Add support for managing Postfix TLS policy.

2010-11-10 21:17:00 +01:00 · 2010-11-10 21:17:00 +01:00 · 8ce9ae8259
commit 8ce9ae8259
parent 78c5fbe9f2
5 changed files with 128 additions and 0 deletions
--- a/2
+++ b/2
@ -7,6 +7,8 @@ A couple of classes will preconfigure postfix for common needs.
 Config
 ------
 - set $postfix_use_amavisd="yes" to include postfix::amavis
+- set $postfix_manage_tls_policy="yes" to manage TLS policy (see
+  postfix::tlspolicy for details)

 == Example:

--- a/files/tls_policy.d/.ignore
+++ b/files/tls_policy.d/.ignore
--- a/manifests/classes/postfix-tlspolicy.pp
+++ b/manifests/classes/postfix-tlspolicy.pp
@ -0,0 +1,68 @@
+#
+# == Class: postfix::tlspolicy
+#
+# Manages Postfix TLS policy by merging policy snippets shipped:
+# - in the module's files/tls_policy.d/
+# - via postfix::tlspolicy_snippet defines
+#
+# Parameters:
+# - $postfix_tls_fingerprint_digest (defaults to sha1)
+#
+# Example usage:
+# 
+#   node "toto.example.com" {
+#     $postfix_manage_tls_policy = yes
+#     include postfix
+#   }
+#
+class postfix::tlspolicy {
+
+  # Default value for parameters
+  case $postfix_tls_fingerprint_digest {
+    "": { $postfix_tls_fingerprint_digest = 'sha1' }
+  }
+
+  include common::moduledir
+  module_dir{'postfix/tls_policy': }
+
+  $postfix_tlspolicy_dir          = "${common::moduledir::module_dir_path}/postfix/tls_policy"
+  $postfix_tlspolicy_snippets_dir = "${postfix_tlspolicy_dir}/tls_policy.d"
+  $postfix_merged_tlspolicy       = "${postfix_tlspolicy_dir}/merged_tls_policy"
+
+  file {"$postfix_tlspolicy_snippets_dir":
+    ensure  => 'directory',
+    owner   => 'root',
+    group   => '0',
+    mode    => '700',
+    source  => [
+                "puppet:///modules/site-postfix/${fqdn}/tls_policy.d",
+                "puppet:///modules/site-postfix/tls_policy.d",
+                "puppet:///modules/postfix/tls_policy.d"
+               ],
+    recurse => true,
+    purge   => false,
+  }
+
+  concatenated_file { "$postfix_merged_tlspolicy":
+    dir     => "${postfix_tlspolicy_snippets_dir}",
+    require => File["$postfix_tlspolicy_snippets_dir"],
+  }
+
+  postfix::hash { '/etc/postfix/tls_policy':
+    source    => "$postfix_merged_tlspolicy",
+    subscribe => File["$postfix_merged_tlspolicy"],
+  }
+
+  postfix::config {
+    'smtp_tls_fingerprint_digest': value => "$postfix_tls_fingerprint_digest";
+  }
+
+  postfix::config { 'smtp_tls_policy_maps':
+    value   => 'hash:/etc/postfix/tls_policy',
+    require => [
+                Postfix::Hash['/etc/postfix/tls_policy'],
+                Postfix::Config['smtp_tls_fingerprint_digest'],
+               ],
+  }
+
+}
--- a/manifests/classes/postfix.pp
+++ b/manifests/classes/postfix.pp
@ -40,6 +40,9 @@ class postfix {
  case $root_mail_recipient {
    "":   { $root_mail_recipient = "nobody" }
  }
+  case $postfix_manage_tls_policy {
+    "":   { $postfix_manage_tls_policy = "no" }
+  }
  case $postfix_use_amavisd {
    "":   { $postfix_use_amavisd = "no" }
  }
@ -56,6 +59,14 @@ class postfix {
    "":   { $postfix_mastercf_tail = "" }
  }

+  # Bootstrap moduledir
+  include common::moduledir
+  module_dir{'postfix': }
+
+  # Include optional classes
+  if $postfix_manage_tls_policy == 'yes' {
+    include postfix::tlspolicy
+  }
  if $postfix_use_amavisd == 'yes' {
    include postfix::amavis
  }
--- a/manifests/definitions/tlspolicy_snippet.pp
+++ b/manifests/definitions/tlspolicy_snippet.pp
@ -0,0 +1,47 @@
+/*
+== Definition: postfix::tlspolicy_snippet
+
+Adds a TLS policy snippets to /etc/postfix/tls_policy.d/.
+See the postfix::tlspolicy class for details.
+
+Parameters:
+- *name*: name of destination domain Postfix will lookup. See TLS_README.
+- *value*: right-hand part of the tls_policy map
+- *ensure*: present/absent, defaults to present.
+
+Requires:
+- Class["postfix"]
+- Class["postfix::tlspolicy"]
+
+Example usage:
+
+  node "toto.example.com" {
+    $postfix_manage_tls_policy = yes
+    include postfix
+    postfix::tlspolicy_snippet {
+      'example.com':  value => 'encrypt';
+      '.example.com': value => 'encrypt';
+      'nothing.com':  value => 'fingerprint match=2A:FF:F0:EC:52:04:99:45:73:1B:C2:22:7F:FD:31:6B:8F:07:43:29';
+    }
+  }
+
+*/
+
+define postfix::tlspolicy_snippet ($ensure="present", $value = false) {
+
+  include postfix::tlspolicy
+
+  if ($value == false) and ($ensure == "present") {
+    fail("The value parameter must be set when using the postfix::tlspolicy_snippet define with ensure=present.")
+  }
+
+  file { "${postfix::tlspolicy::postfix_tlspolicy_snippets_dir}/${name}":
+    ensure  => "$ensure",
+    content => "${name}		${value}\n",
+    mode    => 600,
+    owner   => root,
+    group   => 0,
+    notify => Exec["concat_${postfix::tlspolicy::postfix_merged_tlspolicy}"],
+  }
+
+}