refactor: recreate profiles::postfix::gateway with parameterization and templates

- refactor profiles::postfix::gateway as parameterized class
- move base postfix parameters, transports, and virtuals to hiera for flexibility
- convert SMTP restrictions to arrays for better readability using join()
- add postscreen enable/disable boolean with conditional master.cf configuration
- add per-domain TLS policy maps (smtp_tls_policy_maps)
- convert alias_maps to array parameter for flexibility
- convert all postfix map files to ERB templates with parameter hashes
- add map parameters: sender_canonical_maps, sender_access_maps, relay_recipients_maps,
  relay_domains_maps, recipient_canonical_maps, recipient_access_maps, postscreen_access_maps, helo_access_maps
- move default map data to hiera while keeping parameters as empty hashes by default

This approach balances flexibility with data-driven configuration, allowing
easy customization through parameters while keeping transport/virtual maps
and default map data in hiera for role-specific overrides.

hieradata/common.yaml

@@ -158,6 +158,15 @@ lookup_options:
   rke2::config_hash:
     merge:
       strategy: deep
+  postfix::configs:
+    merge:
+      strategy: deep
+  postfix::maps:
+    merge:
+      strategy: deep
+  postfix::virtuals:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 

hieradata/roles/infra/mail/gateway.yaml

@@ -3,3 +3,50 @@
 # additional altnames
 profiles::pki::vault::alt_names:
   - in-mta.main.unkin.net
+
+# base postfix configuration (passed to postfix class)
+postfix::relayhost: 'direct'
+postfix::myorigin: 'main.unkin.net'
+postfix::mydestination: 'blank'
+postfix::mynetworks: '127.0.0.0/8 [::1]/128'
+postfix::mta: true
+postfix::manage_aliases: true
+
+# profile parameters for customization
+profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'
+
+# postfix map content (templates)
+profiles::postfix::gateway::relay_recipients_maps:
+  '@main.unkin.net': 'OK'
+
+profiles::postfix::gateway::relay_domains_maps:
+  'main.unkin.net': 'OK'
+
+profiles::postfix::gateway::postscreen_access_maps:
+  '127.0.0.1/32': 'permit'
+  '10.10.12.200/32': 'permit'
+
+profiles::postfix::gateway::helo_access_maps:
+  '.dynamic.': 'REJECT'
+  '.dialup.': 'REJECT'
+  'unknown': 'REJECT'
+  'localhost': 'REJECT You are not localhost'
+
+# postfix transports
+postfix::transports:
+  'main.unkin.net':
+    ensure: present
+    destination: 'relay'
+    nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
+
+# postfix virtuals
+postfix::virtuals:
+  'root':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'postmaster':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'abuse':
+    ensure: present
+    destination: 'ben@main.unkin.net'

site/profiles/files/postfix/gateway/helo_access

@@ -1,11 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-# HELO/EHLO access controls
-# Format: pattern    action
-# Actions: REJECT, OK, WARN, etc.
-
-# Block common spam patterns
-.dynamic.           REJECT
-.dialup.            REJECT
-unknown             REJECT
-localhost           REJECT You are not localhost

site/profiles/files/postfix/gateway/postscreen_access

@@ -1,4 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-127.0.0.1/32 permit
-10.10.12.200/32 permit

site/profiles/files/postfix/gateway/recipient_access

@@ -1,9 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-# Recipient access controls
-# Format: recipient_pattern    action
-# Actions: REJECT, OK, WARN, DISCARD, etc.
-
-# Protected recipients that require special handling
-# Example entries:
-# @main.unkin.net       OK

site/profiles/files/postfix/gateway/recipient_canonical

@@ -1,8 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-# Recipient canonical address mapping
-# Format: original_address    canonical_address
-# Used to rewrite recipient addresses
-
-# Example mappings:
-# user@olddomain.com    user@main.unkin.net

site/profiles/files/postfix/gateway/relay_domains

@@ -1,3 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-main.unkin.net       OK

