From 8684aa38ece3271a0eb0f8a1751f6c3297025afa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 28 Jul 2015 14:35:40 -0400 Subject: Support RBL blocking of incoming mail (#5923) Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158 --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ec40277..1c3e5c92 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => 'permit_mynetworks,permit'; + value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': -- cgit v1.2.3 From b5fbda1ca3832043e1636ee964a806ff222cb05f Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 21 Aug 2015 17:13:34 -0700 Subject: add support for configurable mail alias maps --- .../site_postfix/manifests/mx/reserved_aliases.pp | 15 ------ .../site_postfix/manifests/mx/static_aliases.pp | 58 ++++++++++++++++++++++ 2 files changed, 58 insertions(+), 15 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/static_aliases.pp (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp deleted file mode 100644 index 83e27376..00000000 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ /dev/null @@ -1,15 +0,0 @@ -# Defines which mail addresses shouldn't be available and where they should fwd -class site_postfix::mx::reserved_aliases { - - postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: - ensure => present, - recipient => 'root' - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp new file mode 100644 index 00000000..786d74c1 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -0,0 +1,58 @@ +# +# Defines static, hard coded aliases that are not in the database. +# + +class site_postfix::mx::static_aliases { + + $mx = hiera('mx') + $aliases = $mx['aliases'] + + # + # Predefined aliases. + # + # Defines which mail addresses shouldn't be available and where they should + # fwd + # + # TODO: reconcile this with the node property webapp.forbidden_usernames + # + # NOTE: if you remove one of these, they will still appear in the + # /etc/aliases file + # + postfix::mailalias { + [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', + 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', + 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', + 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', + 'www-data', + ]: + ensure => present, + recipient => 'root' + } + + # + # Custom aliases. + # + # This does not use the puppet mailalias resource because we want to be able + # to guarantee the contents of the alias file. This is needed so if you + # remove an alias from the node's config, it will get removed from the alias + # file. + # + + # both alias files must be listed under "alias_database", because once you + # specify one, then `newaliases` no longer will default to updating + # "/etc/aliases.db". + postfix::config { + 'alias_database': + value => "/etc/aliases, /etc/postfix/custom-aliases"; + 'alias_maps': + value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + } + + file { '/etc/postfix/custom-aliases': + content => template('site_postfix/custom-aliases.erb'), + owner => root, + group => root, + mode => 0600, + notify => Exec['newaliases'] + } +} -- cgit v1.2.3 From ffd340e7b014bc9f35fb6f9365230d483650cc1d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Sep 2015 13:03:01 -0400 Subject: rewrite openpgp header to be always correct (#7413) The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac --- .../site_postfix/manifests/mx/rewrite_openpgp_header.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp new file mode 100644 index 00000000..71f945b8 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp @@ -0,0 +1,11 @@ +class site_postfix::mx::rewrite_openpgp_header { + $mx = hiera('mx') + $correct_domain = $mx['key_lookup_domain'] + + file { '/etc/postfix/checks/rewrite_openpgp_headers': + content => template('site_postfix/checks/rewrite_openpgp_headers.erb'), + mode => '0644', + owner => root, + group => root; + } +} -- cgit v1.2.3 From 702bf139f407d60e7c297ceb67fc6c30fead1e61 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 11 Sep 2015 10:34:56 -0700 Subject: switch aliases to use virtual_alias_maps --- .../site_postfix/manifests/mx/static_aliases.pp | 32 ++++++++-------------- 1 file changed, 12 insertions(+), 20 deletions(-) (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index 786d74c1..d81e05b3 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -30,29 +30,21 @@ class site_postfix::mx::static_aliases { } # - # Custom aliases. - # - # This does not use the puppet mailalias resource because we want to be able - # to guarantee the contents of the alias file. This is needed so if you - # remove an alias from the node's config, it will get removed from the alias - # file. - # - - # both alias files must be listed under "alias_database", because once you - # specify one, then `newaliases` no longer will default to updating - # "/etc/aliases.db". - postfix::config { - 'alias_database': - value => "/etc/aliases, /etc/postfix/custom-aliases"; - 'alias_maps': - value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + # Custom static virtual aliases. + # + exec { 'postmap_virtual_aliases': + command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', + refreshonly => true, + user => root, + group => root, + require => Package['postfix'], + subscribe => File['/etc/postfix/virtual-aliases'] } - - file { '/etc/postfix/custom-aliases': - content => template('site_postfix/custom-aliases.erb'), + file { '/etc/postfix/virtual-aliases': + content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, mode => 0600, - notify => Exec['newaliases'] + require => Package['postfix'] } } -- cgit v1.2.3 From 36fea3b7f448f50d500c0ec1a30b8c745b6f8c4c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 10:54:24 -0400 Subject: minor linting Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54 --- puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index d81e05b3..e9118470 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -44,7 +44,7 @@ class site_postfix::mx::static_aliases { content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, - mode => 0600, + mode => '0600', require => Package['postfix'] } } -- cgit v1.2.3 From afd8867ba953513c6e08f957e3099f0ff3b1a3a2 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 24 Sep 2015 13:29:15 -0700 Subject: allow certain aliases, like 'abuse', to be publicly forwardable. --- .../site_postfix/manifests/mx/static_aliases.pp | 68 +++++++++++++++++----- 1 file changed, 53 insertions(+), 15 deletions(-) (limited to 'puppet/modules/site_postfix/manifests/mx') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index e9118470..71c0555a 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -1,37 +1,75 @@ # # Defines static, hard coded aliases that are not in the database. +# These aliases take precedence over the database aliases. +# +# There are three classes of reserved names: +# +# (1) forbidden_usernames: +# Some usernames are forbidden and cannot be registered. +# this is defined in node property webapp.forbidden_usernames +# This is enforced by the webapp. +# +# (2) public aliases: +# Some aliases for root, and are publicly exposed so that anyone +# can deliver mail to them. For example, postmaster. +# These are implemented in the virtual alias map, which takes +# precedence over the local alias map. +# +# (3) local aliases: +# Some aliases are only available locally: mail can be delivered +# to the alias if the mail originates from the local host, or is +# hostname qualified, but otherwise it will be rejected. +# These are implemented in the local alias map. +# +# The alias for local 'root' is defined elsewhere. In this file, we +# define the virtual 'root@domain' (which can be overwritten by +# defining an entry for root in node property mx.aliases). # class site_postfix::mx::static_aliases { $mx = hiera('mx') - $aliases = $mx['aliases'] + $root_recipients = hiera('contacts') # - # Predefined aliases. - # - # Defines which mail addresses shouldn't be available and where they should - # fwd - # - # TODO: reconcile this with the node property webapp.forbidden_usernames + # LOCAL ALIASES # + # NOTE: if you remove one of these, they will still appear in the # /etc/aliases file - # + $local_aliases = [ + 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', + 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', + 'usenet', 'uucp', 'www', 'www-data' + ] + postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: + $local_aliases: ensure => present, recipient => 'root' } # - # Custom static virtual aliases. + # PUBLIC ALIASES # + + $public_aliases = $mx['aliases'] + + $default_public_aliases = { + 'root' => $root_recipients, + 'abuse' => 'postmaster', + 'arin-admin' => 'root', + 'certmaster' => 'hostmaster', + 'domainadmin' => 'hostmaster', + 'hostmaster' => 'root', + 'mailer-daemon' => 'postmaster', + 'postmaster' => 'root', + 'security' => 'root', + 'webmaster' => 'hostmaster', + } + + $aliases = merge($default_public_aliases, $public_aliases) + exec { 'postmap_virtual_aliases': command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', refreshonly => true, -- cgit v1.2.3