Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/resolver.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 3 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 21 | 
3 files changed, 29 insertions, 5 deletions
|
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c1bce858..c74fb509 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -60,25 +60,25 @@ class site_openvpn::resolver {
       path    => '/etc/unbound/unbound.conf',
       line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
       notify  => Service['unbound'],
-      require => Package['unbound'];
+      require => [ Package['openvpn'], Package['unbound'] ];
     'add_unlimited_udp_resolver':
       ensure  => $ensure_unlimited,
       path    => '/etc/unbound/unbound.conf',
       line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
       notify  => Service['unbound'],
-      require => Package['unbound'];
+      require => [ Package['openvpn'], Package['unbound'] ];
     'add_limited_tcp_resolver':
       ensure  => $ensure_limited,
       path    => '/etc/unbound/unbound.conf',
       line    => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
       notify  => Service['unbound'],
-      require => Package['unbound'];
-    'add_limited_udp_resolver':
+      require => [ Package['openvpn'], Package['unbound'] ];
+      'add_limited_udp_resolver':
       ensure  => $ensure_limited,
       path    => '/etc/unbound/unbound.conf',
       line    => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
       notify  => Service['unbound'],
-      require => Package['unbound']
+      require => [ Package['openvpn'], Package['unbound'] ];
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 0eb7a7cd..e44b7a9a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
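Review bot: In the resolver.pp hunk the fourth resource title, `'add_limited_udp_resolver':`, is now indented six spaces while its three sibling titles stay at four; restoring `    'add_limited_udp_resolver':` keeps the resource list aligned. The hunk also does not show why edits to `/etc/unbound/unbound.conf` must now wait for `Package['openvpn']`, so a one-line comment above the first `require` stating that dependency would save the next reader from guessing. The resource declaration itself opens above the hunk, so its type and any defaults are not visible here.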
@@ -2,6 +2,7 @@ class site_postfix::mx {
   $domain_hash         = hiera ('domain')
   $domain              = $domain_hash['full_suffix']
+  $host_domain         = $domain_hash['full']
   $mx_hash             = hiera('mx')
   $cert_name           = hiera('name')
@@ -16,6 +17,8 @@ class site_postfix::mx {
   postfix::config {
     'mydestination':
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+    'myhostname':
+      value => $host_domain;
     'mailbox_size_limit':
       value => '0';
     'home_mailbox':
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 5e399f5c..3bc7d85b 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -52,3 +52,24 @@ class site_postfix::mx::tls {
   }
 }
+  # smtp TLS
+  postfix::config {
+    'smtp_use_tls':        value  => 'yes';
+    'smtp_tls_CApath':     value  => '/etc/ssl/certs/';
+    'smtp_tls_CAfile':     value  => $ca_path;
+    'smtp_tls_cert_file':  value  => $cert_path;
+    'smtp_tls_key_file':   value  => $key_path;
+    'smtp_tls_ask_ccert':  value  => 'yes';
+    'smtp_tls_loglevel':   value  => '1';
+    'smtp_tls_exclude_ciphers':
+      value => 'aNULL, MD5, DES';
+    # upstream default is md5 (since 2.5 and older used it), we force sha1
+    'smtp_tls_fingerprint_digest':
+      value => 'sha1';
+    'smtp_tls_session_cache_database':
+      value => 'btree:${queue_directory}/smtp_cache';
+    'smtp_tls_security_level':
+      value  => 'may';
+  }
+
+
|
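Review bot: In the tls.pp hunk the new `postfix::config { … }` block appears to land after the closing `}` of `class site_postfix::mx::tls` (the two context lines before it are `  }` and `}`), so it would be evaluated outside the class, where `$ca_path`, `$cert_path` and `$key_path` are presumably not in scope; the class's closing `}` should move below the new block. Separately, `'smtp_tls_security_level': value => 'may';` is opportunistic TLS, which does not verify the peer certificate, so the CA settings added here give no protection against downgrade or interception. Destinations that must be authenticated would need a `smtp_tls_policy_maps` entry with a verifying level. `smtp_tls_ask_ccert` does not look like a Postfix client parameter (the server-side name is `smtpd_tls_ask_ccert`), and `smtp_use_tls` is superseded by `smtp_tls_security_level`, so both lines are worth checking against `postconf` before keeping them. The class body begins above the hunk, so where those path variables are defined is not visible here.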
