summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp2
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp13
2 files changed, 11 insertions, 4 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 18815f70..e9f662c3 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -35,7 +35,7 @@ class site_postfix::mx {
preseed => true,
root_mail_recipient => $root_mail_recipient,
smtp_listen => 'all',
- mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n",
+ mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions",
require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
User['vmail'] ]
}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0973e625..640f2390 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -4,15 +4,22 @@ class site_postfix::mx::smtpd_checks {
'smtpd_client_restrictions':
value => 'permit_mynetworks,permit';
'smtpd_data_restrictions':
- value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit';
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit';
'smtpd_delay_reject':
value => 'yes';
'smtpd_helo_restrictions':
value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit';
'smtpd_recipient_restrictions':
- value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
+ # with a lookup on $relay_clientcerts! Right now we are listing the only
+ # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
+ # but we cannot cut off a certificate that should no longer be used unless
+ # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+ 'smtps_recipient_restrictions':
+ value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'smtpd_sender_restrictions':
- value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
+ value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
}
}