Commit 93ec96b9 authored by Angel L. Mateo's avatar Angel L. Mateo Committed by Raphaël Pinson

Add chroot parameter (#170)

To be able to configure master.cf with chroot
parent c3aa7982
......@@ -160,6 +160,11 @@ A string to define the e-mail address to which all mail directed to root should
Default: 'nobody'.
Example: 'root_catch@example.com'.
##### `chroot`
A boolean to define if postfix should be run in a chroot jail or not. If not defined, '-' is used (OS dependant)
Default: Undefined.
Example: true
##### `satellite`
A Boolean to define whether to configure postfix as a satellite relay host. This setting is mutually exclusive with the mta Boolean.
Default: False.
......
......@@ -14,6 +14,7 @@ class postfix::files {
$myorigin = $postfix::myorigin
$manage_root_alias = $postfix::manage_root_alias
$root_mail_recipient = $postfix::root_mail_recipient
$chroot = $postfix::chroot
$smtp_listen = $postfix::_smtp_listen
$use_amavisd = $postfix::use_amavisd
$use_dovecot_lda = $postfix::use_dovecot_lda
......@@ -24,6 +25,12 @@ class postfix::files {
assert_type(Optional[String], $master_smtp)
assert_type(Optional[String], $master_smtps)
$jail = $chroot ? {
undef => '-',
true => 'y',
default => 'n',
}
File {
replace => $manage_conffiles,
}
......@@ -56,9 +63,9 @@ class postfix::files {
$mastercf_content = undef
} else {
$mastercf_content = template(
$postfix::params::master_os_template,
'postfix/master.cf.common.erb'
)
$postfix::params::master_os_template,
'postfix/master.cf.common.erb'
)
}
file { '/etc/postfix/master.cf':
......@@ -89,7 +96,7 @@ class postfix::files {
'myorigin': value => $myorigin;
}
case $::osfamily {
case $facts['os']['family'] {
'RedHat': {
::postfix::config {
'mailq_path': value => '/usr/bin/mailq.postfix';
......
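Review bot: The `undef => '-'` arm of the `$jail` selector is not "OS dependent" as the README hunk claims: per master(5), `-` in the chroot column defers to Postfix's compiled-in default, which is chrooted for Postfix < 3.0 and not chrooted for 3.0 and later. The Debian-family templates in this commit previously hard-coded `n`, so on hosts still running a 2.x Postfix the next Puppet run will start chrooting smtpd, smtp, cleanup and friends without anyone having set `chroot`, and nothing in this diff populates the jail (resolv.conf, hosts, services, CA bundle under the queue directory), so outbound DNS and TLS verification can silently break there. Either keep the previous behaviour with `undef => 'n',` where the templates hard-coded it, or at minimum put the semantics above the selector: `# '-' = Postfix's built-in default (chrooted on < 3.0, not chrooted on >= 3.0); 'y' needs a populated jail under the queue directory`. The class body continues outside the hunk.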
......@@ -50,6 +50,8 @@
#
# [*root_mail_recipient*] - (string)
#
# [*chroot*] - (undef/boolean) Whether postfix should be run in a chroot
#
# [*satellite*] - (boolean) Whether to use as a satellite
# (implies MTA)
#
......@@ -97,6 +99,7 @@ class postfix (
Optional[String] $relayhost = undef, # postfix_relayhost
Boolean $manage_root_alias = true,
Variant[Array[String], String] $root_mail_recipient = 'nobody', # root_mail_recipient
Optional[Boolean] $chroot = undef,
Boolean $satellite = false,
String $smtp_listen = '127.0.0.1', # postfix_smtp_listen
Boolean $use_amavisd = false, # postfix_use_amavisd
......
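Review bot: The new `[*chroot*]` parameter doc says only "Whether postfix should be run in a chroot", which hides that `undef` is not "off": it emits `-` and hands the decision to Postfix's compiled-in default (chrooted before 3.0, not chrooted from 3.0), while `true`/`false` emit `y`/`n`. It should also state that enabling it assumes the jail under the queue directory already holds the files the chrooted daemons need (resolv.conf, hosts, services, CA bundle) — Debian's package prepares that, nothing in this module appears to, so `chroot => true` on other families can break DNS and TLS verification. Suggested wording: `# [*chroot*] - (undef/boolean) Chroot the master.cf services that may be jailed: true => 'y', false => 'n',` / `#   undef => '-' (Postfix's built-in default, chrooted on < 3.0). The jail itself is not populated by this module.` The parameter list continues outside the hunk.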
......@@ -21,7 +21,9 @@ describe 'postfix class' do
}
}
class { 'postfix': }
class { 'postfix':
smtp_listen => 'all',
}
EOS
# Run it twice and test for idempotency
......
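Review bot: Switching the acceptance manifest to `smtp_listen => 'all'` is unrelated to the chroot parameter this commit introduces, and the parameter itself gets no coverage anywhere in the diff — nothing asserts that `chroot => true` lands as `y` in the chroot column, that `false` lands as `n`, or that `local`, `virtual`, `proxymap` and `qmgr` stay at `n` regardless. A unit example on the class with `chroot => true` checking the rendered file, e.g. `is_expected.to contain_file('/etc/postfix/master.cf').with_content(%r{^smtp\s+inet\s+n\s+-\s+y\s+-\s+-\s+smtpd$})` and the matching `n` expectation for `local`, would pin the behaviour across all the templates touched here. If the listener change is deliberate it deserves a mention in the commit message. The manifest heredoc starts before the hunk.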
......@@ -10,9 +10,9 @@
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
<% if @smtp_listen == 'all' -%>
smtp inet n - n - - smtpd
smtp inet n - <%= @jail %> - - smtpd
<% else -%>
<%= @smtp_listen %>:smtp inet n - n - - smtpd
<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
<% end -%>
#smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
......@@ -24,32 +24,32 @@ smtp inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
pickup fifo n - <%= @jail %> 60 1 pickup
cleanup unix n - <%= @jail %> - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
#tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
rewrite unix - - <%= @jail %> - - trivial-rewrite
bounce unix - - <%= @jail %> - 0 bounce
defer unix - - <%= @jail %> - 0 bounce
trace unix - - <%= @jail %> - 0 bounce
verify unix - - <%= @jail %> - 1 verify
flush unix n - <%= @jail %> 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
smtp unix - - <%= @jail %> - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
relay unix - - <%= @jail %> - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
showq unix n - <%= @jail %> - - showq
error unix - - <%= @jail %> - - error
discard unix - - <%= @jail %> - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
lmtp unix - - <%= @jail %> - - lmtp
anvil unix - - <%= @jail %> - 1 anvil
#localhost:10025 inet n - n - - smtpd -o content_filter=
scache unix - - n - 1 scache
scache unix - - <%= @jail %> - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
......
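Review bot: The services deliberately left at a literal `n` in this hunk — `qmgr`, `proxymap`, `local` and `virtual` — are the right ones to exclude (Postfix's own master.cf keeps them unchrooted, and proxymap exists precisely to serve table lookups to the chrooted daemons), but nothing in the template says so, and the next search-and-replace of `n` with `<%= @jail %>` will break local delivery. I'd add one comment above the block: `# qmgr, proxymap, local and virtual must never run chrooted - do not replace their 'n' with @jail`. The template continues outside the hunk.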
......@@ -10,9 +10,9 @@
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
<% if @smtp_listen == 'all' -%>
smtp inet n - n - - smtpd
smtp inet n - <%= @jail %> - - smtpd
<% else -%>
<%= @smtp_listen %>:smtp inet n - n - - smtpd
<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
<% end -%>
#smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
......@@ -24,32 +24,32 @@ smtp inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
pickup fifo n - <%= @jail %> 60 1 pickup
cleanup unix n - <%= @jail %> - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
#tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
rewrite unix - - <%= @jail %> - - trivial-rewrite
bounce unix - - <%= @jail %> - 0 bounce
defer unix - - <%= @jail %> - 0 bounce
trace unix - - <%= @jail %> - 0 bounce
verify unix - - <%= @jail %> - 1 verify
flush unix n - <%= @jail %> 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
smtp unix - - <%= @jail %> - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
relay unix - - <%= @jail %> - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
showq unix n - <%= @jail %> - - showq
error unix - - <%= @jail %> - - error
discard unix - - <%= @jail %> - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
lmtp unix - - <%= @jail %> - - lmtp
anvil unix - - <%= @jail %> - 1 anvil
#localhost:10025 inet n - n - - smtpd -o content_filter=
scache unix - - n - 1 scache
scache unix - - <%= @jail %> - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
......
......@@ -10,9 +10,9 @@
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
<% if @smtp_listen == 'all' -%>
smtp inet n - n - - smtpd
smtp inet n - <%= @jail %> - - smtpd
<% else -%>
<%= @smtp_listen %>:smtp inet n - n - - smtpd
<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
<% end -%>
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
......@@ -23,32 +23,32 @@ smtp inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
pickup fifo n - <%= @jail %> 60 1 pickup
cleanup unix n - <%= @jail %> - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr
rewrite unix - - <%= @jail %> - - trivial-rewrite
bounce unix - - <%= @jail %> - 0 bounce
defer unix - - <%= @jail %> - 0 bounce
trace unix - - <%= @jail %> - 0 bounce
verify unix - - <%= @jail %> - 1 verify
flush unix n - <%= @jail %> 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
smtp unix - - <%= @jail %> - - smtp
# When relaying mail as backup MX, disable smtp_fallback_relay to avoid MX loops
relay unix - - n - - smtp
relay unix - - <%= @jail %> - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
showq unix n - <%= @jail %> - - showq
error unix - - <%= @jail %> - - error
discard unix - - <%= @jail %> - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
lmtp unix - - <%= @jail %> - - lmtp
anvil unix - - <%= @jail %> - 1 anvil
#localhost:10025 inet n - n - - smtpd -o content_filter=
scache unix - - n - 1 scache
scache unix - - <%= @jail %> - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
......
<% if @use_amavisd %>
amavis unix - - - - 2 smtp
amavis unix - - <%= @jail %> - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
127.0.0.1:10025 inet n - <%= @jail %> - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
......
......@@ -10,9 +10,9 @@
<% if @master_smtp -%>
<%= @master_smtp %>
<% elsif @smtp_listen == 'all' -%>
smtp inet n - - - - smtpd
smtp inet n - <%= @jail %> - - smtpd
<% else -%>
<%= @smtp_listen %>:smtp inet n - - - - smtpd
<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
<% end -%>
<% if @master_submission -%>
<%= @master_submission %>
......@@ -29,31 +29,31 @@ smtp inet n - - - - smtpd
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
pickup fifo n - <%= @jail %> 60 1 pickup
cleanup unix n - <%= @jail %> - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr
rewrite unix - - <%= @jail %> - - trivial-rewrite
bounce unix - - <%= @jail %> - 0 bounce
defer unix - - <%= @jail %> - 0 bounce
trace unix - - <%= @jail %> - 0 bounce
verify unix - - <%= @jail %> - 1 verify
flush unix n - <%= @jail %> 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
smtp unix - - <%= @jail %> - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
relay unix - - <%= @jail %> - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
showq unix n - <%= @jail %> - - showq
error unix - - <%= @jail %> - - error
discard unix - - <%= @jail %> - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
lmtp unix - - <%= @jail %> - - lmtp
anvil unix - - <%= @jail %> - 1 anvil
scache unix - - <%= @jail %> - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
......
......@@ -10,9 +10,9 @@
<% if @master_smtp -%>
<%= @master_smtp %>
<% elsif @smtp_listen == 'all' -%>
smtp inet n - n - - smtpd
smtp inet n - <%= @jail %> - - smtpd
<% else -%>
<%= @smtp_listen %>:smtp inet n - n - - smtpd
<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
<% end -%>
<% if @master_submission -%>
<%= @master_submission %>
......@@ -30,31 +30,31 @@ smtp inet n - n - - smtpd
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
pickup fifo n - <%= @jail %> 60 1 pickup
cleanup unix n - <%= @jail %> - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr
rewrite unix - - <%= @jail %> - - trivial-rewrite
bounce unix - - <%= @jail %> - 0 bounce
defer unix - - <%= @jail %> - 0 bounce
trace unix - - <%= @jail %> - 0 bounce
verify unix - - <%= @jail %> - 1 verify
flush unix n - <%= @jail %> 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
smtp unix - - <%= @jail %> - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
relay unix - - <%= @jail %> - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
showq unix n - <%= @jail %> - - showq
error unix - - <%= @jail %> - - error
discard unix - - <%= @jail %> - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
lmtp unix - - <%= @jail %> - - lmtp
anvil unix - - <%= @jail %> - 1 anvil
scache unix - - <%= @jail %> - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
......
......@@ -13,9 +13,9 @@
<% if @master_smtp -%>
<%= @master_smtp %>
<% elsif @smtp_listen == 'all' -%>
smtp inet n - n - - smtpd
smtp inet n - <%= @jail %> - - smtpd
<% else -%>
<%= @smtp_listen %>:smtp inet n - n - - smtpd
<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
<% end -%>
<% if @master_submission -%>
<%= @master_submission %>
......@@ -56,32 +56,32 @@ smtp inet n - n - - smtpd
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
pickup unix n - <%= @jail %> 60 1 pickup
cleanup unix n - <%= @jail %> - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr
rewrite unix - - <%= @jail %> - - trivial-rewrite
bounce unix - - <%= @jail %> - 0 bounce
defer unix - - <%= @jail %> - 0 bounce
trace unix - - <%= @jail %> - 0 bounce
verify unix - - <%= @jail %> - 1 verify
flush unix n - <%= @jail %> 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
smtp unix - - <%= @jail %> - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
relay unix - - <%= @jail %> - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
showq unix n - <%= @jail %> - - showq
error unix - - <%= @jail %> - - error
retry unix - - <%= @jail %> - - error
discard unix - - <%= @jail %> - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
lmtp unix - - <%= @jail %> - - lmtp
anvil unix - - <%= @jail %> - 1 anvil
#localhost:10025 inet n - n - - smtpd
# -o content_filter=
# -o smtpd_delay_reject=no
......@@ -102,7 +102,7 @@ anvil unix - - n - 1 anvil
# -o local_header_rewrite_clients=
# -o local_recipient_maps=
# -o relay_recipient_maps=
scache unix - - n - 1 scache
scache unix - - <%= @jail %> - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
......
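Review bot: `qmgr`, `proxymap`, `proxywrite`, `local` and `virtual` keep a hard-coded `n` here while every neighbouring service now takes `<%= @jail %>`, and the distinction is intentional (Postfix's stock master.cf keeps them unchrooted; proxymap/proxywrite serve lookups to the jailed daemons), but the template does not record why. A comment such as `# qmgr, proxymap, proxywrite, local and virtual must never run chrooted - do not replace their 'n' with @jail` above the first of them would stop a future "make it consistent" change from breaking local delivery and table access. The template continues outside the hunk.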