diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 3863f91..7ca2200 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -158,6 +158,15 @@ lookup_options: rke2::config_hash: merge: strategy: deep + postfix::configs: + merge: + strategy: deep + postfix::maps: + merge: + strategy: deep + postfix::virtuals: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/roles/infra/mail/gateway.yaml b/hieradata/roles/infra/mail/gateway.yaml index f3069bd..ec651a6 100644 --- a/hieradata/roles/infra/mail/gateway.yaml +++ b/hieradata/roles/infra/mail/gateway.yaml 
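Review bot: `postfix::transports` is the one postfix hash the new gateway role data sets that gets no merge strategy here, while `postfix::configs`, `postfix::maps` and `postfix::virtuals` all get `deep`. With Hiera's default first-found lookup, a `postfix::transports` key at any higher-priority level would replace the role's `main.unkin.net` relay entry outright instead of merging with it, a silent override that only shows up when relaying stops. Add the same stanza for it alongside the others: `postfix::transports:` / `  merge:` / `    strategy: deep` (assuming the module types that key as a Hash, which the gateway yaml suggests). The enclosing `lookup_options:` mapping starts above the hunk.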
@@ -1,5 +1,213 @@ --- +hiera_include: + - postfix + # additional altnames profiles::pki::vault::alt_names: - in-mta.main.unkin.net + +# postfix configuration +postfix::relayhost: 'direct' +postfix::myorigin: 'main.unkin.net' +postfix::mydestination: 'blank' +postfix::mynetworks: '127.0.0.0/8 [::1]/128' +postfix::alias_maps: 'hash:/etc/aliases, hash:/etc/postfix/aliases' +postfix::mta: true +postfix::manage_aliases: true +postfix::master_smtp: 'smtp inet n - n - 1 postscreen' +postfix::master_entries: + - 'smtpd pass - - n - - smtpd' + - 'dnsblog unix - - n - 0 dnsblog' + - 'tlsproxy unix - - n - 0 tlsproxy' + +# postfix main.cf configurations +postfix::configs: + alias_database: + value: 'hash:/etc/aliases, hash:/etc/postfix/aliases' + default_destination_recipient_limit: + value: '1' + disable_vrfy_command: + value: 'yes' + enable_long_queue_ids: + value: 'yes' + error_notice_recipient: + value: 'root' + header_checks: + value: 'regexp:/etc/postfix/header_checks' + local_recipient_maps: + ensure: 'blank' + local_transport: + value: 'error:No local mail delivery' + mailbox_size_limit: + value: '133169152' + message_size_limit: + value: '133169152' + myhostname: + value: 'in-mta.main.unkin.net' + non_smtpd_milters: + ensure: 'blank' + postscreen_access_list: + value: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access' + postscreen_blacklist_action: + value: 'enforce' + postscreen_cache_map: + value: 'btree:$data_directory/postscreen_cache' + postscreen_dnsbl_action: + value: 'enforce' + postscreen_dnsbl_sites: + value: 'zen.spamhaus.org*3, b.barracudacentral.org=127.0.0.[2..11]*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..3]*-6' + postscreen_dnsbl_threshold: + value: '2' + postscreen_greet_action: + value: 'enforce' + postscreen_greet_banner: + value: '$smtpd_banner' + postscreen_greet_wait: + 
value: '${stress?2}${stress:6}s' + qmqpd_authorized_clients: + value: '127.0.0.1 [::1]' + recipient_canonical_maps: + value: 'hash:/etc/postfix/recipient_canonical' + recipient_delimiter: + value: '+' + relay_domains: + value: 'hash:/etc/postfix/relay_domains' + relay_recipient_maps: + value: 'hash:/etc/postfix/relay_recipients' + sender_canonical_maps: + value: 'hash:/etc/postfix/sender_canonical' + smtp_tls_CAfile: + value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem' + smtp_tls_mandatory_protocols: + value: '!SSLv2,!SSLv3' + smtp_tls_note_starttls_offer: + value: 'yes' + smtp_tls_protocols: + value: '!SSLv2,!SSLv3' + smtp_tls_security_level: + value: 'may' + smtp_tls_session_cache_database: + value: 'btree:/var/lib/postfix/smtp_tls_session_cache' + smtp_use_tls: + value: 'yes' + smtpd_banner: + value: '$myhostname ESMTP $mail_name' + smtpd_client_restrictions: + value: 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org' + smtpd_data_restrictions: + value: 'reject_unauth_pipelining' + smtpd_delay_reject: + value: 'yes' + smtpd_discard_ehlo_keywords: + value: 'chunking, silent-discard' + smtpd_forbid_bare_newline: + value: 'yes' + smtpd_forbid_bare_newline_exclusions: + value: '$mynetworks' + smtpd_forbid_unauth_pipelining: + value: 'yes' + smtpd_helo_required: + value: 'yes' + smtpd_helo_restrictions: + value: 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname' + smtpd_milters: + value: 'inet:127.0.0.1:33333' + smtpd_recipient_restrictions: + value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_unverified_recipient' + smtpd_relay_restrictions: + value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination' + smtpd_sender_restrictions: + value: 'permit_sasl_authenticated, check_sender_access 
hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain' + smtpd_tls_CAfile: + value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem' + smtpd_tls_cert_file: + value: '/etc/pki/tls/vault/certificate.pem' + smtpd_tls_ciphers: + value: 'medium' + smtpd_tls_key_file: + value: '/etc/pki/tls/vault/certificate.pem' + smtpd_tls_loglevel: + value: '1' + smtpd_tls_mandatory_protocols: + value: '!SSLv2,!SSLv3' + smtpd_tls_protocols: + value: '!SSLv2,!SSLv3' + smtpd_tls_received_header: + value: 'yes' + smtpd_tls_security_level: + value: 'may' + smtpd_tls_session_cache_database: + value: 'btree:/var/lib/postfix/smtpd_tls_session_cache' + smtpd_tls_session_cache_timeout: + value: '3600s' + smtpd_use_tls: + value: 'yes' + tls_medium_cipherlist: + value: 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' + tls_preempt_cipherlist: + value: 'yes' + tls_random_source: + value: 'dev:/dev/urandom' + unverified_recipient_reject_code: + value: '550' + unverified_recipient_reject_reason: + value: 'No user at this address' + +# postfix maps +postfix::maps: + postscreen_access: + ensure: present + type: 'cidr' + source: 'puppet:///modules/profiles/postfix/gateway/postscreen_access' + relay_recipients: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/relay_recipients' + relay_domains: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/relay_domains' + aliases: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/aliases' + helo_access: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/helo_access' + sender_access: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/sender_access' + recipient_access: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/recipient_access' + 
recipient_canonical: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/recipient_canonical' + sender_canonical: + ensure: present + type: 'hash' + source: 'puppet:///modules/profiles/postfix/gateway/sender_canonical' + +# postfix transports +postfix::transports: + 'main.unkin.net': + ensure: present + destination: 'relay' + nexthop: 'ausyd1nxvm2120.main.unkin.net:25' + +# postfix virtuals +postfix::virtuals: + 'root': + ensure: present + destination: 'ben@main.unkin.net' + 'postmaster': + ensure: present + destination: 'ben@main.unkin.net' + 'abuse': + ensure: present + destination: 'ben@main.unkin.net' diff --git a/site/profiles/manifests/postfix/gateway.pp b/site/profiles/manifests/postfix/gateway.pp deleted file mode 100644 index 8b78be2..0000000 --- a/site/profiles/manifests/postfix/gateway.pp +++ /dev/null 
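Review bot: The TLS floor carried into `smtpd_tls_protocols`, `smtpd_tls_mandatory_protocols`, `smtp_tls_protocols` and `smtp_tls_mandatory_protocols` is `!SSLv2,!SSLv3`, which still negotiates TLS 1.0 and 1.1, and `tls_medium_cipherlist` still offers the 3DES suites (`ECDH+3DES:DH+3DES:RSA+3DES`). Because both `smtp_tls_security_level` and `smtpd_tls_security_level` are `may`, a peer that cannot reach TLS 1.2 falls back to cleartext rather than being rejected, so raising the floor should cost no deliverability and can be checked against the `smtpd_tls_loglevel: 1` logs: set `value: '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'` on the four protocol keys (or `value: '>=TLSv1.2'` if the installed Postfix is 3.6 or newer) and drop the three 3DES entries from the cipherlist. Separately, `smtpd_tls_cert_file` and `smtpd_tls_key_file` both point at `/etc/pki/tls/vault/certificate.pem`; that works for a combined PEM but puts the private key in a file named like public material, so confirm it is root-only readable and record the intent with `# combined cert+key bundle written by the vault agent; must stay root:root 0600` above `smtpd_tls_cert_file` (the deleted profile had the same two values, so this is inherited, not introduced). The outbound relay hop to `ausyd1nxvm2120.main.unkin.net:25` also runs at `may`; if that host presents a certificate from the internal CA already trusted through `smtp_tls_CAfile`, a one-entry `smtp_tls_policy_maps` pinning `main.unkin.net` to `encrypt` or `verify` would stop the internal hop from silently downgrading to plaintext.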
@@ -1,250 +0,0 @@ -class profiles::postfix::gateway ( - $tls_cert_file = '/etc/pki/tls/vault/certificate.pem', - $tls_key_file = '/etc/pki/tls/vault/certificate.pem', - $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', -) { - - $alias_maps = 'hash:/etc/aliases, hash:/etc/postfix/aliases' - - class { 'postfix': - relayhost => 'direct', - myorigin => 'main.unkin.net', - mydestination => 'blank', - mynetworks => '127.0.0.0/8 [::1]/128', - alias_maps => $alias_maps, - mta => true, - manage_aliases => true, - master_smtp => 'smtp inet n - n - 1 postscreen', - master_entries => [ - # Postscreen backend services - 'smtpd pass - - n - - smtpd', - 'dnsblog unix - - n - 0 dnsblog', - 'tlsproxy unix - - n - 0 tlsproxy', - ], - } - - postfix::config { - 'alias_database': - value => $alias_maps; - 'default_destination_recipient_limit': - value => '1'; - 'disable_vrfy_command': - value => 'yes'; - 'enable_long_queue_ids': - value => 'yes'; - 'error_notice_recipient': - value => 'root'; - 'header_checks': - value => 'regexp:/etc/postfix/header_checks'; - 'local_recipient_maps': - ensure => 'blank'; # no local mailboxes - 'local_transport': - value => 'error:No local mail delivery'; - 'mailbox_size_limit': - value => '133169152'; # ~127MB - 'message_size_limit': - value => '133169152'; # ~127MB - 'myhostname': - value => 'in-mta.main.unkin.net'; - 'non_smtpd_milters': - ensure => 'blank'; - 'postscreen_access_list': - value => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'; - 'postscreen_blacklist_action': - value => 'enforce'; - 'postscreen_cache_map': - value => 'btree:$data_directory/postscreen_cache'; - 'postscreen_dnsbl_action': - value => 'enforce'; - 'postscreen_dnsbl_sites': - value => join([ - 'zen.spamhaus.org*3', - 'b.barracudacentral.org=127.0.0.[2..11]*2', - 'bl.spameatingmonkey.net*2', - 'bl.spamcop.net', - 'dnsbl.sorbs.net', - 'swl.spamhaus.org*-4', - 'list.dnswl.org=127.[0..255].[0..255].0*-2', - 
'list.dnswl.org=127.[0..255].[0..255].1*-4', - 'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6' - ], ', '); - 'postscreen_dnsbl_threshold': - value => '2'; - 'postscreen_greet_action': - value => 'enforce'; - 'postscreen_greet_banner': - value => '$smtpd_banner'; - 'postscreen_greet_wait': - value => "\${stress?2}\${stress:6}s"; - 'qmqpd_authorized_clients': - value => '127.0.0.1 [::1]'; - 'recipient_canonical_maps': - value => 'hash:/etc/postfix/recipient_canonical'; - 'recipient_delimiter': - value => '+'; - 'relay_domains': - value => 'hash:/etc/postfix/relay_domains'; - 'relay_recipient_maps': - value => 'hash:/etc/postfix/relay_recipients'; - 'sender_canonical_maps': - value => 'hash:/etc/postfix/sender_canonical'; - 'smtp_tls_CAfile': - value => $tls_ca_file; - 'smtp_tls_mandatory_protocols': - value => '!SSLv2,!SSLv3'; - 'smtp_tls_note_starttls_offer': - value => 'yes'; - 'smtp_tls_protocols': - value => '!SSLv2,!SSLv3'; - 'smtp_tls_security_level': - value => 'may'; - 'smtp_tls_session_cache_database': - value => 'btree:/var/lib/postfix/smtp_tls_session_cache'; - 'smtp_use_tls': - value => 'yes'; - 'smtpd_banner': - value => '$myhostname ESMTP $mail_name'; - 'smtpd_client_restrictions': - value => 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org'; - 'smtpd_data_restrictions': - value => 'reject_unauth_pipelining'; - 'smtpd_delay_reject': - value => 'yes'; - 'smtpd_discard_ehlo_keywords': - value => 'chunking, silent-discard'; - 'smtpd_forbid_bare_newline': - value => 'yes'; - 'smtpd_forbid_bare_newline_exclusions': - value => '$mynetworks'; - 'smtpd_forbid_unauth_pipelining': - value => 'yes'; - 'smtpd_helo_required': - value => 'yes'; - 'smtpd_helo_restrictions': - value => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'; - 'smtpd_milters': - value => 'inet:127.0.0.1:33333'; - 'smtpd_recipient_restrictions': - value => join([ - 'permit_sasl_authenticated', - 'permit_mynetworks', - 
'reject_unauth_destination', - 'reject_non_fqdn_recipient', - 'reject_unknown_recipient_domain', - 'check_recipient_access hash:/etc/postfix/recipient_access', - 'check_policy_service inet:127.0.0.1:2501', - 'reject_unverified_recipient' - ], ', '); - 'smtpd_relay_restrictions': - value => 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'; - 'smtpd_sender_restrictions': - value => join([ - 'permit_sasl_authenticated', - 'check_sender_access hash:/etc/postfix/sender_access', - 'reject_non_fqdn_sender', - 'reject_unknown_sender_domain' - ], ', '); - 'smtpd_tls_CAfile': - value => $tls_ca_file; - 'smtpd_tls_cert_file': - value => $tls_cert_file; - 'smtpd_tls_ciphers': - value => 'medium'; - 'smtpd_tls_key_file': - value => $tls_key_file; - 'smtpd_tls_loglevel': - value => '1'; - 'smtpd_tls_mandatory_protocols': - value => '!SSLv2,!SSLv3'; - 'smtpd_tls_protocols': - value => '!SSLv2,!SSLv3'; - 'smtpd_tls_received_header': - value => 'yes'; - 'smtpd_tls_security_level': - value => 'may'; - 'smtpd_tls_session_cache_database': - value => 'btree:/var/lib/postfix/smtpd_tls_session_cache'; - 'smtpd_tls_session_cache_timeout': - value => '3600s'; - 'smtpd_use_tls': - value => 'yes'; - 'tls_medium_cipherlist': - value => join([ - 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES', - 'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' - ], ':'); - 'tls_preempt_cipherlist': - value => 'yes'; - 'tls_random_source': - value => 'dev:/dev/urandom'; - 'unverified_recipient_reject_code': - value => '550'; - 'unverified_recipient_reject_reason': - value => 'No user at this address'; - } - - postfix::map { 'postscreen_access': - ensure => present, - type => 'cidr', - source => 'puppet:///modules/profiles/postfix/gateway/postscreen_access' - } - postfix::map { 'relay_recipients': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/relay_recipients' - } - postfix::map { 'relay_domains': - ensure => 
present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/relay_domains' - } - postfix::map { 'aliases': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/aliases' - } - postfix::map { 'helo_access': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/helo_access' - } - postfix::map { 'sender_access': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/sender_access' - } - postfix::map { 'recipient_access': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/recipient_access' - } - postfix::map { 'recipient_canonical': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/recipient_canonical' - } - postfix::map { 'sender_canonical': - ensure => present, - type => 'hash', - source => 'puppet:///modules/profiles/postfix/gateway/sender_canonical' - } - - postfix::transport { - 'main.unkin.net': - ensure => present, - destination => 'relay', - nexthop => 'ausyd1nxvm2120.main.unkin.net:25'; - } - postfix::virtual { - 'root': - ensure => present, - destination => 'ben@main.unkin.net'; - 'postmaster': - ensure => present, - destination => 'ben@main.unkin.net'; - 'abuse': - ensure => present, - destination => 'ben@main.unkin.net'; - } - -} diff --git a/site/roles/manifests/infra/mail/gateway.pp b/site/roles/manifests/infra/mail/gateway.pp index e046920..a2bd0b8 100644 --- a/site/roles/manifests/infra/mail/gateway.pp +++ b/site/roles/manifests/infra/mail/gateway.pp @@ -6,6 +6,5 @@ class roles::infra::mail::gateway { }else{ include profiles::defaults include profiles::base - include profiles::postfix::gateway } }