summaryrefslogtreecommitdiff
path: root/puppet/modules/site_postfix
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2013-08-30 15:19:43 -0400
committerMicah Anderson <micah@leap.se>2013-08-31 08:33:53 -0400
commitff26ca98604d9e3f3856cca2af678b21c096d1ee (patch)
treefc559f6ed4e61207d00faa1965724b03f4f5d80b /puppet/modules/site_postfix
parent27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c (diff)
postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
Diffstat (limited to 'puppet/modules/site_postfix')
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp8
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp4
2 files changed, 10 insertions, 2 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index e9f662c3..eddf19f2 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -35,7 +35,13 @@ class site_postfix::mx {
preseed => true,
root_mail_recipient => $root_mail_recipient,
smtp_listen => 'all',
- mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions",
+ mastercf_tail =>
+ "smtps inet n - - - - smtpd\n
+ -o smtpd_tls_wrappermode=yes\n
+ -o smtpd_tls_security_level=encrypt\n
+ submission inet n - n - - smtpd\n
+ -o smtpd_tls_security_level=encrypt\n
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions",
require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
User['vmail'] ]
}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 640f2390..7ade8588 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -18,8 +18,10 @@ class site_postfix::mx::smtpd_checks {
# we use permit_tls_clientcerts with the $relay_clientcerts lookup
'smtps_recipient_restrictions':
value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ 'submission_recipient_restrictions':
+ value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'smtpd_sender_restrictions':
value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
- }
+ }
}