From 49c8a0c2a5ff413430b4bf7cc90f39f28c936b3e Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 2 Feb 2016 14:41:17 +0100
Subject: [bug] Add smtpd_relay_restrictions to postfix conf
smtpd_relay_restrictions was added in postfix 2.10 (jessie has 2.11 atm). Without this, outbound mails are rejected to be relayed. from http://www.postfix.org/SMTPD_ACCESS_README.html: NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. They combined the mail relay and spam blocking policies, under smtpd_recipient_restrictions. This could lead to unexpected results. For example, a permissive spam blocking policy could unexpectedly result in a permissive mail relay policy. An example of this is documented under "Dangerous use of smtpd_recipient_restrictions". smtpd_relay_restrictions defaults to 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination' and is configured here to check for a valid client cert. see http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions - Resolves: #7856
---
 puppet/modules/site_postfix/manifests/mx.pp | 29 +++++++++++++++-------
 .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++
 2 files changed, 24 insertions(+), 9 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index cd493807..02b9fbdd 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -93,20 +93,31 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug - class { 'postfix': - preseed => true, - root_mail_recipient => $root_mail_recipient, - smtp_listen => 'all', - mastercf_tail => - "smtps inet n - - - - smtpd + case $::operatingsystemrelease { + /^7.*/: { + $smtpd_relay_restrictions='' + } + default: { + $smtpd_relay_restrictions=" -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n" + } + } + + $mastercf_tail = " +smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions +${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -o smtpd_helo_restrictions=\$smtps_helo_restrictions -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps -clean_smtps unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + + class { 'postfix': + preseed => true, + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all', + mastercf_tail => $mastercf_tail, require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ea452ee..291d7ee4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,3 +1,5 @@ +# smtpd checks for incoming mail on smtp port 25 and +# mail sent via the bitmask client using smtps port 465 class site_postfix::mx::smtpd_checks { postfix::config { 
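Review bot: The feature gate `case $::operatingsystemrelease { /^7.*/: {` keys only on the release number and never consults `$::operatingsystem`, so any other distribution whose release string starts with 7 would also get `$smtpd_relay_restrictions=''` and its smtps service would fall back to Postfix's default relay policy (`permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination` per the commit message), which has no `permit_tls_clientcerts`, so client-cert relaying would be deferred there. If this module is only ever applied to Debian that is moot, but stating the intent is cheap: `if $::operatingsystem == 'Debian' and $::operatingsystemrelease =~ /^7/ {` with the two assignments as its branches. The branch also needs a why-comment, since nothing in mx.pp says why release 7 is special; e.g. `# smtpd_relay_restrictions only exists in Postfix >= 2.10; release 7 (wheezy) presumably ships an older postfix` (adjust if the reason differs). Embedding the trailing `\n` inside `$smtpd_relay_restrictions` rather than in the `$mastercf_tail` string itself is easy to miss when the template is next edited, so a short comment on that assignment (or moving the newline into the template line) would help. The enclosing `class site_postfix::mx` starts before the hunk and continues after it.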
@@ -23,6 +25,8 @@ class site_postfix::mx::smtpd_checks {
 # disable a user by removing their valid client cert (#3634)
 'smtps_recipient_restrictions':
 value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ 'smtps_relay_restrictions':
+ value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';
 'smtps_helo_restrictions':
 value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
 'smtpd_sender_restrictions':
-- cgit v1.2.3
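Review bot: The new `smtps_relay_restrictions` ends in `defer_unauth_destination` while `smtps_recipient_restrictions` just above ends in `reject_unauth_destination`; Postfix applies the relay list before the recipient list at RCPT TO, so an unauthorized relay attempt on the smtps service now gets a temporary 4xx (a conforming client keeps retrying) where it previously got a permanent 5xx. That mirrors the Postfix default the commit message cites, but if the intent is simply to put the existing policy behind a valid client cert, `value => 'permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination';` keeps the two lists consistent and avoids repeated retries from clients without a cert. Either way the entry should say where it is used, e.g. `# relay policy for the smtps service (Postfix >= 2.10 only, wired up via -o in mx.pp); relaying needs a valid client cert`, matching the existing comment on the recipient list. The enclosing `postfix::config` resource starts before the hunk and continues past it.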