diff options
Diffstat (limited to 'puppet/modules/site_postfix')
7 files changed, 155 insertions, 21 deletions
| diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 49692d24..71d61621 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -7,7 +7,8 @@ class site_postfix::mx {    $domain              = $domain_hash['full_suffix']    $host_domain         = $domain_hash['full']    $cert_name           = hiera('name') -  $mynetworks          = join(hiera('mynetworks'), ' ') +  $mynetworks          = join(hiera('mynetworks', ''), ' ') +  $rbls                = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',')    $root_mail_recipient = hiera('contacts')    $postfix_smtp_listen = 'all' @@ -20,16 +21,20 @@ class site_postfix::mx {    postfix::config {      'mynetworks':        value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}"; +    # Note: mydestination should not include @domain, because this is +    # used in virtual alias maps.      'mydestination': -      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; +      value => "\$myorigin, localhost, localhost.\$mydomain";      'myhostname':        value => $host_domain;      'mailbox_size_limit':        value => '0';      'home_mailbox':        value => 'Maildir/'; +    # Note: virtual-aliases map will take precedence over leap_mx +    # lookup (tcp:localhost)      'virtual_alias_maps': -      value => 'tcp:localhost:4242'; +      value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';      'luser_relay':        value => 'vmail';      'smtpd_tls_received_header': @@ -44,13 +49,20 @@ class site_postfix::mx {      # alias map      'local_recipient_maps':        value => '$alias_maps'; +    'smtpd_milters': +      value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; +    'milter_default_action': +      value => 'accept';    }    include site_postfix::mx::smtpd_checks    include site_postfix::mx::checks    include site_postfix::mx::smtp_tls    include site_postfix::mx::smtpd_tls -  include site_postfix::mx::reserved_aliases +  include site_postfix::mx::static_aliases +  include site_postfix::mx::rewrite_openpgp_header +  include clamav +  include postfwd    # greater verbosity for debugging, take out for production    #include site_postfix::debug @@ -72,7 +84,11 @@ class site_postfix::mx {    -o smtpd_tls_wrappermode=yes    -o smtpd_tls_security_level=encrypt    -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -  -o smtpd_helo_restrictions=\$smtps_helo_restrictions", +  -o smtpd_helo_restrictions=\$smtps_helo_restrictions +  -o smtpd_client_restrictions= +  -o cleanup_service_name=clean_smtps +clean_smtps	  unix	n	-	n	-	0	cleanup +  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers",      require             => [        Class['Site_config::X509::Key'],        Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp deleted file mode 100644 index 83e27376..00000000 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ /dev/null @@ -1,15 +0,0 @@ -# Defines which mail addresses shouldn't be available and where they should fwd -class site_postfix::mx::reserved_aliases { - -  postfix::mailalias { -    [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', -      'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', -      'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', -      'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', -      'www-data', -    ]: -      ensure    => present, -      recipient => 'root' -  } - -} diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp new file mode 100644 index 00000000..71f945b8 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp @@ -0,0 +1,11 @@ +class site_postfix::mx::rewrite_openpgp_header { +  $mx             = hiera('mx') +  $correct_domain = $mx['key_lookup_domain'] + +  file { '/etc/postfix/checks/rewrite_openpgp_headers': +    content => template('site_postfix/checks/rewrite_openpgp_headers.erb'), +    mode    => '0644', +    owner   => root, +    group   => root; +  } +} diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ec40277..1c3e5c92 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks {      'checks_dir':        value => '$config_directory/checks';      'smtpd_client_restrictions': -      value => 'permit_mynetworks,permit'; +      value => "${site_postfix::mx::rbls}permit_mynetworks,permit";      'smtpd_data_restrictions':        value => 'permit_mynetworks, reject_unauth_pipelining, permit';      'smtpd_delay_reject': diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp new file mode 100644 index 00000000..71c0555a --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -0,0 +1,88 @@ +# +# Defines static, hard coded aliases that are not in the database. +# These aliases take precedence over the database aliases. +# +# There are three classes of reserved names: +# +# (1) forbidden_usernames: +#     Some usernames are forbidden and cannot be registered. +#     this is defined in node property webapp.forbidden_usernames +#     This is enforced by the webapp. +# +# (2) public aliases: +#     Some aliases for root, and are publicly exposed so that anyone +#     can deliver mail to them. For example, postmaster. +#     These are implemented in the virtual alias map, which takes +#     precedence over the local alias map. +# +# (3) local aliases: +#     Some aliases are only available locally: mail can be delivered +#     to the alias if the mail originates from the local host, or is +#     hostname qualified, but otherwise it will be rejected. +#     These are implemented in the local alias map. +# +# The alias for local 'root' is defined elsewhere. In this file, we +# define the virtual 'root@domain' (which can be overwritten by +# defining an entry for root in node property mx.aliases). +# + +class site_postfix::mx::static_aliases { + +  $mx = hiera('mx') +  $root_recipients = hiera('contacts') + +  # +  # LOCAL ALIASES +  # + +  # NOTE: if you remove one of these, they will still appear in the +  # /etc/aliases file +  $local_aliases = [ +    'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', +    'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', +    'usenet', 'uucp', 'www', 'www-data' +  ] + +  postfix::mailalias { +    $local_aliases: +      ensure    => present, +      recipient => 'root' +  } + +  # +  # PUBLIC ALIASES +  # + +  $public_aliases = $mx['aliases'] + +  $default_public_aliases = { +    'root'          => $root_recipients, +    'abuse'         => 'postmaster', +    'arin-admin'    => 'root', +    'certmaster'    => 'hostmaster', +    'domainadmin'   => 'hostmaster', +    'hostmaster'    => 'root', +    'mailer-daemon' => 'postmaster', +    'postmaster'    => 'root', +    'security'      => 'root', +    'webmaster'     => 'hostmaster', +  } + +  $aliases = merge($default_public_aliases, $public_aliases) + +  exec { 'postmap_virtual_aliases': +    command     => '/usr/sbin/postmap /etc/postfix/virtual-aliases', +    refreshonly => true, +    user        => root, +    group       => root, +    require     => Package['postfix'], +    subscribe   => File['/etc/postfix/virtual-aliases'] +  } +  file { '/etc/postfix/virtual-aliases': +    content => template('site_postfix/virtual-aliases.erb'), +    owner   => root, +    group   => root, +    mode    => '0600', +    require => Package['postfix'] +  } +} diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb new file mode 100644 index 00000000..7af14f7d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb @@ -0,0 +1,13 @@ +# THIS FILE IS MANAGED BY PUPPET +# +# This will replace the OpenPGP header that the client adds, because it is +# sometimes incorrect (due to the client not always knowing what the proper URL +# is for the webapp). +# e.g. This will rewrite this header: +# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt +# with this replacement: +# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt +# +# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap: +# "record is in "key: value" format; is this an alias file?" and "duplicate entry" +/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2} diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb new file mode 100644 index 00000000..8373de97 --- /dev/null +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb @@ -0,0 +1,21 @@ +# +# This file is managed by puppet. +# +# These virtual aliases take precedence over all other aliases. +# + +# +# enable these virtual domains: +# +<%= @domain %> enabled +<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%> +<%= virt_domain %> enabled +<%- end %> + +# +# virtual aliases: +# +<%- @aliases.keys.sort.each do |from| -%> +<%-   full_address = from =~ /@/ ? from : from + "@" + @domain -%> +<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %> +<%- end -%> | 
