Mercurial > repos > other > Puppet
view modules/postfix/manifests/init.pp @ 326:63e0b5149cfb
Add fallback relays to Postfix
This allows us to reliably send to IPv4 servers via Mythic-Beasts'
mailserver rather than getting random IPs from the NAT64 servers.
The firewall rules should ensure Postfix doesn't try to send
email out via NAT64 and falls back to the relay. IPv6 will still
go directly.
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 07 Mar 2020 14:29:34 +0000 |
parents | 49e66019faf7 |
children | 38bb323e8231 |
line wrap: on
line source
class postfix ( Stdlib::Fqdn $mailserver, Stdlib::IP::Address $mailserver_ip, Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef, Array[Stdlib::IP::Address::V6] $proxy_upstream = [], Optional[Array[Stdlib::Host]] $mailrelays = [], Optional[Array[Stdlib::IP::Address::V6]] $nat64_ranges = [], Enum['all', 'ipv4', 'ipv6'] $protocols='all' ){ if $mailserver_ip =~ Stdlib::IP::Address::V4 { $lo_ip = '127.0.0.1' $lo_networks = '127.0.0.0/8' } else { $lo_ip = '::1' $lo_networks = '::1' } package { 'sendmail': ensure => 'absent', } service { 'sendmail': ensure => stopped, } package { 'postfix': ensure => installed; } service { 'postfix': ensure => running, subscribe => Package['postfix'], } firewall { '101 allow SMTP': destination => $mailserver_ip, dport => [25, 465, 587], proto => tcp, action => accept, } if $mailserver_proxy != undef { $proxy_upstream.each |Stdlib::IP::Address::V6 $upstream_addr| { firewall { "101 limit PROXY protocol for SMTP to upstream $upstream_addr": source => $upstream_addr, destination => $mailserver_proxy, dport => [25, 465, 587], proto => tcp, action => accept, } } } $nat64_ranges.each |Stdlib::IP::Address::V6 $nat64_range| { # Block SMTP to the NAT64 range so that we don't fail SPF checks # The server *should* attempt it then fall back to the relay firewall { "200 Prevent SMTP over NAT64 to $nat64_range": destination => $nat64_range, dport => [25, 265, 587], proto => tcp, action => 'reject', chain => 'OUTPUT', } } exec { 'postmap-files': command => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox transport; do postmap $file; done', cwd => '/etc/postfix/', provider => 'shell', refreshonly => true, notify => Service['postfix'], } File { ensure => present, notify => Exec['postmap-files'], require => Package['postfix'], } file { '/etc/postfix/main.cf': content => epp('postfix/main.cf.epp', { 'mailserver' => $mailserver, 'lo_ip' => $lo_ip, 'lo_networks' => $lo_networks, 'protocols' => $protocols, } ), } file { '/etc/postfix/master.cf': content => epp('postfix/master.cf.epp', { 'mailserver_ip' => $mailserver_ip, 'mailserver_proxy' => $mailserver_proxy, 'lo_ip' => $lo_ip, 'lo_networks' => $lo_networks, 'fallback_relays' => $mailrelays, } ), } #Hosted domains file { '/etc/postfix/vdomains': source => 'puppet:///private/postfix/vdomains', } #Hosted mailboxes file { '/etc/postfix/vmailbox': source => 'puppet:///private/postfix/vmailbox', } #Catch-alls file { '/etc/postfix/virtual': source => 'puppet:///private/postfix/virtual', } #Forwarders/aliases file { '/etc/postfix/valias': source => 'puppet:///private/postfix/valias', } #BCCing of inbound email file { '/etc/postfix/recipient_bcc': source => 'puppet:///private/postfix/recipient_bcc', } #Spammed/removed addresses file { '/etc/postfix/valias-blacklist': source => 'puppet:///private/postfix/valias-blacklist', } #Spammed/removed address patterns file { '/etc/postfix/valias-blacklist-regex': source => 'puppet:///private/postfix/valias-blacklist-regex', } #Bad headers (use sparingly) file { '/etc/postfix/header_checks': source => 'puppet:///private/postfix/header_checks', } #Bad body (use even more sparingly!) file { '/etc/postfix/body_checks': source => 'puppet:///private/postfix/body_checks', } # Outbound header manipulation file { '/etc/postfix/smtp_header_checks': source => 'puppet:///private/postfix/smtp_header_checks', } #Whitelisted HELO names file { '/etc/postfix/helo_whitelist': source => 'puppet:///private/postfix/helo_whitelist', } #Private whitelisted IPs for greylisting process file { '/etc/postfix/postscreen_access_private.cidr': source => 'puppet:///private/postfix/postscreen_access_private.cidr', } #Blacklist some domains (e.g. banks who don't do SPF that we don't bank with) file { '/etc/postfix/sender_access': source => 'puppet:///private/postfix/sender_access', } # Certificates file { "/etc/pki/custom/$mailserver.crt": ensure => present, source => "puppet:///private/pki/custom/$mailserver.crt", owner => 'postfix', mode => '0600', } file { "/etc/pki/custom/$mailserver.key": ensure => present, source => "puppet:///private/pki/custom/$mailserver.key", owner => 'postfix', mode => '0600', } # Mail base dir file { '/var/mail/vhosts/': ensure => directory, owner => 505, group => 505, mode => '0700', } #SPF checking file { '/usr/local/lib/postfix-policyd-spf-perl/': ensure => directory } file { '/usr/local/lib/postfix-policyd-spf-perl/postfix-policyd-spf-perl': source => 'puppet:///modules/postfix/postfix-policyd-spf-perl', } $perl_pkgs = [ 'perl', 'perl-NetAddr-IP', 'perl-Mail-SPF', 'perl-version', 'perl-Sys-Hostname-Long'] package { $perl_pkgs: ensure => installed, } }