From ec7c903536ebb53cb41646fa79261f686c3d1b22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Thu, 10 May 2012 09:02:15 +0300
Subject: [PATCH] Refactored sendmail::server.
---
 sendmail/files/aliases | 19 +++
 sendmail/files/empty | 0
 sendmail/manifests/init.pp | 203 ++++++++++++++++++++++++-----
 sendmail/templates/sendmail.mc.erb | 43 ++++--
 4 files changed, 228 insertions(+), 37 deletions(-)
 create mode 100644 sendmail/files/aliases
 create mode 100644 sendmail/files/empty
diff --git a/sendmail/files/aliases b/sendmail/files/aliases
new file mode 100644
index 0000000..42a6b60
--- /dev/null
+++ b/sendmail/files/aliases
@@ -0,0 +1,19 @@
+#
+# Aliases in this file will NOT be expanded in the header from
+# Mail, but WILL be visible over networks or from /bin/mail.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to sendmail.
+#
+
+# Basic system aliases -- these MUST be present.
+mailer-daemon: postmaster
+postmaster: root
+
+# General redirections for important pseudo accounts
+daemon: root
+
+# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
+abuse: root
+security: root
diff --git a/sendmail/files/empty b/sendmail/files/empty
new file mode 100644
index 0000000..e69de29
diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp
index 4edba7b..53ad628 100644
--- a/sendmail/manifests/init.pp
+++ b/sendmail/manifests/init.pp
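Review bot: Every alias in this file, including the RFC 2142 `abuse:` and `security:` mailboxes, resolves to `root`, yet no `root:` alias is defined, so on a host where nobody reads root's local spool those reports land in an unread mailbox. Because this copy is only the fallback behind `puppet:///files/mail/aliases`, the expectation should at least be written down, e.g. a trailing `# Site-specific: add a root: alias pointing at a monitored mailbox in files/mail/aliases.` The alias itself cannot be chosen generically, so I would not add it to the module copy, only the comment.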
@@ -112,24 +112,65 @@ class sendmail::client::msa inherits sendmail::client { # Configure Sendmail server. # -# $sendmail_domain: +# $mail_domain: # SMTP domain name. +# +# $sendmail_auth_mech: +# List of authentication mechanisms to use. Defaults to PLAIN and LOGIN. +# +# $sendmail_ssl_key: +# +# $sendmail_ssl_cert: +# class sendmail::server inherits sendmail::common { include procmail + if !$sendmail_auth_mech { + $sendmail_auth_mech = [ "PLAIN", "LOGIN", ] + } + + $ssl_key = basename($sendmail_ssl_key) + $ssl_cert = basename($sendmail_ssl_cert) + if $sendmail_ssl_chain { + $ssl_chain = basename($sendmail_ssl_chain) + } + case $operatingsystem { - centos,redhat: { - $sendmail_ostype = "linux" - $group = "root" + "centos","fedora": { File["/etc/sysconfig/sendmail"] { content => "DAEMON=yes\nQUEUE=1h\n", } - } ubuntu: { - fail("Operating system not supported.") - } openbsd: { - $sendmail_ostype = "openbsd" - $group = "wheel" + } + default: { + fail("sendmail::server not supported in '${::operatingsystem}'") + } + } + + file { "/etc/pki/tls/private/${ssl_key}": + ensure => present, + source => $sendmail_ssl_key, + mode => "0600", + owner => "root", + group => "root", + notify => Service["sendmail"], + } + file { "/etc/pki/tls/certs/${ssl_cert}": + ensure => present, + source => $sendmail_ssl_cert, + mode => "0644", + owner => "root", + group => "root", + notify => Service["sendmail"], + } + if $ssl_chain { + file { "/etc/pki/tls/certs/${ssl_chain}": + ensure => present, + source => $sendmail_ssl_chain, + mode => "0644", + owner => "root", + group => "root", + notify => Service["sendmail"], } } 
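Review bot: `basename($sendmail_ssl_key)` and `basename($sendmail_ssl_cert)` run unconditionally, so a node that does not set both variables either aborts inside `basename()` or, depending on how the function treats an empty value, declares a file resource at a bare `/etc/pki/tls/private/` and a sendmail.cf with empty `confSERVER_KEY`/`confSERVER_CERT` paths; the header comment also leaves both parameters undocumented (`# $sendmail_ssl_key:` and `# $sendmail_ssl_cert:` are empty stubs). I would guard them before the basename calls, in the same style as the auth-mech default: `if !$sendmail_ssl_key or !$sendmail_ssl_cert { fail("sendmail::server requires \$sendmail_ssl_key and \$sendmail_ssl_cert") }`, and fill in the stubs, e.g. `# puppet:// source of the PEM private key; installed root:root 0600 under /etc/pki/tls/private.` The 0600 root-owned key is what sendmail's safe-file checks expect, so that part looks right. The enclosing class `sendmail::server` continues past this hunk.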
@@ -140,47 +181,151 @@ class sendmail::server inherits sendmail::common { }, content => template("sendmail/sendmail.mc.erb"), owner => "root", - group => $group, + group => "root", mode => "0644", notify => Exec["make sendmail.cf"], } - - file { "/etc/aliases": - ensure => present, - notify => Exec["newaliases"], - owner => "root", - group => $group, - mode => "0644", - } - exec { "make sendmail.cf": - path => "/bin:/usr/bin:/sbin:/usr/sbin", + path => "/bin:/usr/bin:/sbin:/usr/sbin:/etc/mail", cwd => $operatingsystem ? { - openbsd => "/usr/share/sendmail/cf", - default => "/etc/mail", + "openbsd" => "/usr/share/sendmail/cf", + default => "/etc/mail", }, require => $operatingsystem ? { - openbsd => undef, - default => Package["sendmail"], + "openbsd" => undef, + default => Package["sendmail"], }, refreshonly => true, } - file { "/etc/mail/sendmail.cf": ensure => present, - owner => "root", - group => $group, mode => "0644", + owner => "root", + group => "root", source => $operatingsystem ? { - openbsd => "/usr/share/sendmail/cf/sendmail.cf", - default => undef, + "openbsd" => "/usr/share/sendmail/cf/sendmail.cf", + default => undef, }, require => Exec["make sendmail.cf"], notify => Service["sendmail"], } + file { "/etc/mail/certs": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } + exec { "populate-etc-mail-certs": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "csplit /etc/pki/tls/certs/ca-bundle.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0", + cwd => "/etc/mail/certs", + onlyif => "find /etc/mail/certs ! -newer /etc/pki/tls/certs/ca-bundle.crt | egrep '.*' || [ -z \"`ls /etc/mail/certs`\" ]", + require => File["/etc/mail/certs"], + before => Service["sendmail"], + } + + file { "/etc/aliases": + ensure => present, + name => $operatingsystem ? 
{ + "openbsd" => "/etc/mail/aliases", + default => "/etc/aliases", + }, + source => [ + "puppet:///files/mail/aliases", + "puppet:///modules/sendmail/aliases", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["newaliases"], + } exec { "newaliases": path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, } + + file { "/etc/mail/access": + ensure => present, + source => [ + "puppet:///files/mail/access", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make access.db"], + } + exec { "make access.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/access < /etc/mail/access", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/genericstable": + ensure => present, + source => [ + "puppet:///files/mail/genericstable", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make genericstable.db"], + } + exec { "make genericstable.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/genericstable < /etc/mail/genericstable", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/mailertable": + ensure => present, + source => [ + "puppet:///files/mail/mailertable", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make mailertable.db"], + } + exec { "make mailertable.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/mailertable < /etc/mail/mailertable", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/virtusertable": + ensure => present, + source => [ + "puppet:///files/mail/virtusertable", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make virtusertable.db"], + } + exec { "make 
virtusertable.db":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable",
+ refreshonly => true,
+ notify => Service["sendmail"],
+ }
+
+ file { "/etc/mail/local-host-names":
+ ensure => present,
+ source => [
+ "puppet:///files/mail/local-host-names",
+ "puppet:///modules/sendmail/local-host-names",
+ ],
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ }
+ }
diff --git a/sendmail/templates/sendmail.mc.erb b/sendmail/templates/sendmail.mc.erb
index c063bd5..05ec740 100644
--- a/sendmail/templates/sendmail.mc.erb
+++ b/sendmail/templates/sendmail.mc.erb
@@ -1,7 +1,14 @@
 divert(-1)dnl
+dnl #
+dnl # This file is managed by puppet so hand editing is not recommended.
+dnl #
+<% if ['CentOS','Fedora'].index(operatingsystem) -%>
 include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
-VERSIONID(`setup for <%= sendmail_ostype %>')dnl
-OSTYPE(`<%= sendmail_ostype %>')dnl
+<% elsif operatingsystem == 'Ubuntu' -%>
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+<% end -%>
+VERSIONID(`puppet sendmail::server')dnl
+dnl #
 define(`confDEF_USER_ID', ``8:12'')dnl
 define(`confTO_CONNECT', `1m')dnl
 define(`confTRY_NULL_MX_LIST', `True')dnl
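Review bot: In `exec { "populate-etc-mail-certs": ... }` the `csplit` and the `sh -c` loop are joined with `;` and the command's exit status is that of the trailing `rm -f x* .0`, so a missing or unreadable `/etc/pki/tls/certs/ca-bundle.crt` or a failing `openssl x509` still reports success; since the exec is ordered `before => Service["sendmail"]`, the daemon would then start with an empty `confCACERT_PATH` directory and no CA to verify any peer against. Chain the steps with `&&` and assert that at least one hashed cert was produced: `command => "csplit /etc/pki/tls/certs/ca-bundle.crt '/BEGIN/' '{*}' && sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0 && ls *.0 >/dev/null",` (the existing `rm -f ... .0` already disposes of the pre-BEGIN fragment that fails to hash). The four `makemap` execs leave the generated `.db` files with makemap's default permissions; if access.db is meant to be unreadable to ordinary users, manage those files' modes explicitly. The enclosing class `sendmail::server` starts before this hunk.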
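Review bot: The `<% elsif operatingsystem == 'Ubuntu' -%>` branch is unreachable from the refactored manifest, whose `case $operatingsystem` fails for anything other than centos/fedora, and a node matching neither branch gets no `include(...cf.m4)` line at all, so the cf.m4 macros (`FEATURE`, `DAEMON_OPTIONS`, `MAILER`, ...) stay undefined and are copied literally into sendmail.cf while `make sendmail.cf` still succeeds. I would make the template fail loudly instead of emitting an incomplete file: `<% else -%>` / `<% raise "sendmail.mc.erb: unsupported operatingsystem #{operatingsystem}" -%>` before the `<% end -%>`. Either drop the Ubuntu branch or add Ubuntu to the manifest's case so the two stay consistent.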
@@ -13,6 +20,20 @@ define(`UUCP_MAILER_MAX', `2000000')dnl
 define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
 define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
 define(`confTO_IDENT', `0')dnl
+dnl #
+define(`confAUTH_OPTIONS', `A p y')dnl
+TRUST_AUTH_MECH(`<%= sendmail_auth_mech.join(' ') %>')dnl
+define(`confAUTH_MECHANISMS', `<%= sendmail_auth_mech.join(' ') %>')dnl
+dnl #
+define(`confCACERT_PATH', `/etc/mail/certs')
+<% if has_variable?('ssl_chain') -%>
+define(`confCACERT', `/etc/pki/tls/certs/<%= ssl_chain %>')
+<% end -%>
+define(`confSERVER_CERT', `/etc/pki/tls/certs/<%= ssl_cert %>')
+define(`confSERVER_KEY', `/etc/pki/tls/private/<%= ssl_key %>')
+define(`confCLIENT_CERT', `/etc/pki/tls/certs/<%= ssl_cert %>')
+define(`confCLIENT_KEY', `/etc/pki/tls/private/<%= ssl_key %>')
+dnl #
 FEATURE(`no_default_msa', `dnl')dnl
 FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
 FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
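Review bot: STARTTLS is enabled here with a server key and certificate, but nothing restricts protocol versions or cipher suites, so the daemon negotiates whatever the linked OpenSSL offers by default (for a 2012 build that includes SSLv2/SSLv3 and export-grade ciphers); the `p` in `confAUTH_OPTIONS` correctly refuses the manifest's PLAIN/LOGIN defaults on a cleartext session, but that protection is only as good as the TLS layer underneath. If the installed sendmail supports them (8.14.4 or later, to be confirmed) I would add `define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3')dnl` and `define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3')dnl` after the key/cert defines, plus a `confCIPHER_LIST` matching site policy. `confCACERT_PATH` points at a directory populated from the whole OS CA bundle, which is fine for verifying outbound peers but means a client certificate from any public CA may show up as `verify=OK`, so access.db rules must not treat that state as authentication. Style: the `confCACERT_PATH` through `confCLIENT_KEY` lines lack the trailing `dnl` used everywhere else and will leave blank lines in sendmail.cf.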
@@ -23,19 +44,25 @@ FEATURE(redirect)dnl
 FEATURE(always_add_domain)dnl
 FEATURE(use_cw_file)dnl
 FEATURE(use_ct_file)dnl
+dnl #
 FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
 FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl
 FEATURE(`blacklist_recipients')dnl
 EXPOSED_USER(`root')dnl
+dnl #
 DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
-FEATURE(`accept_unresolvable_domains')dnl
-LOCAL_DOMAIN(`localhost.localdomain')dnl
-MASQUERADE_AS(`<%= sendmail_domain %>')dnl
+DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
+dnl #
+LOCAL_DOMAIN`localhost.localdomain')dnl
+MASQUERADE_AS(`<%= mail_domain %>')dnl
 FEATURE(masquerade_envelope)dnl
 FEATURE(allmasquerade)dnl
-define(`confMATCH_GECOS')dnl
-define(`confDOMAIN_NAME', `<%= sendmail_domain %>')dnl
-define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFileSafe,GroupWritableForwardFile,ForwardFileInGroupWritableDirPath')dnl
 FEATURE(masquerade_entire_domain)dnl
+FEATURE(`accept_unresolvable_domains')dnl
+dnl #
+define(`confMATCH_GECOS')dnl
+define(`confDOMAIN_NAME', `<%= mail_domain %>')dnl
+define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFileSafe,GroupWritableForwardFile,ForwardFileInGroupWritableDirPath')dnl
+dnl #
 MAILER(smtp)dnl
 MAILER(procmail)dnl
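Review bot: The re-added `LOCAL_DOMAIN`localhost.localdomain')dnl` line has lost its opening parenthesis (the removed line reads `LOCAL_DOMAIN(`localhost.localdomain')dnl`); as shown, m4 expands `LOCAL_DOMAIN` with no argument and the quoted name is copied through as literal text, so the generated sendmail.cf no longer lists localhost.localdomain as a local domain. Restore it as `LOCAL_DOMAIN(`localhost.localdomain')dnl`; if the missing paren is an artifact of how this patch was pasted rather than of the patch itself, only the next point stands. Two settings the refactor moves deserve a why-comment, since they weaken the defaults: `FEATURE(`accept_unresolvable_domains')` disables the sender-domain DNS check and so makes forged senders easier, and the `confDONT_BLAME_SENDMAIL` value relaxes sendmail's group-writable checks on .forward and :include: files. If both are deliberate, a `dnl # why: ...` line above each would keep the next reviewer from removing them.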