From 60544a57c9e2d014061d2c2775654918890a648c Mon Sep 17 00:00:00 2001 From: Varac Date: Thu, 17 Dec 2009 16:37:53 +0100 Subject: [PATCH 01/16] added postfix::amavis, no relayhost needed for postfix::mta --- README | 4 ++++ manifests/classes/postfix-amavis.pp | 7 +++++++ manifests/classes/postfix-mta.pp | 6 +++--- manifests/classes/postfix.pp | 9 ++++++++- templates/master.cf.debian-etch.erb | 29 +++++++++++++++++++++++++++++ 5 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 manifests/classes/postfix-amavis.pp diff --git a/README b/README index 964125f..c2b58e9 100644 --- a/README +++ b/README @@ -4,6 +4,10 @@ This module will help install and configure postfix. A couple of classes will preconfigure postfix for common needs. +Config +------ +- set $postfix_amavis="true" to include postfix::amavis + == Example: include postfix diff --git a/manifests/classes/postfix-amavis.pp b/manifests/classes/postfix-amavis.pp new file mode 100644 index 0000000..47ba532 --- /dev/null +++ b/manifests/classes/postfix-amavis.pp @@ -0,0 +1,7 @@ +class postfix::amavis { + include amavisd-new + postfix::config { + "content_filter": value => "smtp-amavis:[localhost]:10024"; } + +} + diff --git a/manifests/classes/postfix-mta.pp b/manifests/classes/postfix-mta.pp index 9046bad..ff94c91 100644 --- a/manifests/classes/postfix-mta.pp +++ b/manifests/classes/postfix-mta.pp @@ -32,9 +32,9 @@ # class postfix::mta { - case $postfix_relayhost { - "": { fail("Required \$postfix_relayhost variable is not defined.") } - } + #case $postfix_relayhost { + # "": { fail("Required \$postfix_relayhost variable is not defined.") } + #} case $postfix_mydestination { "": { $postfix_mydestination = "\$myorigin" } diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 8c4173e..a413664 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -41,6 +41,13 @@ class postfix { "": { $root_mail_recipient = "nobody" } } + case $postfix_amavis { + "": { $postfix_amavis = "false" } + "true": { include postfix::amavis } + } + + + package { ["postfix", "mailx"]: ensure => installed @@ -81,7 +88,7 @@ class postfix { mode => "0644", content => $operatingsystem ? { Redhat => template("postfix/master.cf.redhat5.erb"), - Debian => template("postfix/master.cf.debian-etch.erb"), + Debian,Ubuntu => template("postfix/master.cf.debian-etch.erb"), }, seltype => $postfix_seltype, notify => Service["postfix"], diff --git a/templates/master.cf.debian-etch.erb b/templates/master.cf.debian-etch.erb index 674682c..aa5f34f 100644 --- a/templates/master.cf.debian-etch.erb +++ b/templates/master.cf.debian-etch.erb @@ -75,3 +75,32 @@ mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} + +# Amavis +<% if (postfix_amavis == "true" ) -%> + +## http://www.freespamfilter.org/FC4.html#_Toc110999176 + +smtp-amavis unix - - y - 2 smtp + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + -o disable_dns_lookups=yes + +127.0.0.1:10025 inet n - y - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o receive_override_options=no_header_body_checks +<% else -%> +# Amavis not configured +<% end -%> + From 5cdb7a80b3b3205a5169e447c391ba70bf2cfc10 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 23 Sep 2010 13:54:53 -0400 Subject: [PATCH 02/16] Add debian lenny master.cf template --- manifests/classes/postfix.pp | 2 +- templates/master.cf.debian-lenny.erb | 116 +++++++++++++++++++++++++++ 2 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 templates/master.cf.debian-lenny.erb diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 1d60a57..7f9e91c 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -83,7 +83,7 @@ class postfix { content => $operatingsystem ? { Redhat => template("postfix/master.cf.redhat5.erb"), CentOS => template("postfix/master.cf.redhat5.erb"), - Debian => template("postfix/master.cf.debian-etch.erb"), + Debian => template("postfix/master.cf.debian-$lsbdistcodename.erb"), Ubuntu => template("postfix/master.cf.debian-etch.erb"), }, seltype => $postfix_seltype, diff --git a/templates/master.cf.debian-lenny.erb b/templates/master.cf.debian-lenny.erb new file mode 100644 index 0000000..7a3aeae --- /dev/null +++ b/templates/master.cf.debian-lenny.erb @@ -0,0 +1,116 @@ +# file managed by puppet +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +<% if postfix_smtp_listen == 'all' %>smtp inet n - - - - smtpd +<% else %><%= postfix_smtp_listen %>:smtp inet n - - - - smtpd<% end %> +#submission inet n - - - - smtpd +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - - - - smtpd +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup fifo n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - - - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} +<% if postfix_use_amavisd == 'yes' %> +amavis unix - - - - 2 smtp + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + +127.0.0.1:10025 inet n - - - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o smtpd_bind_address=127.0.0.1 +<% end %> +<% if postfix_use_dovecot_lda == 'yes' %> +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} +<% end %> +<% if postfix_use_schleuder == 'yes' %> +schleuder unix - n n - - pipe + flags=DRhu user=schleuder argv=/usr/bin/schleuder ${user} +<% end %> +<% if postfix_use_sympa == 'yes' %> +sympa unix - n n - - pipe + flags=R user=sympa argv=/usr/lib/sympa/bin/queue ${recipient} +sympabounce unix - n n - - pipe + flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${user} +<% end %> From 04d4503a18656d664fac26c772665909dd055f59 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 23 Sep 2010 14:01:21 -0400 Subject: [PATCH 03/16] Correct mailalias wrapper definition --- manifests/definitions/mailalias.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/definitions/mailalias.pp b/manifests/definitions/mailalias.pp index 0d457e7..cd1af50 100644 --- a/manifests/definitions/mailalias.pp +++ b/manifests/definitions/mailalias.pp @@ -23,7 +23,7 @@ Example usage: } */ -define mailalias ($ensure = 'present', $recipient) { +define postfix::mailalias ($ensure = 'present', $recipient) { mailalias { "${name}": ensure => $ensure, recipient => $recipient, From 146a4eadee759b87d6e97a692d01090f6bb2f6c4 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 18 Oct 2010 20:12:02 +0200 Subject: [PATCH 04/16] Add the possibility to append arbitrary text to master.cf templates. --- templates/master.cf.debian-etch.erb | 4 ++++ templates/master.cf.debian-lenny.erb | 4 ++++ templates/master.cf.redhat5.erb | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/templates/master.cf.debian-etch.erb b/templates/master.cf.debian-etch.erb index e6bc4ec..4b39f45 100644 --- a/templates/master.cf.debian-etch.erb +++ b/templates/master.cf.debian-etch.erb @@ -108,3 +108,7 @@ sympa unix - n n - - pipe sympabounce unix - n n - - pipe flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${user} <% end %> + +<%- unless postfix_mastercf_tail.to_s.empty? then -%> +<%= postfix_mastercf_tail %> +<%- end -%> diff --git a/templates/master.cf.debian-lenny.erb b/templates/master.cf.debian-lenny.erb index 7a3aeae..11d0fa0 100644 --- a/templates/master.cf.debian-lenny.erb +++ b/templates/master.cf.debian-lenny.erb @@ -114,3 +114,7 @@ sympa unix - n n - - pipe sympabounce unix - n n - - pipe flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${user} <% end %> + +<%- unless postfix_mastercf_tail.to_s.empty? then -%> +<%= postfix_mastercf_tail %> +<%- end -%> diff --git a/templates/master.cf.redhat5.erb b/templates/master.cf.redhat5.erb index 8c3ee53..3d0c7d6 100644 --- a/templates/master.cf.redhat5.erb +++ b/templates/master.cf.redhat5.erb @@ -79,3 +79,7 @@ ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient + +<%- unless postfix_mastercf_tail.to_s.empty? then -%> +<%= postfix_mastercf_tail %> +<%- end -%> From ee35af20b441aedbd26c7f4b4c6ca0a709a63e58 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 18 Oct 2010 20:15:59 +0200 Subject: [PATCH 05/16] Add master.cf template for Debian Squeeze. --- templates/master.cf.debian-squeeze.erb | 143 +++++++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 templates/master.cf.debian-squeeze.erb diff --git a/templates/master.cf.debian-squeeze.erb b/templates/master.cf.debian-squeeze.erb new file mode 100644 index 0000000..be86a08 --- /dev/null +++ b/templates/master.cf.debian-squeeze.erb @@ -0,0 +1,143 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +<% if postfix_smtp_listen == 'all' %>smtp inet n - - - - smtpd +<% else %><%= postfix_smtp_listen %>:smtp inet n - - - - smtpd<% end %> +#submission inet n - - - - smtpd +#smtp inet n - - - 1 postscreen +#smtpd pass - - - - - smtpd +#dnsblog unix - - - - 0 dnsblog +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - - - - smtpd +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup fifo n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - - - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} +<% if postfix_use_amavisd == 'yes' %> +amavis unix - - - - 2 smtp + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + +127.0.0.1:10025 inet n - - - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o smtpd_bind_address=127.0.0.1 +<% end %> +<% if postfix_use_dovecot_lda == 'yes' %> +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} +<% end %> +<% if postfix_use_schleuder == 'yes' %> +schleuder unix - n n - - pipe + flags=DRhu user=schleuder argv=/usr/bin/schleuder ${user} +<% end %> +<% if postfix_use_sympa == 'yes' %> +sympa unix - n n - - pipe + flags=R user=sympa argv=/usr/lib/sympa/bin/queue ${recipient} +sympabounce unix - n n - - pipe + flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${user} +<% end %> + +<%- unless postfix_mastercf_tail.to_s.empty? then -%> +<%= postfix_mastercf_tail %> +<%- end -%> From fc9e549f46dc47ef69980aaa150361fc347b801a Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 18 Oct 2010 20:37:54 +0200 Subject: [PATCH 06/16] Bugfix: set defaults for all variables used in templates. At least puppet 2.6.0 demands this. --- manifests/classes/postfix.pp | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 7f9e91c..aa04cfc 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -40,7 +40,21 @@ class postfix { case $root_mail_recipient { "": { $root_mail_recipient = "nobody" } } - + case $postfix_use_amavisd { + "": { $postfix_use_amavisd = "no" } + } + case $postfix_use_dovecot_lda { + "": { $postfix_use_dovecot_lda = "no" } + } + case $postfix_use_schleuder { + "": { $postfix_use_schleuder = "no" } + } + case $postfix_use_sympa { + "": { $postfix_use_sympa = "no" } + } + case $postfix_mastercf_tail { + "": { $postfix_mastercf_tail = "" } + } package { ["postfix", "mailx"]: ensure => installed From b8fc529f06ce01b38142ab920388a921701c3c73 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 18 Oct 2010 20:44:36 +0200 Subject: [PATCH 07/16] Documentation fix. --- manifests/classes/postfix.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index aa04cfc..627fcf1 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -5,13 +5,13 @@ # delivery and an SMTP server listening on the loopback interface. # # Parameters: -# - *$postfix_ng_smtp_listen*: address on which the smtp service will listen to. defaults to 127.0.0.1 +# - *$postfix_smtp_listen*: address on which the smtp service will listen to. defaults to 127.0.0.1 # - *$root_mail_recipient*: who will recieve root's emails. defaults to "nobody" # # Example usage: # # node "toto.example.com" { -# $postfix_ng_smtp_listen = "192.168.1.10" +# $postfix_smtp_listen = "192.168.1.10" # include postfix # } # From e775f510cd06fb2d38367e975bbd819cd6212cd6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Nov 2010 20:33:01 +0100 Subject: [PATCH 08/16] define mailalias -> define postfix::mailalias --- manifests/definitions/mailalias.