comparison modules/postfix/manifests/init.pp @ 326:63e0b5149cfb

Add fallback relays to Postfix This allows us to reliably send to IPv4 servers via Mythic-Beasts' mailserver rather than getting random IPs from the NAT64 servers. The firewall rules should ensure Postfix doesn't try to send email out via NAT64 and falls back to the relay. IPv6 will still go directly.
author IBBoard <dev@ibboard.co.uk>
date Sat, 07 Mar 2020 14:29:34 +0000
parents 49e66019faf7
children 38bb323e8231
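--- a/modules/postfix/manifests/init.pp
+++ b/modules/postfix/manifests/init.pp
@@ -1,13 +1,14 @@
 class postfix (
 Stdlib::Fqdn $mailserver,
 Stdlib::IP::Address $mailserver_ip,
 Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef,
 Array[Stdlib::IP::Address::V6] $proxy_upstream = [],
+Optional[Array[Stdlib::Host]] $mailrelays = [],
+Optional[Array[Stdlib::IP::Address::V6]] $nat64_ranges = [],
 Enum['all', 'ipv4', 'ipv6'] $protocols='all'
 ){
-
 if $mailserver_ip =~ Stdlib::IP::Address::V4 {
 $lo_ip = '127.0.0.1'
 $lo_networks = '127.0.0.0/8'
 } else {
 $lo_ip = '::1'
@@ -43,10 +44,22 @@
 action => accept,
 }
 }
 }
 
+$nat64_ranges.each |Stdlib::IP::Address::V6 $nat64_range| {
+# Block SMTP to the NAT64 range so that we don't fail SPF checks
+# The server *should* attempt it then fall back to the relay
+firewall { "200 Prevent SMTP over NAT64 to $nat64_range":
+destination => $nat64_range,
+dport => [25, 265, 587],
+proto => tcp,
+action => 'reject',
+chain => 'OUTPUT',
+}
+}
+
 exec { 'postmap-files':
 command => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox transport; do postmap $file; done',
 cwd => '/etc/postfix/',
 provider => 'shell',
 refreshonly => true,
@@ -72,10 +85,11 @@
 {
 'mailserver_ip' => $mailserver_ip,
 'mailserver_proxy' => $mailserver_proxy,
 'lo_ip' => $lo_ip,
 'lo_networks' => $lo_networks,
+'fallback_relays' => $mailrelays,
 }
 ),
 }
 #Hosted domains
 file { '/etc/postfix/vdomains':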
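Review bot: The port list on the firewall rule inside the `$nat64_ranges.each` loop contains 265, which is not an SMTP port; the SMTPS port is 465, so as written the rule leaves NAT64 traffic on 465 unblocked and the line should read `dport => [25, 465, 587],`. The new parameter types `Optional[Array[Stdlib::IP::Address::V6]] $nat64_ranges = []` and `Optional[Array[Stdlib::Host]] $mailrelays = []` also admit an explicit `undef`, on which `.each` fails at catalog compile time; since the `[]` default already covers the unset case, dropping `Optional[...]` from both makes that impossible. Presumably the hosts in `$mailrelays` are reachable over native IPv6 — if a relay only resolved through DNS64 into one of these ranges it would be rejected by the same OUTPUT rule, so a comment on the loop stating that assumption, e.g. `# Relays must be reachable over native IPv6, or this rule blocks them too`, would help the next maintainer.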