From b20d06b37f99e4fd8015abf9f54422803ef86593 Mon Sep 17 00:00:00 2001
From: Lari Huttunen
Date: Tue, 5 Mar 2013 17:03:29 +0100
Subject: [PATCH] postfix: Attempt a chain fix.
---
 postfix/manifests/init.pp | 15 +++++++++++++++
 postfix/templates/main.cf.erb | 3 +++
 2 files changed, 18 insertions(+)
diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp
index db5f709..bd42e6c 100644
--- a/postfix/manifests/init.pp
+++ b/postfix/manifests/init.pp
@@ -32,6 +32,9 @@
 # $postfix_cert:
 # Path to SSL certificate. Defaults to puppet client certificate.
 #
+# $postfix_chain:
+# Path to intermediary CA cert.
+#
 # $postgrey:
 # Whether to run postgrey or not.
 #
@@ -81,6 +84,18 @@ class postfix {
 notify => Service["postfix"],
 }

+ if $postfix_chain {
+ file { "${ssl::certs}/chain.crt":
+ ensure => present,
+ source => $postfix_chain,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ require => Package["postfix"],
+ notify => Service["postfix"],
+ }
+ }
+
 file { "${ssl::private}/postfix.key":
 ensure => present,
 source => $postfix_key,
diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb
index 81ff2ea..99e7b23 100644
--- a/postfix/templates/main.cf.erb
+++ b/postfix/templates/main.cf.erb
@@ -731,6 +731,9 @@ smtpd_sasl_security_options = noanonymous
 # TLS
 #
 smtpd_use_tls=yes
+<% if has_variable?("postfix_chain") -%>
+smtpd_tls_CAfile = <%= postfix_chain %>
+<% end -%>
 smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
 smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
 smtpd_tls_received_header = yes
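Review bot: The new resource installs the chain under the generic name `${ssl::certs}/chain.crt`, while the neighbouring files are module-prefixed (`postfix.key` just below, `postfix.crt` in the template). `${ssl::certs}` comes from a separate `ssl` class and so is presumably shared between modules; a second module declaring the same path would fail catalog compilation with a duplicate declaration. Naming it `file { "${ssl::certs}/postfix-chain.crt":` avoids that. A short comment above the `if` would also help, noting that the file is only managed while `$postfix_chain` is set and is not removed from the node when the variable is later unset. The rest of `class postfix` lies outside this hunk.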
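Review bot: `smtpd_tls_CAfile` is set to the raw `postfix_chain` value, which the manifest uses as the `source` of the file resource rather than the path the file is deployed to. If that value is a `puppet:///` URL or a path that exists only on the master, Postfix is pointed at a file it cannot read. Following the two lines below it, this should be `smtpd_tls_CAfile = <%= scope.lookupvar('ssl::certs') %>/chain.crt`. The guard also differs from the manifest: `has_variable?` can be true for an empty or false value where `if $postfix_chain` installs nothing, leaving a CAfile setting with no file behind it. Separately, certificates listed in `smtpd_tls_CAfile` are also trusted as issuers when Postfix verifies client certificates, so where client-certificate checks are enabled it is safer to append the intermediate to `postfix.crt` (server certificate first) than to load it as a CA file.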