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/definitions/mailalias.pp b/manifests/definitions/mailalias.pp index 0d457e7..cd1af50 100644 --- a/manifests/definitions/mailalias.pp +++ b/manifests/definitions/mailalias.pp @@ -23,7 +23,7 @@ Example usage: } */ -define mailalias ($ensure = 'present', $recipient) { +define postfix::mailalias ($ensure = 'present', $recipient) { mailalias { "${name}": ensure => $ensure, recipient => $recipient, From 000ec536a0260aaccb65968f16dcedd0728b4e0f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Nov 2010 20:34:01 +0100 Subject: [PATCH 09/16] -> as in template --- README | 2 +- manifests/classes/postfix.pp | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README b/README index c2b58e9..c81554e 100644 --- a/README +++ b/README @@ -6,7 +6,7 @@ A couple of classes will preconfigure postfix for common needs. Config ------ -- set $postfix_amavis="true" to include postfix::amavis +- set $postfix_use_amavisd="true" to include postfix::amavis == Example: diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 36089a6..4449629 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -5,13 +5,13 @@ # delivery and an SMTP server listening on the loopback interface. # # Parameters: -# - *$postfix_ng_smtp_listen*: address on which the smtp service will listen to. defaults to 127.0.0.1 +# - *$postfix_smtp_listen*: address on which the smtp service will listen to. defaults to 127.0.0.1 # - *$root_mail_recipient*: who will recieve root's emails. defaults to "nobody" # # Example usage: # # node "toto.example.com" { -# $postfix_ng_smtp_listen = "192.168.1.10" +# $postfix_smtp_listen = "192.168.1.10" # include postfix # } # @@ -41,9 +41,9 @@ class postfix { "": { $root_mail_recipient = "nobody" } } - case $postfix_amavis { - "": { $postfix_amavis = "false" } - "true": { include postfix::amavis } + case $postfix_use_amavisd { + "": { $postfix_use_amavisd = "no" } + "yes": { include postfix::amavis } } From 96b41a3e47819846cc8bb0b626f4f8b705b77890 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Nov 2010 20:35:09 +0100 Subject: [PATCH 10/16] postfix socket synced with master.pp template --- manifests/classes/postfix-amavis.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/classes/postfix-amavis.pp b/manifests/classes/postfix-amavis.pp index 47ba532..c325238 100644 --- a/manifests/classes/postfix-amavis.pp +++ b/manifests/classes/postfix-amavis.pp @@ -1,7 +1,8 @@ class postfix::amavis { include amavisd-new - postfix::config { - "content_filter": value => "smtp-amavis:[localhost]:10024"; } + postfix::config { + "content_filter": value => "amavis:[127.0.0.1]:10024"; + } } From 221fc18c8c4f8d2df01a1d120daf2e925f53ae55 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 10 Nov 2010 18:33:21 +0100 Subject: [PATCH 11/16] Make indentation of postfix-amavis consistent with the rest of the module. --- manifests/classes/postfix-amavis.pp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/manifests/classes/postfix-amavis.pp b/manifests/classes/postfix-amavis.pp index d42237d..7e17836 100644 --- a/manifests/classes/postfix-amavis.pp +++ b/manifests/classes/postfix-amavis.pp @@ -1,8 +1,6 @@ class postfix::amavis { - include amavisd-new - postfix::config { - "content_filter": value => "amavis:[127.0.0.1]:10024"; - } - + include amavisd-new + postfix::config { + "content_filter": value => "amavis:[127.0.0.1]:10024"; + } } - From 127d2972fa0f6a7a971782b0b0b168a6d1b3725c Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 10 Nov 2010 19:25:58 +0100 Subject: [PATCH 12/16] Fix documentation to match actual behaviour. --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index c81554e..fab1db9 100644 --- a/README +++ b/README @@ -6,7 +6,7 @@ A couple of classes will preconfigure postfix for common needs. Config ------ -- set $postfix_use_amavisd="true" to include postfix::amavis +- set $postfix_use_amavisd="yes" to include postfix::amavis == Example: From 78c5fbe9f2abf6dd0f15ff84d6e166022a1c016e Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 10 Nov 2010 21:54:59 +0100 Subject: [PATCH 13/16] mailx is a virtual package in Squeeze. Better install heirloom-mailx. This one is a real package, available in Lenny and Squeeze. --- manifests/classes/postfix.