+ # paramter, see site_postfix::mx postfix::config resource) to determine
+ # if a client is allowed to relay mail through us. This enables us to
+ # disable a user by removing their valid client cert (#3634)
'smtps_recipient_restrictions':
- value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'smtps_helo_restrictions':
value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_sender_restrictions':