Merge branch 'develop' (0.5.0)

Conflicts:
	.gitignore

Change-Id: I778f3e1f1f4832f5894bc149ead67e9a4becf304

11 files changed, 328 insertions, 0 deletions

diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon
new file mode 100644
index 00000000..2822973e
--- /dev/null
+++ b/puppet/modules/site_postfix/files/checks/received_anon
@@ -0,0 +1,2 @@
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8
diff --git a/puppet/modules/site_postfix/manifests/debug.pp b/puppet/modules/site_postfix/manifests/debug.pp
new file mode 100644
index 00000000..f370d166
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/debug.pp
@@ -0,0 +1,9 @@
+class site_postfix::debug {
+
+  postfix::config {
+    'debug_peer_list':      value => '127.0.0.1';
+    'debug_peer_level':     value => '1';
+    'smtpd_tls_loglevel':   value => '1';
+  }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..bdfee665
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -0,0 +1,74 @@
+class site_postfix::mx {
+
+  $domain_hash         = hiera ('domain')
+  $domain              = $domain_hash['full_suffix']
+  $host_domain         = $domain_hash['full']
+  $cert_name           = hiera('name')
+  $mynetworks          = join(hiera('mynetworks'), ' ')
+
+  $root_mail_recipient = hiera ('contacts')
+  $postfix_smtp_listen = 'all'
+
+  include site_config::x509::cert
+  include site_config::x509::key
+  include site_config::x509::client_ca::ca
+  include site_config::x509::client_ca::key
+
+  postfix::config {
+    'mynetworks':
+      value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}";
+    'mydestination':
+      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+    'myhostname':
+      value => $host_domain;
+    'mailbox_size_limit':
+      value => '0';
+    'home_mailbox':
+      value => 'Maildir/';
+    'virtual_alias_maps':
+      value => 'tcp:localhost:4242';
+    'luser_relay':
+      value => 'vmail';
+    'smtpd_tls_received_header':
+      value => 'yes';
+    # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+    # because the satellites need to have a different value
+    'smtp_tls_security_level':
+      value => 'may';
+  }
+
+  include site_postfix::mx::smtpd_checks
+  include site_postfix::mx::checks
+  include site_postfix::mx::smtp_tls
+  include site_postfix::mx::smtpd_tls
+  include site_postfix::mx::reserved_aliases
+
+  # greater verbosity for debugging, take out for production
+  #include site_postfix::debug
+
+  user { 'vmail':
+    ensure     => present,
+    comment    => 'Leap Mailspool',
+    home       => '/var/mail/vmail',
+    shell      => '/bin/false',
+    managehome => true,
+  }
+
+  class { 'postfix':
+    preseed             => true,
+    root_mail_recipient => $root_mail_recipient,
+    smtp_listen         => 'all',
+    mastercf_tail       =>
+    "smtps     inet  n       -       -       -       -       smtpd
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
+  -o smtpd_helo_restrictions=\$smtps_helo_restrictions",
+    require             => [
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
+      Class['Site_config::X509::Client_ca::Key'],
+      Class['Site_config::X509::Client_ca::Ca'],
+      User['vmail'] ]
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp
new file mode 100644
index 00000000..5d75a5e5
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/checks.pp
@@ -0,0 +1,41 @@
+class site_postfix::mx::checks {
+
+  file {
+    '/etc/postfix/checks':
+      ensure  => directory,
+      mode    => '0755',
+      owner   => root,
+      group   => postfix,
+      require => Package['postfix'];
+
+    '/etc/postfix/checks/helo_checks':
+      content => template('site_postfix/checks/helo_access.erb'),
+      mode    => '0644',
+      owner   => root,
+      group   => root;
+  }
+
+  exec {
+    '/usr/sbin/postmap /etc/postfix/checks/helo_checks':
+      refreshonly => true,
+      subscribe   => File['/etc/postfix/checks/helo_checks'];
+  }
+
+  # Anonymize the user's home IP from the email headers (Feature #3866)
+  package { 'postfix-pcre': ensure => installed, require => Package['postfix'] }
+
+  file { '/etc/postfix/checks/received_anon':
