X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fmta.pp;h=22fbb6619fb6a0082986c89e2f86c566c0cb1eb2;hb=33a685862291e6f3c0c7f9df702b930430bbe419;hp=3ce44436a4dfa1e026e4e9415a3385004a5fdcc8;hpb=1f37c1198a12c740639535f69d3f42b841c0aca5;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index 3ce44436a..22fbb6619 100644
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -24,4 +24,41 @@ class roles::mta(
 } else {
 fail("Unexpected mta type ${type}")
 }
+
+
+ $mxdata = dig($deprecated::nodeinfo, 'ldap', 'mXRecord')
+ $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => 25 } )
+
+ if $mxdata and $mxdata.any |$item| { $item =~ /INCOMING-MX/ } {
+ # a mail satellite. Gets mail via the mailrelays and sends out mail via the mail relays
+
+ exim::manualroute{ $::fqdn: }
+
+ @@ferm::rule::simple { "submission-from-${::fqdn}":
+ tag => 'smtp::server::submission::to::mail-relay',
+ chain => 'submission',
+ saddr => $base::public_addresses,
+ }
+
+ Ferm::Rule::Simple <<| tag == 'smtp::server::to::mail-satellite' |>> {
+ port => $mailport
+ }
+
+ } else {
+ # not a mail satellite
+
+ if ! defined(Class['exim::mx']) and ! defined(Class['postfix']) {
+ fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
+ }
+
+ # firewall allow is done by the exim::mx class
+ }
+
+ $autocertdir = hiera('paths.auto_certs_dir')
+ dnsextras::tlsa_record{ 'tlsa-mailport':
+ zone => 'debian.org',
+ certfile => "${autocertdir}/${::fqdn}.crt",
+ port => $mailport,
+ hostname => $::fqdn,
+ }
 }
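Review bot: The satellite test `$item =~ /INCOMING-MX/` is an unanchored substring match, yet it alone selects the branch that collects the `smtp::server::to::mail-satellite` firewall rules and bypasses the `exim::mx`/`postfix` sanity `fail()`. Any mXRecord value that merely contains that text would classify the host as a satellite. If the LDAP values have the usual `<priority> <target>` form (not visible here, so treat that as an assumption), matching the target exactly would be tighter, for example `$item =~ /(\A|\s)INCOMING-MX\z/`. A short comment above the `if` stating the expected record format would also help the next reader. The body of `roles::mta` starts above this hunk, so whether `exim::mx` is always declared before the `defined()` check cannot be confirmed from here.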