From db5fd91d32b215eb9827e36e2a51c98af993ab99 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 7 Mar 2013 18:16:13 +0100
Subject: added basic site_postfix::mx config
---
 puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 puppet/modules/site_postfix/manifests/mx.pp
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..9104c2cb
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -0,0 +1,16 @@
+class site_postfix::mx {
+
+ $domain_hash = hiera ('domain')
+ $domain = $domain_hash['full_suffix']
+
+ # see https://leap.se/code/issues/1936 for contact email addr
+ #$root_mail_recipient = ''
+ $postfix_smtp_listen = 'all'
+
+ postfix::config {
+ # just en example
+ 'delay_warning_time': value => '4h';
+ }
+
+ include ::postfix
+}
-- cgit v1.2.3
From 886551dfd2e6eb7dc51d15ebbd6393198dfde78f Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 22 Apr 2013 17:28:40 +0200
Subject: hiera variable mx.contact -> postfix $root_mail_recipient
---
 puppet/modules/site_postfix/manifests/mx.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 9104c2cb..15449001 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -1,10 +1,10 @@
 class site_postfix::mx {
- $domain_hash = hiera ('domain')
- $domain = $domain_hash['full_suffix']
+ $domain_hash = hiera ('domain')
+ $domain = $domain_hash['full_suffix']
+ $mx_hash = hiera('mx')
- # see https://leap.se/code/issues/1936 for contact email addr
- #$root_mail_recipient = ''
+ $root_mail_recipient = $mx_hash['contact']
 $postfix_smtp_listen = 'all'
 postfix::config {
-- cgit v1.2.3
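Review bot: `$postfix_smtp_listen = 'all'` is assigned but nothing in the class reads it, and `include ::postfix` passes nothing, so the value can only reach the module through dynamic variable lookup, which Puppet 2.7 deprecates and later versions remove. If that is the intended mechanism, say so on the line, e.g. `# read by the postfix module through dynamic scoping; must stay in this class`; otherwise pass it as a parameter or drop the assignment. `hiera ('domain')` also carries a stray space before the parenthesis that the other lookups do not. The same hunk appears again in commit 4db33aa76139e26678d1b989873532bc50937917.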
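Review bot: `$root_mail_recipient = $mx_hash['contact']` takes the contact address without checking that the key exists, so a hiera `mx` entry lacking `contact` yields undef and the MX's root alias is presumably left unset with no compile-time signal. Add a guard after the assignment, `if ! $root_mail_recipient { fail('hiera mx.contact must be set') }`, so a misconfigured node fails to compile rather than silently losing root mail. The enclosing class continues outside the hunk. Commit 8d93b0f2fa3198cf4071cf93d8213fbfc3e0a9be carries the same hunk.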
From d14758f02a6a7d2b8675ea538692bba44b72689d Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 22 Apr 2013 22:15:51 +0200
Subject: Configure Postfix for incoming mails (Feature #2269)
---
 puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 15449001..4bab7722 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,8 +8,46 @@ class site_postfix::mx {
 $postfix_smtp_listen = 'all'
 postfix::config {
- # just en example
- 'delay_warning_time': value => '4h';
+ 'mydestination':
+ value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+ 'smtpd_recipient_restrictions':
+ value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
+ 'mailbox_size_limit':
+ value => '0';
+ 'home_mailbox':
+ value => 'Maildir/';
+ 'virtual_alias_maps':
+ value => 'hash:/etc/postfix/virtual';
+ }
+
+ postfix::hash { '/etc/postfix/virtual': }
+ postfix::hash { '/etc/postfix/recipient': }
+
+ # for now, accept all mail
+ line {'deliver to vmail':
+ file => '/etc/postfix/recipient',
+ line => "@${domain} vmail",
+ notify => Exec['generate /etc/postfix/recipient.db'],
+ require => Package['postfix'],
+ }
+
+ postfix::virtual { "@${domain}": destination => 'vmail'; }
+ #postfix::mailalias { 'vmail': recipient => 'vmail' }
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
+ }
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
 }
 include ::postfix
-- cgit v1.2.3
From bb559881644c8207a7d2791655f535cf9bcd61be Mon Sep 17 00:00:00 2001
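Review bot: `user { 'vmail': ... }` is declared twice in this hunk with identical attributes, which Puppet rejects as a duplicate declaration, so the catalog cannot compile until the second block is removed. Separately, the access-table entry `line => "@${domain} vmail"` puts `vmail` on the right-hand side of a `check_recipient_access` lookup, a position that access(5) reads as an action or restriction name; unless `vmail` is meant to name a restriction, the intended "accept" is `OK`, and the `# for now, accept all mail` comment should state that delivery into the vmail account is done by the `postfix::virtual` entry, not by this line. The enclosing class starts outside the hunk. The same hunk recurs in commit f45c144272915ef839edd0cb47a1085d01d4c36a.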
From: Micah Anderson
Date: Tue, 23 Apr 2013 15:59:44 -0400
Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes
---
 puppet/modules/site_postfix/manifests/mx.pp | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 4bab7722..2bf844bf 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -42,13 +42,8 @@ class site_postfix::mx {
 managehome => true,
 }
- user { 'vmail':
- ensure => present,
- comment => 'Leap Mailspool',
- home => '/var/mail/vmail',
- shell => '/bin/false',
- managehome => true,
+ class { 'postfix':
+ root_mail_recipient => $root_mail_recipient,
+ smtp_listen => 'all'
 }
-
- include ::postfix
 }
-- cgit v1.2.3
From adc12547c53639fe9cf97157d05e2b401dc7c9c3 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 26 Apr 2013 10:09:21 +0200
Subject: using alias resolver
---
 puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------
 1 file changed, 7 insertions(+), 20 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2bf844bf..82536b80 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
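Review bot: `smtp_listen => 'all'` hard-codes the value that `$postfix_smtp_listen = 'all'`, assigned near the top of the class outside this hunk, was presumably meant to carry, so after this change that variable is dead. Either pass it, `smtp_listen => $postfix_smtp_listen,`, or delete the assignment so the class has a single source of truth for the listen setting. The enclosing class starts outside the hunk. Commit 9c08bdad1cbb5c9c71ef42b99d7ec491ed084269 repeats this hunk.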
@@ -11,28 +11,15 @@ class site_postfix::mx {
 'mydestination':
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
 'smtpd_recipient_restrictions':
- value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
- 'mailbox_size_limit':
- value => '0';
- 'home_mailbox':
- value => 'Maildir/';
- 'virtual_alias_maps':
- value => 'hash:/etc/postfix/virtual';
+ value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination';
+ 'mailbox_size_limit': value => '0';
+ 'home_mailbox': value => 'Maildir/';
+ 'virtual_alias_maps': value => 'tcp:localhost:4242';
+ 'luser_relay': value => 'vmail';
+ 'local_recipient_maps': value => '';
 }
- postfix::hash { '/etc/postfix/virtual': }
- postfix::hash { '/etc/postfix/recipient': }
-
- # for now, accept all mail
- line {'deliver to vmail':
- file => '/etc/postfix/recipient',
- line => "@${domain} vmail",
- notify => Exec['generate /etc/postfix/recipient.db'],
- require => Package['postfix'],
- }
-
- postfix::virtual { "@${domain}": destination => 'vmail'; }
- #postfix::mailalias { 'vmail': recipient => 'vmail' }
+ #include site_postfix::mx::smtp_checks
 user { 'vmail':
 ensure => present,
-- cgit v1.2.3
From e6c4f16351be546985432bf865d123a82024b9ae Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 26 Apr 2013 12:24:05 +0200
Subject: smtpd_checks: smtpd_data_restrictions
---
 puppet/modules/site_postfix/manifests/mx.pp | 3 ++-
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 82536b80..72c38ab1 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
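Review bot: `'local_recipient_maps': value => ''` switches off recipient validation for the `$mydestination` domains and `'luser_relay': value => 'vmail'` routes every unknown address into the vmail account, so the `tcp:localhost:2244` lookup in `smtpd_recipient_restrictions` becomes the only check between the MX and accepting arbitrary recipients for the domain, with spool growth and backscatter as the failure mode if that service answers too liberally. That deserves a comment at the restriction line, e.g. `# the resolver on :2244 is the sole recipient gate; local_recipient_maps is disabled below`, and operators should know that Postfix treats an unreachable tcp table as a temporary lookup error and defers mail while the resolver is down. `#include site_postfix::mx::smtp_checks` names a class that the following commit adds as `smtpd_checks`, so the commented include is already misspelled. The enclosing class starts and ends outside the hunk; commit a7bcd40d22769ec61b3fdb8d04dd447f6167ed7e repeats it.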
@@ -17,9 +17,10 @@ class site_postfix::mx {
 'virtual_alias_maps': value => 'tcp:localhost:4242';
 'luser_relay': value => 'vmail';
 'local_recipient_maps': value => '';
+ #'debug_peer_list': value => '127.0.0.1';
 }
- #include site_postfix::mx::smtp_checks
+ include site_postfix::mx::smtpd_checks
 user { 'vmail':
 ensure => present,
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..e46bc149
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,8 @@
+class site_postfix::mx::smtpd_checks {
+
+ postfix::config {
+ 'smtpd_data_restrictions':
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit'
+ }
+
+}
-- cgit v1.2.3
From a1dc911c792e963cd814154a24a60dfaf147ecdc Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Apr 2013 14:06:38 +0200
Subject: smtpd_checks: smtpd_delay_reject
---
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index e46bc149..b2f2d7c2 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -1,8 +1,9 @@
 class site_postfix::mx::smtpd_checks {
 postfix::config {
+ 'smtpd_delay_reject': value => 'yes';
 'smtpd_data_restrictions':
- value => 'permit_mynetworks, reject_unauth_pipelining, permit'
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit';
 }
 }
-- cgit v1.2.3
From de4bdcddc33bd9aa2fc883ccef63f7c13543bb23 Mon Sep 17 00:00:00 2001
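Review bot: The trailing `permit` in `'smtpd_data_restrictions'` is redundant, since a restriction list that reaches its end permits anyway, and the value lacks the trailing `;` that the other `postfix::config` blocks in this module use (the next commit adds it). A short comment on why `reject_unauth_pipelining` is placed at this stage would help the next reader, e.g. `# pipelining is only detectable once the client has sent commands, so the check runs at DATA`. Commit b50b03d8a2bc1970df696938b382ada79397ba07 repeats this hunk.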
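Review bot: `'smtpd_delay_reject': value => 'yes'` sets the Postfix default, so on its own the line changes nothing; keep it only with a comment saying it is made explicit, e.g. `# Postfix default, stated explicitly: evaluate restrictions at RCPT TO so rejections carry sender and recipient`. Otherwise drop it to keep the block to settings that differ from the defaults. Commit 874cbdc087fde630ef7c44b51974aa702a151c7c carries the same change.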
From: varac
Date: Wed, 22 May 2013 19:39:37 +0200
Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts
---
 puppet/modules/site_postfix/manifests/mx.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 72c38ab1..a625cdcd 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -11,7 +11,7 @@ class site_postfix::mx {
 'mydestination':
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
 'smtpd_recipient_restrictions':
- value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination';
+ value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
 'mailbox_size_limit': value => '0';
 'home_mailbox': value => 'Maildir/';
 'virtual_alias_maps': value => 'tcp:localhost:4242';
-- cgit v1.2.3
From bcb165f6ed09dd51cc7b534a1fa5aafde21e3703 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 22 May 2013 19:40:13 +0200
Subject: beginning of smtp_auth config with client certs
---
 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..ab75130e
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,10 @@
+class site_postfix::mx::smtp_auth {
+ $x509 = hiera('x509')
+
+ postfix::config {
+ 'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
+ 'smtpd_tls_key_file': value => $x509['client_ca_key'];
+ 'smtpd_tls_ask_ccert': value => 'yes';
+ #'smtpd_tls_CAfile': value =>
+ }
+}
-- cgit v1.2.3
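Review bot: `permit_tls_all_clientcerts` is appended after `reject_unauth_destination`, and smtpd restriction lists stop at the first matching entry, so a client presenting a trusted certificate and relaying to a non-local domain is still rejected before the permit is reached; the permit only fires for local destinations, which `reject_unauth_destination` would have let through anyway. If certificate-authenticated relaying is the goal, the line should read `value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';`, which is what commit f64791335e40b2b6e05305a6d8dda989fb755b9d later does. The enclosing class starts and ends outside the hunk. Commit 901a06d29c0c658b479f4c5a0828b263d7d6de0f repeats this hunk.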
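Review bot: `'smtpd_tls_cert_file': value => $x509['client_ca_cert']` and `'smtpd_tls_key_file': value => $x509['client_ca_key']` make the server present the client CA's certificate as its own identity and hand the CA's private key to the Postfix TLS layer, which misidentifies the MX and exposes the key that signs client certificates to the smtpd process. The server needs its own certificate and key in those two settings, while the client CA belongs in `smtpd_tls_CAfile`, which this hunk leaves commented out; with no CAfile, `smtpd_tls_ask_ccert = yes` requests certificates that cannot be verified, so `permit_tls_all_clientcerts` in mx.pp can never match. Whether these hiera values are paths or PEM bodies is not visible here, and the `smtpd_tls_*_file` settings take paths. The file is replaced by `mx/tls.pp` in commit c11047649e1ef630b48b007fb757fcc68b747e62; commit aa5be3d639c5445d3a069c72eb5c20e209440721 repeats this hunk.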
From c11047649e1ef630b48b007fb757fcc68b747e62 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 10 Jul 2013 14:10:22 +0200
Subject: added tls support, including smtp auth via client cert
---
 puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++-----
 .../modules/site_postfix/manifests/mx/smtp_auth.pp | 10 -------
 puppet/modules/site_postfix/manifests/mx/tls.pp | 31 ++++++++++++++++++++++
 3 files changed, 41 insertions(+), 16 deletions(-)
 delete mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
 create mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index a625cdcd..e9656072 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -3,6 +3,7 @@ class site_postfix::mx {
 $domain_hash = hiera ('domain')
 $domain = $domain_hash['full_suffix']
 $mx_hash = hiera('mx')
+ $cert_name = hiera('name')
 $root_mail_recipient = $mx_hash['contact']
 $postfix_smtp_listen = 'all'
@@ -12,15 +13,16 @@ class site_postfix::mx {
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
 'smtpd_recipient_restrictions':
 value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
- 'mailbox_size_limit': value => '0';
- 'home_mailbox': value => 'Maildir/';
- 'virtual_alias_maps': value => 'tcp:localhost:4242';
- 'luser_relay': value => 'vmail';
- 'local_recipient_maps': value => '';
+ 'mailbox_size_limit': value => '0';
+ 'home_mailbox': value => 'Maildir/';
+ 'virtual_alias_maps': value => 'tcp:localhost:4242';
+ 'luser_relay': value => 'vmail';
+ 'local_recipient_maps': value => '';
 #'debug_peer_list': value => '127.0.0.1';
 }
 include site_postfix::mx::smtpd_checks
+ include site_postfix::mx::tls
 user { 'vmail':
 ensure => present,
@@ -32,6 +34,8 @@ class site_postfix::mx {
 class { 'postfix':
 root_mail_recipient => $root_mail_recipient,
- smtp_listen => 'all'
+ smtp_listen => 'all',
+ require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+ User['vmail'] ]
 }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
deleted file mode 100644
index ab75130e..00000000
--- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
+++ /dev/null
@@ -1,10 +0,0 @@
-class site_postfix::mx::smtp_auth {
- $x509 = hiera('x509')
-
- postfix::config {
- 'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
- 'smtpd_tls_key_file': value => $x509['client_ca_key'];
- 'smtpd_tls_ask_ccert': value => 'yes';
- #'smtpd_tls_CAfile': value =>
- }
-}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $client_ca = $x509['client_ca_cert']
+
+ include x509::variables
+ $cert_name = hiera('name')
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key { $cert_name:
+ content => $key,
+ }
+
+ x509::cert { $cert_name:
+ content => $cert,
+ }
+
+ postfix::config {
+ 'smtpd_use_tls': value => 'yes';
+ 'smtpd_tls_CAfile': value => $client_ca;
+ 'smtpd_tls_cert_file': value => $cert_path;
+ 'smtpd_tls_key_file': value => $key_path;
+ 'smtpd_tls_req_ccert': value => 'yes';
+ 'smtpd_tls_security_level':
+ value => 'encrypt';
+ }
+
+}
-- cgit v1.2.3
From f64791335e40b2b6e05305a6d8dda989fb755b9d Mon Sep 17 00:00:00 2001
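Review bot: `'smtpd_tls_security_level': value => 'encrypt'` together with `'smtpd_tls_req_ccert': value => 'yes'` makes TLS and a certificate issued by `$client_ca` mandatory for every client on port 25, so any other domain's MTA without such a certificate (or without TLS at all) cannot deliver to this MX, and RFC 3207 states that a publicly referenced SMTP server must not require TLS. Commit 80b196be84d96b92e83acc680130a01370298c13 relaxes the level to `may`, which also makes `smtpd_tls_req_ccert` inert, so the design apparently wanted optional TLS with `smtpd_tls_ask_ccert = yes` and relay granted through `permit_tls_all_clientcerts`; a comment above the `postfix::config` block stating that intent would prevent the next person from re-tightening it. Separately, `$cert` and `$key` from the same hiera hash are written to disk through `content =>` before their paths go to Postfix, but `$client_ca = $x509['client_ca_cert']` is passed straight to `smtpd_tls_CAfile`, which expects a path; if that entry is PEM text like its siblings, the CA needs the same write-out and a `$ca_path` here.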
From: varac
Date: Mon, 15 Jul 2013 11:34:22 +0200
Subject: fix smtpd_recipient_restrictions, debug connections from localhost
---
 puppet/modules/site_postfix/manifests/mx.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index e9656072..5ec8ab49 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -12,13 +12,13 @@ class site_postfix::mx {
 'mydestination':
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
 'smtpd_recipient_restrictions':
- value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts';
+ value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';
 'mailbox_size_limit': value => '0';
 'home_mailbox': value => 'Maildir/';
 'virtual_alias_maps': value => 'tcp:localhost:4242';
 'luser_relay': value => 'vmail';
 'local_recipient_maps': value => '';
- #'debug_peer_list': value => '127.0.0.1';
+ 'debug_peer_list': value => '127.0.0.1';
 }
 include site_postfix::mx::smtpd_checks
-- cgit v1.2.3
From 4db33aa76139e26678d1b989873532bc50937917 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 7 Mar 2013 18:16:13 +0100
Subject: added basic site_postfix::mx config
---
 puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 puppet/modules/site_postfix/manifests/mx.pp
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..9104c2cb
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
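Review bot: `'debug_peer_list': value => '127.0.0.1'` is enabled unconditionally in the production manifest with no scope or removal plan, so every session from localhost (the resolver lookups and local submissions included) gets raised logging verbosity indefinitely. Gate it behind a hiera flag or move it into a separately included debug class, as commit 231f6a03a93caa914bc04d40af2cb203ded676fb later does, and leave a comment such as `# verbose logging for localhost peers only; not for production`. The reorder that puts `permit_tls_all_clientcerts` ahead of `reject_unauth_destination` is what certificate-based relaying needs, but it makes the CA behind `smtpd_tls_CAfile` the relay authorization boundary; a comment at that line, `# any client certificate issued by smtpd_tls_CAfile is allowed to relay`, would make that trust decision visible. The enclosing class starts and ends outside the hunk.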
@@ -0,0 +1,16 @@
+class site_postfix::mx {
+
+ $domain_hash = hiera ('domain')
+ $domain = $domain_hash['full_suffix']
+
+ # see https://leap.se/code/issues/1936 for contact email addr
+ #$root_mail_recipient = ''
+ $postfix_smtp_listen = 'all'
+
+ postfix::config {
+ # just en example
+ 'delay_warning_time': value => '4h';
+ }
+
+ include ::postfix
+}
-- cgit v1.2.3
From 8d93b0f2fa3198cf4071cf93d8213fbfc3e0a9be Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 22 Apr 2013 17:28:40 +0200
Subject: hiera variable mx.contact -> postfix $root_mail_recipient
---
 puppet/modules/site_postfix/manifests/mx.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 9104c2cb..15449001 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -1,10 +1,10 @@
 class site_postfix::mx {
- $domain_hash = hiera ('domain')
- $domain = $domain_hash['full_suffix']
+ $domain_hash = hiera ('domain')
+ $domain = $domain_hash['full_suffix']
+ $mx_hash = hiera('mx')
- # see https://leap.se/code/issues/1936 for contact email addr
- #$root_mail_recipient = ''
+ $root_mail_recipient = $mx_hash['contact']
 $postfix_smtp_listen = 'all'
 postfix::config {
-- cgit v1.2.3
From f45c144272915ef839edd0cb47a1085d01d4c36a Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 22 Apr 2013 22:15:51 +0200
Subject: Configure Postfix for incoming mails (Feature #2269)
---
 puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 15449001..4bab7722 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,8 +8,46 @@ class site_postfix::mx {
 $postfix_smtp_listen = 'all'
 postfix::config {
- # just en example
- 'delay_warning_time': value => '4h';
+ 'mydestination':
+ value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+ 'smtpd_recipient_restrictions':
+ value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
+ 'mailbox_size_limit':
+ value => '0';
+ 'home_mailbox':
+ value => 'Maildir/';
+ 'virtual_alias_maps':
+ value => 'hash:/etc/postfix/virtual';
+ }
+
+ postfix::hash { '/etc/postfix/virtual': }
+ postfix::hash { '/etc/postfix/recipient': }
+
+ # for now, accept all mail
+ line {'deliver to vmail':
+ file => '/etc/postfix/recipient',
+ line => "@${domain} vmail",
+ notify => Exec['generate /etc/postfix/recipient.db'],
+ require => Package['postfix'],
+ }
+
+ postfix::virtual { "@${domain}": destination => 'vmail'; }
+ #postfix::mailalias { 'vmail': recipient => 'vmail' }
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
+ }
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
 }
 include ::postfix
-- cgit v1.2.3
From 9c08bdad1cbb5c9c71ef42b99d7ec491ed084269 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 23 Apr 2013 15:59:44 -0400
Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes
---
 puppet/modules/site_postfix/manifests/mx.pp | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 4bab7722..2bf844bf 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -42,13 +42,8 @@ class site_postfix::mx {
 managehome => true,
 }
- user { 'vmail':
- ensure => present,
- comment => 'Leap Mailspool',
- home => '/var/mail/vmail',
- shell => '/bin/false',
- managehome => true,
+ class { 'postfix':
+ root_mail_recipient => $root_mail_recipient,
+ smtp_listen => 'all'
 }
-
- include ::postfix
 }
-- cgit v1.2.3
From a7bcd40d22769ec61b3fdb8d04dd447f6167ed7e Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 26 Apr 2013 10:09:21 +0200
Subject: using alias resolver
---
 puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------
 1 file changed, 7 insertions(+), 20 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2bf844bf..82536b80 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -11,28 +11,15 @@ class site_postfix::mx {
 'mydestination':
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
 'smtpd_recipient_restrictions':
- value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
- 'mailbox_size_limit':
- value => '0';
- 'home_mailbox':
- value => 'Maildir/';
- 'virtual_alias_maps':
- value => 'hash:/etc/postfix/virtual';
+ value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination';
+ 'mailbox_size_limit': value => '0';
+ 'home_mailbox': value => 'Maildir/';
+ 'virtual_alias_maps': value => 'tcp:localhost:4242';
+ 'luser_relay': value => 'vmail';
+ 'local_recipient_maps': value => '';
 }
- postfix::hash { '/etc/postfix/virtual': }
- postfix::hash { '/etc/postfix/recipient': }
-
- # for now, accept all mail
- line {'deliver to vmail':
- file => '/etc/postfix/recipient',
- line => "@${domain} vmail",
- notify => Exec['generate /etc/postfix/recipient.db'],
- require => Package['postfix'],
- }
-
- postfix::virtual { "@${domain}": destination => 'vmail'; }
- #postfix::mailalias { 'vmail': recipient => 'vmail' }
+ #include site_postfix::mx::smtp_checks
 user { 'vmail':
 ensure => present,
-- cgit v1.2.3
From b50b03d8a2bc1970df696938b382ada79397ba07 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 26 Apr 2013 12:24:05 +0200
Subject: smtpd_checks: smtpd_data_restrictions
---
 puppet/modules/site_postfix/manifests/mx.pp | 3 ++-
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 82536b80..72c38ab1 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -17,9 +17,10 @@ class site_postfix::mx {
 'virtual_alias_maps': value => 'tcp:localhost:4242';
 'luser_relay': value => 'vmail';
 'local_recipient_maps': value => '';
+ #'debug_peer_list': value => '127.0.0.1';
 }
- #include site_postfix::mx::smtp_checks
+ include site_postfix::mx::smtpd_checks
 user { 'vmail':
 ensure => present,
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..e46bc149
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,8 @@
+class site_postfix::mx::smtpd_checks {
+
+ postfix::config {
+ 'smtpd_data_restrictions':
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit'
+ }
+
+}
-- cgit v1.2.3
From 874cbdc087fde630ef7c44b51974aa702a151c7c Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Apr 2013 14:06:38 +0200
Subject: smtpd_checks: smtpd_delay_reject
---
 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index e46bc149..b2f2d7c2 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -1,8 +1,9 @@
 class site_postfix::mx::smtpd_checks {
 postfix::config {
+ 'smtpd_delay_reject': value => 'yes';
 'smtpd_data_restrictions':
- value => 'permit_mynetworks, reject_unauth_pipelining, permit'
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit';
 }
 }
-- cgit v1.2.3
From e5e64291b584340032655ff7c9398067691b06f6 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 22 Apr 2013 22:15:51 +0200
Subject: Configure Postfix for incoming mails (Feature #2269)
---
 puppet/modules/site_postfix/manifests/mx.pp | 31 ++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 72c38ab1..0d2a545a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -18,9 +18,36 @@ class site_postfix::mx {
 'luser_relay': value => 'vmail';
 'local_recipient_maps': value => '';
 #'debug_peer_list': value => '127.0.0.1';
+ value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';
+ 'mailbox_size_limit':
+ value => '0';
+ 'home_mailbox':
+ value => 'Maildir/';
+ 'virtual_alias_maps':
+ value => 'hash:/etc/postfix/virtual';
 }
- include site_postfix::mx::smtpd_checks
+ postfix::hash { '/etc/postfix/virtual': }
+ postfix::hash { '/etc/postfix/recipient': }
+
+ # for now, accept all mail
+ line {'deliver to vmail':
+ file => '/etc/postfix/recipient',
+ line => "@${domain} vmail",
+ notify => Exec['generate /etc/postfix/recipient.db'],
+ require => Package['postfix'],
+ }
+
+ postfix::virtual { "@${domain}": destination => 'vmail'; }
+ #postfix::mailalias { 'vmail': recipient => 'vmail' }
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
+ }
 user { 'vmail':
 ensure => present,
@@ -30,6 +57,8 @@ class site_postfix::mx {
 managehome => true,
 }
+ include site_postfix::mx::smtpd_checks
+
 class { 'postfix':
 root_mail_recipient => $root_mail_recipient,
 smtp_listen => 'all'
-- cgit v1.2.3
From c601ad1021dabc0301097f7c32123c44fc06ca75 Mon Sep 17 00:00:00 2001
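Review bot: `+ value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination';` is inserted directly after the `#'debug_peer_list'` comment with no resource title in front of it, which is a syntax error inside the `postfix::config` block, and the `'mailbox_size_limit'`, `'home_mailbox'` and `'virtual_alias_maps'` entries added below it duplicate titles that, per the preceding commits on this page, the same block already declares, which Puppet rejects as duplicate declarations. The `user { 'vmail': ... }` added here also duplicates the one visible in the context lines right after it. This reads as a mis-resolved rebase of commit d14758f02a6a7d2b8675ea538692bba44b72689d onto the alias-resolver version of the file; the hunk should be dropped rather than patched, since the hash-based recipient table it reintroduces was deliberately replaced by the `tcp:localhost:2244` lookup. The enclosing class starts and ends outside the hunk.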
From: Micah Anderson
Date: Tue, 23 Apr 2013 15:59:44 -0400
Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes
---
 puppet/modules/site_postfix/manifests/mx.pp | 8 --------
 1 file changed, 8 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 0d2a545a..932cdd75 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -49,14 +49,6 @@ class site_postfix::mx {
 managehome => true,
 }
- user { 'vmail':
- ensure => present,
- comment => 'Leap Mailspool',
- home => '/var/mail/vmail',
- shell => '/bin/false',
- managehome => true,
- }
-
 include site_postfix::mx::smtpd_checks
 class { 'postfix':
-- cgit v1.2.3
From 6b4d0522e1578ea1a0683c6a8d6c4117dca67d2f Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 26 Apr 2013 10:09:21 +0200
Subject: using alias resolver
---
 puppet/modules/site_postfix/manifests/mx.pp | 14 +------------
 1 file changed, 1 insertion(+), 13 deletions(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 932cdd75..ee9bce3e 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -27,19 +27,7 @@ class site_postfix::mx {
 value => 'hash:/etc/postfix/virtual';
 }
- postfix::hash { '/etc/postfix/virtual': }
- postfix::hash { '/etc/postfix/recipient': }
-
- # for now, accept all mail
- line {'deliver to vmail':
- file => '/etc/postfix/recipient',
- line => "@${domain} vmail",
- notify => Exec['generate /etc/postfix/recipient.db'],
- require => Package['postfix'],
- }
-
- postfix::virtual { "@${domain}": destination => 'vmail'; }
- #postfix::mailalias { 'vmail': recipient => 'vmail' }
+ #include site_postfix::mx::smtp_checks
 user { 'vmail':
 ensure => present,
-- cgit v1.2.3
From 2a853087a0bec5f9ec166fff538bda9076bb8369 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 26 Apr 2013 12:24:05 +0200
Subject: smtpd_checks: smtpd_data_restrictions
---
 puppet/modules/site_postfix/manifests/mx.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index ee9bce3e..24698878 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -27,7 +27,7 @@ class site_postfix::mx {
 value => 'hash:/etc/postfix/virtual';
 }
- #include site_postfix::mx::smtp_checks
+ include site_postfix::mx::smtpd_checks
 user { 'vmail':
 ensure => present,
-- cgit v1.2.3
From 901a06d29c0c658b479f4c5a0828b263d7d6de0f Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 22 May 2013 19:39:37 +0200
Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts
---
 puppet/modules/site_postfix/manifests/mx.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 24698878..fa2765a4 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
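Review bot: The context line ` value => 'hash:/etc/postfix/virtual';` at the top of the hunk shows that the orphaned `value =>` line and the duplicate `mailbox_size_limit`/`home_mailbox`/`virtual_alias_maps` entries introduced by commit e5e64291b584340032655ff7c9398067691b06f6 are still inside the `postfix::config` block; this commit removes the hash resources and the `line` entry but leaves that block, so the manifest presumably still fails to parse. The removal should extend upward to those stray entries so the block again ends at `'local_recipient_maps': value => '';`. `#include site_postfix::mx::smtp_checks` is also misspelled relative to the `smtpd_checks` class the following commit includes. The enclosing class starts and ends outside the hunk.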
@@ -11,7 +11,7 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; -- cgit v1.2.3 From aa5be3d639c5445d3a069c72eb5c20e209440721 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:40:13 +0200 Subject: beginning of smtp_auth config with client certs --- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp new file mode 100644 index 00000000..ab75130e --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -0,0 +1,10 @@ +class site_postfix::mx::smtp_auth { + $x509 = hiera('x509') + + postfix::config { + 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; + 'smtpd_tls_key_file': value => $x509['client_ca_key']; + 'smtpd_tls_ask_ccert': value => 'yes'; + #'smtpd_tls_CAfile': value => + } +} -- cgit v1.2.3 From 80b196be84d96b92e83acc680130a01370298c13 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 17:56:26 +0200 Subject: use smtpd_tls_security_level = may in postfix config (Bug #3348) --- puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 7da38100..4b7a2626 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp 
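Review bot: `permit_tls_all_clientcerts` is appended after `reject_unauth_destination` in `smtpd_recipient_restrictions`, so a client presenting a certificate is still rejected for every non-local destination before the permit is reached, and because the list already ends in an implicit permit the new entry changes nothing at all. If the intent is to let certificate holders relay, the permit has to precede the reject: `value => 'check_recipient_access tcp:localhost:2244, permit_tls_all_clientcerts, reject_unauth_destination';`. Note also that `permit_tls_all_clientcerts` trusts any certificate chaining to any CA in `smtpd_tls_CAfile` with no way to revoke a single one (Postfix does not consult CRLs); `permit_tls_clientcerts` with a `relay_clientcerts` fingerprint table is the safer primitive, and the companion `smtp_auth.pp` in this commit leaves `smtpd_tls_CAfile` commented out, so nothing here verifies the certificates yet.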
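Review bot: The new `site_postfix::mx::smtp_auth` sets `smtpd_tls_cert_file` and `smtpd_tls_key_file` to `$x509['client_ca_cert']` and `$x509['client_ca_key']`, which makes the MX present the client CA certificate as its own server identity and loads the CA signing key into the smtpd process. A compromise of the MX TLS key then lets an attacker mint client certificates that `permit_tls_all_clientcerts` will accept; the server should use its own per-node key and certificate, and the client CA belongs only in `smtpd_tls_CAfile` (left commented out here, so `smtpd_tls_ask_ccert = yes` requests certificates that are never verified). The `tls.pp` hunks later on this page show that split, so this class should not carry key material at all.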
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -25,7 +25,7 @@ class site_postfix::mx::tls { 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_req_ccert': value => 'yes'; 'smtpd_tls_security_level': - value => 'encrypt'; + value => 'may'; } } -- cgit v1.2.3 From 231f6a03a93caa914bc04d40af2cb203ded676fb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 12:14:01 +0200 Subject: added site_postfix::debug for debugging (#3538) --- puppet/modules/site_postfix/manifests/debug.pp | 9 +++++++++ puppet/modules/site_postfix/manifests/mx.pp | 4 +++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/debug.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/debug.pp b/puppet/modules/site_postfix/manifests/debug.pp new file mode 100644 index 00000000..f370d166 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/debug.pp @@ -0,0 +1,9 @@ +class site_postfix::debug { + + postfix::config { + 'debug_peer_list': value => '127.0.0.1'; + 'debug_peer_level': value => '1'; + 'smtpd_tls_loglevel': value => '1'; + } + +} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0581f147..d7637c70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,12 +18,14 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; - 'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks include site_postfix::mx::tls + # greater verbosity for debugging, take out for production + include site_postfix::debug + user { 'vmail': ensure => present, comment => 'Leap Mailspool', -- cgit v1.2.3 From 4bcf6fbba365097286c9a411436d2d6b686336c0 Mon Sep 17 00:00:00 2001 
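Review bot: Switching `smtpd_tls_security_level` from `encrypt` to `may` is the right call for port 25, but the context line `'smtpd_tls_req_ccert': value => 'yes';` in the same block only has meaning under mandatory TLS; with optional TLS Postfix ignores it (logging a warning on the 2.x releases of this era), so the commit leaves a setting that no longer does what it says. Change it in the same commit to `'smtpd_tls_ask_ccert': value => 'yes';` so the client certificate is still requested for `permit_tls_all_clientcerts`, and add a comment that `may` is deliberate because remote MTAs cannot be forced to TLS on port 25. The rest of the class is outside the hunk.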
From: varac Date: Wed, 28 Aug 2013 12:18:16 +0200 Subject: integrate manual postfix config changes in puppet (Feature #3538) --- puppet/modules/site_postfix/manifests/mx.pp | 1 - puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d7637c70..7e2082d9 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -17,7 +17,6 @@ class site_postfix::mx { 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; - 'local_recipient_maps': value => ''; } include site_postfix::mx::smtpd_checks diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 4b7a2626..8c9da9db 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -23,7 +23,7 @@ class site_postfix::mx::tls { 'smtpd_tls_CAfile': value => $client_ca; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_req_ccert': value => 'yes'; + 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; } -- cgit v1.2.3 From f52d2e77f3b3f0c478fcaa192e02683d7508a728 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 16:37:49 +0200 Subject: SMTP checks (Feature #2304) --- puppet/modules/site_postfix/manifests/mx.pp | 2 -- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 11 ++++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7e2082d9..53dd9be4 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -11,8 +11,6 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; - 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index b2f2d7c2..bda666f8 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,9 +1,18 @@ class site_postfix::mx::smtpd_checks { postfix::config { - 'smtpd_delay_reject': value => 'yes'; + 'smtpd_client_restrictions': + value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; + 'smtpd_delay_reject': + value => 'yes'; + 'smtpd_helo_restrictions': + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + 'smtpd_recipient_restrictions': + value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'smtpd_sender_restrictions': + value => 'check_sender_access tcp:localhost:2244, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From 683a1dbe729d3979c9390e2d0aeb5e0e4c258370 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 16:02:07 +0200 Subject: Deploy postfix with an empty main.cf as beginning (Feature #3584) --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 53dd9be4..ed5b3832 100644 
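Review bot: In the new `smtpd_recipient_restrictions`, `check_recipient_access tcp:localhost:2244` runs before `reject_unauth_destination`, so any recipient for which the tcp service answers `OK` is accepted for relaying to any domain; unless that service is guaranteed to answer only `DUNNO`/`REJECT`, either move the lookup after `reject_unauth_destination` or make the service return `DUNNO` for known recipients. `check_sender_access tcp:localhost:2244` in `smtpd_sender_restrictions` sends envelope senders to the same recipient-lookup service, which looks unintended and is an extra round trip per message. Because `smtpd_helo_restrictions` are only enforced when a HELO is actually sent, `'smtpd_helo_required': value => 'yes';` should accompany them, otherwise a client that skips HELO bypasses the whole list. The tcp lookups are cleartext to localhost, which is fine as long as 2244 never becomes reachable off-host.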
--- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,6 +32,7 @@ class site_postfix::mx { } class { 'postfix': + preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', require => [ X509::Key[$cert_name], X509::Cert[$cert_name], -- cgit v1.2.3 From 6c508c1c938fa2933d633fa7896505e23128c997 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:00:33 +0200 Subject: fix smtpd mail restrictions (Feature #3166) --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index bda666f8..0973e625 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
@@ -4,15 +4,15 @@ class site_postfix::mx::smtpd_checks { 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit'; + value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; 'smtpd_recipient_restrictions': - value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': - value => 'check_sender_access tcp:localhost:2244, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; + value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From ddcab83dda101ee335bbf37451f37e2bfe358c7f Mon Sep 17 00:00:00 2001 
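Review bot: Placing `permit_tls_all_clientcerts` ahead of `reject_unauth_destination` on the port-25 listener turns every certificate that chains to `smtpd_tls_CAfile` into a relay credential on the public MTA port, with no per-certificate revocation since Postfix does not consult CRLs. In `smtpd_data_restrictions` it additionally lets such clients skip `reject_unauth_pipelining`, which protects the server from protocol abuse rather than authenticating anyone and should stay unconditional: `value => 'permit_mynetworks, reject_unauth_pipelining, permit';`. If relay-by-client-cert is wanted, confine it to the TLS-only submission services and prefer `permit_tls_clientcerts` with a `relay_clientcerts` fingerprint table so individual certificates can be cut off.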
From: Micah Anderson Date: Thu, 29 Aug 2013 16:14:53 -0400 Subject: Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index ed5b3832..18815f70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,6 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } -- cgit v1.2.3 From 27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Fri, 30 Aug 2013 15:01:15 -0400 Subject: change the master.cf_tail to pull in -o smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions make a note about the permit_tls_all_clientcerts being something that we don't want in the future remove check_sender_access check which was doing an unnecessary lookup Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 18815f70..e9f662c3 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,7 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0973e625..640f2390 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
@@ -4,15 +4,22 @@ class site_postfix::mx::smtpd_checks { 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': - value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit'; + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; 'smtpd_recipient_restrictions': - value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts + # with a lookup on $relay_clientcerts! Right now we are listing the only + # valid CA that client certificates can use in the $smtp_tls_CAfile parameter + # but we cannot cut off a certificate that should no longer be used unless + # we use permit_tls_clientcerts with the $relay_clientcerts lookup + 'smtps_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': - value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; + value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From ff26ca98604d9e3f3856cca2af678b21c096d1ee Mon Sep 17 00:00:00 2001 
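Review bot: The new comment refers to `$smtp_tls_CAfile`, but the parameter that governs which CAs the server accepts client certificates from is `smtpd_tls_CAfile` (`smtp_tls_CAfile` only affects outbound connections), so the note should name the right knob. When the planned move to `permit_tls_clientcerts` with `relay_clientcerts` happens, pin the digest as well, because Postfix of this era defaults `smtpd_tls_fingerprint_digest` to `md5`: `'smtpd_tls_fingerprint_digest': value => 'sha256';`. `smtps_recipient_restrictions` is a site-defined parameter that only takes effect where master.cf references it with `-o smtpd_recipient_restrictions=$smtps_recipient_restrictions`; a one-line comment saying so would stop the next reader from assuming Postfix applies it by name.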
From: Micah Anderson Date: Fri, 30 Aug 2013 15:19:43 -0400 Subject: postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa --- puppet/modules/site_postfix/manifests/mx.pp | 8 +++++++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9f662c3..eddf19f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,7 +35,13 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", + mastercf_tail => + "smtps inet n - - - - smtpd\n + -o smtpd_tls_wrappermode=yes\n + -o smtpd_tls_security_level=encrypt\n + submission inet n - n - - smtpd\n + -o smtpd_tls_security_level=encrypt\n + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 640f2390..7ade8588 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
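Review bot: The rewritten `mastercf_tail` drops `-o smtpd_recipient_restrictions=$smtps_recipient_restrictions` from the `smtps` service, so port 465 now falls back to the main.cf `smtpd_recipient_restrictions`, which after the previous commit no longer contains `permit_tls_all_clientcerts`; certificate-authenticated clients on 465 are refused relaying by `reject_unauth_destination`, and `smtps_recipient_restrictions` becomes dead configuration. Re-add the override under the smtps entry: `-o smtpd_recipient_restrictions=\$smtps_recipient_restrictions`. The string also mixes literal line breaks with `\n` escapes inside a double-quoted Puppet string, which produces blank lines and indented service names in master.cf; use one or the other.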
@@ -18,8 +18,10 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; - } + } } -- cgit v1.2.3 From 822f92c3ff3fb8ef640b7e1c10819f367014f8d1 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 2 Sep 2013 17:02:55 +0200 Subject: disable postfix debugging by default --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index eddf19f2..2e68297d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -21,7 +21,7 @@ class site_postfix::mx { include site_postfix::mx::tls # greater verbosity for debugging, take out for production - include site_postfix::debug + #include site_postfix::debug user { 'vmail': ensure => present, -- cgit v1.2.3 From 8d69a43fe97079f9595ed460bfa36c4bfd6cb0a8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:22:40 -0400 Subject: Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693) Change-Id: I6a7338136a53e16962a070826493139fa3307df7 --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..34cffb0d 100644 
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_helo_required': + value => 'yes'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': -- cgit v1.2.3 From cfdbad27fe0b1c5e98b127f2c3d22258e233ef11 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:37:21 -0400 Subject: add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4 --- puppet/modules/site_postfix/manifests/checks.pp | 23 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/mx.pp | 1 + .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- .../site_postfix/templates/checks/helo_access.erb | 21 ++++++++++++++++++++ 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/templates/checks/helo_access.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp new file mode 100644 index 00000000..06f9a7a4 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/checks.pp @@ -0,0 +1,23 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Class['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } +} 
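Review bot: `template('site_postfix/checks/helo_access.erb')` expands `<%= domain %>`, but `site_postfix::checks` never declares `$domain`; it is only found through Puppet 2.7 dynamic scoping from the class that includes it, which Puppet 3 removes, and an empty value yields a malformed access-map line instead of the intended own-domain reject. Declare it explicitly before the template call, e.g. `$domain = $site_postfix::mx::domain` or the same hiera lookup that class performs. The `postmap` exec is ordered after the file but not before the Postfix service reload the module presumably performs, so on a first deploy smtpd can be reloaded while `helo_checks.db` does not yet exist and will tempfail HELO checks with a map-open error; add a `before`/`notify` relationship to the postfix service resource.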
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2e68297d..e5dc1c7b 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,6 +18,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks + include site_postfix::checks include site_postfix::mx::tls # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..795c1703 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'checks_dir': + value => '$config_directory/checks'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': @@ -8,7 +10,7 @@ class site_postfix::mx::smtpd_checks { 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': - value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb new file mode 100644 index 00000000..bef3c11d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb 
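Review bot: `check_helo_access hash:$checks_dir/helo_checks` is placed after `reject_invalid_helo_hostname` and `reject_non_fqdn_helo_hostname`, so the `OK` whitelist entries the template documents (`switch1 OK`) can never take effect on port 25 and bare-word entries like `foobar REJECT` are unreachable because the FQDN check rejects them first. If the file is meant to both whitelist and blacklist, move it ahead of the FQDN checks: `value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit';`; if it is only a blacklist, say so in a comment and drop the `OK` examples. A comment that `checks_dir` is a site-defined main.cf parameter (expanded by Postfix like any other `$name`) would also help.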
@@ -0,0 +1,21 @@ +# THIS FILE IS MANAGED BY PUPPET +# To make changes to this file, please edit your platform directory under +# puppet/modules/site_postfix/templates/checks/helo_access.erb and then deploy + +# The format of this file is the HELO/EHLO domain followed by an action. +# The action could be OK to allow it, REJECT to reject it, or a custom +# status code and message. Any lines that are prefixed by an octothorpe (#) +# will be considered comments. + +# Some examples: +# +# Reject anyone that HELO's with foobar: +# foobar REJECT +# +# Allow the switches to skip this check: +# switch1 OK +# switch2 OK + +# Reject anybody that HELO's as being in our own domain(s) +# anyone who identifies themselves as us is a virus/spammer +<%= domain %> 554 You are not in domain <%= domain %> -- cgit v1.2.3 From d901c602f61697f329e37bc92209c264755094c1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 15:26:23 +0200 Subject: Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667) --- puppet/modules/site_postfix/manifests/mx.pp | 7 ++++--- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e5dc1c7b..515b6825 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -42,8 +42,9 @@ class site_postfix::mx { -o smtpd_tls_security_level=encrypt\n submission inet n - n - - smtpd\n -o smtpd_tls_security_level=encrypt\n - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", - require => [ X509::Key[$cert_name], X509::Cert[$cert_name], - User['vmail'] ] + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions\n + -o smtpd_helo_restrictions=\$submission_helo_restrictions", + require => + [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } } 
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index b1536d64..7aea71fb 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -24,6 +24,8 @@ class site_postfix::mx::smtpd_checks { value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'submission_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_helo_restrictions': + value => 'permit_mynetworks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } -- cgit v1.2.3 From 1c0bde0eef6f693a3a67b88eed40173d9f4cf756 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 16:20:02 +0200 Subject: fix $master_cf_tail format --- puppet/modules/site_postfix/manifests/mx.pp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 515b6825..2d8f3db5 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -37,14 +37,14 @@ class site_postfix::mx { root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', mastercf_tail => - "smtps inet n - - - - smtpd\n - -o smtpd_tls_wrappermode=yes\n - -o smtpd_tls_security_level=encrypt\n - submission inet n - n - - smtpd\n - -o smtpd_tls_security_level=encrypt\n - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions\n - -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => - [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + "smtps inet n - - - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_tls_security_level=encrypt +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions + -o smtpd_helo_restrictions=\$submission_helo_restrictions", + require => [ + X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } } -- cgit v1.2.3 From ccdf90ea9c48efbaa34dda8f23d6a95db9970cd9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 18:46:09 +0200 Subject: use check_helo_access hash:/helo_checks also for $submission_helo_restrictions --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7aea71fb..0f1500a4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
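Review bot: The two services differ in the chroot column: `smtps inet n - - - - smtpd` leaves it at the Postfix default (chrooted on the 2.x releases in use here) while `submission inet n - n - - smtpd` disables it, so the two TLS listeners run with different isolation for no stated reason. Choose one deliberately, either `n` on both or the default on both, and add a comment explaining the choice, since a chrooted smtpd needs resolver and CA files copied under the queue directory that a non-chrooted one reads from `/etc`. The smtps entry still carries no `-o smtpd_recipient_restrictions=\$smtps_recipient_restrictions`, so that parameter remains unused after this reformat.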
@@ -25,7 +25,7 @@ class site_postfix::mx::smtpd_checks { 'submission_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'submission_helo_restrictions': - value => 'permit_mynetworks, permit'; + value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } -- cgit v1.2.3 From 1f9003eb6ed90400279011d477e6143e2eb6e2db Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 16:50:59 +0200 Subject: use x509 for postfix ca and fix names for cert+key (Feature #3833) --- puppet/modules/site_postfix/manifests/mx.pp | 3 +-- puppet/modules/site_postfix/manifests/mx/tls.pp | 20 ++++---------------- 2 files changed, 5 insertions(+), 18 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2d8f3db5..4a7d66ed 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -44,7 +44,6 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => [ - X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + require => Class['Site_config::X509'] } } diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 8c9da9db..34df72bb 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
@@ -1,26 +1,14 @@ class site_postfix::mx::tls { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $client_ca = $x509['client_ca_cert'] - include x509::variables - $cert_name = hiera('name') - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { $cert_name: - content => $key, - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - x509::cert { $cert_name: - content => $cert, - } postfix::config { 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_CAfile': value => $ca_path; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_ask_ccert': value => 'yes'; -- cgit v1.2.3 From 1ce6cb5a30c5ee73d6474ac9c1bbd4c7819d9a73 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:19:00 +0200 Subject: only deploy x509 stuff for nodes if it existes in hiera (Feature #3875) --- puppet/modules/site_postfix/manifests/mx.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4a7d66ed..32465e01 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,9 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' + include site_config::x509::cert_key + include site_config::x509::client_ca + postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 
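Review bot: The tls.pp hunk removes `include x509::variables` yet still expands `${x509::variables::local_CAs}`, `${x509::variables::certs}` and `${x509::variables::keys}`, and it references `${site_config::params::client_ca_name}` and `${site_config::params::cert_name}` without including `site_config::params`. Fully qualified variables of a class that has not been evaluated resolve to undef (a warning in Puppet 2.7, an error in later versions), so the three paths can collapse to `/.crt` and `/.key` and Postfix would start without usable TLS material. Add `include x509::variables` and `include site_config::params` at the top of the class; the remaining `postfix::config` entries and the class close lie outside the hunk.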
@@ -44,6 +47,9 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => Class['Site_config::X509'] + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Client_ca'], + User['vmail'] ] } } -- cgit v1.2.3 From ffa4504f81c0abecc62b068951ec147741028128 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:09:30 +0200 Subject: seperate cert and key deployment (#3918) --- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 32465e01..d56b526f 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,7 +8,8 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::client_ca postfix::config { @@ -48,7 +49,8 @@ submission inet n - n - - smtpd -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Client_ca'], User['vmail'] ] } -- cgit v1.2.3 From 1adbf7af76b10d44a53de28d23f4c7167dc4f941 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 18:02:05 +0200 Subject: fix client_ca cert+key for mx service (Feature #3921) --- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 4 ---- 2 files changed, 4 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_postfix') 
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d56b526f..abc0ab46 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -10,7 +10,8 @@ class site_postfix::mx { include site_config::x509::cert include site_config::x509::key - include site_config::x509::client_ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key postfix::config { 'mydestination': @@ -51,7 +52,8 @@ submission inet n - n - - smtpd require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], - Class['Site_config::X509::Client_ca'], + Class['Site_config::X509::Client_ca::Key'], + Class['Site_config::X509::Client_ca::Ca'], User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp index ab75130e..afa70527 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -1,10 +1,6 @@ class site_postfix::mx::smtp_auth { - $x509 = hiera('x509') postfix::config { - 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; - 'smtpd_tls_key_file': value => $x509['client_ca_key']; 'smtpd_tls_ask_ccert': value => 'yes'; - #'smtpd_tls_CAfile': value => } } -- cgit v1.2.3 From af6e944090a3b54ca605b1b6145fbb7c008fb093 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 25 Sep 2013 14:22:07 -0400 Subject: add smtp_tls_received_header to include information about the protocol and cipher used as well as the client and issuer CommonName into the "Received:" header Also, clean up the parameters to standardize them Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4 --- puppet/modules/site_postfix/manifests/mx.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_postfix') 
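Review bot: The MX now includes `site_config::x509::client_ca::key`, which by its name deploys the client CA's private key onto the internet-facing MTA, yet Postfix needs only the CA certificate (`smtpd_tls_CAfile`) to verify client certificates; the one consumer of that key, the `smtpd_tls_key_file` line in smtp_auth.pp, is removed in this same commit. Unless another service on this node signs client certificates (not visible here), drop the `client_ca::key` include and the `Class['Site_config::X509::Client_ca::Key']` requirement so a compromise of the MX cannot mint relay-capable client certificates. The require array and class start lie outside this hunk.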
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index abc0ab46..80b750d0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -16,10 +16,16 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; - 'mailbox_size_limit': value => '0'; - 'home_mailbox': value => 'Maildir/'; - 'virtual_alias_maps': value => 'tcp:localhost:4242'; - 'luser_relay': value => 'vmail'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'tcp:localhost:4242'; + 'luser_relay': + value => 'vmail'; + 'smtpd_tls_received_header': + value => 'yes'; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From 8cbd46a5c62a4f6d91f03283ea9072e7fcc943d8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 25 Sep 2013 13:06:42 -0400 Subject: properly set the $smtps_recipient_restrictions variable in master.cf (#3935) Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index abc0ab46..88922c00 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -45,6 +45,7 @@ class site_postfix::mx { "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -- cgit v1.2.3 From a457f610aca8544b4c9e3a3f4ddcc4d00a05baf6 Mon Sep 17 00:00:00 2001 
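Review bot: `smtpd_tls_received_header = yes` makes smtpd record protocol, cipher and, with `smtpd_tls_ask_ccert = yes` elsewhere in this module, the client certificate's CN and issuer in the `Received:` header of every accepted message, so the authenticated user's certificate identity is published to every external recipient alongside the client IP. If that is not intended, pair it with a `header_checks` rewrite of that line before delivery, and add a comment on the new line such as `# exposes client cert CN/issuer in Received:; scrubbed by header_checks` once that exists. The class and the rest of this `postfix::config` block extend beyond the hunk.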
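Review bot: The new `smtps` override sets only `smtpd_recipient_restrictions`, while the `submission` entry right below also overrides `smtpd_helo_restrictions`, so the two client ports apply different HELO policy and smtps inherits the global one. Add `-o smtpd_helo_restrictions=\$submission_helo_restrictions` (or an smtps-specific parameter) to the smtps entry so both ports are checked alike. The master.cf heredoc starts before this hunk.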
From: Micah Anderson Date: Thu, 26 Sep 2013 14:53:37 -0400 Subject: Add client-side TLS configuration (#3868) Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..89b63ba1 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -17,3 +17,24 @@ class site_postfix::mx::tls { } } + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_ask_ccert': value => 'yes'; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + } + + -- cgit v1.2.3 From 407fad442822e04d311ecfbc7bc54de0b037d3a9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:11:39 -0400 Subject: set myhostname in postfix the internet hostname of this mail system. The default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869) Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6 --- puppet/modules/site_postfix/manifests/mx.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0eb7a7cd..e44b7a9a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp 
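Review bot: `smtp_tls_fingerprint_digest` is forced to `sha1`, which is already a weak choice for certificate fingerprints; Postfix accepts any digest OpenSSL provides, so `'smtp_tls_fingerprint_digest': value => 'sha256';` costs nothing and only matters if a destination is ever set to the `fingerprint` level, which `may` does not use. I also cannot find `smtp_tls_ask_ccert` in postconf(5) (only `smtpd_tls_ask_ccert` exists; the client side presents its cert via `smtp_tls_cert_file`), so postconf will likely log it as an unused parameter and the line can be dropped. The class opening is outside this hunk.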
+++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -2,6 +2,7 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] + $host_domain = $domain_hash['full'] $mx_hash = hiera('mx') $cert_name = hiera('name') @@ -16,6 +17,8 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'myhostname': + value => $host_domain; 'mailbox_size_limit': value => '0'; 'home_mailbox': -- cgit v1.2.3 From f531ec536a55d756262329f516f1b3bdccf4f0b4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:20:19 -0400 Subject: setup smtpd_tls_eecdh_grade to 'ultra' and configure the smtpd_tls_dh1024_param file, after generating it (#3953) Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..9122a974 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
@@ -14,6 +14,37 @@ class site_postfix::mx::tls { 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + exec { 'certtool-postfix-gendh-1024': + command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + user => root, + group => root, + creates => '/etc/postfix/dh_1024.pem', + require => Package['gnutls-bin'] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/dh_1024.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh-1024']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/dh_1024.pem', + require => File['/etc/postfix/dh_1024.pem'] } } -- cgit v1.2.3 From 56f7b18d03f5ea337a68d653b422834c9283cfab Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 9122a974..5e399f5c 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
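Review bot: The DH group is generated at 1024 bits and, because of `creates`, never regenerated, which is below current recommendations for finite-field DH; `smtpd_tls_dh1024_param_file` accepts a larger prime, so use `--bits 2048`. `smtpd_tls_eecdh_grade = ultra` selects a 571-bit binary curve that many clients do not support, and the Postfix TLS documentation recommends `strong` (P-256) unless there is a specific need, so `'smtpd_tls_eecdh_grade': value => 'strong'` is the safer interoperability choice. The exec also has no dependency on `Package['postfix']`, so on a fresh node `/etc/postfix` may not exist when certtool runs.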
@@ -25,17 +25,21 @@ class site_postfix::mx::tls { include site_config::packages::gnutls + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, - creates => '/etc/postfix/dh_1024.pem', + creates => '/etc/postfix/smtpd_tls_dh_param.pem', require => Package['gnutls-bin'] } # Make sure the dh params file has correct ownership and mode file { - '/etc/postfix/dh_1024.pem': + '/etc/postfix/smtpd_tls_dh_param.pem': owner => root, group => root, mode => '0600', @@ -43,8 +47,8 @@ class site_postfix::mx::tls { } postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/dh_1024.pem', - require => File['/etc/postfix/dh_1024.pem'] + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] } } -- cgit v1.2.3 From 9acb4a7c2a36f12a5ca71e5c4c74364d344e2c5f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:45:57 -0400 Subject: only use TLSv1 or later for smtp (Feature #4011) Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f --- puppet/modules/site_postfix/manifests/mx/tls.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet/modules/site_postfix') 
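Review bot: The comment added at the top of the hunk still says the file is called `dh_1024.pem`, but the exec now writes `/etc/postfix/smtpd_tls_dh_param.pem`, and the exec title `certtool-postfix-gendh-1024` is equally stale; reword to `# smtpd_tls_dh1024_param_file accepts a prime of any size; we generate 2048 bits into smtpd_tls_dh_param.pem`. Nodes that already ran the previous version keep an unused `/etc/postfix/dh_1024.pem` that nothing removes; add `file { '/etc/postfix/dh_1024.pem': ensure => absent }` so the weaker group is not left lying around. The class opening is outside this hunk.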
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 3bc7d85b..96cfa911 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -70,6 +70,9 @@ class site_postfix::mx::tls { value => 'btree:${queue_directory}/smtp_cache'; 'smtp_tls_security_level': value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; } -- cgit v1.2.3 From ed694ff4b412c36801e17c93c0ee587da1ebc981 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 17:57:48 -0400 Subject: implement stripping user's home IPs from Received headers (#3866) Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0 --- .../modules/site_postfix/files/checks/received_anon | 2 ++ puppet/modules/site_postfix/manifests/checks.pp | 20 +++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/files/checks/received_anon (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon new file mode 100644 index 00000000..2822973e --- /dev/null +++ b/puppet/modules/site_postfix/files/checks/received_anon @@ -0,0 +1,2 @@ +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8 diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp index 06f9a7a4..31399d32 100644 --- a/puppet/modules/site_postfix/manifests/checks.pp +++ b/puppet/modules/site_postfix/manifests/checks.pp 
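Review bot: Only the SMTP client side excludes SSLv2/SSLv3 here; the server side of this class (`smtpd_tls_security_level = may`, plus the `encrypt`-level smtps/submission services) has no matching `smtpd_tls_protocols` or `smtpd_tls_mandatory_protocols`, so inbound MTAs and mail clients can still negotiate SSLv3. Add `'smtpd_tls_protocols': value => '!SSLv2, !SSLv3';` and `'smtpd_tls_mandatory_protocols': value => '!SSLv2, !SSLv3';` alongside the smtpd settings. Note that `smtp_tls_protocols` governs only the opportunistic `may` level; `smtp_tls_mandatory_protocols` would be needed if any destination is raised to `encrypt` or `verify`.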
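Review bot: The rewrite is fail-open: any `Received:` line the pattern does not match is delivered unchanged, client IP included. The address sub-pattern `\[[.[:digit:]]{7,15}\]` matches only dotted IPv4, so an IPv6 client (`[IPv6:...]`) leaks, and `Client CN "([[:alnum:]]+)"` rejects CNs containing `.`, `-` or `_`, while `\(verified OK\)` skips any line where the certificate did not verify. Loosen those to `\[[^]]+\]` and `Client CN "([^"]+)"`, and add a second, broader rule after this one that REPLACEs any remaining `Received: from ... by <this host>` line so that nothing slips through when the first pattern fails.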
@@ -6,7 +6,7 @@ class site_postfix::checks { mode => '0755', owner => root, group => postfix, - require => Class['postfix']; + require => Package['postfix']; '/etc/postfix/checks/helo_checks': content => template('site_postfix/checks/helo_access.erb'), @@ -20,4 +20,22 @@ class site_postfix::checks { refreshonly => true, subscribe => File['/etc/postfix/checks/helo_checks']; } + + # Anonymize the user's home IP from the email headers (Feature #3866) + package { 'postfix-pcre': ensure => installed } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } + + postfix::config { + 'header_checks': + value => 'pcre:/etc/postfix/checks/received_anon', + require => File['/etc/postfix/checks/received_anon']; + } + } -- cgit v1.2.3 From 5d25466e8365577c48df98afdd22d2880b7ef5ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 96cfa911..cff686e5 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
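Review bot: `package { 'postfix-pcre' }` has no relation to `Package['postfix']` or to the new `header_checks` entry, so on a fresh node Puppet may write `header_checks = pcre:...` and reload Postfix before the pcre map type is installed; cleanup then cannot open the table and mail is deferred. Add `require => Package['postfix']` to the package and `Package['postfix-pcre']` to the `postfix::config` require list, e.g. `require => [ File['/etc/postfix/checks/received_anon'], Package['postfix-pcre'] ];`. Notifying `Service['postfix']` from the file resource is right, since pcre maps need no postmap.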
@@ -29,8 +29,8 @@ class site_postfix::mx::tls { # parameters Neither Postfix nor OpenSSL actually care about the size of the # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits - exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', + exec { 'certtool-postfix-gendh': + command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, creates => '/etc/postfix/smtpd_tls_dh_param.pem', @@ -43,7 +43,7 @@ class site_postfix::mx::tls { owner => root, group => root, mode => '0600', - require => Exec['certtool-postfix-gendh-1024']; + require => Exec['certtool-postfix-gendh']; } postfix::config { 'smtpd_tls_dh1024_param_file': -- cgit v1.2.3 From 9890125a57c3a06792e8d08ba15f1b636c764c61 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 8 Oct 2013 19:39:18 -0400 Subject: setup email account 'blacklist' by configuring reserved aliases, effectively implementing RFC2142 and more (#3602) Change-Id: Ic2765b25ff9e1560def4900a1bf38dc8023b0ffa --- puppet/modules/site_postfix/manifests/mx.pp | 1 + .../modules/site_postfix/manifests/mx/reserved_aliases.pp | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e44b7a9a..a043c277 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -34,6 +34,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::checks include site_postfix::mx::tls + include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production #include site_postfix::debug 
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp new file mode 100644 index 00000000..6df53355 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -0,0 +1,13 @@ +class site_postfix::reserved_aliases { + + postfix::mailalias { + [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', + 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', + 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', + 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', + 'ftp': + ensure => present, + recipient => 'root' + } + +} -- cgit v1.2.3 From b22a3524c99f9205c8078d5542718e3625e68244 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:14:24 +0200 Subject: fix site_postfix::mx::reserved_aliases class name and package array --- puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp index 6df53355..aea66f78 100644 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -1,11 +1,11 @@ -class site_postfix::reserved_aliases { +class site_postfix::mx::reserved_aliases { postfix::mailalias { [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', - 'ftp': + 'ftp' ]: ensure => present, recipient => 'root' } -- cgit v1.2.3 From 2a291df14f20a3e3ac1eeebbaf50c79feb2012ed Mon Sep 17 00:00:00 2001 
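Review bot: Routing these names to `root` via aliases(5) only takes effect for recipients that reach local delivery; mx.pp sets `virtual_alias_maps = tcp:localhost:4242`, which is consulted first, so if a user can register a name like `postmaster` that lookup wins and the alias is never reached. The reservation therefore also has to be enforced where accounts are created, and this file should say so: `# Delivery-side safety net only: account creation must also refuse these names (RFC 2142)`. Whether `root` itself resolves depends on `root_mail_recipient` being set on the same node, which is not visible here.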
From: varac Date: Thu, 10 Oct 2013 18:15:56 +0200 Subject: contacts is now a top-level hiera variable --- puppet/modules/site_postfix/manifests/mx.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a043c277..08d57a24 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -3,10 +3,9 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] - $mx_hash = hiera('mx') $cert_name = hiera('name') - $root_mail_recipient = $mx_hash['contact'] + $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' include site_config::x509::cert -- cgit v1.2.3 From 04e270616db7d486eeacb298aed173731c9a2fe2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:49:36 +0200 Subject: deploy postfix satellites on all nodes (Bug #1683) --- puppet/modules/site_postfix/manifests/satellite.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/satellite.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp new file mode 100644 index 00000000..de20b667 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -0,0 +1,11 @@ +class site_postfix::satellite { + + $root_mail_recipient = hiera ('contacts') + $mail = hiera ('mail') + $relayhost = $mail['smarthost'] + + class { '::postfix::satellite': + relayhost => $relayhost, + root_mail_recipient => $root_mail_recipient + } +} -- cgit v1.2.3 From 2a4ae58cc5e3f6e4a1e09ef6a9f15ade1e2c59fa Mon Sep 17 00:00:00 2001 
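Review bot: `relayhost => $relayhost` passes the smarthost name without brackets, so Postfix performs an MX lookup on it instead of connecting to that host directly; for a specific relay the usual form is `relayhost => "[${relayhost}]"` (with `:port` if not 25). Nothing here enforces TLS toward the smarthost, and whether `::postfix::satellite` sets `smtp_tls_security_level` is not visible, so confirm that system mail (cron, root alerts) from every node is not relayed in cleartext, e.g. by setting `smtp_tls_security_level = encrypt` on satellites.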
From: varac Date: Thu, 10 Oct 2013 18:53:13 +0200 Subject: move site_config::checks to site_config::mx::checks --- puppet/modules/site_postfix/manifests/checks.pp | 41 ---------------------- puppet/modules/site_postfix/manifests/mx.pp | 2 +- puppet/modules/site_postfix/manifests/mx/checks.pp | 41 ++++++++++++++++++++++ 3 files changed, 42 insertions(+), 42 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/checks.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp deleted file mode 100644 index 31399d32..00000000 --- a/puppet/modules/site_postfix/manifests/checks.pp +++ /dev/null @@ -1,41 +0,0 @@ -class site_postfix::checks { - - file { - '/etc/postfix/checks': - ensure => directory, - mode => '0755', - owner => root, - group => postfix, - require => Package['postfix']; - - '/etc/postfix/checks/helo_checks': - content => template('site_postfix/checks/helo_access.erb'), - mode => '0644', - owner => root, - group => root; - } - - exec { - '/usr/sbin/postmap /etc/postfix/checks/helo_checks': - refreshonly => true, - subscribe => File['/etc/postfix/checks/helo_checks']; - } - - # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed } - - file { '/etc/postfix/checks/received_anon': - source => 'puppet:///modules/site_postfix/checks/received_anon', - mode => '0644', - owner => root, - group => root, - notify => Service['postfix'] - } - - postfix::config { - 'header_checks': - value => 'pcre:/etc/postfix/checks/received_anon', - require => File['/etc/postfix/checks/received_anon']; - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 08d57a24..474ed03d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp 
+++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -31,7 +31,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks - include site_postfix::checks + include site_postfix::mx::checks include site_postfix::mx::tls include site_postfix::mx::reserved_aliases diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp new file mode 100644 index 00000000..31399d32 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -0,0 +1,41 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Package['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } + + # Anonymize the user's home IP from the email headers (Feature #3866) + package { 'postfix-pcre': ensure => installed } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } + + postfix::config { + 'header_checks': + value => 'pcre:/etc/postfix/checks/received_anon', + require => File['/etc/postfix/checks/received_anon']; + } + +} -- cgit v1.2.3 From f2cd05902a9dd64beb1417ddb1d9994c4dc29b14 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 22:08:07 +0200 Subject: class moved but forgot to rename --- puppet/modules/site_postfix/manifests/mx/checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 31399d32..6b19891c 100644 
--- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -1,4 +1,4 @@ -class site_postfix::checks { +class site_postfix::mx::checks { file { '/etc/postfix/checks': -- cgit v1.2.3 From 747bfed900f53461fa342d7fa2c44b9275d3a8d1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Oct 2013 13:31:26 -0400 Subject: require postfix is installed before installing postfix-pcre (#4223) Change-Id: I547b99becb8b16fec0ac89f06fb6d833cbde3c2b --- puppet/modules/site_postfix/manifests/mx/checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 6b19891c..5d75a5e5 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -22,7 +22,7 @@ class site_postfix::mx::checks { } # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed } + package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } file { '/etc/postfix/checks/received_anon': source => 'puppet:///modules/site_postfix/checks/received_anon', -- cgit v1.2.3 From 12f13e38f0776f801907841b8fe4ab65f67ad060 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Oct 2013 14:34:27 -0400 Subject: certtool-postfix-gendh attempted before postfix is installed (Bug #4340) Change-Id: I4ffb5b9203741d1152dfd93ef9ecc45f6a6088d4 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index cff686e5..08978efd 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
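Review bot: The package is now ordered after `postfix`, but the `header_checks` entry further down (outside this hunk) still has no dependency on `Package['postfix-pcre']`, so the config can still be written and the service reloaded before the pcre map type exists. Extend that require to `require => [ File['/etc/postfix/checks/received_anon'], Package['postfix-pcre'] ];`. The enclosing class starts before this hunk.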
@@ -34,7 +34,7 @@ class site_postfix::mx::tls { user => root, group => root, creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => Package['gnutls-bin'] + require => [ Package['gnutls-bin'], Package['postfix'] ] } # Make sure the dh params file has correct ownership and mode -- cgit v1.2.3 From fee571ccc4cd0cf8c665cf7446a0bb99c6dd30cf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 13:10:01 -0500 Subject: disable starttls over submission for client connections, we are using TLS wrapper mode on the smtps port 465 now (#4366) enable the missing smtpd_helo_restrictions for smtps Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6 --- puppet/modules/site_postfix/manifests/mx.pp | 5 +---- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 474ed03d..59d3030d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -55,10 +55,7 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -submission inet n - n - - smtpd - -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions - -o smtpd_helo_restrictions=\$submission_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0f1500a4..0ec40277 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
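Review bot: With `submission` removed, smtps is the only client port and it still inherits the global `smtpd_sender_restrictions` (`permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit` in smtpd_checks.pp), so any certificate-authenticated client can use an arbitrary envelope sender. Postfix has no built-in certificate-to-sender binding, but the policy delegation protocol hands `ccert_subject`/`ccert_fingerprint` to a `check_policy_service`, so the existing `tcp:localhost:2244` service (or a new one) could enforce it via `-o smtpd_sender_restrictions=...` on the smtps entry. The master.cf heredoc and class start lie outside this hunk.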
@@ -22,9 +22,7 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_helo_restrictions': + 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; -- cgit v1.2.3 From 411b7ebb8bce00a81002d1abb9f7c488571ddb47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:57:20 -0500 Subject: rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate class for smtp vs. smtpd tls configurations Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3 --- .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 53 +++++++++++++++ puppet/modules/site_postfix/manifests/mx/tls.pp | 78 ---------------------- 2 files changed, 53 insertions(+), 78 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp delete mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp new file mode 100644 index 00000000..5714218c --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp 
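Review bot: The context comment says `permit_tls_clientcerts` with a `$relay_clientcerts` lookup, but the value uses `permit_tls_all_clientcerts`, which grants relay to every certificate chaining to `smtpd_tls_CAfile`; Postfix does no revocation checking, so a lost or revoked client certificate keeps relay rights until the CA is rotated. Either correct the comment or switch to `permit_tls_clientcerts` with a `relay_clientcerts` fingerprint table that can be pruned. Separately, `check_recipient_access tcp:localhost:2244` precedes `reject_unauth_destination`, and an `OK` from that service permits the whole transaction including relay for unauthenticated clients, so the service must answer `DUNNO` for acceptable recipients or `reject_unauth_destination` should be moved ahead of it.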
@@ -0,0 +1,53 @@
+class site_postfix::mx::smtpd_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+
+ postfix::config {
+ 'smtpd_use_tls': value => 'yes';
+ 'smtpd_tls_CAfile': value => $ca_path;
+ 'smtpd_tls_cert_file': value => $cert_path;
+ 'smtpd_tls_key_file': value => $key_path;
+ 'smtpd_tls_ask_ccert': value => 'yes';
+ 'smtpd_tls_security_level':
+ value => 'may';
+ 'smtpd_tls_eecdh_grade':
+ value => 'ultra'
+ }
+
+ # Setup DH parameters
+ # Instead of using the dh parameters that are created by leap cli, it is more
+ # secure to generate new parameter files that will only be used for postfix,
+ # for each machine
+
+ include site_config::packages::gnutls
+
+ # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+ # parameters Neither Postfix nor OpenSSL actually care about the size of the
+ # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits
+
+ exec { 'certtool-postfix-gendh':
+ command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem',
+ user => root,
+ group => root,
+ creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => [ Package['gnutls-bin'], Package['postfix'] ]
+ }
+
+ # Make sure the dh params file has correct ownership and mode
+ file {
+ '/etc/postfix/smtpd_tls_dh_param.pem':
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Exec['certtool-postfix-gendh'];
+ }
+
+ postfix::config { 'smtpd_tls_dh1024_param_file':
+ value => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => File['/etc/postfix/smtpd_tls_dh_param.pem']
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
deleted file mode 100644
index 08978efd..00000000
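Review bot: The smtpd side of the TLS configuration carries no protocol or cipher exclusions, while the client side that this commit removes from tls.pp sets `smtp_tls_exclude_ciphers => 'aNULL, MD5, DES'` and `smtp_tls_protocols => '!SSLv2, !SSLv3'` (issue #4011); with `smtpd_tls_security_level => 'may'` the opportunistic server defaults apply, so the parallel settings `'smtpd_tls_protocols': value => '!SSLv2, !SSLv3';` and `'smtpd_tls_exclude_ciphers': value => 'aNULL, MD5, DES';` belong in the postfix::config block next to `smtpd_tls_eecdh_grade`. This gap is carried over from tls.pp rather than introduced by the rename, but the split is the natural point to fix it. Separately, the comment `# Note, the file name is called dh_1024.pem` is stale: the file written is `/etc/postfix/smtpd_tls_dh_param.pem`, and it is the parameter name `smtpd_tls_dh1024_param_file` that suggests 1024 bits, so the comment should say so.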
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ /dev/null
@@ -1,78 +0,0 @@
-class site_postfix::mx::tls {
-
- include x509::variables
- $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
- $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-
-
- postfix::config {
- 'smtpd_use_tls': value => 'yes';
- 'smtpd_tls_CAfile': value => $ca_path;
- 'smtpd_tls_cert_file': value => $cert_path;
- 'smtpd_tls_key_file': value => $key_path;
- 'smtpd_tls_ask_ccert': value => 'yes';
- 'smtpd_tls_security_level':
- value => 'may';
- 'smtpd_tls_eecdh_grade':
- value => 'ultra'
- }
-
- # Setup DH parameters
- # Instead of using the dh parameters that are created by leap cli, it is more
- # secure to generate new parameter files that will only be used for postfix,
- # for each machine
-
- include site_config::packages::gnutls
-
- # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
- # parameters Neither Postfix nor OpenSSL actually care about the size of the
- # prime in "smtpd_tls_dh1024_param_file".
You can make it 2048 bits
-
- exec { 'certtool-postfix-gendh':
- command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem',
- user => root,
- group => root,
- creates => '/etc/postfix/smtpd_tls_dh_param.pem',
- require => [ Package['gnutls-bin'], Package['postfix'] ]
- }
-
- # Make sure the dh params file has correct ownership and mode
- file {
- '/etc/postfix/smtpd_tls_dh_param.pem':
- owner => root,
- group => root,
- mode => '0600',
- require => Exec['certtool-postfix-gendh'];
- }
-
- postfix::config { 'smtpd_tls_dh1024_param_file':
- value => '/etc/postfix/smtpd_tls_dh_param.pem',
- require => File['/etc/postfix/smtpd_tls_dh_param.pem']
- }
-
-}
- # smtp TLS
- postfix::config {
- 'smtp_use_tls': value => 'yes';
- 'smtp_tls_CApath': value => '/etc/ssl/certs/';
- 'smtp_tls_CAfile': value => $ca_path;
- 'smtp_tls_cert_file': value => $cert_path;
- 'smtp_tls_key_file': value => $key_path;
- 'smtp_tls_ask_ccert': value => 'yes';
- 'smtp_tls_loglevel': value => '1';
- 'smtp_tls_exclude_ciphers':
- value => 'aNULL, MD5, DES';
- # upstream default is md5 (since 2.5 and older used it), we force sha1
- 'smtp_tls_fingerprint_digest':
- value => 'sha1';
- 'smtp_tls_session_cache_database':
- value => 'btree:${queue_directory}/smtp_cache';
- 'smtp_tls_security_level':
- value => 'may';
- # see issue #4011
- 'smtp_tls_protocols':
- value => '!SSLv2, !SSLv3';
- }
-
-
-- cgit v1.2.3
From 9531b13447ff204a00a138a137818054603fe1c9 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 12:58:22 -0500
Subject: add a smtp_tls class and include that on both mx servers and satellites
Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728
---
 puppet/modules/site_postfix/manifests/mx.pp | 3 ++-
 .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++
 puppet/modules/site_postfix/manifests/satellite.pp | 3 +++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 59d3030d..441252f2 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -32,7 +32,8 @@ class site_postfix::mx {
 include site_postfix::mx::smtpd_checks
 include site_postfix::mx::checks
- include site_postfix::mx::tls
+ include site_postfix::mx::smtp_tls
+ include site_postfix::mx::smtpd_tls
 include site_postfix::mx::reserved_aliases
 # greater verbosity for debugging, take out for production
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
new file mode 100644
index 00000000..4b9c2fd9
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -0,0 +1,29 @@
+class site_postfix::mx::smtp_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ # smtp TLS
+ postfix::config {
+ 'smtp_use_tls': value => 'yes';
+ 'smtp_tls_CApath': value => '/etc/ssl/certs/';
+ 'smtp_tls_CAfile': value => $ca_path;
+ 'smtp_tls_cert_file': value => $cert_path;
+ 'smtp_tls_key_file': value => $key_path;
+ 'smtp_tls_loglevel': value => '1';
+ 'smtp_tls_exclude_ciphers':
+ value => 'aNULL, MD5, DES';
+ # upstream default is md5 (since 2.5 and older used it), we force sha1
+ 'smtp_tls_fingerprint_digest':
+ value => 'sha1';
+ 'smtp_tls_session_cache_database':
+ value => 'btree:${queue_directory}/smtp_cache';
+ 'smtp_tls_security_level':
+ value => 'may';
+ # see issue #4011
+ 'smtp_tls_protocols':
+ value => '!SSLv2, !SSLv3';
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index de20b667..7be51b22 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -3,9 +3,12 @@ class site_postfix::satellite {
 $root_mail_recipient = hiera ('contacts')
 $mail = hiera ('mail')
 $relayhost = $mail['smarthost']
+ $cert_name = hiera('name')
 class { '::postfix::satellite':
 relayhost => $relayhost,
 root_mail_recipient => $root_mail_recipient
 }
+
+ include site_postfix::mx::smtp_tls
 }
-- cgit v1.2.3
From 66ad58f2bc3b285bd17d5e61a21afece11d2c293 Mon Sep 17 00:00:00 2001
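Review bot: `$cert_name = hiera('name')` added to site_postfix::satellite is not read by anything in this hunk, and the class it then includes, site_postfix::mx::smtp_tls, builds its paths from `site_config::params::cert_name` rather than from a class-local `$cert_name`; unless something outside the diff consumes it, the assignment is dead and should either be dropped or explained with a comment such as `# consumed by site_config::params — verify`. If it is a leftover from an earlier draft, removing it keeps the certificate-name lookup in one place.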
From: Micah Anderson
Date: Thu, 19 Dec 2013 14:22:43 -0500
Subject: Fix the location of the smtp/smtpd_tls_session_cache_database (#4813)
Change-Id: I959fa40ff508bbeaf7baa0b6ba90c10c9e6b0ef7
---
 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 2 +-
 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 4b9c2fd9..3cc7ea72 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -19,7 +19,7 @@ class site_postfix::mx::smtp_tls {
 'smtp_tls_fingerprint_digest':
 value => 'sha1';
 'smtp_tls_session_cache_database':
- value => 'btree:${queue_directory}/smtp_cache';
+ value => 'btree:${data_directory}/smtp_cache';
 'smtp_tls_security_level':
 value => 'may';
 # see issue #4011
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
index 5714218c..0809c75f 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
@@ -15,7 +15,9 @@ class site_postfix::mx::smtpd_tls {
 'smtpd_tls_security_level':
 value => 'may';
 'smtpd_tls_eecdh_grade':
- value => 'ultra'
+ value => 'ultra';
+ 'smtpd_tls_session_cache_database':
+ value => 'btree:${data_directory}/smtpd_scache';
 }
 # Setup DH parameters
-- cgit v1.2.3
From 5f7f2cd3a61aafb1afc81b74b3ef03afe3a64221 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 19 Dec 2013 16:03:45 -0500
Subject: Set mynetworks to include any mx server in the provider to allow them to Helo as the domain (#4495)
Change-Id: I6c8ac28faceb8b0c6129a606ede04837efd3d261
---
 puppet/modules/site_postfix/manifests/mx.pp | 3 +++
 1 file changed, 3 insertions(+)
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 441252f2..de89c26e 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -4,6 +4,7 @@ class site_postfix::mx {
 $domain = $domain_hash['full_suffix']
 $host_domain = $domain_hash['full']
 $cert_name = hiera('name')
+ $mynetworks = join(hiera('mx_nodes'), ' ')
 $root_mail_recipient = hiera ('contacts')
 $postfix_smtp_listen = 'all'
@@ -14,6 +15,8 @@ class site_postfix::mx {
 include site_config::x509::client_ca::key
 postfix::config {
+ 'mynetworks':
+ value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}";
 'mydestination':
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
 'myhostname':
-- cgit v1.2.3
From b45d265a08884a65e7100e34067a0d8c390da8f0 Mon Sep 17 00:00:00 2001
From: kwadronaut
Date: Mon, 24 Mar 2014 08:07:18 +0100
Subject: fixes #5360 adds admin@ as reserved address + linting
---
 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
index aea66f78..83e27376 100644
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
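Review bot: `[fe80::]/64` in the new `mynetworks` value trusts every host on the same IPv6 link, not only the mx nodes the commit describes, and mynetworks is what `permit_mynetworks` consults in `smtps_helo_restrictions` and `smtpd_sender_restrictions` (smtpd_checks.pp), so on a shared cloud segment neighbouring hosts would skip the helo and sender checks. Unless the MX hosts sit on a dedicated link, drop the link-local prefix or document the reason inline, e.g. `# fe80::/64 trusts the whole local link; only appropriate on an isolated segment`. The `join(hiera('mx_nodes'), ' ')` line in the first hunk also assumes the hiera array holds IP addresses or CIDR prefixes, since Postfix does not resolve hostnames in mynetworks; the same assumption carries over when the key becomes `mynetworks` in the later hunk on this page.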
@@ -1,11 +1,13 @@
+# Defines which mail addresses shouldn't be available and where they should fwd
 class site_postfix::mx::reserved_aliases {
 postfix::mailalias {
- [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin',
- 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www',
- 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games',
- 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp',
- 'ftp' ]:
+ [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
+ 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
+ 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
+ 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
+ 'www-data',
+ ]:
 ensure => present,
 recipient => 'root'
 }
-- cgit v1.2.3
From 1906f13a7df02522bcd83a3c25101555870b5279 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 1 Apr 2014 15:28:54 -0400
Subject: Include all the ips that are allowed to send mail through the relay in the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343)
Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
---
 puppet/modules/site_postfix/manifests/mx.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index de89c26e..a37c7af9 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
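Review bot: The reworked list reads as alphabetically sorted but is not quite: `'arin-admin'` precedes `'administrator'`, `'cron'` precedes `'certmaster'`, and `'games'` precedes `'ftp'`, which defeats the purpose of sorting, namely spotting a duplicate or a missing role address at a glance. Since the commit is labelled as linting, a strictly ordered list, starting `[ 'abuse', 'admin', 'administrator', 'arin-admin', 'bin', 'certmaster', 'cron',`, would match the intent. Nothing from the old list is dropped, so the change is otherwise safe.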
@@ -4,7 +4,7 @@ class site_postfix::mx {
 $domain = $domain_hash['full_suffix']
 $host_domain = $domain_hash['full']
 $cert_name = hiera('name')
- $mynetworks = join(hiera('mx_nodes'), ' ')
+ $mynetworks = join(hiera('mynetworks'), ' ')
 $root_mail_recipient = hiera ('contacts')
 $postfix_smtp_listen = 'all'
-- cgit v1.2.3
From b12c315edef56515321306a692d0f2098f4e8ee0 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 2 Apr 2014 12:38:28 -0400
Subject: Fix for satellite hosts that are unable to contact their relayhost because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite). Fixes #5225
Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
---
 puppet/modules/site_postfix/manifests/satellite.pp | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index 7be51b22..f5d5c7b7 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -10,5 +10,29 @@ class site_postfix::satellite {
 root_mail_recipient => $root_mail_recipient
 }
+ # There are special conditions for satellite hosts that will make them not be
+ # able to contact their relayhost:
+ #
+ # 1. they are on openstack/amazon/PC and are on the same cluster as the relay
+ # host, the MX lookup for the relay host will use the public IP, which cannot
+ # be contacted
+ #
+ # 2. When a domain is used that is not in DNS, because it is internal,
+ # a testing domain, etc. eg. a .local domain cannot be looked up in DNS
+ #
+ # to resolve this, so the satellite can contact the relayhost, we need to set
+ # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native'
+ # which will cause the lookup to use the native naming service
+ # (nsswitch.conf), which typically defaults to 'files, dns' allowing the
+ # /etc/hosts to be consulted first, then DNS if the entry doesn't exist.
+ #
+ # NOTE: this will make it not possible to enable DANE support through DNSSEC
+ # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but
+ # this parameter is not available until 2.11. If this ends up being important
+ # we could also make this an optional parameter for providers without
+ # dns / local domains
+
+ postfix::config { 'smtp_host_lookup': value => 'native'; }
+
 include site_postfix::mx::smtp_tls
 }
-- cgit v1.2.3
From 1551f785c5c7c515781995928eec7659365d8988 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 2 Apr 2014 15:35:01 -0400
Subject: Force satellite hosts that only speak to relayhost to have a smtp_tls_security_level of 'encrypt', so it is not optional (#1902)
Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16
---
 puppet/modules/site_postfix/manifests/mx.pp | 4 ++++
 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 2 --
 puppet/modules/site_postfix/manifests/satellite.pp | 11 ++++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)
 (limited to 'puppet/modules/site_postfix')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index a37c7af9..bdfee665 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -31,6 +31,10 @@ class site_postfix::mx {
 value => 'vmail';
 'smtpd_tls_received_header':
 value => 'yes';
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the satellites need to have a different value
+ 'smtp_tls_security_level':
+ value => 'may';
 }
 include site_postfix::mx::smtpd_checks
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 3cc7ea72..d9b59f40 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls {
 value => 'sha1';
 'smtp_tls_session_cache_database':
 value => 'btree:${data_directory}/smtp_cache';
- 'smtp_tls_security_level':
- value => 'may';
 # see issue #4011
 'smtp_tls_protocols':
 value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index f5d5c7b7..5725e6b8 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -32,7 +32,16 @@ class site_postfix::satellite {
 # we could also make this an optional parameter for providers without
 # dns / local domains
- postfix::config { 'smtp_host_lookup': value => 'native'; }
+ postfix::config {
+ 'smtp_host_lookup':
+ value => 'native';
+
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the mx server has to have a different value
+ 'smtp_tls_security_level':
+ value => 'encrypt';
+ }
 include site_postfix::mx::smtp_tls
+
 }
-- cgit v1.2.3
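Review bot: Raising satellites to `smtp_tls_security_level => 'encrypt'` moves them onto Postfix's mandatory-TLS settings, where `smtp_tls_mandatory_protocols` and `smtp_tls_mandatory_ciphers` govern instead of the `smtp_tls_protocols => '!SSLv2, !SSLv3'` kept in smtp_tls.pp (issue #4011), so the SSLv3 exclusion stops applying to exactly the hosts this commit hardens; adding `'smtp_tls_mandatory_protocols': value => '!SSLv2, !SSLv3';` beside the new setting closes that gap (`smtp_tls_exclude_ciphers` still applies at every level). Note also that `encrypt` mandates encryption but performs no certificate verification, so an impersonated relayhost is not detected; if the relayhost presents a certificate issued by the CA that smtp_tls.pp loads via `$ca_path`, `verify` or `secure` would authenticate it as well. Presumably `encrypt` was chosen because of the name-lookup caveats in the comment above this hunk, which is worth saying in the `# Note:` comment.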