| author | varac <varacanero@zeromail.org> | 2013-07-10 14:10:22 +0200 | 
|---|---|---|
| committer | varac <varacanero@zeromail.org> | 2013-07-10 15:43:30 +0200 | 
| commit | c11047649e1ef630b48b007fb757fcc68b747e62 (patch) | |
| tree | 96ae277c03fc81ff119799e3bfdb22a0c7984476 /puppet/modules | |
| parent | 0f95eccb08b80c02db99d57da413025813766d5e (diff) | |
added tls support, including smtp auth via client cert
Diffstat (limited to 'puppet/modules')
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 16 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 31 | 
3 files changed, 41 insertions, 16 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index a625cdcd..e9656072 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -3,6 +3,7 @@ class site_postfix::mx {
   $domain_hash         = hiera ('domain')
   $domain              = $domain_hash['full_suffix']
   $mx_hash             = hiera('mx')
+  $cert_name           = hiera('name')
   $root_mail_recipient = $mx_hash['contact']
   $postfix_smtp_listen = 'all'
@@ -12,15 +13,16 @@ class site_postfix::mx {
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
     'smtpd_recipient_restrictions':
       value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
-    'mailbox_size_limit':   value => '0';
-    'home_mailbox':         value => 'Maildir/';
-    'virtual_alias_maps':   value => 'tcp:localhost:4242';
-    'luser_relay':          value => 'vmail';
-    'local_recipient_maps': value => '';
+    'mailbox_size_limit':   value  => '0';
+    'home_mailbox':         value  => 'Maildir/';
+    'virtual_alias_maps':   value  => 'tcp:localhost:4242';
+    'luser_relay':          value  => 'vmail';
+    'local_recipient_maps': value  => '';
     #'debug_peer_list':      value => '127.0.0.1';
   }
   include site_postfix::mx::smtpd_checks
+  include site_postfix::mx::tls
   user { 'vmail':
     ensure     => present,
@@ -32,6 +34,8 @@ class site_postfix::mx {
   class { 'postfix':
     root_mail_recipient => $root_mail_recipient,
-    smtp_listen         => 'all'
+    smtp_listen         => 'all',
+    require             => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+      User['vmail'] ]
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
deleted file mode 100644
index ab75130e..00000000
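Review bot: The client-certificate authentication this commit wires in (the new `include site_postfix::mx::tls` and the X509 `require` on the postfix class in the third hunk) is decided by the unchanged `smtpd_recipient_restrictions` line in the second hunk, where `permit_tls_all_clientcerts` comes after `reject_unauth_destination`; a cert-authenticated client that asks to relay to a non-local destination is rejected before the permit is ever evaluated, so if cert auth is meant to authorize relaying the permit has to precede the reject, e.g. `value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';`. That ordering is pre-existing, but this commit is what gives the cert path meaning, so either the reorder belongs here or the deliberate choice deserves a comment; note that moving the permit forward grants relay to any certificate that verifies against `smtpd_tls_CAfile`, so that file must contain only the client-issuing CA. Separately, `$cert_name = hiera('name')` in the first hunk repeats the lookup made in site_postfix::mx::tls solely to name X509 resources that class declares; a comment such as `# must match the lookup in site_postfix::mx::tls, which declares these x509 resources` would make the coupling explicit. The body of `class site_postfix::mx` extends beyond the hunks shown.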
--- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
+++ /dev/null
@@ -1,10 +0,0 @@
-class site_postfix::mx::smtp_auth {
-  $x509 = hiera('x509')
-
-  postfix::config {
-    'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
-    'smtpd_tls_key_file':  value => $x509['client_ca_key'];
-    'smtpd_tls_ask_ccert': value => 'yes';
-    #'smtpd_tls_CAfile':    value =>
-  }
-}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+  $x509                = hiera('x509')
+  $key                 = $x509['key']
+  $cert                = $x509['cert']
+  $client_ca           = $x509['client_ca_cert']
+
+  include x509::variables
+  $cert_name = hiera('name')
+  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${cert_name}.key"
+
+  x509::key { $cert_name:
+    content => $key,
+  }
+
+  x509::cert { $cert_name:
+    content => $cert,
+  }
+
+  postfix::config {
+    'smtpd_use_tls':        value  => 'yes';
+    'smtpd_tls_CAfile':     value  => $client_ca;
+    'smtpd_tls_cert_file':  value  => $cert_path;
+    'smtpd_tls_key_file':   value  => $key_path;
+    'smtpd_tls_req_ccert':  value  => 'yes';
+    'smtpd_tls_security_level':
+      value  => 'encrypt';
+  }
+
+}
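Review bot: `smtpd_tls_security_level => 'encrypt'` combined with `smtpd_tls_req_ccert => 'yes'` in the new postfix::config block makes the smtpd that mx.pp binds to all interfaces refuse every client that cannot present a certificate chaining to `$client_ca`, which includes every external MTA delivering inbound mail; Postfix's own documentation says mandatory TLS must not be used on a publicly referenced MX. If this host is meant to receive Internet mail, the opportunistic shape of the deleted smtp_auth.pp is the safer one — `'smtpd_tls_security_level': value => 'may';` and `'smtpd_tls_ask_ccert': value => 'yes';` in place of `smtpd_tls_req_ccert` — with relay authorization left to `permit_tls_all_clientcerts` in the recipient restrictions; if it is deliberately a closed, client-cert-only listener, a header comment stating that would stop the next reader from "fixing" it. Also, `$x509['key']` and `$x509['cert']` are written to disk as file content via x509::key and x509::cert, while `$x509['client_ca_cert']` is handed straight to `smtpd_tls_CAfile`, which Postfix reads as a path; presumably that hiera key holds a path rather than PEM like its siblings, but that is worth confirming, since PEM text there would leave client-certificate verification without a trust anchor and every handshake would fail under the current `req_ccert` setting.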
