authorMicah <micah@leap.se>2015-11-24 15:11:47 -0500
committerMicah <micah@leap.se>2015-12-01 10:12:47 -0500
commitfc9f820d0cd363e127859af23e20b61eed71dc1e (patch)
tree2692cfdbfbe02ede8fc9ca9adac2ae21222abb17 /puppet/modules/site_postfix
parentbd06baca709cf4b78d831bff15720c74a66b38b2 (diff)
stop delivering non-existing local user mail to leap-mx (#5431)
When mail comes in to the system, a lookup is done to see if it is a valid leap user; if it is, leap_mx now returns something of the form: uuid@deliver.local (see #5959). The virtual_mailbox_domains lists deliver.local, so postfix chooses to deliver to virtual_mailbox_base (/var/mail/vmail), which has been hardcoded to the 'vmail' maildir and user. We want leap related mail and leap aliases to go through the virtual alias system, all the hard-coded universal aliases we want to go through the local system, and we don't want these separate. Known domains that are considered 'virtual' will be forwarded or delivered to the vmail user, the rest rejected as unknown recipient, instead of being handed off to leap-mx. Previously, the way this was done is we leaned (too heavily) on the 'luser_relay' postfix configuration, which sent anything that wasn't locally configured right to the leap_mx spool. That meant everything went there, including addresses that didn't exist, and leap-mx would then have to process those and bounce them. This removes the 'luser_relay' option, so any address that doesn't resolve properly to either a local address/alias, or a leap address or alias (through tcp lookups on 2424 and 4242) will get bounced as an unknown user. Change-Id: I3c22e9383861b3794dd9adfd7aa6a0cf0a773a18
Diffstat (limited to 'puppet/modules/site_postfix')
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp24
1 files changed, 22 insertions, 2 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 71d61621..de317205 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -30,13 +30,25 @@ class site_postfix::mx {
'mailbox_size_limit':
value => '0';
'home_mailbox':
- value => 'Maildir/';
+ value => '';
+ 'virtual_mailbox_domains':
+ value => 'deliver.local';
+ 'virtual_mailbox_base':
+ value => '/var/mail/vmail';
+ 'virtual_mailbox_maps':
+ value => 'static:Maildir/';
# Note: virtual-aliases map will take precedence over leap_mx
# lookup (tcp:localhost)
'virtual_alias_maps':
value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';
'luser_relay':
- value => 'vmail';
+ value => '';
+ # uid and gid are set to an arbitrary hard-coded value here, this
+ # must match the 'vmail' user block below
+ 'virtual_uid_maps':
+ value => 'static:42424';
+ 'virtual_gid_maps':
+ value => 'static:42424';
'smtpd_tls_received_header':
value => 'yes';
# Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
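Review bot: The added `'virtual_mailbox_maps' => 'static:Maildir/'` makes every local part under deliver.local a valid mailbox, so the only thing between an SMTP client and the vmail spool is whether postfix accepts deliver.local as a recipient domain from remote clients; the restriction that would prevent that is not in this hunk, so it may be worth confirming it exists elsewhere in the class. Since the leap_mx lookup on tcp:localhost:4242 is the only intended source of uuid@deliver.local addresses, a comment next to the new domain entry would record that invariant: `# deliver.local is internal-only: static: matches any local part, so only the leap_mx lookup result may resolve to it`. The uid/gid comment points at the 'vmail' user block below, which sets `gid => '42424'`, but no matching group resource is visible in this commit, so that group must already exist or be declared elsewhere. Setting `luser_relay` to '' rather than removing the entry is how Postfix unsets the parameter, so that part reads correctly; the rest of the class body continues outside the hunk.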
@@ -67,11 +79,19 @@ class site_postfix::mx {
# greater verbosity for debugging, take out for production
#include site_postfix::debug
+ # Make the 'vmail' user for leap-mx. This user is where all legitimate,
+ # non-system mail is delivered so leap-mx can process it. Previously, we let
+ # the system pick a uid/gid, but we need to know what they are set to in order
+ # to set the virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a
+ # fact just for this, so instead we pick arbitrary numbers that seem unlikely
+ # to be used and then use them in the postfix configuration
user { 'vmail':
ensure => present,
comment => 'Leap Mailspool',
home => '/var/mail/vmail',
shell => '/bin/false',
+ uid => '42424',
+ gid => '42424',
managehome => true,
}