Add postfix relayhost class

ComputeCanada · Jan 11, 2024 · 05e5da6 · 05e5da6
1 parent 2f36a33
commit 05e5da6
Show file tree

Hide file tree

Showing 5 changed files with 217 additions and 8 deletions.
diff --git a/data/common.yaml b/data/common.yaml
@@ -238,6 +238,7 @@ profile::users::local::users:
     groups: ['adm', 'wheel', 'systemd-journal']
     sudoer: true
 
+profile::base::domain_name: "%{alias('terraform.data.domain_name')}"
 
 profile::freeipa::base::domain_name: "%{alias('terraform.data.domain_name')}"
 
@@ -250,6 +251,10 @@ profile::nfs::server::domain_name: "%{hiera('profile::freeipa::base::domain_name
 profile::nfs::client::domain_name: "%{hiera('profile::freeipa::base::domain_name')}"
 profile::nfs::client::server_ip: "%{alias('terraform.tag_ip.nfs.0')}"
 
+profile::mail::relayhost::origin: "%{alias('terraform.data.domain_name')}"
+profile::mail::sender::origin: "%{alias('terraform.data.domain_name')}"
+profile::mail::sender::relayhost_ip: "%{alias('terraform.tag_ip.public.0')}"
+
 profile::nfs::server::devices: "%{alias('terraform.volumes.nfs')}"
 
 profile::reverse_proxy::domain_name: "%{alias('terraform.data.domain_name')}"

diff --git a/site/profile/manifests/base.pp b/site/profile/manifests/base.pp
@@ -30,12 +30,12 @@
   }
 
   if $admin_email {
-    include profile::mail::server
     file { '/opt/puppetlabs/bin/postrun':
       mode    => '0700',
       content => epp('profile/base/postrun',
         {
-          'email' => $admin_email,
+          'email'  => $admin_email,
+          'domain' => $domain_name,
         }
       ),
     }

diff --git a/site/profile/manifests/mail.pp b/site/profile/manifests/mail.pp
@@ -1,9 +1,214 @@
-class profile::mail::server {
-  ensure_packages(['postfix'], { ensure => 'present' })
+class profile::mail::base {
+  $cidr = profile::getcidr()
 
