changeset 313:49e66019faf7

Configure Postfix for IPv6 w/proxy Also centralised and standardised some IP settings Currently untested on IPv4 - Postfix might not like the "[ip.add.re.ss]" format, *but* we can't pass the brackets as part of the parameter because then it doesn't validate as IPv6!
author IBBoard <dev@ibboard.co.uk>
date Mon, 24 Feb 2020 20:49:51 +0000
parents 490d7ec20172
children 0cddcd21c45e
files manifests/nodes.pp manifests/templates.pp modules/postfix/manifests/init.pp modules/postfix/templates/main.cf.erb modules/postfix/templates/master.cf.erb modules/website/manifests/init.pp
diffstat 6 files changed, 64 insertions(+), 266 deletions(-) [+]
line wrap: on
line diff
--- a/manifests/nodes.pp	Sun Feb 23 20:29:42 2020 +0000
+++ b/manifests/nodes.pp	Mon Feb 24 20:49:51 2020 +0000
@@ -22,7 +22,6 @@
 		proxy_upstream => ['2a00:1098::82:1000:3b:1:1', '2a00:1098::80:1000:3b:1:1'],
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
-		imapserver_proxy => '2a00:1098:82:52::01d4:03',
 		firewall_cmd => 'iptables',
 	}
 	# If the console fails to start, you may need to run "restorecon /etc/systemd/system/getty.target.wants/*"
--- a/manifests/templates.pp	Sun Feb 23 20:29:42 2020 +0000
+++ b/manifests/templates.pp	Mon Feb 24 20:49:51 2020 +0000
@@ -32,7 +32,6 @@
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
-	$imapserver_proxy = undef,
 	$firewall_cmd = 'iptables',
 	) {
 
@@ -53,6 +52,18 @@
 		content => "${lo_ip}   localhost\n${primary_ip} ${fqdn}",
 	}
 
+	if $proxy_4to6_ip_prefix != undef {
+		# …:1 to …:9 for websites, …:10 for mail
+		$ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
+
+		$ipv6_secondaries = join($ipv6_addresses, " ")
+
+		augeas {'IPv6 secondary addresses':
+			context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
+			changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
+		}
+	}
+
 	require repos
 	include basenode
 	include privat
@@ -63,6 +74,7 @@
 	class { 'webserver':
 		primary_ip => $primary_ip,
 		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
+		proxy_4to6_mask => 124,
 		proxy_upstream => $proxy_upstream,
 	}
 	include cronjobs
@@ -75,7 +87,7 @@
 		mailserver => $mailserver,
 		imapserver => $imapserver,
 		mailserver_ip => $primary_ip,
-		imapserver_proxy => $imapserver_proxy,
+		proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef },
 		proxy_upstream => $proxy_upstream,
 	}
 }
@@ -145,13 +157,6 @@
 		chain => 'INPUT',
 		jump => 'Fail2Ban',
 	}
-	firewall { '101 allow SMTP':
-		dport => [25, 465],
-		proto => tcp,
-		action => accept,
-	}
-	# Note: SSH port will be managed separately as we 
-	# put it on a different port to hide from script kiddy noise
 }
 
 class dnsresolver {
@@ -348,23 +353,16 @@
 class webserver (
 	$primary_ip,
 	$proxy_4to6_ip_prefix = undef,
+	$proxy_4to6_mask = undef,
 	$proxy_upstream = undef,
 	) {
 
-	if $proxy_4to6_ip_prefix == undef {
-		$ipv6_addresses = []
-	}
-	else {
-		$ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
-	}
-
 	#Setup base website parameters
 	class { 'website':
 		base_dir => '/srv/sites',
 		primary_ip => $primary_ip,
 		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
-		proxy_4to6_mask => 124,
-		proxy_4to6_addresses => $ipv6_addresses,
+		proxy_4to6_mask => $proxy_4to6_mask,
 		proxy_upstream => $proxy_upstream,
 		default_owner => $defaultusers::default_user,
 		default_group => $defaultusers::default_user,
@@ -468,7 +466,6 @@
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
-	$imapserver_proxy = undef,
 	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
@@ -477,7 +474,6 @@
 		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
-		imapserver_proxy => $imapserver_proxy,
 		firewall_cmd => $firewall_cmd,
 	}
 
