From 51f17512d031e937ebbb8f6568c7cffc287b65d3 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 12:57:20 -0500
Subject: rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate class for smtp vs. smtpd tls configurations
Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3
---
 .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 53 +++++++++++++++
 puppet/modules/site_postfix/manifests/mx/tls.pp | 78 ----------------------
 2 files changed, 53 insertions(+), 78 deletions(-)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
 delete mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
new file mode 100644
index 00000000..5714218c
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
@@ -0,0 +1,53 @@
+class site_postfix::mx::smtpd_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+
+ postfix::config {
+ 'smtpd_use_tls': value => 'yes';
+ 'smtpd_tls_CAfile': value => $ca_path;
+ 'smtpd_tls_cert_file': value => $cert_path;
+ 'smtpd_tls_key_file': value => $key_path;
+ 'smtpd_tls_ask_ccert': value => 'yes';
+ 'smtpd_tls_security_level':
+ value => 'may';
+ 'smtpd_tls_eecdh_grade':
+ value => 'ultra'
+ }
+
+ # Setup DH parameters
+ # Instead of using the dh parameters that are created by leap cli, it is more
+ # secure to generate new parameter files that will only be used for postfix,
+ # for each machine
+
+ include site_config::packages::gnutls
+
+ # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+ # parameters Neither Postfix nor OpenSSL actually care about the size of the
+ # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits
+
+ exec { 'certtool-postfix-gendh':
+ command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem',
+ user => root,
+ group => root,
+ creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => [ Package['gnutls-bin'], Package['postfix'] ]
+ }
+
+ # Make sure the dh params file has correct ownership and mode
+ file {
+ '/etc/postfix/smtpd_tls_dh_param.pem':
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Exec['certtool-postfix-gendh'];
+ }
+
+ postfix::config { 'smtpd_tls_dh1024_param_file':
+ value => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => File['/etc/postfix/smtpd_tls_dh_param.pem']
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
deleted file mode 100644
index 08978efd..00000000
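Review bot: The inbound listener configured in the `postfix::config` block at the top of this hunk gets no protocol or cipher restrictions, while the outbound `smtp_tls` class added in the next commit on this page excludes SSLv2/SSLv3 and the aNULL, MD5 and DES ciphers; adding the matching `'smtpd_tls_protocols': value => '!SSLv2, !SSLv3';` and `'smtpd_tls_exclude_ciphers': value => 'aNULL, MD5, DES';` entries would give both directions the same floor. With `smtpd_tls_security_level => 'may'` (the right choice for an MX, which cannot demand TLS from arbitrary senders) these only take effect when a peer does negotiate TLS. The comment `# Note, the file name is called dh_1024.pem` is stale, since the file generated and referenced further down is `/etc/postfix/smtpd_tls_dh_param.pem`; `# Note: the parameter is named smtpd_tls_dh1024_param_file, but the file it points to holds 2048-bit parameters` matches the code.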
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ /dev/null
@@ -1,78 +0,0 @@
-class site_postfix::mx::tls {
-
- include x509::variables
- $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
- $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-
-
- postfix::config {
- 'smtpd_use_tls': value => 'yes';
- 'smtpd_tls_CAfile': value => $ca_path;
- 'smtpd_tls_cert_file': value => $cert_path;
- 'smtpd_tls_key_file': value => $key_path;
- 'smtpd_tls_ask_ccert': value => 'yes';
- 'smtpd_tls_security_level':
- value => 'may';
- 'smtpd_tls_eecdh_grade':
- value => 'ultra'
- }
-
- # Setup DH parameters
- # Instead of using the dh parameters that are created by leap cli, it is more
- # secure to generate new parameter files that will only be used for postfix,
- # for each machine
-
- include site_config::packages::gnutls
-
- # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
- # parameters Neither Postfix nor OpenSSL actually care about the size of the
- # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits
-
- exec { 'certtool-postfix-gendh':
- command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem',
- user => root,
- group => root,
- creates => '/etc/postfix/smtpd_tls_dh_param.pem',
- require => [ Package['gnutls-bin'], Package['postfix'] ]
- }
-
- # Make sure the dh params file has correct ownership and mode
- file {
- '/etc/postfix/smtpd_tls_dh_param.pem':
- owner => root,
- group => root,
- mode => '0600',
- require => Exec['certtool-postfix-gendh'];
- }
-
- postfix::config { 'smtpd_tls_dh1024_param_file':
- value => '/etc/postfix/smtpd_tls_dh_param.pem',
- require => File['/etc/postfix/smtpd_tls_dh_param.pem']
- }
-
-}
- # smtp TLS
- postfix::config {
- 'smtp_use_tls': value => 'yes';
- 'smtp_tls_CApath': value => '/etc/ssl/certs/';
- 'smtp_tls_CAfile': value => $ca_path;
- 'smtp_tls_cert_file': value => $cert_path;
- 'smtp_tls_key_file': value => $key_path;
- 'smtp_tls_ask_ccert': value => 'yes';
- 'smtp_tls_loglevel': value => '1';
- 'smtp_tls_exclude_ciphers':
- value => 'aNULL, MD5, DES';
- # upstream default is md5 (since 2.5 and older used it), we force sha1
- 'smtp_tls_fingerprint_digest':
- value => 'sha1';
- 'smtp_tls_session_cache_database':
- value => 'btree:${queue_directory}/smtp_cache';
- 'smtp_tls_security_level':
- value => 'may';
- # see issue #4011
- 'smtp_tls_protocols':
- value => '!SSLv2, !SSLv3';
- }
-
-
-- 
cgit v1.2.3
From 86a2d30985cb118fdb158cc605237ae9445b6123 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 12:58:22 -0500
Subject: add a smtp_tls class and include that on both mx servers and satellites
Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728
---
 puppet/modules/site_postfix/manifests/mx.pp | 3 ++-
 .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++
 puppet/modules/site_postfix/manifests/satellite.pp | 3 +++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 59d3030d..441252f2 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -32,7 +32,8 @@ class site_postfix::mx {
 include site_postfix::mx::smtpd_checks
 include site_postfix::mx::checks
- include site_postfix::mx::tls
+ include site_postfix::mx::smtp_tls
+ include site_postfix::mx::smtpd_tls
 include site_postfix::mx::reserved_aliases
 # greater verbosity for debugging, take out for production
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
new file mode 100644
index 00000000..4b9c2fd9
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -0,0 +1,29 @@
+class site_postfix::mx::smtp_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ # smtp TLS
+ postfix::config {
+ 'smtp_use_tls': value => 'yes';
+ 'smtp_tls_CApath': value => '/etc/ssl/certs/';
+ 'smtp_tls_CAfile': value => $ca_path;
+ 'smtp_tls_cert_file': value => $cert_path;
+ 'smtp_tls_key_file': value => $key_path;
+ 'smtp_tls_loglevel': value => '1';
+ 'smtp_tls_exclude_ciphers':
+ value => 'aNULL, MD5, DES';
+ # upstream default is md5 (since 2.5 and older used it), we force sha1
+ 'smtp_tls_fingerprint_digest':
+ value => 'sha1';
+ 'smtp_tls_session_cache_database':
+ value => 'btree:${queue_directory}/smtp_cache';
+ 'smtp_tls_security_level':
+ value => 'may';
+ # see issue #4011
+ 'smtp_tls_protocols':
+ value => '!SSLv2, !SSLv3';
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index de20b667..7be51b22 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -3,9 +3,12 @@ class site_postfix::satellite {
 $root_mail_recipient = hiera ('contacts')
 $mail = hiera ('mail')
 $relayhost = $mail['smarthost']
+ $cert_name = hiera('name')
 class { '::postfix::satellite': relayhost => $relayhost, root_mail_recipient => $root_mail_recipient }
+
+ include site_postfix::mx::smtp_tls
 }
-- 
cgit v1.2.3
From 5708e04af02ec7332be84dfb63200008c35b9af4 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 13:06:17 -0500
Subject: set x509 use to true for all nodes, we need a cert for relaying using TLS (#1910)
Change-Id: I347178f2a172e4be6af8c0c76d801b3c769235cd
---
 provider_base/common.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
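Review bot: `smtp_tls_security_level` is hard-coded to `may` for every host that includes this class, and the satellite.pp hunk below includes it on hosts that relay everything through a single `relayhost`; opportunistic TLS on that fixed path can be silently downgraded to cleartext if STARTTLS is stripped in transit. Since the smarthost is known, the relay path could use `encrypt` (or a per-destination entry in `smtp_tls_policy_maps`) while MX hosts, which deliver to arbitrary domains, keep `may`; that means the level becomes a class parameter defaulting to `may` rather than a literal. Separately, `'btree:${queue_directory}/smtp_cache'` is correctly single-quoted so Puppet leaves `${queue_directory}` for Postfix to expand, which deserves a one-line comment such as `# single quotes on purpose: ${queue_directory} is expanded by Postfix, not Puppet`.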
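Review bot: The added `$cert_name = hiera('name')` is a local variable of `site_postfix::satellite` that nothing in the hunk reads, and the `site_postfix::mx::smtp_tls` class included two lines later builds its certificate paths from the fully qualified `$site_config::params::cert_name`, which a local assignment in another class cannot influence. If the intent is for the satellite's node name to select its certificate, either `smtp_tls` needs a `cert_name` parameter or the lookup belongs in `site_config::params`; as written the line looks dead unless something outside this diff reads it. The `include` also pulls an `mx::`-namespaced class into a non-MX role, which a comment such as `# outbound (SMTP client) TLS settings are shared with the MX role` would make intentional. The `site_postfix::satellite` class opens before this hunk.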
diff --git a/provider_base/common.json b/provider_base/common.json
index 5be0dd70..07a45972 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -25,7 +25,7 @@
 },
 "hosts": "=> hosts_file",
 "x509": {
- "use": false,
+ "use": true,
 "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
 "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
 "ca_cert": "= try_file :ca_cert"
-- 
cgit v1.2.3
From 88af29f3aba662aab4ca5ac3122d43139fb97004 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 15:43:58 -0500
Subject: Fix for openvpn/unbound not starting at boot (#4506)
This change sets the sysctl net.ipv4.ip_nonlocal_bind to allow applications to bind to an address, even when the link is down. This is necessary because applications like unbound and openvpn fail to start on boot in some situations because interfaces are not fully up (due to a combination of non-deterministic booting because of the likely potential setting of allow-hotplug in the interfaces file and the LSB boot dependency on $network not being sufficient. The only down-side to setting this is a daemon could bind to an incorrect ip and we wouldn't get an error, but this would be a configuration mistake, rather than a fatal condition.
Change-Id: I5c03083e8c20bb25afad85a1230f4555808d341c
---
 .gitmodules | 3 +++
 puppet/modules/site_config/manifests/default.pp | 4 +++-
 puppet/modules/site_config/manifests/sysctl.pp | 8 ++++++++
 puppet/modules/sysctl | 1 +
 4 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_config/manifests/sysctl.pp
 create mode 160000 puppet/modules/sysctl
diff --git a/.gitmodules b/.gitmodules
index 0b339593..cc8afdb5 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -85,3 +85,6 @@
 [submodule "puppet/modules/backupninja"]
 path = puppet/modules/backupninja
 url = https://leap.se/git/puppet_backupninja
+[submodule "puppet/modules/sysctl"]
+ path = puppet/modules/sysctl
+ url = https://leap.se/git/puppet_sysctl
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 33d3df05..d85d9c8f 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -12,7 +12,6 @@ class site_config::default {
 include site_config::slow
- include concat::setup
 # default class, used by all hosts
@@ -22,6 +21,9 @@ class site_config::default {
 # configure apt
 include site_apt
+ # configure sysctl parameters
+ include site_config::sysctl
+
 # configure ssh and include ssh-keys
 include site_config::sshd
diff --git a/puppet/modules/site_config/manifests/sysctl.pp b/puppet/modules/site_config/manifests/sysctl.pp
new file mode 100644
index 00000000..99f75123
--- /dev/null
+++ b/puppet/modules/site_config/manifests/sysctl.pp
@@ -0,0 +1,8 @@
+class site_config::sysctl {
+
+ sysctl::config {
+ 'net.ipv4.ip_nonlocal_bind':
+ value => 1,
+ comment => 'Allow applications to bind to an address when link is down (see https://leap.se/code/issues/4506)'
+ }
+}
diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl
new file mode 160000
index 00000000..975852b7
--- /dev/null
+++ b/puppet/modules/sysctl
@@ -0,0 +1 @@
+Subproject commit 975852b7acc1125b4cd9d4d490b9abd8d31217e6
-- 
cgit v1.2.3
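Review bot: The first default.pp hunk removes `include concat::setup`, which the commit message (sysctl for #4506) does not mention; on puppetlabs-concat versions where `concat::setup` still has to be declared before the `concat` define can be used, dropping it would break catalog compilation on every host that uses concat, so the removal should be justified in the message or split into its own commit. The `site_config::default` class begins before the hunk, so whether concat is still used elsewhere in it cannot be seen here.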
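Review bot: `net.ipv4.ip_nonlocal_bind` is host-wide, so the relaxation the commit message concedes (a daemon bound to a wrong or foreign address no longer fails at bind time) applies to every service on the node, not only unbound and openvpn; that scope belongs in a header comment on `site_config::sysctl`, e.g. `# Let daemons bind addresses whose interface is not up yet (unbound, openvpn at boot; #4506). Host-wide: a misconfigured bind address no longer errors.` The key is IPv4-only, so if unbound or openvpn also listen on IPv6 addresses the same boot race is likely there, and kernels that provide `net.ipv6.ip_nonlocal_bind` would need the same setting. The class is complete within the hunk.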