From 8684aa38ece3271a0eb0f8a1751f6c3297025afa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 28 Jul 2015 14:35:40 -0400 Subject: Support RBL blocking of incoming mail (#5923) Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 49692d24..af0f9f56 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,7 @@ class site_postfix::mx { $host_domain = $domain_hash['full'] $cert_name = hiera('name') $mynetworks = join(hiera('mynetworks'), ' ') + $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',') $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ec40277..1c3e5c92 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => 'permit_mynetworks,permit'; + value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': -- cgit v1.2.3 From b5fbda1ca3832043e1636ee964a806ff222cb05f Mon Sep 17 00:00:00 2001 
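Review bot: In the smtpd_checks.pp hunk the RBL rejects are interpolated in front of `permit_mynetworks`, so hosts in mynetworks are DNSBL-checked before they are whitelisted and a listed trusted relay is rejected (and every trusted client costs a DNS round-trip). The conventional order is `value => "permit_mynetworks,${site_postfix::mx::rbls}permit";`. The `$rbls` line in mx.pp also appears to rely on Puppet 3 string interpolation concatenating array elements with no separator, which only yields valid syntax because each element already carries the `,` suffix — worth a one-line comment there, since a later `join()` rewrite would otherwise double the commas. If zen.spamhaus.org is the default list (the commit message says so, the value itself is not in this hunk), consider pinning the listing codes, e.g. `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]`: Spamhaus signals error conditions such as open-resolver or over-quota queries with 127.255.255.x answers, and a bare `reject_rbl_client` treats any A record as a listing and would then reject all inbound mail. The enclosing class body continues outside both hunks.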
From: elijah Date: Fri, 21 Aug 2015 17:13:34 -0700 Subject: add support for configurable mail alias maps --- puppet/modules/site_postfix/manifests/mx.pp | 3 +- .../site_postfix/manifests/mx/reserved_aliases.pp | 15 ------ .../site_postfix/manifests/mx/static_aliases.pp | 58 ++++++++++++++++++++++ .../site_postfix/templates/custom-aliases.erb | 11 ++++ 4 files changed, 71 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/static_aliases.pp create mode 100644 puppet/modules/site_postfix/templates/custom-aliases.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index af0f9f56..334d04d0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -51,7 +51,7 @@ class site_postfix::mx { include site_postfix::mx::checks include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls - include site_postfix::mx::reserved_aliases + include site_postfix::mx::static_aliases # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -68,6 +68,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + default_alias_maps => false, mastercf_tail => "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp deleted file mode 100644 index 83e27376..00000000 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ /dev/null 
@@ -1,15 +0,0 @@ -# Defines which mail addresses shouldn't be available and where they should fwd -class site_postfix::mx::reserved_aliases { - - postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: - ensure => present, - recipient => 'root' - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp new file mode 100644 index 00000000..786d74c1 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
@@ -0,0 +1,58 @@ +# +# Defines static, hard coded aliases that are not in the database. +# + +class site_postfix::mx::static_aliases { + + $mx = hiera('mx') + $aliases = $mx['aliases'] + + # + # Predefined aliases. + # + # Defines which mail addresses shouldn't be available and where they should + # fwd + # + # TODO: reconcile this with the node property webapp.forbidden_usernames + # + # NOTE: if you remove one of these, they will still appear in the + # /etc/aliases file + # + postfix::mailalias { + [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', + 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', + 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', + 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', + 'www-data', + ]: + ensure => present, + recipient => 'root' + } + + # + # Custom aliases. + # + # This does not use the puppet mailalias resource because we want to be able + # to guarantee the contents of the alias file. This is needed so if you + # remove an alias from the node's config, it will get removed from the alias + # file. + # + + # both alias files must be listed under "alias_database", because once you + # specify one, then `newaliases` no longer will default to updating + # "/etc/aliases.db". + postfix::config { + 'alias_database': + value => "/etc/aliases, /etc/postfix/custom-aliases"; + 'alias_maps': + value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + } + + file { '/etc/postfix/custom-aliases': + content => template('site_postfix/custom-aliases.erb'), + owner => root, + group => root, + mode => 0600, + notify => Exec['newaliases'] + } +} diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb new file mode 100644 index 00000000..f261514b --- /dev/null +++ b/puppet/modules/site_postfix/templates/custom-aliases.erb 
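Review bot: `$aliases = $mx['aliases']` has no default, so a node whose `mx` property carries no `aliases` key hands undef to the template, which presumably calls `@aliases.keys` and aborts catalog compilation for the whole MX. Something like `$aliases = pick($mx['aliases'], {})` (stdlib `pick`, if the version in use has it — the file already depends on stdlib `prefix`/`suffix`) keeps an alias-less node deployable. The "NOTE: if you remove one of these, they will still appear in the /etc/aliases file" comment describes a real hazard for a reserved-name list — a name dropped from the list stays deliverable to root — so either manage removals with `ensure => absent` or say in the comment that a manual `/etc/aliases` cleanup plus `newaliases` is required.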
@@ -0,0 +1,11 @@ +# +# This file is managed by puppet. +# +# This is a map of custom, non-standard aliases. The contents of this file +# are derived from the node property `mx.aliases`. +# + +<%- @aliases.keys.sort.each do |from| -%> +"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>" +<%- end -%> + -- cgit v1.2.3 From ffd340e7b014bc9f35fb6f9365230d483650cc1d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Sep 2015 13:03:01 -0400 Subject: rewrite openpgp header to be always correct (#7413) The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac --- puppet/modules/site_postfix/manifests/mx.pp | 6 +++++- .../site_postfix/manifests/mx/rewrite_openpgp_header.pp | 11 +++++++++++ .../templates/checks/rewrite_openpgp_headers.erb | 13 +++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp create mode 100644 puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..2b311e06 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -52,6 +52,7 @@ class site_postfix::mx { include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases + include site_postfix::mx::rewrite_openpgp_header # greater verbosity for debugging, take out for production #include site_postfix::debug 
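Review bot: In the custom-aliases.erb hunk the alias names and targets from the node's `mx.aliases` property are written into the quoted `"key": "value"` form without any escaping, so a `"` inside a name or target breaks the entry and an embedded newline or `:` injects a second map entry; unless leap_cli validates these values upstream (not visible here), a simple guard such as `<%- raise "bad alias #{from}" unless from =~ /\A[^"\s:]+\z/ -%>` before the line, or a `gsub('"', '\"')` on both sides, keeps a typo in the config from silently rewriting where mail for a reserved address goes. The `[@aliases[from]].flatten` idiom for scalar-or-array targets is fine but deserves a comment, since it is the only reason single-target entries work.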
@@ -74,7 +75,10 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o cleanup_service_name=clean_smtps +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp new file mode 100644 index 00000000..71f945b8 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp @@ -0,0 +1,11 @@ +class site_postfix::mx::rewrite_openpgp_header { + $mx = hiera('mx') + $correct_domain = $mx['key_lookup_domain'] + + file { '/etc/postfix/checks/rewrite_openpgp_headers': + content => template('site_postfix/checks/rewrite_openpgp_headers.erb'), + mode => '0644', + owner => root, + group => root; + } +} diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb new file mode 100644 index 00000000..7af14f7d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb 
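Review bot: In the rewrite_openpgp_header.pp hunk `$correct_domain = $mx['key_lookup_domain']` has no default, and a node without that property would make the REPLACE action in the generated header_checks file rewrite every OpenPGP header to `url="https:///key/..."`, i.e. break a working header rather than fix a wrong one. Guard it, e.g. `$correct_domain = pick($mx['key_lookup_domain'], $site_postfix::mx::domain)` (stdlib `pick`, if available), or skip writing the file when it is empty. Also worth a comment on the `clean_smtps` master.cf entry: the `-o header_checks=` override replaces any main.cf `header_checks` for the submission service only, which is the intended scope (inbound mail keeps its headers), but a reader of master.cf alone cannot tell that. The class body continues outside this hunk.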
@@ -0,0 +1,13 @@ +# THIS FILE IS MANAGED BY PUPPET +# +# This will replace the OpenPGP header that the client adds, because it is +# sometimes incorrect (due to the client not always knowing what the proper URL +# is for the webapp). +# e.g. This will rewrite this header: +# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt +# with this replacement: +# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt +# +# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap: +# "record is in "key: value" format; is this an alias file?" and "duplicate entry" +/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2} -- cgit v1.2.3 From d113bf1b2cd3cb6a94fbe20aa711bf9b9b93286f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 9 Sep 2015 09:36:59 -0400 Subject: Fix clients being blocked by RBLs (#7431) Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL. Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful. Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..bff3e291 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp 
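Review bot: In the rewrite_openpgp_headers.erb hunk `<%= @domain %>` is interpolated straight into a PCRE pattern, so the dots in the domain match any character; `<%= Regexp.escape(@domain) %>` costs nothing and keeps a hostname such as `leap-se.example` from matching `leap.se`. The username part `[[:alpha:]]+` only matches letters, so headers for users whose names contain digits, `_` or `-` (if the webapp allows them — not visible here) are silently left with the wrong URL; `[^"\/]+` would cover any localpart while still stopping at the closing quote. Note too that `${1}` / `${2}` in the REPLACE text and the `/i` flag are correct PCRE-table usage, but the replacement domain is not escaped either, which is harmless for a hostname but worth a comment.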
+++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -74,7 +74,8 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o smtpd_client_restrictions=", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From 0e13876bd54009bf81e7cab2abcca392ca06e32d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 10 Sep 2015 16:04:59 -0400 Subject: Make sure hiera values have valid defaults if they are not specified (#7443) Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bff3e291..bc65e370 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -7,8 +7,8 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') - $mynetworks = join(hiera('mynetworks'), ' ') - $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',') + $mynetworks = join(hiera('mynetworks', ''), ' ') + $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',') $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' -- cgit v1.2.3 From 702bf139f407d60e7c297ceb67fc6c30fead1e61 Mon Sep 17 00:00:00 2001 
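Review bot: In the hiera-defaults hunk `$mynetworks = join(hiera('mynetworks', ''), ' ')` introduces a new failure instead of removing one: puppetlabs-stdlib's `join()` raises "join(): Requires array to work with" for anything that is not an Array, so a node without `mynetworks` now fails at that line rather than at the hiera lookup. The default must be an empty array, `$mynetworks = join(hiera('mynetworks', []), ' ')`, matching the `[]` used for `rbls` on the next line. The class body continues outside this hunk.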
From: elijah Date: Fri, 11 Sep 2015 10:34:56 -0700 Subject: switch aliases to use virtual_alias_maps --- puppet/modules/site_postfix/manifests/mx.pp | 9 ++++-- .../site_postfix/manifests/mx/static_aliases.pp | 32 ++++++++-------------- .../site_postfix/templates/custom-aliases.erb | 11 -------- .../site_postfix/templates/virtual-aliases.erb | 22 +++++++++++++++ 4 files changed, 40 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_postfix/templates/custom-aliases.erb create mode 100644 puppet/modules/site_postfix/templates/virtual-aliases.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bff3e291..14c8634e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -21,16 +21,20 @@ class site_postfix::mx { postfix::config { 'mynetworks': value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}"; + # Note: mydestination should not include @domain, because this is + # used in virtual alias maps. 'mydestination': - value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + value => "\$myorigin, localhost, localhost.\$mydomain"; 'myhostname': value => $host_domain; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; + # Note: virtual-aliases map will take precedence over leap_mx + # lookup (tcp:localhost) 'virtual_alias_maps': - value => 'tcp:localhost:4242'; + value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'smtpd_tls_received_header': @@ -68,7 +72,6 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - default_alias_maps => false, mastercf_tail => "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes 
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index 786d74c1..d81e05b3 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -30,29 +30,21 @@ class site_postfix::mx::static_aliases { } # - # Custom aliases. - # - # This does not use the puppet mailalias resource because we want to be able - # to guarantee the contents of the alias file. This is needed so if you - # remove an alias from the node's config, it will get removed from the alias - # file. - # - - # both alias files must be listed under "alias_database", because once you - # specify one, then `newaliases` no longer will default to updating - # "/etc/aliases.db". - postfix::config { - 'alias_database': - value => "/etc/aliases, /etc/postfix/custom-aliases"; - 'alias_maps': - value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + # Custom static virtual aliases. + # + exec { 'postmap_virtual_aliases': + command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', + refreshonly => true, + user => root, + group => root, + require => Package['postfix'], + subscribe => File['/etc/postfix/virtual-aliases'] } - - file { '/etc/postfix/custom-aliases': - content => template('site_postfix/custom-aliases.erb'), + file { '/etc/postfix/virtual-aliases': + content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, mode => 0600, - notify => Exec['newaliases'] + require => Package['postfix'] } } diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb deleted file mode 100644 index f261514b..00000000 --- a/puppet/modules/site_postfix/templates/custom-aliases.erb +++ /dev/null 
@@ -1,11 +0,0 @@ -# -# This file is managed by puppet. -# -# This is a map of custom, non-standard aliases. The contents of this file -# are derived from the node property `mx.aliases`. -# - -<%- @aliases.keys.sort.each do |from| -%> -"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>" -<%- end -%> - diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb new file mode 100644 index 00000000..c474e734 --- /dev/null +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb @@ -0,0 +1,22 @@ +# +# This file is managed by puppet. +# +# This is a map of custom, non-standard aliases. The contents of this file +# are derived from the node property `mx.aliases`. +# + +# +# enable these virtual domains: +# +<%= @domain %> enabled +<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%> +<%= virt_domain %> enabled +<%- end %> + +# +# virtual aliases: +# +<%- @aliases.keys.sort.each do |from| -%> +<%- full_address = from =~ /@/ ? from : from + "@" + @domain -%> +<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %> +<%- end -%> -- cgit v1.2.3 From 36fea3b7f448f50d500c0ec1a30b8c745b6f8c4c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 10:54:24 -0400 Subject: minor linting Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54 --- puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index d81e05b3..e9118470 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
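Review bot: In the virtual-aliases.erb hunk every domain found in an `mx.aliases` key is written as `<%= virt_domain %> enabled`, which makes Postfix treat that domain as a virtual alias domain (virtual_alias_domains defaults to the alias map), i.e. the MX starts accepting mail for any domain an admin types into an alias key, including a typo or someone else's domain, and forwards it to the targets; if those are external addresses the host becomes a forwarding relay for that domain. Unless leap_cli restricts the keys (not visible here), validate the domain part against an explicit allow-list, or only emit `enabled` lines for `@domain` and document in the template header that foreign domains are intentionally supported. Values are also emitted without escaping, so whitespace or a newline in a target splits the line into extra map entries.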
@@ -44,7 +44,7 @@ class site_postfix::mx::static_aliases { content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, - mode => 0600, + mode => '0600', require => Package['postfix'] } } -- cgit v1.2.3 From afd8867ba953513c6e08f957e3099f0ff3b1a3a2 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 24 Sep 2015 13:29:15 -0700 Subject: allow certain aliases, like 'abuse', to be publicly forwardable. --- .../site_postfix/manifests/mx/static_aliases.pp | 68 +++++++++++++++++----- .../site_postfix/templates/virtual-aliases.erb | 3 +- 2 files changed, 54 insertions(+), 17 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index e9118470..71c0555a 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
@@ -1,37 +1,75 @@ # # Defines static, hard coded aliases that are not in the database. +# These aliases take precedence over the database aliases. +# +# There are three classes of reserved names: +# +# (1) forbidden_usernames: +# Some usernames are forbidden and cannot be registered. +# this is defined in node property webapp.forbidden_usernames +# This is enforced by the webapp. +# +# (2) public aliases: +# Some aliases for root, and are publicly exposed so that anyone +# can deliver mail to them. For example, postmaster. +# These are implemented in the virtual alias map, which takes +# precedence over the local alias map. +# +# (3) local aliases: +# Some aliases are only available locally: mail can be delivered +# to the alias if the mail originates from the local host, or is +# hostname qualified, but otherwise it will be rejected. +# These are implemented in the local alias map. +# +# The alias for local 'root' is defined elsewhere. In this file, we +# define the virtual 'root@domain' (which can be overwritten by +# defining an entry for root in node property mx.aliases). # class site_postfix::mx::static_aliases { $mx = hiera('mx') - $aliases = $mx['aliases'] + $root_recipients = hiera('contacts') # - # Predefined aliases. 
- # - # Defines which mail addresses shouldn't be available and where they should - # fwd - # - # TODO: reconcile this with the node property webapp.forbidden_usernames + # LOCAL ALIASES # + # NOTE: if you remove one of these, they will still appear in the # /etc/aliases file - # + $local_aliases = [ + 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', + 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', + 'usenet', 'uucp', 'www', 'www-data' + ] + postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: + $local_aliases: ensure => present, recipient => 'root' } # - # Custom static virtual aliases. + # PUBLIC ALIASES # + + $public_aliases = $mx['aliases'] + + $default_public_aliases = { + 'root' => $root_recipients, + 'abuse' => 'postmaster', + 'arin-admin' => 'root', + 'certmaster' => 'hostmaster', + 'domainadmin' => 'hostmaster', + 'hostmaster' => 'root', + 'mailer-daemon' => 'postmaster', + 'postmaster' => 'root', + 'security' => 'root', + 'webmaster' => 'hostmaster', + } + + $aliases = merge($default_public_aliases, $public_aliases) + exec { 'postmap_virtual_aliases': command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', refreshonly => true, diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb index c474e734..8373de97 100644 --- a/puppet/modules/site_postfix/templates/virtual-aliases.erb +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb 
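Review bot: In the static_aliases.pp hunk the names moved from the local list to `$default_public_aliases` (`abuse`, `postmaster`, `hostmaster`, `security`, `webmaster`, ...) keep their old `root` entries in `/etc/aliases` on already-deployed nodes, as the surviving NOTE comment admits; since the virtual map now takes precedence that is harmless, but the leftovers are confusing when debugging delivery, so consider `postfix::mailalias { ['abuse', 'arin-admin', 'certmaster', 'domainadmin', 'hostmaster', 'postmaster', 'security', 'webmaster']: ensure => absent }` for one release. The new public `root => $root_recipients` entry makes `root@domain` reachable from the internet and forwards to whatever `hiera('contacts')` holds, which may be external mailboxes; that is the expected posture for postmaster/abuse (RFC 2142), but a comment stating that these addresses are intentionally internet-reachable and may attract spam would save the next maintainer from "hardening" it back to local-only. The `merge($default_public_aliases, $public_aliases)` call presumably tolerates an undefined `$mx['aliases']` only because stdlib's merge skips empty strings — worth saying so on that line.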
@@ -1,8 +1,7 @@ # # This file is managed by puppet. # -# This is a map of custom, non-standard aliases. The contents of this file -# are derived from the node property `mx.aliases`. +# These virtual aliases take precedence over all other aliases. # # -- cgit v1.2.3 From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- puppet/modules/site_postfix/manifests/mx.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 42313d1a..f0a2554a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,6 +49,10 @@ class site_postfix::mx { # alias map 'local_recipient_maps': value => '$alias_maps'; + 'smtpd_milters': + value => 'unix:/run/clamav/milter.ctl'; + 'milter_default_action': + value => 'accept'; } include site_postfix::mx::smtpd_checks @@ -57,6 +61,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header + include clamav # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3 From e97a9d3800b173375a630e18e4b1aa0894eb96e1 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 20 Oct 2015 17:14:21 -0400 Subject: Add basic DKIM support, this requires changes in leap_cli detailed in issue #5924 Change-Id: I6aa1e7751633407d441cbc6436d8426d37dbbfa7 --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index f0a2554a..edaa506f 100644 
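Review bot: In the clamav hunk `milter_default_action => accept` makes the scanner fail open: when the clamav-milter socket is unavailable Postfix accepts and delivers mail unscanned, silently. That may be the deliberate availability trade-off for an MX, but it should be stated on the line (`# fail open: availability over scanning; use 'tempfail' to defer mail while clamav is down`), and the choice interacts with the DKIM milter added to the same list in the following commit. Only `smtpd_milters` is set, so mail injected locally through sendmail/pickup (cron, webapp notifications) is presumably not scanned unless `non_smtpd_milters` is configured elsewhere — not visible here.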
--- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -50,7 +50,7 @@ class site_postfix::mx { 'local_recipient_maps': value => '$alias_maps'; 'smtpd_milters': - value => 'unix:/run/clamav/milter.ctl'; + value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; 'milter_default_action': value => 'accept'; } -- cgit v1.2.3 From ed1ff6fa01bf110fc338b7116fdf577aa88a8d46 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 27 Oct 2015 15:27:24 -0400 Subject: Add initial rate-limiting for outgoing SMTP, using postfwd (#5972) Change-Id: I6a6e68908b71d7499eb3ef3c7f0173b3d5b7baa2 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index edaa506f..71d61621 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -62,6 +62,7 @@ class site_postfix::mx { include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header include clamav + include postfwd # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3 From d3501d3e81a4a31248829a59ae68a15da4034bf8 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 9 Nov 2015 10:21:54 +0100 Subject: [deprec] use @ in front of erb template tags Puppet 3 shows now deprecation warnings if the "@" is missing. see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n] --- puppet/modules/site_postfix/templates/checks/helo_access.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb index bef3c11d..bac2c45a 100644 
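Review bot: In the DKIM hunk opendkim is appended to `smtpd_milters` under the existing `milter_default_action => accept`, so if the opendkim socket is down outbound mail leaves unsigned rather than being deferred; once a DMARC policy is published for the domain, recipients will then reject exactly the mail that would otherwise have been signed, which is a quieter failure than a queue backlog. A separate comment on this line, or `tempfail` for the signing path, is worth considering. Because only `smtpd_milters` is set, locally submitted mail (pickup/sendmail) is presumably not signed unless `non_smtpd_milters` is configured elsewhere — not visible in this hunk. The class body continues outside the hunk.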
--- a/puppet/modules/site_postfix/templates/checks/helo_access.erb +++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb @@ -18,4 +18,4 @@ # Reject anybody that HELO's as being in our own domain(s) # anyone who identifies themselves as us is a virus/spammer -<%= domain %> 554 You are not in domain <%= domain %> +<%= @domain %> 554 You are not in domain <%= @domain %> -- cgit v1.2.3 From fc9f820d0cd363e127859af23e20b61eed71dc1e Mon Sep 17 00:00:00 2001 
From: Micah Date: Tue, 24 Nov 2015 15:11:47 -0500 Subject: stop delivering non-existing local user mail to leap-mx (#5431) When mail comes in to the system, a lookup is done to see if it is a valid leap user, if it is, leap_mx now returns something of the form: uuid@deliver.local (see #5959). The virtual_mailbox_domains lists deliver.local, so postfix choses to deliver to virtual_mailbox_base (/var/mail/vmail) which has been hardcoded to the 'vmail' maildir and user. We want leap related mail and leap aliases to go through the virtual alias system, all the hard-coded universal aliases we want to go through the local system and we dont want these separate. Known domains that are considered 'virtual' will be forwarded or delivered to the vmail user, the rest rejected as unknown recipient, instead of being handed off to leap-mx. Previously, the way this was done is we leaned (too heavily) on the 'luser_relay' postfix configuration which sent anything that wasn't locally configured right to the leap_mx spool. That meant everything went there, including addresses that didn't exist, and leap-mx would then have to process those and bounce them. This removes the 'luser_relay' option, so any address that doesn't resolve properly to either a local address/alias, or a leap address or alias (through tcp lookups on 2424 and 4242) will get bounced as an unknown user. Change-Id: I3c22e9383861b3794dd9adfd7aa6a0cf0a773a18 --- puppet/modules/site_postfix/manifests/mx.pp | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 71d61621..de317205 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -30,13 +30,25 @@ class site_postfix::mx { 'mailbox_size_limit': value => '0'; 'home_mailbox': - value => 'Maildir/'; + value => ''; + 'virtual_mailbox_domains': + value => 'deliver.local'; + 'virtual_mailbox_base': + value => '/var/mail/vmail'; + 'virtual_mailbox_maps': + value => 'static:Maildir/'; # Note: virtual-aliases map will take precedence over leap_mx # lookup (tcp:localhost) 'virtual_alias_maps': value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': - value => 'vmail'; + value => ''; + # uid and gid are set to an arbitrary hard-coded value here, this + # must match the 'vmail' user block below + 'virtual_uid_maps': + value => 'static:42424'; + 'virtual_gid_maps': + value => 'static:42424'; 'smtpd_tls_received_header': value => 'yes'; # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls @@ -67,11 +79,19 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug + # Make the 'vmail' user for leap-mx. This user is where all legitimate, + # non-system mail is delivered so leap-mx can process it. Previously, we let + # the system pick a uid/gid, but we need to know what they are set to in order + # to set the virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a + # fact just for this, so instead we pick arbitrary numbers that seem unlikely + # to be used and then use them in the postfix configuration user { 'vmail': ensure => present, comment => 'Leap Mailspool', home => '/var/mail/vmail', shell => '/bin/false', + uid => '42424', + gid => '42424', managehome => true, } -- cgit v1.2.3 From 375527b1629597e35a6aeeef6c248a8b085abd87 Mon Sep 17 00:00:00 2001 
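Review bot: In this hunk `virtual_mailbox_domains => 'deliver.local'` combined with `virtual_mailbox_maps => 'static:Maildir/'` means Postfix will accept any `anything@deliver.local` recipient at SMTP time and drop it into the shared vmail Maildir, so an external sender who addresses `foo@deliver.local` directly bypasses the tcp:4242 user lookup that is supposed to produce those addresses; unless the smtpd/smtps recipient restrictions (not visible here) already reject that domain from non-local clients, add a `check_recipient_access` entry rejecting `deliver.local` ahead of the virtual checks, or at least document in the comment that leap-mx must itself reject unknown uuids. Separately, the new `user { 'vmail': ... gid => '42424' }` declares no matching `group` resource; unless one exists elsewhere, useradd fails with a non-existent group, so pair it with `group { 'vmail': gid => '42424' }` and hoist the repeated literal into a single `$vmail_id` variable used by the user and the `virtual_uid_maps`/`virtual_gid_maps` values. The class body continues outside this hunk.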
From: Micah Date: Tue, 24 Nov 2015 16:03:13 -0500 Subject: Switch from 'vmail' to leap-mx's user/group (#6936, #7639) This change will make sure that the user/group for leap-mx exist, and it changes the mail location from /var/mail/vmail to the more helpful name /var/mail/leap-mx. This change requires: https://github.com/leapcode/leap_mx/pull/78 and it would replace merge request: https://github.com/leapcode/leap_mx/pull/65 and fix https://leap.se/code/issues/6936 and https://leap.se/code/issues/7635 Change-Id: Idbe678dc999e394232c2eeef2b2018d39ab7cc3b --- puppet/modules/site_postfix/manifests/mx.pp | 24 ++++-------------------- 1 file changed, 4 insertions(+), 20 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index de317205..7ec60d49 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -34,17 +34,17 @@ class site_postfix::mx { 'virtual_mailbox_domains': value => 'deliver.local'; 'virtual_mailbox_base': - value => '/var/mail/vmail'; + value => '/var/mail/leap-mx'; 'virtual_mailbox_maps': value => 'static:Maildir/'; - # Note: virtual-aliases map will take precedence over leap_mx + # Note: virtual-aliases map will take precedence over leap-mx # lookup (tcp:localhost) 'virtual_alias_maps': value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': value => ''; # uid and gid are set to an arbitrary hard-coded value here, this - # must match the 'vmail' user block below + # must match the 'leap-mx' user/group 'virtual_uid_maps': value => 'static:42424'; 'virtual_gid_maps': 
@@ -79,22 +79,6 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug - # Make the 'vmail' user for leap-mx. This user is where all legitimate, - # non-system mail is delivered so leap-mx can process it. Previously, we let - # the system pick a uid/gid, but we need to know what they are set to in order - # to set the virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a - # fact just for this, so instead we pick arbitrary numbers that seem unlikely - # to be used and then use them in the postfix configuration - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - uid => '42424', - gid => '42424', - managehome => true, - } - class { 'postfix': preseed => true, root_mail_recipient => $root_mail_recipient, @@ -114,6 +98,6 @@ clean_smtps unix n - n - 0 cleanup Class['Site_config::X509::Cert'], Class['Site_config::X509::Client_ca::Key'], Class['Site_config::X509::Client_ca::Ca'], - User['vmail'] ] + User['leap-mx'] ] } } -- cgit v1.2.3 From 7d5b9461958cdb795990459cd0dad29a36e59fdd Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 8 Dec 2015 14:17:11 -0500 Subject: Use client cert fingerprint lookup to determine if the user is allowed to relay mail through us (#3634) Change-Id: I46cf3ffbef4261839c376f4c36a50d9c44eb1374 --- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++++ puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 +++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7ec60d49..75378480 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -51,6 +51,12 @@ class site_postfix::mx { value => 'static:42424'; 'smtpd_tls_received_header': value => 'yes'; + # the following is needed for matching user's client cert fingerprints to + # enable relaying (#3634) + 'smtpd_tls_fingerprint_digest': + value => 'sha1'; + 'relay_clientcerts': + value => 'tcp:localhost:2424'; # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls # because the satellites need to have a different value 'smtp_tls_security_level': diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 1c3e5c92..f2bd571b 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
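Review bot: `smtpd_tls_fingerprint_digest` is set to `sha1` for the table that decides who may relay (`relay_clientcerts = tcp:localhost:2424`), so relay authorization now hinges on a SHA-1 certificate fingerprint. Postfix accepts `sha256` here; unless the leap-mx lookup service on 2424 can only answer SHA-1 fingerprints, prefer `'smtpd_tls_fingerprint_digest': value => 'sha256';` and keep the digest identical on both sides. Also note that a `tcp:` table is an unauthenticated localhost socket, so whatever can bind or answer on 2424 controls relay policy; a comment stating that only leap-mx is expected to listen there would make the trust assumption explicit. The `postfix::config` block continues past this hunk.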
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks { value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts - # with a lookup on $relay_clientcerts! Right now we are listing the only - # valid CA that client certificates can use in the $smtp_tls_CAfile parameter - # but we cannot cut off a certificate that should no longer be used unless - # we use permit_tls_clientcerts with the $relay_clientcerts lookup + + # permit_tls_clientcerts will lookup client cert fingerprints from the tcp + # lookup on port 2424 (based on what is configured in relay_clientcerts + # paramter, see site_postfix::mx postfix::config resource) to determine + # if a client is allowed to relay mail through us. This enables us to + # disable a user by removing their valid client cert (#3634) 'smtps_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': -- cgit v1.2.3 From 5d0562cfa4d381c4819e88bb6eb825a84083693b Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 17 Dec 2015 15:51:21 -0500 Subject: Make sure values that might get set incorrectly, due to preseed or debconf selections, are set correctly (#7478) Change-Id: I3bd261fd6fe27bbf10b8994ffff9f8b7be5b9de0 --- puppet/modules/site_postfix/manifests/mx.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules/site_postfix') 
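Review bot: The new comment has a typo (`paramter` should be `parameter`) and would be more useful if it stated the failure mode a reader will ask about: with a `tcp:` table Postfix treats a lookup error (the daemon on 2424 being down) as a temporary failure and defers the client rather than permitting it, so an outage blocks relaying instead of opening it. Suggested addition: `# a lookup failure on port 2424 defers (4xx) the client; it never permits`. `permit_tls_clientcerts` also only matches certificates that were requested (`smtpd_tls_ask_ccert = yes`, set in site_postfix::mx::smtpd_tls rather than here) and that verify against the configured CA, which is worth mentioning since that is what the removed comment was about.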
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 75378480..d456baf3 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -71,6 +71,15 @@ class site_postfix::mx { value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; 'milter_default_action': value => 'accept'; + # Make sure that the right values are set, these could be set to different + # things on install, depending on preseed or debconf options + # selected (see #7478) + 'relay_transport': + value => 'relay'; + 'default_transport': + value => 'smtp'; + 'mailbox_command': + value => ''; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From ab536804b671b55d1bec2a03fd0ba1b15d887f66 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 19 Jan 2016 13:24:00 -0500 Subject: Make sure machines in mynetworks are able to send mail through us, without getting blocked by the rbl (#7819) Change-Id: Ib7a00f810b6c49528e5f99a1d83296553a81e65e --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index f2bd571b..0ea452ee 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; + value => "permit_mynetworks,${site_postfix::mx::rbls},permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': -- cgit v1.2.3 From d87a8787908fb1c82901d9611a971c9bed0a3907 Mon Sep 17 00:00:00 2001 
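Review bot: `"permit_mynetworks,${site_postfix::mx::rbls},permit"` yields a doubled comma, because `$rbls` is built with `suffix(..., ',')` (see `$rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',')` in a later mx.pp hunk) so every element already ends in a comma, and with no RBLs configured the value becomes `permit_mynetworks,,permit`. Postfix tolerates empty list elements, so this works, but it hides mistakes; either drop the extra comma here (`"permit_mynetworks,${site_postfix::mx::rbls}permit"`) or build the list once with `join()` in mx.pp and interpolate a plain string. Interpolating an array also relies on Puppet joining elements with spaces, which is another implicit step a comment should name. The reordering itself (mynetworks before the RBL checks) is the right fix for #7819.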
From: Micah Date: Tue, 19 Jan 2016 12:01:34 -0500 Subject: Make sure the certs are installed for all smtp tls clients, thus ensuring the satellite hosts are setup properly (#7611) Change-Id: I9dce57c305a6fd6a39596a941174fe1879af5e4f --- puppet/modules/site_postfix/manifests/mx.pp | 7 +++---- puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 4 ++++ puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 2 ++ 3 files changed, 9 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d456baf3..cd493807 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,10 +49,9 @@ class site_postfix::mx { value => 'static:42424'; 'virtual_gid_maps': value => 'static:42424'; - 'smtpd_tls_received_header': - value => 'yes'; - # the following is needed for matching user's client cert fingerprints to - # enable relaying (#3634) + # the two following configs are needed for matching user's client cert + # fingerprints to enable relaying (#3634). Satellites do not have + # these configured. 'smtpd_tls_fingerprint_digest': value => 'sha1'; 'relay_clientcerts': diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index d56f6b54..4eb80dd6 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp 
@@ -2,10 +2,14 @@ class site_postfix::mx::smtp_tls { include site_config::x509::ca include x509::variables + $cert_name = hiera('name') $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + include site_config::x509::cert + include site_config::x509::key + # smtp TLS postfix::config { 'smtp_use_tls': value => 'yes'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 0809c75f..9fed3874 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -12,6 +12,8 @@ class site_postfix::mx::smtpd_tls { 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_ask_ccert': value => 'yes'; + 'smtpd_tls_received_header': + value => 'yes'; 'smtpd_tls_security_level': value => 'may'; 'smtpd_tls_eecdh_grade': -- cgit v1.2.3 From 49c8a0c2a5ff413430b4bf7cc90f39f28c936b3e Mon Sep 17 00:00:00 2001 
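Review bot: `$cert_name = hiera('name')` is added to `site_postfix::mx::smtp_tls` but nothing in the hunk uses it; `$cert_path` and `$key_path` are still built from `site_config::params::cert_name`. Unless it is consumed further down in the class (outside this hunk), drop the line, so there is a single source of truth for which certificate satellites present. The `include site_config::x509::cert` and `include site_config::x509::key` additions are the actual fix for #7611 and look correct. The class body continues past the hunk.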
From: varac Date: Tue, 2 Feb 2016 14:41:17 +0100 Subject: [bug] Add smtpd_relay_restrictions to postfix conf smtpd_relay_restrictions was added in postfix 2.10 (jessie has 2.11 atm). Without this, outbound mails are rejected to be relayed. from http://www.postfix.org/SMTPD_ACCESS_README.html: NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. They combined the mail relay and spam blocking policies, under smtpd_recipient_restrictions. This could lead to unexpected results. For example, a permissive spam blocking policy could unexpectedly result in a permissive mail relay policy. An example of this is documented under "Dangerous use of smtpd_recipient_restrictions". smtpd_relay_restrictions defaults to 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination' and is configured here to check for a valid client cert. see http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions - Resolves: #7856 --- puppet/modules/site_postfix/manifests/mx.pp | 29 +++++++++++++++------- .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++ 2 files changed, 24 insertions(+), 9 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index cd493807..02b9fbdd 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -93,20 +93,31 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug - class { 'postfix': - preseed => true, - root_mail_recipient => $root_mail_recipient, - smtp_listen => 'all', - mastercf_tail => - "smtps inet n - - - - smtpd + case $::operatingsystemrelease { + /^7.*/: { + $smtpd_relay_restrictions='' + } + default: { + $smtpd_relay_restrictions=" -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n" + } + } + + $mastercf_tail = " +smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions +${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -o smtpd_helo_restrictions=\$smtps_helo_restrictions -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps -clean_smtps unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + + class { 'postfix': + preseed => true, + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all', + mastercf_tail => $mastercf_tail, require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ea452ee..291d7ee4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,3 +1,5 @@ +# smtpd checks for incoming mail on smtp port 25 and +# mail sent via the bitmask client using smtps port 465 class site_postfix::mx::smtpd_checks { postfix::config { 
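Review bot: `case $::operatingsystemrelease { /^7.*/: ... }` keys on the release number alone, so any non-Debian host whose release string starts with 7 would also silently omit `smtpd_relay_restrictions` and fall back to Postfix's default relay policy instead of the client-cert one. If this platform is Debian-only, say so; otherwise gate on `$::operatingsystem` as well, or better on the installed Postfix version with `versioncmp`. A comment such as `# wheezy ships postfix 2.9, which predates smtpd_relay_restrictions (2.10)` would also explain the magic `7`. The enclosing `class site_postfix::mx` begins before this hunk.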
@@ -23,6 +25,8 @@ class site_postfix::mx::smtpd_checks { # disable a user by removing their valid client cert (#3634) 'smtps_recipient_restrictions': value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'smtps_relay_restrictions': + value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination'; 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': -- cgit v1.2.3 From 461c682cccef760248d6c24d93c6ae47dd14fd22 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 2 Feb 2016 15:50:13 -0500 Subject: fix postfix Received anonymizing header regexp to properly match Client CN entries (#7867) Change-Id: Ie33277a62e90f9dc0602bb963dbb96a61cebed1d --- puppet/modules/site_postfix/files/checks/received_anon | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon index 2822973e..9de25e63 100644 --- a/puppet/modules/site_postfix/files/checks/received_anon +++ b/puppet/modules/site_postfix/files/checks/received_anon 
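Review bot: `smtps_relay_restrictions` ends in `defer_unauth_destination`, but smtps is the client submission service, where a client that fails `permit_tls_clientcerts` should receive a permanent 5xx rather than a 4xx that makes it retry; the adjacent `smtps_recipient_restrictions` already uses `reject_unauth_destination`, and since Postfix evaluates relay restrictions first, the deferral wins. Suggest `value => 'permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination';`. `permit_mynetworks` on this port also lets any host in `mynetworks` relay without a client certificate, which is fine only if that list is limited to trusted infrastructure and should be stated in the comment.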
@@ -1,2 +1,2 @@ -/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([-._@[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8 -- cgit v1.2.3 From bd8b87f076db5e800de39e570a6b42976be40435 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Wed, 27 Jan 2016 12:22:53 +0100 Subject: add postscreen greeter (Resolves: 2303) --- puppet/modules/site_postfix/manifests/mx.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 02b9fbdd..59a02598 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -10,8 +10,9 @@ class site_postfix::mx { $mynetworks = join(hiera('mynetworks', ''), ' ') $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',') - $root_mail_recipient = hiera('contacts') - $postfix_smtp_listen = 'all' + $root_mail_recipient = hiera('contacts') + $postfix_smtp_listen = 'all' + $postfix_use_postscreen = 'yes' include site_config::x509::cert include site_config::x509::key 
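Review bot: The client-address part of the pattern, `\[[.[:digit:]]{7,15}\]`, still matches only dotted IPv4 literals, so a Received header for an IPv6 client (Postfix writes these as `[IPv6:2001:db8::1]`) does not match and that client's home address is left in the header, defeating the anonymisation this file exists for (#3866). Widening it to something like `\[(?:IPv6:)?[.:[:xdigit:]]{3,45}\]` covers both families; adding one IPv4 and one IPv6 sample header to the delivery tests would keep it that way. The change in this commit (allowing `-._@` in the Client CN) is otherwise correct.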
@@ -79,6 +80,10 @@ class site_postfix::mx { value => 'smtp'; 'mailbox_command': value => ''; + 'postscreen_access_list': + value => 'permit_mynetworks'; + 'postscreen_greet_action': + value => 'enforce'; } include site_postfix::mx::smtpd_checks @@ -118,6 +123,7 @@ clean_smtps unix n - n - 0 cleanup root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', mastercf_tail => $mastercf_tail, + use_postscreen => 'yes', require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From cee2702b9c66e7e303494822993f46986685d87a Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 9 Feb 2016 16:32:46 -0500 Subject: Due to the smtps transport specifying a header_check, the received_anon replacement wasn't being done. (#7890) This moves that replacement into its own class, clears the old value and sets it properly in the smtps transport. Change-Id: I27c02730597df4943761d8bcb61014aeded9dc75 --- puppet/modules/site_postfix/manifests/mx.pp | 21 ++++++++++++--------- puppet/modules/site_postfix/manifests/mx/checks.pp | 18 ------------------ .../site_postfix/manifests/mx/received_anon.pp | 13 +++++++++++++ 3 files changed, 25 insertions(+), 27 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/received_anon.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 02b9fbdd..c4ab1bba 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
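Review bot: `$postfix_use_postscreen = 'yes'` is introduced in the first hunk, but the class call in the last hunk passes the literal `use_postscreen => 'yes'` rather than the variable, so the two can drift; pass `use_postscreen => $postfix_use_postscreen,` or drop the variable. With postscreen now in front of port 25, the `reject_rbl_client` checks in `smtpd_client_restrictions` still run inside smtpd after the full handshake; moving them to `postscreen_dnsbl_sites` with `postscreen_dnsbl_action => 'enforce'` would reject listed clients before an smtpd process is spent on them. `postscreen_access_list = permit_mynetworks` is right, and it is presumably the `postfix` module that keeps postscreen off the smtps service, which is not visible here and worth confirming.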
@@ -79,16 +79,19 @@ class site_postfix::mx { value => 'smtp'; 'mailbox_command': value => ''; + 'header_checks': + value => ''; } - include site_postfix::mx::smtpd_checks - include site_postfix::mx::checks - include site_postfix::mx::smtp_tls - include site_postfix::mx::smtpd_tls - include site_postfix::mx::static_aliases - include site_postfix::mx::rewrite_openpgp_header - include clamav - include postfwd + include ::site_postfix::mx::smtpd_checks + include ::site_postfix::mx::checks + include ::site_postfix::mx::smtp_tls + include ::site_postfix::mx::smtpd_tls + include ::site_postfix::mx::static_aliases + include ::site_postfix::mx::rewrite_openpgp_header + include ::site_postfix::mx::received_anon + include ::clamav + include ::postfwd # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -111,7 +114,7 @@ ${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_r -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps clean_smtps unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers,pcre:/etc/postfix/checks/received_anon" class { 'postfix': preseed => true, diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 5d75a5e5..f406ad34 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp 
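Review bot: Clearing the global `header_checks` (`value => ''`) and attaching the received_anon map only to `clean_smtps` means the home-IP anonymisation now applies solely to mail that entered through the smtps service; anything else that lands a Bitmask client's IP in a Received header is no longer rewritten. If smtps is the only client-facing entry point that is the intended scope, but record it: `# received_anon applies only on the smtps cleanup service; port 25 is MTA-to-MTA and is not rewritten`. Since `header_checks` was previously set in `site_postfix::mx::checks`, the empty value here must also win over any default the `postfix` module ships, and that ordering is not visible in this hunk.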
@@ -20,22 +20,4 @@ class site_postfix::mx::checks { refreshonly => true, subscribe => File['/etc/postfix/checks/helo_checks']; } - - # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } - - file { '/etc/postfix/checks/received_anon': - source => 'puppet:///modules/site_postfix/checks/received_anon', - mode => '0644', - owner => root, - group => root, - notify => Service['postfix'] - } - - postfix::config { - 'header_checks': - value => 'pcre:/etc/postfix/checks/received_anon', - require => File['/etc/postfix/checks/received_anon']; - } - } diff --git a/puppet/modules/site_postfix/manifests/mx/received_anon.pp b/puppet/modules/site_postfix/manifests/mx/received_anon.pp new file mode 100644 index 00000000..51ba3faa --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/received_anon.pp @@ -0,0 +1,13 @@ +# Anonymize the user's home IP from the email headers (Feature #3866) +class site_postfix::mx::received_anon { + + package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } +} -- cgit v1.2.3 From cff07b7b3642c0d53e02cb0885f24250037b8d15 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 23 Feb 2016 14:15:17 -0500 Subject: Update opendkim platform pieces to match leap-cli. Change-Id: I9c8f9c9c3ee7cd89f013cbb08397377522ed5a4a --- puppet/modules/site_postfix/manifests/mx.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2ea54d0a..3230d4f0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -67,8 +67,12 @@ class site_postfix::mx { # alias map 'local_recipient_maps': value => '$alias_maps'; + # setup clamav and opendkim on smtpd 'smtpd_milters': - value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; + value => 'unix:/run/clamav/milter.ctl,inet:localhost:8891'; + # setup opendkim for smtp (non-smtpd) outgoing mail + 'non_smtpd_milters': + value => 'inet:localhost:8891'; 'milter_default_action': value => 'accept'; # Make sure that the right values are set, these could be set to different @@ -96,6 +100,7 @@ class site_postfix::mx { include ::site_postfix::mx::rewrite_openpgp_header include ::site_postfix::mx::received_anon include ::clamav + include ::opendkim include ::postfwd # greater verbosity for debugging, take out for production -- cgit v1.2.3 From f69f7ca97791945d0bbe61eda84e69a8ed460e04 Mon Sep 17 00:00:00 2001 From: Micah Date: Sun, 6 Mar 2016 09:23:34 -0500 Subject: Set MUA required ciphers, tighten up the mandatory protocols (#4232) Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 10 ++++++++++ puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 11 +++++++++++ 3 files changed, 22 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 3230d4f0..7837f415 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -119,6 +119,7 @@ class site_postfix::mx { smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt + -o tls_preempt_cipherlist=yes ${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -o smtpd_helo_restrictions=\$smtps_helo_restrictions -o smtpd_client_restrictions= 
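Review bot: Moving the opendkim milter to `inet:localhost:8891` (in `smtpd_milters` and the new `non_smtpd_milters`) exposes the signer to every local process: any unprivileged user on the host can speak the milter protocol to that port and, depending on opendkim's own trust settings, obtain valid DKIM signatures for arbitrary messages, which the previous filesystem socket's permission bits prevented. If the TCP socket is required, document why and confirm opendkim only signs for connections it expects; otherwise a unix socket reachable from the chroot is the safer choice. Combined with the existing `milter_default_action = accept`, an opendkim outage also sends outbound mail unsigned without any error, which deserves a comment on that line.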
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index 4eb80dd6..b27c0e3c 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls { # see issue #4011 'smtp_tls_protocols': value => '!SSLv2, !SSLv3'; + 'smtp_tls_mandatory_protocols': + value => '!SSLv2, !SSLv3'; + 'tls_ssl_options': + value => 'NO_COMPRESSION'; + # We can switch between the different postfix internal list of ciphers by + # using smtpd_tls_ciphers. For server-to-server connections we leave this + # at its default because of opportunistic encryption combined with many mail + # servers only support outdated protocols and ciphers and if we are too + # strict with required ciphers, then connections *will* fall-back to + # plain-text. Bad ciphers are still better than plain text transmission. } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 9fed3874..02a59942 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp 
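Review bot: The new comment in `site_postfix::mx::smtp_tls` says the cipher list can be changed with `smtpd_tls_ciphers`, but this class configures the SMTP client side, where the relevant knobs are `smtp_tls_ciphers` and `smtp_tls_mandatory_ciphers`; suggest `# ... by using smtp_tls_ciphers / smtp_tls_mandatory_ciphers. For server-to-server connections ...`. `tls_ssl_options = NO_COMPRESSION` is a global Postfix parameter that also governs smtpd, so either place it where a reader of smtpd_tls.pp will find it or mark it as global in a comment. Leaving TLSv1.0/1.1 enabled is the opportunistic-encryption trade-off the comment describes and is consistent with `smtp_tls_security_level = may`.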
@@ -20,6 +20,17 @@ class site_postfix::mx::smtpd_tls { value => 'ultra'; 'smtpd_tls_session_cache_database': value => 'btree:${data_directory}/smtpd_scache'; + # see issue #4011 + 'smtpd_tls_mandatory_protocols': + value => '!SSLv2, !SSLv3'; + 'smtpd_tls_protocols': + value => '!SSLv2, !SSLv3'; + # For connections to MUAs, TLS is mandatory and the ciphersuite is modified. + # MX and SMTP client configuration + 'smtpd_tls_mandatory_ciphers': + value => 'high'; + 'tls_high_cipherlist': + value => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; } # Setup DH parameters -- cgit v1.2.3 From eac3056c237d523f4786593922fe8f88eb65dff7 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 29 Mar 2016 13:27:01 -0700 Subject: testing: adds mx delivery tests --- puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index 71c0555a..9cd7ca02 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
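Review bot: `tls_high_cipherlist` contains `!PSK!aECDH` with no `:` between the two exclusions; OpenSSL's rule parser appears to recover from it, but it reads as a typo and should be `!PSK:!aECDH` so the intent is unambiguous. The list also adds `DES-CBC3-SHA` and the `AES:CAMELLIA` catch-alls and then strips 3DES again with `!DES:!3DES`, so those entries are dead weight; trimming to the ECDHE/DHE AES-GCM and AES-CBC suites plus the `!` exclusions would make the policy auditable. Note this parameter is global, so it also defines what `high` means for the SMTP client's mandatory ciphers, and the stray comment line `# MX and SMTP client configuration` should say that rather than sit unattached.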
@@ -40,7 +40,7 @@ class site_postfix::mx::static_aliases { $local_aliases = [ 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', - 'usenet', 'uucp', 'www', 'www-data' + 'usenet', 'uucp', 'www', 'www-data', 'leap-mx' ] postfix::mailalias { -- cgit v1.2.3 From 15b83d88dcedab496a19cef57f11c5c8e091dd4a Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Apr 2016 09:30:44 -0400 Subject: Fix postfix connection to opendkim milter (#8020) In order for postfix to access the opendkim milter socket, we need to remove the chroot option for the cleanup service. See e97a9d3800b173375a630e18e4b1aa0894eb96e1 for opendkim implementation. Change-Id: I2742650965e61273fb804ebe9ce3f9bd38796582 --- puppet/modules/site_postfix/manifests/mx.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7837f415..c269946b 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -92,6 +92,15 @@ class site_postfix::mx { value => 'enforce'; } + # Make sure that the cleanup serivce is not chrooted, otherwise it cannot + # access the opendkim milter socket (#8020) + exec { 'unset_cleanup_chroot': + command => '/usr/sbin/postconf -F "cleanup/unix/chroot=n"', + onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -q ^n', + notify => Service['postfix'], + require => File['/etc/postfix/master.cf'] + } + include ::site_postfix::mx::smtpd_checks include ::site_postfix::mx::checks include ::site_postfix::mx::smtp_tls -- cgit v1.2.3 From f2f2c7391056c252523730cd76ab759db9117c9c Mon Sep 17 00:00:00 2001 
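Review bot: The `onlyif` on `exec { 'unset_cleanup_chroot': ... }` looks inverted: `postconf -h -F "cleanup/unix/chroot" | egrep -q ^n` succeeds only when the field is already `n`, so the exec never runs on a fresh install (where the field is `-`, i.e. chrooted) and, once it is `n`, runs on every Puppet run and restarts Postfix each time via `notify`. Change it to `unless => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -q ^n',` so the fix applies exactly when needed and is idempotent. Taking cleanup out of the chroot also widens what a compromised cleanup process can reach, so the comment should say that this was preferred over exposing the milter socket inside the chroot.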
From: varac Date: Mon, 25 Apr 2016 13:21:48 -0300 Subject: [style] lint further more - ignore puppet lint error about inheriting from different namespace --- puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 3 ++- puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index b27c0e3c..c93c3ba2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -1,3 +1,4 @@ +# configure smtp tls class site_postfix::mx::smtp_tls { include site_config::x509::ca @@ -24,7 +25,7 @@ class site_postfix::mx::smtp_tls { 'smtp_tls_fingerprint_digest': value => 'sha1'; 'smtp_tls_session_cache_database': - value => 'btree:${data_directory}/smtp_cache'; + value => "btree:\${data_directory}/smtp_cache"; # see issue #4011 'smtp_tls_protocols': value => '!SSLv2, !SSLv3'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 02a59942..66297f55 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -1,3 +1,4 @@ +# configure smtpd tls class site_postfix::mx::smtpd_tls { include x509::variables @@ -19,7 +20,7 @@ class site_postfix::mx::smtpd_tls { 'smtpd_tls_eecdh_grade': value => 'ultra'; 'smtpd_tls_session_cache_database': - value => 'btree:${data_directory}/smtpd_scache'; + value => "btree:\${data_directory}/smtpd_scache"; # see issue #4011 'smtpd_tls_mandatory_protocols': value => '!SSLv2, !SSLv3'; -- cgit v1.2.3