Diffstat (limited to 'modules/postfix/templates')
-rw-r--r--modules/postfix/templates/main.cf68
-rw-r--r--modules/postfix/templates/primary_master.cf1
-rw-r--r--modules/postfix/templates/simple_relay_main.cf21
-rw-r--r--modules/postfix/templates/sympa_aliases2
-rw-r--r--modules/postfix/templates/transport_regexp13
-rw-r--r--modules/postfix/templates/virtual_aliases12
6 files changed, 84 insertions, 33 deletions
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index ffda06b3..6b42a4de 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
@@ -11,26 +11,37 @@ sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
-daemon_directory = <%= lib_dir %>/postfix/
+daemon_directory = /usr/libexec/postfix
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64
+compatibility_level = 2
data_directory = /var/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
+<% if all_tags.include?('postfix::simple_relay') || all_tags.include?('postfix::server::secondary') %>
+relayhost = sucuk.<%= domain %>
+<%- end -%>
# User configurable parameters
<% if all_tags.include?('postfix::simple_relay') %>
-inet_interfaces = localhost
+inet_interfaces = localhost, 127.0.0.1
<% else %>
inet_interfaces = all
<% end %>
inet_protocols = all
-mynetworks_style = host
+<% if @hostname == 'neru' then %>
+# We do not have a reverse on ipv6 :(
+smtp_address_preference = ipv4
+<%- end -%>
+
+# FIXME Do not hardcode this
+mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115]
myhostname = <%= fqdn %>
mydomain = <%= domain %>
-myorigin = $mydomain
<%- if all_tags.include?('postfix::server::secondary') -%>
relay_domains = <%= domain %>,
ml.<%= domain %>,
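Review bot: The hard-coded `mynetworks` line replaces `mynetworks_style = host`, so every host that renders this template (simple relays and secondaries included) now treats a /28, a whole IPv6 /64 and two single addresses as trusted clients, not just itself. If only the mail hub has to relay for those ranges, the line could sit inside an `all_tags.include?('postfix::server::primary')` test with `mynetworks_style = host` kept in the else branch, and the FIXME could name the Puppet variable the list should come from. `127.0.0.0/16` looks like a typo for `127.0.0.0/8`. Removing `myorigin = $mydomain` also moves locally submitted mail to the default `$myhostname` origin, which deserves a one-line comment if it is intended.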
@@ -38,7 +49,7 @@ relay_domains = <%= domain %>,
<%- end -%>
mydestination = <%= fqdn %>
-<%- if classes.include?('sympa::server') -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
ml.<%= domain %>
<%- end -%>
@@ -71,8 +82,25 @@ virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.conf
<%- if classes.include?('sympa::server') -%>
regexp:/etc/postfix/sympa_aliases
<%- end -%>
+<% else %>
+<%- if classes.include?('sympa::server') -%>
+virtual_alias_maps = regexp:/etc/postfix/sympa_aliases
+<%- end -%>
<%- end -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
+# Adding DKIM Miler for primaryserver (sucuk)
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+milter_protocol = 2
+
+# Adding Sender Rewriting Scheme
+sender_canonical_maps = socketmap:inet:localhost:10003:forward
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = socketmap:inet:localhost:10003:reverse
+recipient_canonical_classes= envelope_recipient,header_recipient
+<%- end -%>
<%- if all_tags.include?('postfix::server') -%>
transport_maps = regexp:/etc/postfix/transport_regexp
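Review bot: `milter_default_action = accept` makes the DKIM milter fail open, so if nothing answers on 127.0.0.1:8891 the primary keeps sending mail unsigned and the configuration gives no hint that this was a deliberate choice. I would either add a comment such as `# fail open: unsigned mail is preferred over deferred mail when the signer is down` and make sure the milter is monitored, or use `milter_default_action = tempfail` if unsigned outbound mail is not acceptable. `milter_protocol = 2` pins the oldest milter protocol; unless the installed signer requires it, dropping the line lets Postfix use its default. The comment on the first added line would read better as `# DKIM milter for the primary server (sucuk)`.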
@@ -89,12 +117,15 @@ smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
-# disabled for the time being, as the certificate do not exist
-# FIXME create the cert in puppet
-smtpd_use_tls = no
-#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
-#smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
-#smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+# enable opportunistic TLS when receiving
+smtpd_use_tls = yes
+smtpd_tls_received_header = yes
+smtpd_tls_cert_file = /etc/ssl/postfix/postfix.crt
+smtpd_tls_key_file = /etc/ssl/postfix/postfix.key
+smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+# enable opportunistic TLS when sending
+smtp_tls_security_level = may
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
<%- if all_tags.include?('postfix::server') -%>
smtpd_etrn_restrictions = reject
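Review bot: `smtpd_use_tls = yes` is the legacy spelling; the sending side added just below already uses `smtp_tls_security_level = may`, so the receiving side would be consistent and future-proof as `smtpd_tls_security_level = may`. The removed FIXME asked for the certificate to be created by Puppet, and nothing in this diff (limited to the templates directory) shows `/etc/ssl/postfix/postfix.crt` and `/etc/ssl/postfix/postfix.key` being provisioned, so confirm that the manifest installs them and that the key is readable by root only. simple_relay_main.cf still points at `/etc/pki/tls/certs/postfix.pem`, so the two templates now disagree on where the certificate lives.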
@@ -105,13 +136,18 @@ smtpd_data_restrictions = permit_mynetworks
reject_unauth_pipelining
reject_multi_recipient_bounce
-smtpd_recipient_restrictions = reject_non_fqdn_recipient
- reject_non_fqdn_sender
+smtpd_recipient_restrictions = permit_mynetworks
# not done yet, not sure if we need to offer this kind of service
# permit_sasl_authenticated
- permit_mynetworks
- reject_unauth_destination
reject_non_fqdn_helo_hostname
+ reject_non_fqdn_recipient
+ reject_non_fqdn_sender
+ check_sender_access hash:/etc/postfix/access
+ reject_rhsbl_helo sbl.spamhaus.org
+ reject_rhsbl_reverse_client sbl.spamhaus.org
+ reject_rhsbl_sender sbl.spamhaus.org
+ reject_rbl_client sbl.spamhaus.org
+ reject_unauth_destination
reject_unknown_sender_domain
reject_unknown_client
<%- if classes.include?('postgrey') -%>
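Review bot: `check_sender_access hash:/etc/postfix/access` is evaluated before `reject_unauth_destination`, so any `OK` entry in that map would permit relaying to arbitrary destinations for a sender address, which is trivially forged. Unless `smtpd_relay_restrictions` is in effect elsewhere in the file (not visible in this hunk), move `reject_unauth_destination` directly after `permit_mynetworks`, or add a comment that the access map may only contain reject actions. Separately, sbl.spamhaus.org is an IP-address list, so the three `reject_rhsbl_*` lines query it with domain names it does not carry and probably never match. Spamhaus publishes dbl.spamhaus.org for domain lookups, and only `reject_rbl_client sbl.spamhaus.org` fits the zone. The restriction list starts and ends outside the hunk.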
@@ -119,3 +155,5 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient
<%- end -%>
<%- end -%>
+# Needed for buggy clients
+always_add_missing_headers = yes
diff --git a/modules/postfix/templates/primary_master.cf b/modules/postfix/templates/primary_master.cf
index 8037d037..e05d33dc 100644
--- a/modules/postfix/templates/primary_master.cf
+++ b/modules/postfix/templates/primary_master.cf
@@ -174,4 +174,3 @@ smtp-filter unix - - y - - smtp
-o max_use=20
#
##### END OF CONTENT FILTER CUSTOMIZATIONS #####
-
diff --git a/modules/postfix/templates/simple_relay_main.cf b/modules/postfix/templates/simple_relay_main.cf
index a6cf2113..e0c116a7 100644
--- a/modules/postfix/templates/simple_relay_main.cf
+++ b/modules/postfix/templates/simple_relay_main.cf
@@ -11,7 +11,7 @@ sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
-daemon_directory = <%= lib_dir %>/postfix/
+daemon_directory = /usr/libexec/postfix/
data_directory = /var/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
@@ -22,11 +22,10 @@ mail_owner = postfix
myhostname = <%= fqdn %>
mydomain = <%= domain %>
-inet_interfaces = localhost
inet_protocols = all
mynetworks_style = host
#delay_warning_time = 4h
-smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux)
+smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mageia Linux)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
@@ -34,3 +33,19 @@ smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+<%- if classes.include?('sympa::server') -%>
+local_recipient_maps =
+fallback_transport_maps = regexp:/etc/postfix/transport_regexp
+transport_maps = regexp:/etc/postfix/transport_regexp
+mydestination = ml.<%= domain %>
+sympa_destination_recipient_limit = 1
+sympabounce_destination_recipient_limit = 1
+virtual_alias_maps = regexp:/etc/postfix/sympa_aliases
+# needed by sympa to handle bounce, according to the doc
+recipient_delimiter = +
+# This is ugly for a simple relay but we need ml.mageia.org to accept email :(
+inet_interfaces = all
+<%- else -%>
+inet_interfaces = localhost
+<%- end -%>
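Review bot: On a sympa host this branch exposes the relay profile to the Internet with `inet_interfaces = all` while `local_recipient_maps =` switches off recipient validation, so smtpd accepts mail for any address at ml.<domain> and leaves rejection to Sympa after the SMTP session has ended. For unknown list names that means bounces to forged senders (backscatter). A comment stating why the empty map is needed, or a recipient map generated from the list names, would help. The visible part of this template also sets no `smtpd_recipient_restrictions`, so the FQDN and RBL checks added to main.cf would not apply on this host; the rest of the file is outside the hunk, so this should be confirmed. `fallback_transport_maps` and `transport_maps` point at the same table, which makes the first look redundant.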
diff --git a/modules/postfix/templates/sympa_aliases b/modules/postfix/templates/sympa_aliases
index e5f74c0b..436e7a28 100644
--- a/modules/postfix/templates/sympa_aliases
+++ b/modules/postfix/templates/sympa_aliases
@@ -1,5 +1,5 @@
# everything is handled with transports in postfix,
-# but according to http://www.sympa.org/faq/postfix, we also need this one
+# but according to https://www.sympa.org/faq/postfix, we also need this one
<% escaped_domain = ( 'ml.' + domain ).sub('.','\.') %>
/^(.*)-owner\@<%= escaped_domain %>$/ $1+owner@ml.<%= domain %>
# redirect the mail from the ml domain to sysadmin
diff --git a/modules/postfix/templates/transport_regexp b/modules/postfix/templates/transport_regexp
index ceb8e2fb..3eb5494f 100644
--- a/modules/postfix/templates/transport_regexp
+++ b/modules/postfix/templates/transport_regexp
@@ -3,15 +3,8 @@ ml_domain = 'ml\.' + domain.gsub('.','\.')
%>
<%- if classes.include?('sympa::server') -%>
/^.*+owner\@<%= ml_domain %>$/ sympabounce:
+/^bounce+.*\@<%= ml_domain %>$/ sympabounce:
/^.*\@<%= ml_domain %>$/ sympa:
+<%- else -%>
+/^.*\@<%= ml_domain %>$/ smtp:sucuk.mageia.org
<%- end -%>
-
-# temporary work around for bugzilla being unable to send mail to webteam
-#
-# the current setup ( 13/02/2011 ) is that most active mls are on zarb.org,
-# using @mageia domain. But we want to start hosting aliases on the current
-# ml server ( and main smtp, ie alamut ). So we need to dispatch old mls
-# to zarb, and the rest on alamut. Old mls are all prefixed by mageia-*@mageia
-# this hack should be removed once all mls are migrated from zarb.org
-#
-/^mageia-.*\@<%= domain %>$/ smtp:ryu.zarb.org
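Review bot: The `+` in the added `/^bounce+.*\@<%= ml_domain %>$/` is a regex quantifier, not a literal plus sign, so the pattern matches every local part that starts with `bounce` (a list named `bouncers`, for example) and routes it to `sympabounce:`. With `recipient_delimiter = +` the intended pattern is presumably `/^bounce\+.*\@<%= ml_domain %>$/`. The existing context line `/^.*+owner\@…/` has the same unescaped `+`. The new else branch hard-codes `smtp:sucuk.mageia.org`, whereas main.cf in this commit writes `sucuk.<%= domain %>`, so `smtp:sucuk.<%= domain %>` would keep the templates consistent.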
diff --git a/modules/postfix/templates/virtual_aliases b/modules/postfix/templates/virtual_aliases
index 0890dd06..861e79c6 100644
--- a/modules/postfix/templates/virtual_aliases
+++ b/modules/postfix/templates/virtual_aliases
@@ -1,16 +1,22 @@
# do not forget to add $domain or it will not work
# do not hardcode the domain, or it will be harvested by bot
-treasurer@<%= domain %> rda@<%= domain %>
+treasurer@<%= domain %> treasurer@group.<%= domain %>
president@<%= domain %> ennael@<%= domain %>
secretary@<%= domain %> obgr_seneca@<%= domain %>
+contact@<%= domain %> council@group.<%= domain %>
+press@<%= domain %> council@group.<%= domain %>
+
# later switch to a team alias
root@<%= domain %> sysadmin@group.<%= domain %>
-security@<%= domain %> security_officers@group.<%= domain %>
+security@<%= domain %> security@group.<%= domain %>
+
+# Temporary(?) alias until there is a real board-commits@ list
+board-commits@ml.<%= domain %> board-public@ml.<%= domain %>
-# TODO see http://www.ietf.org/rfc/rfc2142.txt
+# TODO see https://www.ietf.org/rfc/rfc2142.txt
<%
['postmaster','hostmaster','abuse','noc','listmaster','MAILER-DAEMON'].each { |a|
%>