From 8684aa38ece3271a0eb0f8a1751f6c3297025afa Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Tue, 28 Jul 2015 14:35:40 -0400
Subject: Support RBL blocking of incoming mail (#5923)

Set zen.spamhaus as the default rbl

Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158
---
 provider_base/services/mx.json                           | 1 +
 puppet/modules/site_postfix/manifests/mx.pp              | 1 +
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 11293ae8..db2e4795 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -16,6 +16,7 @@
     "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
   },
   "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
+  "rbls": ["zen.spamhaus.org"],
   "x509": {
     "use": true,
     "use_commercial": true,
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 49692d24..af0f9f56 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,6 +8,7 @@ class site_postfix::mx {
   $host_domain         = $domain_hash['full']
   $cert_name           = hiera('name')
   $mynetworks          = join(hiera('mynetworks'), ' ')
+  $rbls                = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',')
 
   $root_mail_recipient = hiera('contacts')
   $postfix_smtp_listen = 'all'
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0ec40277..1c3e5c92 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks {
     'checks_dir':
       value => '$config_directory/checks';
     'smtpd_client_restrictions':
-      value => 'permit_mynetworks,permit';
+      value => "${site_postfix::mx::rbls}permit_mynetworks,permit";
     'smtpd_data_restrictions':
       value => 'permit_mynetworks, reject_unauth_pipelining, permit';
     'smtpd_delay_reject':
-- 
cgit v1.2.3