-class exim {
+# our exim class
+# @param use_smarthost use the smarthost
+# @param smarthost host to relay through (if set and use_smarthost)
+# @param is_bugsmx this system handles bugs.debian.org
+# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts
+# @param is_rtmaster this system handles rt.debian.org
+# @param is_packagesmaster this system handles packages.debian.org
+# @param is_packagesqamaster this system handles packages.qa.debian.org
+# @param mail_port override the default incoming mailport (only applicable for hosts behind an incoming relay)
+# @param smarthost_port the port on which satellites send mail to the smarthost (needs to be the same on both sides)
+class exim (
+ Optional[String] $smarthost,
+ Boolean $use_smarthost = true,
+ Boolean $is_bugsmx = false,
+ Boolean $is_mailrelay = false,
+ Boolean $is_rtmaster = false,
+ Boolean $is_packagesmaster = false,
+ Boolean $is_packagesqamaster = false,
+ Integer $smarthost_port = 587,
+ Optional[Integer] $mail_port = undef,
+) {
+ if $use_smarthost {
+ $heavy = false
- munin::check { 'ps_exim4': script => 'ps_' }
- munin::check { 'exim_mailqueue': }
- munin::check { 'exim_mailstats': }
+ if ! smarthost {
+ fail('No smarthost set but use_smarthost is true')
+ }
+ } else {
+ $heavy = true
+ if $mail_port {
+ fail('Cannot override mail_port in heavy/no-smarthost hosts')
+ }
+ }
- munin::check { 'postfix_mailqueue': ensure => absent }
- munin::check { 'postfix_mailstats': ensure => absent }
- munin::check { 'postfix_mailvolume': ensure => absent }
+ munin::check { 'ps_exim4': script => 'ps_' }
+ munin::check { 'exim_mailqueue': }
+ munin::check { 'exim_mailstats': }
- package { 'exim4-daemon-heavy': ensure => installed }
+ munin::check { 'postfix_mailqueue': ensure => absent }
+ munin::check { 'postfix_mailstats': ensure => absent }
+ munin::check { 'postfix_mailvolume': ensure => absent }
- Package['exim4-daemon-heavy']->Mailalias<| |>
+ package { 'exim4-daemon-heavy': ensure => installed }
- service { 'exim4':
- ensure => running,
- require => [
- File['/etc/exim4/exim4.conf'],
- Package['exim4-daemon-heavy'],
- ]
- }
+ Package['exim4-daemon-heavy']->Mailalias<| |>
- file { '/etc/exim4/':
- ensure => directory,
- mode => '0755',
- require => Package['exim4-daemon-heavy'],
- purge => true,
- }
- file { '/etc/exim4/Git':
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => 'puppet:///files/empty/',
- }
- file { '/etc/exim4/conf.d':
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => 'puppet:///files/empty/',
- }
- file { '/etc/exim4/ssl':
- ensure => directory,
- group => Debian-exim,
- mode => '0750',
- purge => true,
- }
- file { '/etc/exim4/exim4.conf':
- content => template('exim/eximconf.erb'),
- require => File['/etc/exim4/ssl/thishost.crt'],
- notify => Service['exim4'],
- }
- file { '/etc/mailname':
- content => template('exim/mailname.erb'),
- }
- file { '/etc/exim4/manualroute':
- content => template('exim/manualroute.erb')
- }
- file { '/etc/exim4/locals':
- content => template('exim/locals.erb')
- }
- file { '/etc/exim4/virtualdomains':
- content => template('exim/virtualdomains.erb'),
- }
- file { '/etc/exim4/submission-domains':
- content => template('exim/submission-domains.erb'),
- }
- file { '/etc/exim4/host_blacklist':
- source => 'puppet:///modules/exim/common/host_blacklist',
- }
- file { '/etc/exim4/blacklist':
- source => 'puppet:///modules/exim/common/blacklist',
- }
- file { '/etc/exim4/callout_users':
- source => 'puppet:///modules/exim/common/callout_users',
- }
- file { '/etc/exim4/grey_users':
- source => 'puppet:///modules/exim/common/grey_users',
- }
- file { '/etc/exim4/helo-check':
- source => 'puppet:///modules/exim/common/helo-check',
- }
- file { '/etc/exim4/localusers':
- source => 'puppet:///modules/exim/common/localusers',
- }
- file { '/etc/exim4/rbllist':
- source => 'puppet:///modules/exim/common/rbllist',
- }
- file { '/etc/exim4/rhsbllist':
- source => 'puppet:///modules/exim/common/rhsbllist',
- }
- file { '/etc/exim4/whitelist':
- source => 'puppet:///modules/exim/common/whitelist',
- }
- file { '/etc/logrotate.d/exim4-base':
- source => 'puppet:///modules/exim/common/logrotate-exim4-base',
- }
- file { '/etc/logrotate.d/exim4-paniclog':
- source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
- }
- file { '/etc/exim4/ssl/thishost.crt':
- source => "puppet:///modules/exim/certs/${::fqdn}.crt",
- group => Debian-exim,
- mode => '0640',
- }
- file { '/etc/exim4/ssl/thishost.key':
- source => "puppet:///modules/exim/certs/${::fqdn}.key",
