From 9531b13447ff204a00a138a137818054603fe1c9 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 12:58:22 -0500
Subject: add a smtp_tls class and include that on both mx servers and satellites

Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728
---
 .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp

(limited to 'puppet/modules/site_postfix/manifests/mx')

diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
new file mode 100644
index 00000000..4b9c2fd9
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -0,0 +1,29 @@
+class site_postfix::mx::smtp_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ # smtp TLS
+ postfix::config {
+ 'smtp_use_tls': value => 'yes';
+ 'smtp_tls_CApath': value => '/etc/ssl/certs/';
+ 'smtp_tls_CAfile': value => $ca_path;
+ 'smtp_tls_cert_file': value => $cert_path;
+ 'smtp_tls_key_file': value => $key_path;
+ 'smtp_tls_loglevel': value => '1';
+ 'smtp_tls_exclude_ciphers':
+ value => 'aNULL, MD5, DES';
+ # upstream default is md5 (since 2.5 and older used it), we force sha1
+ 'smtp_tls_fingerprint_digest':
+ value => 'sha1';
+ 'smtp_tls_session_cache_database':
+ value => 'btree:${queue_directory}/smtp_cache';
+ 'smtp_tls_security_level':
+ value => 'may';
+ # see issue #4011
+ 'smtp_tls_protocols':
+ value => '!SSLv2, !SSLv3';
+ }
+}
--
cgit v1.2.3
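Review bot: With `'smtp_tls_security_level': value => 'may'` the client does opportunistic TLS, so the `smtp_tls_CAfile` and `smtp_tls_CApath` entries are never used to authenticate the peer and any server that does not offer STARTTLS is spoken to in cleartext; that is a reasonable choice for outbound MX traffic, but the hunk should say so, e.g. `# 'may' = opportunistic: no peer verification and cleartext fallback; CAfile/CApath only take effect at 'verify'/'secure'`. The exclusion list `'aNULL, MD5, DES'` also does not raise the cipher grade: for opportunistic TLS that is governed by `smtp_tls_ciphers`, which on the Postfix 2.x releases of this era defaulted to `export` if I recall correctly, so I would add `'smtp_tls_ciphers': value => 'medium';` next to it (and `smtp_tls_fingerprint_digest` is inert at this level, only the `fingerprint` level reads it). Separately, `$ca_path`, `$cert_path` and `$key_path` read `site_config::params::*` without an `include site_config::params`; if that class is not already evaluated earlier in the catalog these resolve to undef and the paths collapse to `.../.crt`, so consider adding the include beside `include x509::variables`.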