$mxdata = dig($deprecated::nodeinfo, 'ldap', 'mXRecord')
+ $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => 25 } )
+
if $mxdata and $mxdata.any |$item| { $item =~ /INCOMING-MX/ } {
- $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => undef } )
+ # a mail satellite. Gets mail via the mailrelays and sends out mail via the mail relays
@@concat::fragment { "manualroute-to-${::fqdn}":
tag => 'exim::manualroute::to::mailrelay',
target => '/etc/exim4/manualroute',
- content => $mailport == undef ? {
- true => "${::fqdn}: ${::fqdn}",
- default => "${::fqdn}: ${::fqdn}::${mailport}",
- }
+ content => "${::fqdn}: ${::fqdn}::${mailport}",
+ }
+
+ @@ferm::rule::simple { "submission-from-${::fqdn}":
+ tag => 'smtp::server::submission::to::mail-relay',
+ chain => 'submission',
+ saddr => $base::public_addresses,
}
- Ferm::Rule::Simple <<| tag == 'smtp::server::from::mailrelay' |>> {
- port => $mailport == undef ? {
- true => 25,
- default => $mailport,
- }
+ Ferm::Rule::Simple <<| tag == 'smtp::server::to::mail-satellite' |>> {
+ port => $mailport
}
+
} else {
+ # not a mail satellite
+
if ! defined(Class['exim::mx']) and ! defined(Class['postfix']) {
fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
}
+
ferm::rule::simple { 'dsa-smtp':
description => 'Allow smtp access from the world',
port => '25',
}
}
+
+ $autocertdir = hiera('paths.auto_certs_dir')
+ dnsextras::tlsa_record{ 'tlsa-mailport':
+ zone => 'debian.org',
+ certfile => "${autocertdir}/${::fqdn}.crt",
+ port => $mailport,
+ hostname => $::fqdn,
+ }
}