diff options
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/modules/site_config/manifests/caching_resolver.pp | 18 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 33 | ||||
-rw-r--r-- | puppet/modules/site_rsyslog/templates/client.conf.erb | 1 |
3 files changed, 40 insertions, 12 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 5541472d..4da13d9c 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,6 +1,8 @@ # deploy local caching resolver class site_config::caching_resolver { tag 'leap_base' + $domain = hiera('domain') + $internal_domain = $domain['internal_suffix'] # We need to make sure Package['bind9'] isn't installed because when it is, it # keeps unbound from running. Some base debian installs will install bind9, @@ -17,13 +19,15 @@ class site_config::caching_resolver { require => Package['bind9'], settings => { server => { - verbosity => '1', - interface => [ '127.0.0.1', '::1' ], - port => '53', - hide-identity => 'yes', - hide-version => 'yes', - harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ] + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ], + module-config => '"validator iterator"', + domain-insecure => $internal_domain } } } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0b760eb4..2dac85f5 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -57,10 +57,6 @@ class site_postfix::mx { value => 'sha1'; 'relay_clientcerts': value => 'tcp:localhost:2424'; - # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls - # because the satellites need to have a different value - 'smtp_tls_security_level': - value => 'may'; # reject inbound mail to system users # see https://leap.se/code/issues/6829 # this blocks *only* mails to system users, that don't appear in the @@ -90,6 +86,35 @@ class site_postfix::mx { value => 'permit_mynetworks'; 'postscreen_greet_action': value => 'enforce'; + # Level of DNS support in the Postfix SMTP client. Enable DNS lookups + # (default: empty). When empty, then the legacy "disable_dns_lookups" + # (default: no) parameter is used. Setting 'smtp_dns_support_level' to + # enabled sets the previous behavior with the new parameter. When set to + # 'dnssec" this enables DNSSEC lookups. + 'smtp_dns_support_level': + value => 'dnssec'; + + # http://www.postfix.org/TLS_README.html#client_tls_dane The "dane" level is + # a stronger form of opportunistic TLS that is resistant to man in the + # middle and downgrade attacks when the destination domain uses DNSSEC to + # publish DANE TLSA records for its MX hosts. If a remote SMTP server has + # "usable" (see RFC 6698) DANE TLSA records, the server connection will be + # authenticated. When DANE authentication fails, there is no fallback to + # unauthenticated or plaintext delivery. + # + # If TLSA records are published for a given remote SMTP server (implying TLS + # support), but are all "unusable" due to unsupported parameters or + # malformed data, the Postfix SMTP client will use mandatory unauthenticated + # TLS. Otherwise, when no TLSA records are published, the Postfix SMTP + # client behavior is the same as with may. + # + # This requires postfix to be able to send its DNS queries to a recursive + # DNS nameserver that is able to validate the signed records + # + # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls + # because the satellites need to have a different value + 'smtp_tls_security_level': + value => 'dane'; } # Make sure that the cleanup serivce is not chrooted, otherwise it cannot diff --git a/puppet/modules/site_rsyslog/templates/client.conf.erb b/puppet/modules/site_rsyslog/templates/client.conf.erb index 7f94759d..553b8373 100644 --- a/puppet/modules/site_rsyslog/templates/client.conf.erb +++ b/puppet/modules/site_rsyslog/templates/client.conf.erb @@ -93,7 +93,6 @@ auth,authpriv.* /var/log/secure <% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> # First some standard log files. Log by facility. # -*.*;auth,authpriv.none -/var/log/syslog cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log |