From: Peter Palfrader <peter@palfrader.org>
Date: Sun, 22 Sep 2019 14:59:25 +0000 (+0200)
Subject: Move allow-all smtp from the mta class to the exim and the lists class
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=8532689c735ba87e8c00161224e068c2ba06f640;p=mirror%2Fdsa-puppet.git

Move allow-all smtp from the mta class to the exim and the lists class

We have some hosts that get their @host mail from the smarthost,
but that still accept mail from the internet.
---

diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index bf7fd5ebf..8916c096a 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -26,4 +26,9 @@ class exim::mx(
   package { 'monitoring-plugins-standard':
     ensure => installed,
   }
+
+  ferm::rule::simple { 'dsa-smtp':
+    description => 'Allow smtp access from the world',
+    port        => '25',
+  }
 }
diff --git a/modules/roles/manifests/lists.pp b/modules/roles/manifests/lists.pp
index fe80ae4ce..bd9c72a09 100644
--- a/modules/roles/manifests/lists.pp
+++ b/modules/roles/manifests/lists.pp
@@ -5,4 +5,9 @@ class roles::lists {
     notify => Exec['service apache2 reload'],
     key    => true,
   }
+
+  ferm::rule::simple { 'dsa-smtp':
+    description => 'Allow smtp access from the world',
+    port        => '25',
+  }
 }
diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index 9044803dd..22fbb6619 100644
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -51,10 +51,7 @@ class roles::mta(
       fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
     }
 
-    ferm::rule::simple { 'dsa-smtp':
-      description => 'Allow smtp access from the world',
-      port        => '25',
-    }
+    # firewall allow is done by the exim::mx class
   }
 
   $autocertdir = hiera('paths.auto_certs_dir')