From b7c03c7cac3d3b04dade4086f416f1305c946830 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 7 Mar 2013 15:24:29 +0100
Subject: include site_mx

---
 puppet/modules/apache  | 2 +-
 puppet/modules/apt     | 2 +-
 puppet/modules/couchdb | 2 +-
 puppet/modules/stunnel | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/puppet/modules/apache b/puppet/modules/apache
index c3e92a9b..090e59ad 160000
--- a/puppet/modules/apache
+++ b/puppet/modules/apache
@@ -1 +1 @@
-Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c
+Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e
diff --git a/puppet/modules/apt b/puppet/modules/apt
index 1a72a996..6bf7a6ab 160000
--- a/puppet/modules/apt
+++ b/puppet/modules/apt
@@ -1 +1 @@
-Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee
+Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 20deb065..7b6c9a29 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6
+Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
index fc1589a5..75d387fc 160000
--- a/puppet/modules/stunnel
+++ b/puppet/modules/stunnel
@@ -1 +1 @@
-Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc
+Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656
-- 
cgit v1.2.3


From 3da143db6a4369f09c513d95aeea6eb119f2c9f2 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 7 Mar 2013 15:27:45 +0100
Subject: added submodule postfix from git://labs.riseup.net/shared-postfix

---
 .gitmodules            | 3 +++
 puppet/modules/postfix | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 puppet/modules/postfix

diff --git a/.gitmodules b/.gitmodules
index 717ae5ed..b84dfef2 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@
 [submodule "puppet/modules/haproxy"]
 	path = puppet/modules/haproxy
 	url = git://code.leap.se/puppet_haproxy
+[submodule "puppet/modules/postfix"]
+	path = puppet/modules/postfix
+	url = git://labs.riseup.net/shared-postfix
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
new file mode 160000
index 00000000..881a59ac
--- /dev/null
+++ b/puppet/modules/postfix
@@ -0,0 +1 @@
+Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9
-- 
cgit v1.2.3


From 1d1afa65b9072cbc59b45d2fcdc77707e31a97ae Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 7 Mar 2013 15:42:17 +0100
Subject: added site_mx

---
 puppet/modules/site_mx/manifests/init.pp | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 puppet/modules/site_mx/manifests/init.pp

diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
new file mode 100644
index 00000000..f7f358ce
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -0,0 +1,3 @@
+class site_mx {
+  include site_postfix::mx
+}
-- 
cgit v1.2.3


From 4ceba14f444e41dc7dcc9f2176f4bf464f5286cd Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 7 Mar 2013 17:16:09 +0100
Subject: shorewall rules for site_mx

---
 puppet/modules/site_shorewall/manifests/mx.pp      | 24 ++++++++++++++++++++++
 .../site_shorewall/manifests/service/smtp.pp       | 13 ++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp
 create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp

diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
new file mode 100644
index 00000000..5ec95fdd
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -0,0 +1,24 @@
+class site_shorewall::mx {
+
+  include site_shorewall::defaults
+
+  $smtpd_ports = '25'
+
+  # define macro for incoming services
+  file { '/etc/shorewall/macro.leap_mx':
+    content => "PARAM   -       -       tcp    ${smtpd_ports} ",
+    notify  => Service['shorewall'],
+    require => Package['shorewall']
+  }
+
+
+  shorewall::rule {
+      'net2fw-mx':
+        source      => 'net',
+        destination => '$FW',
+        action      => 'leap_mx(ACCEPT)',
+        order       => 200;
+  }
+
+  include site_shorewall::service::smtp
+}
diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp
new file mode 100644
index 00000000..7fbdf14e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp
@@ -0,0 +1,13 @@
+class site_shorewall::service::smtp {
+
+  include site_shorewall::defaults
+
+  shorewall::rule {
+      'fw2net-http':
+        source      => '$FW',
+        destination => 'net',
+        action      => 'SMTP(ACCEPT)',
+        order       => 200;
+  }
+
+}
-- 
cgit v1.2.3


From c1e55fde49858c1bc9cf0da129a3b7df91cf9899 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 7 Mar 2013 18:15:45 +0100
Subject: include shorewall rules for site_mx

---
 puppet/modules/site_mx/manifests/init.pp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index f7f358ce..4b2db215 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -1,3 +1,7 @@
 class site_mx {
+  tag 'leap_service'
+
   include site_postfix::mx
+  include site_shorewall::mx
+  include site_shorewall::service::smtp
 }
-- 
cgit v1.2.3


