class exim {
+ activate_munin_check {
+ "ps_exim4": script => "ps_";
+ "exim_mailqueue":;
+ "exim_mailstats":;
+ "postfix_mailqueue": ensure => absent;
+ "postfix_mailstats": ensure => absent;
+ "postfix_mailvolume": ensure => absent;
+ }
+
- package { exim4-daemon-heavy: ensure => latest }
+ package { exim4-daemon-heavy: ensure => installed }
file {
"/etc/exim4/":
mode => 755,
purge => true
;
+ "/etc/exim4/Git":
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => "puppet:///files/empty/"
+ ;
+ "/etc/exim4/conf.d":
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => "puppet:///files/empty/"
+ ;
+ "/etc/exim4/ssl":
+ ensure => directory,
+ owner => root,
+ group => Debian-exim,
+ mode => 750,
+ require => Package["exim4-daemon-heavy"],
+ purge => true
+ ;
+ "/etc/mailname":
+ content => template("exim/mailname.erb"),
+ ;
"/etc/exim4/exim4.conf":
- source => [ "puppet:///exim/per-host/$fqdn/exim4.conf",
- "puppet:///exim/common/exim4.conf" ],
+ content => template("exim/eximconf.erb"),
require => Package["exim4-daemon-heavy"],
notify => Exec["exim4 reload"]
+ ;
+ "/etc/exim4/manualroute":
+ require => Package["exim4-daemon-heavy"],
+ content => template("exim/manualroute.erb")
+ ;
+ "/etc/exim4/host_blacklist":
+ require => Package["exim4-daemon-heavy"],
+ source => [ "puppet:///exim/per-host/$fqdn/host_blacklist",
+ "puppet:///exim/common/host_blacklist" ]
;
"/etc/exim4/blacklist":
require => Package["exim4-daemon-heavy"],
;
"/etc/exim4/locals":
require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/locals",
- "puppet:///exim/common/locals" ]
+ content => template("exim/locals.erb")
;
"/etc/exim4/localusers":
require => Package["exim4-daemon-heavy"],
source => [ "puppet:///exim/per-host/$fqdn/rbllist",
"puppet:///exim/common/rbllist" ]
;
- "/etc/exim4/rcpthosts":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/rcpthosts",
- "puppet:///exim/common/rcpthosts" ]
- ;
"/etc/exim4/rhsbllist":
require => Package["exim4-daemon-heavy"],
source => [ "puppet:///exim/per-host/$fqdn/rhsbllist",
;
"/etc/exim4/virtualdomains":
require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/virtualdomains",
- "puppet:///exim/common/virtualdomains" ]
+ content => template("exim/virtualdomains.erb")
;
"/etc/exim4/whitelist":
require => Package["exim4-daemon-heavy"],
source => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-paniclog",
"puppet:///exim/common/logrotate-exim4-paniclog" ]
;
+ "/etc/exim4/ssl/thishost.crt":
+ require => Package["exim4-daemon-heavy"],
+ source => "puppet:///exim/certs/$fqdn.crt",
+ owner => root,
+ group => Debian-exim,
+ mode => 640
+ ;
+ "/etc/exim4/ssl/thishost.key":
+ require => Package["exim4-daemon-heavy"],
+ source => "puppet:///exim/certs/$fqdn.key",
+ owner => root,
+ group => Debian-exim,
+ mode => 640
+ ;
+ "/etc/exim4/ssl/ca.crt":
+ require => Package["exim4-daemon-heavy"],
+ source => "puppet:///exim/certs/ca.crt",
+ owner => root,
+ group => Debian-exim,
+ mode => 640
+ ;
+ "/etc/exim4/ssl/ca.crl":
+ require => Package["exim4-daemon-heavy"],
+ source => "puppet:///exim/certs/ca.crl",
+ owner => root,
+ group => Debian-exim,
+ mode => 640
+ ;
+ "/var/log/exim4":
+ mode => 2750,
+ ensure => directory,
+ owner => Debian-exim,
+ group => maillog
+ ;
}
exec { "exim4 reload":
path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
refreshonly => true,
}
-}
-
-class exim-extended inherits exim {
- file {
- "/etc/exim4/test":
- require => Package["exim4-daemon-heavy"],
- content => template("exim-test.erb")
- ;
+ @ferm::rule { "dsa-exim":
+ description => "Allow SMTP",
+ rule => "&SERVICE_RANGE(tcp, smtp, \$SSH_SOURCES)"
+ }
+ @ferm::rule { "dsa-exim-v6":
+ description => "Allow SMTP",
+ domain => "ip6",
+ rule => "&SERVICE_RANGE(tcp, smtp, \$SSH_SOURCES)"
+ }
+ # Do we actually want this? I'm only doing it because it's harmless
+ # and makes the logs quiet. There are better ways of making logs quiet,
+ # though.
+ @ferm::rule { "dsa-ident":
+ domain => "(ip ip6)",
+ description => "Allow ident access",
+ rule => "&SERVICE(tcp, 113)"
}
}
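Review bot: The `dsa-exim` and `dsa-exim-v6` rules at the end of the hunk pass `\$SSH_SOURCES` to `&SERVICE_RANGE(tcp, smtp, …)`, so port 25 is opened only to whatever the SSH source list contains, which does not match the description "Allow SMTP" and looks copied from an SSH rule. If unrestricted SMTP is intended, `rule => "&SERVICE(tcp, smtp)"` (the form `dsa-ident` already uses) says so; if a restriction is intended, it deserves a variable named for mail sources. Separately, `thishost.key` is served from `puppet:///exim/certs/$fqdn.key`; unless the fileserver configuration (not visible here) limits that path per host, any enrolled agent may be able to request another host's private key, so a comment such as `# access to exim/certs is restricted per host in fileserver.conf` should record where that control lives. The `/etc/exim4/ssl` directory earlier in the change sets `purge => true` without `recurse => true`, which as far as I know Puppet does not act on, so stale keys or certificates would stay in that directory.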