Diffstat (limited to 'modules/postfix')
| -rw-r--r-- | modules/postfix/manifests/init.pp | 75 | ||||
| -rw-r--r-- | modules/postfix/manifests/server.pp | 13 | ||||
| -rw-r--r-- | modules/postfix/manifests/server/primary.pp | 43 | ||||
| -rw-r--r-- | modules/postfix/manifests/server/secondary.pp | 1 | ||||
| -rw-r--r-- | modules/postfix/manifests/simple_relay.pp | 9 | ||||
| -rw-r--r-- | modules/postfix/templates/main.cf | 81 | ||||
| -rw-r--r-- | modules/postfix/templates/primary_master.cf | 1 | ||||
| -rw-r--r-- | modules/postfix/templates/simple_relay_main.cf | 21 | ||||
| -rw-r--r-- | modules/postfix/templates/sympa_aliases | 2 | ||||
| -rw-r--r-- | modules/postfix/templates/transport_regexp | 13 | ||||
| -rw-r--r-- | modules/postfix/templates/virtual_aliases | 14 |
11 files changed, 171 insertions, 102 deletions
diff --git a/modules/postfix/manifests/init.pp b/modules/postfix/manifests/init.pp
index 5722e3e0..8a4394df 100644
--- a/modules/postfix/manifests/init.pp
+++ b/modules/postfix/manifests/init.pp
@@ -1,71 +1,24 @@ class postfix { - class base { - package { [postfix,nail]: } + package { postfix: } - service { postfix: - subscribe => Package['postfix'], - } - - file { '/etc/postfix/main.cf': - require => Package["postfix"], - content => "", - notify => Service['postfix'], - } + service { 'postfix': + subscribe => Package['postfix'], } - - class simple_relay inherits base { - File['/etc/postfix/main.cf'] { - content => template("postfix/simple_relay_main.cf"), - } + file { '/etc/postfix/main.cf': + require => Package['postfix'], + content => '', + notify => Service['postfix'], } - class smtp_server inherits base { - include postgrey - include amavis - include spamassassin - - File['/etc/postfix/main.cf'] { - content => template("postfix/main.cf"), - } - - file { '/etc/postfix/transport_regexp': - content => template("postfix/transport_regexp"), - } - - } - - class primary_smtp inherits smtp_server { - - package { "postfix-ldap": } - - # council is here until we fully decide who has aliases in com team, - # see https://bugs.mageia.org/show_bug.cgi?id=1345 - # alumini is a special group for tracking previous members of - # the project, so they keep their aliases for a time - $aliases_group = ['mga-founders','mga-packagers', - 'mga-sysadmin','mga-council', - 'mga-alumni','mga-i18n-committers', - ] - $ldap_password = extlookup("postfix_ldap",'x') - $ldap_servers = get_ldap_servers() - - file { - '/etc/postfix/master.cf': content => template("postfix/primary_master.cf"); - '/etc/postfix/ldap_aliases.conf': content => template("postfix/ldap_aliases.conf"); - # TODO merge the file with the previous one, for common part (ldap, etc) - '/etc/postfix/group_aliases.conf': content => template("postfix/group_aliases.conf"); - # TODO make it conditional to the presence of sympa - '/etc/postfix/sympa_aliases': content => template("postfix/sympa_aliases"); - '/etc/postfix/virtual_aliases': content => template("postfix/virtual_aliases"); - } - - exec { "postmap 
/etc/postfix/virtual_aliases": - refreshonly => true, - subscribe => File['/etc/postfix/virtual_aliases'], - } + file { '/etc/ssl/postfix/': + ensure => directory, } - class secondary_smtp inherits smtp_server { + openssl::self_signed_splitted_cert { "${::hostname}.${::domain}": + filename => 'postfix', + directory => '/etc/ssl/postfix/', + owner => 'postfix', + group => 'postfix' } } diff --git a/modules/postfix/manifests/server.pp b/modules/postfix/manifests/server.pp new file mode 100644 index 00000000..85ab261c --- /dev/null +++ b/modules/postfix/manifests/server.pp @@ -0,0 +1,13 @@ +class postfix::server inherits postfix { + include postgrey + include amavis + include spamassassin + + File['/etc/postfix/main.cf'] { + content => template('postfix/main.cf'), + } + + file { '/etc/postfix/transport_regexp': + content => template('postfix/transport_regexp'), + } +} diff --git a/modules/postfix/manifests/server/primary.pp b/modules/postfix/manifests/server/primary.pp new file mode 100644 index 00000000..c14a8606 --- /dev/null +++ b/modules/postfix/manifests/server/primary.pp 
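Review bot: The key material produced by `openssl::self_signed_splitted_cert` is given `owner => 'postfix'`, and the `/etc/ssl/postfix/` directory it lands in is declared with no `owner`, `group` or `mode`, so the private key's readability depends entirely on the defined type's defaults and the directory gets whatever the umask yields. Postfix reads `smtpd_tls_key_file` at daemon start before dropping privileges, so a root-owned key with mode 0600 is the documented norm (confirm against TLS_README); if the defined type allows it, `owner => 'root'` for the key plus `mode => '0750'` on the directory would narrow exposure. Neither resource notifies `Service['postfix']`, so a regenerated certificate is not served until something else restarts the daemon — the defined type's internals are outside this diff, so check whether it notifies on its own. The cert is requested for `"${::hostname}.${::domain}"`, which matches `myhostname = <%= fqdn %>` in the template only if both facts agree; a comment noting that dependency would help the next reader.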
@@ -0,0 +1,43 @@
+class postfix::server::primary inherits postfix::server {
+
+ # Adding DKIM server
+ include opendkim
+ opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'fiona.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:}
+ opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:}
+
+ package { ['postfix-ldap', 'sqlite3-tools', 'dovecot-plugins-sqlite','rspamd']: }
+
+ # council is here until we fully decide who has aliases in com team,
+
+ # see https://bugs.mageia.org/show_bug.cgi?id=1345
+ # alumni is a special group for tracking previous members of
+ # the project, so they keep their aliases for a time
+ $aliases_group = ['mga-founders',
+ 'mga-packagers',
+ 'mga-sysadmin',
+ 'mga-council',
+ 'mga-alumni',
+ 'mga-i18n-committers']
+ $ldap_password = extlookup('postfix_ldap','x')
+ $ldap_servers = get_ldap_servers()
+
+ file {
+ '/etc/postfix/master.cf':
+ content => template('postfix/primary_master.cf');
+ '/etc/postfix/ldap_aliases.conf':
+ content => template('postfix/ldap_aliases.conf');
+ # TODO merge the file with the previous one, for common part (ldap, etc)
+ '/etc/postfix/group_aliases.conf':
+ content => template('postfix/group_aliases.conf');
+ # TODO make it conditional to the presence of sympa
+ '/etc/postfix/sympa_aliases':
+ content => template('postfix/sympa_aliases');
+ '/etc/postfix/virtual_aliases':
+ content => template('postfix/virtual_aliases');
+ }
+
+ exec { 'postmap /etc/postfix/virtual_aliases':
+ refreshonly => true,
+ subscribe => File['/etc/postfix/virtual_aliases'],
+ }
+}
diff --git a/modules/postfix/manifests/server/secondary.pp b/modules/postfix/manifests/server/secondary.pp
new file mode 100644
index 00000000..e4dd8721
--- /dev/null
+++ b/modules/postfix/manifests/server/secondary.pp
@@ -0,0 +1 @@
+class postfix::server::secondary inherits postfix::server { }
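Review bot: `$ldap_password = extlookup('postfix_ldap','x')` falls back to the literal password `'x'` when the lookup key is missing, so an absent secret renders ldap_aliases.conf with a bogus bind password instead of failing the catalog; dropping the default, `$ldap_password = extlookup('postfix_ldap')`, makes the run fail loudly, which is the better outcome for a credential. The `opendkim::domain` list repeats the domain ten times as string literals while every template in this diff derives names from `<%= domain %>`; building the array from `$::domain` would keep the module consistent with its own "do not hardcode the domain" rule in virtual_aliases. `opendkim::trusted` covers the whole `212.85.158.0/24`, which is wider than the `/28` used for `mynetworks` in main.cf — confirm that every host in that /24 should be able to get mail signed as the domain. The stray empty comment line after `# council is here until we fully decide who has aliases in com team,` separates the sentence from its `# see https://bugs.mageia.org/...` reference and can be dropped.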
diff --git a/modules/postfix/manifests/simple_relay.pp b/modules/postfix/manifests/simple_relay.pp
new file mode 100644
index 00000000..8911f781
--- /dev/null
+++ b/modules/postfix/manifests/simple_relay.pp
@@ -0,0 +1,9 @@
+class postfix::simple_relay inherits postfix {
+ File['/etc/postfix/main.cf'] {
+ content => template('postfix/simple_relay_main.cf'),
+ }
+ file {
+ '/etc/postfix/sympa_aliases':
+ content => template('postfix/sympa_aliases');
+ }
+}
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index fcedc936..6b42a4de 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
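Review bot: `/etc/postfix/sympa_aliases` is rendered on every simple relay, but the template this class selects (`simple_relay_main.cf`) only references that map inside its `classes.include?('sympa::server')` branch, so on a plain relay the file is dead configuration; guarding the `file { ... }` with `if defined(Class['sympa::server'])` keeps manifest and template in step (mind that `defined()` depends on evaluation order). That same sympa branch also points `transport_maps` and `fallback_transport_maps` at `/etc/postfix/transport_regexp`, which only `postfix::server` manages in this diff — a simple relay that includes sympa::server would reference an unmanaged table unless the file is created elsewhere. The sympa_aliases template escapes the domain with `sub('.','\.')`, which escapes only the first dot (`ml\.mageia.org`) whereas transport_regexp uses `gsub`; switching to `gsub` makes the alias patterns match the full domain literally.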
@@ -11,39 +11,49 @@ sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man -daemon_directory = <%= lib_dir %>/postfix/ +daemon_directory = /usr/libexec/postfix +meta_directory = /etc/postfix +shlib_directory = /usr/lib64 +compatibility_level = 2 data_directory = /var/lib/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq queue_directory = /var/spool/postfix mail_owner = postfix +<% if all_tags.include?('postfix::simple_relay') || all_tags.include?('postfix::server::secondary') %> +relayhost = sucuk.<%= domain %> +<%- end -%> # User configurable parameters <% if all_tags.include?('postfix::simple_relay') %> -inet_interfaces = localhost +inet_interfaces = localhost, 127.0.0.1 <% else %> inet_interfaces = all <% end %> inet_protocols = all -mynetworks_style = host +<% if @hostname == 'neru' then %> +# We do not have a reverse on ipv6 :( +smtp_address_preference = ipv4 +<%- end -%> + +# FIXME Do not hardcode this +mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115] myhostname = <%= fqdn %> mydomain = <%= domain %> -mydestination = <%= fqdn %> -myorigin = $mydomain -<%- if all_tags.include?('postfix::secondary_smtp') -%> +<%- if all_tags.include?('postfix::server::secondary') -%> relay_domains = <%= domain %>, ml.<%= domain %>, group.<%= domain %> <%- end -%> mydestination = <%= fqdn %> -<%- if classes.include?('sympa::server') -%> +<%- if all_tags.include?('postfix::server::primary') -%> ml.<%= domain %> <%- end -%> -<%- if all_tags.include?('postfix::primary_smtp') -%> +<%- if all_tags.include?('postfix::server::primary') -%> virtual_mailbox_domains = <%= domain %>, group.<%= domain %> 
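Review bot: `127.0.0.0/16` inside the new `mynetworks` line looks like a typo for the loopback block `127.0.0.0/8` (Postfix's own default covers the whole /8); as written, loopback addresses outside 127.0.x.x are treated as untrusted. Since `permit_mynetworks` is the first entry of `smtpd_recipient_restrictions` later in this file, this list is the relay allow-list, so the `# FIXME Do not hardcode this` is worth acting on now: a `$mynetworks` array in the class rendered with `<%= @mynetworks.join(' ') %>` keeps the trusted ranges reviewable in one place. The `postfix::simple_relay` branches here (`relayhost` and `inet_interfaces = localhost, 127.0.0.1`) appear unreachable, because simple_relay.pp overrides main.cf with the simple_relay_main.cf template; if a simple relay is meant to get `relayhost = sucuk.<%= domain %>`, that line needs to live in the other template. `localhost, 127.0.0.1` is also redundant, as `localhost` already resolves to the loopback address.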
@@ -72,10 +82,27 @@ virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.conf <%- if classes.include?('sympa::server') -%> regexp:/etc/postfix/sympa_aliases <%- end -%> +<% else %> +<%- if classes.include?('sympa::server') -%> +virtual_alias_maps = regexp:/etc/postfix/sympa_aliases +<%- end -%> <%- end -%> +<%- if all_tags.include?('postfix::server::primary') -%> +# Adding DKIM Miler for primaryserver (sucuk) +smtpd_milters = inet:127.0.0.1:8891 +non_smtpd_milters = $smtpd_milters +milter_default_action = accept +milter_protocol = 2 + +# Adding Sender Rewriting Scheme +sender_canonical_maps = socketmap:inet:localhost:10003:forward +sender_canonical_classes = envelope_sender +recipient_canonical_maps = socketmap:inet:localhost:10003:reverse +recipient_canonical_classes= envelope_recipient,header_recipient +<%- end -%> -<%- if all_tags.include?('postfix::smtp_server') -%> +<%- if all_tags.include?('postfix::server') -%> transport_maps = regexp:/etc/postfix/transport_regexp content_filter = smtp-filter:[127.0.0.1]:10025 <%- end -%> 
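Review bot: With `milter_default_action = accept`, an unreachable OpenDKIM socket at `inet:127.0.0.1:8891` lets outbound mail leave unsigned and inbound mail skip verification, and the only trace is a Postfix warning about the milter connection; that is a defensible availability choice for a primary MX, but the warning should be alerted on and the trade-off stated, e.g. `# accept keeps mail flowing when opendkim is down; mail then goes out unsigned`. `milter_protocol = 2` is the pre-2.6 default; current Postfix and OpenDKIM negotiate protocol 6, so the line can probably be dropped unless an old milter needs it. The SRS socketmap at `inet:localhost:10003` has no corresponding resource in this diff (nothing installs or manages an SRS daemon); if it is not managed elsewhere, cleanup(8) will likely defer every message with a table-lookup error once these lines are live. The added `<% else %>` is plain ERB while the surrounding tags use `<%-`/`-%>` trimming, so it emits an extra blank line — cosmetic, but the file now mixes both styles.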
@@ -86,18 +113,21 @@ sympabounce_destination_recipient_limit = 1 <%- end -%> #delay_warning_time = 4h -smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux) +smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>) unknown_local_recipient_reject_code = 450 smtp-filter_destination_concurrency_limit = 2 lmtp-filter_destination_concurrency_limit = 2 -# disabled for the time being, as the certificate do not exist -# FIXME create the cert in puppet -smtpd_use_tls = no -#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem -#smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem -#smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt - -<%- if all_tags.include?('postfix::smtp_server') -%> +# enable opportunistic TLS when receiving +smtpd_use_tls = yes +smtpd_tls_received_header = yes +smtpd_tls_cert_file = /etc/ssl/postfix/postfix.crt +smtpd_tls_key_file = /etc/ssl/postfix/postfix.key +smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt +# enable opportunistic TLS when sending +smtp_tls_security_level = may +smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt + +<%- if all_tags.include?('postfix::server') -%> smtpd_etrn_restrictions = reject smtpd_helo_required = yes 
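Review bot: `smtpd_use_tls = yes` is the obsolete pre-2.3 spelling; with `compatibility_level = 2` set earlier in this file the current form is `smtpd_tls_security_level = may`, which also mirrors the `smtp_tls_security_level = may` used for the client side a few lines below. Because the certificate is the self-signed one from init.pp, `smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt` does not describe the chain actually served and peers will see an unverifiable certificate — acceptable for opportunistic TLS, but the comment should say so: `# self-signed cert from init.pp: peers get encryption, not authentication`. Adding `smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1` would record the negotiated protocol and cipher in the mail log, complementing `smtpd_tls_received_header` so that plaintext fallbacks are visible on both directions.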
@@ -106,13 +136,18 @@ smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce -smtpd_recipient_restrictions = reject_non_fqdn_recipient - reject_non_fqdn_sender +smtpd_recipient_restrictions = permit_mynetworks # not done yet, not sure if we need to offer this kind of service # permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination reject_non_fqdn_helo_hostname + reject_non_fqdn_recipient + reject_non_fqdn_sender + check_sender_access hash:/etc/postfix/access + reject_rhsbl_helo sbl.spamhaus.org + reject_rhsbl_reverse_client sbl.spamhaus.org + reject_rhsbl_sender sbl.spamhaus.org + reject_rbl_client sbl.spamhaus.org + reject_unauth_destination reject_unknown_sender_domain reject_unknown_client <%- if classes.include?('postgrey') -%> @@ -120,3 +155,5 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient <%- end -%> <%- end -%> +# Needed for buggy clients +always_add_missing_headers = yes diff --git a/modules/postfix/templates/primary_master.cf b/modules/postfix/templates/primary_master.cf index 8037d037..e05d33dc 100644 --- a/modules/postfix/templates/primary_master.cf +++ b/modules/postfix/templates/primary_master.cf @@ -174,4 +174,3 @@ smtp-filter unix - - y - - smtp -o max_use=20 # ##### END OF CONTENT FILTER CUSTOMIZATIONS ##### - diff --git a/modules/postfix/templates/simple_relay_main.cf b/modules/postfix/templates/simple_relay_main.cf index a6cf2113..e0c116a7 100644 --- a/modules/postfix/templates/simple_relay_main.cf +++ b/modules/postfix/templates/simple_relay_main.cf @@ -11,7 +11,7 @@ sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man -daemon_directory = <%= lib_dir %>/postfix/ +daemon_directory = /usr/libexec/postfix/ data_directory = /var/lib/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq 
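Review bot: `reject_rhsbl_helo`, `reject_rhsbl_reverse_client` and `reject_rhsbl_sender` are domain-name lookups, but they are pointed at `sbl.spamhaus.org`, which is an IP-address list; Spamhaus's domain list is `dbl.spamhaus.org`, and `reject_rbl_client` would normally query the combined `zen.spamhaus.org` rather than SBL alone, so three of the four new checks most likely never match. `check_sender_access hash:/etc/postfix/access` references a table that no manifest in this diff creates or runs `postmap` on (compare the `exec` for virtual_aliases in primary.pp); if the `.db` is absent, smtpd logs a table-lookup problem and defers the recipient with a 4xx, which looks like an endless greylist to the sender. Moving `reject_unauth_destination` up to directly after `permit_mynetworks` is the conventional order: the relay check then holds regardless of how the later entries are edited, and no DNSBL queries are spent on mail that would be rejected as unauthorized relay anyway.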
@@ -22,11 +22,10 @@ mail_owner = postfix myhostname = <%= fqdn %> mydomain = <%= domain %> -inet_interfaces = localhost inet_protocols = all mynetworks_style = host #delay_warning_time = 4h -smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux) +smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mageia Linux) unknown_local_recipient_reject_code = 450 smtp-filter_destination_concurrency_limit = 2 lmtp-filter_destination_concurrency_limit = 2 @@ -34,3 +33,19 @@ smtpd_use_tls = yes smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt + +<%- if classes.include?('sympa::server') -%> +local_recipient_maps = +fallback_transport_maps = regexp:/etc/postfix/transport_regexp +transport_maps = regexp:/etc/postfix/transport_regexp +mydestination = ml.<%= domain %> +sympa_destination_recipient_limit = 1 +sympabounce_destination_recipient_limit = 1 +virtual_alias_maps = regexp:/etc/postfix/sympa_aliases +# needed by sympa to handle bounce, according to the doc +recipient_delimiter = + +# This is ugly for a simple relay but we need ml.mageia.org to accept email :( +inet_interfaces = all +<%- else -%> +inet_interfaces = localhost +<%- end -%> diff --git a/modules/postfix/templates/sympa_aliases b/modules/postfix/templates/sympa_aliases index e5f74c0b..436e7a28 100644 --- a/modules/postfix/templates/sympa_aliases +++ b/modules/postfix/templates/sympa_aliases @@ -1,5 +1,5 @@ # everything is handled with transports in postfix, -# but according to http://www.sympa.org/faq/postfix, we also need this one +# but according to https://www.sympa.org/faq/postfix, we also need this one <% escaped_domain = ( 'ml.' + domain ).sub('.','\.') %> /^(.*)-owner\@<%= escaped_domain %>$/ $1+owner@ml.<%= domain %> # redirect the mail from the ml domain to sysadmin 
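Review bot: `local_recipient_maps =` (empty) switches off recipient validation for everything in `mydestination`, so together with `inet_interfaces = all` this host accepts any address under `ml.<%= domain %>` from the internet and only discovers unknown recipients after queueing, turning typo and dictionary traffic into bounces from this relay; if the Sympa transports require it, a comment such as `# empty on purpose: the sympa transport validates list addresses (see transport_regexp)` should say so, and the restrictions (outside this hunk) should at least keep `reject_unauth_destination`. `transport_maps` and `fallback_transport_maps` point at `/etc/postfix/transport_regexp`, but simple_relay.pp only manages sympa_aliases; unless the file comes from elsewhere, trivial-rewrite will fail to open the table and mail stalls on a simple relay that includes sympa::server. `mynetworks_style = host` survives in the context above, so `inet_interfaces = all` does not by itself widen relaying — worth stating next to the comment that currently only explains why the listener is opened.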
diff --git a/modules/postfix/templates/transport_regexp b/modules/postfix/templates/transport_regexp index ceb8e2fb..3eb5494f 100644 --- a/modules/postfix/templates/transport_regexp +++ b/modules/postfix/templates/transport_regexp @@ -3,15 +3,8 @@ ml_domain = 'ml\.' + domain.gsub('.','\.') %> <%- if classes.include?('sympa::server') -%> /^.*+owner\@<%= ml_domain %>$/ sympabounce: +/^bounce+.*\@<%= ml_domain %>$/ sympabounce: /^.*\@<%= ml_domain %>$/ sympa: +<%- else -%> +/^.*\@<%= ml_domain %>$/ smtp:sucuk.mageia.org <%- end -%> - -# temporary work around for bugzilla being unable to send mail to webteam -# -# the current setup ( 13/02/2011 ) is that most active mls are on zarb.org, -# using @mageia domain. But we want to start hosting aliases on the current -# ml server ( and main smtp, ie alamut ). So we need to dispatch old mls -# to zarb, and the rest on alamut. Old mls are all prefixed by mageia-*@mageia -# this hack should be removed once all mls are migrated from zarb.org -# -/^mageia-.*\@<%= domain %>$/ smtp:ryu.zarb.org diff --git a/modules/postfix/templates/virtual_aliases b/modules/postfix/templates/virtual_aliases index 9dfe9670..861e79c6 100644 --- a/modules/postfix/templates/virtual_aliases +++ b/modules/postfix/templates/virtual_aliases 
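Review bot: In `/^bounce+.*\@<%= ml_domain %>$/` the `+` is a quantifier on the preceding `e`, not the literal `recipient_delimiter` character, so the pattern matches `bounceanything@ml...` rather than `bounce+...`; the literal form is `/^bounce\+.*\@<%= ml_domain %>$/`. The context line above it, `/^.*+owner\@<%= ml_domain %>$/`, has the same unescaped `+` (and `.*+` is likely rejected or mis-parsed by the POSIX regex engine behind regexp: tables), so it is worth fixing in the same pass. The new `else` branch hardcodes `smtp:sucuk.mageia.org` while the line next to it builds the domain from `<%= domain %>` and main.cf uses `relayhost = sucuk.<%= domain %>`; `smtp:sucuk.<%= domain %>` keeps the template portable and honours the module's own rule about not hardcoding the domain.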
@@ -1,16 +1,22 @@ # do not forget to add $domain or it will not work # do not hardcode the domain, or it will be harvested by bot -treasurer@<%= domain %> dams@<%= domain %> +treasurer@<%= domain %> treasurer@group.<%= domain %> president@<%= domain %> ennael@<%= domain %> -secretary@<%= domain %> misc@<%= domain %> +secretary@<%= domain %> obgr_seneca@<%= domain %> + +contact@<%= domain %> council@group.<%= domain %> +press@<%= domain %> council@group.<%= domain %> # later switch to a team alias root@<%= domain %> sysadmin@group.<%= domain %> -security@<%= domain %> security_officers@group.<%= domain %> +security@<%= domain %> security@group.<%= domain %> + +# Temporary(?) alias until there is a real board-commits@ list +board-commits@ml.<%= domain %> board-public@ml.<%= domain %> -# TODO see http://www.ietf.org/rfc/rfc2142.txt +# TODO see https://www.ietf.org/rfc/rfc2142.txt <% ['postmaster','hostmaster','abuse','noc','listmaster','MAILER-DAEMON'].each { |a| %> |