From db5fd91d32b215eb9827e36e2a51c98af993ab99 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 7 Mar 2013 18:16:13 +0100
Subject: added basic site_postfix::mx config

---
 puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 puppet/modules/site_postfix/manifests/mx.pp

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..9104c2cb
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -0,0 +1,16 @@
+class site_postfix::mx {
+
+  $domain_hash = hiera ('domain')
+  $domain = $domain_hash['full_suffix']
+
+  # see https://leap.se/code/issues/1936 for contact email addr
+  #$root_mail_recipient = ''
+  $postfix_smtp_listen = 'all'
+
+  postfix::config {
+    # just en example
+    'delay_warning_time':     value => '4h';
+  }
+
+  include ::postfix
+}
-- 
cgit v1.2.3


From 424dcefa2ab51a2185935b11d910bd2dbab8d1fb Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Wed, 17 Apr 2013 18:35:37 +0200
Subject: added site_mx::haproxy

---
 puppet/modules/site_mx/manifests/haproxy.pp | 14 ++++++++++++++
 puppet/modules/site_mx/manifests/init.pp    |  1 +
 2 files changed, 15 insertions(+)
 create mode 100644 puppet/modules/site_mx/manifests/haproxy.pp

diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp
new file mode 100644
index 00000000..988eeaf3
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/haproxy.pp
@@ -0,0 +1,14 @@
+class site_mx::haproxy {
+
+  include site_haproxy
+
+  $haproxy     = hiera('haproxy')
+  $local_ports = $haproxy['local_ports']
+
+  # Template uses $global_options, $defaults_options
+  concat::fragment { 'leap_haproxy_webapp_couchdb':
+    target  => '/etc/haproxy/haproxy.cfg',
+    order   => '20',
+    content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+  }
+}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 4b2db215..8c8b8d7e 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -2,6 +2,7 @@ class site_mx {
   tag 'leap_service'
 
   include site_postfix::mx
+  include site_mx::haproxy
   include site_shorewall::mx
   include site_shorewall::service::smtp
 }
-- 
cgit v1.2.3


From 15d19dfb940ca0ac55f0f92356aab7fe58aa9dba Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Wed, 17 Apr 2013 18:46:13 +0200
Subject: added provider_base/services/mx.json

---
 provider_base/services/mx.json | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 provider_base/services/mx.json

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
new file mode 100644
index 00000000..61ae0db9
--- /dev/null
+++ b/provider_base/services/mx.json
@@ -0,0 +1,8 @@
+{
+  "stunnel": {
+    "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+  },
+  "haproxy": {
+    "local_ports": "= stunnel.couch_client.field(:accept_port)"
+  }
+}
-- 
cgit v1.2.3


From 67e98211f7414bfd8986ef2be1bcf9e5d5be406f Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Wed, 17 Apr 2013 16:01:19 -0400
Subject: initial mx couchdb stunnel configuration

---
 provider_base/services/mx.json              |  9 ++++++++
 puppet/modules/site_mx/manifests/couchdb.pp | 35 +++++++++++++++++++++++++++++
 puppet/modules/site_mx/manifests/init.pp    |  1 +
 3 files changed, 45 insertions(+)
 create mode 100644 puppet/modules/site_mx/manifests/couchdb.pp

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 61ae0db9..949374ad 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -4,5 +4,14 @@
   },
   "haproxy": {
     "local_ports": "= stunnel.couch_client.field(:accept_port)"
+  },
+  "x509": {
+    "use": true,
+    "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+    "client_ca_cert": "= file_path :client_ca_cert",
+    "client_ca_key": "= file_path :client_ca_key",
+    "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+    "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+    "commercial_ca_cert": "= try_file :commercial_ca_cert"
   }
 }
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp
new file mode 100644
index 00000000..f842ceab
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/couchdb.pp
@@ -0,0 +1,35 @@
+class site_mx::couchdb {
+
+  $stunnel = hiera('stunnel')
+  $couch_client            = $stunnel['couch_client']
+  $couch_client_connect    = $couch_client['connect']
+
+  include x509::variables
+  $x509                    = hiera('x509')
+  $key                     = $x509['key']
+  $cert                    = $x509['cert']
+  $ca                      = $x509['ca_cert']
+  $cert_name               = 'leap_couchdb'
+  $ca_name                 = 'leap_ca'
+  $ca_path                 = "${x509::variables::local_CAs}/${ca_name}.crt"
+  $cert_path               = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path                = "${x509::variables::keys}/${cert_name}.key"
+
+  class { 'site_stunnel::setup':
+    cert_name => $cert_name,
+    key       => $key,
+    cert      => $cert,
+    ca_name   => $ca_name,
+    ca        => $ca
+  }
+
+  $couchdb_stunnel_client_defaults = {
+    'connect_port' => $couch_client_connect,
+    'client'     => true,
+    'cafile'     => $ca_path,
+    'key'        => $key_path,
+    'cert'       => $cert_path,
+  }
+
+  create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
+}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 8c8b8d7e..86ae56e1 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -5,4 +5,5 @@ class site_mx {
   include site_mx::haproxy
   include site_shorewall::mx
   include site_shorewall::service::smtp
+  include site_mx::couchdb
 }
-- 
cgit v1.2.3


