Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp18
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp33
-rw-r--r--puppet/modules/site_rsyslog/templates/client.conf.erb1
3 files changed, 40 insertions, 12 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 5541472d..4da13d9c 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -1,6 +1,8 @@
# deploy local caching resolver
class site_config::caching_resolver {
tag 'leap_base'
+ $domain = hiera('domain')
+ $internal_domain = $domain['internal_suffix']
# We need to make sure Package['bind9'] isn't installed because when it is, it
# keeps unbound from running. Some base debian installs will install bind9,
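Review bot: The two new assignments pull `internal_suffix` out of the `domain` hiera hash without a word on why a resolver class needs it; the value feeds the `domain-insecure` unbound setting later in this class, which is a security-relevant exemption and should be explained at the point of lookup. A comment such as `# internal_suffix is exempted from DNSSEC validation below (domain-insecure), as internal zones are not signed` would make the intent reviewable. Note that if `domain` is absent or not a hash the catalog compile fails on `$domain['internal_suffix']` with an unhelpful message, so this is worth keeping in mind when the hiera layout changes. The class body continues beyond this hunk.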
@@ -17,13 +19,15 @@ class site_config::caching_resolver {
require => Package['bind9'],
settings => {
server => {
- verbosity => '1',
- interface => [ '127.0.0.1', '::1' ],
- port => '53',
- hide-identity => 'yes',
- hide-version => 'yes',
- harden-glue => 'yes',
- access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
+ verbosity => '1',
+ interface => [ '127.0.0.1', '::1' ],
+ port => '53',
+ hide-identity => 'yes',
+ hide-version => 'yes',
+ harden-glue => 'yes',
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
+ module-config => '"validator iterator"',
+ domain-insecure => $internal_domain
}
}
}
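Review bot: Adding `module-config => '"validator iterator"'` only produces DNSSEC validation when unbound also has a trust anchor; nothing in this settings hash sets `auto-trust-anchor-file` or `trust-anchor-file`, so unless the distribution's default drop-in configuration supplies one (Debian's unbound package typically does), every answer is treated as insecure and the `dane` setting introduced in mx.pp in this same commit silently degrades to opportunistic TLS. That coupling is invisible here, so a comment like `# validator requires a trust anchor (expected from the package's default conf); verify with dig +dnssec @127.0.0.1 that the ad flag is set` would tell the next maintainer what to check. `domain-insecure => $internal_domain` switches validation off for the entire internal suffix; that is presumably deliberate because the internal zone is unsigned, and it deserves its own one-line rationale next to the setting rather than being left implicit.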
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 0b760eb4..2dac85f5 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -57,10 +57,6 @@ class site_postfix::mx {
value => 'sha1';
'relay_clientcerts':
value => 'tcp:localhost:2424';
- # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
- # because the satellites need to have a different value
- 'smtp_tls_security_level':
- value => 'may';
# reject inbound mail to system users
# see https://leap.se/code/issues/6829
# this blocks *only* mails to system users, that don't appear in the
@@ -90,6 +86,35 @@ class site_postfix::mx {
value => 'permit_mynetworks';
'postscreen_greet_action':
value => 'enforce';
+ # Level of DNS support in the Postfix SMTP client. Enable DNS lookups
+ # (default: empty). When empty, then the legacy "disable_dns_lookups"
+ # (default: no) parameter is used. Setting 'smtp_dns_support_level' to
+ # enabled sets the previous behavior with the new parameter. When set to
+ # 'dnssec" this enables DNSSEC lookups.
+ 'smtp_dns_support_level':
+ value => 'dnssec';
+
+ # http://www.postfix.org/TLS_README.html#client_tls_dane The "dane" level is
+ # a stronger form of opportunistic TLS that is resistant to man in the
+ # middle and downgrade attacks when the destination domain uses DNSSEC to
+ # publish DANE TLSA records for its MX hosts. If a remote SMTP server has
+ # "usable" (see RFC 6698) DANE TLSA records, the server connection will be
+ # authenticated. When DANE authentication fails, there is no fallback to
+ # unauthenticated or plaintext delivery.
+ #
+ # If TLSA records are published for a given remote SMTP server (implying TLS
+ # support), but are all "unusable" due to unsupported parameters or
+ # malformed data, the Postfix SMTP client will use mandatory unauthenticated
+ # TLS. Otherwise, when no TLSA records are published, the Postfix SMTP
+ # client behavior is the same as with may.
+ #
+ # This requires postfix to be able to send its DNS queries to a recursive
+ # DNS nameserver that is able to validate the signed records
+ #
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the satellites need to have a different value
+ 'smtp_tls_security_level':
+ value => 'dane';
}
# Make sure that the cleanup serivce is not chrooted, otherwise it cannot
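Review bot: `smtp_tls_security_level => 'dane'` together with `smtp_dns_support_level => 'dnssec'` is only as strong as the path to the validating resolver: Postfix trusts the AD bit in the answer, so the host's resolver must be the loopback unbound this commit configures in caching_resolver.pp, and no Puppet relationship or comment in this manifest expresses that dependency. When the resolver does not validate, Postfix does not fail; DANE quietly behaves like `may`, so the only way to notice is the "Verified TLS connection" versus "Untrusted TLS connection" wording in the mail log, which is worth stating in the comment block (e.g. `# requires the local validating resolver from site_config::caching_resolver; without the AD bit DANE silently degrades to 'may'`). DANE client support also needs a sufficiently recent Postfix (I believe 2.11 or later), which the manifest does not guard. Minor: the comment line reading `'dnssec"` has mismatched quotes.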
diff --git a/puppet/modules/site_rsyslog/templates/client.conf.erb b/puppet/modules/site_rsyslog/templates/client.conf.erb
index 7f94759d..553b8373 100644
--- a/puppet/modules/site_rsyslog/templates/client.conf.erb
+++ b/puppet/modules/site_rsyslog/templates/client.conf.erb
@@ -93,7 +93,6 @@ auth,authpriv.* /var/log/secure
<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%>
# First some standard log files. Log by facility.
#
-*.*;auth,authpriv.none -/var/log/syslog
cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log