refactor: recreate profiles::postfix::gateway with parameterization and templates (#416)

- refactor profiles::postfix::gateway as parameterized class
- move base postfix parameters, transports, and virtuals to hiera for flexibility
- convert SMTP restrictions to arrays for better readability using join()
- add postscreen enable/disable boolean with conditional master.cf configuration
- add per-domain TLS policy maps (smtp_tls_policy_maps)
- convert alias_maps to array parameter for flexibility
- convert all postfix map files to ERB templates with parameter hashes
- add map parameters: sender_canonical_maps, sender_access_maps, relay_recipients_maps,
  relay_domains_maps, recipient_canonical_maps, recipient_access_maps, postscreen_access_maps, helo_access_maps
- move default map data to hiera while keeping parameters as empty hashes by default

This approach balances flexibility with data-driven configuration, allowing
easy customization through parameters while keeping transport/virtual maps
and default map data in hiera for role-specific overrides.

Reviewed-on: #416
This commit is contained in:
Ben Vincent 2025-11-01 17:26:00 +11:00
parent 81f289a185
commit 78adef0eee
20 changed files with 481 additions and 288 deletions


@ -158,6 +158,15 @@ lookup_options:
rke2::config_hash: rke2::config_hash:
merge: merge:
strategy: deep strategy: deep
postfix::configs:
merge:
strategy: deep
postfix::maps:
merge:
strategy: deep
postfix::virtuals:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d' facts_path: '/opt/puppetlabs/facter/facts.d'
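Review bot: `postfix::transports`, which this same commit starts declaring in hiera, gets no `merge: deep` entry here although `postfix::virtuals` does, so a role-level override of transports replaces the whole hash rather than merging into it; presumably the two were meant to be treated alike. The same gap applies to the new `profiles::postfix::gateway::*_maps` hashes that the commit message describes as defaults for role-specific overrides: without a lookup_options entry Hiera's first-found lookup returns only the most specific level, silently dropping the defaults. If merging is the intent, add `postfix::transports:` and each `profiles::postfix::gateway::*_maps` key with the same `merge:`/`strategy: deep` block, or a single regex key such as `'^profiles::postfix::gateway::.*_maps$'`, which lookup_options accepts for keys beginning with `^`.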


@ -3,3 +3,50 @@
# additional altnames # additional altnames
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- in-mta.main.unkin.net - in-mta.main.unkin.net
# base postfix configuration (passed to postfix class)
postfix::relayhost: 'direct'
postfix::myorigin: 'main.unkin.net'
postfix::mydestination: 'blank'
postfix::mynetworks: '127.0.0.0/8 [::1]/128'
postfix::mta: true
postfix::manage_aliases: true
# profile parameters for customization
profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'
# postfix map content (templates)
profiles::postfix::gateway::relay_recipients_maps:
'@main.unkin.net': 'OK'
profiles::postfix::gateway::relay_domains_maps:
'main.unkin.net': 'OK'
profiles::postfix::gateway::postscreen_access_maps:
'127.0.0.1/32': 'permit'
'10.10.12.200/32': 'permit'
profiles::postfix::gateway::helo_access_maps:
'.dynamic.': 'REJECT'
'.dialup.': 'REJECT'
'unknown': 'REJECT'
'localhost': 'REJECT You are not localhost'
# postfix transports
postfix::transports:
'main.unkin.net':
ensure: present
destination: 'relay'
nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
# postfix virtuals
postfix::virtuals:
'root':
ensure: present
destination: 'ben@main.unkin.net'
'postmaster':
ensure: present
destination: 'ben@main.unkin.net'
'abuse':
ensure: present
destination: 'ben@main.unkin.net'


@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# HELO/EHLO access controls
# Format: pattern action
# Actions: REJECT, OK, WARN, etc.
# Block common spam patterns
.dynamic. REJECT
.dialup. REJECT
unknown REJECT
localhost REJECT You are not localhost


@ -1,4 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
127.0.0.1/32 permit
10.10.12.200/32 permit


@ -1,9 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Recipient access controls
# Format: recipient_pattern action
# Actions: REJECT, OK, WARN, DISCARD, etc.
# Protected recipients that require special handling
# Example entries:
# @main.unkin.net OK


@ -1,8 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Recipient canonical address mapping
# Format: original_address canonical_address
# Used to rewrite recipient addresses
# Example mappings:
# user@olddomain.com user@main.unkin.net


@ -1,3 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
main.unkin.net OK


@ -1,3 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
@main.unkin.net OK


@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Sender access controls
# Format: sender_pattern action
# Actions: REJECT, OK, WARN, DISCARD, etc.
# Block known spam domains
# Example entries:
# spammer@example.com REJECT
# @badspammer.com REJECT


@ -1,8 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Sender canonical address mapping
# Format: original_address canonical_address
# Used to rewrite sender addresses
# Example mappings:
# user@internal.local user@main.unkin.net


@ -1,250 +1,349 @@
class profiles::postfix::gateway ( class profiles::postfix::gateway (
$tls_cert_file = '/etc/pki/tls/vault/certificate.pem', Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
$tls_key_file = '/etc/pki/tls/vault/certificate.pem', Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
$tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
String $myhostname = $trusted['certname'],
String $message_size_limit = '133169152',
String $mailbox_size_limit = '133169152',
String $local_transport = 'error:No local mail delivery',
Boolean $enable_postscreen = true,
Array[String] $alias_maps = [
'hash:/etc/aliases',
'hash:/etc/postfix/aliases',
],
Array[String] $postscreen_dnsbl_sites = [
'zen.spamhaus.org*3',
'b.barracudacentral.org=127.0.0.[2..11]*2',
'bl.spameatingmonkey.net*2',
'bl.spamcop.net',
'dnsbl.sorbs.net',
'swl.spamhaus.org*-4',
'list.dnswl.org=127.[0..255].[0..255].0*-2',
'list.dnswl.org=127.[0..255].[0..255].1*-4',
'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6',
],
Array[String] $smtpd_client_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_rbl_client zen.spamhaus.org',
],
Array[String] $smtpd_sender_restrictions = [
'permit_sasl_authenticated',
'check_sender_access hash:/etc/postfix/sender_access',
'reject_non_fqdn_sender',
'reject_unknown_sender_domain',
],
Array[String] $smtpd_recipient_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
'reject_non_fqdn_recipient',
'reject_unknown_recipient_domain',
'check_recipient_access hash:/etc/postfix/recipient_access',
'reject_unverified_recipient',
],
Array[String] $smtpd_relay_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
],
Hash[String, String] $smtp_tls_policy_maps = {},
Hash[String, String] $sender_canonical_maps = {},
Hash[String, String] $sender_access_maps = {},
Hash[String, String] $relay_recipients_maps = {},
Hash[String, String] $relay_domains_maps = {},
Hash[String, String] $recipient_canonical_maps = {},
Hash[String, String] $recipient_access_maps = {},
Hash[String, String] $postscreen_access_maps = {},
Hash[String, String] $helo_access_maps = {},
) { ) {
$alias_maps = 'hash:/etc/aliases, hash:/etc/postfix/aliases' $alias_maps_string = join($alias_maps, ', ')
class { 'postfix': # Set master.cf configuration based on postscreen setting
relayhost => 'direct', if $enable_postscreen {
myorigin => 'main.unkin.net', $master_smtp = 'smtp inet n - n - 1 postscreen'
mydestination => 'blank', $master_entries = [
mynetworks => '127.0.0.0/8 [::1]/128',
alias_maps => $alias_maps,
mta => true,
manage_aliases => true,
master_smtp => 'smtp inet n - n - 1 postscreen',
master_entries => [
# Postscreen backend services
'smtpd pass - - n - - smtpd', 'smtpd pass - - n - - smtpd',
'dnsblog unix - - n - 0 dnsblog', 'dnsblog unix - - n - 0 dnsblog',
'tlsproxy unix - - n - 0 tlsproxy', 'tlsproxy unix - - n - 0 tlsproxy',
], ]
$postscreen_configs = {
'postscreen_access_list' => {
'value' => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
},
'postscreen_blacklist_action' => {
'value' => 'enforce'
},
'postscreen_cache_map' => {
'value' => 'btree:$data_directory/postscreen_cache'
},
'postscreen_dnsbl_action' => {
'value' => 'enforce'
},
'postscreen_dnsbl_sites' => {
'value' => join($postscreen_dnsbl_sites, ', ')
},
'postscreen_dnsbl_threshold' => {
'value' => '2'
},
'postscreen_greet_action' => {
'value' => 'enforce'
},
'postscreen_greet_banner' => {
'value' => '$smtpd_banner'
},
'postscreen_greet_wait' => {
'value' => "\${stress?2}\${stress:6}s"
},
}
} else {
$master_smtp = undef
$master_entries = []
$postscreen_configs = {}
} }
postfix::config { # Base postfix configuration
'alias_database': $base_configs = {
value => $alias_maps; 'alias_database' => {
'default_destination_recipient_limit': 'value' => $alias_maps_string
value => '1'; },
'disable_vrfy_command': 'default_destination_recipient_limit' => {
value => 'yes'; 'value' => '1'
'enable_long_queue_ids': },
value => 'yes'; 'disable_vrfy_command' => {
'error_notice_recipient': 'value' => 'yes'
value => 'root'; },
'header_checks': 'enable_long_queue_ids' => {
value => 'regexp:/etc/postfix/header_checks'; 'value' => 'yes'
'local_recipient_maps': },
ensure => 'blank'; # no local mailboxes 'error_notice_recipient' => {
'local_transport': 'value' => 'root'
value => 'error:No local mail delivery'; },
'mailbox_size_limit': 'header_checks' => {
value => '133169152'; # ~127MB 'value' => 'regexp:/etc/postfix/header_checks'
'message_size_limit': },
value => '133169152'; # ~127MB 'local_recipient_maps' => {
'myhostname': 'ensure' => 'blank'
value => 'in-mta.main.unkin.net'; },
'non_smtpd_milters': 'local_transport' => {
ensure => 'blank'; 'value' => $local_transport
'postscreen_access_list': },
value => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'; 'mailbox_size_limit' => {
'postscreen_blacklist_action': 'value' => $mailbox_size_limit
value => 'enforce'; },
'postscreen_cache_map': 'message_size_limit' => {
value => 'btree:$data_directory/postscreen_cache'; 'value' => $message_size_limit
'postscreen_dnsbl_action': },
value => 'enforce'; 'myhostname' => {
'postscreen_dnsbl_sites': 'value' => $myhostname
value => join([ },
'zen.spamhaus.org*3', 'non_smtpd_milters' => {
'b.barracudacentral.org=127.0.0.[2..11]*2', 'ensure' => 'blank'
'bl.spameatingmonkey.net*2', },
'bl.spamcop.net', 'qmqpd_authorized_clients' => {
'dnsbl.sorbs.net', 'value' => '127.0.0.1 [::1]'
'swl.spamhaus.org*-4', },
'list.dnswl.org=127.[0..255].[0..255].0*-2', 'recipient_canonical_maps' => {
'list.dnswl.org=127.[0..255].[0..255].1*-4', 'value' => 'hash:/etc/postfix/recipient_canonical'
'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6' },
], ', '); 'recipient_delimiter' => {
'postscreen_dnsbl_threshold': 'value' => '+'
value => '2'; },
'postscreen_greet_action': 'relay_domains' => {
value => 'enforce'; 'value' => 'hash:/etc/postfix/relay_domains'
'postscreen_greet_banner': },
value => '$smtpd_banner'; 'relay_recipient_maps' => {
'postscreen_greet_wait': 'value' => 'hash:/etc/postfix/relay_recipients'
value => "\${stress?2}\${stress:6}s"; },
'qmqpd_authorized_clients': 'sender_canonical_maps' => {
value => '127.0.0.1 [::1]'; 'value' => 'hash:/etc/postfix/sender_canonical'
'recipient_canonical_maps': },
value => 'hash:/etc/postfix/recipient_canonical'; 'smtp_tls_CAfile' => {
'recipient_delimiter': 'value' => $tls_ca_file
value => '+'; },
'relay_domains': 'smtp_tls_mandatory_protocols' => {
value => 'hash:/etc/postfix/relay_domains'; 'value' => '!SSLv2,!SSLv3'
'relay_recipient_maps': },
value => 'hash:/etc/postfix/relay_recipients'; 'smtp_tls_note_starttls_offer' => {
'sender_canonical_maps': 'value' => 'yes'
value => 'hash:/etc/postfix/sender_canonical'; },
'smtp_tls_CAfile': 'smtp_tls_protocols' => {
value => $tls_ca_file; 'value' => '!SSLv2,!SSLv3'
'smtp_tls_mandatory_protocols': },
value => '!SSLv2,!SSLv3'; 'smtp_tls_security_level' => {
'smtp_tls_note_starttls_offer': 'value' => 'may'
value => 'yes'; },
'smtp_tls_protocols': 'smtp_tls_session_cache_database' => {
value => '!SSLv2,!SSLv3'; 'value' => 'btree:/var/lib/postfix/smtp_tls_session_cache'
'smtp_tls_security_level': },
value => 'may'; 'smtp_use_tls' => {
'smtp_tls_session_cache_database': 'value' => 'yes'
value => 'btree:/var/lib/postfix/smtp_tls_session_cache'; },
'smtp_use_tls': 'smtpd_banner' => {
value => 'yes'; 'value' => '$myhostname ESMTP $mail_name'
'smtpd_banner': },
value => '$myhostname ESMTP $mail_name'; 'smtpd_client_restrictions' => {
'smtpd_client_restrictions': 'value' => join($smtpd_client_restrictions, ', ')
value => 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org'; },
'smtpd_data_restrictions': 'smtpd_data_restrictions' => {
value => 'reject_unauth_pipelining'; 'value' => 'reject_unauth_pipelining'
'smtpd_delay_reject': },
value => 'yes'; 'smtpd_delay_reject' => {
'smtpd_discard_ehlo_keywords': 'value' => 'yes'
value => 'chunking, silent-discard'; },
'smtpd_forbid_bare_newline': 'smtpd_discard_ehlo_keywords' => {
value => 'yes'; 'value' => 'chunking, silent-discard'
'smtpd_forbid_bare_newline_exclusions': },
value => '$mynetworks'; 'smtpd_forbid_bare_newline' => {
'smtpd_forbid_unauth_pipelining': 'value' => 'yes'
value => 'yes'; },
'smtpd_helo_required': 'smtpd_forbid_bare_newline_exclusions' => {
value => 'yes'; 'value' => '$mynetworks'
'smtpd_helo_restrictions': },
value => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'; 'smtpd_forbid_unauth_pipelining' => {
'smtpd_milters': 'value' => 'yes'
value => 'inet:127.0.0.1:33333'; },
'smtpd_recipient_restrictions': 'smtpd_helo_required' => {
value => join([ 'value' => 'yes'
'permit_sasl_authenticated', },
'permit_mynetworks', 'smtpd_helo_restrictions' => {
'reject_unauth_destination', 'value' => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
'reject_non_fqdn_recipient', },
'reject_unknown_recipient_domain', 'smtpd_milters' => {
'check_recipient_access hash:/etc/postfix/recipient_access', 'value' => 'inet:127.0.0.1:33333'
'check_policy_service inet:127.0.0.1:2501', },
'reject_unverified_recipient' 'smtpd_recipient_restrictions' => {
], ', '); 'value' => join($smtpd_recipient_restrictions, ', ')
'smtpd_relay_restrictions': },
value => 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'; 'smtpd_relay_restrictions' => {
'smtpd_sender_restrictions': 'value' => join($smtpd_relay_restrictions, ', ')
value => join([ },
'permit_sasl_authenticated', 'smtpd_sender_restrictions' => {
'check_sender_access hash:/etc/postfix/sender_access', 'value' => join($smtpd_sender_restrictions, ', ')
'reject_non_fqdn_sender', },
'reject_unknown_sender_domain' 'smtpd_tls_CAfile' => {
], ', '); 'value' => $tls_ca_file
'smtpd_tls_CAfile': },
value => $tls_ca_file; 'smtpd_tls_cert_file' => {
'smtpd_tls_cert_file': 'value' => $tls_cert_file
value => $tls_cert_file; },
'smtpd_tls_ciphers': 'smtpd_tls_ciphers' => {
value => 'medium'; 'value' => 'medium'
'smtpd_tls_key_file': },
value => $tls_key_file; 'smtpd_tls_key_file' => {
'smtpd_tls_loglevel': 'value' => $tls_key_file
value => '1'; },
'smtpd_tls_mandatory_protocols': 'smtpd_tls_loglevel' => {
value => '!SSLv2,!SSLv3'; 'value' => '1'
'smtpd_tls_protocols': },
value => '!SSLv2,!SSLv3'; 'smtpd_tls_mandatory_protocols' => {
'smtpd_tls_received_header': 'value' => '!SSLv2,!SSLv3'
value => 'yes'; },
'smtpd_tls_security_level': 'smtpd_tls_protocols' => {
value => 'may'; 'value' => '!SSLv2,!SSLv3'
'smtpd_tls_session_cache_database': },
value => 'btree:/var/lib/postfix/smtpd_tls_session_cache'; 'smtpd_tls_received_header' => {
'smtpd_tls_session_cache_timeout': 'value' => 'yes'
value => '3600s'; },
'smtpd_use_tls': 'smtpd_tls_security_level' => {
value => 'yes'; 'value' => 'may'
'tls_medium_cipherlist': },
value => join([ 'smtpd_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtpd_tls_session_cache'
},
'smtpd_tls_session_cache_timeout' => {
'value' => '3600s'
},
'smtpd_use_tls' => {
'value' => 'yes'
},
'tls_medium_cipherlist' => {
'value' => join([
'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES', 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' 'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':'); ], ':')
'tls_preempt_cipherlist': },
value => 'yes'; 'tls_preempt_cipherlist' => {
'tls_random_source': 'value' => 'yes'
value => 'dev:/dev/urandom'; },
'unverified_recipient_reject_code': 'tls_random_source' => {
value => '550'; 'value' => 'dev:/dev/urandom'
'unverified_recipient_reject_reason': },
value => 'No user at this address'; 'unverified_recipient_reject_code' => {
'value' => '550'
},
'unverified_recipient_reject_reason' => {
'value' => 'No user at this address'
},
'smtp_tls_policy_maps' => {
'value' => 'hash:/etc/postfix/smtp_tls_policy_maps'
},
} }
postfix::map { 'postscreen_access': # Postfix maps (all using templates now)
ensure => present, $postfix_maps = {
type => 'cidr', 'postscreen_access' => {
source => 'puppet:///modules/profiles/postfix/gateway/postscreen_access' 'ensure' => 'present',
} 'type' => 'cidr',
postfix::map { 'relay_recipients': 'content' => template('profiles/postfix/gateway/postscreen_access.erb')
ensure => present, },
type => 'hash', 'relay_recipients' => {
source => 'puppet:///modules/profiles/postfix/gateway/relay_recipients' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'relay_domains': 'content' => template('profiles/postfix/gateway/relay_recipients.erb')
ensure => present, },
type => 'hash', 'relay_domains' => {
source => 'puppet:///modules/profiles/postfix/gateway/relay_domains' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'aliases': 'content' => template('profiles/postfix/gateway/relay_domains.erb')
ensure => present, },
type => 'hash', 'aliases' => {
source => 'puppet:///modules/profiles/postfix/gateway/aliases' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'helo_access': 'source' => 'puppet:///modules/profiles/postfix/gateway/aliases'
ensure => present, },
type => 'hash', 'helo_access' => {
source => 'puppet:///modules/profiles/postfix/gateway/helo_access' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'sender_access': 'content' => template('profiles/postfix/gateway/helo_access.erb')
ensure => present, },
type => 'hash', 'sender_access' => {
source => 'puppet:///modules/profiles/postfix/gateway/sender_access' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'recipient_access': 'content' => template('profiles/postfix/gateway/sender_access.erb')
ensure => present, },
type => 'hash', 'recipient_access' => {
source => 'puppet:///modules/profiles/postfix/gateway/recipient_access' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'recipient_canonical': 'content' => template('profiles/postfix/gateway/recipient_access.erb')
ensure => present, },
type => 'hash', 'recipient_canonical' => {
source => 'puppet:///modules/profiles/postfix/gateway/recipient_canonical' 'ensure' => 'present',
} 'type' => 'hash',
postfix::map { 'sender_canonical': 'content' => template('profiles/postfix/gateway/recipient_canonical.erb')
ensure => present, },
type => 'hash', 'sender_canonical' => {
source => 'puppet:///modules/profiles/postfix/gateway/sender_canonical' 'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_canonical.erb')
},
'smtp_tls_policy_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
},
} }
postfix::transport { # Merge base configs with postscreen configs
'main.unkin.net': $all_configs = $base_configs + $postscreen_configs
ensure => present,
destination => 'relay', class { 'postfix':
nexthop => 'ausyd1nxvm2120.main.unkin.net:25'; master_smtp => $master_smtp,
} master_entries => $master_entries,
postfix::virtual { alias_maps => $alias_maps_string,
'root': configs => $all_configs,
ensure => present, maps => $postfix_maps,
destination => 'ben@main.unkin.net';
'postmaster':
ensure => present,
destination => 'ben@main.unkin.net';
'abuse':
ensure => present,
destination => 'ben@main.unkin.net';
} }
} }
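Review bot: The new default for `Array[String] $smtpd_recipient_restrictions` drops `check_policy_service inet:127.0.0.1:2501`, which the removed inline `join([...])` list carried between `check_recipient_access` and `reject_unverified_recipient`; the commit message does not mention this, so the policy daemon on port 2501 silently stops being consulted on the new side. If that service is still deployed, restore `'check_policy_service inet:127.0.0.1:2501',` at the same position in the default array (or in the hiera override), since Postfix evaluates restrictions in list order. The newly typed `Stdlib::Absolutepath $tls_key_file` keeps the same default path as `$tls_cert_file`; that is only correct if `certificate.pem` bundles the private key, so it is worth confirming against the vault PKI profile. The class now exposes a dozen parameters but has no puppet-strings header; a `# @param` line per parameter, noting in particular that each `*_maps` hash is written verbatim as `key value` lines into the corresponding Postfix table, would help anyone setting them from hiera.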


@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on HELO/EHLO hostnames to block spam patterns
# HELO/EHLO access controls
# Format: pattern action
# Example: .dynamic.example.com REJECT
# Example: localhost REJECT You are not localhost
<% @helo_access_maps.each do |pattern, action| -%>
<%= pattern %> <%= action %>
<% end -%>
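Review bot: The `<%= pattern %> <%= action %>` line writes both halves of each hash entry verbatim, so a key or value that contains whitespace or a newline (a plausible hiera typo) silently turns into a different lookup key or an extra map line; the same applies to the recipient_access, recipient_canonical, relay_domains, relay_recipients, sender_access, sender_canonical and smtp_tls_policy_maps templates added in this commit. A cheap guard is to tighten the parameter types in the class, e.g. `Hash[Pattern[/\A\S+\z/], String] $helo_access_maps = {},`, which rejects whitespace-containing keys at catalog compile time instead of producing a subtly wrong Postfix table. The header could also state where the data comes from, e.g. `# Generated from the profiles::postfix::gateway::helo_access_maps parameter`, since the existing managed-by-Puppet line says not to edit the file but not what to edit instead.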


@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls which IP addresses/networks are allowed through postscreen
# Postscreen access controls (CIDR format)
# Format: network/mask action
# Example: 192.168.1.0/24 permit
<% @postscreen_access_maps.each do |network, action| -%>
<%= network %> <%= action %>
<% end -%>
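Review bot: Postfix evaluates a `cidr:` table top-down and the first matching line wins, so unlike the `hash:` tables the order of lines this template emits matters; it follows the iteration order of `@postscreen_access_maps`, which depends on the hiera key order and, once a deep merge is configured, on how the merged hash is assembled. A header comment such as `# Entries are emitted in hash order; cidr lookups use the first matching line, so list specific /32 entries before broader networks.` would warn anyone adding overlapping networks in hiera. If ordering across hiera levels turns out to be unreliable, the template could sort entries by prefix length before emitting them, but that should be a deliberate choice documented in the same header.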


@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on recipient email addresses or domains
# Recipient access controls
# Format: recipient_pattern action
# Example: @example.com OK
# Example: admin@foo.net REJECT
<% @recipient_access_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>


@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites recipient addresses before delivery (address normalization)
# Recipient canonical address mapping
# Format: original_address canonical_address
# Example: user@olddomain.com user@example.com
<% @recipient_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>


@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which domains are allowed for mail relaying
# Relay domains control
# Format: domain action
# Example: example.com OK
<% @relay_domains_maps.each do |domain, action| -%>
<%= domain %> <%= action %>
<% end -%>


@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which recipient addresses are allowed for mail relaying
# Relay recipients control
# Format: recipient_pattern action
# Example: @example.com OK
<% @relay_recipients_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>


@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on sender email addresses or domains
# Sender access controls
# Format: sender_pattern action
# Example: spammer@foo.net REJECT
# Example: @badspammer.com REJECT
<% @sender_access_maps.each do |sender, action| -%>
<%= sender %> <%= action %>
<% end -%>


@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites sender addresses before sending (address masquerading)
# Sender canonical address mapping
# Format: original_address canonical_address
# Example: user@internal.local user@example.com
<% @sender_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>


@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Enforces TLS security policies for outbound mail per destination domain
# SMTP TLS policy map for outbound connections
# Format: destination policy
# Example: gmail.com encrypt
# Example: secure-bank.example.com secure
<% @smtp_tls_policy_maps.each do |destination, policy| -%>
<%= destination %> <%= policy %>
<% end -%>