From 886551dfd2e6eb7dc51d15ebbd6393198dfde78f Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Mon, 22 Apr 2013 17:28:40 +0200
Subject: hiera variable mx.contact -> postfix $root_mail_recipient

---
 provider_base/services/mx.json              | 3 +++
 puppet/modules/site_postfix/manifests/mx.pp | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 949374ad..b15bfbc8 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -1,4 +1,7 @@
 {
+  "mx": {
+    "contact": "= global.provider.contacts.default"
+  },
   "stunnel": {
     "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
   },
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 9104c2cb..15449001 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -1,10 +1,10 @@
 class site_postfix::mx {
 
-  $domain_hash = hiera ('domain')
-  $domain = $domain_hash['full_suffix']
+  $domain_hash         = hiera ('domain')
+  $domain              = $domain_hash['full_suffix']
+  $mx_hash             = hiera('mx')
 
-  # see https://leap.se/code/issues/1936 for contact email addr
-  #$root_mail_recipient = ''
+  $root_mail_recipient = $mx_hash['contact']
   $postfix_smtp_listen = 'all'
 
   postfix::config {
-- 
cgit v1.2.3


From d14758f02a6a7d2b8675ea538692bba44b72689d Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Mon, 22 Apr 2013 22:15:51 +0200
Subject: Configure Postfix for incoming mails (Feature #2269)

---
 puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 15449001..4bab7722 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,8 +8,46 @@ class site_postfix::mx {
   $postfix_smtp_listen = 'all'
 
   postfix::config {
-    # just en example
-    'delay_warning_time':     value => '4h';
+    'mydestination':
+      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+    'smtpd_recipient_restrictions':
+      value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
+    'mailbox_size_limit':
+      value => '0';
+    'home_mailbox':
+      value => 'Maildir/';
+    'virtual_alias_maps':
+      value => 'hash:/etc/postfix/virtual';
+  }
+
+  postfix::hash { '/etc/postfix/virtual': }
+  postfix::hash { '/etc/postfix/recipient': }
+
+  # for now, accept all mail
+  line {'deliver to vmail':
+    file    => '/etc/postfix/recipient',
+    line    => "@${domain} vmail",
+    notify  => Exec['generate /etc/postfix/recipient.db'],
+    require => Package['postfix'],
+  }
+
+  postfix::virtual { "@${domain}": destination => 'vmail'; }
+  #postfix::mailalias { 'vmail': recipient => 'vmail' }
+
+  user { 'vmail':
+    ensure     => present,
+    comment    => 'Leap Mailspool',
+    home       => '/var/mail/vmail',
+    shell      => '/bin/false',
+    managehome => true,
+  }
+
+  user { 'vmail':
+    ensure     => present,
+    comment    => 'Leap Mailspool',
+    home       => '/var/mail/vmail',
+    shell      => '/bin/false',
+    managehome => true,
   }
 
   include ::postfix
-- 
cgit v1.2.3


From 997ab7fb2303da86ee27cb781ba6b74d4a2e89a6 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 23 Apr 2013 16:27:43 +0200
Subject: no need to import common anymore

---
 puppet/manifests/site.pp | 1 -
 1 file changed, 1 deletion(-)

diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 08cbbb9e..327b6a67 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] }
 
 include stdlib
 
-import 'common'
 include site_config::default
 include site_config::slow
 
-- 
cgit v1.2.3


From 9159f1e023e0f38bb9b8bdcfb69f77823184f6ec Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Wed, 17 Apr 2013 16:01:19 -0400
Subject: initial mx couchdb stunnel configuration