+    source  => 'puppet:///modules/site_postfix/checks/received_anon',
+    mode    => '0644',
+    owner   => root,
+    group   => root,
+    notify  => Service['postfix']
+  }
+
+  postfix::config {
+    'header_checks':
+      value   => 'pcre:/etc/postfix/checks/received_anon',
+      require => File['/etc/postfix/checks/received_anon'];
+  }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
new file mode 100644
index 00000000..83e27376
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
@@ -0,0 +1,15 @@
+# Defines which mail addresses shouldn't be available and where they should fwd
+class site_postfix::mx::reserved_aliases {
+
+  postfix::mailalias {
+    [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
+      'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
+      'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
+      'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
+      'www-data',
+    ]:
+      ensure    => present,
+      recipient => 'root'
+  }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..afa70527
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,6 @@
+class site_postfix::mx::smtp_auth {
+
+  postfix::config {
+    'smtpd_tls_ask_ccert': value => 'yes';
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
new file mode 100644
index 00000000..d9b59f40
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -0,0 +1,27 @@
+class site_postfix::mx::smtp_tls {
+
+  include x509::variables
+  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+  # smtp TLS
+  postfix::config {
+    'smtp_use_tls':        value  => 'yes';
+    'smtp_tls_CApath':     value  => '/etc/ssl/certs/';
+    'smtp_tls_CAfile':     value  => $ca_path;
+    'smtp_tls_cert_file':  value  => $cert_path;
+    'smtp_tls_key_file':   value  => $key_path;
+    'smtp_tls_loglevel':   value  => '1';
+    'smtp_tls_exclude_ciphers':
+      value => 'aNULL, MD5, DES';
+    # upstream default is md5 (since 2.5 and older used it), we force sha1
+    'smtp_tls_fingerprint_digest':
+      value => 'sha1';
+    'smtp_tls_session_cache_database':
+      value => 'btree:${data_directory}/smtp_cache';
+    # see issue #4011
+    'smtp_tls_protocols':
+      value => '!SSLv2, !SSLv3';
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..0ec40277
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::smtpd_checks {
+
+  postfix::config {
+    'smtpd_helo_required':
+      value => 'yes';
+    'checks_dir':
+      value => '$config_directory/checks';
+    'smtpd_client_restrictions':
+      value => 'permit_mynetworks,permit';
+    'smtpd_data_restrictions':
+      value => 'permit_mynetworks, reject_unauth_pipelining, permit';
+    'smtpd_delay_reject':
+      value => 'yes';
+    'smtpd_helo_restrictions':
+      value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
+    'smtpd_recipient_restrictions':
+      value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+    # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
+    # with a lookup on $relay_clientcerts! Right now we are listing the only
+    # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
+    # but we cannot cut off a certificate that should no longer be used unless
+    # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+    'smtps_recipient_restrictions':
+      value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+    'smtps_helo_restrictions':
+      value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
+    'smtpd_sender_restrictions':
+      value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
+    }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
new file mode 100644
index 00000000..0809c75f
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
@@ -0,0 +1,55 @@
+class site_postfix::mx::smtpd_tls {
+
+  include x509::variables
+  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+
+  postfix::config {
+    'smtpd_use_tls':        value  => 'yes';
+    'smtpd_tls_CAfile':     value  => $ca_path;
+    'smtpd_tls_cert_file':  value  => $cert_path;
+    'smtpd_tls_key_file':   value  => $key_path;
+    'smtpd_tls_ask_ccert':  value  => 'yes';
+    'smtpd_tls_security_level':
+      value  => 'may';
+    'smtpd_tls_eecdh_grade':
