From 7d5b9461958cdb795990459cd0dad29a36e59fdd Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 8 Dec 2015 14:17:11 -0500 Subject: Use client cert fingerprint lookup to determine if the user is allowed to relay mail through us (#3634) Change-Id: I46cf3ffbef4261839c376f4c36a50d9c44eb1374 --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 1c3e5c92..f2bd571b 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks { value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts - # with a lookup on $relay_clientcerts! Right now we are listing the only - # valid CA that client certificates can use in the $smtp_tls_CAfile parameter - # but we cannot cut off a certificate that should no longer be used unless - # we use permit_tls_clientcerts with the $relay_clientcerts lookup + + # permit_tls_clientcerts will lookup client cert fingerprints from the tcp + # lookup on port 2424 (based on what is configured in relay_clientcerts + # paramter, see site_postfix::mx postfix::config resource) to determine + # if a client is allowed to relay mail through us. This enables us to + # disable a user by removing their valid client cert (#3634) 'smtps_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': -- cgit v1.2.3