X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Froles%2Fmanifests%2Fmailrelay.pp;h=6be074edcc01aec823f3cdbaf62cc5def2bf4cd3;hb=0f82767f57e613e31170d9885fc0503c18ed27a5;hp=a888531e179090aef536ee2ebde40340c0ae98c3;hpb=1f37c1198a12c740639535f69d3f42b841c0aca5;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/mailrelay.pp b/modules/roles/manifests/mailrelay.pp
index a888531e1..6be074edc 100644
--- a/modules/roles/manifests/mailrelay.pp
+++ b/modules/roles/manifests/mailrelay.pp
@@ -7,7 +7,7 @@
 # include roles::mailrelay
 #
 class roles::mailrelay {
- include exim::mx
+ include exim::mailrelay
 include roles::pubsub::parameters
@@ -26,9 +26,23 @@ class roles::mailrelay {
 # smtp firewalling setup
 ###
 @@ferm::rule::simple { "dsa-smtp-from-mailrelay-${::fqdn}":
- tag => 'smtp::server::from::mailrelay',
+ tag => 'smtp::server::to::mail-satellite',
 description => 'Allow smtp access from a mailrelay',
- port => '25',
+ port => '7', # will be overwritten on collection
 saddr => $base::public_addresses,
 }
+
+ ferm::rule::simple { 'submission-from-satellites':
+ target => 'submission',
+ port => 'submission',
+ }
+ Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>
+
+ $autocertdir = hiera('paths.auto_certs_dir')
+ dnsextras::tlsa_record{ 'tlsa-submission':
+ zone => 'debian.org',
+ certfile => "${autocertdir}/${::fqdn}.crt",
+ port => 587,
+ hostname => $::fqdn,
+ }
 }
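Review bot: The exported rule's `port => '7', # will be overwritten on collection` is only correct if every collector of the `smtp::server::to::mail-satellite` tag actually overrides `port`; a collector that omits the override would presumably realise a rule admitting port 7 from the relay's public addresses instead of SMTP, and nothing in this manifest would flag it. I would state that contract on the line itself, e.g. `port => '7', # placeholder only: every collector of this tag must override port`, and confirm that no manifest still collects the old `smtp::server::from::mailrelay` tag, which would now silently match nothing. The new collection `Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>` applies no overrides, so the source addresses and port admitted on the submission path are whatever each exporting node declares. The exporters are outside this hunk, so that is worth checking where they are defined.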