site/profiles/files/postfix/gateway/relay_recipients

@@ -1,3 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-@main.unkin.net       OK

site/profiles/files/postfix/gateway/sender_access

@@ -1,10 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-# Sender access controls
-# Format: sender_pattern    action
-# Actions: REJECT, OK, WARN, DISCARD, etc.
-
-# Block known spam domains
-# Example entries:
-# spammer@example.com    REJECT
-# @badspammer.com        REJECT

site/profiles/files/postfix/gateway/sender_canonical

@@ -1,8 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-
-# Sender canonical address mapping
-# Format: original_address    canonical_address
-# Used to rewrite sender addresses
-
-# Example mappings:
-# user@internal.local   user@main.unkin.net

site/profiles/manifests/postfix/gateway.pp

@@ -1,63 +1,17 @@
 class profiles::postfix::gateway (
-  $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
+  Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
-  $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
+  Stdlib::Absolutepath $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
-  $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+  Stdlib::Absolutepath $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
-) {
+  String $myhostname                  = $trusted['certname'],
-
+  String $message_size_limit          = '133169152',
-  $alias_maps = 'hash:/etc/aliases, hash:/etc/postfix/aliases'
+  String $mailbox_size_limit          = '133169152',
-
+  String $local_transport             = 'error:No local mail delivery',
-  class { 'postfix':
+  Boolean $enable_postscreen          = true,
-    relayhost      => 'direct',
+  Array[String] $alias_maps           = [
-    myorigin       => 'main.unkin.net',
+    'hash:/etc/aliases',
-    mydestination  => 'blank',
+    'hash:/etc/postfix/aliases',
-    mynetworks     => '127.0.0.0/8 [::1]/128',
-    alias_maps     => $alias_maps,
-    mta            => true,
-    manage_aliases => true,
-    master_smtp    => 'smtp      inet  n       -       n       -       1       postscreen',
-    master_entries => [
-      # Postscreen backend services
-      'smtpd     pass  -       -       n       -       -       smtpd',
-      'dnsblog   unix  -       -       n       -       0       dnsblog',
-      'tlsproxy  unix  -       -       n       -       0       tlsproxy',
   ],
-  }
+  Array[String] $postscreen_dnsbl_sites = [
-
-  postfix::config {
-    'alias_database':
-      value => $alias_maps;
-    'default_destination_recipient_limit':
-      value => '1';
-    'disable_vrfy_command':
-      value => 'yes';
-    'enable_long_queue_ids':
-      value => 'yes';
-    'error_notice_recipient':
-      value => 'root';
-    'header_checks':
-      value => 'regexp:/etc/postfix/header_checks';
-    'local_recipient_maps':
-      ensure => 'blank';      # no local mailboxes
-    'local_transport':
-      value => 'error:No local mail delivery';
-    'mailbox_size_limit':
-      value => '133169152';   # ~127MB
-    'message_size_limit':
-      value => '133169152';   # ~127MB
-    'myhostname':
-      value => 'in-mta.main.unkin.net';
-    'non_smtpd_milters':
-      ensure => 'blank';
-    'postscreen_access_list':
-      value => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access';
-    'postscreen_blacklist_action':
-      value => 'enforce';
-    'postscreen_cache_map':
-      value => 'btree:$data_directory/postscreen_cache';
-    'postscreen_dnsbl_action':
-      value => 'enforce';
-    'postscreen_dnsbl_sites':
-      value => join([
     'zen.spamhaus.org*3',
     'b.barracudacentral.org=127.0.0.[2..11]*2',
     'bl.spameatingmonkey.net*2',
@@ -66,185 +20,330 @@ class profiles::postfix::gateway (
