-rw-r--r--puppet/modules/leap_mx/manifests/init.pp8
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp13
-rw-r--r--tests/white-box/mx.rb2
4 files changed, 22 insertions, 7 deletions
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 70d2c2d4..055a57ef 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -40,6 +40,14 @@ class leap_mx {
require => Group['leap-mx'];
}
+ file { '/var/mail/leap-mx':
+ ensure => directory,
+ owner => 'leap-mx',
+ group => 'leap-mx',
+ mode => '0755',
+ require => User['leap-mx'],
+ }
+
#
# LEAP-MX CONFIG
#
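Review bot: The new `/var/mail/leap-mx` directory is created with `mode => '0755'`, which lets every local account list its contents; a spool that only the `leap-mx` user reads and writes would normally be `0700`, or `0750` if one other group needs traversal. Suggest `mode => '0700',` unless a consumer outside that user is known, and a one-line comment above the resource stating who is expected to access it so a later loosening is deliberate. The enclosing `class leap_mx` starts before this hunk and continues after it.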
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 7ec60d49..75378480 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -51,6 +51,12 @@ class site_postfix::mx {
value => 'static:42424';
'smtpd_tls_received_header':
value => 'yes';
+ # the following is needed for matching user's client cert fingerprints to
+ # enable relaying (#3634)
+ 'smtpd_tls_fingerprint_digest':
+ value => 'sha1';
+ 'relay_clientcerts':
+ value => 'tcp:localhost:2424';
# Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
# because the satellites need to have a different value
'smtp_tls_security_level':
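Review bot: `smtpd_tls_fingerprint_digest` is set to `sha1` at the same time fingerprints become the key for relay authorization; SHA-1 has known collision weaknesses and Postfix accepts `sha256`, so `value => 'sha256';` is preferable, provided the fingerprints served by the lookup on port 2424 are computed with the same digest. Whichever digest is chosen must match on both sides, otherwise `permit_tls_clientcerts` never matches and every client is refused relaying, so a comment naming where the stored fingerprints are generated would help the next operator. `relay_clientcerts` also points at an unauthenticated `tcp:localhost:2424` table, so whatever listens there effectively decides who may relay; its binding and ownership are worth noting beside the parameter. Class `site_postfix::mx` begins and ends outside this hunk.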
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 1c3e5c92..f2bd571b 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks {
value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_recipient_restrictions':
value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
- # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
- # with a lookup on $relay_clientcerts! Right now we are listing the only
- # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
- # but we cannot cut off a certificate that should no longer be used unless
- # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+
+ # permit_tls_clientcerts will lookup client cert fingerprints from the tcp
+ # lookup on port 2424 (based on what is configured in relay_clientcerts
+ # paramter, see site_postfix::mx postfix::config resource) to determine
+ # if a client is allowed to relay mail through us. This enables us to
+ # disable a user by removing their valid client cert (#3634)
'smtps_recipient_restrictions':
- value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'smtps_helo_restrictions':
value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_sender_restrictions':
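Review bot: The new comment above `smtps_recipient_restrictions` has a typo (`paramter`) and slightly overstates the mechanism: a user is cut off by removing their fingerprint from the `relay_clientcerts` lookup, not by removing a certificate the client still holds. Suggest rewording the last sentence to `# This lets us revoke a user's relay access by removing their cert fingerprint from the lookup (#3634)`. It would also help operators to state the failure mode of the tcp lookup: if nothing answers on port 2424 the restriction presumably yields a temporary error rather than permitting — worth confirming and documenting here. Class `site_postfix::mx::smtpd_checks` begins before and continues after this hunk.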
diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb
index ba523fe0..336f78a4 100644
--- a/tests/white-box/mx.rb
+++ b/tests/white-box/mx.rb
@@ -32,7 +32,7 @@ class Mx < LeapTest
end
def test_03_Are_MX_daemons_running?
- assert_running '.*/usr/bin/twistd.*leap_mx.tac'
+ assert_running '.*/usr/bin/twistd.*mx.tac'
assert_running '^/usr/lib/postfix/master$'
assert_running '^/usr/sbin/postfwd'
assert_running 'postfwd2::cache$'