diff options
author | Micah Anderson <micah@leap.se> | 2013-08-30 15:19:43 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2013-08-31 08:33:53 -0400 |
commit | ff26ca98604d9e3f3856cca2af678b21c096d1ee (patch) | |
tree | fc559f6ed4e61207d00faa1965724b03f4f5d80b /puppet | |
parent | 27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c (diff) |
postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 8 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/mx.pp | 2 |
3 files changed, 11 insertions, 3 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9f662c3..eddf19f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,7 +35,13 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", + mastercf_tail => + "smtps inet n - - - - smtpd\n + -o smtpd_tls_wrappermode=yes\n + -o smtpd_tls_security_level=encrypt\n + submission inet n - n - - smtpd\n + -o smtpd_tls_security_level=encrypt\n + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 640f2390..7ade8588 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -18,8 +18,10 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; - } + } } diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp index 123ffec2..332f164e 100644 --- a/puppet/modules/site_shorewall/manifests/mx.pp +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -2,7 +2,7 @@ class site_shorewall::mx { include site_shorewall::defaults - $smtpd_ports = '25,465' + $smtpd_ports = '25,465,587' # define macro for incoming services file { '/etc/shorewall/macro.leap_mx': |