From cc8c37d5da948ac9a086a6e6ac6428d8231b7ff4 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 26 Feb 2011 11:19:02 +0100 Subject: [PATCH 1/3] Enhance tls_policy documentation. --- manifests/classes/postfix-tlspolicy.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/classes/postfix-tlspolicy.pp b/manifests/classes/postfix-tlspolicy.pp index 840a90f..494f257 100644 --- a/manifests/classes/postfix-tlspolicy.pp +++ b/manifests/classes/postfix-tlspolicy.pp @@ -2,7 +2,10 @@ # == Class: postfix::tlspolicy # # Manages Postfix TLS policy by merging policy snippets shipped: -# - in the module's files/tls_policy.d/ +# - in the module's files/tls_policy.d/ or puppet:///files/etc/postfix/tls_policy.d +# (the latter takes precedence if present); site-postfix module is supported +# as well, see the source argument of file {"$postfix_tlspolicy_snippets_dir" +# bellow for details. # - via postfix::tlspolicy_snippet defines # # Parameters: From 0583cf4988aec251f129ac4c595e38ff5bb93132 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 5 Mar 2011 04:45:37 +0100 Subject: [PATCH 2/3] Add support for managing header_checks. This support is modeled after the existing TLS policy management: the header_cheks file is produced by merging snippets shipped by the Puppet fileserver, a site-module and/or postfix::header_checks_snippet defines. --- README | 2 + files/header_checks.d/.ignore | 0 manifests/classes/postfix-header_checks.pp | 57 ++++++++++++++++ manifests/classes/postfix.pp | 6 ++ .../definitions/header_checks_snippet.pp | 67 +++++++++++++++++++ 5 files changed, 132 insertions(+) create mode 100644 files/header_checks.d/.ignore create mode 100644 manifests/classes/postfix-header_checks.pp create mode 100644 manifests/definitions/header_checks_snippet.pp diff --git a/README b/README index 337193f..7d74ea9 100644 --- a/README +++ b/README 
@@ -7,6 +7,8 @@ A couple of classes will preconfigure postfix for common needs. Config ------ - set $postfix_use_amavisd="yes" to include postfix::amavis +- set $postfix_manage_header_checks="yes" to manage header checks (see + postfix::header_checks for details) - set $postfix_manage_tls_policy="yes" to manage TLS policy (see postfix::tlspolicy for details) diff --git a/files/header_checks.d/.ignore b/files/header_checks.d/.ignore new file mode 100644 index 0000000..e69de29 diff --git a/manifests/classes/postfix-header_checks.pp b/manifests/classes/postfix-header_checks.pp new file mode 100644 index 0000000..071f6b0 --- /dev/null +++ b/manifests/classes/postfix-header_checks.pp 
@@ -0,0 +1,57 @@
+#
+# == Class: postfix::header_checks
+#
+# Manages Postfix header_checks by merging snippets shipped:
+# - in the module's files/header_checks.d/ or puppet:///files/etc/postfix/header_checks.d
+# (the latter takes precedence if present); site-postfix module is supported
+# as well, see the source argument of file {"$postfix_header_checks_snippets_dir"
+# bellow for details.
+# - via postfix::header_checks_snippet defines
+#
+# Example usage:
+#
+# node "toto.example.com" {
+# $postfix_manage_header_checks = yes
+# include postfix
+# }
+#
+class postfix::header_checks {
+
+ include common::moduledir
+ module_dir{'postfix/header_checks': }
+
+ $postfix_header_checks_dir = "${common::moduledir::module_dir_path}/postfix/header_checks"
+ $postfix_header_checks_snippets_dir = "${postfix_header_checks_dir}/header_checks.d"
+ $postfix_merged_header_checks = "${postfix_header_checks_dir}/merged_header_checks"
+
+ file {"$postfix_header_checks_snippets_dir":
+ ensure => 'directory',
+ owner => 'root',
+ group => '0',
+ mode => '700',
+ source => [
+ "puppet:///modules/site-postfix/${fqdn}/header_checks.d",
+ "puppet:///modules/site-postfix/header_checks.d",
+ "puppet:///files/etc/postfix/header_checks.d",
+ "puppet:///modules/postfix/header_checks.d",
+ ],
+ recurse => true,
+ purge => false,
+ }
+
+ concatenated_file { "$postfix_merged_header_checks":
+ dir => "${postfix_header_checks_snippets_dir}",
+ require => File["$postfix_header_checks_snippets_dir"],
+ }
+
+ config_file { '/etc/postfix/header_checks':
+ source => "$postfix_merged_header_checks",
+ subscribe => File["$postfix_merged_header_checks"],
+ }
+
+ postfix::config { "header_checks":
+ value => 'regexp:/etc/postfix/header_checks',
+ require => File['/etc/postfix/header_checks'],
+ }
+
+}
diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp
index 588bfc8..4446c17 100644
--- a/manifests/classes/postfix.pp
+++ b/manifests/classes/postfix.pp
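Review bot: `purge => false` on the snippets directory means a snippet that is deleted from the fileserver or from site-postfix stays in header_checks.d and keeps being merged into /etc/postfix/header_checks, so a retired REJECT/DISCARD/REPLACE rule silently remains in force on the mail server. Snippets written by `postfix::header_checks_snippet` are catalog-managed `file` resources and should survive purging (the same presumably holds for the `source`-recursed files), so `purge => true,` looks safe here; if the TLS policy class this was modeled on has the same setting, both should change together. The class also unconditionally sets `header_checks = regexp:/etc/postfix/header_checks`, replacing any locally configured header_checks table; the header comment should say so (and "bellow" should read "below").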
@@ -40,6 +40,9 @@ class postfix {
 case $root_mail_recipient {
 "": { $root_mail_recipient = "nobody" }
 }
+ case $postfix_manage_header_checks {
+ "": { $postfix_manage_header_checks = "no" }
+ }
 case $postfix_manage_tls_policy {
 "": { $postfix_manage_tls_policy = "no" }
 }
@@ -64,6 +67,9 @@ class postfix {
 module_dir{'postfix': }
 
 # Include optional classes
+ if $postfix_manage_header_checks == 'yes' {
+ include postfix::header_checks
+ }
 if $postfix_manage_tls_policy == 'yes' {
 include postfix::tlspolicy
 }
diff --git a/manifests/definitions/header_checks_snippet.pp b/manifests/definitions/header_checks_snippet.pp
new file mode 100644
index 0000000..454d219
--- /dev/null
+++ b/manifests/definitions/header_checks_snippet.pp
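Review bot: The new `$postfix_manage_header_checks` toggle is only ever compared against the literal `'yes'`, so any other spelling (`true`, `Yes`, `on`) silently leaves header_checks unmanaged with no diagnostic, which is an easy way to believe a mail-filtering control is active when it is not. Adding `"yes", "no": { }` and `default: { fail("\$postfix_manage_header_checks must be 'yes' or 'no', got '${postfix_manage_header_checks}'") }` arms to the new `case` block would catch that at compile time; the existing tls_policy toggle has the same shape and could be tightened the same way. The enclosing `class postfix` begins and ends outside this hunk.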
@@ -0,0 +1,67 @@
+/*
+== Definition: postfix::header_checks_snippet
+
+Adds a header_checks snippets to /etc/postfix/header_checks.
+See the postfix::header_checks class for details.
+
+Parameters:
+- *source* or *content*: source or content of the header_checks snippet
+- *ensure*: present (default) or absent
+
+Requires:
+- Class["postfix"]
+
+Example usage:
+
+ node "toto.example.com" {
+ include postfix
+ postfix::header_checks {
+ 'wrong_date': content => 'FIXME';
+ 'bla': source => 'puppet:///files/etc/postfix/header_checks.d/bla';
+ }
+ }
+
+*/
+
+define postfix::header_checks_snippet (
+ $ensure = "present",
+ $source = '',
+ $content = undef
+) {
+
+ if $source == '' and $content == undef {
+ fail("One of \$source or \$content must be specified for postfix::header_checks_snippet ${name}")
+ }
+
+ if $source != '' and $content != undef {
+ fail("Only one of \$source or \$content must specified for postfix::header_checks_snippet ${name}")
+ }
+
+ if ($value == false) and ($ensure == "present") {
+ fail("The value parameter must be set when using the postfix::header_checks_snippet define with ensure=present.")
+ }
+
+ include postfix::header_checks
+
+ $snippetfile = "${postfix::header_checks::postfix_header_checks_snippets_dir}/${name}"
+
+ file { "$snippetfile":
+ ensure => "$ensure",
+ mode => 600,
+ owner => root,
+ group => 0,
+ notify => Exec["concat_${postfix::header_checks::postfix_merged_header_checks}"],
+ }
+
+ if $source {
+ File["$snippetfile"] {
+ source => $source,
+ }
+ }
+ else {
+ File["$snippetfile"] {
+ content => $content,
+ }
+ }
+
+}
From 1f99fcdfdbe73be25c7a5ea80853bbc4618d4f76 Mon Sep 17 00:00:00 2001
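Review bot: The third guard, `if ($value == false) and ($ensure == "present")`, tests a `$value` variable that this define never declares or receives, so it is either dead code or, depending on how this Puppet version compares an undefined variable with `false`, a `fail()` on every `ensure => present` snippet; the `$source`/`$content` checks above already express the intent, so those three lines should be dropped. Separately, Postfix header_checks is first-match-wins and the snippets are merged by file name (presumably in lexical order by `concatenated_file`), so a snippet's `$name` silently decides its precedence over every other rule and is also used as a path component; both facts belong in the Parameters section. The usage example declares `postfix::header_checks { 'wrong_date': ... }`, which is the class, not this define, and should read `postfix::header_checks_snippet`.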
From: intrigeri Date: Sat, 5 Mar 2011 04:55:18 +0100 Subject: [PATCH 3/3] Support hiding the originating IP in email relayed for an authenticated SASL client. Untested as I've no Puppet-managed relaying email server yet. Reference: https://we.riseup.net/debian/anonymizing-postfix --- README | 5 +++++ manifests/classes/postfix-anonsasl.pp | 18 ++++++++++++++++++ manifests/classes/postfix.pp | 6 ++++++ templates/anonsasl_header_checks.erb | 2 ++ 4 files changed, 31 insertions(+) create mode 100644 manifests/classes/postfix-anonsasl.pp create mode 100644 templates/anonsasl_header_checks.erb diff --git a/README b/README index 7d74ea9..4633578 100644 --- a/README +++ b/README @@ -7,6 +7,11 @@ A couple of classes will preconfigure postfix for common needs. Config ------ - set $postfix_use_amavisd="yes" to include postfix::amavis +- set $postfix_anon_sasl="yes" to hide the originating IP in email + relayed for an authenticated SASL client; this needs Postfix + 2.3 or later to work; beware! Postfix logs the header replacement + has been done, which means that you are storing this information, + unless you are anonymizing your logs. - set $postfix_manage_header_checks="yes" to manage header checks (see postfix::header_checks for details) - set $postfix_manage_tls_policy="yes" to manage TLS policy (see diff --git a/manifests/classes/postfix-anonsasl.pp b/manifests/classes/postfix-anonsasl.pp new file mode 100644 index 0000000..ca97f19 --- /dev/null +++ b/manifests/classes/postfix-anonsasl.pp @@ -0,0 +1,18 @@ +class postfix::anonsasl { + + include postfix::header_checks + + postfix::config { + 'smtpd_sasl_authenticated_header': + value => 'yes'; + } + + postfix::header_checks_snippet { + 'anonsasl': + content => template("postfix/anonsasl_header_checks.erb"), + require => [ + Postfix::Config['smtpd_sasl_authenticated_header'], + ]; + } + +} diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 4446c17..4e9cd6f 100644 --- a/manifests/classes/postfix.pp 
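Review bot: `postfix::anonsasl` has no fail-safe: it turns on `smtpd_sasl_authenticated_header`, which makes Postfix write the SASL login name into the Received header, and then relies on the header_checks REPLACE in the template to rewrite that header, so whenever the rewrite does not match (for example because Postfix's `myhostname` differs from Facter's `$fqdn`, or the client connected over IPv6, which the template's address pattern does not cover) the relayed mail carries both the client IP and the login name and nothing here detects it. The rewrite also deliberately keeps `(Authenticated sender: $3)`, so the SASL username still reaches recipients; the README line added in this commit should state that only the IP is hidden. Enabling `$postfix_anon_sasl` further includes `postfix::header_checks` directly and therefore takes over /etc/postfix/header_checks even when `$postfix_manage_header_checks` is "no"; a sentence in the README, or a `fail()` when the two settings disagree, would avoid that surprise.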
+++ b/manifests/classes/postfix.pp
@@ -40,6 +40,9 @@ class postfix {
 case $root_mail_recipient {
 "": { $root_mail_recipient = "nobody" }
 }
+ case $postfix_anon_sasl {
+ "": { $postfix_anon_sasl = "no" }
+ }
 case $postfix_manage_header_checks {
 "": { $postfix_manage_header_checks = "no" }
 }
@@ -67,6 +70,9 @@ class postfix {
 module_dir{'postfix': }
 
 # Include optional classes
+ if $postfix_anon_sasl == 'yes' {
+ include postfix::anonsasl
+ }
 if $postfix_manage_header_checks == 'yes' {
 include postfix::header_checks
 }
diff --git a/templates/anonsasl_header_checks.erb b/templates/anonsasl_header_checks.erb
new file mode 100644
index 0000000..bca5914
--- /dev/null
+++ b/templates/anonsasl_header_checks.erb
@@ -0,0 +1,2 @@
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (<%= fqdn.gsub(/\./, '\.') %>) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7
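Review bot: The client-address part of the pattern, `\[[.[:digit:]]{7,15}\]`, only matches a dotted IPv4 literal, so a Received header for an IPv6 submission (Postfix writes these as `[IPv6:2001:db8::1]`) never matches and the client address is passed through untouched; because this is an anonymising control, a non-match is a silent leak rather than an error. Widening that class to `\[[.:[:alnum:]]+\]` covers both address families without adding a capture group, so the `$2`/`$3`/`$6`/`$7` references in the REPLACE line keep their meaning. The rule also assumes Postfix's `myhostname` equals Facter's `fqdn` and that queue IDs are in the default uppercase-hex form; both assumptions are worth stating in a `#` comment line at the top of the template, which Postfix regexp tables accept.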