Try to add firewalling to enable mail satellites to connect to the submission port...

diff --git a/modules/roles/manifests/mailrelay.pp b/modules/roles/manifests/mailrelay.pp
index 8bf8bee..87b9263 100644 (file)
--- a/modules/roles/manifests/mailrelay.pp
+++ b/modules/roles/manifests/mailrelay.pp
@@ -31,4 +31,10 @@ class roles::mailrelay {
     port        => '7', # will be overwritten on collection
     saddr       => $base::public_addresses,
   }
+
+  ferm::rule::simple { 'submission-from-satellites':
+    target => 'submission',
+    port   => 'submission',
+  }
+  Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>
 }

diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index 1dc8fae..d9bead4 100644 (file)
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -28,6 +28,7 @@ class roles::mta(
 
   $mxdata = dig($deprecated::nodeinfo, 'ldap', 'mXRecord')
   if $mxdata and $mxdata.any |$item| { $item =~ /INCOMING-MX/ } {
+    # a mail satellite.  Gets mail via the mailrelays and sends out mail via the mail relays
     $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => undef } )
 
     @@concat::fragment { "manualroute-to-${::fqdn}":
@@ -39,16 +40,26 @@ class roles::mta(
       }
     }
 
+    @@ferm::rule::simple { "submission-from-${::fqdn}":
+      tag   => 'smtp::server::submission::to::mail-relay',
+      chain => 'submission',
+      saddr => $base::public_addresses,
+    }
+
     Ferm::Rule::Simple <<| tag == 'smtp::server::to::mail-satellite' |>> {
       port => $mailport == undef ? {
         true    => 25,
         default => $mailport,
       }
     }
+
   } else {
+    # not a mail satellite
+
     if ! defined(Class['exim::mx']) and ! defined(Class['postfix']) {
       fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
     }
+
     ferm::rule::simple { 'dsa-smtp':
       description => 'Allow smtp access from the world',
       port        => '25',