     'swl.spamhaus.org*-4',
     'list.dnswl.org=127.[0..255].[0..255].0*-2',
     'list.dnswl.org=127.[0..255].[0..255].1*-4',
-        'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6'
+    'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6',
-      ], ', ');
+  ],
-    'postscreen_dnsbl_threshold':
+  Array[String] $smtpd_client_restrictions = [
-      value => '2';
+    'permit_sasl_authenticated',
-    'postscreen_greet_action':
+    'permit_mynetworks',
-      value => 'enforce';
+    'reject_rbl_client zen.spamhaus.org',
-    'postscreen_greet_banner':
+  ],
-      value => '$smtpd_banner';
+  Array[String] $smtpd_sender_restrictions = [
-    'postscreen_greet_wait':
+    'permit_sasl_authenticated',
-      value => "\${stress?2}\${stress:6}s";
+    'check_sender_access hash:/etc/postfix/sender_access',
-    'qmqpd_authorized_clients':
+    'reject_non_fqdn_sender',
-      value => '127.0.0.1 [::1]';
+    'reject_unknown_sender_domain',
-    'recipient_canonical_maps':
+  ],
-      value => 'hash:/etc/postfix/recipient_canonical';
+  Array[String] $smtpd_recipient_restrictions = [
-    'recipient_delimiter':
-      value => '+';
-    'relay_domains':
-      value => 'hash:/etc/postfix/relay_domains';
-    'relay_recipient_maps':
-      value => 'hash:/etc/postfix/relay_recipients';
-    'sender_canonical_maps':
-      value => 'hash:/etc/postfix/sender_canonical';
-    'smtp_tls_CAfile':
-      value => $tls_ca_file;
-    'smtp_tls_mandatory_protocols':
-      value => '!SSLv2,!SSLv3';
-    'smtp_tls_note_starttls_offer':
-      value => 'yes';
-    'smtp_tls_protocols':
-      value => '!SSLv2,!SSLv3';
-    'smtp_tls_security_level':
-      value => 'may';
-    'smtp_tls_session_cache_database':
-      value => 'btree:/var/lib/postfix/smtp_tls_session_cache';
-    'smtp_use_tls':
-      value => 'yes';
-    'smtpd_banner':
-      value => '$myhostname ESMTP $mail_name';
-    'smtpd_client_restrictions':
-      value => 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org';
-    'smtpd_data_restrictions':
-      value => 'reject_unauth_pipelining';
-    'smtpd_delay_reject':
-      value => 'yes';
-    'smtpd_discard_ehlo_keywords':
-      value => 'chunking, silent-discard';
-    'smtpd_forbid_bare_newline':
-      value => 'yes';
-    'smtpd_forbid_bare_newline_exclusions':
-      value => '$mynetworks';
-    'smtpd_forbid_unauth_pipelining':
-      value => 'yes';
-    'smtpd_helo_required':
-      value => 'yes';
-    'smtpd_helo_restrictions':
-      value => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname';
-    'smtpd_milters':
-      value => 'inet:127.0.0.1:33333';
-    'smtpd_recipient_restrictions':
-      value => join([
     'permit_sasl_authenticated',
     'permit_mynetworks',
     'reject_unauth_destination',
     'reject_non_fqdn_recipient',
     'reject_unknown_recipient_domain',
     'check_recipient_access hash:/etc/postfix/recipient_access',
-        'check_policy_service inet:127.0.0.1:2501',
+    'reject_unverified_recipient',
-        'reject_unverified_recipient'
+  ],
-      ], ', ');
+  Array[String] $smtpd_relay_restrictions = [
-    'smtpd_relay_restrictions':
-      value => 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination';
-    'smtpd_sender_restrictions':
-      value => join([
     'permit_sasl_authenticated',
-        'check_sender_access hash:/etc/postfix/sender_access',
+    'permit_mynetworks',
-        'reject_non_fqdn_sender',
+    'reject_unauth_destination',
-        'reject_unknown_sender_domain'
+  ],
-      ], ', ');
+  Hash[String, String] $smtp_tls_policy_maps = {},
-    'smtpd_tls_CAfile':
+  Hash[String, String] $sender_canonical_maps = {},
-      value => $tls_ca_file;
+  Hash[String, String] $sender_access_maps = {},