- group => Debian-exim,
- mode => '0640',
- }
- file { '/etc/exim4/ssl/ca.crt':
- source => 'puppet:///modules/exim/certs/ca.crt',
- group => Debian-exim,
- mode => '0640',
- }
- file { '/etc/exim4/ssl/ca.crl':
- source => 'puppet:///modules/exim/certs/ca.crl',
- group => Debian-exim,
- mode => '0640',
- }
- file { '/var/log/exim4':
- ensure => directory,
- mode => '2750',
- owner => Debian-exim,
- group => maillog,
- }
+ service { 'exim4':
+ ensure => running,
+ require => [
+ File['/etc/exim4/exim4.conf'],
+ Package['exim4-daemon-heavy'],
+ ]
+ }
- case getfromhash($site::nodeinfo, 'mail_port') {
- /^(\d+)$/: { $mail_port = $1 }
- default: { $mail_port = 'smtp' }
- }
+ file { '/etc/exim4/':
+ ensure => directory,
+ mode => '0755',
+ require => Package['exim4-daemon-heavy'],
+ purge => true,
+ }
+ file { '/etc/exim4/conf.d':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/exim4/ssl':
+ ensure => directory,
+ group => 'Debian-exim',
+ mode => '0750',
+ purge => true,
+ }
+ file { '/etc/exim4/exim4.conf':
+ content => template('exim/eximconf.erb'),
+ require => File['/etc/exim4/ssl/thishost.crt'],
+ notify => Service['exim4'],
+ }
+ file { '/etc/mailname':
+ content => template('exim/mailname.erb'),
+ }
- @ferm::rule { 'dsa-exim':
- description => 'Allow SMTP',
- rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
- }
+ concat { '/etc/exim4/virtualdomains': }
+ concat::fragment { 'virtualdomains_header':
+ target => '/etc/exim4/virtualdomains',
+ content => template('exim/virtualdomains.header.erb'),
+ order => '00',
+ }
- @ferm::rule { 'dsa-exim-v6':
- description => 'Allow SMTP',
- domain => 'ip6',
- rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
- }
+ file { '/etc/exim4/locals':
+ content => template('exim/locals.erb')
+ }
- # Do we actually want this? I'm only doing it because it's harmless
- # and makes the logs quiet. There are better ways of making logs quiet,
- # though.
- @ferm::rule { 'dsa-ident':
- domain => '(ip ip6)',
- description => 'Allow ident access',
- rule => '&SERVICE(tcp, 113)'
- }
+ concat { '/etc/exim4/submission-domains':
+ ensure_newline => true,
+ warn => @(EOF),
+ ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+ | EOF
+ target => '/etc/exim4/submission-domains',
+ order => '00',
+ }
+ file { '/etc/exim4/host_blacklist':
+ source => 'puppet:///modules/exim/common/host_blacklist',
+ }
+ file { '/etc/exim4/blacklist':
+ source => 'puppet:///modules/exim/common/blacklist',
+ }
+ file { '/etc/exim4/callout_users':
+ source => 'puppet:///modules/exim/common/callout_users',
+ }
+ file { '/etc/exim4/grey_users':
+ source => 'puppet:///modules/exim/common/grey_users',
+ }
+ file { '/etc/exim4/helo-check':
+ source => 'puppet:///modules/exim/common/helo-check',
+ }
+ file { '/etc/exim4/localusers':
+ source => 'puppet:///modules/exim/common/localusers',
+ }
+ file { '/etc/exim4/rbllist':
+ source => 'puppet:///modules/exim/common/rbllist',
+ }
+ file { '/etc/exim4/rhsbllist':
+ source => 'puppet:///modules/exim/common/rhsbllist',
+ }
+ file { '/etc/exim4/whitelist':
+ source => 'puppet:///modules/exim/common/whitelist',
+ }
+ file { '/etc/logrotate.d/exim4-base':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-base',
+ }
+ file { '/etc/logrotate.d/exim4-paniclog':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
+ }
+ file { '/etc/exim4/ssl/thishost.crt':
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
+ group => 'Debian-exim',
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/thishost.key':
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
+ group => 'Debian-exim',
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crt':
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'),
+ group => 'Debian-exim',
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crl':
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'),
+ group => 'Debian-exim',
+ mode => '0640',
+ }
+ file { '/var/log/exim4':
+ ensure => directory,
+ mode => '2750',
+ owner => 'Debian-exim',
+ group => maillog,
+ }
+
+ # Do we actually want this? I'm only doing it because it's harmless
+ # and makes the logs quiet. There are better ways of making logs quiet,
+ # though.
+ ferm::rule { 'dsa-ident':
+ domain => '(ip ip6)',
+ description => 'Allow ident access',
+ rule => '&SERVICE(tcp, 113)'
+ }
+
+ # These only affect the alias @$fqdn, not say, @debian.org
+
+ mailalias { [
+ 'postmaster',
+ 'hostmaster',
+ 'usenet',
+ 'webmaster',
+ 'abuse',
+ 'noc',
+ 'security',
+ ]:
+ ensure => absent
+ }
}