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 5084fa6..038f155 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -64,6 +64,10 @@ class postfix { ensure => installed } + if $operatingsystem == 'debian' { + Package[mailx] { name => 'heirloom-mailx' } + } + service { "postfix": ensure => running, require => Package["postfix"], From 8ce9ae825993934113cc24d80428292aaf47b824 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 10 Nov 2010 21:17:00 +0100 Subject: [PATCH 14/16] Add support for managing Postfix TLS policy. --- README | 2 + files/tls_policy.d/.ignore | 0 manifests/classes/postfix-tlspolicy.pp | 68 ++++++++++++++++++++++ manifests/classes/postfix.pp | 11 ++++ manifests/definitions/tlspolicy_snippet.pp | 47 +++++++++++++++ 5 files changed, 128 insertions(+) create mode 100644 files/tls_policy.d/.ignore create mode 100644 manifests/classes/postfix-tlspolicy.pp create mode 100644 manifests/definitions/tlspolicy_snippet.pp diff --git a/README b/README index fab1db9..337193f 100644 --- a/README +++ b/README @@ -7,6 +7,8 @@ A couple of classes will preconfigure postfix for common needs. Config ------ - set $postfix_use_amavisd="yes" to include postfix::amavis +- set $postfix_manage_tls_policy="yes" to manage TLS policy (see + postfix::tlspolicy for details) == Example: diff --git a/files/tls_policy.d/.ignore b/files/tls_policy.d/.ignore new file mode 100644 index 0000000..e69de29 diff --git a/manifests/classes/postfix-tlspolicy.pp b/manifests/classes/postfix-tlspolicy.pp new file mode 100644 index 0000000..30b1f58 --- /dev/null +++ b/manifests/classes/postfix-tlspolicy.pp @@ -0,0 +1,68 @@ +# +# == Class: postfix::tlspolicy +# +# Manages Postfix TLS policy by merging policy snippets shipped: +# - in the module's files/tls_policy.d/ +# - via postfix::tlspolicy_snippet defines +# +# Parameters: +# - $postfix_tls_fingerprint_digest (defaults to sha1) +# +# Example usage: +# +# node "toto.example.com" { +# $postfix_manage_tls_policy = yes +# include postfix +# } +# +class postfix::tlspolicy { + + # Default value for parameters + case $postfix_tls_fingerprint_digest { + "": { $postfix_tls_fingerprint_digest = 'sha1' } + } + + include common::moduledir + module_dir{'postfix/tls_policy': } + + $postfix_tlspolicy_dir = "${common::moduledir::module_dir_path}/postfix/tls_policy" + $postfix_tlspolicy_snippets_dir = "${postfix_tlspolicy_dir}/tls_policy.d" + $postfix_merged_tlspolicy = "${postfix_tlspolicy_dir}/merged_tls_policy" + + file {"$postfix_tlspolicy_snippets_dir": + ensure => 'directory', + owner => 'root', + group => '0', + mode => '700', + source => [ + "puppet:///modules/site-postfix/${fqdn}/tls_policy.d", + "puppet:///modules/site-postfix/tls_policy.d", + "puppet:///modules/postfix/tls_policy.d" + ], + recurse => true, + purge => false, + } + + concatenated_file { "$postfix_merged_tlspolicy": + dir => "${postfix_tlspolicy_snippets_dir}", + require => File["$postfix_tlspolicy_snippets_dir"], + } + + postfix::hash { '/etc/postfix/tls_policy': + source => "$postfix_merged_tlspolicy", + subscribe => File["$postfix_merged_tlspolicy"], + } + + postfix::config { + 'smtp_tls_fingerprint_digest': value => "$postfix_tls_fingerprint_digest"; + } + + postfix::config { 'smtp_tls_policy_maps': + value => 'hash:/etc/postfix/tls_policy', + require => [ + Postfix::Hash['/etc/postfix/tls_policy'], + Postfix::Config['smtp_tls_fingerprint_digest'], + ], + } + +} diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 038f155..3d8ac3a 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -40,6 +40,9 @@ class postfix { case $root_mail_recipient { "": { $root_mail_recipient = "nobody" } } + case $postfix_manage_tls_policy { + "": { $postfix_manage_tls_policy = "no" } + } case $postfix_use_amavisd { "": { $postfix_use_amavisd = "no" } } @@ -56,6 +59,14 @@ class postfix { "": { $postfix_mastercf_tail = "" } } + # Bootstrap moduledir + include common::moduledir + module_dir{'postfix': } + + # Include optional classes + if $postfix_manage_tls_policy == 'yes' { + include postfix::tlspolicy + } if $postfix_use_amavisd == 'yes' { include postfix::amavis } diff --git a/manifests/definitions/tlspolicy_snippet.pp b/manifests/definitions/tlspolicy_snippet.pp new file mode 100644 index 0000000..2596dbc --- /dev/null +++ b/manifests/definitions/tlspolicy_snippet.pp @@ -0,0 +1,47 @@ +/* +== Definition: postfix::tlspolicy_snippet + +Adds a TLS policy snippets to /etc/postfix/tls_policy.d/. +See the postfix::tlspolicy class for details. + +Parameters: +- *name*: name of destination domain Postfix will lookup. See TLS_README. +- *value*: right-hand part of the tls_policy map +- *ensure*: present/absent, defaults to present. + +Requires: +- Class["postfix"] +- Class["postfix::tlspolicy"] + +Example usage: + + node "toto.example.com" { + $postfix_manage_tls_policy = yes + include postfix + postfix::tlspolicy_snippet { + 'example.com': value => 'encrypt'; + '.example.com': value => 'encrypt'; + 'nothing.com': value => 'fingerprint match=2A:FF:F0:EC:52:04:99:45:73:1B:C2:22:7F:FD:31:6B:8F:07:43:29'; + } + } + +*/ + +define postfix::tlspolicy_snippet ($ensure="present", $value = false) { + + include postfix::tlspolicy + + if ($value == false) and ($ensure == "present") { + fail("The value parameter must be set when using the postfix::tlspolicy_snippet define with ensure=present.") + } + + file { "${postfix::tlspolicy::postfix_tlspolicy_snippets_dir}/${name}": + ensure => "$ensure", + content => "${name} ${value}\n", + mode => 600, + owner => root, + group => 0, + notify => Exec["concat_${postfix::tlspolicy::postfix_merged_tlspolicy}"], + } + +} From 2f37d6cc9dafa6370deaa6b7e7017981a9b9f05f Mon Sep 17 00:00:00 2001 From: intrigeri Date: Tue, 14 Dec 2010 21:44:04 +0100 Subject: [PATCH 15/16] Remove bashism. In POSIX, string equality is tested using '='. --- manifests/definitions/config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/definitions/config.pp b/manifests/definitions/config.pp index aaf73b5..8e203a6 100644 --- a/manifests/definitions/config.pp +++ b/manifests/definitions/config.pp @@ -34,8 +34,8 @@ define postfix::config ($ensure = present, $value, $nonstandard = false) { present: { exec {"postconf -e ${name}='${value}'": unless => $nonstandard ? { - false => "test \"x$(postconf -h ${name})\" == 'x${value}'", - true => "test \"x$(egrep '^${name} ' /etc/postfix/main.cf | cut -d= -f2 | cut -d' ' -f2)\" == 'x${value}'", + false => "test \"x$(postconf -h ${name})\" = 'x${value}'", + true => "test \"x$(egrep '^${name} ' /etc/postfix/main.cf | cut -d= -f2 | cut -d' ' -f2)\" = 'x${value}'", }, notify => Service["postfix"], require => File["/etc/postfix/main.cf"], From d374575bfb9f6ebe55af1ffac537e7ccd0f484a9 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 15 Dec 2010 14:43:40 +0100 Subject: [PATCH 16/16] Rather use bsd-mailx on Debian. It is smaller than the feature-bloated heirloom-mailx. --- manifests/classes/postfix.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 3d8ac3a..588bfc8 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -76,7 +76,7 @@ class postfix { } if $operatingsystem == 'debian' { - Package[mailx] { name => 'heirloom-mailx' } + Package[mailx] { name => 'bsd-mailx' } } service { "postfix":