From b7c03c7cac3d3b04dade4086f416f1305c946830 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 7 Mar 2013 15:24:29 +0100
Subject: include site_mx
---
puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- puppet/modules/couchdb | 2 +- puppet/modules/stunnel | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/puppet/modules/apache b/puppet/modules/apache
index c3e92a9b..090e59ad 160000
--- a/puppet/modules/apache
+++ b/puppet/modules/apache
@@ -1 +1 @@
-Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c
+Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e
diff --git a/puppet/modules/apt b/puppet/modules/apt
index 1a72a996..6bf7a6ab 160000
--- a/puppet/modules/apt
+++ b/puppet/modules/apt
@@ -1 +1 @@
-Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee
+Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 20deb065..7b6c9a29 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6
+Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
index fc1589a5..75d387fc 160000
--- a/puppet/modules/stunnel
+++ b/puppet/modules/stunnel
@@ -1 +1 @@
-Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc
+Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656
-- cgit v1.2.3
From 3da143db6a4369f09c513d95aeea6eb119f2c9f2 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 7 Mar 2013 15:27:45 +0100
Subject: added submodule postfix from git://labs.riseup.net/shared-postfix
---
.gitmodules | 3 +++ puppet/modules/postfix | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/postfix
diff --git a/.gitmodules b/.gitmodules
index 717ae5ed..b84dfef2 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@ [submodule "puppet/modules/haproxy"] path = puppet/modules/haproxy url = git://code.leap.se/puppet_haproxy +[submodule "puppet/modules/postfix"] + path = puppet/modules/postfix + url = git://labs.riseup.net/shared-postfix diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..881a59ac --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 -- cgit v1.2.3 From 1d1afa65b9072cbc59b45d2fcdc77707e31a97ae Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:42:17 +0100 Subject: added site_mx --- puppet/modules/site_mx/manifests/init.pp | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/init.pp diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp new file mode 100644 index 00000000..f7f358ce --- /dev/null +++ b/puppet/modules/site_mx/manifests/init.pp @@ -0,0 +1,3 @@ +class site_mx { + include site_postfix::mx +} -- cgit v1.2.3 From 4ceba14f444e41dc7dcc9f2176f4bf464f5286cd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 17:16:09 +0100 Subject: shorewall rules for site_mx --- puppet/modules/site_shorewall/manifests/mx.pp | 24 ++++++++++++++++++++++ .../site_shorewall/manifests/service/smtp.pp | 13 ++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp new file mode 100644 index 00000000..5ec95fdd --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/mx.pp 
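Review bot: The new submodule entry fetches `shared-postfix` over the unauthenticated `git://` transport (`url = git://labs.riseup.net/shared-postfix`), so the initial clone has no server authentication and the checkout's integrity rests only on the pinned commit id. If the host offers it, `url = https://labs.riseup.net/shared-postfix` or an ssh URL would give the fetch a verified peer. The neighbouring haproxy entry in the same file uses `git://` too, so this may be a repo-wide convention rather than a one-off; the point still applies to the whole file.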
@@ -0,0 +1,24 @@ +class site_shorewall::mx { + + include site_shorewall::defaults + + $smtpd_ports = '25' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_mx': + content => "PARAM - - tcp ${smtpd_ports} ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + + shorewall::rule { + 'net2fw-mx': + source => 'net', + destination => '$FW', + action => 'leap_mx(ACCEPT)', + order => 200; + } + + include site_shorewall::service::smtp +} diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp new file mode 100644 index 00000000..7fbdf14e --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::smtp { + + include site_shorewall::defaults + + shorewall::rule { + 'fw2net-http': + source => '$FW', + destination => 'net', + action => 'SMTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From c1e55fde49858c1bc9cf0da129a3b7df91cf9899 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:15:45 +0100 Subject: include shorewall rules for site_mx --- puppet/modules/site_mx/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index f7f358ce..4b2db215 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,3 +1,7 @@ class site_mx { + tag 'leap_service' + include site_postfix::mx + include site_shorewall::mx + include site_shorewall::service::smtp } -- cgit v1.2.3 From db5fd91d32b215eb9827e36e2a51c98af993ab99 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:16:13 +0100 Subject: added basic site_postfix::mx config --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx.pp 
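Review bot: The `file { '/etc/shorewall/macro.leap_mx': ... }` resource in `site_shorewall::mx` sets neither `owner`/`group` nor `mode`, so the macro file inherits whatever the agent's default is; the other attributes (`notify => Service['shorewall']`, `require => Package['shorewall']`) are right. Adding `owner => 'root', group => 'root', mode => '0644',` keeps a firewall rule definition from ever being writable by a non-root account. The macro content `"PARAM - - tcp ${smtpd_ports} "` ends with a trailing space and no newline; harmless to shorewall as far as I can tell, but worth a `\n`.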
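Review bot: The rule title in the new `site_shorewall::service::smtp` class is `'fw2net-http'` although the action is `SMTP(ACCEPT)`; besides being misleading, any other class that declares a `shorewall::rule` with that same title on the same node will fail with a duplicate declaration. Rename it `'fw2net-smtp':`. A one-line comment such as `# outbound SMTP so the MX can deliver to remote domains` would also help readers tell it apart from the inbound `net2fw-mx` rule in `site_shorewall::mx`.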
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp new file mode 100644 index 00000000..9104c2cb --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -0,0 +1,16 @@ +class site_postfix::mx { + + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + + # see https://leap.se/code/issues/1936 for contact email addr + #$root_mail_recipient = '' + $postfix_smtp_listen = 'all' + + postfix::config { + # just en example + 'delay_warning_time': value => '4h'; + } + + include ::postfix +} -- cgit v1.2.3 From 424dcefa2ab51a2185935b11d910bd2dbab8d1fb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:35:37 +0200 Subject: added site_mx::haproxy --- puppet/modules/site_mx/manifests/haproxy.pp | 14 ++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/haproxy.pp diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp new file mode 100644 index 00000000..988eeaf3 --- /dev/null +++ b/puppet/modules/site_mx/manifests/haproxy.pp @@ -0,0 +1,14 @@ +class site_mx::haproxy { + + include site_haproxy + + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] + + # Template uses $global_options, $defaults_options + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4b2db215..8c8b8d7e 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,7 @@ class site_mx { tag 'leap_service' include site_postfix::mx + include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp } -- cgit v1.2.3 
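Review bot: `site_mx::haproxy` declares `concat::fragment { 'leap_haproxy_webapp_couchdb': ... }` rendering `template('site_webapp/haproxy_couchdb.cfg.erb')`, so an mx-specific class reuses a webapp-owned resource title and template. On a node that runs both services this is a duplicate resource declaration, and any edit to the webapp template silently changes the MX proxy configuration. Either move the template into a shared module (`site_haproxy` looks like the natural owner) or give this fragment its own title, e.g. `'leap_haproxy_mx_couchdb'`. The comment `# Template uses $global_options, $defaults_options` refers to variables not set in this class; presumably they come from `site_haproxy`, which the comment should say.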
From 15d19dfb940ca0ac55f0f92356aab7fe58aa9dba Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:46:13 +0200 Subject: added provider_base/services/mx.json --- provider_base/services/mx.json | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 provider_base/services/mx.json diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json new file mode 100644 index 00000000..61ae0db9 --- /dev/null +++ b/provider_base/services/mx.json @@ -0,0 +1,8 @@ +{ + "stunnel": { + "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" + }, + "haproxy": { + "local_ports": "= stunnel.couch_client.field(:accept_port)" + } +} -- cgit v1.2.3 From 67e98211f7414bfd8986ef2be1bcf9e5d5be406f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 9 ++++++++ puppet/modules/site_mx/manifests/couchdb.pp | 35 +++++++++++++++++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 45 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/couchdb.pp diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 61ae0db9..949374ad 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -4,5 +4,14 @@ }, "haproxy": { "local_ports": "= stunnel.couch_client.field(:accept_port)" + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } 
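Review bot: The x509 block added to `mx.json` ships the client CA private key to every mx node (`"client_ca_key": "= file_path :client_ca_key"`), yet nothing in this series makes the MX sign client certificates; verifying them needs only `client_ca_cert`. Placing that key on an internet-facing mail host means an MX compromise also yields the ability to mint client certificates for any user. Unless a later manifest consumes it, drop the `client_ca_key` line here. This is inferred from the manifests in this series; confirm against the other service definitions before removing it.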
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp new file mode 100644 index 00000000..f842ceab --- /dev/null +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -0,0 +1,35 @@ +class site_mx::couchdb { + + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variables + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca_name => $ca_name, + ca => $ca + } + + $couchdb_stunnel_client_defaults = { + 'connect_port' => $couch_client_connect, + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 8c8b8d7e..86ae56e1 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,4 +5,5 @@ class site_mx { include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp + include site_mx::couchdb } -- cgit v1.2.3 From 886551dfd2e6eb7dc51d15ebbd6393198dfde78f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 17:28:40 +0200 Subject: hiera variable mx.contact -> postfix $root_mail_recipient --- provider_base/services/mx.json | 3 +++ puppet/modules/site_postfix/manifests/mx.pp | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 949374ad..b15bfbc8 100644 
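Review bot: `site_mx::couchdb` reads `$couch_client['connect']` and then hands the same `$couch_client` hash to `create_resources(site_stunnel::clients, $couch_client, ...)`, so every key of that hash becomes a `site_stunnel::clients` title. If the `stunnel_client(...)` macro emits `connect` as a top-level key next to the per-node entries, this declares a resource named `connect` whose attributes are a scalar; if `connect` only lives inside each node entry, `$couch_client['connect']` is undef instead. One of the two readings is wrong, and the hunk does not say which shape is expected. A hedged comment above the `create_resources` call, e.g. `# expected shape of stunnel.couch_client: { <node> => { connect => ..., accept_port => ... } } -- confirm against the stunnel_client macro`, would settle it for the next reader.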
--- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -1,4 +1,7 @@ { + "mx": { + "contact": "= global.provider.contacts.default" + }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" }, diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 9104c2cb..15449001 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -1,10 +1,10 @@ class site_postfix::mx { - $domain_hash = hiera ('domain') - $domain = $domain_hash['full_suffix'] + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + $mx_hash = hiera('mx') - # see https://leap.se/code/issues/1936 for contact email addr - #$root_mail_recipient = '' + $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' postfix::config { -- cgit v1.2.3 From d14758f02a6a7d2b8675ea538692bba44b72689d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 15449001..4bab7722 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -8,8 +8,46 @@ class site_postfix::mx { $postfix_smtp_listen = 'all' postfix::config { - # just en example - 'delay_warning_time': value => '4h'; + 'mydestination': + value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'smtpd_recipient_restrictions': + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; + } + + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, } include ::postfix -- cgit v1.2.3 From 997ab7fb2303da86ee27cb781ba6b74d4a2e89a6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 16:27:43 +0200 Subject: no need to import common anymore --- puppet/manifests/site.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..327b6a67 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] } include stdlib -import 'common' include site_config::default include site_config::slow -- cgit v1.2.3 From 9159f1e023e0f38bb9b8bdcfb69f77823184f6ec Mon Sep 17 00:00:00 2001 
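Review bot: `user { 'vmail': ... }` is declared twice in this hunk with identical attributes, which Puppet rejects as a duplicate declaration at catalog compile time; delete the second copy. Separately, `line {'deliver to vmail': line => "@${domain} vmail" ...}` together with `postfix::virtual { "@${domain}": destination => 'vmail'; }` makes the host accept and store mail for every local part at the domain, as the `# for now, accept all mail` comment says, so unknown-recipient spam is stored rather than rejected at RCPT time; a `# TODO` naming the issue that will replace this would help. `shell => '/bin/false'` on the `vmail` account is the right choice for a spool-only user.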
From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index b15bfbc8..ab46960d 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -17,4 +17,15 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } +} + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" + } } -- cgit v1.2.3 From bb559881644c8207a7d2791655f535cf9bcd61be Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/postfix | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 881a59ac..8e43dc85 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 +Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4bab7722..2bf844bf 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
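Review bot: This hunk leaves `provider_base/services/mx.json` syntactically invalid: after the existing closing `}` it adds `+}` and then a second `+ },` / `+ "x509": {` block, so the file ends with a stray top-level brace and a duplicate `"x509"` key. The x509 block is already present from the earlier commit in this series, so this hunk should be dropped entirely; the repeated commit subject suggests a botched rebase rather than an intended change.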
@@ -42,13 +42,8 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, + class { 'postfix': + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all' } - - include ::postfix } -- cgit v1.2.3 From f242bcefaeae008083c0281f3103b67d31264e4f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:08:18 +0200 Subject: fixed provider_base/services/mx.json syntax --- provider_base/services/mx.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index ab46960d..b15bfbc8 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -17,15 +17,4 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } -} - }, - "x509": { - "use": true, - "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", - "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", - "commercial_key": "= file [:commercial_key, domain.full_suffix]", - "commercial_ca_cert": "= try_file :commercial_ca_cert" - } } -- cgit v1.2.3 From adc12547c53639fe9cf97157d05e2b401dc7c9c3 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2bf844bf..82536b80 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
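Review bot: `class { 'postfix': ... smtp_listen => 'all' }` hard-codes the value that the class-scope variable `$postfix_smtp_listen = 'all'` (set above this hunk, in the same class) used to supply to the non-parameterized module; with the parameterized class that variable appears to be dead. Either remove it or pass it through, `smtp_listen => $postfix_smtp_listen,`, so there is a single place to change when the MX should stop listening on every interface. The enclosing `site_postfix::mx` class starts outside the hunk.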
@@ -11,28 +11,15 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; - 'mailbox_size_limit': - value => '0'; - 'home_mailbox': - value => 'Maildir/'; - 'virtual_alias_maps': - value => 'hash:/etc/postfix/virtual'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From e6c4f16351be546985432bf865d123a82024b9ae Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 82536b80..72c38ab1 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
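Review bot: The new `'local_recipient_maps': value => ''` disables Postfix's own local-recipient check and `'luser_relay': value => 'vmail'` sends every unknown local part to the spool user, so the MX accepts any address at the domain; the only filtering left is `check_recipient_access tcp:localhost:2244`, and both it and `'virtual_alias_maps': value => 'tcp:localhost:4242'` depend on an unauthenticated localhost service that this manifest neither declares nor requires. When that resolver is down, `tcp:` table lookups fail and Postfix answers every recipient with a temporary error, so the dependency should be documented and monitored. A comment above the config block would capture the intent: `# recipient validation and aliasing are delegated to the leap alias resolver on localhost:2244/4242; local_recipient_maps is emptied so Postfix does not second-guess it`.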
@@ -17,9 +17,10 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; + #'debug_peer_list': value => '127.0.0.1'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp new file mode 100644 index 00000000..e46bc149 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -0,0 +1,8 @@ +class site_postfix::mx::smtpd_checks { + + postfix::config { + 'smtpd_data_restrictions': + value => 'permit_mynetworks, reject_unauth_pipelining, permit' + } + +} -- cgit v1.2.3 From a1dc911c792e963cd814154a24a60dfaf147ecdc Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Apr 2013 14:06:38 +0200 Subject: smtpd_checks: smtpd_delay_reject --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index e46bc149..b2f2d7c2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,8 +1,9 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_delay_reject': value => 'yes'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit' + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; } } -- cgit v1.2.3 From de4bdcddc33bd9aa2fc883ccef63f7c13543bb23 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:39:37 +0200 Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 72c38ab1..a625cdcd 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,7 +11,7 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; -- cgit v1.2.3 From bcb165f6ed09dd51cc7b534a1fa5aafde21e3703 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:40:13 +0200 Subject: beginning of smtp_auth config with client certs --- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp new file mode 100644 index 00000000..ab75130e --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -0,0 +1,10 @@ +class site_postfix::mx::smtp_auth { + $x509 = hiera('x509') + + postfix::config { + 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; + 'smtpd_tls_key_file': value => $x509['client_ca_key']; + 'smtpd_tls_ask_ccert': value => 'yes'; + #'smtpd_tls_CAfile': value => + } +} -- cgit v1.2.3 From ff813f6da042e66b38a0c4c19df6956bdd5ca9c3 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:39:56 +0200 Subject: updated submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt 
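Review bot: `permit_tls_all_clientcerts` is appended after `reject_unauth_destination` in `smtpd_recipient_restrictions`, so for any relay attempt the reject fires first and the permit is never evaluated; client-certificate relaying cannot work with this ordering. If relaying for certificate holders is the intent, the permit must precede the reject, `value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';`, and the commit should state that this then trusts every certificate the configured CA has signed.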
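Review bot: `site_postfix::mx::smtp_auth` points `smtpd_tls_cert_file` and `smtpd_tls_key_file` at `$x509['client_ca_cert']` / `$x509['client_ca_key']`, i.e. the public smtpd would present the client CA certificate as its own identity and load the CA private key into the daemon. The server should use the node's own certificate and key, and the client CA belongs in `smtpd_tls_CAfile` (left commented out here), without which `'smtpd_tls_ask_ccert': value => 'yes'` cannot verify any client certificate. The class is also not included from anywhere in this commit.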
@@ -1 +1 @@
-Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8
+Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee
-- cgit v1.2.3
From 3f31c74e7365a7508377324a9e0b26b3e746c0c1 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 9 Jul 2013 15:42:07 +0200
Subject: updated submodule couchdb
---
puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 7b6c9a29..20deb065 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261
+Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6
-- cgit v1.2.3
From 9fae22550eb599baac912e88343a81d2517bba93 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 9 Jul 2013 15:42:59 +0200
Subject: updated submodule apache
---
puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/apache b/puppet/modules/apache
index 090e59ad..c3e92a9b 160000
--- a/puppet/modules/apache
+++ b/puppet/modules/apache
@@ -1 +1 @@
-Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e
+Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c
-- cgit v1.2.3
From 0f95eccb08b80c02db99d57da413025813766d5e Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 9 Jul 2013 17:26:06 +0200
Subject: re-add mx service
---
puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 327b6a67..a340ce66 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -36,3 +36,7 @@ if $services =~ /\bmonitor\b/ {
 if $services =~ /\btor\b/ {
 include site_tor
 }
+
+if $services =~ /\bmx\b/ {
+ include site_mx
+}
-- cgit v1.2.3
From c11047649e1ef630b48b007fb757fcc68b747e62 Mon Sep 17 00:00:00 2001
From: varac Date: Wed, 10 Jul 2013 14:10:22 +0200 Subject: added tls support, including smtp auth via client cert --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++----- .../modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ------- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 ++++++++++++++++++++++ 3 files changed, 41 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a625cdcd..e9656072 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -3,6 +3,7 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] $mx_hash = hiera('mx') + $cert_name = hiera('name') $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' @@ -12,15 +13,16 @@ class site_postfix::mx { value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; - 'mailbox_size_limit': value => '0'; - 'home_mailbox': value => 'Maildir/'; - 'virtual_alias_maps': value => 'tcp:localhost:4242'; - 'luser_relay': value => 'vmail'; - 'local_recipient_maps': value => ''; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; #'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks + include site_postfix::mx::tls user { 'vmail': ensure => present, 
@@ -32,6 +34,8 @@ class site_postfix::mx { class { 'postfix': root_mail_recipient => $root_mail_recipient, - smtp_listen => 'all' + smtp_listen => 'all', + require => [ X509::Key[$cert_name], X509::Cert[$cert_name], + User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp deleted file mode 100644 index ab75130e..00000000 --- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp +++ /dev/null @@ -1,10 +0,0 @@ -class site_postfix::mx::smtp_auth { - $x509 = hiera('x509') - - postfix::config { - 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; - 'smtpd_tls_key_file': value => $x509['client_ca_key']; - 'smtpd_tls_ask_ccert': value => 'yes'; - #'smtpd_tls_CAfile': value => - } -} diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp new file mode 100644 index 00000000..7da38100 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -0,0 +1,31 @@ +class site_postfix::mx::tls { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $client_ca = $x509['client_ca_cert'] + + include x509::variables + $cert_name = hiera('name') + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { $cert_name: + content => $key, + } + + x509::cert { $cert_name: + content => $cert, + } + + postfix::config { + 'smtpd_use_tls': value => 'yes'; + 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_cert_file': value => $cert_path; + 'smtpd_tls_key_file': value => $key_path; + 'smtpd_tls_req_ccert': value => 'yes'; + 'smtpd_tls_security_level': + value => 'encrypt'; + } + +} -- cgit v1.2.3 From f64791335e40b2b6e05305a6d8dda989fb755b9d Mon Sep 17 00:00:00 2001 
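Review bot: `'smtpd_tls_req_ccert': value => 'yes'` together with `'smtpd_tls_security_level': value => 'encrypt'` is set on the main smtpd, so if this instance is also the domain's inbound MX on port 25, remote MTAs that do not offer STARTTLS or cannot present a certificate signed by `$client_ca` can no longer deliver mail at all; the Postfix TLS documentation warns that mandatory TLS on a public MX is contrary to the SMTP RFCs. If the goal is client-certificate submission, that policy belongs on a dedicated submission listener in master.cf, with the port-25 smtpd kept at `may` and `smtpd_tls_req_ccert = no`. `'smtpd_use_tls': value => 'yes'` is redundant once `smtpd_tls_security_level` is set. `$cert_name = hiera('name')` is computed both here and in `site_postfix::mx` (earlier hunk); passing it in as a class parameter would leave one source of truth.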
From: varac Date: Mon, 15 Jul 2013 11:34:22 +0200 Subject: fix smtpd_recipient_restrictions, debug connections from localhost --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9656072..5ec8ab49 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -12,13 +12,13 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; + value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; - #'debug_peer_list': value => '127.0.0.1'; + 'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3
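Review bot: `'debug_peer_list': value => '127.0.0.1'` is now enabled unconditionally, which raises Postfix logging to verbose for every localhost connection and writes the full SMTP dialogue of local clients to the mail log; that is reasonable for a debugging session but should not ship as the default, so gate it behind a hiera flag or return it to the commented form once the localhost problem is understood. Moving `permit_tls_all_clientcerts` ahead of `reject_unauth_destination` fixes the ordering from the earlier commit but also grants relay rights to every certificate the configured client CA has signed; as far as I know Postfix does not consult CRLs for client certificates, so a revoked client keeps relaying until the CA is rotated, which deserves a comment next to the restriction list.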