-    'smtpd_tls_cert_file':
+  Hash[String, String] $relay_recipients_maps = {},
-      value => $tls_cert_file;
+  Hash[String, String] $relay_domains_maps = {},
-    'smtpd_tls_ciphers':
+  Hash[String, String] $recipient_canonical_maps = {},
-      value => 'medium';
+  Hash[String, String] $recipient_access_maps = {},
-    'smtpd_tls_key_file':
+  Hash[String, String] $postscreen_access_maps = {},
-      value => $tls_key_file;
+  Hash[String, String] $helo_access_maps = {},
-    'smtpd_tls_loglevel':
+) {
-      value => '1';
+
-    'smtpd_tls_mandatory_protocols':
+  $alias_maps_string = join($alias_maps, ', ')
-      value => '!SSLv2,!SSLv3';
+
-    'smtpd_tls_protocols':
+  # Set master.cf configuration based on postscreen setting
-      value => '!SSLv2,!SSLv3';
+  if $enable_postscreen {
-    'smtpd_tls_received_header':
+    $master_smtp = 'smtp      inet  n       -       n       -       1       postscreen'
-      value => 'yes';
+    $master_entries = [
-    'smtpd_tls_security_level':
+      'smtpd     pass  -       -       n       -       -       smtpd',
-      value => 'may';
+      'dnsblog   unix  -       -       n       -       0       dnsblog',
-    'smtpd_tls_session_cache_database':
+      'tlsproxy  unix  -       -       n       -       0       tlsproxy',
-      value => 'btree:/var/lib/postfix/smtpd_tls_session_cache';
+    ]
-    'smtpd_tls_session_cache_timeout':
+    $postscreen_configs = {
-      value => '3600s';
+      'postscreen_access_list' => {
-    'smtpd_use_tls':
+        'value' => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
-      value => 'yes';
+      },
-    'tls_medium_cipherlist':
+      'postscreen_blacklist_action' => {
-      value => join([
+        'value' => 'enforce'
+      },
+      'postscreen_cache_map' => {
+        'value' => 'btree:$data_directory/postscreen_cache'
+      },
+      'postscreen_dnsbl_action' => {
+        'value' => 'enforce'
+      },
+      'postscreen_dnsbl_sites' => {
+        'value' => join($postscreen_dnsbl_sites, ', ')
+      },
+      'postscreen_dnsbl_threshold' => {
+        'value' => '2'
+      },
+      'postscreen_greet_action' => {
+        'value' => 'enforce'
+      },
+      'postscreen_greet_banner' => {
+        'value' => '$smtpd_banner'
+      },
+      'postscreen_greet_wait' => {
+        'value' => "\${stress?2}\${stress:6}s"
+      },
+    }
+  } else {
+    $master_smtp = undef
+    $master_entries = []
+    $postscreen_configs = {}
+  }
+
+  # Base postfix configuration
+  $base_configs = {
+    'alias_database' => {
+      'value' => $alias_maps_string
+    },
+    'default_destination_recipient_limit' => {
+      'value' => '1'
+    },
+    'disable_vrfy_command' => {
+      'value' => 'yes'
+    },
+    'enable_long_queue_ids' => {
+      'value' => 'yes'
+    },
+    'error_notice_recipient' => {
+      'value' => 'root'
+    },
+    'header_checks' => {
+      'value' => 'regexp:/etc/postfix/header_checks'
+    },
+    'local_recipient_maps' => {
+      'ensure' => 'blank'
+    },
+    'local_transport' => {
+      'value' => $local_transport
+    },
+    'mailbox_size_limit' => {
+      'value' => $mailbox_size_limit
+    },
+    'message_size_limit' => {
+      'value' => $message_size_limit
+    },
+    'myhostname' => {
+      'value' => $myhostname
+    },
+    'non_smtpd_milters' => {
+      'ensure' => 'blank'
+    },
+    'qmqpd_authorized_clients' => {
+      'value' => '127.0.0.1 [::1]'
+    },
+    'recipient_canonical_maps' => {
+      'value' => 'hash:/etc/postfix/recipient_canonical'
+    },
+    'recipient_delimiter' => {
+      'value' => '+'
+    },
+    'relay_domains' => {
+      'value' => 'hash:/etc/postfix/relay_domains'
+    },
+    'relay_recipient_maps' => {
+      'value' => 'hash:/etc/postfix/relay_recipients'
+    },
+    'sender_canonical_maps' => {
+      'value' => 'hash:/etc/postfix/sender_canonical'
+    },
+    'smtp_tls_CAfile' => {
+      'value' => $tls_ca_file
+    },
+    'smtp_tls_mandatory_protocols' => {
+      'value' => '!SSLv2,!SSLv3'
+    },
+    'smtp_tls_note_starttls_offer' => {
+      'value' => 'yes'
+    },
+    'smtp_tls_protocols' => {
+      'value' => '!SSLv2,!SSLv3'
+    },
+    'smtp_tls_security_level' => {
+      'value' => 'may'
+    },
+    'smtp_tls_session_cache_database' => {
+      'value' => 'btree:/var/lib/postfix/smtp_tls_session_cache'
+    },
+    'smtp_use_tls' => {
+      'value' => 'yes'
+    },
+    'smtpd_banner' => {
+      'value' => '$myhostname ESMTP $mail_name'
+    },
+    'smtpd_client_restrictions' => {
+      'value' => join($smtpd_client_restrictions, ', ')
+    },
+    'smtpd_data_restrictions' => {
+      'value' => 'reject_unauth_pipelining'
+    },
+    'smtpd_delay_reject' => {
+      'value' => 'yes'
+    },
+    'smtpd_discard_ehlo_keywords' => {
+      'value' => 'chunking, silent-discard'
+    },
+    'smtpd_forbid_bare_newline' => {
+      'value' => 'yes'
+    },
+    'smtpd_forbid_bare_newline_exclusions' => {
+      'value' => '$mynetworks'
+    },
+    'smtpd_forbid_unauth_pipelining' => {
+      'value' => 'yes'
+    },
+    'smtpd_helo_required' => {
+      'value' => 'yes'
+    },
+    'smtpd_helo_restrictions' => {
+      'value' => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
+    },
+    'smtpd_milters' => {
+      'value' => 'inet:127.0.0.1:33333'
+    },
+    'smtpd_recipient_restrictions' => {
+      'value' => join($smtpd_recipient_restrictions, ', ')
+    },
+    'smtpd_relay_restrictions' => {
+      'value' => join($smtpd_relay_restrictions, ', ')
+    },
+    'smtpd_sender_restrictions' => {
+      'value' => join($smtpd_sender_restrictions, ', ')
+    },
+    'smtpd_tls_CAfile' => {
+      'value' => $tls_ca_file
+    },
+    'smtpd_tls_cert_file' => {
+      'value' => $tls_cert_file
+    },
+    'smtpd_tls_ciphers' => {
+      'value' => 'medium'
+    },
+    'smtpd_tls_key_file' => {
+      'value' => $tls_key_file
+    },
+    'smtpd_tls_loglevel' => {
+      'value' => '1'
+    },
+    'smtpd_tls_mandatory_protocols' => {
+      'value' => '!SSLv2,!SSLv3'
+    },
+    'smtpd_tls_protocols' => {
+      'value' => '!SSLv2,!SSLv3'
+    },
+    'smtpd_tls_received_header' => {
+      'value' => 'yes'
+    },
+    'smtpd_tls_security_level' => {
+      'value' => 'may'
+    },
+    'smtpd_tls_session_cache_database' => {
+      'value' => 'btree:/var/lib/postfix/smtpd_tls_session_cache'
+    },
+    'smtpd_tls_session_cache_timeout' => {
+      'value' => '3600s'
+    },
+    'smtpd_use_tls' => {
+      'value' => 'yes'
+    },
+    'tls_medium_cipherlist' => {
+      'value' => join([
         'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES',
         'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
-      ], ':');
+      ], ':')
-    'tls_preempt_cipherlist':
+    },
-      value => 'yes';
+    'tls_preempt_cipherlist' => {
-    'tls_random_source':
+      'value' => 'yes'
-      value => 'dev:/dev/urandom';
+    },
-    'unverified_recipient_reject_code':
+    'tls_random_source' => {
-      value => '550';
+      'value' => 'dev:/dev/urandom'
-    'unverified_recipient_reject_reason':
+    },
-      value => 'No user at this address';
+    'unverified_recipient_reject_code' => {
+      'value' => '550'
+    },
+    'unverified_recipient_reject_reason' => {
+      'value' => 'No user at this address'
+    },
+    'smtp_tls_policy_maps' => {
+      'value' => 'hash:/etc/postfix/smtp_tls_policy_maps'
+    },
   }
 