---
 provider_base/services/mx.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index b15bfbc8..ab46960d 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -17,4 +17,15 @@
     "commercial_key": "= file [:commercial_key, domain.full_suffix]",
     "commercial_ca_cert": "= try_file :commercial_ca_cert"
   }
+}
+  },
+  "x509": {
+    "use": true,
+    "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+    "client_ca_cert": "= file_path :client_ca_cert",
+    "client_ca_key": "= file_path :client_ca_key",
+    "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+    "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+    "commercial_ca_cert": "= try_file :commercial_ca_cert"
+  }
 }
-- 
cgit v1.2.3


From bb559881644c8207a7d2791655f535cf9bcd61be Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Tue, 23 Apr 2013 15:59:44 -0400
Subject: update postfix module to new shared version for parameterized
 classes, and other 2.7 updates update site_postfix::mx to use parameterized
 classes

---
 puppet/modules/postfix                      |  2 +-
 puppet/modules/site_postfix/manifests/mx.pp | 11 +++--------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/puppet/modules/postfix b/puppet/modules/postfix
index 881a59ac..8e43dc85 160000
--- a/puppet/modules/postfix
+++ b/puppet/modules/postfix
@@ -1 +1 @@
-Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9
+Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 4bab7722..2bf844bf 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -42,13 +42,8 @@ class site_postfix::mx {
     managehome => true,
   }
 
-  user { 'vmail':
-    ensure     => present,
-    comment    => 'Leap Mailspool',
-    home       => '/var/mail/vmail',
-    shell      => '/bin/false',
-    managehome => true,
+  class { 'postfix':
+    root_mail_recipient => $root_mail_recipient,
+    smtp_listen         => 'all'
   }
-
-  include ::postfix
 }
-- 
cgit v1.2.3


From f242bcefaeae008083c0281f3103b67d31264e4f Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Fri, 26 Apr 2013 10:08:18 +0200
Subject: fixed provider_base/services/mx.json syntax

---
 provider_base/services/mx.json | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index ab46960d..b15bfbc8 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -17,15 +17,4 @@
     "commercial_key": "= file [:commercial_key, domain.full_suffix]",
     "commercial_ca_cert": "= try_file :commercial_ca_cert"
   }
-}
-  },
-  "x509": {
-    "use": true,
-    "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
-    "client_ca_cert": "= file_path :client_ca_cert",
-    "client_ca_key": "= file_path :client_ca_key",
-    "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
-    "commercial_key": "= file [:commercial_key, domain.full_suffix]",
-    "commercial_ca_cert": "= try_file :commercial_ca_cert"
-  }
 }
-- 
cgit v1.2.3


From adc12547c53639fe9cf97157d05e2b401dc7c9c3 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Fri, 26 Apr 2013 10:09:21 +0200
Subject: using alias resolver

---
 puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2bf844bf..82536b80 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -11,28 +11,15 @@ class site_postfix::mx {
     'mydestination':
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
     'smtpd_recipient_restrictions':
-      value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
-    'mailbox_size_limit':
-      value => '0';
-    'home_mailbox':
-      value => 'Maildir/';
-    'virtual_alias_maps':
-      value => 'hash:/etc/postfix/virtual';
+      value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination';
+    'mailbox_size_limit':   value => '0';
+    'home_mailbox':         value => 'Maildir/';
+    'virtual_alias_maps':   value => 'tcp:localhost:4242';
+    'luser_relay':          value => 'vmail';
+    'local_recipient_maps': value => '';
   }
 
-  postfix::hash { '/etc/postfix/virtual': }
-  postfix::hash { '/etc/postfix/recipient': }
-
-  # for now, accept all mail
-  line {'deliver to vmail':
-    file    => '/etc/postfix/recipient',
-    line    => "@${domain} vmail",
-    notify  => Exec['generate /etc/postfix/recipient.db'],
-    require => Package['postfix'],
-  }
-
-  postfix::virtual { "@${domain}": destination => 'vmail'; }
-  #postfix::mailalias { 'vmail': recipient => 'vmail' }
+  #include site_postfix::mx::smtp_checks
 
   user { 'vmail':
     ensure     => present,
-- 
cgit v1.2.3


From e6c4f16351be546985432bf865d123a82024b9ae Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Fri, 26 Apr 2013 12:24:05 +0200
Subject: smtpd_checks: smtpd_data_restrictions

