Diffstat (limited to 'puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp')
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp31
1 files changed, 31 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..0ec40277
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::smtpd_checks {
+
+ postfix::config {
+ 'smtpd_helo_required':
+ value => 'yes';
+ 'checks_dir':
+ value => '$config_directory/checks';
+ 'smtpd_client_restrictions':
+ value => 'permit_mynetworks,permit';
+ 'smtpd_data_restrictions':
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit';
+ 'smtpd_delay_reject':
+ value => 'yes';
+ 'smtpd_helo_restrictions':
+ value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
+ 'smtpd_recipient_restrictions':
+ value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
+ # with a lookup on $relay_clientcerts! Right now we are listing the only
+ # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
+ # but we cannot cut off a certificate that should no longer be used unless
+ # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+ 'smtps_recipient_restrictions':
+ value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ 'smtps_helo_restrictions':
+ value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
+ 'smtpd_sender_restrictions':
+ value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
+ }
+
+}
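Review bot: The comment above `smtps_recipient_restrictions` names `$smtp_tls_CAfile`, but the trust anchor that `permit_tls_all_clientcerts` checks inbound client certificates against is the server-side parameter, so the comment likely means `smtpd_tls_CAfile` (or `smtpd_tls_CApath`); I would correct it to `# ... CA that client certificates can use in the $smtpd_tls_CAfile parameter` so the next reader looks at the right setting. It is also worth stating in that comment that, until the `permit_tls_clientcerts` + `$relay_clientcerts` change lands, every certificate issued under that CA grants unrestricted relay through the smtps service, because the permit short-circuits before `reject_unauth_destination` is evaluated. Both `smtps_*` names are custom parameters rather than built-in Postfix settings, so they only take effect if the smtps entry in master.cf overrides the corresponding `smtpd_*` options with them — presumably done elsewhere in the module, but a one-line comment pointing at that location would help. Likewise `hash:$checks_dir/helo_checks` assumes a postmapped table exists at that path; if this class does not manage it, note where it is created, since a missing map makes Postfix defer mail rather than fail open.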