3 files changed, 14 insertions, 3 deletions

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index a37c7af9..bdfee665 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -31,6 +31,10 @@ class site_postfix::mx {
       value => 'vmail';
     'smtpd_tls_received_header':
       value => 'yes';
+    # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+    # because the satellites need to have a different value
+    'smtp_tls_security_level':
+      value => 'may';
   }
 
   include site_postfix::mx::smtpd_checks
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 3cc7ea72..d9b59f40 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls {
       value => 'sha1';
     'smtp_tls_session_cache_database':
       value => 'btree:${data_directory}/smtp_cache';
-    'smtp_tls_security_level':
-      value  => 'may';
     # see issue #4011
     'smtp_tls_protocols':
       value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index f5d5c7b7..5725e6b8 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -32,7 +32,16 @@ class site_postfix::satellite {
   # we could also make this an optional parameter for providers without
   # dns / local domains
 
-  postfix::config { 'smtp_host_lookup': value => 'native'; }
+  postfix::config {
+    'smtp_host_lookup':
+      value => 'native';
+
+    # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+    # because the mx server has to have a different value
+    'smtp_tls_security_level':
+      value => 'encrypt';
+  }
 
   include site_postfix::mx::smtp_tls
+
 }