From 9531b13447ff204a00a138a137818054603fe1c9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:58:22 -0500 Subject: add a smtp_tls class and include that on both mx servers and satellites Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/satellite.pp | 3 +++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 59d3030d..441252f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,7 +32,8 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::mx::checks - include site_postfix::mx::tls + include site_postfix::mx::smtp_tls + include site_postfix::mx::smtpd_tls include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp new file mode 100644 index 00000000..4b9c2fd9 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -0,0 +1,29 @@ +class site_postfix::mx::smtp_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; + } +} diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index de20b667..7be51b22 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -3,9 +3,12 @@ class site_postfix::satellite { $root_mail_recipient = hiera ('contacts') $mail = hiera ('mail') $relayhost = $mail['smarthost'] + $cert_name = hiera('name') class { '::postfix::satellite': relayhost => $relayhost, root_mail_recipient => $root_mail_recipient } + + include site_postfix::mx::smtp_tls } -- cgit v1.2.3