From 56314de3a88a634634bf895484e28539a830ba52 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Wed, 9 Nov 2011 23:04:48 -0200
Subject: Adding exim::tls

---
 files/195_exim4_config_tls_verify            | 17 +++++++++++++++++
 files/30_exim4-config_remote_smtp_tls_verify | 15 +++++++++++++++
 manifests/init.pp                            | 20 ++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 files/195_exim4_config_tls_verify
 create mode 100644 files/30_exim4-config_remote_smtp_tls_verify

diff --git a/files/195_exim4_config_tls_verify b/files/195_exim4_config_tls_verify
new file mode 100644
index 0000000..9935b46
--- /dev/null
+++ b/files/195_exim4_config_tls_verify
@@ -0,0 +1,17 @@
+# For domains that we do not relay for, and need to verify certs.
+# Since we most probably can't have broken MX records pointing to
+# site local or link local IP addresses fixed, we ignore target
+# hosts pointing to these addresses.
+
+dnslookup_tls_verify:
+  debug_print = "R: dnslookup_tls_verify for $local_part@$domain"
+  driver = dnslookup
+  #  Do we need to verify and force TLS for this domain ?
+  domains = ! +local_domains : +tls_verify_relay_to_domains
+  transport = remote_smtp_tls_verify 
+  same_domain_copy_routing = yes
+  # ignore private rfc1918 and APIPA addresses
+  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+			255.255.255.255
+  no_more
diff --git a/files/30_exim4-config_remote_smtp_tls_verify b/files/30_exim4-config_remote_smtp_tls_verify
new file mode 100644
index 0000000..c5675d6
--- /dev/null
+++ b/files/30_exim4-config_remote_smtp_tls_verify
@@ -0,0 +1,15 @@
+# This transport is used for delivering messages over SMTP connections.
+# and forcing/verifying tls
+
+remote_smtp_tls_verify:
+  debug_print = "T: remote_smtp_tls_verify for $local_part@$domain"
+  driver = smtp
+  # Force TLS for all hosts on this transport
+  hosts_require_tls = *
+  #  Next 2 lines send our key in case server requests it
+  #  Not needed in this example
+  #  tls_certificate = /etc/exim4/exim.crt
+  #  tls_privatekey = /etc/exim4/exim.key
+  tls_verify_certificates =  ${if exists{/etc/ssl/certs/ca-certificates.crt}\
+                                    {/etc/ssl/certs/ca-certificates.crt}\
+                                    {/dev/null}}
diff --git a/manifests/init.pp b/manifests/init.pp
index 5a41e4d..d5c9d69 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -75,3 +75,23 @@ class exim::disabled inherits exim {
     ensure  => stopped,
   }
 }
+
+class exim::tls inherits exim {
+  file { "/etc/exim4/conf.d/router/195_exim4_config_tls_verify":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => "puppet:///modules/exim/195_exim4_config_tls_verify",
+    notify => Service["exim4"],
+  }
+
+  file { "/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_tls_verify":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => "puppet:///modules/exim/30_exim4-config_remote_smtp_tls_verify",
+    notify => Service["exim4"],
+  }
+}
-- 
cgit v1.2.3