Retire debian_org::mail_incoming_port which did the default firewalling for the mail...

[mirror/dsa-puppet.git] / modules / exim / manifests / init.pp

# our exim class
# @param use_smarthost use the smarthost
# @param smarthost host to relay through (if set and use_smarthost)
# @param is_bugsmx this system handles bugs.debian.org
# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts
# @param is_rtmaster this system handles rt.debian.org
# @param is_packagesmaster this system handles packagesrt.debian.org
# @param is_packagesqamaster this system handles packages.qa.debian.org
# @param mail_port override the default incoming mailport (only applicable for hosts behind an incoming relay)
# @param smarthost_port the port on which satellites send mail to the smarthost (needs to be the same on both sides)
class exim (
  Optional[String] $smarthost,
  Boolean $use_smarthost = true,
  Boolean $is_bugsmx = false,
  Boolean $is_mailrelay = false,
  Boolean $is_rtmaster = false,
  Boolean $is_packagesmaster = false,
  Boolean $is_packagesqamaster = false,
  Integer $smarthost_port = 587,
  Optional[Integer] $mail_port = undef,
) {
  include exim::vdomain::setup

  if $use_smarthost {
    $heavy = false

    if ! smarthost {
      fail('No smarthost set but use_smarthost is true')
    }
  } else {
    $heavy = true
    if $mail_port {
      fail('Cannot override mail_port in heavy/no-smarthost hosts')
    }
  }

  munin::check { 'ps_exim4': script => 'ps_' }
  munin::check { 'exim_mailqueue': }
  munin::check { 'exim_mailstats': }

  munin::check { 'postfix_mailqueue':  ensure => absent }
  munin::check { 'postfix_mailstats':  ensure => absent }
  munin::check { 'postfix_mailvolume': ensure => absent }

  package { 'exim4-daemon-heavy': ensure => installed }

  Package['exim4-daemon-heavy']->Mailalias<| |>

  concat::fragment { 'virtual_domain_template':
    target  => '/etc/exim4/virtualdomains',
    content => template('exim/virtualdomains.erb'),
    order   => '05',
  }

  service { 'exim4':
    ensure  => running,
    require => [
      File['/etc/exim4/exim4.conf'],
      Package['exim4-daemon-heavy'],
    ]
  }

  file { '/etc/exim4/':
    ensure  => directory,
    mode    => '0755',
    require => Package['exim4-daemon-heavy'],
    purge   => true,
  }
  file { '/etc/exim4/conf.d':
    ensure  => directory,
    purge   => true,
    force   => true,
    recurse => true,
    source  => 'puppet:///files/empty/',
  }
  file { '/etc/exim4/ssl':
    ensure => directory,
    group  => 'Debian-exim',
    mode   => '0750',
    purge  => true,
  }
  file { '/etc/exim4/exim4.conf':
    content => template('exim/eximconf.erb'),
    require => File['/etc/exim4/ssl/thishost.crt'],
    notify  => Service['exim4'],
  }
  file { '/etc/mailname':
    content => template('exim/mailname.erb'),
  }
  file { '/etc/exim4/manualroute':
    content => template('exim/manualroute.erb')
  }
  file { '/etc/exim4/locals':
    content => template('exim/locals.erb')
  }
  file { '/etc/exim4/submission-domains':
    content => template('exim/submission-domains.erb'),
  }
  file { '/etc/exim4/host_blacklist':
    source => 'puppet:///modules/exim/common/host_blacklist',
  }
  file { '/etc/exim4/blacklist':
    source => 'puppet:///modules/exim/common/blacklist',
  }
  file { '/etc/exim4/callout_users':
    source => 'puppet:///modules/exim/common/callout_users',
  }
  file { '/etc/exim4/grey_users':
    source => 'puppet:///modules/exim/common/grey_users',
  }
  file { '/etc/exim4/helo-check':
    source => 'puppet:///modules/exim/common/helo-check',
  }
  file { '/etc/exim4/localusers':
    source => 'puppet:///modules/exim/common/localusers',
  }
  file { '/etc/exim4/rbllist':
    source => 'puppet:///modules/exim/common/rbllist',
  }
  file { '/etc/exim4/rhsbllist':
    source => 'puppet:///modules/exim/common/rhsbllist',
  }
  file { '/etc/exim4/whitelist':
    source => 'puppet:///modules/exim/common/whitelist',
  }
  file { '/etc/logrotate.d/exim4-base':
    source => 'puppet:///modules/exim/common/logrotate-exim4-base',
  }
  file { '/etc/logrotate.d/exim4-paniclog':
    source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
  }
  file { '/etc/exim4/ssl/thishost.crt':
    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
    group   => 'Debian-exim',
    mode    => '0640',
  }
  file { '/etc/exim4/ssl/thishost.key':
    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
    group   => 'Debian-exim',
    mode    => '0640',
  }
  file { '/etc/exim4/ssl/ca.crt':
    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'),
    group   => 'Debian-exim',
    mode    => '0640',
  }
  file { '/etc/exim4/ssl/ca.crl':
    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'),
    group   => 'Debian-exim',
    mode    => '0640',
  }
  file { '/var/log/exim4':
    ensure => directory,
    mode   => '2750',
    owner  => 'Debian-exim',
    group  => maillog,
  }

  # Do we actually want this?  I'm only doing it because it's harmless
  # and makes the logs quiet.  There are better ways of making logs quiet,
  # though.
  ferm::rule { 'dsa-ident':
    domain      => '(ip ip6)',
    description => 'Allow ident access',
    rule        => '&SERVICE(tcp, 113)'
  }

  # These only affect the alias @$fqdn, not say, @debian.org

  mailalias { [
    'postmaster',
    'hostmaster',
    'usenet',
    'webmaster',
    'abuse',
    'noc',
    'security',
  ]:
    ensure => absent
  }
}