Diffstat (limited to 'puppet')
m---------puppet/modules/couchdb0
-rw-r--r--puppet/modules/site_postfix/manifests/checks.pp23
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp18
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp6
-rw-r--r--puppet/modules/site_postfix/templates/checks/helo_access.erb21
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp2
-rw-r--r--puppet/modules/soledad/manifests/server.pp3
7 files changed, 63 insertions, 10 deletions
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject f59e8b2e4aad3023f46ae3a1aad655b06605ee8
+Subproject dacaeb4d98be9468336923f5501822d389bda76
diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp
new file mode 100644
index 00000000..06f9a7a4
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/checks.pp
@@ -0,0 +1,23 @@
+class site_postfix::checks {
+
+ file {
+ '/etc/postfix/checks':
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => postfix,
+ require => Class['postfix'];
+
+ '/etc/postfix/checks/helo_checks':
+ content => template('site_postfix/checks/helo_access.erb'),
+ mode => '0644',
+ owner => root,
+ group => root;
+ }
+
+ exec {
+ '/usr/sbin/postmap /etc/postfix/checks/helo_checks':
+ refreshonly => true,
+ subscribe => File['/etc/postfix/checks/helo_checks'];
+ }
+}
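Review bot: The checks directory is hard-coded as `/etc/postfix/checks` in the file resources and the postmap exec, while the smtpd_checks.pp hunk in this commit defines `checks_dir` as `$config_directory/checks` and the restriction lists look the table up via `hash:$checks_dir/helo_checks`; the two only agree while Postfix's config_directory is /etc/postfix, which nothing in the hunk states. A comment on the directory resource, `# must match checks_dir ($config_directory/checks) in site_postfix::mx::smtpd_checks`, would make that coupling visible to the next editor. Separately, because the postmap exec is `refreshonly`, a missing or stale `helo_checks.db` is only rebuilt when the source file itself changes, and until then every `check_helo_access` lookup hits a missing table; guarding the exec with `unless => 'test /etc/postfix/checks/helo_checks.db -nt /etc/postfix/checks/helo_checks'` instead of `refreshonly` would regenerate it on any run where the .db is absent or older than its source.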
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2e68297d..2d8f3db5 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -18,6 +18,7 @@ class site_postfix::mx {
}
include site_postfix::mx::smtpd_checks
+ include site_postfix::checks
include site_postfix::mx::tls
# greater verbosity for debugging, take out for production
@@ -36,13 +37,14 @@ class site_postfix::mx {
root_mail_recipient => $root_mail_recipient,
smtp_listen => 'all',
mastercf_tail =>
- "smtps inet n - - - - smtpd\n
- -o smtpd_tls_wrappermode=yes\n
- -o smtpd_tls_security_level=encrypt\n
- submission inet n - n - - smtpd\n
- -o smtpd_tls_security_level=encrypt\n
- -o smtpd_recipient_restrictions=\$submission_recipient_restrictions",
- require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
- User['vmail'] ]
+ "smtps inet n - - - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_tls_security_level=encrypt
+submission inet n - n - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
+ -o smtpd_helo_restrictions=\$submission_helo_restrictions",
+ require => [
+ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ]
}
}
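Review bot: The `-o` lines inside mastercf_tail now depend on their leading whitespace being preserved verbatim, because master.cf treats a line that begins with whitespace as a continuation of the preceding service entry and the `\n` escapes that previously separated them are gone; this rendering drops indentation, so I cannot confirm the continuation lines are indented in the source. A comment directly above the string, `# leading whitespace on the -o lines is significant: master.cf reads an indented line as a continuation of the service above it`, would stop a well-meaning re-indent from silently breaking the submission and smtps entries. The new `-o smtpd_helo_restrictions=$submission_helo_restrictions` override is applied to submission only, so smtps keeps the global `smtpd_helo_restrictions`; if that asymmetry is intended, a short comment saying so would help. The enclosing `site_postfix::mx` class starts outside the hunk.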
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 34cffb0d..0f1500a4 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -3,6 +3,8 @@ class site_postfix::mx::smtpd_checks {
postfix::config {
'smtpd_helo_required':
value => 'yes';
+ 'checks_dir':
+ value => '$config_directory/checks';
'smtpd_client_restrictions':
value => 'permit_mynetworks,permit';
'smtpd_data_restrictions':
@@ -10,7 +12,7 @@ class site_postfix::mx::smtpd_checks {
'smtpd_delay_reject':
value => 'yes';
'smtpd_helo_restrictions':
- value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit';
+ value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_recipient_restrictions':
value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
# We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
@@ -22,6 +24,8 @@ class site_postfix::mx::smtpd_checks {
value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
'submission_recipient_restrictions':
value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ 'submission_helo_restrictions':
+ value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_sender_restrictions':
value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
}
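Review bot: In the new `submission_helo_restrictions` value, `check_helo_access` runs before any client-certificate check, so an authenticated submission client whose HELO name falls under the provider domain is answered with the table's 554 even though it presents a valid certificate; the existing recipient lists in this file lead with `permit_tls_all_clientcerts`, and if rejecting such clients on the submission port is not the intent, `value => 'permit_mynetworks, permit_tls_all_clientcerts, check_helo_access hash:$checks_dir/helo_checks, permit';` would keep the check for unauthenticated connections only. Whether real clients ever HELO with a name in the provider domain is not something the hunk shows, so this may be a non-issue in practice. A one-line comment above the entry stating why the HELO table applies to authenticated submission as well as to inbound MX traffic would settle the question for future readers.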
diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb
new file mode 100644
index 00000000..bef3c11d
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb
@@ -0,0 +1,21 @@
+# THIS FILE IS MANAGED BY PUPPET
+# To make changes to this file, please edit your platform directory under
+# puppet/modules/site_postfix/templates/checks/helo_access.erb and then deploy
+
+# The format of this file is the HELO/EHLO domain followed by an action.
+# The action could be OK to allow it, REJECT to reject it, or a custom
+# status code and message. Any lines that are prefixed by an octothorpe (#)
+# will be considered comments.
+
+# Some examples:
+#
+# Reject anyone that HELO's with foobar:
+# foobar REJECT
+#
+# Allow the switches to skip this check:
+# switch1 OK
+# switch2 OK
+
+# Reject anybody that HELO's as being in our own domain(s)
+# anyone who identifies themselves as us is a virus/spammer
+<%= domain %> 554 You are not in domain <%= domain %>
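Review bot: The trailing comment says the entry rejects anyone HELOing "as being in our own domain(s)", but a bare `domain.tld` key in a Postfix access table also matches every subdomain while `parent_domain_matches_subdomains` contains `smtpd_access_maps`, which is the Postfix default; hosts outside mynetworks that legitimately identify as `something.<domain>` are therefore rejected too. The comment should state that, for example `# matches <domain> and all of its subdomains (parent_domain_matches_subdomains default); permit_mynetworks runs first, so our own hosts are unaffected`. Also, `<%= domain %>` relies on the unscoped top-level lookup in ERB templates, which Puppet has deprecated in favour of `<%= @domain %>`; switching both occurrences is a two-token change with the same output.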
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index 35e47982..6a40d501 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -51,12 +51,14 @@ class site_shorewall::defaults {
changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
+ require => Package['shorewall'],
notify => Service[shorewall];
# require that the interface exist
'shorewall_REQUIRE_INTERFACE':
changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
+ require => Package['shorewall'],
notify => Service[shorewall];
# configure shorewall-init
'shorewall-init':
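Review bot: Only the two augeas resources visible in the hunk gain `require => Package['shorewall']`; the `'shorewall-init'` resource that begins on the last line has its body outside the hunk, so it is not clear whether it edits the same `/etc/shorewall/shorewall.conf` and needs the identical `require` to avoid running before the package has laid the file down. If it does, adding `require => Package['shorewall'],` there keeps the three resources consistent. The enclosing augeas block and class start before the hunk.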
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index fcf9d461..393d416a 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -47,7 +47,8 @@ class soledad::server {
package { 'soledad-server':
ensure => latest,
- require => Class['site_apt::preferences::twisted']
+ require => [ Class['site_apt::preferences::twisted'],
+ Class['site_apt::leap_repo'] ];
}
file { '/etc/default/soledad':
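Review bot: Making `Class['site_apt::leap_repo']` an explicit requirement of the package resource formalises that `soledad-server` comes from that repository, yet the resource keeps `ensure => latest`, so every Puppet run will upgrade the server to whatever that repository currently publishes without any pin or review step; that was already the case before this commit, but the new dependency is the natural place to record the decision. A comment such as `# tracked from the LEAP repo on every run; pin a version here if unattended upgrades are not wanted` would make the trade-off explicit. The `file { '/etc/default/soledad':` resource on the last line continues outside the hunk.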