From fee571ccc4cd0cf8c665cf7446a0bb99c6dd30cf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 13:10:01 -0500 Subject: disable starttls over submission for client connections, we are using TLS wrapper mode on the smtps port 465 now (#4366) enable the missing smtpd_helo_restrictions for smtps Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6 --- puppet/modules/site_postfix/manifests/mx.pp | 5 +---- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 474ed03d..59d3030d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -55,10 +55,7 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -submission inet n - n - - smtpd - -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions - -o smtpd_helo_restrictions=\$submission_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0f1500a4..0ec40277 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -22,9 +22,7 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_helo_restrictions': + 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; -- cgit v1.2.3