Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp10
-rw-r--r--puppet/modules/site_apt/files/keys/leap_experimental_key.asc76
-rw-r--r--puppet/modules/site_apt/manifests/init.pp6
-rw-r--r--puppet/modules/site_apt/manifests/leap_repo.pp2
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp10
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp13
7 files changed, 108 insertions, 15 deletions
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 70d2c2d4..5c356315 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -40,6 +40,14 @@ class leap_mx {
require => Group['leap-mx'];
}
+ file { '/var/mail/leap-mx':
+ ensure => directory,
+ owner => 'leap-mx',
+ group => 'leap-mx',
+ mode => '0755',
+ require => User['leap-mx'],
+ }
+
#
# LEAP-MX CONFIG
#
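Review bot: The new `/var/mail/leap-mx` directory is created with `mode => '0755'`, which lets every local account list the names of whatever is stored under it; if this directory holds mail or per-user delivery data, a spool directory is normally not world-accessible. Unless another service needs to traverse it, `mode => '0700'` (or `'0750'` if a group must read it) limits exposure to the `leap-mx` user, e.g. `mode => '0700',`. Which process writes into it is not visible in this hunk, so the group requirement should be confirmed before tightening. The enclosing class `leap_mx` continues outside the hunk.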
@@ -52,7 +60,7 @@ class leap_mx {
notify => Service['leap-mx'];
}
- leap::logfile { 'mx': }
+ leap::logfile { 'mx': process => 'leap-mx' }
#
# LEAP-MX CODE AND DEPENDENCIES
diff --git a/puppet/modules/site_apt/files/keys/leap_experimental_key.asc b/puppet/modules/site_apt/files/keys/leap_experimental_key.asc
new file mode 100644
index 00000000..1baa1a67
--- /dev/null
+++ b/puppet/modules/site_apt/files/keys/leap_experimental_key.asc
@@ -0,0 +1,76 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=tlXs
+-----END PGP PUBLIC KEY BLOCK-----
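Review bot: Nothing in this diff records the fingerprint or key ID of the new repository signing key, so a reviewer or operator has no way to check that the armored block is the intended trust anchor; this should be recorded where the key is installed. A short comment in the manifest resource that deploys the key, such as `# leap experimental repo key, fingerprint <FINGERPRINT-PLACEHOLDER>`, would make later verification and rotation possible. No hunk in this diff references the file, so whether it is installed elsewhere cannot be confirmed from here.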
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 635ba975..c809a837 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -3,10 +3,16 @@ class site_apt {
$sources = hiera('sources')
$apt_config = $sources['apt']
+
+ # debian repo urls
$apt_url_basic = $apt_config['basic']
$apt_url_security = $apt_config['security']
$apt_url_backports = $apt_config['backports']
+ # leap repo url
+ $platform_sources = $sources['platform']
+ $apt_url_platform_basic = $platform_sources['apt']['basic']
+
# needed on jessie hosts for getting pnp4nagios from testing
if ( $::operatingsystemmajrelease == '8' ) {
$use_next_release = true
diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp
index 462b2686..a1382374 100644
--- a/puppet/modules/site_apt/manifests/leap_repo.pp
+++ b/puppet/modules/site_apt/manifests/leap_repo.pp
@@ -5,7 +5,7 @@ class site_apt::leap_repo {
$major_version = $platform['major_version']
apt::sources_list { 'leap.list':
- content => "deb http://deb.leap.se/${major_version} ${::lsbdistcodename} main\n",
+ content => "deb ${::site_apt::apt_url_platform_basic} ${::lsbdistcodename} main\n",
before => Exec[refresh_apt]
}
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 67171259..077381e1 100644
--- a/puppet/modules/site_config/manifests/remove/files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -14,7 +14,7 @@ class site_config::remove::files {
# Platform 0.8 removals
tidy {
'/etc/default/leap_mx':;
- '/etc/logrotate.d/leap-mx':;
+ '/etc/logrotate.d/mx':;
}
#
@@ -23,7 +23,6 @@ class site_config::remove::files {
tidy {
'/etc/rsyslog.d/99-tapicero.conf':;
- '/etc/rsyslog.d/99-leap-mx.conf':;
'/etc/rsyslog.d/01-webapp.conf':;
'/etc/rsyslog.d/50-stunnel.conf':;
'/etc/logrotate.d/stunnel':;
@@ -32,13 +31,10 @@ class site_config::remove::files {
path => '/var/log/',
recurse => true,
matches => 'leap_mx*';
- # We rotate 5 logs, so we should only have mx.log, mx.log.[1-5], with an
- # optional .gz suffix. The following will remove any logs that are out
- # of this range
- 'leap_mx_rotate':
+ 'mx':
path => '/var/log/leap/',
recurse => true,
- matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]'];
+ matches => 'mx.log*';
'/srv/leap/webapp/public/provider.json':;
'/srv/leap/couchdb/designs/tmp_users':
recurse => true,
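Review bot: The rewritten `'mx'` tidy resource matches `'mx.log*'` under `/var/log/leap/` with no `age` or `size` constraint, so every matching file, including a live `mx.log`, is removed on each run rather than only the out-of-range rotations the old comment described. If the mx log has genuinely moved elsewhere (the `leap::logfile { 'mx': process => 'leap-mx' }` change in the leap_mx manifest suggests a rename, but the resulting path is not visible here), this is fine; otherwise add `age => '...'` or narrow the glob, e.g. keep `matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]' ];`. A comment explaining why unconditional removal is now safe would help the next reader. The enclosing `tidy` block and class continue outside the hunk.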
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 7ec60d49..75378480 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -51,6 +51,12 @@ class site_postfix::mx {
value => 'static:42424';
'smtpd_tls_received_header':
value => 'yes';
+ # the following is needed for matching user's client cert fingerprints to
+ # enable relaying (#3634)
+ 'smtpd_tls_fingerprint_digest':
+ value => 'sha1';
+ 'relay_clientcerts':
+ value => 'tcp:localhost:2424';
# Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
# because the satellites need to have a different value
'smtp_tls_security_level':
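Review bot: `smtpd_tls_fingerprint_digest` is set to `sha1`, while Postfix accepts any digest OpenSSL supports for this parameter, so `value => 'sha256';` gives the fingerprint lookup a margin against collision attacks at no extra cost. Changing it only works if the service answering the `tcp:localhost:2424` table returns fingerprints computed with the same digest, which this hunk cannot show, so the two must be switched together. A comment naming the digest the lookup service is expected to use, such as `# digest must match what the fingerprint lookup service on port 2424 returns`, would prevent a silent mismatch that turns every lookup into a miss. The class body continues outside the hunk.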
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 1c3e5c92..f2bd571b 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks {
value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_recipient_restrictions':
value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
- # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
- # with a lookup on $relay_clientcerts! Right now we are listing the only
- # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
- # but we cannot cut off a certificate that should no longer be used unless
- # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+
+ # permit_tls_clientcerts will lookup client cert fingerprints from the tcp
+ # lookup on port 2424 (based on what is configured in relay_clientcerts
+ # paramter, see site_postfix::mx postfix::config resource) to determine
+ # if a client is allowed to relay mail through us. This enables us to
+ # disable a user by removing their valid client cert (#3634)
'smtps_recipient_restrictions':
- value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'smtps_helo_restrictions':
value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_sender_restrictions':
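Review bot: The new comment misspells `paramter` and does not say which fingerprint digest the lookup on port 2424 must return; since `permit_tls_clientcerts` only matches when the digest configured in `smtpd_tls_fingerprint_digest` agrees with the table contents, that is the detail a maintainer needs. Suggested wording for the line: `# lookup on port 2424 (based on what is configured in the relay_clientcerts parameter and smtpd_tls_fingerprint_digest, see site_postfix::mx)`. The resource and class continue outside this hunk.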