---
 puppet/modules/site_postfix/manifests/mx.pp              | 3 ++-
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 82536b80..72c38ab1 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -17,9 +17,10 @@ class site_postfix::mx {
     'virtual_alias_maps':   value => 'tcp:localhost:4242';
     'luser_relay':          value => 'vmail';
     'local_recipient_maps': value => '';
+    #'debug_peer_list':      value => '127.0.0.1';
   }
 
-  #include site_postfix::mx::smtp_checks
+  include site_postfix::mx::smtpd_checks
 
   user { 'vmail':
     ensure     => present,
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..e46bc149
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,8 @@
+class site_postfix::mx::smtpd_checks {
+
+  postfix::config {
+    'smtpd_data_restrictions':
+      value => 'permit_mynetworks, reject_unauth_pipelining, permit'
+  }
+
+}
-- 
cgit v1.2.3


From a1dc911c792e963cd814154a24a60dfaf147ecdc Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Mon, 29 Apr 2013 14:06:38 +0200
Subject: smtpd_checks: smtpd_delay_reject

---
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index e46bc149..b2f2d7c2 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -1,8 +1,9 @@
 class site_postfix::mx::smtpd_checks {
 
   postfix::config {
+    'smtpd_delay_reject': value => 'yes';
     'smtpd_data_restrictions':
-      value => 'permit_mynetworks, reject_unauth_pipelining, permit'
+      value => 'permit_mynetworks, reject_unauth_pipelining, permit';
   }
 
 }
-- 
cgit v1.2.3


From de4bdcddc33bd9aa2fc883ccef63f7c13543bb23 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Wed, 22 May 2013 19:39:37 +0200
Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts

---
 puppet/modules/site_postfix/manifests/mx.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 72c38ab1..a625cdcd 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -11,7 +11,7 @@ class site_postfix::mx {
     'mydestination':
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
     'smtpd_recipient_restrictions':
-      value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination';
+      value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
     'mailbox_size_limit':   value => '0';
     'home_mailbox':         value => 'Maildir/';
     'virtual_alias_maps':   value => 'tcp:localhost:4242';
-- 
cgit v1.2.3


From bcb165f6ed09dd51cc7b534a1fa5aafde21e3703 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Wed, 22 May 2013 19:40:13 +0200
Subject: beginning of smtp_auth config with client certs

---
 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp

diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..ab75130e
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,10 @@
+class site_postfix::mx::smtp_auth {
+  $x509 = hiera('x509')
+
+  postfix::config {
+    'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
+    'smtpd_tls_key_file':  value => $x509['client_ca_key'];
+    'smtpd_tls_ask_ccert': value => 'yes';
+    #'smtpd_tls_CAfile':    value =>
+  }
+}
-- 
cgit v1.2.3


From ff813f6da042e66b38a0c4c19df6956bdd5ca9c3 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 9 Jul 2013 15:39:56 +0200
Subject: updated submodule apt

---
 puppet/modules/apt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/puppet/modules/apt b/puppet/modules/apt
index 6bf7a6ab..1a72a996 160000
--- a/puppet/modules/apt
+++ b/puppet/modules/apt
@@ -1 +1 @@
-Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8
+Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee
-- 
cgit v1.2.3


From 3f31c74e7365a7508377324a9e0b26b3e746c0c1 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 9 Jul 2013 15:42:07 +0200
Subject: updated submodule couchdb

---
 puppet/modules/couchdb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 7b6c9a29..20deb065 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261
+Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6
-- 
cgit v1.2.3


From 9fae22550eb599baac912e88343a81d2517bba93 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 9 Jul 2013 15:42:59 +0200
Subject: updated submodule apache

---
 puppet/modules/apache | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/puppet/modules/apache b/puppet/modules/apache
index 090e59ad..c3e92a9b 160000
--- a/puppet/modules/apache
+++ b/puppet/modules/apache
@@ -1 +1 @@
-Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e
+Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c
-- 
cgit v1.2.3


From 0f95eccb08b80c02db99d57da413025813766d5e Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 9 Jul 2013 17:26:06 +0200
Subject: re-add mx service

---
 puppet/manifests/site.pp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 327b6a67..a340ce66 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -36,3 +36,7 @@ if $services =~ /\bmonitor\b/ {
 if $services =~ /\btor\b/ {
   include site_tor
 }
+
+if $services =~ /\bmx\b/ {
+  include site_mx
+}
-- 
cgit v1.2.3


