class postfix (
  Stdlib::Fqdn $mailserver,
  Stdlib::IP::Address $mailserver_ip,
  Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef,
  Array[Stdlib::IP::Address::V6] $proxy_upstream = [],
  Optional[Array[Stdlib::Host]] $mailrelays = [],
  Optional[Array[Stdlib::IP::Address::V6]] $nat64_ranges = [],
  Enum['all', 'ipv4', 'ipv6'] $protocols='all'
  if $mailserver_ip =~ Stdlib::IP::Address::V4 {
    $lo_ip = ''
    $lo_networks = ''
  } else {
    $lo_ip = '::1'
    $lo_networks = '::1'
  package { 'sendmail':
    ensure => 'absent',
  service { 'sendmail':
    ensure => stopped,
  package { 'postfix':
    ensure => installed;
  service { 'postfix':
    ensure    => running,
    enable    => true,
    subscribe => Package['postfix'],
  exec { 'Postfix/LetsEncrypt sync restart trigger':
    command => "/usr/bin/true",
    unless => "[ /var/spool/postfix/private/auth -nt $(readlink -e /etc/pki/custom/$mailserver.crt) ]",
    notify => Service['postfix'],
  firewall { '101 allow SMTP':
    destination => $mailserver_ip,
    dport => [25, 465, 587],
    proto => tcp,
    jump => accept,
  if $mailserver_proxy != undef {
    $proxy_upstream.each |Stdlib::IP::Address::V6 $upstream_addr| {
      firewall { "101 limit PROXY protocol for SMTP to upstream $upstream_addr":
        source => $upstream_addr,
        destination => $mailserver_proxy,
        dport => [25, 465, 587],
        proto => tcp,
        jump => accept,

  $nat64_ranges.each |Stdlib::IP::Address::V6 $nat64_range| {
    # Block SMTP to the NAT64 range so that we don't fail SPF checks
    # The server *should* attempt it then fall back to the relay
    firewall { "200 Prevent SMTP over NAT64 to $nat64_range":
      destination => $nat64_range,
      dport => [25, 265, 587],
      proto => tcp,
      jump => 'reject',
      chain => 'OUTPUT',

  exec { 'postmap-files':
    command     => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox; do postmap $file; done',
    cwd         => '/etc/postfix/',
    provider    => 'shell',
    refreshonly => true,
    notify      => Service['postfix'],
  File {
    ensure  => present,
    notify  => Exec['postmap-files'],
    require => Package['postfix'],
  if $facts["os"]["family"] == 'RedHat' {
    $policyd_script = '/usr/libexec/postfix/policyd-spf'
  elsif $facts["os"]["family"] == 'Debian' {
    $policyd_script = '/usr/bin/policyd-spf'
  file { '/etc/postfix/':
    content => epp('postfix/',
                     'mailserver' => $mailserver,
                     'lo_ip' => $lo_ip,
                     'lo_networks' => $lo_networks,
                     'protocols' => $protocols,
  file { '/etc/postfix/':
    content => epp('postfix/',
                     'mailserver_ip' => $mailserver_ip,
                     'mailserver_proxy' => $mailserver_proxy,
                     'lo_ip' => $lo_ip,
                     'lo_networks' => $lo_networks,
                     'policyd_script' => $policyd_script,
                     'fallback_relays' => $mailrelays,
  #Hosted domains
  file { '/etc/postfix/vdomains':
    source => 'puppet:///private/postfix/vdomains',
  #Hosted mailboxes
  file { '/etc/postfix/vmailbox':
    source => 'puppet:///private/postfix/vmailbox',
  file { '/etc/postfix/virtual':
    source => 'puppet:///private/postfix/virtual',
  file { '/etc/postfix/valias':
    source => 'puppet:///private/postfix/valias',
  #BCCing of inbound email
  file { '/etc/postfix/recipient_bcc':
    source => 'puppet:///private/postfix/recipient_bcc',
  #Spammed/removed addresses
  file { '/etc/postfix/valias-blacklist':
    source => 'puppet:///private/postfix/valias-blacklist',
  #Spammed/removed address patterns
  file { '/etc/postfix/valias-blacklist-regex':
    source => 'puppet:///private/postfix/valias-blacklist-regex',
  #Bad headers (use sparingly)
  file { '/etc/postfix/header_checks':
    source => 'puppet:///private/postfix/header_checks',
  #Bad body (use even more sparingly!)
  file { '/etc/postfix/body_checks':
    source => 'puppet:///private/postfix/body_checks',
  # Outbound header manipulation
  file { '/etc/postfix/smtp_header_checks':
    source => 'puppet:///private/postfix/smtp_header_checks',
  #Whitelisted HELO names
  file { '/etc/postfix/helo_whitelist':
    source => 'puppet:///private/postfix/helo_whitelist',
  #Private whitelisted IPs for greylisting process
  file { '/etc/postfix/postscreen_access_private.cidr':
    source => 'puppet:///private/postfix/postscreen_access_private.cidr',
  #Blacklist some domains (e.g. banks who don't do SPF that we don't bank with)
  file { '/etc/postfix/sender_access':
    source => 'puppet:///private/postfix/sender_access',
  # Certificates
  file { "/etc/pki/custom/$mailserver.crt":
    ensure => present,
    source => "puppet:///private/pki/custom/$mailserver.crt",
    owner  => 'postfix',
    mode   => '0600',
  file { "/etc/pki/custom/$mailserver.key":
    ensure => present,
    source => "puppet:///private/pki/custom/$mailserver.key",
    owner  => 'postfix',
    mode   => '0600',

  # Mail base dir
  file { '/var/mail/vhosts/':
    ensure => directory,
    owner => 505,
    group => 505,
    mode => '0700',

  #SPF checking
  if $facts["os"]["family"] == 'RedHat' {
    $pypolicyd_package = 'pypolicyd-spf'
    $pypolicyd_config = '/etc/python-policyd-spf/policyd-spf.conf'
  elsif $facts["os"]["family"] == 'Debian' {
    $pypolicyd_package = 'postfix-policyd-spf-python'
    $pypolicyd_config = '/etc/postfix-policyd-spf-python/policyd-spf.conf'
  package { $pypolicyd_package:
    ensure => installed;
  file { $pypolicyd_config:
    content => epp('postfix/policyd-spf.conf',
                     'fallback_relays' => $mailrelays,