postfix: Attempt a chain fix.

postfix/manifests/init.pp

@@ -32,6 +32,9 @@
 #   $postfix_cert:
 #       Path to SSL certificate. Defaults to puppet client certificate.
 #
+#   $postfix_chain:
+#       Path to intermediary CA cert.
+#
 #   $postgrey:
 #       Whether to run postgrey or not.
 #
@@ -81,6 +84,18 @@ class postfix {
         notify  => Service["postfix"],
     }
 
+    if $postfix_chain {
+        file { "${ssl::certs}/chain.crt":
+            ensure  => present,
+            source  => $postfix_chain,
+            mode    => "0644",
+            owner   => "root",
+            group   => "root",
+            require => Package["postfix"],
+            notify  => Service["postfix"],
+        }
+    }
+
     file { "${ssl::private}/postfix.key":
         ensure  => present,
         source  => $postfix_key,

postfix/templates/main.cf.erb

@@ -731,6 +731,9 @@ smtpd_sasl_security_options = noanonymous
 # TLS
 #
 smtpd_use_tls=yes
+<% if has_variable?("postfix_chain") -%>
+smtpd_tls_CAfile = <%= postfix_chain %>
+<% end -%>
 smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
 smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
 smtpd_tls_received_header = yes