From c11047649e1ef630b48b007fb757fcc68b747e62 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Wed, 10 Jul 2013 14:10:22 +0200
Subject: added tls support, including smtp auth via client cert

---
 puppet/modules/site_postfix/manifests/mx.pp        | 16 ++++++-----
 .../modules/site_postfix/manifests/mx/smtp_auth.pp | 10 -------
 puppet/modules/site_postfix/manifests/mx/tls.pp    | 31 ++++++++++++++++++++++
 3 files changed, 41 insertions(+), 16 deletions(-)
 delete mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
 create mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index a625cdcd..e9656072 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -3,6 +3,7 @@ class site_postfix::mx {
   $domain_hash         = hiera ('domain')
   $domain              = $domain_hash['full_suffix']
   $mx_hash             = hiera('mx')
+  $cert_name           = hiera('name')
 
   $root_mail_recipient = $mx_hash['contact']
   $postfix_smtp_listen = 'all'
@@ -12,15 +13,16 @@ class site_postfix::mx {
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
     'smtpd_recipient_restrictions':
       value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
-    'mailbox_size_limit':   value => '0';
-    'home_mailbox':         value => 'Maildir/';
-    'virtual_alias_maps':   value => 'tcp:localhost:4242';
-    'luser_relay':          value => 'vmail';
-    'local_recipient_maps': value => '';
+    'mailbox_size_limit':   value  => '0';
+    'home_mailbox':         value  => 'Maildir/';
+    'virtual_alias_maps':   value  => 'tcp:localhost:4242';
+    'luser_relay':          value  => 'vmail';
+    'local_recipient_maps': value  => '';
     #'debug_peer_list':      value => '127.0.0.1';
   }
 
   include site_postfix::mx::smtpd_checks
+  include site_postfix::mx::tls
 
   user { 'vmail':
     ensure     => present,
@@ -32,6 +34,8 @@ class site_postfix::mx {
 
   class { 'postfix':
     root_mail_recipient => $root_mail_recipient,
-    smtp_listen         => 'all'
+    smtp_listen         => 'all',
+    require             => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+      User['vmail'] ]
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
deleted file mode 100644
index ab75130e..00000000
--- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
+++ /dev/null
@@ -1,10 +0,0 @@
-class site_postfix::mx::smtp_auth {
-  $x509 = hiera('x509')
-
-  postfix::config {
-    'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
-    'smtpd_tls_key_file':  value => $x509['client_ca_key'];
-    'smtpd_tls_ask_ccert': value => 'yes';
-    #'smtpd_tls_CAfile':    value =>
-  }
-}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+  $x509                = hiera('x509')
+  $key                 = $x509['key']
+  $cert                = $x509['cert']
+  $client_ca           = $x509['client_ca_cert']
+
+  include x509::variables
+  $cert_name = hiera('name')
+  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${cert_name}.key"
+
+  x509::key { $cert_name:
+    content => $key,
+  }
+
+  x509::cert { $cert_name:
+    content => $cert,
+  }
+
+  postfix::config {
+    'smtpd_use_tls':        value  => 'yes';
+    'smtpd_tls_CAfile':     value  => $client_ca;
+    'smtpd_tls_cert_file':  value  => $cert_path;
+    'smtpd_tls_key_file':   value  => $key_path;
+    'smtpd_tls_req_ccert':  value  => 'yes';
+    'smtpd_tls_security_level':
+      value  => 'encrypt';
+  }
+
+}
-- 
cgit v1.2.3


From f64791335e40b2b6e05305a6d8dda989fb755b9d Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Mon, 15 Jul 2013 11:34:22 +0200
Subject: fix smtpd_recipient_restrictions, debug connections from localhost

---
 puppet/modules/site_postfix/manifests/mx.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index e9656072..5ec8ab49 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -12,13 +12,13 @@ class site_postfix::mx {
     'mydestination':
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
     'smtpd_recipient_restrictions':
-      value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
+      value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';
     'mailbox_size_limit':   value  => '0';
     'home_mailbox':         value  => 'Maildir/';
     'virtual_alias_maps':   value  => 'tcp:localhost:4242';
     'luser_relay':          value  => 'vmail';
     'local_recipient_maps': value  => '';
-    #'debug_peer_list':      value => '127.0.0.1';
+    'debug_peer_list':      value => '127.0.0.1';
   }
 
   include site_postfix::mx::smtpd_checks
-- 
cgit v1.2.3