path: root/puppet/modules/site_postfix
Age | Commit message | Author
2017-02-23 | [feat] always set smtpd_relay_restrictions | varac
    Now that we deprecate wheezy, we can always set smtpd_relay_restrictions.

2016-07-19 | Block ip-based helo at MTA (#8139). | Micah
    Numeric helo is a very strong indicator of spam. When this is blocked, a very significant amount of spam stops.
    Change-Id: Ieb340190faf37638950d1aa60b52268659e0b7f6

2016-07-19 | Block MTAs that claim they are 'localhost'. | Micah
    Nobody should be claiming that they are localhost when they are connecting over smtpd.
    Change-Id: Ifb7df855b4e12021c58b89b2053e31fb10806096

2016-07-05 | Use DANE/TLSA validation in postfix (#8141). | Micah
    Configure DNSSEC validation for client verification, giving us a stronger form of opportunistic TLS.
    Change-Id: Iab92d4f593c4a5a44e3b694295096b0d7f687a37

2016-06-16 | Fix matching for cleanup check. | Micah
    The onlyif check was incorrectly specified in the original implementation in commit id 15b83d88dcedab496a19cef57f11c5c8e091dd4a; this inverts it so it is properly detected.
    Change-Id: I531e206fff1ca61780adcd195e1f917011e50fb4

2016-06-02 | Fix opendkim milter location (#8163). | Micah
    The unix socket method for connecting to the milter was incorrectly reverted; this puts it back to how it should be.
    Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2

2016-04-25 | [style] lint further more | varac
    - ignore puppet lint error about inheriting from different namespace

2016-04-12 | Fix postfix connection to opendkim milter (#8020) | Micah
    In order for postfix to access the opendkim milter socket, we need to remove the chroot option for the cleanup service. See e97a9d3800b173375a630e18e4b1aa0894eb96e1 for the opendkim implementation.
    Change-Id: I2742650965e61273fb804ebe9ce3f9bd38796582

2016-04-05 | testing: adds mx delivery tests | elijah

2016-03-11 | Set MUA required ciphers, tighten up the mandatory protocols (#4232) | Micah
    Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4

2016-02-23 | Update opendkim platform pieces to match leap-cli. | Micah
    Change-Id: I9c8f9c9c3ee7cd89f013cbb08397377522ed5a4a

2016-02-12 | add postscreen greeter (Resolves: 2303) | kwadronaut
    Conflicts: puppet/modules/site_postfix/manifests/mx.pp

2016-02-11 | Due to the smtps transport specifying a header_check, the received_anon | Micah
    replacement wasn't being done. (#7890) This moves that replacement into its own class, clears the old value and sets it properly in the smtps transport.
    Change-Id: I27c02730597df4943761d8bcb61014aeded9dc75

2016-02-10 | add postscreen greeter (Resolves: 2303) | kwadronaut

2016-02-04 | fix postfix Received anonymizing header regexp to properly match Client | Micah
    CN entries (#7867)
    Change-Id: Ie33277a62e90f9dc0602bb963dbb96a61cebed1d
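The two HELO rejections above (#8139 and the 'localhost' check) and the Received: anonymization regexp (#7867, moved into its own class in #7890) are all Postfix pcre: lookup tables. The Python below is an added illustration, not code from the platform's manifests: it implements the first-match-wins semantics of such a table and runs two constructed tables, one for check_helo_access and one for header_checks on the smtps submission service. The function names, the rule texts, the hostnames and addresses, and the sample Received: header are all my own constructed samples, not the project's.

```python
import re

def parse_pcre_table(text):
    """Parse a Postfix pcre: table, one '/pattern/flags action' rule per line.
    Only the 'i' flag is honoured; that is all these two tables need."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:\\.|[^/])*)/([a-z]*)\s+(.*)$", line)
        if not m:
            raise ValueError("malformed pcre rule: " + line)
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, re.I if "i" in flags else 0), action))
    return rules

def lookup(rules, key):
    """Postfix semantics: the first matching rule wins and $N in its action is
    replaced by capture group N. Returns None when nothing matches."""
    for regex, action in rules:
        m = regex.search(key)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), action)
    return None

# Constructed check_helo_access table (not the platform's own file).
HELO_CHECKS = r"""
# a bare or bracketed IPv4 literal as HELO is a strong spam indicator
/^\[?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]?$/   REJECT numeric HELO not accepted
# nothing connecting over smtpd is really localhost
/^localhost$/i                             REJECT forged HELO
"""
# Constructed header_checks rule for the smtps submission service: drop the
# submitting client's name and address, keep the server side ($1) intact.
HEADER_CHECKS = r"""
/^Received: from [^ ]+ \([^)]*\) \(using TLS[^()]*\([^()]*\)\) \(Client CN "[^"]*", Issuer "[^"]*" \(verified OK\)\) (by .*)$/   REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) $1
"""
HELO_RULES = parse_pcre_table(HELO_CHECKS)
HEADER_RULES = parse_pcre_table(HEADER_CHECKS)

def helo_verdict(helo):
    """Action for a HELO/EHLO name, or DUNNO (fall through to later restrictions)."""
    return lookup(HELO_RULES, helo) or "DUNNO"

def anonymize_received(header):
    """Return the rewritten Received: header, or the original when no rule matches."""
    action = lookup(HEADER_RULES, header)
    return action[len("REPLACE "):] if action and action.startswith("REPLACE ") else header
```

An inbound Received: header from another MTA carries no "Client CN" clause, so the rule leaves it alone and only authenticated submissions are anonymized.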
2016-02-02 | [bug] Add smtpd_relay_restrictions to postfix conf | varac
    smtpd_relay_restrictions was added in postfix 2.10 (jessie has 2.11 atm). Without this, outbound mails are rejected rather than relayed.

    From http://www.postfix.org/SMTPD_ACCESS_README.html:

        NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. They combined the mail relay and spam blocking policies, under smtpd_recipient_restrictions. This could lead to unexpected results. For example, a permissive spam blocking policy could unexpectedly result in a permissive mail relay policy. An example of this is documented under "Dangerous use of smtpd_recipient_restrictions".

    smtpd_relay_restrictions defaults to 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination' and is configured here to check for a valid client cert. See http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

    Resolves: #7856

2016-01-21 | Make sure the certs are installed for all smtp tls clients, thus | Micah
    ensuring the satellite hosts are set up properly (#7611)
    Change-Id: I9dce57c305a6fd6a39596a941174fe1879af5e4f

2016-01-19 | Make sure machines in mynetworks are able to send mail through us, | Micah
    without getting blocked by the rbl (#7819)
    Change-Id: Ib7a00f810b6c49528e5f99a1d83296553a81e65e

2015-12-17 | Make sure values that might get set incorrectly, due to preseed or | Micah
    debconf selections, are set correctly (#7478)
    Change-Id: I3bd261fd6fe27bbf10b8994ffff9f8b7be5b9de0

2015-12-09 | Use client cert fingerprint lookup to determine if the user is allowed | Micah
    to relay mail through us (#3634)
    Change-Id: I46cf3ffbef4261839c376f4c36a50d9c44eb1374
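Both #7856 (smtpd_relay_restrictions) and #3634 (client cert fingerprint lookup for relaying) turn on how Postfix walks a restriction list. The Python below is an added model of that evaluation, not code from the platform or from Postfix: it shows why relay control needs its own list (the "Dangerous use of smtpd_recipient_restrictions" case the note quotes) and why the 2.10 default relay list defers a certificate-authenticated client until a check_ccert_access lookup is added. The Session class, the networks, domains, fingerprint and access maps are constructed sample data; only the restriction names are Postfix's.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    client_ip: str
    recipient_domain: str
    sasl_user: str = ""            # set when the client authenticated with SASL
    ccert_fingerprint: str = ""    # set when the client presented a TLS certificate
# Constructed site data: not the platform's real networks, domains, maps or fingerprints.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.5.0.0/16")]
AUTH_DOMAINS = {"example.org"}   # mydestination, virtual and relay domains together
CCERT_ACCESS = {"00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF": "OK"}  # check_ccert_access map
CLIENT_ACCESS = {"198.51.100.20": "OK"}   # a whitelist entry living inside the spam policy

def evaluate(restrictions, s):
    """Postfix restriction-list semantics: rules run left to right, the first PERMIT/
    REJECT/DEFER decides, a rule that does not apply falls through, an exhausted list permits."""
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if any(ipaddress.ip_address(s.client_ip) in n for n in MYNETWORKS):
                return "PERMIT"
        elif rule == "permit_sasl_authenticated":
            if s.sasl_user:
                return "PERMIT"
        elif rule == "check_ccert_access":
            if CCERT_ACCESS.get(s.ccert_fingerprint) == "OK":
                return "PERMIT"
        elif rule == "check_client_access":
            if CLIENT_ACCESS.get(s.client_ip) == "OK":
                return "PERMIT"
        elif rule == "defer_unauth_destination":
            if s.recipient_domain not in AUTH_DOMAINS:
                return "DEFER"
        # any other restriction name is treated as DUNNO in this model
    return "PERMIT"

DEFAULT_RELAY = ["permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"]
CCERT_RELAY = ["permit_mynetworks", "check_ccert_access", "defer_unauth_destination"]
SPAM_POLICY = ["permit_mynetworks", "check_client_access"]   # relay control left to the relay list
LEGACY_COMBINED = ["permit_mynetworks", "check_client_access", "defer_unauth_destination"]  # pre-2.10 single list

def rcpt_to(s, relay=CCERT_RELAY, recipient=SPAM_POLICY):
    """Postfix >= 2.10: smtpd_relay_restrictions runs first and must permit, then the recipient list runs."""
    verdict = evaluate(relay, s)
    return verdict if verdict != "PERMIT" else evaluate(recipient, s)

def rcpt_to_legacy(s):
    """Postfix < 2.10: one smtpd_recipient_restrictions does both jobs."""
    return evaluate(LEGACY_COMBINED, s)
```

With the combined list, the whitelisted partner address can relay to any domain; with a separate relay list it is only accepted for our own domains, while the certificate-authenticated client relays only once check_ccert_access is in the relay list.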
2015-12-01 | Switch from 'vmail' to leap-mx's user/group (#6936, #7639) | Micah
    This change will make sure that the user/group for leap-mx exist, and it changes the mail location from /var/mail/vmail to the more helpful name /var/mail/leap-mx.
    This change requires: https://github.com/leapcode/leap_mx/pull/78 and it would replace merge request: https://github.com/leapcode/leap_mx/pull/65 and fix https://leap.se/code/issues/6936 and https://leap.se/code/issues/7635
    Change-Id: Idbe678dc999e394232c2eeef2b2018d39ab7cc3b

2015-12-01 | stop delivering non-existing local user mail to leap-mx (#5431) | Micah
    When mail comes in to the system, a lookup is done to see if it is a valid leap user; if it is, leap_mx now returns something of the form uuid@deliver.local (see #5959). The virtual_mailbox_domains lists deliver.local, so postfix chooses to deliver to virtual_mailbox_base (/var/mail/vmail), which has been hardcoded to the 'vmail' maildir and user.

    We want leap related mail and leap aliases to go through the virtual alias system, all the hard-coded universal aliases we want to go through the local system, and we don't want these separate. Known domains that are considered 'virtual' will be forwarded or delivered to the vmail user, the rest rejected as unknown recipient, instead of being handed off to leap-mx.

    Previously, the way this was done is we leaned (too heavily) on the 'luser_relay' postfix configuration, which sent anything that wasn't locally configured right to the leap_mx spool. That meant everything went there, including addresses that didn't exist, and leap-mx would then have to process those and bounce them.

    This removes the 'luser_relay' option, so any address that doesn't resolve properly to either a local address/alias, or a leap address or alias (through tcp lookups on 2424 and 4242), will get bounced as an unknown user.
    Change-Id: I3c22e9383861b3794dd9adfd7aa6a0cf0a773a18

2015-11-17 | [deprec] use @ in front of erb template tags | varac
    Puppet 3 now shows deprecation warnings if the "@" is missing. See https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n]

2015-11-02 | Add initial rate-limiting for outgoing SMTP, using postfwd (#5972) | Micah
    Change-Id: I6a6e68908b71d7499eb3ef3c7f0173b3d5b7baa2

2015-11-02 | Add basic DKIM support, this requires changes in leap_cli detailed in | Micah
    issue #5924
    Change-Id: I6aa1e7751633407d441cbc6436d8426d37dbbfa7

2015-10-13 | add clamav filtering, with sanesecurity signature updating and provider | Micah
    whitelisting (#3625)
    Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616

2015-09-24 | allow certain aliases, like 'abuse', to be publicly forwardable. | elijah

2015-09-15 | Merge branch 'feature/rewrite_openpgp_header_7413' into develop | Micah Anderson
    Change-Id: I42a1ef661dc55fb8110e82e930f67679c3dff1f8

2015-09-15 | minor linting | Micah Anderson
    Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54

2015-09-14 | Merge remote-tracking branch 'micah/hiera_defaults_7443' into develop | varac

2015-09-11 | switch aliases to use virtual_alias_maps | elijah

2015-09-10 | Make sure hiera values have valid defaults if they are not specified (#7443) | Micah Anderson
    Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a

2015-09-10 | Fix clients being blocked by RBLs (#7431) | Micah Anderson
    Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL.
    Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful.
    Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1

2015-09-08 | rewrite openpgp header to be always correct (#7413) | Micah Anderson
    The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however.
    Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac

2015-08-21 | add support for configurable mail alias maps | elijah

2015-07-28 | Support RBL blocking of incoming mail (#5923) | Micah Anderson
    Set zen.spamhaus as the default rbl
    Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158

2015-04-28 | Reject inbound mail to local system users that don't appear in | varac
    /etc/aliases #6829
    We began to receive spam for vmail@DOMAIN. So we want to block inbound mail to local system users. However, users in the /etc/aliases file are still accepted on inbound mail - see https://leap.se/code/issues/6909 for a follow up.
    Change-Id: I03d3014984c4bd27f90147125fb037b68716624d

2014-12-09 | Deploy leap ca cert for smtp tls config (Bug #6485) | varac
    Change-Id: I029ffabd33299a5b42e5f262e372eafb6272d094

2014-12-02 | minor linting | Micah Anderson
    Change-Id: Idf550ed004bcb42d6e19ac0a2c5286f52a390935

2014-04-02 | Force satellite hosts that only speak to relayhost to have a | Micah Anderson
    smtp_tls_security_level of 'encrypt', so it is not optional (#1902)
    Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16

2014-04-02 | Fix for satellite hosts that are unable to contact their relayhost | Micah Anderson
    because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite).
    Fixes #5225
    Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1

2014-04-01 | Include all the ips that are allowed to send mail through the relay in | Micah Anderson
    the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out.
    Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343)
    Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b

2014-03-24 | fixes #5360 adds admin@ as reserved address + linting | kwadronaut

2013-12-19 | Set mynetworks to include any mx server in the provider to allow them to [tag: 0.5.0rc1] | Micah Anderson
    Helo as the domain (#4495)
    Change-Id: I6c8ac28faceb8b0c6129a606ede04837efd3d261

2013-12-19 | Fix the location of the smtp/smtpd_tls_session_cache_database (#4813) | Micah Anderson
    Change-Id: I959fa40ff508bbeaf7baa0b6ba90c10c9e6b0ef7

2013-12-18 | add a smtp_tls class and include that on both mx servers and satellites | Micah Anderson
    Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728

2013-12-18 | rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate | Micah Anderson
    class for smtp vs. smtpd tls configurations
    Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3

2013-11-27 | disable starttls over submission for client connections, we are using TLS | Micah Anderson
    wrapper mode on the smtps port 465 now (#4366)
    enable the missing smtpd_helo_restrictions for smtps
    Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6

2013-10-31 | certtool-postfix-gendh attempted before postfix is installed (Bug #4340) | Micah Anderson
    Change-Id: I4ffb5b9203741d1152dfd93ef9ecc45f6a6088d4

2013-10-31 | require postfix is installed before installing postfix-pcre (#4223) | Micah Anderson
    Change-Id: I547b99becb8b16fec0ac89f06fb6d833cbde3c2b