From cbfcf80b2071271178ab5cad24d575decf524c70 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 22 Sep 2019 11:35:31 +0200
Subject: [PATCH] Try to add firewalling to enable mail satellites to connect to the submission port on the mail relays
---
 modules/roles/manifests/mailrelay.pp | 6 ++++++
 modules/roles/manifests/mta.pp | 11 +++++++++++
 2 files changed, 17 insertions(+)
diff --git a/modules/roles/manifests/mailrelay.pp b/modules/roles/manifests/mailrelay.pp
index 8bf8bee88..87b926351 100644
--- a/modules/roles/manifests/mailrelay.pp
+++ b/modules/roles/manifests/mailrelay.pp
@@ -31,4 +31,10 @@ class roles::mailrelay {
  port => '7', # will be overwritten on collection
  saddr => $base::public_addresses,
  }
+
+ ferm::rule::simple { 'submission-from-satellites':
+ target => 'submission',
+ port => 'submission',
+ }
+ Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>
  }
diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index 1dc8fae1a..d9bead43a 100644
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -28,6 +28,7 @@ class roles::mta(
  $mxdata = dig($deprecated::nodeinfo, 'ldap', 'mXRecord')
  if $mxdata and $mxdata.any |$item| { $item =~ /INCOMING-MX/ } {
+ # a mail satellite. Gets mail via the mailrelays and sends out mail via the mail relays
  $mailport = lookup( { 'name' => 'exim::mail_port', 'default_value' => undef } )
  @@concat::fragment { "manualroute-to-${::fqdn}":
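Review bot: The new INPUT-side rule `target => 'submission'` jumps to a chain named `submission` that is only populated by the collector on the following line, so on a relay where no satellite has exported a `smtp::server::submission::to::mail-relay` rule yet (first run, or after the last satellite is retired) that chain may never be declared, and a jump to an undefined chain makes ferm reject the whole ruleset rather than just this rule; whether the local ferm module declares chains implicitly is outside this diff, so please confirm. Declaring the `submission` chain in this manifest independently of what is collected would keep the rule loadable in the empty case. The collected rules also depend on this jump having already matched the destination port, which is worth recording next to the collector: `# 'submission' is only entered for dport submission, so collected rules carry no port of their own`.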
@@ -39,16 +40,26 @@ class roles::mta(
  }
  }
+ @@ferm::rule::simple { "submission-from-${::fqdn}":
+ tag => 'smtp::server::submission::to::mail-relay',
+ chain => 'submission',
+ saddr => $base::public_addresses,
+ }
+
  Ferm::Rule::Simple <<| tag == 'smtp::server::to::mail-satellite' |>> {
  port => $mailport == undef ? {
  true => 25,
  default => $mailport,
  }
  }
+ } else {
+ # not a mail satellite
+
  if ! defined(Class['exim::mx']) and ! defined(Class['postfix']) {
  fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
  }
+
  ferm::rule::simple { 'dsa-smtp':
  description => 'Allow smtp access from the world',
  port => '25',
-- 
2.20.1
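Review bot: The exported `@@ferm::rule::simple { "submission-from-${::fqdn}" }` sets neither `port` nor `target`, whereas the only other export of this type on the page, in mailrelay.pp, has to carry a placeholder `port => '7', # will be overwritten on collection`; if `ferm::rule::simple` treats `port` as mandatory (its definition is not in this diff) every relay collecting this resource fails catalog compilation, and if it does not, the rule relies entirely on the relay's INPUT-side jump to restrict the port. Making the intent explicit with `port => 'submission',` and `description => 'submission from mail satellite',` removes both doubts at no cost. Separately, the added `} else {` pairs with the `if $mxdata ...` block that opens outside this hunk, and with two bare `}` context lines at the top of the hunk the diff alone does not show that the braces still balance, so a compile of the manifest is worth checking before merge. The `exim::mx`/`postfix` sanity check and the world-open `dsa-smtp` rule now run only on non-satellites, which is a larger behavioural change than the subject line describes and deserves a sentence in the commit message.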