-  postfix::map { 'postscreen_access':
+  # Postfix maps (all using templates now)
-    ensure => present,
+  $postfix_maps = {
-    type   => 'cidr',
+    'postscreen_access' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/postscreen_access'
+      'ensure'  => 'present',
-  }
+      'type'    => 'cidr',
-  postfix::map { 'relay_recipients':
+      'content' => template('profiles/postfix/gateway/postscreen_access.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'relay_recipients' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/relay_recipients'
+      'ensure'  => 'present',
-  }
+      'type'    => 'hash',
-  postfix::map { 'relay_domains':
+      'content' => template('profiles/postfix/gateway/relay_recipients.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'relay_domains' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/relay_domains'
+      'ensure'  => 'present',
-  }
+      'type'    => 'hash',
-  postfix::map { 'aliases':
+      'content' => template('profiles/postfix/gateway/relay_domains.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'aliases' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/aliases'
+      'ensure' => 'present',
-  }
+      'type'   => 'hash',
-  postfix::map { 'helo_access':
+      'source' => 'puppet:///modules/profiles/postfix/gateway/aliases'
-    ensure => present,
+    },
-    type   => 'hash',
+    'helo_access' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/helo_access'
+      'ensure'  => 'present',
-  }
+      'type'    => 'hash',
-  postfix::map { 'sender_access':
+      'content' => template('profiles/postfix/gateway/helo_access.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'sender_access' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/sender_access'
+      'ensure'  => 'present',
-  }
+      'type'    => 'hash',
-  postfix::map { 'recipient_access':
+      'content' => template('profiles/postfix/gateway/sender_access.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'recipient_access' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/recipient_access'
+      'ensure'  => 'present',
-  }
+      'type'    => 'hash',
-  postfix::map { 'recipient_canonical':
+      'content' => template('profiles/postfix/gateway/recipient_access.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'recipient_canonical' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/recipient_canonical'
+      'ensure'  => 'present',
-  }
+      'type'    => 'hash',
-  postfix::map { 'sender_canonical':
+      'content' => template('profiles/postfix/gateway/recipient_canonical.erb')
-    ensure => present,
+    },
-    type   => 'hash',
+    'sender_canonical' => {
-    source => 'puppet:///modules/profiles/postfix/gateway/sender_canonical'
+      'ensure'  => 'present',
+      'type'    => 'hash',
+      'content' => template('profiles/postfix/gateway/sender_canonical.erb')
+    },
+    'smtp_tls_policy_maps' => {
+      'ensure'  => 'present',
+      'type'    => 'hash',
+      'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
+    },
   }
 
