summaryrefslogtreecommitdiff
path: root/puppet/modules/site_postfix
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_postfix')
-rw-r--r--puppet/modules/site_postfix/files/checks/helo_access.pcre2
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp33
-rw-r--r--puppet/modules/site_postfix/manifests/mx/checks.pp7
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp2
-rw-r--r--puppet/modules/site_postfix/templates/checks/helo_access.erb2
5 files changed, 41 insertions, 5 deletions
diff --git a/puppet/modules/site_postfix/files/checks/helo_access.pcre b/puppet/modules/site_postfix/files/checks/helo_access.pcre
new file mode 100644
index 00000000..4ebd42e6
--- /dev/null
+++ b/puppet/modules/site_postfix/files/checks/helo_access.pcre
@@ -0,0 +1,2 @@
+!/[[:alpha:]]/ REJECT Numeric HELO is a sign of spam, please contact us if this is in error
+
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 0b760eb4..2dac85f5 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -57,10 +57,6 @@ class site_postfix::mx {
value => 'sha1';
'relay_clientcerts':
value => 'tcp:localhost:2424';
- # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
- # because the satellites need to have a different value
- 'smtp_tls_security_level':
- value => 'may';
# reject inbound mail to system users
# see https://leap.se/code/issues/6829
# this blocks *only* mails to system users, that don't appear in the
@@ -90,6 +86,35 @@ class site_postfix::mx {
value => 'permit_mynetworks';
'postscreen_greet_action':
value => 'enforce';
+ # Level of DNS support in the Postfix SMTP client. Enable DNS lookups
+ # (default: empty). When empty, then the legacy "disable_dns_lookups"
+ # (default: no) parameter is used. Setting 'smtp_dns_support_level' to
+ # enabled sets the previous behavior with the new parameter. When set to
+ # 'dnssec" this enables DNSSEC lookups.
+ 'smtp_dns_support_level':
+ value => 'dnssec';
+
+ # http://www.postfix.org/TLS_README.html#client_tls_dane The "dane" level is
+ # a stronger form of opportunistic TLS that is resistant to man in the
+ # middle and downgrade attacks when the destination domain uses DNSSEC to
+ # publish DANE TLSA records for its MX hosts. If a remote SMTP server has
+ # "usable" (see RFC 6698) DANE TLSA records, the server connection will be
+ # authenticated. When DANE authentication fails, there is no fallback to
+ # unauthenticated or plaintext delivery.
+ #
+ # If TLSA records are published for a given remote SMTP server (implying TLS
+ # support), but are all "unusable" due to unsupported parameters or
+ # malformed data, the Postfix SMTP client will use mandatory unauthenticated
+ # TLS. Otherwise, when no TLSA records are published, the Postfix SMTP
+ # client behavior is the same as with may.
+ #
+ # This requires postfix to be able to send its DNS queries to a recursive
+ # DNS nameserver that is able to validate the signed records
+ #
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the satellites need to have a different value
+ 'smtp_tls_security_level':
+ value => 'dane';
}
# Make sure that the cleanup serivce is not chrooted, otherwise it cannot
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp
index f406ad34..9678c205 100644
--- a/puppet/modules/site_postfix/manifests/mx/checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/checks.pp
@@ -1,3 +1,4 @@
+# management of specific MTA checks
class site_postfix::mx::checks {
file {
@@ -13,6 +14,12 @@ class site_postfix::mx::checks {
mode => '0644',
owner => root,
group => root;
+
+ '/etc/postfix/checks/helo_checks.pcre':
+ source => 'puppet:///modules/site_postfix/checks/helo_access.pcre',
+ mode => '0644',
+ owner => root,
+ group => root;
}
exec {
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 291d7ee4..162e6d86 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -28,7 +28,7 @@ class site_postfix::mx::smtpd_checks {
'smtps_relay_restrictions':
value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';
'smtps_helo_restrictions':
- value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
+ value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, check_helo_access pcre:$checks_dir/helo_checks.pcre, permit';
'smtpd_sender_restrictions':
value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
}
diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb
index bac2c45a..e0708605 100644
--- a/puppet/modules/site_postfix/templates/checks/helo_access.erb
+++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb
@@ -19,3 +19,5 @@
# Reject anybody that HELO's as being in our own domain(s)
# anyone who identifies themselves as us is a virus/spammer
<%= @domain %> 554 You are not in domain <%= @domain %>
+localhost 554 You are not localhost
+