# HG changeset patch # User IBBoard # Date 1582577391 0 # Node ID 49e66019faf7ffdb881ce14d0c00cc83dbbb6136 # Parent 490d7ec20172901d74d22a933f4059c3efaeb87e Configure Postfix for IPv6 w/proxy Also centralised and standardised some IP settings Currently untested on IPv4 - Postfix might not like the "[ip.add.re.ss]" format, *but* we can't pass the brackets as part of the parameter because then it doesn't validate as IPv6! diff -r 490d7ec20172 -r 49e66019faf7 manifests/nodes.pp --- a/manifests/nodes.pp Sun Feb 23 20:29:42 2020 +0000 +++ b/manifests/nodes.pp Mon Feb 24 20:49:51 2020 +0000 @@ -22,7 +22,6 @@ proxy_upstream => ['2a00:1098::82:1000:3b:1:1', '2a00:1098::80:1000:3b:1:1'], mailserver => 'mail.ibboard.co.uk', imapserver => 'imap.ibboard.co.uk', - imapserver_proxy => '2a00:1098:82:52::01d4:03', firewall_cmd => 'iptables', } # If the console fails to start, you may need to run "restorecon /etc/systemd/system/getty.target.wants/*" diff -r 490d7ec20172 -r 49e66019faf7 manifests/templates.pp --- a/manifests/templates.pp Sun Feb 23 20:29:42 2020 +0000 +++ b/manifests/templates.pp Mon Feb 24 20:49:51 2020 +0000 @@ -32,7 +32,6 @@ $proxy_upstream = undef, $mailserver, $imapserver, - $imapserver_proxy = undef, $firewall_cmd = 'iptables', ) { @@ -53,6 +52,18 @@ content => "${lo_ip} localhost\n${primary_ip} ${fqdn}", } + if $proxy_4to6_ip_prefix != undef { + # …:1 to …:9 for websites, …:10 for mail + $ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } + + $ipv6_secondaries = join($ipv6_addresses, " ") + + augeas {'IPv6 secondary addresses': + context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", + changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'", + } + } + require repos include basenode include privat @@ -63,6 +74,7 @@ class { 'webserver': primary_ip => $primary_ip, proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, + proxy_4to6_mask => 124, proxy_upstream => $proxy_upstream, } include cronjobs @@ -75,7 +87,7 @@ mailserver => $mailserver, imapserver => $imapserver, mailserver_ip => $primary_ip, - imapserver_proxy => $imapserver_proxy, + proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef }, proxy_upstream => $proxy_upstream, } } @@ -145,13 +157,6 @@ chain => 'INPUT', jump => 'Fail2Ban', } - firewall { '101 allow SMTP': - dport => [25, 465], - proto => tcp, - action => accept, - } - # Note: SSH port will be managed separately as we - # put it on a different port to hide from script kiddy noise } class dnsresolver { @@ -348,23 +353,16 @@ class webserver ( $primary_ip, $proxy_4to6_ip_prefix = undef, + $proxy_4to6_mask = undef, $proxy_upstream = undef, ) { - if $proxy_4to6_ip_prefix == undef { - $ipv6_addresses = [] - } - else { - $ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } - } - #Setup base website parameters class { 'website': base_dir => '/srv/sites', primary_ip => $primary_ip, proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, - proxy_4to6_mask => 124, - proxy_4to6_addresses => $ipv6_addresses, + proxy_4to6_mask => $proxy_4to6_mask, proxy_upstream => $proxy_upstream, default_owner => $defaultusers::default_user, default_group => $defaultusers::default_user, @@ -468,7 +466,6 @@ $proxy_upstream = undef, $mailserver, $imapserver, - $imapserver_proxy = undef, $firewall_cmd = 'iptables', ){ class { 'basevpsnode': @@ -477,7 +474,6 @@ proxy_upstream => $proxy_upstream, mailserver => $mailserver, imapserver => $imapserver, - imapserver_proxy => $imapserver_proxy, firewall_cmd => $firewall_cmd, } @@ -709,17 +705,20 @@ $mailserver, $imapserver, $mailserver_ip, - $imapserver_proxy = undef, + $proxy_ip = undef, $proxy_upstream = [], ){ class { 'postfix': mailserver => $mailserver, - protocols => has_key($facts, 'ipaddress') ? { true => 'ipv4', default => 'ipv6' }, + mailserver_ip => $mailserver_ip, + mailserver_proxy => $proxy_ip, + proxy_upstream => $proxy_upstream, + protocols => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'ipv6', default => 'ipv4' }, } class { 'dovecot': imapserver => $imapserver, imapserver_ip => $mailserver_ip, - imapserver_proxy => $imapserver_proxy, + imapserver_proxy => $proxy_ip, proxy_upstream => $proxy_upstream, } # Unspecified SpamAssassin config dependencies that started diff -r 490d7ec20172 -r 49e66019faf7 modules/postfix/manifests/init.pp --- a/modules/postfix/manifests/init.pp Sun Feb 23 20:29:42 2020 +0000 +++ b/modules/postfix/manifests/init.pp Mon Feb 24 20:49:51 2020 +0000 @@ -1,14 +1,17 @@ class postfix ( - $mailserver, - $protocols='all' + Stdlib::Fqdn $mailserver, + Stdlib::IP::Address $mailserver_ip, + Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef, + Array[Stdlib::IP::Address::V6] $proxy_upstream = [], + Enum['all', 'ipv4', 'ipv6'] $protocols='all' ){ - if has_key($facts, 'ipaddress') { + if $mailserver_ip =~ Stdlib::IP::Address::V4 { $lo_ip = '127.0.0.1' $lo_networks = '127.0.0.0/8' } else { - $lo_ip = '[::1]' - $lo_networks = '[::1]' + $lo_ip = '::1' + $lo_networks = '::1' } package { 'sendmail': @@ -24,6 +27,24 @@ ensure => running, subscribe => Package['postfix'], } + firewall { '101 allow SMTP': + destination => $mailserver_ip, + dport => [25, 465, 587], + proto => tcp, + action => accept, + } + if $mailserver_proxy != undef { + $proxy_upstream.each |Stdlib::IP::Address::V6 $upstream_addr| { + firewall { "101 limit PROXY protocol for SMTP to upstream $upstream_addr": + source => $upstream_addr, + destination => $mailserver_proxy, + dport => [25, 465, 587], + proto => tcp, + action => accept, + } + } + } + exec { 'postmap-files': command => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox transport; do postmap $file; done', cwd => '/etc/postfix/', @@ -37,10 +58,24 @@ require => Package['postfix'], } file { '/etc/postfix/main.cf': - content => template('postfix/main.cf.erb'), + content => epp('postfix/main.cf.epp', + { + 'mailserver' => $mailserver, + 'lo_ip' => $lo_ip, + 'lo_networks' => $lo_networks, + 'protocols' => $protocols, + } + ), } file { '/etc/postfix/master.cf': - content => template('postfix/master.cf.erb'), + content => epp('postfix/master.cf.epp', + { + 'mailserver_ip' => $mailserver_ip, + 'mailserver_proxy' => $mailserver_proxy, + 'lo_ip' => $lo_ip, + 'lo_networks' => $lo_networks, + } + ), } #Hosted domains file { '/etc/postfix/vdomains': diff -r 490d7ec20172 -r 49e66019faf7 modules/postfix/templates/main.cf.erb --- a/modules/postfix/templates/main.cf.erb Sun Feb 23 20:29:42 2020 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,90 +0,0 @@ -data_directory = /var/lib/postfix -queue_directory = /var/spool/postfix -command_directory = /usr/sbin -daemon_directory = /usr/libexec/postfix -mail_owner = postfix -myhostname = <%= @mailserver %> -myorigin = $mydomain -inet_interfaces = all -inet_protocols = <%= @protocols %> -mydestination = $myhostname, localhost.$mydomain, localhost -smtp_host_lookup = dns, native -unknown_local_recipient_reject_code = 550 -mynetworks = <%= @lo_networks %> -relay_domains = -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases - - -debug_peer_level = 2 -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - ddd $daemon_directory/$process_name $process_id & sleep 5 -sendmail_path = /usr/sbin/sendmail.postfix -newaliases_path = /usr/bin/newaliases.postfix -mailq_path = /usr/bin/mailq.postfix -setgid_group = postdrop -html_directory = no -manpage_directory = /usr/share/man -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth -smtpd_sasl_auth_enable = yes -policy_time_limit = 3600 -smtpd_tls_received_header = yes -smtpd_tls_security_level = may -smtpd_tls_auth_only = no -smtpd_tls_loglevel = 0 -smtpd_tls_ciphers = high -smtpd_tls_exclude_ciphers = aNULL, MD5 -smtpd_tls_protocols = !SSLv2 -smtpd_tls_mandatory_ciphers = high -smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 -smtpd_tls_mandatory_protocols = !SSLv2 -smtpd_tls_key_file = /etc/pki/custom/<%= @mailserver %>.key -smtpd_tls_cert_file = /etc/pki/custom/<%= @mailserver %>.crt -smtp_tls_CApath = /etc/pki/tls/certs -smtp_tls_security_level = may -smtp_tls_ciphers = export -smtp_tls_exclude_ciphers = aNULL, MD5 -smtp_tls_protocols = !SSLv2 -smtp_tls_mandatory_ciphers = high -smtp_tls_mandatory_exclude_ciphers = aNULL, MD5 -smtp_tls_mandatory_protocols = !SSLv2 -tls_preempt_cipherlist = yes -smtpd_tls_eecdh_grade = strong -virtual_mailbox_domains = /etc/postfix/vdomains -virtual_mailbox_base = /var/mail/vhosts -virtual_mailbox_maps = hash:/etc/postfix/vmailbox -virtual_uid_maps = static:505 -virtual_gid_maps = static:505 -virtual_alias_maps = hash:/etc/postfix/valias -recipient_bcc_maps = hash:/etc/postfix/recipient_bcc -smtpd_helo_required = yes -smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, check_helo_access hash:/etc/postfix/helo_whitelist, permit -smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit -smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, check_recipient_access hash:/etc/postfix/valias-blacklist, check_recipient_access regexp:/etc/postfix/valias-blacklist-regex, check_policy_service unix:private/policy -smtpd_data_restrictions = reject_unauth_pipelining -transport_maps = hash:/etc/postfix/transport -message_size_limit = 15000000 -header_checks = regexp:/etc/postfix/header_checks -body_checks = regexp:/etc/postfix/body_checks -smtp_header_checks = regexp:/etc/postfix/smtp_header_checks - -# The following may not