diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2011-11-09 23:04:48 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2011-11-09 23:04:48 -0200 |
commit | 56314de3a88a634634bf895484e28539a830ba52 (patch) | |
tree | cf64da3515b41844e1755f4bd72262e9676be212 | |
parent | 3e4f48e157688adc050c5fe00b6491344d596097 (diff) | |
download | puppet-exim-56314de3a88a634634bf895484e28539a830ba52.tar.gz puppet-exim-56314de3a88a634634bf895484e28539a830ba52.tar.bz2 |
Adding exim::tls
-rw-r--r-- | files/195_exim4_config_tls_verify | 17 | ||||
-rw-r--r-- | files/30_exim4-config_remote_smtp_tls_verify | 15 | ||||
-rw-r--r-- | manifests/init.pp | 20 |
3 files changed, 52 insertions, 0 deletions
diff --git a/files/195_exim4_config_tls_verify b/files/195_exim4_config_tls_verify new file mode 100644 index 0000000..9935b46 --- /dev/null +++ b/files/195_exim4_config_tls_verify @@ -0,0 +1,17 @@ +# For domains that we do not relay for, and need to verify certs. +# Since we most probably can't have broken MX records pointing to +# site local or link local IP addresses fixed, we ignore target +# hosts pointing to these addresses. + +dnslookup_tls_verify: + debug_print = "R: dnslookup_tls_verify for $local_part@$domain" + driver = dnslookup + # Do we need to verify and force TLS for this domain ? + domains = ! +local_domains : +tls_verify_relay_to_domains + transport = remote_smtp_tls_verify + same_domain_copy_routing = yes + # ignore private rfc1918 and APIPA addresses + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + 255.255.255.255 + no_more diff --git a/files/30_exim4-config_remote_smtp_tls_verify b/files/30_exim4-config_remote_smtp_tls_verify new file mode 100644 index 0000000..c5675d6 --- /dev/null +++ b/files/30_exim4-config_remote_smtp_tls_verify @@ -0,0 +1,15 @@ +# This transport is used for delivering messages over SMTP connections. +# and forcing/verifying tls + +remote_smtp_tls_verify: + debug_print = "T: remote_smtp_tls_verify for $local_part@$domain" + driver = smtp + # Force TLS for all hosts on this transport + hosts_require_tls = * + # Next 2 lines send our key in case server requests it + # Not needed in this example + # tls_certificate = /etc/exim4/exim.crt + # tls_privatekey = /etc/exim4/exim.key + tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ + {/etc/ssl/certs/ca-certificates.crt}\ + {/dev/null}} diff --git a/manifests/init.pp b/manifests/init.pp index 5a41e4d..d5c9d69 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -75,3 +75,23 @@ class exim::disabled inherits exim { ensure => stopped, } } + +class exim::tls inherits exim { + file { "/etc/exim4/conf.d/router/195_exim4_config_tls_verify": + ensure => present, + owner => root, + group => root, + mode => 0644, + source => "puppet:///modules/exim/195_exim4_config_tls_verify", + notify => Service["exim4"], + } + + file { "/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_tls_verify": + ensure => present, + owner => root, + group => root, + mode => 0644, + source => "puppet:///modules/exim/30_exim4-config_remote_smtp_tls_verify", + notify => Service["exim4"], + } +} |