summaryrefslogtreecommitdiff
path: root/puppet/modules/site_postfix
AgeCommit message (Collapse)Author
2015-10-13add clamav filtering, with sanesecurity signature updating and provider ↵Micah
whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616
2015-09-24allow certain aliases, like 'abuse', to be publicly forwardable.elijah
2015-09-15Merge branch 'feature/rewrite_openpgp_header_7413' into developMicah Anderson
Change-Id: I42a1ef661dc55fb8110e82e930f67679c3dff1f8
2015-09-15minor lintingMicah Anderson
Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54
2015-09-14Merge remote-tracking branch 'micah/hiera_defaults_7443' into developvarac
2015-09-11switch aliases to use virtual_alias_mapselijah
2015-09-10Make sure hiera values have valid defaults if they are not specified (#7443)Micah Anderson
Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a
2015-09-10Fix clients being blocked by RBLs (#7431)Micah Anderson
Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL. Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful. Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1
2015-09-08rewrite openpgp header to be always correct (#7413)Micah Anderson
The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac
2015-08-21add support for configurable mail alias mapselijah
2015-07-28Support RBL blocking of incoming mail (#5923)Micah Anderson
Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158
2015-04-28Reject inbound mail to local system users that don't appear invarac
/ect/aliases #6829 We began to recieve spam for vmail@DOMAIN. So we want to block inbound mail to local system users. However, users in the /etc/aliases file are still accepted on inbound mail - see https://leap.se/code/issues/6909 for a follow up. Change-Id: I03d3014984c4bd27f90147125fb037b68716624d
2014-12-09Deploy leap ca cert for smtp tls config (Bug #6485)varac
Change-Id: I029ffabd33299a5b42e5f262e372eafb6272d094
2014-12-02minor lintingMicah Anderson
Change-Id: Idf550ed004bcb42d6e19ac0a2c5286f52a390935
2014-04-02Force satellite hosts that only speak to relayhost to have aMicah Anderson
smtp_tls_security_level of 'encrypt', so it is not optional (#1902) Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16
2014-04-02Fix for satellite hosts that are unable to contact their relayhostMicah Anderson
because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite). Fixes #5225 Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
2014-04-01Include all the ips that are allowed to send mail through the relay inMicah Anderson
the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343) Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
2014-03-24fixes #5360 adds admin@ as reserved address + lintingkwadronaut
2013-12-19Set mynetworks to include any mx server in the provider to allow them to0.5.0rc1Micah Anderson
Helo as the domain (#4495) Change-Id: I6c8ac28faceb8b0c6129a606ede04837efd3d261
2013-12-19Fix the location of the smtp/smtpd_tls_session_cache_database (#4813)Micah Anderson
Change-Id: I959fa40ff508bbeaf7baa0b6ba90c10c9e6b0ef7
2013-12-18add a smtp_tls class and include that on both mx servers and satellitesMicah Anderson
Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728
2013-12-18rename the tls.pp to be smtpd_tls.pp, this allows us to have a separateMicah Anderson
class for smtp vs. smtpd tls configurations Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3
2013-11-27disable starttls over submission for client connections, we are using TLS ↵Micah Anderson
wrapper mode on the smtps port 465 now (#4366) enable the missing smtpd_helo_restrictions for smtps Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6
2013-10-31certtool-postfix-gendh attempted before postfix is installed (Bug #4340)Micah Anderson
Change-Id: I4ffb5b9203741d1152dfd93ef9ecc45f6a6088d4
2013-10-31require postfix is installed before installing postfix-pcre (#4223)Micah Anderson
Change-Id: I547b99becb8b16fec0ac89f06fb6d833cbde3c2b
2013-10-11class moved but forgot to renamevarac
2013-10-11move site_config::checks to site_config::mx::checksvarac
2013-10-11deploy postfix satellites on all nodes (Bug #1683)varac
2013-10-10contacts is now a top-level hiera variablevarac
2013-10-10fix site_postfix::mx::reserved_aliases class name and package arrayvarac
2013-10-09setup email account 'blacklist' by configuring reserved aliases, effectively ↵Micah Anderson
implementing RFC2142 and more (#3602) Change-Id: Ic2765b25ff9e1560def4900a1bf38dc8023b0ffa
2013-10-06It turns out postfix's variable for 1024bit DH parameters can actually take ↵0.3.0rc3Micah Anderson
a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5
2013-10-06implement stripping user's home IPs from Received headers (#3866)Micah Anderson
Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0
2013-10-06only use TLSv1 or later for smtp (Feature #4011)Micah Anderson
Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f
2013-10-03Merge branch 'feature/3953' into developMicah Anderson
2013-10-03It turns out postfix's variable for 1024bit DH parameters can actually take ↵Micah Anderson
a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5
2013-10-02setup smtpd_tls_eecdh_grade to 'ultra' and configure the ↵Micah Anderson
smtpd_tls_dh1024_param file, after generating it (#3953) Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5
2013-09-26set myhostname in postfix the internet hostname of this mail system. The ↵Micah Anderson
default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869) Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6
2013-09-26Merge branch 'bug/3868' into developMicah Anderson
2013-09-26Add client-side TLS configuration (#3868)Micah Anderson
Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206
2013-09-26Merge branch 'bug/3868' into developMicah Anderson
2013-09-26properly set the $smtps_recipient_restrictions variable in master.cf (#3935)Micah Anderson
Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd
2013-09-25add smtp_tls_received_header to include information about the protocol and ↵Micah Anderson
cipher used as well as the client and issuer CommonName into the "Received:" header Also, clean up the parameters to standardize them Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4
2013-09-24fix client_ca cert+key for mx service (Feature #3921)varac
2013-09-24seperate cert and key deployment (#3918)varac
2013-09-19only deploy x509 stuff for nodes if it existes in hiera (Feature #3875)varac
2013-09-18use x509 for postfix ca and fix names for cert+key (Feature #3833)varac
2013-09-03use check_helo_access hash:/helo_checks also for $submission_helo_restrictionsvarac
2013-09-03fix $master_cf_tail formatvarac
2013-09-03Sending mail fails when relaying using non-fully-qualified hostname (Feature ↵varac
#3667)