+      value => 'ultra';
+    'smtpd_tls_session_cache_database':
+      value => 'btree:${data_directory}/smtpd_scache';
+  }
+
+  # Setup DH parameters
+  # Instead of using the dh parameters that are created by leap cli, it is more
+  # secure to generate new parameter files that will only be used for postfix,
+  # for each machine
+
+  include site_config::packages::gnutls
+
+  # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+  # parameters Neither Postfix nor OpenSSL actually care about the size of the
+  # prime in "smtpd_tls_dh1024_param_file".  You can make it 2048 bits
+
+  exec { 'certtool-postfix-gendh':
+    command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem',
+    user    => root,
+    group   => root,
+    creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+    require => [ Package['gnutls-bin'], Package['postfix'] ]
+  }
+
+  # Make sure the dh params file has correct ownership and mode
+  file {
+    '/etc/postfix/smtpd_tls_dh_param.pem':
+      owner   => root,
+      group   => root,
+      mode    => '0600',
+      require => Exec['certtool-postfix-gendh'];
+  }
+
+  postfix::config { 'smtpd_tls_dh1024_param_file':
+    value   => '/etc/postfix/smtpd_tls_dh_param.pem',
+    require => File['/etc/postfix/smtpd_tls_dh_param.pem']
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
new file mode 100644
index 00000000..5725e6b8
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -0,0 +1,47 @@
+class site_postfix::satellite {
+
+  $root_mail_recipient = hiera ('contacts')
+  $mail                = hiera ('mail')
+  $relayhost           = $mail['smarthost']
+  $cert_name           = hiera('name')
+
+  class { '::postfix::satellite':
+    relayhost           => $relayhost,
+    root_mail_recipient => $root_mail_recipient
+  }
+
+  # There are special conditions for satellite hosts that will make them not be
+  # able to contact their relayhost:
+  #
+  # 1. they are on openstack/amazon/PC and are on the same cluster as the relay
+  # host, the MX lookup for the relay host will use the public IP, which cannot
+  # be contacted
+  #
+  # 2. When a domain is used that is not in DNS, because it is internal,
+  # a testing domain, etc. eg. a .local domain cannot be looked up in DNS
+  #
+  # to resolve this, so the satellite can contact the relayhost, we need to set
+  # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native'
+  # which will cause the lookup to use the native naming service
+  # (nsswitch.conf), which typically defaults to 'files, dns' allowing the
+  # /etc/hosts to be consulted first, then DNS if the entry doesn't exist.
+  #
+  # NOTE: this will make it not possible to enable DANE support through DNSSEC
+  # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but
+  # this parameter is not available until 2.11. If this ends up being important
+  # we could also make this an optional parameter for providers without
+  # dns / local domains
+
+  postfix::config {
+    'smtp_host_lookup':
+      value => 'native';
+
+    # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+    # because the mx server has to have a different value
+    'smtp_tls_security_level':
+      value => 'encrypt';
+  }
+
+  include site_postfix::mx::smtp_tls
+
+}
diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb
new file mode 100644
index 00000000..bef3c11d
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb
@@ -0,0 +1,21 @@
+# THIS FILE IS MANAGED BY PUPPET
+# To make changes to this file, please edit your platform directory under
+# puppet/modules/site_postfix/templates/checks/helo_access.erb and then deploy
+
+# The format of this file is the HELO/EHLO domain followed by an action.
+# The action could be OK to allow it, REJECT to reject it, or a custom
+# status code and message. Any lines that are prefixed by an octothorpe (#)
+# will be considered comments.
+
+# Some examples:
+#
+# Reject anyone that HELO's with foobar:
+# foobar REJECT
+#
+# Allow the switches to skip this check:
+# switch1 OK
+# switch2 OK
+
+# Reject anybody that HELO's as being in our own domain(s)
+# anyone who identifies themselves as us is a virus/spammer
+<%= domain %> 554 You are not in domain <%= domain %>