From 27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Fri, 30 Aug 2013 15:01:15 -0400
Subject: change the master.cf_tail to pull in -o
 smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf,
 allowing us to setup specific restrictions for the smtps port

move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions

make a note about the permit_tls_all_clientcerts being something that we don't want in the future

remove check_sender_access check which was doing an unnecessary lookup

Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc
---
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp')

diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0973e625..640f2390 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -4,15 +4,22 @@ class site_postfix::mx::smtpd_checks {
     'smtpd_client_restrictions':
       value => 'permit_mynetworks,permit';
     'smtpd_data_restrictions':
-      value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit';
+      value => 'permit_mynetworks, reject_unauth_pipelining, permit';
     'smtpd_delay_reject':
       value => 'yes';
     'smtpd_helo_restrictions':
       value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit';
     'smtpd_recipient_restrictions':
-      value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+      value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+    # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts
+    # with a lookup on $relay_clientcerts! Right now we are listing the only
+    # valid CA that client certificates can use in the $smtp_tls_CAfile parameter
+    # but we cannot cut off a certificate that should no longer be used unless
+    # we use permit_tls_clientcerts with the $relay_clientcerts lookup
+    'smtps_recipient_restrictions':
+      value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
     'smtpd_sender_restrictions':
-      value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
+      value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
   }
 
 }
-- 
cgit v1.2.3