From 90ce75f592da77241768d0f865cf21320d68dbe5 Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Wed, 30 Aug 2017 09:14:29 +0200
Subject: [PATCH] confine allow-all smtp in postfix to role lists

---
 modules/postfix/manifests/init.pp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/modules/postfix/manifests/init.pp b/modules/postfix/manifests/init.pp
index 6ac79cbb9..3367cbb04 100644
--- a/modules/postfix/manifests/init.pp
+++ b/modules/postfix/manifests/init.pp
@@ -1,5 +1,4 @@
 class postfix {
-
 	package { 'postfix':
 		ensure => installed
 	}
@@ -18,9 +17,11 @@ class postfix {
 	munin::check { 'ps_smtp': script => 'ps_' }
 	munin::check { 'ps_smtpd': script => 'ps_' }
 
-	@ferm::rule { 'smtp':
-		domain      => '(ip ip6)',
-		description => 'Allow smtp access',
-		rule        => '&SERVICE(tcp, 25)'
+	if has_role('lists') {
+		@ferm::rule { 'smtp':
+			domain      => '(ip ip6)',
+			description => 'Allow smtp access',
+			rule        => '&SERVICE(tcp, 25)'
+		}
 	}
 }
-- 
2.20.1