Diffstat (limited to 'puppet/modules/site_postfix/manifests/mx')
-rw-r--r--puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp15
-rw-r--r--puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp11
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp2
-rw-r--r--puppet/modules/site_postfix/manifests/mx/static_aliases.pp88
4 files changed, 100 insertions, 16 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
deleted file mode 100644
index 83e27376..00000000
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-# Defines which mail addresses shouldn't be available and where they should fwd
-class site_postfix::mx::reserved_aliases {
-
- postfix::mailalias {
- [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
- 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
- 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
- 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
- 'www-data',
- ]:
- ensure => present,
- recipient => 'root'
- }
-
-}
diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp
new file mode 100644
index 00000000..71f945b8
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp
@@ -0,0 +1,11 @@
+class site_postfix::mx::rewrite_openpgp_header {
+ $mx = hiera('mx')
+ $correct_domain = $mx['key_lookup_domain']
+
+ file { '/etc/postfix/checks/rewrite_openpgp_headers':
+ content => template('site_postfix/checks/rewrite_openpgp_headers.erb'),
+ mode => '0644',
+ owner => root,
+ group => root;
+ }
+}
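Review bot: `$correct_domain` is read from `$mx['key_lookup_domain']` with no check that the key is set or looks like a domain name. The template is not visible here, but it presumably interpolates this value into the header-check rule. An empty or malformed value would then yield a rule that rewrites OpenPGP headers to a wrong key-lookup location. A guard after the assignment, such as `validate_re($correct_domain, '^[A-Za-z0-9.-]+$')`, would fail the catalog instead. The class also has no header comment; once confirmed against the template, something like `# Installs the header check that rewrites OpenPGP headers to use mx.key_lookup_domain` would help.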
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0ec40277..1c3e5c92 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks {
'checks_dir':
value => '$config_directory/checks';
'smtpd_client_restrictions':
- value => 'permit_mynetworks,permit';
+ value => "${site_postfix::mx::rbls}permit_mynetworks,permit";
'smtpd_data_restrictions':
value => 'permit_mynetworks, reject_unauth_pipelining, permit';
'smtpd_delay_reject':
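Review bot: On the changed `smtpd_client_restrictions` line, the contents of `$site_postfix::mx::rbls` (presumably RBL reject entries) are placed ahead of `permit_mynetworks`. Postfix evaluates restrictions in order, so a listed client inside mynetworks would be rejected before the permit is reached. Unless that is intended, `value => "permit_mynetworks,${site_postfix::mx::rbls}permit";` keeps trusted networks exempt. The string also only stays well-formed if the variable is empty or ends with a comma; it is defined outside this hunk, so a comment stating that expectation would help. The class body continues outside the hunk.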
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
new file mode 100644
index 00000000..71c0555a
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
@@ -0,0 +1,88 @@
+#
+# Defines static, hard coded aliases that are not in the database.
+# These aliases take precedence over the database aliases.
+#
+# There are three classes of reserved names:
+#
+# (1) forbidden_usernames:
+# Some usernames are forbidden and cannot be registered.
+# this is defined in node property webapp.forbidden_usernames
+# This is enforced by the webapp.
+#
+# (2) public aliases:
+# Some aliases for root, and are publicly exposed so that anyone
+# can deliver mail to them. For example, postmaster.
+# These are implemented in the virtual alias map, which takes
+# precedence over the local alias map.
+#
+# (3) local aliases:
+# Some aliases are only available locally: mail can be delivered
+# to the alias if the mail originates from the local host, or is
+# hostname qualified, but otherwise it will be rejected.
+# These are implemented in the local alias map.
+#
+# The alias for local 'root' is defined elsewhere. In this file, we
+# define the virtual 'root@domain' (which can be overwritten by
+# defining an entry for root in node property mx.aliases).
+#
+
+class site_postfix::mx::static_aliases {
+
+ $mx = hiera('mx')
+ $root_recipients = hiera('contacts')
+
+ #
+ # LOCAL ALIASES
+ #
+
+ # NOTE: if you remove one of these, they will still appear in the
+ # /etc/aliases file
+ $local_aliases = [
+ 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop',
+ 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys',
+ 'usenet', 'uucp', 'www', 'www-data'
+ ]
+
+ postfix::mailalias {
+ $local_aliases:
+ ensure => present,
+ recipient => 'root'
+ }
+
+ #
+ # PUBLIC ALIASES
+ #
+
+ $public_aliases = $mx['aliases']
+
+ $default_public_aliases = {
+ 'root' => $root_recipients,
+ 'abuse' => 'postmaster',
+ 'arin-admin' => 'root',
+ 'certmaster' => 'hostmaster',
+ 'domainadmin' => 'hostmaster',
+ 'hostmaster' => 'root',
+ 'mailer-daemon' => 'postmaster',
+ 'postmaster' => 'root',
+ 'security' => 'root',
+ 'webmaster' => 'hostmaster',
+ }
+
+ $aliases = merge($default_public_aliases, $public_aliases)
+
+ exec { 'postmap_virtual_aliases':
+ command => '/usr/sbin/postmap /etc/postfix/virtual-aliases',
+ refreshonly => true,
+ user => root,
+ group => root,
+ require => Package['postfix'],
+ subscribe => File['/etc/postfix/virtual-aliases']
+ }
+ file { '/etc/postfix/virtual-aliases':
+ content => template('site_postfix/virtual-aliases.erb'),
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Package['postfix']
+ }
+}
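Review bot: `merge($default_public_aliases, $public_aliases)` lets the node property `mx.aliases` replace every default, including `postmaster`, `abuse` and `security`, while the header comment mentions the override only for `root`. A typo or stray entry in node data could therefore silently redirect the addresses that abuse and security reports arrive on. I would document this above the merge, e.g. `# NOTE: mx.aliases overrides any default below, including postmaster, abuse and security`. Adding `validate_hash($public_aliases)` before the merge would also catch a missing or non-hash value as a clear catalog error. Separately, the NOTE on `$local_aliases` says removed names stay in `/etc/aliases`, so retiring one needs an explicit `ensure => absent` resource rather than deletion from the list.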