From 8532689c735ba87e8c00161224e068c2ba06f640 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 22 Sep 2019 16:59:25 +0200
Subject: [PATCH] Move allow-all smtp from the mta class to the exim and the lists class

We have some hosts that get their @host mail from the smarthost, but that still accept mail from the internet.
---
 modules/exim/manifests/mx.pp | 5 +++++
 modules/roles/manifests/lists.pp | 5 +++++
 modules/roles/manifests/mta.pp | 5 +----
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index bf7fd5ebf..8916c096a 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -26,4 +26,9 @@ class exim::mx(
 package { 'monitoring-plugins-standard':
 ensure => installed,
 }
+
+ ferm::rule::simple { 'dsa-smtp':
+ description => 'Allow smtp access from the world',
+ port => '25',
+ }
 }
diff --git a/modules/roles/manifests/lists.pp b/modules/roles/manifests/lists.pp
index fe80ae4ce..bd9c72a09 100644
--- a/modules/roles/manifests/lists.pp
+++ b/modules/roles/manifests/lists.pp
@@ -5,4 +5,9 @@ class roles::lists {
 notify => Exec['service apache2 reload'],
 key => true,
 }
+
+ ferm::rule::simple { 'dsa-smtp':
+ description => 'Allow smtp access from the world',
+ port => '25',
+ }
 }
diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index 9044803dd..22fbb6619 100644
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -51,10 +51,7 @@ class roles::mta(
 fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
 }
- ferm::rule::simple { 'dsa-smtp':
- description => 'Allow smtp access from the world',
- port => '25',
- }
+ # firewall allow is done by the exim::mx class
 }
 $autocertdir = hiera('paths.auto_certs_dir')
-- 
2.20.1
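Review bot: The `ferm::rule::simple { 'dsa-smtp': ... }` added to `exim::mx` in modules/exim/manifests/mx.pp has the same resource title as the one added to `roles::lists` in modules/roles/manifests/lists.pp, so a node that includes both classes would fail catalog compilation with a duplicate declaration. Nothing visible here shows whether such a node exists, but the failure would only appear when that host's catalog is compiled. Declaring the rule once in a small shared class that both classes `include`, or giving the two rules distinct titles (for example `'dsa-smtp-mx'` and `'dsa-smtp-lists'`), avoids that. A one-line comment above each rule stating why this class must accept port 25 from the internet would also make later firewall audits easier.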
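Review bot: The replacement comment `# firewall allow is done by the exim::mx class` in modules/roles/manifests/mta.pp names only one of the two classes that now open port 25, although `roles::lists` gets the same rule in this commit. The `fail()` message just above also treats postfix hosts as valid MXs, and the hunk does not show that every such host includes one of those two classes, so a postfix MX outside `roles::lists` could end up with inbound SMTP blocked by the firewall. I would word the comment as `# port 25 is opened to the world by exim::mx and roles::lists only; other hosts get their mail via the smarthost` and confirm that no other role still needs the rule. The enclosing block starts before this hunk and the class body continues after it.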