Diffstat (limited to 'puppet/modules/site_postfix')
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp12
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_tls.pp2
-rw-r--r--puppet/modules/site_postfix/manifests/satellite.pp33
4 files changed, 45 insertions, 8 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index de89c26e..bdfee665 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -4,7 +4,7 @@ class site_postfix::mx {
$domain = $domain_hash['full_suffix']
$host_domain = $domain_hash['full']
$cert_name = hiera('name')
- $mynetworks = join(hiera('mx_nodes'), ' ')
+ $mynetworks = join(hiera('mynetworks'), ' ')
$root_mail_recipient = hiera ('contacts')
$postfix_smtp_listen = 'all'
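Review bot: The value joined on L22 becomes Postfix's mynetworks, i.e. the set of client addresses this MX lets relay without authentication, and neither the line nor its surroundings say so; a one-line comment would make the trust boundary explicit, e.g. `# clients Postfix trusts to relay unauthenticated (postconf mynetworks); keep this to the provider's own nodes`. hiera('mynetworks') is called without a default, so catalog compilation will fail on any node whose hiera data still only defines the old mx_nodes key — probably intended, but worth stating in the same comment or the commit message. The class body continues outside the hunk.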
@@ -31,6 +31,10 @@ class site_postfix::mx {
value => 'vmail';
'smtpd_tls_received_header':
value => 'yes';
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the satellites need to have a different value
+ 'smtp_tls_security_level':
+ value => 'may';
}
include site_postfix::mx::smtpd_checks
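Review bot: The comment on L29-30 says where smtp_tls_security_level is now set but not why the MX gets 'may' while satellites get 'encrypt', and a later reader could "harden" this to 'encrypt' without realising it breaks delivery. 'may' is opportunistic TLS, which an MX delivering to arbitrary remote domains needs because mandatory TLS would bounce mail to receivers that do not offer it; suggest extending the comment: `# 'may' = opportunistic TLS: this MX delivers to arbitrary remote domains, so 'encrypt' would bounce mail to non-TLS receivers; satellites only talk to our relayhost and use 'encrypt' instead`. Moving the key out of site_postfix::mx::smtp_tls (included by satellite.pp, and presumably by this class too) is also what avoids a duplicate postfix::config declaration; saying so would stop someone reintroducing it there.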
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
index aea66f78..83e27376 100644
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
@@ -1,11 +1,13 @@
+# Defines which mail addresses shouldn't be available and where they should fwd
class site_postfix::mx::reserved_aliases {
postfix::mailalias {
- [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin',
- 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www',
- 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games',
- 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp',
- 'ftp' ]:
+ [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
+ 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
+ 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
+ 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
+ 'www-data',
+ ]:
ensure => present,
recipient => 'root'
}
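Review bot: The reordered list on L48-53 reads as alphabetical but is not quite ('cron' precedes 'certmaster', 'games' precedes 'ftp'), so future additions will drift; either sort it fully or drop the appearance of ordering. The only semantic change is the new 'admin' entry, which completes the five mailboxes that certificate authorities accept for domain-validation email (admin, administrator, hostmaster, postmaster, webmaster); that is worth recording, since dropping any of them would let a non-privileged user receive mail that can be used to obtain certificates for the domain: `# admin/administrator/hostmaster/postmaster/webmaster are the CA/Browser-Forum domain-validation mailboxes; never remove them`. The header on L40 could state the same rationale instead of only "shouldn't be available".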
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 3cc7ea72..d9b59f40 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls {
value => 'sha1';
'smtp_tls_session_cache_database':
value => 'btree:${data_directory}/smtp_cache';
- 'smtp_tls_security_level':
- value => 'may';
# see issue #4011
'smtp_tls_protocols':
value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index 7be51b22..5725e6b8 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -10,5 +10,38 @@ class site_postfix::satellite {
root_mail_recipient => $root_mail_recipient
}
+ # There are special conditions for satellite hosts that will make them not be
+ # able to contact their relayhost:
+ #
+ # 1. they are on openstack/amazon/PC and are on the same cluster as the relay
+ # host, the MX lookup for the relay host will use the public IP, which cannot
+ # be contacted
+ #
+ # 2. When a domain is used that is not in DNS, because it is internal,
+ # a testing domain, etc. eg. a .local domain cannot be looked up in DNS
+ #
+ # to resolve this, so the satellite can contact the relayhost, we need to set
+ # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native'
+ # which will cause the lookup to use the native naming service
+ # (nsswitch.conf), which typically defaults to 'files, dns' allowing the
+ # /etc/hosts to be consulted first, then DNS if the entry doesn't exist.
+ #
+ # NOTE: this will make it not possible to enable DANE support through DNSSEC
+ # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but
+ # this parameter is not available until 2.11. If this ends up being important
+ # we could also make this an optional parameter for providers without
+ # dns / local domains
+
+ postfix::config {
+ 'smtp_host_lookup':
+ value => 'native';
+
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the mx server has to have a different value
+ 'smtp_tls_security_level':
+ value => 'encrypt';
+ }
+
include site_postfix::mx::smtp_tls
+
}
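Review bot: `smtp_tls_security_level => 'encrypt'` on L105-106 makes TLS to the relayhost mandatory but, at that level, Postfix does not verify the relay's certificate chain or name, so it only protects against passive eavesdropping; combined with the native host lookup on L100-101 (which resolves the relayhost from /etc/hosts before DNS), the satellite will happily negotiate TLS with whatever answers that name. If the relayhost's certificate chains to a CA the satellites already trust through site_postfix::mx::smtp_tls (included on L109; its contents are outside this diff), 'secure' or 'verify' together with smtp_tls_CAfile would also authenticate the peer, and the comment on L103-104 should state the trade-off either way, e.g. `# 'encrypt' mandates TLS but does not verify the relay's certificate; raise to 'secure' once the relay cert chains to a CA in smtp_tls_CAfile`. The long comment on L77-97 also leaves implicit that something must manage the relayhost's /etc/hosts entry for the native lookup to succeed; naming that dependency (or the module that provides it) would help.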