-rw-r--r--manifests/mail.pp38
1 files changed, 35 insertions, 3 deletions
diff --git a/manifests/mail.pp b/manifests/mail.pp
index 06d633b..54b3045 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -14,8 +14,8 @@ class nodo::mail {
ensure => installed,
}
- package { [ 'libauthen-sasl-cyrus-perl', 'libpam-mysql', 'libsasl2-modules', 'sasl2-bin',
- 'libsasl2-modules-sql', 'libgsasl7', 'libsasl2-modules-sql' ]:
+ package { [ 'libauthen-sasl-cyrus-perl', 'libpam-mysql', 'libsasl2-modules',
+ 'libsasl2-modules-sql', 'libgsasl7', 'sasl2-bin' ]:
ensure => installed,
}
@@ -32,5 +32,37 @@ class nodo::mail {
}
# Postfix configuration
- postfix::config { "myhostname": value => "$fqdn" }
+ postfix::config { "myhostname": value => "$fqdn" }
+ postfix::config { "mailbox_command": value => '/usr/bin/maildrop -d ${USER}' }
+
+ # SASL
+ postfix::config { "smtpd_sasl_auth_enable": value => 'yes' }
+ postfix::config { "smtpd_sasl_local_domain": value => '$myhostname' }
+ postfix::config { "smtpd_sasl_security_options": value => 'noanonymous' }
+ postfix::config { "broken_sasl_auth_clients": value => 'yes' }
+ postfix::config { "smtpd_sasl_authenticated_header" value => 'yes' }
+
+ # Whitelisting: local clients may specify any destination. Others may not.
+ postfix::config { "smtpd_recipient_restrictions":
+ value => 'permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination,
+ #reject_non_fqdn_hostname,
+ #reject_non_fqdn_sender,
+ #reject_non_fqdn_recipient,
+ #reject_unauth_destination,
+ #reject_unauth_pipelining,
+ #reject_invalid_hostname,
+ #reject_rbl_client multi.uribl.com,
+ #reject_rbl_client dsn.rfc-ignorant.org,
+ #reject_rbl_client dul.dnsbl.sorbs.net,
+ #reject_rbl_client dnsbl.sorbs.net,
+ #reject_rbl_client cbl.abuseat.org,
+ #reject_rbl_client ix.dnsbl.manitu.net,
+ #reject_rbl_client combined.rbl.msrbl.net,
+ #reject_rbl_client rabl.nuclearelephant.com,
+ #reject_rbl_client bl.spamcop.net,
+ #reject_rbl_client zen.spamhaus.org,
+ reject_rbl_client psbl.surriel.com,
+ check_policy_service inet:127.0.0.1:10023' }
}
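Review bot: The added `smtpd_sasl_authenticated_header` resource is missing the colon after its title, so the manifest will not parse; it should read `postfix::config { "smtpd_sasl_authenticated_header": value => 'yes' }`. Separately, the `#reject_…` lines in `smtpd_recipient_restrictions` sit inside a single-quoted string, so Puppet passes them on as part of the value rather than treating them as comments; whether Postfix then ignores them depends on how `postfix::config` writes main.cf, which is not visible here, so it would be safer to remove them from the string and keep the disabled checks in a Puppet comment above the resource. SASL authentication is enabled with only `noanonymous`, and no TLS requirement is visible in this hunk; unless `smtpd_tls_auth_only = yes` is set elsewhere, plaintext mechanisms could be offered on unencrypted sessions. Also, `smtpd_sasl_authenticated_header = yes` records the SASL login name in the Received header of relayed mail, so confirm that disclosing account names to recipients is intended.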