Move allow-all smtp from the mta class to the exim and the lists class

We have some hosts that get their @host mail from the smarthost,
but that still accept mail from the internet.

diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index bf7fd5e..8916c09 100644 (file)
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -26,4 +26,9 @@ class exim::mx(
   package { 'monitoring-plugins-standard':
     ensure => installed,
   }
+
+  ferm::rule::simple { 'dsa-smtp':
+    description => 'Allow smtp access from the world',
+    port        => '25',
+  }
 }

diff --git a/modules/roles/manifests/lists.pp b/modules/roles/manifests/lists.pp
index fe80ae4..bd9c72a 100644 (file)
--- a/modules/roles/manifests/lists.pp
+++ b/modules/roles/manifests/lists.pp
@@ -5,4 +5,9 @@ class roles::lists {
     notify => Exec['service apache2 reload'],
     key    => true,
   }
+
+  ferm::rule::simple { 'dsa-smtp':
+    description => 'Allow smtp access from the world',
+    port        => '25',
+  }
 }

diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp
index 9044803..22fbb66 100644 (file)
--- a/modules/roles/manifests/mta.pp
+++ b/modules/roles/manifests/mta.pp
@@ -51,10 +51,7 @@ class roles::mta(
       fail('We are not an exim::mx (or a postfix) yet do not have set our MXs to INCOMING-MX.')
     }
 
-    ferm::rule::simple { 'dsa-smtp':
-      description => 'Allow smtp access from the world',
-      port        => '25',
-    }
+    # firewall allow is done by the exim::mx class
   }
 
   $autocertdir = hiera('paths.auto_certs_dir')