@@ -709,17 +705,20 @@
 	$mailserver,
 	$imapserver,
 	$mailserver_ip,
-	$imapserver_proxy = undef,
+	$proxy_ip = undef,
 	$proxy_upstream = [],
 	){
 	class { 'postfix':
 		mailserver => $mailserver,
-		protocols  => has_key($facts, 'ipaddress') ? { true => 'ipv4', default => 'ipv6' },
+		mailserver_ip => $mailserver_ip,
+		mailserver_proxy => $proxy_ip,
+		proxy_upstream => $proxy_upstream,
+		protocols  => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'ipv6', default => 'ipv4' },
 	}
 	class { 'dovecot':
 		imapserver => $imapserver,
 		imapserver_ip => $mailserver_ip,
-		imapserver_proxy => $imapserver_proxy,
+		imapserver_proxy => $proxy_ip,
 		proxy_upstream => $proxy_upstream,
 	}
 	# Unspecified SpamAssassin config dependencies that started
--- a/modules/postfix/manifests/init.pp	Sun Feb 23 20:29:42 2020 +0000
+++ b/modules/postfix/manifests/init.pp	Mon Feb 24 20:49:51 2020 +0000
@@ -1,14 +1,17 @@
 class postfix (
-  $mailserver,
-  $protocols='all'
+  Stdlib::Fqdn $mailserver,
+  Stdlib::IP::Address $mailserver_ip,
+  Optional[Stdlib::IP::Address::V6] $mailserver_proxy = undef,
+  Array[Stdlib::IP::Address::V6] $proxy_upstream = [],
+  Enum['all', 'ipv4', 'ipv6'] $protocols='all'
   ){
 
-  if has_key($facts, 'ipaddress') {
+  if $mailserver_ip =~ Stdlib::IP::Address::V4 {
     $lo_ip = '127.0.0.1'
     $lo_networks = '127.0.0.0/8'
   } else {
-    $lo_ip = '[::1]'
-    $lo_networks = '[::1]'
+    $lo_ip = '::1'
+    $lo_networks = '::1'
   }
   
