From f906c34e9fb767be1c89efa8c2e5396fe210f30c Mon Sep 17 00:00:00 2001
From: Stephen Gran <steve@lobefin.net>
Date: Sat, 6 Mar 2010 12:14:19 +0000
Subject: [PATCH] restrict smtp

Signed-off-by: Stephen Gran <steve@lobefin.net>
---
 modules/exim/manifests/init.pp       | 10 ++++++---
 modules/ferm/templates/defs.conf.erb | 32 +++++++++++++++++++++++++++-
 modules/ferm/templates/me.conf.erb   | 30 ++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index 50484f90..61ab93ce 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
@@ -157,9 +157,13 @@ class exim {
         refreshonly => true,
     }
     @ferm::rule { "dsa-exim":
-            domain          => "(ip ip6)",
-            description     => "Allow smtp access",
-            rule            => "&SERVICE(tcp, 25)"
+            description     => "Allow SMTP",
+            rule            => "&SERVICE_RANGE(tcp, smtp, \$SSH_SOURCES)"
+    }
+    @ferm::rule { "dsa-exim-v6":
+            description     => "Allow SMTP",
+            domain          => "ip6",
+            rule            => "&SERVICE_RANGE(tcp, smtp, \$SSH_SOURCES)"
     }
     # Do we actually want this?  I'm only doing it because it's harmless
     # and makes the logs quiet.  There are better ways of making logs quiet,
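Review bot: Both new rules pass `\$SSH_SOURCES` to `&SERVICE_RANGE`, while the commit defines `$SMTP_SOURCES` and `$SMTP_V6_SOURCES` in me.conf.erb and never uses them, so inbound SMTP ends up restricted to the SSH allow-list and mail from the relay hosts (or from anywhere, when no smarthost is set) will be dropped. The rules should read `rule => "&SERVICE_RANGE(tcp, smtp, \$SMTP_SOURCES)"` for "dsa-exim" and `rule => "&SERVICE_RANGE(tcp, smtp, \$SMTP_V6_SOURCES)"` for "dsa-exim-v6", since the V4 and V6 definitions differ. The removed `domain => "(ip ip6)"` is not replaced on "dsa-exim", so the rule presumably falls back to the define's default domain; worth stating it explicitly as `domain => "ip"` to make the v4/v6 split obvious. The `class exim` body continues outside the hunk.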
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 2c97337a..e4b72b32 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -8,13 +8,43 @@
 }
 
 @def &SERVICE_RANGE($proto, $port, $srange) = {
- proto $proto mod state state (NEW) dport $port saddr ($srange) ACCEPT;
+ proto $proto mod state state (NEW) dport $port @subchain $port { saddr ($srange) ACCEPT; }"
 }
 
 @def &TCP_UDP_SERVICE($port) = {
  proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
 }
 
+@def $HOST_MAILRELAY_V4 = (<%=
+  mailrelay = []
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['mailrelay']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+             next if ip =~ /:/
+             mailrelay << ip
+          end
+      end
+  end
+
+  mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY_V6 = (<%=
+  mailrelay = []
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['mailrelay']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+             next if ip =~ /\./
+             mailrelay << ip
+          end
+      end
+  end
+
+  mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY = ( $HOST_MAILRELAY_V4 $HOST_MAILRELAY_V6 );
+
 @def $HOST_NAGIOS_V4 = (<%=
   nagii = []
   localinfo.keys.sort.each do |node|
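Review bot: The rewritten `&SERVICE_RANGE` line ends with a stray `"` after the closing `}`, which does not belong to ferm syntax and will most likely make the generated config fail to parse for every caller of the macro, not just the new SMTP rules. The line should be `proto $proto mod state state (NEW) dport $port @subchain $port { saddr ($srange) ACCEPT; }`. Naming the subchain after `$port` alone presumably collides if two callers use the same port name with different protocols; `@subchain "$proto-$port"` would be unambiguous, if ferm accepts that form here. The `$HOST_MAILRELAY_V4` and `$HOST_MAILRELAY_V6` blocks are identical except for the regex; a single helper with the pattern as argument, e.g. `mailrelay_ips(localinfo, keyinfo, /:/)`, would keep them from drifting apart.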
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 3aa52c21..690dc369 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -41,3 +41,33 @@ end
 
 sshallowed.join(' ')
 %>);
+
+def $SMTP_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+  smtpallowed = [ '$HOST_MAILRELAY_V4' ]
+end
+
+if smtpallowed.length == 0
+  smtpallowed = [ '0.0.0.0/0' ]
+end
+
+smtpallowed.join(' ')
+%>);
+
+def $SMTP_V6_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+  smtpallowed = [ '$HOST_MAILRELAY_V6' ]
+end
+
+if smtpallowed.length == 0
+  smtpallowed = [ '::' ]
+end
+
+smtpallowed.join(' ')
+%>);
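Review bot: Both new definitions start with `def $SMTP_SOURCES =(` and `def $SMTP_V6_SOURCES =(` without the leading `@`, unlike `@def $HOST_MAILRELAY_V4` in defs.conf.erb, so ferm will not recognise them as variable definitions; they should be `@def $SMTP_SOURCES = (` and `@def $SMTP_V6_SOURCES = (`. The v6 fallback `'::'` is the single unspecified address, not the any-source range, so a host with no smarthost would accept SMTP from nobody over IPv6 while accepting from `0.0.0.0/0` over IPv4; the fallback should be `'::/0'`. `nodeinfo['smarthost']` is called with `.empty?` directly, which raises if the key is absent — `nodeinfo['smarthost'].to_s.empty?` covers that case, assuming the value is a string. The `if not ... empty?` / `if smtpallowed.length == 0` pairs are more idiomatic as `unless nodeinfo['smarthost'].to_s.empty?` and `if smtpallowed.empty?`.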
-- 
2.39.5