-rw-r--r-- | puppet/modules/leap_mx/manifests/init.pp | 8 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 6 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 | ||||
-rw-r--r-- | tests/white-box/mx.rb | 2 |
4 files changed, 22 insertions, 7 deletions
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 70d2c2d4..055a57ef 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -40,6 +40,14 @@ class leap_mx {
 require => Group['leap-mx'];
 }
 
+ file { '/var/mail/leap-mx':
+ ensure => directory,
+ owner => 'leap-mx',
+ group => 'leap-mx',
+ mode => '0755',
+ require => User['leap-mx'],
+ }
+
 #
 # LEAP-MX CONFIG
 #
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 7ec60d49..75378480 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -51,6 +51,12 @@ class site_postfix::mx {
 value => 'static:42424';
 'smtpd_tls_received_header':
 value => 'yes';
+ # the following is needed for matching user's client cert fingerprints to
+ # enable relaying (#3634)
+ 'smtpd_tls_fingerprint_digest':
+ value => 'sha1';
+ 'relay_clientcerts':
+ value => 'tcp:localhost:2424';
 # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
 # because the satellites need to have a different value
 'smtp_tls_security_level':
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 1c3e5c92..f2bd571b 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
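Review bot: The new `file { '/var/mail/leap-mx': ... mode => '0755' }` resource makes this directory listable and traversable by every local account, which is more than a per-daemon directory under /var/mail normally needs; unless some other uid has to reach into it, `mode => '0750'` (or `'0700'`) keeps it private to leap-mx while the owner retains full access. What the daemon stores there is not visible in this hunk, so confirm with the leap-mx service whether anything else must traverse it before tightening. A short comment above the resource recording that decision, e.g. `# working directory for leap-mx; kept private to the service user`, would let the next maintainer judge the mode without re-deriving it.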
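Review bot: `'smtpd_tls_fingerprint_digest': value => 'sha1'` picks a digest that is no longer considered collision resistant; Postfix also accepts `sha256`, which is the stronger choice for certificate-fingerprint matching and what newer Postfix releases default to. Whichever digest is configured here must be exactly the one the lookup service behind `relay_clientcerts => 'tcp:localhost:2424'` uses when it computes the fingerprints it stores, so the two can only be changed together — the new comment would be more useful if it said so, e.g. `# digest must match the one the port-2424 lookup service hashes client certs with`. Note also that `permit_tls_clientcerts` (the consumer of this table in site_postfix::mx::smtpd_checks) only consults the fingerprint table for certificates that already verified against the configured CA, so the CA setup presumably living elsewhere in this class remains part of the trust boundary.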
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks {
 value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
 'smtpd_recipient_restrictions':
 value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
- # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
- # with a lookup on $relay_clientcerts! Right now we are listing the only
- # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
- # but we cannot cut off a certificate that should no longer be used unless
- # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+
+ # permit_tls_clientcerts will lookup client cert fingerprints from the tcp
+ # lookup on port 2424 (based on what is configured in relay_clientcerts
+ # paramter, see site_postfix::mx postfix::config resource) to determine
+ # if a client is allowed to relay mail through us. This enables us to
+ # disable a user by removing their valid client cert (#3634)
 'smtps_recipient_restrictions':
- value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
 'smtps_helo_restrictions':
 value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
 'smtpd_sender_restrictions':
diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb
index ba523fe0..336f78a4 100644
--- a/tests/white-box/mx.rb
+++ b/tests/white-box/mx.rb
@@ -32,7 +32,7 @@ class Mx < LeapTest
 end
 
 def test_03_Are_MX_daemons_running?
- assert_running '.*/usr/bin/twistd.*leap_mx.tac'
+ assert_running '.*/usr/bin/twistd.*mx.tac'
 assert_running '^/usr/lib/postfix/master$'
 assert_running '^/usr/sbin/postfwd'
 assert_running 'postfwd2::cache$' |
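Review bot: The new comment above `'smtps_recipient_restrictions'` has a typo (`paramter` → `parameter`) and omits the one operational fact a maintainer will want: with `permit_tls_clientcerts` the relay decision now depends on the tcp lookup service on port 2424 being reachable, whereas `permit_tls_all_clientcerts` had no such runtime dependency. When a tcp table cannot be reached Postfix is expected to report a temporary lookup error and defer the session rather than permit it, so an outage of that service fails closed (no relaying for anyone) rather than open — worth stating explicitly, e.g. `# if the port-2424 lookup is unreachable Postfix defers (tempfail) instead of permitting`. The surrounding `postfix::config` resource begins and ends outside this hunk.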