   package { 'sendmail':
@@ -24,6 +27,24 @@
     ensure    => running,
     subscribe => Package['postfix'],
   }
+  firewall { '101 allow SMTP':
+    destination => $mailserver_ip,
+    dport => [25, 465, 587],
+    proto => tcp,
+    action => accept,
+  }
+  if $mailserver_proxy != undef {
+    $proxy_upstream.each |Stdlib::IP::Address::V6 $upstream_addr| {
+      firewall { "101 limit PROXY protocol for SMTP to upstream $upstream_addr":
+        source => $upstream_addr,
+        destination => $mailserver_proxy,
+        dport => [25, 465, 587],
+        proto => tcp,
+        action => accept,
+      }
+    }
+  }
+
   exec { 'postmap-files':
     command     => 'for file in helo_whitelist recipient_bcc sender_access valias valias-blacklist virtual vmailbox transport; do postmap $file; done',
     cwd         => '/etc/postfix/',
@@ -37,10 +58,24 @@
     require => Package['postfix'],
   }
   file { '/etc/postfix/main.cf':
-    content => template('postfix/main.cf.erb'),
+    content => epp('postfix/main.cf.epp',
+                   {
+                     'mailserver' => $mailserver,
+                     'lo_ip' => $lo_ip,
+                     'lo_networks' => $lo_networks,
+                     'protocols' => $protocols,
+                   }
+                  ),
   }
   file { '/etc/postfix/master.cf':
-    content => template('postfix/master.cf.erb'),
+    content => epp('postfix/master.cf.epp',
+                   {
+                     'mailserver_ip' => $mailserver_ip,
+                     'mailserver_proxy' => $mailserver_proxy,
+                     'lo_ip' => $lo_ip,
+                     'lo_networks' => $lo_networks,
+                   }
+                  ),
   }
   #Hosted domains
   file { '/etc/postfix/vdomains':
--- a/modules/postfix/templates/main.cf.erb	Sun Feb 23 20:29:42 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@
-data_directory = /var/lib/postfix
-queue_directory = /var/spool/postfix
-command_directory = /usr/sbin
-daemon_directory = /usr/libexec/postfix
-mail_owner = postfix
-myhostname = <%= @mailserver %>
-myorigin = $mydomain
-inet_interfaces = all
-inet_protocols = <%= @protocols %>
-mydestination = $myhostname, localhost.$mydomain, localhost
-smtp_host_lookup = dns, native
-unknown_local_recipient_reject_code = 550
-mynetworks = <%= @lo_networks %>
-relay_domains = 
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
- 
-  
-debug_peer_level = 2
-debugger_command =
-	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
-	 ddd $daemon_directory/$process_name $process_id & sleep 5
-sendmail_path = /usr/sbin/sendmail.postfix
-newaliases_path = /usr/bin/newaliases.postfix
-mailq_path = /usr/bin/mailq.postfix
-setgid_group = postdrop
-html_directory = no
-manpage_directory = /usr/share/man
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-smtpd_sasl_auth_enable = yes
-policy_time_limit = 3600
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = no
-smtpd_tls_loglevel = 0
-smtpd_tls_ciphers = high
-smtpd_tls_exclude_ciphers = aNULL, MD5
-smtpd_tls_protocols = !SSLv2
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
-smtpd_tls_mandatory_protocols = !SSLv2
-smtpd_tls_key_file = /etc/pki/custom/<%= @mailserver %>.key
-smtpd_tls_cert_file = /etc/pki/custom/<%= @mailserver %>.crt
-smtp_tls_CApath = /etc/pki/tls/certs
-smtp_tls_security_level = may
-smtp_tls_ciphers = export
-smtp_tls_exclude_ciphers = aNULL, MD5
-smtp_tls_protocols = !SSLv2
-smtp_tls_mandatory_ciphers = high
-smtp_tls_mandatory_exclude_ciphers = aNULL, MD5
-smtp_tls_mandatory_protocols = !SSLv2
-tls_preempt_cipherlist = yes
-smtpd_tls_eecdh_grade = strong
-virtual_mailbox_domains = /etc/postfix/vdomains
-virtual_mailbox_base = /var/mail/vhosts
-virtual_mailbox_maps = hash:/etc/postfix/vmailbox
-virtual_uid_maps = static:505
-virtual_gid_maps = static:505
-virtual_alias_maps = hash:/etc/postfix/valias
-recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
-smtpd_helo_required = yes
-smtpd_helo_restrictions  = permit_mynetworks, reject_invalid_helo_hostname, check_helo_access hash:/etc/postfix/helo_whitelist, permit
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
-smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, check_recipient_access hash:/etc/postfix/valias-blacklist, check_recipient_access regexp:/etc/postfix/valias-blacklist-regex, check_policy_service unix:private/policy
-smtpd_data_restrictions = reject_unauth_pipelining
-transport_maps = hash:/etc/postfix/transport
-message_size_limit = 15000000
-header_checks = regexp:/etc/postfix/header_checks
-body_checks  = regexp:/etc/postfix/body_checks
-smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
-
-# The following may not be used by all versions of Postfix
-postscreen_dnsbl_threshold = 2
-postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1
-postscreen_dnsbl_action = enforce
-
-postscreen_greet_banner = Establishing connection...
-postscreen_greet_action = enforce
-
-postscreen_pipelining_enable = yes
-postscreen_pipelining_action = enforce
-
-postscreen_non_smtp_command_enable = yes
-postscreen_non_smtp_command_action = enforce
-
-postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access_private.cidr, cidr:/etc/postfix/postscreen_spf_whitelist.cidr
-postscreen_blacklist_action = enforce
-
-content_filter = smtp-amavis:<%= @lo_ip %>:10024
--- a/modules/postfix/templates/master.cf.erb	Sun Feb 23 20:29:42 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,137 +0,0 @@
-#
-# Postfix master process configuration file.  For details on the format
-# of the file, see the master(5) manual page (command: "man 5 master").
-#
-# Do not forget to execute "postfix reload" after editing this file.
-#
-# ==========================================================================
-# service type  private unpriv  chroot  wakeup  maxproc command + args
-#               (yes)   (yes)   (yes)   (never) (100)
-# ==========================================================================
-#smtp      inet  n       -       n       -       -       smtpd
-smtpd     pass  -       -       n       -       -       smtpd
-smtp      inet  n       -       n       -       1       postscreen
-	-o smtpd_sasl_auth_enable=yes
-	-o receive_override_options=no_address_mappings
