X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fexim%2Fmanifests%2Fmx.pp;h=0157b1439ce72edcc1ecb3624860fa044b100c2b;hb=bb3c419ae3fb9387d5e91cf1e0dc9b82d167c728;hp=70a370294b9c17b90b99ccbefdea8299eea7adea;hpb=215ea6ef7a868fe83c46a02fa84a06e3e2631ed6;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index 70a370294..0157b1439 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -1,26 +1,46 @@
-class exim::mx inherits exim {
- include clamav
- include postgrey
+# our heavy exim class
+# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts
+class exim::mx(
+ Boolean $is_mailrelay = false,
+){
+ class { 'exim':
+ use_smarthost => false,
+ is_mailrelay => $is_mailrelay,
+ }
- file { '/etc/exim4/ccTLD.txt':
- source => 'puppet:///modules/exim/common/ccTLD.txt',
- }
- file { '/etc/exim4/surbl_whitelist.txt':
- source => 'puppet:///modules/exim/common/surbl_whitelist.txt',
- }
- file { '/etc/exim4/exim_surbl.pl':
- source => 'puppet:///modules/exim/common/exim_surbl.pl',
- notify => Service['exim4'],
- }
+ include clamav
+ include postgrey
+ include fail2ban::exim
- @ferm::rule { 'dsa-exim-submission':
- description => 'Allow SMTP',
- rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)'
- }
- @ferm::rule { 'dsa-exim-v6-submission':
- description => 'Allow SMTP',
- domain => 'ip6',
- rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
- }
+ file { '/etc/exim4/ccTLD.txt':
+ source => 'puppet:///modules/exim/common/ccTLD.txt',
+ }
+ file { '/etc/exim4/surbl_whitelist.txt':
+ source => 'puppet:///modules/exim/common/surbl_whitelist.txt',
+ }
+ file { '/etc/exim4/exim_surbl.pl':
+ source => 'puppet:///modules/exim/common/exim_surbl.pl',
+ notify => Service['exim4'],
+ }
+ # MXs used as smarthosts
+ ferm::rule { 'dsa-exim-submission':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)'
+ }
+ ferm::rule { 'dsa-exim-v6-submission':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
+ }
+ $autocertdir = hiera('paths.auto_certs_dir')
+ dnsextras::tlsa_record{ 'tlsa-submission':
+ zone => 'debian.org',
+ certfile => "${autocertdir}/${::fqdn}.crt",
+ port => 587,
+ hostname => $::fqdn,
+ }
+ package { 'monitoring-plugins-standard':
+ ensure => installed,
+ }
 }
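Review bot: The two submission-port `ferm::rule` resources are no longer virtual (the leading `@` is gone), so every node declaring `exim::mx` now opens tcp/submission to `$SMTP_SOURCES` and `$SMTP_V6_SOURCES`, yet both still carry `description => 'Allow SMTP'`, which misstates what a firewall audit will read. I would change both to something like `description => 'Allow submission (587) from smarthost clients',` and extend the `# MXs used as smarthosts` comment to say that the source sets are defined outside this class, since the exposure depends entirely on them. Separately, the `dnsextras::tlsa_record` for port 587 reads `"${autocertdir}/${::fqdn}.crt"` with no visible `require` or ordering against whatever installs that certificate. How the define picks up a renewed certificate cannot be seen from this hunk, so a short comment stating it would help; a TLSA record that lags the served certificate would likely cause DANE-validating clients to refuse the submission service.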