-  postfix::transport {
+  # Merge base configs with postscreen configs
-    'main.unkin.net':
+  $all_configs = $base_configs + $postscreen_configs
-      ensure      => present,
+
-      destination => 'relay',
+  class { 'postfix':
-      nexthop     => 'ausyd1nxvm2120.main.unkin.net:25';
+    master_smtp    => $master_smtp,
-  }
+    master_entries => $master_entries,
-  postfix::virtual {
+    alias_maps     => $alias_maps_string,
-    'root':
+    configs        => $all_configs,
-      ensure      => present,
+    maps           => $postfix_maps,
-      destination => 'ben@main.unkin.net';
-    'postmaster':
-      ensure      => present,
-      destination => 'ben@main.unkin.net';
-    'abuse':
-      ensure      => present,
-      destination => 'ben@main.unkin.net';
   }
 
 }

site/profiles/templates/postfix/gateway/helo_access.erb

@@ -0,0 +1,11 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Controls access based on HELO/EHLO hostnames to block spam patterns
+# HELO/EHLO access controls
+# Format: pattern    action
+# Example: .dynamic.example.com    REJECT
+# Example: localhost    REJECT You are not localhost
+
+<% @helo_access_maps.each do |pattern, action| -%>
+<%= pattern %>             <%= action %>
+<% end -%>

site/profiles/templates/postfix/gateway/postscreen_access.erb

@@ -0,0 +1,10 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Controls which IP addresses/networks are allowed through postscreen
+# Postscreen access controls (CIDR format)
+# Format: network/mask    action
+# Example: 192.168.1.0/24    permit
+
+<% @postscreen_access_maps.each do |network, action| -%>
+<%= network %> <%= action %>
+<% end -%>

site/profiles/templates/postfix/gateway/recipient_access.erb

@@ -0,0 +1,11 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Controls access based on recipient email addresses or domains
+# Recipient access controls
+# Format: recipient_pattern    action
+# Example: @example.com    OK
+# Example: admin@foo.net    REJECT
+
+<% @recipient_access_maps.each do |recipient, action| -%>
+<%= recipient %>    <%= action %>
+<% end -%>

site/profiles/templates/postfix/gateway/recipient_canonical.erb

@@ -0,0 +1,10 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Rewrites recipient addresses before delivery (address normalization)
+# Recipient canonical address mapping
+# Format: original_address    canonical_address
+# Example: user@olddomain.com    user@example.com
+
+<% @recipient_canonical_maps.each do |original, canonical| -%>
+<%= original %>    <%= canonical %>
+<% end -%>

site/profiles/templates/postfix/gateway/relay_domains.erb

@@ -0,0 +1,10 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Defines which domains are allowed for mail relaying
+# Relay domains control
+# Format: domain    action
+# Example: example.com    OK
+
+<% @relay_domains_maps.each do |domain, action| -%>
+<%= domain %>       <%= action %>
+<% end -%>

site/profiles/templates/postfix/gateway/relay_recipients.erb

@@ -0,0 +1,10 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Defines which recipient addresses are allowed for mail relaying
+# Relay recipients control
+# Format: recipient_pattern    action
+# Example: @example.com    OK
+
+<% @relay_recipients_maps.each do |recipient, action| -%>
+<%= recipient %>       <%= action %>
+<% end -%>

site/profiles/templates/postfix/gateway/sender_access.erb

@@ -0,0 +1,11 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Controls access based on sender email addresses or domains
+# Sender access controls
+# Format: sender_pattern    action
+# Example: spammer@foo.net    REJECT
+# Example: @badspammer.com   REJECT
+
+<% @sender_access_maps.each do |sender, action| -%>
+<%= sender %>    <%= action %>
+<% end -%>

site/profiles/templates/postfix/gateway/sender_canonical.erb

@@ -0,0 +1,10 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Rewrites sender addresses before sending (address masquerading)
+# Sender canonical address mapping
+# Format: original_address    canonical_address
+# Example: user@internal.local    user@example.com
+
+<% @sender_canonical_maps.each do |original, canonical| -%>
+<%= original %>    <%= canonical %>
+<% end -%>

site/profiles/templates/postfix/gateway/smtp_tls_policy_maps.erb

@@ -0,0 +1,11 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Enforces TLS security policies for outbound mail per destination domain
+# SMTP TLS policy map for outbound connections
+# Format: destination    policy
+# Example: gmail.com    encrypt
+# Example: secure-bank.example.com    secure
+
+<% @smtp_tls_policy_maps.each do |destination, policy| -%>
+<%= destination %>    <%= policy %>
+<% end -%>