authorSilvio Rhatto <rhatto@riseup.net>2011-07-13 22:30:12 -0300
committerSilvio Rhatto <rhatto@riseup.net>2011-07-13 22:30:12 -0300
commite70609a148ec092bc35dda0698deaa619eb1a67d (patch)
treeb2a14b50a5a94e8cf2337910a4eff48ba6c350be
parentc904fc86c52f335fe2fe4d93bba3dd59705b10fd (diff)
parent1f99fcdfdbe73be25c7a5ea80853bbc4618d4f76 (diff)
Merge branch 'master' of git://gaffer.ptitcanardnoir.org/puppet-module-postfix
-rw-r--r--README7
-rw-r--r--files/header_checks.d/.ignore0
-rw-r--r--manifests/classes/postfix-anonsasl.pp18
-rw-r--r--manifests/classes/postfix-header_checks.pp57
-rw-r--r--manifests/classes/postfix-tlspolicy.pp5
-rw-r--r--manifests/classes/postfix.pp12
-rw-r--r--manifests/definitions/header_checks_snippet.pp67
-rw-r--r--templates/anonsasl_header_checks.erb2
8 files changed, 167 insertions, 1 deletions
diff --git a/README b/README
index 337193f..4633578 100644
--- a/README
+++ b/README
@@ -7,6 +7,13 @@ A couple of classes will preconfigure postfix for common needs.
Config
------
- set $postfix_use_amavisd="yes" to include postfix::amavis
+- set $postfix_anon_sasl="yes" to hide the originating IP in email
+ relayed for an authenticated SASL client; this needs Postfix
+ 2.3 or later to work; beware! Postfix logs the header replacement
+ has been done, which means that you are storing this information,
+ unless you are anonymizing your logs.
+- set $postfix_manage_header_checks="yes" to manage header checks (see
+ postfix::header_checks for details)
- set $postfix_manage_tls_policy="yes" to manage TLS policy (see
postfix::tlspolicy for details)
diff --git a/files/header_checks.d/.ignore b/files/header_checks.d/.ignore
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/files/header_checks.d/.ignore
diff --git a/manifests/classes/postfix-anonsasl.pp b/manifests/classes/postfix-anonsasl.pp
new file mode 100644
index 0000000..ca97f19
--- /dev/null
+++ b/manifests/classes/postfix-anonsasl.pp
@@ -0,0 +1,18 @@
+class postfix::anonsasl {
+
+ include postfix::header_checks
+
+ postfix::config {
+ 'smtpd_sasl_authenticated_header':
+ value => 'yes';
+ }
+
+ postfix::header_checks_snippet {
+ 'anonsasl':
+ content => template("postfix/anonsasl_header_checks.erb"),
+ require => [
+ Postfix::Config['smtpd_sasl_authenticated_header'],
+ ];
+ }
+
+}
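Review bot: The class has no header comment, unlike postfix::header_checks and postfix::tlspolicy in this same commit, so the Postfix 2.3+ requirement and the "the replacement is still logged" caveat that only the README states are missing where a reader of the manifest looks for them. Because of the `include postfix::header_checks` on the second line, enabling `$postfix_anon_sasl` also takes over /etc/postfix/header_checks even when `$postfix_manage_header_checks` is left at "no"; that side effect belongs in the same comment. Suggested header: `# == Class: postfix::anonsasl` followed by `# Hides the originating IP of authenticated SASL clients via a header_checks snippet; needs Postfix 2.3 or later, always includes postfix::header_checks, and Postfix still logs the rewrite.`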
diff --git a/manifests/classes/postfix-header_checks.pp b/manifests/classes/postfix-header_checks.pp
new file mode 100644
index 0000000..071f6b0
--- /dev/null
+++ b/manifests/classes/postfix-header_checks.pp
@@ -0,0 +1,57 @@
+#
+# == Class: postfix::header_checks
+#
+# Manages Postfix header_checks by merging snippets shipped:
+# - in the module's files/header_checks.d/ or puppet:///files/etc/postfix/header_checks.d
+# (the latter takes precedence if present); site-postfix module is supported
+# as well, see the source argument of file {"$postfix_header_checks_snippets_dir"
+# bellow for details.
+# - via postfix::header_checks_snippet defines
+#
+# Example usage:
+#
+# node "toto.example.com" {
+# $postfix_manage_header_checks = yes
+# include postfix
+# }
+#
+class postfix::header_checks {
+
+ include common::moduledir
+ module_dir{'postfix/header_checks': }
+
+ $postfix_header_checks_dir = "${common::moduledir::module_dir_path}/postfix/header_checks"
+ $postfix_header_checks_snippets_dir = "${postfix_header_checks_dir}/header_checks.d"
+ $postfix_merged_header_checks = "${postfix_header_checks_dir}/merged_header_checks"
+
+ file {"$postfix_header_checks_snippets_dir":
+ ensure => 'directory',
+ owner => 'root',
+ group => '0',
+ mode => '700',
+ source => [
+ "puppet:///modules/site-postfix/${fqdn}/header_checks.d",
+ "puppet:///modules/site-postfix/header_checks.d",
+ "puppet:///files/etc/postfix/header_checks.d",
+ "puppet:///modules/postfix/header_checks.d",
+ ],
+ recurse => true,
+ purge => false,
+ }
+
+ concatenated_file { "$postfix_merged_header_checks":
+ dir => "${postfix_header_checks_snippets_dir}",
+ require => File["$postfix_header_checks_snippets_dir"],
+ }
+
+ config_file { '/etc/postfix/header_checks':
+ source => "$postfix_merged_header_checks",
+ subscribe => File["$postfix_merged_header_checks"],
+ }
+
+ postfix::config { "header_checks":
+ value => 'regexp:/etc/postfix/header_checks',
+ require => File['/etc/postfix/header_checks'],
+ }
+
+}
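Review bot: With `purge => false` on the header_checks.d directory (and `recurse => true`), a snippet removed from the source location stays on the node and keeps being merged into /etc/postfix/header_checks, so a header check cannot be retired just by deleting its file; if that is intended the class comment should say so, otherwise `purge => true` seems right, since the File resources declared by postfix::header_checks_snippet are managed and would presumably survive the purge. The table is declared as `regexp:/etc/postfix/header_checks`, so every snippet must be in Postfix regexp-table syntax; a line such as `# Snippets must use Postfix regexp table syntax (see regexp_table(5)).` in the header comment would prevent pcre/hash-style snippets being dropped in. The comment also has "bellow" where "below" is meant, in this file and in the tlspolicy hunk of the same commit.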
diff --git a/manifests/classes/postfix-tlspolicy.pp b/manifests/classes/postfix-tlspolicy.pp
index ec9e068..633c380 100644
--- a/manifests/classes/postfix-tlspolicy.pp
+++ b/manifests/classes/postfix-tlspolicy.pp
@@ -2,7 +2,10 @@
# == Class: postfix::tlspolicy
#
# Manages Postfix TLS policy by merging policy snippets shipped:
-# - in the module's files/tls_policy.d/
+# - in the module's files/tls_policy.d/ or puppet:///files/etc/postfix/tls_policy.d
+# (the latter takes precedence if present); site-postfix module is supported
+# as well, see the source argument of file {"$postfix_tlspolicy_snippets_dir"
+# bellow for details.
# - via postfix::tlspolicy_snippet defines
#
# Parameters:
diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp
index 588bfc8..4e9cd6f 100644
--- a/manifests/classes/postfix.pp
+++ b/manifests/classes/postfix.pp
@@ -40,6 +40,12 @@ class postfix {
case $root_mail_recipient {
"": { $root_mail_recipient = "nobody" }
}
+ case $postfix_anon_sasl {
+ "": { $postfix_anon_sasl = "no" }
+ }
+ case $postfix_manage_header_checks {
+ "": { $postfix_manage_header_checks = "no" }
+ }
case $postfix_manage_tls_policy {
"": { $postfix_manage_tls_policy = "no" }
}
@@ -64,6 +70,12 @@ class postfix {
module_dir{'postfix': }
# Include optional classes
+ if $postfix_anon_sasl == 'yes' {
+ include postfix::anonsasl
+ }
+ if $postfix_manage_header_checks == 'yes' {
+ include postfix::header_checks
+ }
if $postfix_manage_tls_policy == 'yes' {
include postfix::tlspolicy
}
diff --git a/manifests/definitions/header_checks_snippet.pp b/manifests/definitions/header_checks_snippet.pp
new file mode 100644
index 0000000..454d219
--- /dev/null
+++ b/manifests/definitions/header_checks_snippet.pp
@@ -0,0 +1,67 @@
+/*
+== Definition: postfix::header_checks_snippet
+
+Adds a header_checks snippets to /etc/postfix/header_checks.
+See the postfix::header_checks class for details.
+
+Parameters:
+- *source* or *content*: source or content of the header_checks snippet
+- *ensure*: present (default) or absent
+
+Requires:
+- Class["postfix"]
+
+Example usage:
+
+ node "toto.example.com" {
+ include postfix
+ postfix::header_checks {
+ 'wrong_date': content => 'FIXME';
+ 'bla': source => 'puppet:///files/etc/postfix/header_checks.d/bla';
+ }
+ }
+
+*/
+
+define postfix::header_checks_snippet (
+ $ensure = "present",
+ $source = '',
+ $content = undef
+) {
+
+ if $source == '' and $content == undef {
+ fail("One of \$source or \$content must be specified for postfix::header_checks_snippet ${name}")
+ }
+
+ if $source != '' and $content != undef {
+ fail("Only one of \$source or \$content must specified for postfix::header_checks_snippet ${name}")
+ }
+
+ if ($value == false) and ($ensure == "present") {
+ fail("The value parameter must be set when using the postfix::header_checks_snippet define with ensure=present.")
+ }
+
+ include postfix::header_checks
+
+ $snippetfile = "${postfix::header_checks::postfix_header_checks_snippets_dir}/${name}"
+
+ file { "$snippetfile":
+ ensure => "$ensure",
+ mode => 600,
+ owner => root,
+ group => 0,
+ notify => Exec["concat_${postfix::header_checks::postfix_merged_header_checks}"],
+ }
+
+ if $source {
+ File["$snippetfile"] {
+ source => $source,
+ }
+ }
+ else {
+ File["$snippetfile"] {
+ content => $content,
+ }
+ }
+
+}
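Review bot: The guard `if ($value == false) and ($ensure == "present")` tests `$value`, which is not a parameter of this define (only $ensure, $source and $content are), and its fail message names a parameter callers cannot set; it reads like a leftover from a copy of tlspolicy_snippet and should be removed. The two checks above it also run for `ensure => 'absent'`, so a snippet cannot be removed without still passing a source or content; gating them on presence fixes that, e.g. `if $ensure == 'present' and $source == '' and $content == undef { fail(...) }` and likewise for the "only one of" check. The usage example in the header comment declares `postfix::header_checks { ... }` where it should read `postfix::header_checks_snippet { ... }`, and the first sentence should say `Adds a header_checks snippet`.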
diff --git a/templates/anonsasl_header_checks.erb b/templates/anonsasl_header_checks.erb
new file mode 100644
index 0000000..bca5914
--- /dev/null
+++ b/templates/anonsasl_header_checks.erb
@@ -0,0 +1,2 @@
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (<%= fqdn.gsub(/\./, '\.') %>) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7
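Review bot: The client-address part of the pattern, `\[[.[:digit:]]{7,15}\]`, only matches a bracketed IPv4 address, so a Received header for an authenticated client that connected over IPv6 is not rewritten and still discloses the originating address; either extend the pattern to that form or state the limitation where users will see it. The replacement also drops the `by $4 ($5)` clause the pattern captures, so the rewritten trace header no longer names the receiving host — worth a comment if intended. Postfix regexp tables accept `#` comment lines, so a first line such as `# Only IPv4 client addresses are anonymized; submissions over IPv6 pass through unchanged.` would document it in the generated file itself.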