class exim {
- activate_munin_check {
- "ps_exim4": script => "ps_";
- "exim_mailqueue":;
- "exim_mailstats":;
- "postfix_mailqueue": ensure => absent;
- "postfix_mailstats": ensure => absent;
- "postfix_mailvolume": ensure => absent;
- }
+ munin::check { 'ps_exim4': script => 'ps_' }
+ munin::check { 'exim_mailqueue': }
+ munin::check { 'exim_mailstats': }
- package { exim4-daemon-heavy: ensure => installed }
+ munin::check { 'postfix_mailqueue': ensure => absent }
+ munin::check { 'postfix_mailstats': ensure => absent }
+ munin::check { 'postfix_mailvolume': ensure => absent }
- file {
- "/etc/exim4/":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- purge => true
- ;
- "/etc/exim4/Git":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///empty/"
- ;
- "/etc/exim4/conf.d":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///empty/"
- ;
- "/etc/exim4/ssl":
- ensure => directory,
- owner => root,
- group => Debian-exim,
- mode => 750,
- require => Package["exim4-daemon-heavy"],
- purge => true
- ;
- "/etc/mailname":
- content => template("exim/mailname.erb"),
- ;
- "/etc/exim4/exim4.conf":
- content => template("exim/eximconf.erb"),
- require => Package["exim4-daemon-heavy"],
- notify => Exec["exim4 reload"]
- ;
- "/etc/exim4/manualroute":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/manualroute.erb")
- ;
- "/etc/exim4/host_blacklist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/host_blacklist",
- "puppet:///exim/common/host_blacklist" ]
- ;
- "/etc/exim4/blacklist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/blacklist",
- "puppet:///exim/common/blacklist" ]
- ;
- "/etc/exim4/callout_users":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/callout_users",
- "puppet:///exim/common/callout_users" ]
- ;
- "/etc/exim4/grey_users":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/grey_users",
- "puppet:///exim/common/grey_users" ]
- ;
- "/etc/exim4/helo-check":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/helo-check",
- "puppet:///exim/common/helo-check" ]
- ;
- "/etc/exim4/locals":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/locals.erb")
- ;
- "/etc/exim4/localusers":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/localusers",
- "puppet:///exim/common/localusers" ]
- ;
- "/etc/exim4/rbllist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/rbllist",
- "puppet:///exim/common/rbllist" ]
- ;
- "/etc/exim4/rhsbllist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/rhsbllist",
- "puppet:///exim/common/rhsbllist" ]
- ;
- "/etc/exim4/virtualdomains":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/virtualdomains.erb")
- ;
- "/etc/exim4/whitelist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/whitelist",
- "puppet:///exim/common/whitelist" ]
- ;
- "/etc/logrotate.d/exim4-base":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-base",
- "puppet:///exim/common/logrotate-exim4-base" ]
- ;
- "/etc/logrotate.d/exim4-paniclog":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-paniclog",
- "puppet:///exim/common/logrotate-exim4-paniclog" ]
- ;
- "/etc/exim4/ssl/thishost.crt":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///exim/certs/$fqdn.crt",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/etc/exim4/ssl/thishost.key":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///exim/certs/$fqdn.key",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/etc/exim4/ssl/ca.crt":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///exim/certs/ca.crt",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/etc/exim4/ssl/ca.crl":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///exim/certs/ca.crl",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- }
+ package { 'exim4-daemon-heavy': ensure => installed }
+
+ service { 'exim4':
+ ensure => running,
+ require => File['/etc/exim4/exim4.conf'],
+ }
+
+ file { '/etc/exim4/':
+ ensure => directory,
+ mode => '0755',
+ require => Package['exim4-daemon-heavy'],
+ purge => true,
+ }
+ file { '/etc/exim4/Git':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/exim4/conf.d':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/exim4/ssl':
+ ensure => directory,
+ group => Debian-exim,
+ mode => '0750',
+ purge => true,
+ }
+ file { '/etc/exim4/exim4.conf':
+ content => template('exim/eximconf.erb'),
+ notify => Service['exim4'],
+ }
+ file { '/etc/mailname':
+ content => template('exim/mailname.erb'),
+ }
+ file { '/etc/exim4/manualroute':
+ content => template('exim/manualroute.erb')
+ }
+ file { '/etc/exim4/locals':
+ content => template('exim/locals.erb')
+ }
+ file { '/etc/exim4/virtualdomains':
+ content => template('exim/virtualdomains.erb'),
+ }
+ file { '/etc/exim4/submission-domains':
+ content => template('exim/common/submission-domains.erb'),
+ }
+ file { '/etc/exim4/host_blacklist':
+ source => 'puppet:///modules/exim/common/host_blacklist',
+ }
+ file { '/etc/exim4/blacklist':
+ source => 'puppet:///modules/exim/common/blacklist',
+ }
+ file { '/etc/exim4/callout_users':
+ source => 'puppet:///modules/exim/common/callout_users',
+ }
+ file { '/etc/exim4/grey_users':
+ source => 'puppet:///modules/exim/common/grey_users',
+ }
+ file { '/etc/exim4/helo-check':
+ source => 'puppet:///modules/exim/common/helo-check',
+ }
+ file { '/etc/exim4/localusers':
+ source => 'puppet:///modules/exim/common/localusers',
+ }
+ file { '/etc/exim4/rbllist':
+ source => 'puppet:///modules/exim/common/rbllist',
+ }
+ file { '/etc/exim4/rhsbllist':
+ source => 'puppet:///modules/exim/common/rhsbllist',
+ }
+ file { '/etc/exim4/whitelist':
+ source => 'puppet:///modules/exim/common/whitelist',
+ }
+ file { '/etc/logrotate.d/exim4-base':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-base',
+ }
+ file { '/etc/logrotate.d/exim4-paniclog':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
+ }
+ file { '/etc/exim4/ssl/thishost.crt':
+ source => "puppet:///modules/exim/certs/${::fqdn}.crt",
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/thishost.key':
+ source => "puppet:///modules/exim/certs/${::fqdn}.key",
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crt':
+ source => 'puppet:///modules/exim/certs/ca.crt',
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crl':
+ source => 'puppet:///modules/exim/certs/ca.crl',
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/var/log/exim4':
+ ensure => directory,
+ mode => '2750',
+ owner => Debian-exim,
+ group => maillog,
+ }
+
+ case getfromhash($site::nodeinfo, 'mail_port') {
+ /^(\d+)$/: { $mail_port = $1 }
+ default: { $mail_port = 'smtp' }
+ }
+
+ @ferm::rule { 'dsa-exim':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)'
+ }
+
+ @ferm::rule { 'dsa-exim-v6':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)'
+ }
+
+ # Do we actually want this? I'm only doing it because it's harmless
+ # and makes the logs quiet. There are better ways of making logs quiet,
+ # though.
+ @ferm::rule { 'dsa-ident':
+ domain => '(ip ip6)',
+ description => 'Allow ident access',
+ rule => '&SERVICE(tcp, 113)'
+ }
- exec { "exim4 reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
}