X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Fmanifests%2Fmx.pp;h=dce03586f0ed168b2211bc14d161e60fd8f53204;hb=4658098c84ab6b11f6419fee7cc0e70f7eeb25df;hp=1e77aa925a999d7c2d9f78955fac3a3d6c4c13a6;hpb=6223d29ea525ff1ef4626af124280d5f10fea746;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index 1e77aa925..dce03586f 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -1,22 +1,56 @@
 class exim::mx inherits exim {
- file {
- "/etc/exim4/ccTLD.txt":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/common/ccTLD.txt" ]
- ;
- "/etc/exim4/surbl_whitelist.txt":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/common/surbl_whitelist.txt" ]
- ;
- "/etc/exim4/exim_surbl.pl":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/common/exim_surbl.pl" ],
- notify => Exec["exim4 restart"]
- ;
- }
- exec { "exim4 restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
-}
+ include clamav
+ include postgrey
+
+ file { '/etc/exim4/ccTLD.txt':
+ source => 'puppet:///modules/exim/common/ccTLD.txt',
+ }
+ file { '/etc/exim4/surbl_whitelist.txt':
+ source => 'puppet:///modules/exim/common/surbl_whitelist.txt',
+ }
+ file { '/etc/exim4/exim_surbl.pl':
+ source => 'puppet:///modules/exim/common/exim_surbl.pl',
+ notify => Service['exim4'],
+ }
+
+ # 20181010 many connections:
+ # 188.165.219.27
+ # 125.72.232.*
+ # 140.224.61.*
+ # 117.24.38.*
+ @ferm::rule { 'dsa-mail-abusers':
+ prio => "000",
+ rule => "saddr (188.165.219.27 125.72.232.0/24 140.224.61.0/24 117.24.38.0/24) DROP",
+ }
+ # MXs used as smarthosts
+ @ferm::rule { 'dsa-exim-submission':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)'
+ }
+ @ferm::rule { 'dsa-exim-v6-submission':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
+ }
+ $autocertdir = hiera('paths.auto_certs_dir')
+ dnsextras::tlsa_record{ "tlsa-submission":
+ zone => 'debian.org',
+ certfile => "${autocertdir}/${::fqdn}.crt",
+ port => 587,
+ hostname => "$::fqdn",
+ }
+ package { 'nagios-plugins-standard':
+ ensure => installed,
+ }
+
+ if has_role('mailrelay') {
+ concat::fragment { 'dsa-puppet-stuff--email-virtualdomains':
+ target => '/etc/cron.d/dsa-puppet-stuff',
+ content => @(EOF)
+ @hourly root if [ ! -d /etc/exim4/email-virtualdomains ]; then cd /etc/exim4 && git clone mail-git:email-virtualdomains ; fi && cd /etc/exim4/email-virtualdomains && git pull --quiet --ff-only
+ | EOF
+ }
+ }
+ file { '/etc/cron.d/dsa-email-virtualdomains': ensure => absent, }
+}
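Review bot: The `dsa-mail-abusers` rule installs a top-priority (`prio => "000"`) DROP for four source ranges with only a dated comment and no `description`, so unlike the two submission rules it explains nothing in the generated firewall and nothing marks when the entries are to be reviewed; I would add `description => 'Drop sources seen flooding the MX on 20181010; review before keeping',` beside `prio`. The same block and the tlsa_record title use double quotes with nothing interpolated, and `hostname => "$::fqdn"` wraps a lone variable in a string where `hostname => $::fqdn,` and single-quoted literals would match the rest of the new code. The hourly cron fragment runs `git clone`/`git pull` as root with no serialisation, so a pull that stalls past the hour would overlap the next run; if that is acceptable for this repository a one-line comment in the fragment saying so would save the next reader the question.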