-	-o content_filter=smtp-amavis:<%= @lo_ip %>:10024
-tlsproxy  unix  -       -       n       -       0       tlsproxy
-dnsblog   unix  -       -       n       -       0       dnsblog
-#submission inet n       -       n       -       -       smtpd
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
-smtps     inet  n       -       n       -       -       smtpd
-  -o smtpd_tls_wrappermode=yes
-  -o smtpd_sasl_auth_enable=yes
-  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-  -o milter_macro_daemon_name=ORIGINATING
-#628      inet  n       -       n       -       -       qmqpd
-pickup    fifo  n       -       n       60      1       pickup
-cleanup   unix  n       -       n       -       0       cleanup
-qmgr      fifo  n       -       n       300     1       qmgr
-#qmgr     fifo  n       -       n       300     1       oqmgr
-tlsmgr    unix  -       -       n       1000?   1       tlsmgr
-rewrite   unix  -       -       n       -       -       trivial-rewrite
-bounce    unix  -       -       n       -       0       bounce
-defer     unix  -       -       n       -       0       bounce
-trace     unix  -       -       n       -       0       bounce
-verify    unix  -       -       n       -       1       verify
-flush     unix  n       -       n       1000?   0       flush
-proxymap  unix  -       -       n       -       -       proxymap
-proxywrite unix -       -       n       -       1       proxymap
-smtp      unix  -       -       n       -       -       smtp
-# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
-relay     unix  -       -       n       -       -       smtp
-	-o smtp_fallback_relay=
-#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq     unix  n       -       n       -       -       showq
-error     unix  -       -       n       -       -       error
-retry     unix  -       -       n       -       -       error
-discard   unix  -       -       n       -       -       discard
-local     unix  -       n       n       -       -       local
-virtual   unix  -       n       n       -       -       virtual
-lmtp      unix  -       -       n       -       -       lmtp
-anvil     unix  -       -       n       -       1       anvil
-scache    unix  -       -       n       -       1       scache
-#
-# ====================================================================
-# Interfaces to non-Postfix software. Be sure to examine the manual
-# pages of the non-Postfix software to find out what options it wants.
-#
-# Many of the following services use the Postfix pipe(8) delivery
-# agent.  See the pipe(8) man page for information about ${recipient}
-# and other message envelope options.
-# ====================================================================
-#
-# maildrop. See the Postfix MAILDROP_README file for details.
-# Also specify in main.cf: maildrop_destination_recipient_limit=1
-#
-#maildrop  unix  -       n       n       -       -       pipe
-#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
-#
-# ====================================================================
-#
-# The Cyrus deliver program has changed incompatibly, multiple times.
-#
-#old-cyrus unix  -       n       n       -       -       pipe
-#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
-#
-# ====================================================================
-#
-# Cyrus 2.1.5 (Amos Gouaux)
-# Also specify in main.cf: cyrus_destination_recipient_limit=1
-#
-#cyrus     unix  -       n       n       -       -       pipe
-#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
-#
-# ====================================================================
-#
-# See the Postfix UUCP_README file for configuration details.
-#
-#uucp      unix  -       n       n       -       -       pipe
-#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
-#
-# ====================================================================
-#
-# Other external delivery methods.
-#
-#ifmail    unix  -       n       n       -       -       pipe
-#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-#
-#bsmtp     unix  -       n       n       -       -       pipe
-#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-#
-#scalemail-backend unix -       n       n       -       2       pipe
-#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
-#  ${nexthop} ${user} ${extension}
-#
-#mailman   unix  -       n       n       -       -       pipe
-#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
-#  ${nexthop} ${user}
-
-policy  unix  -       n       n       -       0       spawn 
-        user=nobody argv=/usr/bin/perl /usr/local/lib/postfix-policyd-spf-perl/postfix-policyd-spf-perl
-
-#
-# spam/virus section
-#
-smtp-amavis  unix  -    -       y       -       2       smtp
-	-o smtp_data_done_timeout=1200
-	-o disable_dns_lookups=yes
-	-o smtp_send_xforward_command=yes
-<%= @lo_ip %>:10025 inet n  -       y       -       -       smtpd
-	-o content_filter=
-	-o smtpd_helo_restrictions=
-	-o smtpd_sender_restrictions=
-	-o smtpd_recipient_restrictions=permit_mynetworks,reject
-	-o mynetworks=<%= @lo_networks %>
-	-o smtpd_error_sleep_time=0
-	-o smtpd_soft_error_limit=1001
-	-o smtpd_hard_error_limit=1000
-	-o receive_override_options=no_header_body_checks
-	-o smtpd_helo_required=no
-	-o smtpd_client_restrictions=
-	-o smtpd_restriction_classes=
-	-o disable_vrfy_command=no
-	-o strict_rfc821_envelopes=yes
\ No newline at end of file
--- a/modules/website/manifests/init.pp	Sun Feb 23 20:29:42 2020 +0000
+++ b/modules/website/manifests/init.pp	Mon Feb 24 20:49:51 2020 +0000
@@ -4,7 +4,6 @@
   Stdlib::IP::Address $primary_ip,
   Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef,
   Optional[Integer] $proxy_4to6_mask = undef,
-  Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
   Optional[Array] $proxy_upstream = undef,
   String $default_owner,
   String $default_group,
@@ -128,13 +127,6 @@
     action => accept,
   }
   if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
-    $ipv6_secondaries = join($proxy_4to6_addresses, " ")
-
-    augeas {'IPv6 secondary addresses':
-      context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
-      changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
-    }
-
     apache::mod { "remoteip": }
     $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"