be used by all versions of Postfix -postscreen_dnsbl_threshold = 2 -postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 -postscreen_dnsbl_action = enforce - -postscreen_greet_banner = Establishing connection... -postscreen_greet_action = enforce - -postscreen_pipelining_enable = yes -postscreen_pipelining_action = enforce - -postscreen_non_smtp_command_enable = yes -postscreen_non_smtp_command_action = enforce - -postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access_private.cidr, cidr:/etc/postfix/postscreen_spf_whitelist.cidr -postscreen_blacklist_action = enforce - -content_filter = smtp-amavis:<%= @lo_ip %>:10024 diff -r 490d7ec20172 -r 49e66019faf7 modules/postfix/templates/master.cf.erb --- a/modules/postfix/templates/master.cf.erb Sun Feb 23 20:29:42 2020 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,137 +0,0 @@ -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) -# ========================================================================== -#smtp inet n - n - - smtpd -smtpd pass - - n - - smtpd -smtp inet n - n - 1 postscreen - -o smtpd_sasl_auth_enable=yes - -o receive_override_options=no_address_mappings - -o content_filter=smtp-amavis:<%= @lo_ip %>:10024 -tlsproxy unix - - n - 0 tlsproxy -dnsblog unix - - n - 0 dnsblog -#submission inet n - n - - smtpd -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_client_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -smtps inet n - n - - smtpd - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -#628 inet n - n - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup -qmgr fifo n - n 300 1 qmgr -#qmgr fifo n - n 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -smtp unix - - n - - smtp -# When relaying mail as backup MX, disable fallback_relay to avoid MX loops -relay unix - - n - - smtp - -o smtp_fallback_relay= -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -retry unix - - n - - error -discard unix - - n - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil -scache unix - - n - 1 scache -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -#maildrop unix - n n - - pipe -# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# The Cyrus deliver program has changed incompatibly, multiple times. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -#uucp unix - n n - - pipe -# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# ==================================================================== -# -# Other external delivery methods. -# -#ifmail unix - n n - - pipe -# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -# -#bsmtp unix - n n - - pipe -# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient -# -#scalemail-backend unix - n n - 2 pipe -# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store -# ${nexthop} ${user} ${extension} -# -#mailman unix - n n - - pipe -# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py -# ${nexthop} ${user} - -policy unix - n n - 0 spawn - user=nobody argv=/usr/bin/perl /usr/local/lib/postfix-policyd-spf-perl/postfix-policyd-spf-perl - -# -# spam/virus section -# -smtp-amavis unix - - y - 2 smtp - -o smtp_data_done_timeout=1200 - -o disable_dns_lookups=yes - -o smtp_send_xforward_command=yes -<%= @lo_ip %>:10025 inet n - y - - smtpd - -o content_filter= - -o smtpd_helo_restrictions= - -o smtpd_sender_restrictions= - -o smtpd_recipient_restrictions=permit_mynetworks,reject - -o mynetworks=<%= @lo_networks %> - -o smtpd_error_sleep_time=0 - -o smtpd_soft_error_limit=1001 - -o smtpd_hard_error_limit=1000 - -o receive_override_options=no_header_body_checks - -o smtpd_helo_required=no - -o smtpd_client_restrictions= - -o smtpd_restriction_classes= - -o disable_vrfy_command=no - -o strict_rfc821_envelopes=yes \ No newline at end of file diff -r 490d7ec20172 -r 49e66019faf7 modules/website/manifests/init.pp --- a/modules/website/manifests/init.pp Sun Feb 23 20:29:42 2020 +0000 +++ b/modules/website/manifests/init.pp Mon Feb 24 20:49:51 2020 +0000 @@ -4,7 +4,6 @@ Stdlib::IP::Address $primary_ip, Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef, Optional[Integer] $proxy_4to6_mask = undef, - Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [], Optional[Array] $proxy_upstream = undef, String $default_owner, String $default_group, @@ -128,13 +127,6 @@ action => accept, } if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) { - $ipv6_secondaries = join($proxy_4to6_addresses, " ") - - augeas {'IPv6 secondary addresses': - context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", - changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'", - } - apache::mod { "remoteip": } $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"