diff options
-rw-r--r-- | README | 7 | ||||
-rw-r--r-- | files/header_checks.d/.ignore | 0 | ||||
-rw-r--r-- | manifests/classes/postfix-anonsasl.pp | 18 | ||||
-rw-r--r-- | manifests/classes/postfix-header_checks.pp | 57 | ||||
-rw-r--r-- | manifests/classes/postfix-tlspolicy.pp | 5 | ||||
-rw-r--r-- | manifests/classes/postfix.pp | 12 | ||||
-rw-r--r-- | manifests/definitions/header_checks_snippet.pp | 67 | ||||
-rw-r--r-- | templates/anonsasl_header_checks.erb | 2 |
8 files changed, 167 insertions, 1 deletions
@@ -7,6 +7,13 @@ A couple of classes will preconfigure postfix for common needs. Config ------ - set $postfix_use_amavisd="yes" to include postfix::amavis +- set $postfix_anon_sasl="yes" to hide the originating IP in email + relayed for an authenticated SASL client; this needs Postfix + 2.3 or later to work; beware! Postfix logs the header replacement + has been done, which means that you are storing this information, + unless you are anonymizing your logs. +- set $postfix_manage_header_checks="yes" to manage header checks (see + postfix::header_checks for details) - set $postfix_manage_tls_policy="yes" to manage TLS policy (see postfix::tlspolicy for details) diff --git a/files/header_checks.d/.ignore b/files/header_checks.d/.ignore new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/files/header_checks.d/.ignore diff --git a/manifests/classes/postfix-anonsasl.pp b/manifests/classes/postfix-anonsasl.pp new file mode 100644 index 0000000..ca97f19 --- /dev/null +++ b/manifests/classes/postfix-anonsasl.pp @@ -0,0 +1,18 @@ +class postfix::anonsasl { + + include postfix::header_checks + + postfix::config { + 'smtpd_sasl_authenticated_header': + value => 'yes'; + } + + postfix::header_checks_snippet { + 'anonsasl': + content => template("postfix/anonsasl_header_checks.erb"), + require => [ + Postfix::Config['smtpd_sasl_authenticated_header'], + ]; + } + +} diff --git a/manifests/classes/postfix-header_checks.pp b/manifests/classes/postfix-header_checks.pp new file mode 100644 index 0000000..071f6b0 --- /dev/null +++ b/manifests/classes/postfix-header_checks.pp @@ -0,0 +1,57 @@ +# +# == Class: postfix::header_checks +# +# Manages Postfix header_checks by merging snippets shipped: +# - in the module's files/header_checks.d/ or puppet:///files/etc/postfix/header_checks.d +# (the latter takes precedence if present); site-postfix module is supported +# as well, see the source argument of file {"$postfix_header_checks_snippets_dir" +# bellow for details. +# - via postfix::header_checks_snippet defines +# +# Example usage: +# +# node "toto.example.com" { +# $postfix_manage_header_checks = yes +# include postfix +# } +# +class postfix::header_checks { + + include common::moduledir + module_dir{'postfix/header_checks': } + + $postfix_header_checks_dir = "${common::moduledir::module_dir_path}/postfix/header_checks" + $postfix_header_checks_snippets_dir = "${postfix_header_checks_dir}/header_checks.d" + $postfix_merged_header_checks = "${postfix_header_checks_dir}/merged_header_checks" + + file {"$postfix_header_checks_snippets_dir": + ensure => 'directory', + owner => 'root', + group => '0', + mode => '700', + source => [ + "puppet:///modules/site-postfix/${fqdn}/header_checks.d", + "puppet:///modules/site-postfix/header_checks.d", + "puppet:///files/etc/postfix/header_checks.d", + "puppet:///modules/postfix/header_checks.d", + ], + recurse => true, + purge => false, + } + + concatenated_file { "$postfix_merged_header_checks": + dir => "${postfix_header_checks_snippets_dir}", + require => File["$postfix_header_checks_snippets_dir"], + } + + config_file { '/etc/postfix/header_checks': + source => "$postfix_merged_header_checks", + subscribe => File["$postfix_merged_header_checks"], + } + + postfix::config { "header_checks": + value => 'regexp:/etc/postfix/header_checks', + require => File['/etc/postfix/header_checks'], + } + +} diff --git a/manifests/classes/postfix-tlspolicy.pp b/manifests/classes/postfix-tlspolicy.pp index ec9e068..633c380 100644 --- a/manifests/classes/postfix-tlspolicy.pp +++ b/manifests/classes/postfix-tlspolicy.pp @@ -2,7 +2,10 @@ # == Class: postfix::tlspolicy # # Manages Postfix TLS policy by merging policy snippets shipped: -# - in the module's files/tls_policy.d/ +# - in the module's files/tls_policy.d/ or puppet:///files/etc/postfix/tls_policy.d +# (the latter takes precedence if present); site-postfix module is supported +# as well, see the source argument of file {"$postfix_tlspolicy_snippets_dir" +# bellow for details. # - via postfix::tlspolicy_snippet defines # # Parameters: diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp index 588bfc8..4e9cd6f 100644 --- a/manifests/classes/postfix.pp +++ b/manifests/classes/postfix.pp @@ -40,6 +40,12 @@ class postfix { case $root_mail_recipient { "": { $root_mail_recipient = "nobody" } } + case $postfix_anon_sasl { + "": { $postfix_anon_sasl = "no" } + } + case $postfix_manage_header_checks { + "": { $postfix_manage_header_checks = "no" } + } case $postfix_manage_tls_policy { "": { $postfix_manage_tls_policy = "no" } } @@ -64,6 +70,12 @@ class postfix { module_dir{'postfix': } # Include optional classes + if $postfix_anon_sasl == 'yes' { + include postfix::anonsasl + } + if $postfix_manage_header_checks == 'yes' { + include postfix::header_checks + } if $postfix_manage_tls_policy == 'yes' { include postfix::tlspolicy } diff --git a/manifests/definitions/header_checks_snippet.pp b/manifests/definitions/header_checks_snippet.pp new file mode 100644 index 0000000..454d219 --- /dev/null +++ b/manifests/definitions/header_checks_snippet.pp @@ -0,0 +1,67 @@ +/* +== Definition: postfix::header_checks_snippet + +Adds a header_checks snippets to /etc/postfix/header_checks. +See the postfix::header_checks class for details. + +Parameters: +- *source* or *content*: source or content of the header_checks snippet +- *ensure*: present (default) or absent + +Requires: +- Class["postfix"] + +Example usage: + + node "toto.example.com" { + include postfix + postfix::header_checks { + 'wrong_date': content => 'FIXME'; + 'bla': source => 'puppet:///files/etc/postfix/header_checks.d/bla'; + } + } + +*/ + +define postfix::header_checks_snippet ( + $ensure = "present", + $source = '', + $content = undef +) { + + if $source == '' and $content == undef { + fail("One of \$source or \$content must be specified for postfix::header_checks_snippet ${name}") + } + + if $source != '' and $content != undef { + fail("Only one of \$source or \$content must specified for postfix::header_checks_snippet ${name}") + } + + if ($value == false) and ($ensure == "present") { + fail("The value parameter must be set when using the postfix::header_checks_snippet define with ensure=present.") + } + + include postfix::header_checks + + $snippetfile = "${postfix::header_checks::postfix_header_checks_snippets_dir}/${name}" + + file { "$snippetfile": + ensure => "$ensure", + mode => 600, + owner => root, + group => 0, + notify => Exec["concat_${postfix::header_checks::postfix_merged_header_checks}"], + } + + if $source { + File["$snippetfile"] { + source => $source, + } + } + else { + File["$snippetfile"] { + content => $content, + } + } + +} diff --git a/templates/anonsasl_header_checks.erb b/templates/anonsasl_header_checks.erb new file mode 100644 index 0000000..bca5914 --- /dev/null +++ b/templates/anonsasl_header_checks.erb @@ -0,0 +1,2 @@ +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (<%= fqdn.gsub(/\./, '\.') %>) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7 |