class profiles::postfix::gateway ( $tls_cert_file = '/etc/pki/tls/vault/certificate.pem', $tls_key_file = '/etc/pki/tls/vault/certificate.pem', $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', ) { $alias_maps = 'hash:/etc/aliases, hash:/etc/postfix/aliases' class { 'postfix': relayhost => 'direct', myorigin => 'main.unkin.net', mydestination => 'blank', mynetworks => '127.0.0.0/8 [::1]/128', alias_maps => $alias_maps, mta => true, manage_aliases => true, master_smtp => 'smtp inet n - n - 1 postscreen', master_entries => [ # Postscreen backend services 'smtpd pass - - n - - smtpd', 'dnsblog unix - - n - 0 dnsblog', 'tlsproxy unix - - n - 0 tlsproxy', ], } postfix::config { 'alias_database': value => $alias_maps; 'default_destination_recipient_limit': value => '1'; 'disable_vrfy_command': value => 'yes'; 'enable_long_queue_ids': value => 'yes'; 'error_notice_recipient': value => 'root'; 'header_checks': value => 'regexp:/etc/postfix/header_checks'; 'local_recipient_maps': ensure => 'blank'; # no local mailboxes 'local_transport': value => 'error:No local mail delivery'; 'mailbox_size_limit': value => '133169152'; # ~127MB 'message_size_limit': value => '133169152'; # ~127MB 'myhostname': value => 'in-mta.main.unkin.net'; 'non_smtpd_milters': ensure => 'blank'; 'postscreen_access_list': value => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'; 'postscreen_blacklist_action': value => 'enforce'; 'postscreen_cache_map': value => 'btree:$data_directory/postscreen_cache'; 'postscreen_dnsbl_action': value => 'enforce'; 'postscreen_dnsbl_sites': value => join([ 'zen.spamhaus.org*3', 'b.barracudacentral.org=127.0.0.[2..11]*2', 'bl.spameatingmonkey.net*2', 'bl.spamcop.net', 'dnsbl.sorbs.net', 'swl.spamhaus.org*-4', 'list.dnswl.org=127.[0..255].[0..255].0*-2', 'list.dnswl.org=127.[0..255].[0..255].1*-4', 'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6' ], ', '); 'postscreen_dnsbl_threshold': value => '2'; 'postscreen_greet_action': value => 'enforce'; 'postscreen_greet_banner': value => '$smtpd_banner'; 'postscreen_greet_wait': value => "\${stress?2}\${stress:6}s"; 'qmqpd_authorized_clients': value => '127.0.0.1 [::1]'; 'recipient_canonical_maps': value => 'hash:/etc/postfix/recipient_canonical'; 'recipient_delimiter': value => '+'; 'relay_domains': value => 'hash:/etc/postfix/relay_domains'; 'relay_recipient_maps': value => 'hash:/etc/postfix/relay_recipients'; 'sender_canonical_maps': value => 'hash:/etc/postfix/sender_canonical'; 'smtp_tls_CAfile': value => $tls_ca_file; 'smtp_tls_mandatory_protocols': value => '!SSLv2,!SSLv3'; 'smtp_tls_note_starttls_offer': value => 'yes'; 'smtp_tls_protocols': value => '!SSLv2,!SSLv3'; 'smtp_tls_security_level': value => 'may'; 'smtp_tls_session_cache_database': value => 'btree:/var/lib/postfix/smtp_tls_session_cache'; 'smtp_use_tls': value => 'yes'; 'smtpd_banner': value => '$myhostname ESMTP $mail_name'; 'smtpd_client_restrictions': value => 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org'; 'smtpd_data_restrictions': value => 'reject_unauth_pipelining'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_discard_ehlo_keywords': value => 'chunking, silent-discard'; 'smtpd_forbid_bare_newline': value => 'yes'; 'smtpd_forbid_bare_newline_exclusions': value => '$mynetworks'; 'smtpd_forbid_unauth_pipelining': value => 'yes'; 'smtpd_helo_required': value => 'yes'; 'smtpd_helo_restrictions': value => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'; 'smtpd_milters': value => 'inet:127.0.0.1:33333'; 'smtpd_recipient_restrictions': value => join([ 'permit_sasl_authenticated', 'permit_mynetworks', 'reject_unauth_destination', 'reject_non_fqdn_recipient', 'reject_unknown_recipient_domain', 'check_recipient_access hash:/etc/postfix/recipient_access', 'check_policy_service inet:127.0.0.1:2501', 'reject_unverified_recipient' ], ', '); 'smtpd_relay_restrictions': value => 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'; 'smtpd_sender_restrictions': value => join([ 'permit_sasl_authenticated', 'check_sender_access hash:/etc/postfix/sender_access', 'reject_non_fqdn_sender', 'reject_unknown_sender_domain' ], ', '); 'smtpd_tls_CAfile': value => $tls_ca_file; 'smtpd_tls_cert_file': value => $tls_cert_file; 'smtpd_tls_ciphers': value => 'medium'; 'smtpd_tls_key_file': value => $tls_key_file; 'smtpd_tls_loglevel': value => '1'; 'smtpd_tls_mandatory_protocols': value => '!SSLv2,!SSLv3'; 'smtpd_tls_protocols': value => '!SSLv2,!SSLv3'; 'smtpd_tls_received_header': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; 'smtpd_tls_session_cache_database': value => 'btree:/var/lib/postfix/smtpd_tls_session_cache'; 'smtpd_tls_session_cache_timeout': value => '3600s'; 'smtpd_use_tls': value => 'yes'; 'tls_medium_cipherlist': value => join([ 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES', 'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' ], ':'); 'tls_preempt_cipherlist': value => 'yes'; 'tls_random_source': value => 'dev:/dev/urandom'; 'unverified_recipient_reject_code': value => '550'; 'unverified_recipient_reject_reason': value => 'No user at this address'; } postfix::map { 'postscreen_access': ensure => present, type => 'cidr', source => 'puppet:///modules/profiles/postfix/gateway/postscreen_access' } postfix::map { 'relay_recipients': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/relay_recipients' } postfix::map { 'relay_domains': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/relay_domains' } postfix::map { 'aliases': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/aliases' } postfix::map { 'helo_access': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/helo_access' } postfix::map { 'sender_access': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/sender_access' } postfix::map { 'recipient_access': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/recipient_access' } postfix::map { 'recipient_canonical': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/recipient_canonical' } postfix::map { 'sender_canonical': ensure => present, type => 'hash', source => 'puppet:///modules/profiles/postfix/gateway/sender_canonical' } postfix::transport { 'main.unkin.net': ensure => present, destination => 'relay', nexthop => 'ausyd1nxvm2120.main.unkin.net:25'; } postfix::virtual { 'root': ensure => present, destination => 'ben@main.unkin.net'; 'postmaster': ensure => present, destination => 'ben@main.unkin.net'; 'abuse': ensure => present, destination => 'ben@main.unkin.net'; } }