summaryrefslogtreecommitdiff
path: root/puppet/modules/site_postfix
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_postfix')
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp41
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_auth.pp10
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp9
-rw-r--r--puppet/modules/site_postfix/manifests/mx/tls.pp31
4 files changed, 91 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..0581f147
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -0,0 +1,41 @@
+class site_postfix::mx {
+
+ $domain_hash = hiera ('domain')
+ $domain = $domain_hash['full_suffix']
+ $mx_hash = hiera('mx')
+ $cert_name = hiera('name')
+
+ $root_mail_recipient = $mx_hash['contact']
+ $postfix_smtp_listen = 'all'
+
+ postfix::config {
+ 'mydestination':
+ value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+ 'smtpd_recipient_restrictions':
+ value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';
+ 'mailbox_size_limit': value => '0';
+ 'home_mailbox': value => 'Maildir/';
+ 'virtual_alias_maps': value => 'tcp:localhost:4242';
+ 'luser_relay': value => 'vmail';
+ 'local_recipient_maps': value => '';
+ 'debug_peer_list': value => '127.0.0.1';
+ }
+
+ include site_postfix::mx::smtpd_checks
+ include site_postfix::mx::tls
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
+ }
+
+ class { 'postfix':
+ root_mail_recipient => $root_mail_recipient,
+ smtp_listen => 'all',
+ require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+ User['vmail'] ]
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..ab75130e
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,10 @@
+class site_postfix::mx::smtp_auth {
+ $x509 = hiera('x509')
+
+ postfix::config {
+ 'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
+ 'smtpd_tls_key_file': value => $x509['client_ca_key'];
+ 'smtpd_tls_ask_ccert': value => 'yes';
+ #'smtpd_tls_CAfile': value =>
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..b2f2d7c2
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,9 @@
+class site_postfix::mx::smtpd_checks {
+
+ postfix::config {
+ 'smtpd_delay_reject': value => 'yes';
+ 'smtpd_data_restrictions':
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit';
+ }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $client_ca = $x509['client_ca_cert']
+
+ include x509::variables
+ $cert_name = hiera('name')
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key { $cert_name:
+ content => $key,
+ }
+
+ x509::cert { $cert_name:
+ content => $cert,
+ }
+
+ postfix::config {
+ 'smtpd_use_tls': value => 'yes';
+ 'smtpd_tls_CAfile': value => $client_ca;
+ 'smtpd_tls_cert_file': value => $cert_path;
+ 'smtpd_tls_key_file': value => $key_path;
+ 'smtpd_tls_req_ccert': value => 'yes';
+ 'smtpd_tls_security_level':
+ value => 'encrypt';
+ }
+
+}