diff --git a/README.md b/README.md
index 9effd9765c1de60822cef23a725877fafaf4736f..82679bbf836c9851f41688c59816ce2ea2c3c0e3 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,11 @@ A string to define the e-mail address to which all mail directed to root should
 Default: 'nobody'.
 Example: 'root_catch@example.com'.
 
+##### `chroot`
+A boolean to define if postfix should be run in a chroot jail or not. If not defined, '-' is used (OS dependant)
+Default: Undefined.
+Example: true
+
 ##### `satellite`
 A Boolean to define whether to configure postfix as a satellite relay host. This setting is mutually exclusive with the mta Boolean.
 Default: False.
diff --git a/manifests/files.pp b/manifests/files.pp
index c8205f488ef3e41c8c826b134a364024a4beba4a..d8f09ba738a139b3ea172a9647b86aae11857f11 100644
--- a/manifests/files.pp
+++ b/manifests/files.pp
@@ -14,6 +14,7 @@ class postfix::files {
 $myorigin = $postfix::myorigin
 $manage_root_alias = $postfix::manage_root_alias
 $root_mail_recipient = $postfix::root_mail_recipient
+ $chroot = $postfix::chroot
 $smtp_listen = $postfix::_smtp_listen
 $use_amavisd = $postfix::use_amavisd
 $use_dovecot_lda = $postfix::use_dovecot_lda
@@ -24,6 +25,12 @@ class postfix::files {
 assert_type(Optional[String], $master_smtp)
 assert_type(Optional[String], $master_smtps)
 
+ $jail = $chroot ? {
+ undef => '-',
+ true => 'y',
+ default => 'n',
+ }
+
 File {
 replace => $manage_conffiles,
 }
@@ -56,9 +63,9 @@ class postfix::files {
 $mastercf_content = undef
 } else {
 $mastercf_content = template(
- $postfix::params::master_os_template,
- 'postfix/master.cf.common.erb'
- )
+ $postfix::params::master_os_template,
+ 'postfix/master.cf.common.erb'
+ )
 }
 
 file { '/etc/postfix/master.cf':
@@ -89,7 +96,7 @@ class postfix::files {
 'myorigin': value => $myorigin;
 }
 
- case $::osfamily {
+ case $facts['os']['family'] {
 'RedHat': {
 ::postfix::config {
 'mailq_path': value => '/usr/bin/mailq.postfix';
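Review bot: The `undef => '-'` arm of the new `$jail` selector is a silent behaviour change for RedHat and SLES hosts, not a no-op: the removed lines in master.cf.redhat.erb, master.cf.sles.erb and the three master.cf.SLES11.*.erb templates show a hard-coded `n` in the chroot column, and with `chroot` left at its default those templates now render `-`, which hands the decision to Postfix's built-in default (only master.cf.debian.erb used `-` before). If I recall master(5) correctly that built-in default is not the same across Postfix releases, so some existing deployments would start running daemons chrooted after an upgrade of this module. A chrooted daemon presumably only sees files under the queue directory, so turning the jail on without populating it can break name resolution and TLS for the affected services; that caveat belongs in the README entry and a short comment on the selector, e.g. `# '-' defers to Postfix's compiled-in chroot default; the RedHat/SLES templates used to hard-code 'n' here`. Consider whether `undef` should instead keep the value each template emitted before this change.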
diff --git a/manifests/init.pp b/manifests/init.pp
index 23565f298810d1d1b0f9388d379f85ba09d11876..69990dd213c8d21139665281ab68a233e5eab1d3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -50,6 +50,8 @@
 #
 # [*root_mail_recipient*] - (string)
 #
+# [*chroot*] - (undef/boolean) Whether postfix should be run in a chroot
+#
 # [*satellite*] - (boolean) Whether to use as a satellite
 # (implies MTA)
 #
@@ -97,6 +99,7 @@ class postfix (
 Optional[String] $relayhost = undef, # postfix_relayhost
 Boolean $manage_root_alias = true,
 Variant[Array[String], String] $root_mail_recipient = 'nobody', # root_mail_recipient
+ Optional[Boolean] $chroot = undef,
 Boolean $satellite = false,
 String $smtp_listen = '127.0.0.1', # postfix_smtp_listen
 Boolean $use_amavisd = false, # postfix_use_amavisd
diff --git a/spec/acceptance/postfix_spec.rb b/spec/acceptance/postfix_spec.rb
index b03b54cd84605a591d8108b32668bac2f474be71..e85cdde24274683919d4f4a2ef57e705b4bf438f 100644
--- a/spec/acceptance/postfix_spec.rb
+++ b/spec/acceptance/postfix_spec.rb
@@ -21,7 +21,9 @@ describe 'postfix class' do
 }
 }
 
- class { 'postfix': }
+ class { 'postfix':
+ smtp_listen => 'all',
+ }
 EOS
 
 # Run it twice and test for idempotency
diff --git a/templates/master.cf.SLES11.2.erb b/templates/master.cf.SLES11.2.erb
index 0cccd7ea27c0df80370bb371aebe6791e5e91c89..855519c3258277320358860c4160c30199efde27 100644
--- a/templates/master.cf.SLES11.2.erb
+++ b/templates/master.cf.SLES11.2.erb
@@ -10,9 +10,9 @@
 # (yes) (yes) (yes) (never) (100)
 # ==========================================================================
 <% if @smtp_listen == 'all' -%>
-smtp inet n - n - - smtpd
+smtp inet n - <%= @jail %> - - smtpd
 <% else -%>
-<%= @smtp_listen %>:smtp inet n - n - - smtpd
+<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
 <% end -%>
 #smtp inet n - n - - smtpd
 #submission inet n - n - - smtpd
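Review bot: The new `[*chroot*]` doc line does not say what leaving the parameter undef means, which is the one non-obvious case because the value maps to the master.cf chroot column rather than to a plain on/off switch. Suggest `# [*chroot*] - (undef/boolean) Whether postfix daemons run in a chroot jail. true renders 'y', false renders 'n', undef renders '-' (Postfix built-in default) in master.cf`. The README entry added in the same commit should use the same wording so the two descriptions do not drift apart.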
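Review bot: The only test change in this commit sets `smtp_listen => 'all'`; nothing exercises the new `chroot` parameter, so the `$jail` selector and the `<%= @jail %>` substitutions in the templates are unverified for all three arms. A unit spec with rspec-puppet covers this cheaply, e.g. `let(:params) { { chroot: true } }` and `is_expected.to contain_file('/etc/postfix/master.cf').with_content(%r{^pickup\s+\S+\s+n\s+-\s+y\s})`, plus a `chroot: false` case and a default-parameters case asserting `-`. The enclosing `describe` block starts outside this hunk.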
@@ -24,32 +24,32 @@ smtp inet n - n - - smtpd # -o smtpd_etrn_restrictions=reject # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup +pickup fifo n - <%= @jail %> 60 1 pickup +cleanup unix n - <%= @jail %> - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr #tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush +rewrite unix - - <%= @jail %> - - trivial-rewrite +bounce unix - - <%= @jail %> - 0 bounce +defer unix - - <%= @jail %> - 0 bounce +trace unix - - <%= @jail %> - 0 bounce +verify unix - - <%= @jail %> - 1 verify +flush unix n - <%= @jail %> 1000? 0 flush proxymap unix - - n - - proxymap -smtp unix - - n - - smtp +smtp unix - - <%= @jail %> - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops -relay unix - - n - - smtp +relay unix - - <%= @jail %> - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -discard unix - - n - - discard +showq unix n - <%= @jail %> - - showq +error unix - - <%= @jail %> - - error +discard unix - - <%= @jail %> - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil +lmtp unix - - <%= @jail %> - - lmtp +anvil unix - - <%= @jail %> - 1 anvil #localhost:10025 inet n - n - - smtpd -o content_filter= -scache unix - - n - 1 scache +scache unix - - <%= @jail %> - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual diff --git a/templates/master.cf.SLES11.3.erb b/templates/master.cf.SLES11.3.erb index 2b7c296eff94a14371c6e3ebbb2ab83006dbebd0..af5d34e23f55096dc244b8957b009fb48c125beb 100644 
--- a/templates/master.cf.SLES11.3.erb
+++ b/templates/master.cf.SLES11.3.erb
@@ -10,9 +10,9 @@
 # (yes) (yes) (yes) (never) (100)
 # ==========================================================================
 <% if @smtp_listen == 'all' -%>
-smtp inet n - n - - smtpd
+smtp inet n - <%= @jail %> - - smtpd
 <% else -%>
-<%= @smtp_listen %>:smtp inet n - n - - smtpd
+<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
 <% end -%>
 #smtp inet n - n - - smtpd
 #submission inet n - n - - smtpd
@@ -24,32 +24,32 @@ smtp inet n - n - - smtpd # -o smtpd_etrn_restrictions=reject # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup +pickup fifo n - <%= @jail %> 60 1 pickup +cleanup unix n - <%= @jail %> - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr #tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush +rewrite unix - - <%= @jail %> - - trivial-rewrite +bounce unix - - <%= @jail %> - 0 bounce +defer unix - - <%= @jail %> - 0 bounce +trace unix - - <%= @jail %> - 0 bounce +verify unix - - <%= @jail %> - 1 verify +flush unix n - <%= @jail %> 1000? 0 flush proxymap unix - - n - - proxymap -smtp unix - - n - - smtp +smtp unix - - <%= @jail %> - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops -relay unix - - n - - smtp +relay unix - - <%= @jail %> - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -discard unix - - n - - discard +showq unix n - <%= @jail %> - - showq +error unix - - <%= @jail %> - - error +discard unix - - <%= @jail %> - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil +lmtp unix - - <%= @jail %> - - lmtp +anvil unix - - <%= @jail %> - 1 anvil #localhost:10025 inet n - n - - smtpd -o content_filter= -scache unix - - n - 1 scache +scache unix - - <%= @jail %> - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual 
diff --git a/templates/master.cf.SLES11.4.erb b/templates/master.cf.SLES11.4.erb
index 9f621478e2d44aa30ee6d0c9be3371f0f7401b89..0518183036e0199396131b6d6a603334a58aca2f 100644
--- a/templates/master.cf.SLES11.4.erb
+++ b/templates/master.cf.SLES11.4.erb
@@ -10,9 +10,9 @@
 # (yes) (yes) (yes) (never) (100)
 # ==========================================================================
 <% if @smtp_listen == 'all' -%>
-smtp inet n - n - - smtpd
+smtp inet n - <%= @jail %> - - smtpd
 <% else -%>
-<%= @smtp_listen %>:smtp inet n - n - - smtpd
+<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
 <% end -%>
 #submission inet n - n - - smtpd
 # -o smtpd_etrn_restrictions=reject
@@ -23,32 +23,32 @@ smtp inet n - n - - smtpd # -o smtpd_etrn_restrictions=reject # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup +pickup fifo n - <%= @jail %> 60 1 pickup +cleanup unix n - <%= @jail %> - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush +tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr +rewrite unix - - <%= @jail %> - - trivial-rewrite +bounce unix - - <%= @jail %> - 0 bounce +defer unix - - <%= @jail %> - 0 bounce +trace unix - - <%= @jail %> - 0 bounce +verify unix - - <%= @jail %> - 1 verify +flush unix n - <%= @jail %> 1000? 0 flush proxymap unix - - n - - proxymap -smtp unix - - n - - smtp +smtp unix - - <%= @jail %> - - smtp # When relaying mail as backup MX, disable smtp_fallback_relay to avoid MX loops -relay unix - - n - - smtp +relay unix - - <%= @jail %> - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -discard unix - - n - - discard +showq unix n - <%= @jail %> - - showq +error unix - - <%= @jail %> - - error +discard unix - - <%= @jail %> - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil +lmtp unix - - <%= @jail %> - - lmtp +anvil unix - - <%= @jail %> - 1 anvil #localhost:10025 inet n - n - - smtpd -o content_filter= -scache unix - - n - 1 scache +scache unix - - <%= @jail %> - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual 
diff --git a/templates/master.cf.common.erb b/templates/master.cf.common.erb index c21f0e23ae25e69dd03468fe4ba4f4fc8efee493..fdd6c11c762d6c3a1c9973e1c4c9d940c104a2d9 100644 --- a/templates/master.cf.common.erb +++ b/templates/master.cf.common.erb @@ -1,9 +1,9 @@ <% if @use_amavisd %> -amavis unix - - - - 2 smtp +amavis unix - - <%= @jail %> - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -127.0.0.1:10025 inet n - - - - smtpd +127.0.0.1:10025 inet n - <%= @jail %> - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= diff --git a/templates/master.cf.debian.erb b/templates/master.cf.debian.erb index aadcc286b90d39b363ebd60d5ae5c9fa95314078..748d9d9e7304b35c14ddd05466dc8ccc95bc8dbb 100644 --- a/templates/master.cf.debian.erb +++ b/templates/master.cf.debian.erb @@ -10,9 +10,9 @@ <% if @master_smtp -%> <%= @master_smtp %> <% elsif @smtp_listen == 'all' -%> -smtp inet n - - - - smtpd +smtp inet n - <%= @jail %> - - smtpd <% else -%> -<%= @smtp_listen %>:smtp inet n - - - - smtpd +<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd <% end -%> <% if @master_submission -%> <%= @master_submission %> 
@@ -29,31 +29,31 @@ smtp inet n - - - - smtpd # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject #628 inet n - - - - qmqpd -pickup fifo n - - 60 1 pickup -cleanup unix n - - - 0 cleanup +pickup fifo n - <%= @jail %> 60 1 pickup +cleanup unix n - <%= @jail %> - 0 cleanup qmgr fifo n - n 300 1 qmgr -#qmgr fifo n - - 300 1 oqmgr -tlsmgr unix - - - 1000? 1 tlsmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush +#qmgr fifo n - n 300 1 oqmgr +tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr +rewrite unix - - <%= @jail %> - - trivial-rewrite +bounce unix - - <%= @jail %> - 0 bounce +defer unix - - <%= @jail %> - 0 bounce +trace unix - - <%= @jail %> - 0 bounce +verify unix - - <%= @jail %> - 1 verify +flush unix n - <%= @jail %> 1000? 0 flush proxymap unix - - n - - proxymap -smtp unix - - - - - smtp +smtp unix - - <%= @jail %> - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops -relay unix - - - - - smtp +relay unix - - <%= @jail %> - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - - - - showq -error unix - - - - - error -discard unix - - - - - discard +showq unix n - <%= @jail %> - - showq +error unix - - <%= @jail %> - - error +discard unix - - <%= @jail %> - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - - - - lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache +lmtp unix - - <%= @jail %> - - lmtp +anvil unix - - <%= @jail %> - 1 anvil +scache unix - - <%= @jail %> - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual 
diff --git a/templates/master.cf.redhat.erb b/templates/master.cf.redhat.erb
index bfaf972847fbd0dbab78919518d88ec5b66844a9..91a2aee33e4ff08eb30fb330528d1732fece1180 100644
--- a/templates/master.cf.redhat.erb
+++ b/templates/master.cf.redhat.erb
@@ -10,9 +10,9 @@
 <% if @master_smtp -%>
 <%= @master_smtp %>
 <% elsif @smtp_listen == 'all' -%>
-smtp inet n - n - - smtpd
+smtp inet n - <%= @jail %> - - smtpd
 <% else -%>
-<%= @smtp_listen %>:smtp inet n - n - - smtpd
+<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
 <% end -%>
 <% if @master_submission -%>
 <%= @master_submission %>
@@ -30,31 +30,31 @@ smtp inet n - n - - smtpd # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject #628 inet n - n - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup +pickup fifo n - <%= @jail %> 60 1 pickup +cleanup unix n - <%= @jail %> - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush +tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr +rewrite unix - - <%= @jail %> - - trivial-rewrite +bounce unix - - <%= @jail %> - 0 bounce +defer unix - - <%= @jail %> - 0 bounce +trace unix - - <%= @jail %> - 0 bounce +verify unix - - <%= @jail %> - 1 verify +flush unix n - <%= @jail %> 1000? 0 flush proxymap unix - - n - - proxymap -smtp unix - - n - - smtp +smtp unix - - <%= @jail %> - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops -relay unix - - n - - smtp +relay unix - - <%= @jail %> - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -discard unix - - n - - discard +showq unix n - <%= @jail %> - - showq +error unix - - <%= @jail %> - - error +discard unix - - <%= @jail %> - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil -scache unix - - n - 1 scache +lmtp unix - - <%= @jail %> - - lmtp +anvil unix - - <%= @jail %> - 1 anvil +scache unix - - <%= @jail %> - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual diff --git a/templates/master.cf.sles.erb b/templates/master.cf.sles.erb index 6297e4e9fb042c768692066a04e3fd36e0acb40f..9c8fa01f07192d1aaca832cb833391da1c18ff4f 100644 
--- a/templates/master.cf.sles.erb
+++ b/templates/master.cf.sles.erb
@@ -13,9 +13,9 @@
 <% if @master_smtp -%>
 <%= @master_smtp %>
 <% elsif @smtp_listen == 'all' -%>
-smtp inet n - n - - smtpd
+smtp inet n - <%= @jail %> - - smtpd
 <% else -%>
-<%= @smtp_listen %>:smtp inet n - n - - smtpd
+<%= @smtp_listen %>:smtp inet n - <%= @jail %> - - smtpd
 <% end -%>
 <% if @master_submission -%>
 <%= @master_submission %>
@@ -56,32 +56,32 @@ smtp inet n - n - - smtpd # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd -pickup unix n - n 60 1 pickup -cleanup unix n - n - 0 cleanup +pickup unix n - <%= @jail %> 60 1 pickup +cleanup unix n - <%= @jail %> - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush +tlsmgr unix - - <%= @jail %> 1000? 1 tlsmgr +rewrite unix - - <%= @jail %> - - trivial-rewrite +bounce unix - - <%= @jail %> - 0 bounce +defer unix - - <%= @jail %> - 0 bounce +trace unix - - <%= @jail %> - 0 bounce +verify unix - - <%= @jail %> - 1 verify +flush unix n - <%= @jail %> 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap -smtp unix - - n - - smtp +smtp unix - - <%= @jail %> - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops -relay unix - - n - - smtp +relay unix - - <%= @jail %> - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -retry unix - - n - - error -discard unix - - n - - discard +showq unix n - <%= @jail %> - - showq +error unix - - <%= @jail %> - - error +retry unix - - <%= @jail %> - - error +discard unix - - <%= @jail %> - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil +lmtp unix - - <%= @jail %> - - lmtp +anvil unix - - <%= @jail %> - 1 anvil #localhost:10025 inet n - n - - smtpd # -o content_filter= # -o smtpd_delay_reject=no 
@@ -102,7 +102,7 @@ anvil unix - - n - 1 anvil # -o local_header_rewrite_clients= # -o local_recipient_maps= # -o relay_recipient_maps= -scache unix - - n - 1 scache +scache unix - - <%= @jail %> - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual