Mercurial > repos > other > Puppet
view modules/postfix/manifests/init.pp @ 482:d83de9b3a62b default tip
Update hiera.yaml within Puppet config
Forgot that we manage it from here. Now has content to match
new packages
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Fri, 30 Aug 2024 16:10:36 +0100 |
parents | 2c3e745be8d2 |
children |
line wrap: on
line source
class postfix ( Stdlib::Fqdn $mailserver, Stdlib::IP::Address $mailserver_ip, Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef, Array[Stdlib::IP::Address::V6] $proxy_upstream = [], Optional[Array[Stdlib::Host]] $mailrelays = [], Optional[Array[Stdlib::IP::Address::V6]] $nat64_ranges = [], Enum['all', 'ipv4', 'ipv6'] $protocols='all' ){ if $mailserver_ip =~ Stdlib::IP::Address::V4 { $lo_ip = '127.0.0.1' $lo_networks = '127.0.0.0/8' } else { $lo_ip = '::1' $lo_networks = '::1' } package { 'sendmail': ensure => 'absent', } service { 'sendmail': ensure => stopped, } package { 'postfix': ensure => installed; } service { 'postfix': ensure => running, enable => true, subscribe => Package['postfix'], } exec { 'Postfix/LetsEncrypt sync restart trigger': command => "/usr/bin/true", unless => "[ /var/spool/postfix/private/auth -nt $(readlink -e /etc/pki/custom/$mailserver.crt) ]", notify => Service['postfix'], } firewall { '101 allow SMTP': destination => $mailserver_ip, dport => [25, 465, 587], proto => tcp, jump => accept, } if $mailserver_proxy != undef { $proxy_upstream.each |Stdlib::IP::Address::V6 $upstream_addr| { firewall { "101 limit PROXY protocol for SMTP to upstream $upstream_addr": source => $upstream_addr, destination => $mailserver_proxy, dport => [25, 465, 587], proto => tcp, jump => accept, } } } $nat64_ranges.each |Stdlib::IP::Address::V6 $nat64_range| { # Block SMTP to the NAT64 range so that we don't fail SPF checks # The server *should* attempt it then fall back to the relay firewall { "200 Prevent SMTP over NAT64 to $nat64_range": destination => $nat64_range, dport => [25, 265, 587], proto => tcp, jump => 'reject', chain => 'OUTPUT', } } exec { 'postmap-files': command => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox; do postmap $file; done', cwd => '/etc/postfix/', provider => 'shell', refreshonly => true, notify => Service['postfix'], } File { ensure => present, notify => Exec['postmap-files'], require => Package['postfix'], } if $facts["os"]["family"] == 'RedHat' { $policyd_script = '/usr/libexec/postfix/policyd-spf' } elsif $facts["os"]["family"] == 'Debian' { $policyd_script = '/usr/bin/policyd-spf' } file { '/etc/postfix/main.cf': content => epp('postfix/main.cf.epp', { 'mailserver' => $mailserver, 'lo_ip' => $lo_ip, 'lo_networks' => $lo_networks, 'protocols' => $protocols, } ), } file { '/etc/postfix/master.cf': content => epp('postfix/master.cf.epp', { 'mailserver_ip' => $mailserver_ip, 'mailserver_proxy' => $mailserver_proxy, 'lo_ip' => $lo_ip, 'lo_networks' => $lo_networks, 'policyd_script' => $policyd_script, 'fallback_relays' => $mailrelays, } ), } #Hosted domains file { '/etc/postfix/vdomains': source => 'puppet:///private/postfix/vdomains', } #Hosted mailboxes file { '/etc/postfix/vmailbox': source => 'puppet:///private/postfix/vmailbox', } #Catch-alls file { '/etc/postfix/virtual': source => 'puppet:///private/postfix/virtual', } #Forwarders/aliases file { '/etc/postfix/valias': source => 'puppet:///private/postfix/valias', } #BCCing of inbound email file { '/etc/postfix/recipient_bcc': source => 'puppet:///private/postfix/recipient_bcc', } #Spammed/removed addresses file { '/etc/postfix/valias-blacklist': source => 'puppet:///private/postfix/valias-blacklist', } #Spammed/removed address patterns file { '/etc/postfix/valias-blacklist-regex': source => 'puppet:///private/postfix/valias-blacklist-regex', } #Bad headers (use sparingly) file { '/etc/postfix/header_checks': source => 'puppet:///private/postfix/header_checks', } #Bad body (use even more sparingly!) file { '/etc/postfix/body_checks': source => 'puppet:///private/postfix/body_checks', } # Outbound header manipulation file { '/etc/postfix/smtp_header_checks': source => 'puppet:///private/postfix/smtp_header_checks', } #Whitelisted HELO names file { '/etc/postfix/helo_whitelist': source => 'puppet:///private/postfix/helo_whitelist', } #Private whitelisted IPs for greylisting process file { '/etc/postfix/postscreen_access_private.cidr': source => 'puppet:///private/postfix/postscreen_access_private.cidr', } #Blacklist some domains (e.g. banks who don't do SPF that we don't bank with) file { '/etc/postfix/sender_access': source => 'puppet:///private/postfix/sender_access', } # Certificates file { "/etc/pki/custom/$mailserver.crt": ensure => present, source => "puppet:///private/pki/custom/$mailserver.crt", owner => 'postfix', mode => '0600', } file { "/etc/pki/custom/$mailserver.key": ensure => present, source => "puppet:///private/pki/custom/$mailserver.key", owner => 'postfix', mode => '0600', } # Mail base dir file { '/var/mail/vhosts/': ensure => directory, owner => 505, group => 505, mode => '0700', } #SPF checking if $facts["os"]["family"] == 'RedHat' { $pypolicyd_package = 'pypolicyd-spf' $pypolicyd_config = '/etc/python-policyd-spf/policyd-spf.conf' } elsif $facts["os"]["family"] == 'Debian' { $pypolicyd_package = 'postfix-policyd-spf-python' $pypolicyd_config = '/etc/postfix-policyd-spf-python/policyd-spf.conf' } package { $pypolicyd_package: ensure => installed; } -> file { $pypolicyd_config: content => epp('postfix/policyd-spf.conf', { 'fallback_relays' => $mailrelays, } ), } }