Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 | 
2 files changed, 13 insertions, 6 deletions
|
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 7ec60d49..75378480 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -51,6 +51,12 @@ class site_postfix::mx {
       value => 'static:42424';
     'smtpd_tls_received_header':
       value => 'yes';
+    # the following is needed for matching user's client cert fingerprints to
+    # enable relaying (#3634)
+    'smtpd_tls_fingerprint_digest':
+      value => 'sha1';
+    'relay_clientcerts':
+      value => 'tcp:localhost:2424';
     # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
     # because the satellites need to have a different value
     'smtp_tls_security_level':
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 1c3e5c92..f2bd571b 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
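Review bot: In mx.pp, `relay_clientcerts` now points at `tcp:localhost:2424`, so the relay decision rests on an unauthenticated TCP lookup; Postfix's tcp_table documentation advises against this map type for security-sensitive lookups because client and server do not authenticate each other. Port 2424 is unprivileged, so another local process could answer on it while the lookup daemon is down; I would add a comment naming the service that owns the port and confirm that a failed lookup defers mail rather than permitting it. Separately, `value => 'sha1';` for `smtpd_tls_fingerprint_digest` would be better as `value => 'sha256';` if the deployed Postfix/OpenSSL supports it, changed together with whatever digest the lookup service stores. The enclosing postfix::config resource starts and ends outside the hunk.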
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks {
       value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit';
     'smtpd_recipient_restrictions':
       value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
-    # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
-    # with a lookup on $relay_clientcerts! Right now we are listing the only
-    # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
-    # but we cannot cut off a certificate that should no longer be used unless
-    # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+
+    # permit_tls_clientcerts will lookup client cert fingerprints from the tcp
+    # lookup on port 2424 (based on what is configured in relay_clientcerts
+    # paramter, see site_postfix::mx postfix::config resource) to determine
+    # if a client is allowed to relay mail through us. This enables us to
+    # disable a user by removing their valid client cert (#3634)
     'smtps_recipient_restrictions':
-      value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+      value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
     'smtps_helo_restrictions':
       value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
     'smtpd_sender_restrictions':
|
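Review bot: With `permit_tls_clientcerts` in `smtps_recipient_restrictions`, relay authorization rests on the fingerprint match alone; unlike the removed `permit_tls_all_clientcerts`, it does not appear to require the certificate chain to verify against the CA, so expiry and revocation would have to be enforced by the port-2424 lookup service, which is worth confirming against the deployed Postfix version and stating in the comment. The rule also only takes effect if the smtps listener requests client certificates (`smtpd_tls_ask_ccert`), which is not visible in this hunk. The new comment has a typo, `paramter` for `parameter`, and could add a line such as `# a cert that is not listed falls through to check_recipient_access and reject_unauth_destination`. The postfix::config resource continues outside the hunk.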
