From 8684aa38ece3271a0eb0f8a1751f6c3297025afa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 28 Jul 2015 14:35:40 -0400 Subject: Support RBL blocking of incoming mail (#5923) Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 49692d24..af0f9f56 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,7 @@ class site_postfix::mx { $host_domain = $domain_hash['full'] $cert_name = hiera('name') $mynetworks = join(hiera('mynetworks'), ' ') + $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',') $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ec40277..1c3e5c92 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => 'permit_mynetworks,permit'; + value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': -- cgit v1.2.3 From b5fbda1ca3832043e1636ee964a806ff222cb05f Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 21 Aug 2015 17:13:34 -0700 Subject: add support for configurable mail alias maps --- puppet/modules/site_postfix/manifests/mx.pp | 3 +- .../site_postfix/manifests/mx/reserved_aliases.pp | 15 ------ .../site_postfix/manifests/mx/static_aliases.pp | 58 ++++++++++++++++++++++ .../site_postfix/templates/custom-aliases.erb | 11 ++++ 4 files changed, 71 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/static_aliases.pp create mode 100644 puppet/modules/site_postfix/templates/custom-aliases.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index af0f9f56..334d04d0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -51,7 +51,7 @@ class site_postfix::mx { include site_postfix::mx::checks include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls - include site_postfix::mx::reserved_aliases + include site_postfix::mx::static_aliases # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -68,6 +68,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + default_alias_maps => false, mastercf_tail => "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp deleted file mode 100644 index 83e27376..00000000 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ /dev/null @@ -1,15 +0,0 @@ -# Defines which mail addresses shouldn't be available and where they should fwd -class site_postfix::mx::reserved_aliases { - - postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: - ensure => present, - recipient => 'root' - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp new file mode 100644 index 00000000..786d74c1 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -0,0 +1,58 @@ +# +# Defines static, hard coded aliases that are not in the database. +# + +class site_postfix::mx::static_aliases { + + $mx = hiera('mx') + $aliases = $mx['aliases'] + + # + # Predefined aliases. + # + # Defines which mail addresses shouldn't be available and where they should + # fwd + # + # TODO: reconcile this with the node property webapp.forbidden_usernames + # + # NOTE: if you remove one of these, they will still appear in the + # /etc/aliases file + # + postfix::mailalias { + [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', + 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', + 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', + 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', + 'www-data', + ]: + ensure => present, + recipient => 'root' + } + + # + # Custom aliases. + # + # This does not use the puppet mailalias resource because we want to be able + # to guarantee the contents of the alias file. This is needed so if you + # remove an alias from the node's config, it will get removed from the alias + # file. + # + + # both alias files must be listed under "alias_database", because once you + # specify one, then `newaliases` no longer will default to updating + # "/etc/aliases.db". + postfix::config { + 'alias_database': + value => "/etc/aliases, /etc/postfix/custom-aliases"; + 'alias_maps': + value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + } + + file { '/etc/postfix/custom-aliases': + content => template('site_postfix/custom-aliases.erb'), + owner => root, + group => root, + mode => 0600, + notify => Exec['newaliases'] + } +} diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb new file mode 100644 index 00000000..f261514b --- /dev/null +++ b/puppet/modules/site_postfix/templates/custom-aliases.erb @@ -0,0 +1,11 @@ +# +# This file is managed by puppet. +# +# This is a map of custom, non-standard aliases. The contents of this file +# are derived from the node property `mx.aliases`. +# + +<%- @aliases.keys.sort.each do |from| -%> +"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>" +<%- end -%> + -- cgit v1.2.3 From ffd340e7b014bc9f35fb6f9365230d483650cc1d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Sep 2015 13:03:01 -0400 Subject: rewrite openpgp header to be always correct (#7413) The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac --- puppet/modules/site_postfix/manifests/mx.pp | 6 +++++- .../site_postfix/manifests/mx/rewrite_openpgp_header.pp | 11 +++++++++++ .../templates/checks/rewrite_openpgp_headers.erb | 13 +++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp create mode 100644 puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..2b311e06 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -52,6 +52,7 @@ class site_postfix::mx { include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases + include site_postfix::mx::rewrite_openpgp_header # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -74,7 +75,10 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o cleanup_service_name=clean_smtps +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp new file mode 100644 index 00000000..71f945b8 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp @@ -0,0 +1,11 @@ +class site_postfix::mx::rewrite_openpgp_header { + $mx = hiera('mx') + $correct_domain = $mx['key_lookup_domain'] + + file { '/etc/postfix/checks/rewrite_openpgp_headers': + content => template('site_postfix/checks/rewrite_openpgp_headers.erb'), + mode => '0644', + owner => root, + group => root; + } +} diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb new file mode 100644 index 00000000..7af14f7d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb @@ -0,0 +1,13 @@ +# THIS FILE IS MANAGED BY PUPPET +# +# This will replace the OpenPGP header that the client adds, because it is +# sometimes incorrect (due to the client not always knowing what the proper URL +# is for the webapp). +# e.g. This will rewrite this header: +# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt +# with this replacement: +# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt +# +# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap: +# "record is in "key: value" format; is this an alias file?" and "duplicate entry" +/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2} -- cgit v1.2.3 From d113bf1b2cd3cb6a94fbe20aa711bf9b9b93286f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 9 Sep 2015 09:36:59 -0400 Subject: Fix clients being blocked by RBLs (#7431) Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL. Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful. Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..bff3e291 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -74,7 +74,8 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o smtpd_client_restrictions=", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From 0e13876bd54009bf81e7cab2abcca392ca06e32d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 10 Sep 2015 16:04:59 -0400 Subject: Make sure hiera values have valid defaults if they are not specified (#7443) Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bff3e291..bc65e370 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -7,8 +7,8 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') - $mynetworks = join(hiera('mynetworks'), ' ') - $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',') + $mynetworks = join(hiera('mynetworks', ''), ' ') + $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',') $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' -- cgit v1.2.3 From 702bf139f407d60e7c297ceb67fc6c30fead1e61 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 11 Sep 2015 10:34:56 -0700 Subject: switch aliases to use virtual_alias_maps --- puppet/modules/site_postfix/manifests/mx.pp | 9 ++++-- .../site_postfix/manifests/mx/static_aliases.pp | 32 ++++++++-------------- .../site_postfix/templates/custom-aliases.erb | 11 -------- .../site_postfix/templates/virtual-aliases.erb | 22 +++++++++++++++ 4 files changed, 40 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_postfix/templates/custom-aliases.erb create mode 100644 puppet/modules/site_postfix/templates/virtual-aliases.erb (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bff3e291..14c8634e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -21,16 +21,20 @@ class site_postfix::mx { postfix::config { 'mynetworks': value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}"; + # Note: mydestination should not include @domain, because this is + # used in virtual alias maps. 'mydestination': - value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + value => "\$myorigin, localhost, localhost.\$mydomain"; 'myhostname': value => $host_domain; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; + # Note: virtual-aliases map will take precedence over leap_mx + # lookup (tcp:localhost) 'virtual_alias_maps': - value => 'tcp:localhost:4242'; + value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'smtpd_tls_received_header': @@ -68,7 +72,6 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - default_alias_maps => false, mastercf_tail => "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index 786d74c1..d81e05b3 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -30,29 +30,21 @@ class site_postfix::mx::static_aliases { } # - # Custom aliases. - # - # This does not use the puppet mailalias resource because we want to be able - # to guarantee the contents of the alias file. This is needed so if you - # remove an alias from the node's config, it will get removed from the alias - # file. - # - - # both alias files must be listed under "alias_database", because once you - # specify one, then `newaliases` no longer will default to updating - # "/etc/aliases.db". - postfix::config { - 'alias_database': - value => "/etc/aliases, /etc/postfix/custom-aliases"; - 'alias_maps': - value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + # Custom static virtual aliases. + # + exec { 'postmap_virtual_aliases': + command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', + refreshonly => true, + user => root, + group => root, + require => Package['postfix'], + subscribe => File['/etc/postfix/virtual-aliases'] } - - file { '/etc/postfix/custom-aliases': - content => template('site_postfix/custom-aliases.erb'), + file { '/etc/postfix/virtual-aliases': + content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, mode => 0600, - notify => Exec['newaliases'] + require => Package['postfix'] } } diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb deleted file mode 100644 index f261514b..00000000 --- a/puppet/modules/site_postfix/templates/custom-aliases.erb +++ /dev/null @@ -1,11 +0,0 @@ -# -# This file is managed by puppet. -# -# This is a map of custom, non-standard aliases. The contents of this file -# are derived from the node property `mx.aliases`. -# - -<%- @aliases.keys.sort.each do |from| -%> -"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>" -<%- end -%> - diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb new file mode 100644 index 00000000..c474e734 --- /dev/null +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb @@ -0,0 +1,22 @@ +# +# This file is managed by puppet. +# +# This is a map of custom, non-standard aliases. The contents of this file +# are derived from the node property `mx.aliases`. +# + +# +# enable these virtual domains: +# +<%= @domain %> enabled +<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%> +<%= virt_domain %> enabled +<%- end %> + +# +# virtual aliases: +# +<%- @aliases.keys.sort.each do |from| -%> +<%- full_address = from =~ /@/ ? from : from + "@" + @domain -%> +<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %> +<%- end -%> -- cgit v1.2.3 From 36fea3b7f448f50d500c0ec1a30b8c745b6f8c4c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 10:54:24 -0400 Subject: minor linting Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54 --- puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index d81e05b3..e9118470 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -44,7 +44,7 @@ class site_postfix::mx::static_aliases { content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, - mode => 0600, + mode => '0600', require => Package['postfix'] } } -- cgit v1.2.3 From afd8867ba953513c6e08f957e3099f0ff3b1a3a2 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 24 Sep 2015 13:29:15 -0700 Subject: allow certain aliases, like 'abuse', to be publicly forwardable. --- .../site_postfix/manifests/mx/static_aliases.pp | 68 +++++++++++++++++----- .../site_postfix/templates/virtual-aliases.erb | 3 +- 2 files changed, 54 insertions(+), 17 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index e9118470..71c0555a 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -1,37 +1,75 @@ # # Defines static, hard coded aliases that are not in the database. +# These aliases take precedence over the database aliases. +# +# There are three classes of reserved names: +# +# (1) forbidden_usernames: +# Some usernames are forbidden and cannot be registered. +# this is defined in node property webapp.forbidden_usernames +# This is enforced by the webapp. +# +# (2) public aliases: +# Some aliases for root, and are publicly exposed so that anyone +# can deliver mail to them. For example, postmaster. +# These are implemented in the virtual alias map, which takes +# precedence over the local alias map. +# +# (3) local aliases: +# Some aliases are only available locally: mail can be delivered +# to the alias if the mail originates from the local host, or is +# hostname qualified, but otherwise it will be rejected. +# These are implemented in the local alias map. +# +# The alias for local 'root' is defined elsewhere. In this file, we +# define the virtual 'root@domain' (which can be overwritten by +# defining an entry for root in node property mx.aliases). # class site_postfix::mx::static_aliases { $mx = hiera('mx') - $aliases = $mx['aliases'] + $root_recipients = hiera('contacts') # - # Predefined aliases. - # - # Defines which mail addresses shouldn't be available and where they should - # fwd - # - # TODO: reconcile this with the node property webapp.forbidden_usernames + # LOCAL ALIASES # + # NOTE: if you remove one of these, they will still appear in the # /etc/aliases file - # + $local_aliases = [ + 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', + 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', + 'usenet', 'uucp', 'www', 'www-data' + ] + postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: + $local_aliases: ensure => present, recipient => 'root' } # - # Custom static virtual aliases. + # PUBLIC ALIASES # + + $public_aliases = $mx['aliases'] + + $default_public_aliases = { + 'root' => $root_recipients, + 'abuse' => 'postmaster', + 'arin-admin' => 'root', + 'certmaster' => 'hostmaster', + 'domainadmin' => 'hostmaster', + 'hostmaster' => 'root', + 'mailer-daemon' => 'postmaster', + 'postmaster' => 'root', + 'security' => 'root', + 'webmaster' => 'hostmaster', + } + + $aliases = merge($default_public_aliases, $public_aliases) + exec { 'postmap_virtual_aliases': command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', refreshonly => true, diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb index c474e734..8373de97 100644 --- a/puppet/modules/site_postfix/templates/virtual-aliases.erb +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb @@ -1,8 +1,7 @@ # # This file is managed by puppet. # -# This is a map of custom, non-standard aliases. The contents of this file -# are derived from the node property `mx.aliases`. +# These virtual aliases take precedence over all other aliases. # # -- cgit v1.2.3 From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- puppet/modules/site_postfix/manifests/mx.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 42313d1a..f0a2554a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,6 +49,10 @@ class site_postfix::mx { # alias map 'local_recipient_maps': value => '$alias_maps'; + 'smtpd_milters': + value => 'unix:/run/clamav/milter.ctl'; + 'milter_default_action': + value => 'accept'; } include site_postfix::mx::smtpd_checks @@ -57,6 +61,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header + include clamav # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3 From e97a9d3800b173375a630e18e4b1aa0894eb96e1 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 20 Oct 2015 17:14:21 -0400 Subject: Add basic DKIM support, this requires changes in leap_cli detailed in issue #5924 Change-Id: I6aa1e7751633407d441cbc6436d8426d37dbbfa7 --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index f0a2554a..edaa506f 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -50,7 +50,7 @@ class site_postfix::mx { 'local_recipient_maps': value => '$alias_maps'; 'smtpd_milters': - value => 'unix:/run/clamav/milter.ctl'; + value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; 'milter_default_action': value => 'accept'; } -- cgit v1.2.3 From ed1ff6fa01bf110fc338b7116fdf577aa88a8d46 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 27 Oct 2015 15:27:24 -0400 Subject: Add initial rate-limiting for outgoing SMTP, using postfwd (#5972) Change-Id: I6a6e68908b71d7499eb3ef3c7f0173b3d5b7baa2 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index edaa506f..71d61621 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -62,6 +62,7 @@ class site_postfix::mx { include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header include clamav + include postfwd # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3