| author | Micah Anderson <micah@leap.se> | 2014-04-04 10:37:09 -0400 | 
|---|---|---|
| committer | Micah Anderson <micah@leap.se> | 2014-04-04 10:37:09 -0400 | 
| commit | 6af957a1c20f75a827655a3cd75e40a03cffe7c4 (patch) | |
| tree | e5995b0c4b53583fd9d16857f66f81137dccbf73 /puppet/modules/site_postfix | |
| parent | 7451213d5e0772d0d6cba4613bf66792da495909 (diff) | |
| parent | 1551f785c5c7c515781995928eec7659365d8988 (diff) | |
Merge branch '0.5' into develop
Conflicts:
	provider_base/services/tor.json
Change-Id: I826579945a0d93c43384f0fd12c9833762b084cf
Diffstat (limited to 'puppet/modules/site_postfix')
4 files changed, 45 insertions, 8 deletions
| diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index de89c26e..bdfee665 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -4,7 +4,7 @@ class site_postfix::mx {
   $domain              = $domain_hash['full_suffix']
   $host_domain         = $domain_hash['full']
   $cert_name           = hiera('name')
-  $mynetworks          = join(hiera('mx_nodes'), ' ')
+  $mynetworks          = join(hiera('mynetworks'), ' ')
   $root_mail_recipient = hiera ('contacts')
   $postfix_smtp_listen = 'all'
@@ -31,6 +31,10 @@ class site_postfix::mx {
       value => 'vmail';
     'smtpd_tls_received_header':
       value => 'yes';
+    # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+    # because the satellites need to have a different value
+    'smtp_tls_security_level':
+      value => 'may';
   }
   include site_postfix::mx::smtpd_checks
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
index aea66f78..83e27376 100644
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
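Review bot: The `mynetworks` hiera key (the changed `$mynetworks` assignment in the first hunk) now directly defines which clients Postfix treats as trusted, so an over-broad entry such as a wide CIDR or a public range would let those clients relay through this MX unauthenticated, assuming the smtpd restrictions elsewhere in the class rely on permit_mynetworks. The lookup has no default, so a missing key fails catalog compilation rather than silently producing an empty or unexpected value, which is the safer direction. I would document the trust boundary at the assignment: `# Trusted relay clients for permit_mynetworks: IPs/CIDRs from hiera 'mynetworks' - keep to provider nodes only`. The class site_postfix::mx begins before and continues after this hunk.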
@@ -1,11 +1,13 @@
+# Defines which mail addresses shouldn't be available and where they should fwd
 class site_postfix::mx::reserved_aliases {
   postfix::mailalias {
-    [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin',
-      'arin-admin', 'administrator', 'webmaster', 'www-data', 'www',
-      'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games',
-      'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp',
-      'ftp' ]:
+    [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
+      'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
+      'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
+      'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
+      'www-data',
+    ]:
       ensure    => present,
       recipient => 'root'
   }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 3cc7ea72..d9b59f40 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls {
       value => 'sha1';
     'smtp_tls_session_cache_database':
       value => 'btree:${data_directory}/smtp_cache';
-    'smtp_tls_security_level':
-      value  => 'may';
     # see issue #4011
     'smtp_tls_protocols':
       value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index 7be51b22..5725e6b8 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -10,5 +10,38 @@ class site_postfix::satellite {
     root_mail_recipient => $root_mail_recipient
   }
+  # There are special conditions for satellite hosts that will make them not be
+  # able to contact their relayhost:
+  #
+  # 1. they are on openstack/amazon/PC and are on the same cluster as the relay
+  # host, the MX lookup for the relay host will use the public IP, which cannot
+  # be contacted
+  #
+  # 2. When a domain is used that is not in DNS, because it is internal,
+  # a testing domain, etc. eg. a .local domain cannot be looked up in DNS
+  #
+  # to resolve this, so the satellite can contact the relayhost, we need to set
+  # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native'
+  # which will cause the lookup to use the native naming service
+  # (nsswitch.conf), which typically defaults to 'files, dns' allowing the
+  # /etc/hosts to be consulted first, then DNS if the entry doesn't exist.
+  #
+  # NOTE: this will make it not possible to enable DANE support through DNSSEC
+  # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but
+  # this parameter is not available until 2.11. If this ends up being important
+  # we could also make this an optional parameter for providers without
+  # dns / local domains
+
+  postfix::config {
+    'smtp_host_lookup':
+      value => 'native';
+
+    # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+    # because the mx server has to have a different value
+    'smtp_tls_security_level':
+      value => 'encrypt';
+  }
+
   include site_postfix::mx::smtp_tls
+
 } |
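Review bot: The `'smtp_tls_security_level'` resource near the end of the hunk sets `encrypt`, which forces TLS to the relayhost but does not verify its certificate, so an active interceptor on the path to the relay host can still terminate the session; with `smtp_host_lookup = native` the relayhost address may also come from /etc/hosts, leaving certificate verification as the only check on where mail is handed off. Since the relayhost is a known provider node, consider `value => 'verify'` (or `'secure'`) together with `smtp_tls_CAfile` pointing at the provider CA, and record the trade-off in the existing comment, e.g. `# 'encrypt' enforces TLS but does not authenticate the relayhost; raise to 'verify' once the CA is distributed`. This commit also removes the level from site_postfix::mx::smtp_tls, so any other class that includes it without setting its own value now inherits Postfix's default of no TLS. The class site_postfix::satellite begins outside this hunk.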