-  service { 'postfix':
+  postfix::config { 'authorized_submit_users':
+    ensure => present,
+    value  => 'root, slurm',
+  }
+
+  firewall { '002 drop IPA user access to local smtp server':
+    chain       => 'OUTPUT',
+    proto       => 'tcp',
+    dport       => [25],
+    destination => '127.0.0.0/8',
+    action      => 'drop',
+    uid         => "! 0-${facts['uid_max']}"
+  }
+
+  firewall { '002 drop IPA user access to internal smtp server':
+    chain       => 'OUTPUT',
+    proto       => 'tcp',
+    dport       => [25],
+    destination => $cidr,
+    action      => 'drop',
+    uid         => "! 0-${facts['uid_max']}"
+  }
+}
+
+class profile::mail::sender(
+  String $relayhost_ip,
+  String $origin,
+) {
+  include profile::mail::base
+  class { 'postfix':
+    inet_protocols   => 'ipv4',
+    relayhost        => $relayhost_ip,
+    myorigin         => $origin,
+    satellite        => true,
+    manage_mailx     => false,
+    manage_conffiles => false,
+  }
+}
+
+class profile::mail::relayhost(
+  String $origin,
+) {
+  include profile::mail::base
+  class { 'profile::mail::dkim':
+    domain_name => $origin,
+  }
+
+  $cidr = profile::getcidr()
+  $interface = split($::interfaces, ',')[0]
+  $ipaddress = $::networking['interfaces'][$interface]['ip']
+
+  class { 'postfix':
+    inet_interfaces  => "127.0.0.1, ${ipaddress}",
+    inet_protocols   => 'ipv4',
+    mynetworks       => "127.0.0.0/8, ${cidr}",
+    myorigin         => $origin,
+    mta              => true,
+    relayhost        => 'direct',
+    smtp_listen      => 'all',
+    manage_mailx     => false,
+    manage_conffiles => false,
+  }
+}
+
+
+# profile::mail::dkim class
+#
+# This class manages OpenDKIM installation and service.
+# It is meant to be used in conjunction with puppet:mail::relayhost.
+# OpenDKIM signs emails with a private key and email providers can
+# verify the email signature authenticity using the DKIM dns record.
+
+# That the class assumes the private keys exists in /etc/opendkim/keys/default.private.
+# The class also assumes the corresponding public key is published as a TXT DNS record
+# under default._domainkey.${domain_name}.
+#
+# @example Declaring the class
+#   class { 'profile::mail::dkim':
+#     domain_name => mycluster.mydomain.tld
+#   }
+#
+# @param domain_name Domain name from which the cluster will send emails.
+class profile::mail::dkim (
+  String $domain_name
+) {
+  $cidr = profile::getcidr()
+
+  package { 'opendkim':
+    ensure  => 'installed',
+    require => Yumrepo['epel'],
+  }
+
+  file { '/etc/opendkim/keys/default.private':
+    owner   => 'opendkim',
+    group   => 'opendkim',
+    mode    => '0600',
+    require => Package['opendkim'],
+  }
+
+  service { 'opendkim':
     ensure  => running,
     enable  => true,
-    require => Package['postfix'],
+    require => [
+      Package['opendkim'],
+      File['/etc/opendkim/keys/default.private'],
+    ],
+  }
+
+  file_line { 'opendkim-Mode':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => 'Mode sv',
+    match   => '^Mode',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
   }
+
+  file_line { 'opendkim-Canonicalization':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => 'Canonicalization relaxed/simple',
+    match   => '^#?Canonicalization',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-KeyFile':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => '#KeyFile /etc/opendkim/keys/default.private',
+    match   => '^KeyFile',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-KeyTable':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => 'KeyTable refile:/etc/opendkim/KeyTable',
+    match   => '^#?KeyTable',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-SigningTable':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => 'SigningTable refile:/etc/opendkim/SigningTable',
+    match   => '^#?SigningTable',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-ExternalIgnoreList':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => 'ExternalIgnoreList refile:/etc/opendkim/TrustedHosts',
+    match   => '^#?ExternalIgnoreList',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-InternalHosts':
+    ensure  => present,
+    path    => '/etc/opendkim.conf',
+    line    => 'InternalHosts refile:/etc/opendkim/TrustedHosts',
+    match   => '^#?InternalHosts',
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-KeyTable-content':
+    ensure  => present,
+    path    => '/etc/opendkim/KeyTable',
+    line    => "default._domainkey.${domain_name} ${domain_name}:default:/etc/opendkim/keys/default.private",
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-SigningTable-content':
+    ensure  => present,
+    path    => '/etc/opendkim/SigningTable',
+    line    => "*@${domain_name} default._domainkey.${domain_name}",
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  file_line { 'opendkim-TrustedHosts':
+    ensure  => present,
+    path    => '/etc/opendkim/TrustedHosts',
+    line    => $cidr,
+    notify  => Service['opendkim'],
+    require => Package['opendkim'],
+  }
+
+  postfix::config { 'smtpd_milters':
+    ensure => present,
+    value  => 'inet:127.0.0.1:8891',
+  }
+
+  postfix::config { 'non_smtpd_milters':
+    ensure => present,
+    value  => '$smtpd_milters',
+  }
+
+  postfix::config { 'milter_default_action':
+    ensure => present,
+    value  => 'accept',
+  }
+
 }
diff --git a/site/profile/manifests/slurm.pp b/site/profile/manifests/slurm.pp
@@ -414,7 +414,6 @@
   String $tfe_var_pool = 'pool',
 ) {
   contain profile::slurm::base
-  include profile::mail::server
 
   file { '/usr/sbin/slurm_mail':
     ensure => 'present',

diff --git a/site/profile/templates/base/postrun.epp b/site/profile/templates/base/postrun.epp
@@ -10,7 +10,7 @@ if [[ $actions -lt 2 ]] && [[ ! -z "$email" ]]; then
   lines=($(journalctl -u puppet | grep -n -E 'Starting Puppet client|Applied catalog in' | cut -f 1 -d : | tail -n 2))
   cat << EOF | /usr/sbin/sendmail $email
 To: $email
-From: puppet@$(hostname -f)
+From: $(hostname -s)-puppet-noreply@<%= $domain %>
 Subject: $(hostname -f) is online
 $(journalctl -u puppet | sed -n "${lines[0]},${lines[1]}p")
 EOF