X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fmta.pp;h=22fbb6619fb6a0082986c89e2f86c566c0cb1eb2;hb=e9b0dc298740c07aff9b54bb93d40c453a9c23b7;hp=d9bead43aff9d5379cc67ccb41c122f3f0cb198c;hpb=cbfcf80b2071271178ab5cad24d575decf524c70;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index d9bead43a..22fbb6619 100644
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -27,18 +27,12 @@ class roles::mta(
 $mxdata = dig($deprecated::nodeinfo, 'ldap', 'mXRecord')
+ $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => 25 } )
+
 if $mxdata and $mxdata.any |$item| { $item =~ /INCOMING-MX/ } {
 # a mail satellite. Gets mail via the mailrelays and sends out mail via the mail relays
- $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => undef } )
- @@concat::fragment { "manualroute-to-${::fqdn}":
- tag => 'exim::manualroute::to::mailrelay',
- target => '/etc/exim4/manualroute',
- content => $mailport == undef ? {
- true => "${::fqdn}: ${::fqdn}",
- default => "${::fqdn}: ${::fqdn}::${mailport}",
- }
- }
+ exim::manualroute{ $::fqdn: }
 @@ferm::rule::simple { "submission-from-${::fqdn}":
 tag => 'smtp::server::submission::to::mail-relay',
@@ -47,10 +41,7 @@ class roles::mta(
 }
 Ferm::Rule::Simple <<| tag == 'smtp::server::to::mail-satellite' |>> {
- port => $mailport == undef ? {
- true => 25,
- default => $mailport,
- }
+ port => $mailport
 }
 } else {
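Review bot: The new `exim::manualroute{ $::fqdn: }` in the satellite branch is not given `$mailport`, whereas the concat::fragment it replaces appended `::${mailport}` to the route whenever a port was configured; unless exim::manualroute does its own `exim::mail_port` lookup (its definition is outside this hunk), a non-default port would now be dropped from /etc/exim4/manualroute while the ferm collector below and the TLSA record at the end of the file still use it. If the type accepts a port, passing `$mailport` through explicitly keeps the three consumers in agreement; otherwise a comment on this line saying the type resolves the port itself would save the next reader the same question. The spacing `exim::manualroute{` also differs from the `@@ferm::rule::simple {` style two lines below; `exim::manualroute { $::fqdn: }` keeps it consistent. The `if` block and the class body continue past the end of this hunk.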
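Review bot: `port => $mailport` in the collector override drops the trailing comma that the other attribute lists in this file keep (`tag => '...',`, `target => '...',`), so the next attribute added here becomes a two-line diff; write `port => $mailport,`. The override itself is equivalent to the removed selector now that the lookup defaults to 25, so no behavioural point is raised. The `else` branch opened on the last line continues outside the hunk.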
@@ -60,9 +51,14 @@ class roles::mta(
 fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
 }
- ferm::rule::simple { 'dsa-smtp':
- description => 'Allow smtp access from the world',
- port => '25',
- }
+ # firewall allow is done by the exim::mx class
+ }
+
+ $autocertdir = hiera('paths.auto_certs_dir')
+ dnsextras::tlsa_record{ 'tlsa-mailport':
+ zone => 'debian.org',
+ certfile => "${autocertdir}/${::fqdn}.crt",
+ port => $mailport,
+ hostname => $::fqdn,
 }
 }
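Review bot: `$autocertdir = hiera('paths.auto_certs_dir')` uses the legacy hiera() function while the same commit moves `exim::mail_port` to `lookup()` in the first hunk; hiera() is deprecated in favour of lookup(), so `$autocertdir = lookup('paths.auto_certs_dir')` keeps the file on one API. The dnsextras::tlsa_record resource is declared after the `else` block closes, so every host with this role, satellites routed through the mail relays included, now publishes a TLSA record for `$mailport` and must have `${autocertdir}/${::fqdn}.crt` present at catalog time; if that is intended, a comment above the resource such as `# Publish a DANE TLSA record for the SMTP port on every MTA host, relay or satellite` would make it explicit. A TLSA record that lags behind certificate rotation makes DANE-validating senders refuse delivery, so it is worth confirming that the tlsa_record type (defined outside this hunk) recomputes the record from the current certfile on each run rather than only on first creation.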