Version information
This version is compatible with:
- Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-postfix', '5.11.0'
Learn more about managing modules with a Puppetfile
Documentation
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
Module Description
This module provides for the configuration of the postfix mail server.
Reference
Please see REFERENCE.md for a full reference.
Development
Please read our Contribution Guide.
Visit the project homepage and look at our issues on JIRA.
Reference
Table of Contents
Classes
postfix
: Set up the postfix mail server. This also aliases 'mail' to 'mutt' for root.
postfix::config
: Configuration class called from postfix. Configures settings in the main.cf file. Builds the alias database so most system users mail wi
postfix::config::aliases
: aliases configuration class called from postfix::config.
postfix::config::main_cf
: main.cf configuration class called from postfix::config. Set settings in /etc/postfix/main.cf based on postfix::main_cf_hash and postfix::i
postfix::config::root
: root user postfix Configuration class called from postfix::config.
postfix::install
: Install the packages, users and groups needed for the postfix server.
postfix::server
: This sets up an outward facing Postfix server. Any configuration settings not set below can be set using the postfix_main_cf type.
postfix::service
: Service class called from postfix
Defined types
postfix::alias
: Add an alias to the postalias file. See aliases(5) for details of the internal format.
Resource types
postfix_main_cf
: Modifies settings in the postfix main.cf configuration file.
Data types
Postfix::InetProtocols
: Allowed inet protocol settings
Postfix::ManCiphers
: Allowed mandatory ciphers
Classes
postfix
Set up the postfix mail server. This also aliases 'mail' to 'mutt' for root.
Parameters
The following parameters are available in the postfix class:
main_cf_hash
Data type: Hash
Hash of main.cf configuration parameters
- Is a deep merge of hieradata and data-in-module settings.
- For backward compatibility, all main.cf settings already set from other sources in this module ($inet_protocols and numerous postfix::server parameters) CANNOT also be set in $main_cf_hash. Otherwise, the catalog will fail to compile because of duplicate postfix_main_cf resource declarations.
enable_server
Data type: Boolean
Whether or not to enable the externally facing server.
Default value: false
postfix_ensure
Data type: String
String to pass to the postfix package ensure attribute
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
mutt_ensure
Data type: String
String to pass to the mutt package ensure attribute
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
inet_protocols
Data type: Postfix::InetProtocols
The protocols to use when enabling the service
Default value: fact('ipv6_enabled') ? { true => ['all'], default => ['ipv4'] }
aliases
Data type: Optional[Hash]
Hash of alias key/value pairs that can be set in hieradata. Example:
postfix::aliases:
  'root': 'system.administrator@mail.mil'
  'foo.bar': 'fbar, fbar@example.com'
postfix::config
Configuration class called from postfix.
- Configures settings in the main.cf file.
- Builds the alias database so most system users mail will get sent to the root mailbox.
- Sets up root's mail alias to be mutt and sets up the mutt configuration to read the Maildir in root's home directory.
- Sets permissions on other postfix configuration files.
- Creates postfix processing directories.
postfix::config::aliases
aliases configuration class called from postfix::config.
postfix::config::main_cf
main.cf configuration class called from postfix::config.
Set settings in /etc/postfix/main.cf based on postfix::main_cf_hash and postfix::inet_protocols.
IMPORTANT:
- postfix::main_cf_hash value is a deep merge of hieradata and data-in-module settings.
- For backward compatibility, all main.cf settings already set from other sources in this module (postfix::inet_protocols and numerous postfix::server parameters) CANNOT also be set in postfix::main_cf_hash. Otherwise, the catalog will fail to compile because of duplicate postfix_main_cf resource declarations.
postfix::config::root
root user postfix Configuration class called from postfix::config.
postfix::install
Install the packages, users and groups needed for the postfix server.
postfix::server
This sets up an outward facing Postfix server.
Any configuration settings not set below can be set using the postfix_main_cf type.
Parameters
The following parameters are available in the postfix::server class:
inet_interfaces
firewall
trusted_nets
enable_user_connect
enable_tls
enforce_tls
mandatory_ciphers
haveged
pki
app_pki_external_source
app_pki_dir
app_pki_key
app_pki_cert
app_pki_ca_dir
inet_interfaces
Data type: Array[String[1]]
The interfaces upon which to listen per the inet_interfaces option in main.cf.
- This defaults to all since it is assumed that you would not be using this class if you didn't want an externally listening server.
Default value: ['all']
firewall
Data type: Boolean
If the externally facing server is enabled, whether or not to use the SIMP iptables class.
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
trusted_nets
Data type: Simplib::Netlist
The list of clients to allow through IPTables
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
enable_user_connect
Data type: Boolean
If set to 'true', allows users to connect on port 587 directly. This probably is what you want for an internal server, but not what you want for an externally facing bastion server.
Default value: true
enable_tls
Data type: Boolean
Whether or not to enable TLS.
Default value: true
enforce_tls
Data type: Boolean
Whether or not to enforce the use of TLS, even over port 25.
Default value: true
mandatory_ciphers
Data type: Postfix::ManCiphers
The ciphers that must be used for TLS connections.
Default value: 'high'
haveged
Data type: Boolean
If true, include haveged to assist with entropy generation.
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })
pki
Data type: Variant[Enum['simp'],Boolean]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/postfix/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/postfix/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/postfix/pki.
Default value: '/etc/pki/simp_apps/postfix/x509'
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Path to the CA.
Default value: "${app_pki_dir}/cacerts"
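An added example, not part of the module's own documentation: Hiera data for an externally facing bastion that uses only the parameters documented above, bound through Puppet's automatic class parameter lookup. It assumes the SIMP iptables and pki modules are available in the environment; the network range and mail address are constructed placeholders.

```yaml
# Hiera data for a bastion mail relay (added example).
# Values marked "constructed" are placeholders, not taken from the module.
postfix::enable_server: true              # default is false

# Listener and firewall
postfix::server::inet_interfaces:
  - 'all'
postfix::server::firewall: true           # use the SIMP iptables class
postfix::server::trusted_nets:
  - '192.0.2.0/24'                        # constructed (documentation range)

# Bastion: do not let users connect on port 587 directly (default is true).
postfix::server::enable_user_connect: false

# TLS: keep it enabled and enforced, even over port 25.
postfix::server::enable_tls: true
postfix::server::enforce_tls: true

# Postfix::ManCiphers also accepts 'export', 'low', 'medium' and 'null'.
# 'export' and 'low' admit weak ciphers and 'null' provides no encryption,
# so none of them belongs on an outward facing server.
postfix::server::mandatory_ciphers: 'high'

# Certificates: include SIMP's pki module and let pki::copy manage the
# application certs under /etc/pki/simp_apps/postfix/x509.
postfix::server::pki: 'simp'

# Extra entropy for TLS key operations.
postfix::server::haveged: true

# Route root's mail to a monitored mailbox.
postfix::aliases:
  'root': 'postmaster@example.com'        # constructed
```

Any main.cf setting that these parameters already manage must not be repeated in postfix::main_cf_hash, or the catalog fails to compile on the duplicate postfix_main_cf declaration.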
postfix::service
Service class called from postfix
Defined types
postfix::alias
Add an alias to the postalias file. See aliases(5) for details of the internal format.
Parameters
The following parameters are available in the postfix::alias defined type:
name
The account to receive the alias.
values
Data type: String[1]
The RHS values of the postalias file in accordance with aliases(5).
Resource types
postfix_main_cf
Modifies settings in the postfix main.cf configuration file.
Properties
The following properties are available in the postfix_main_cf type.
value
The value to which to set the named parameter.
Parameters
The following parameters are available in the postfix_main_cf type.
name
namevar
The parameter to modify.
provider
The specific backend to use for this postfix_main_cf resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
Data types
Postfix::InetProtocols
Allowed inet protocol settings
Alias of Array[Enum['all','ipv4','ipv6']]
Postfix::ManCiphers
Allowed mandatory ciphers
Alias of Enum['export', 'low', 'medium', 'high', 'null']
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 5.11.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 5.10.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 5.9.0
- Add AlmaLinux 8 support
- Mon Jul 24 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 5.8.0
- Add RockyLinux 8 support
- Tue Aug 02 2022 Mike Riddle mike@sicura.us - 5.7.0
- Added the ability for users to specify aliases via hieradata
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 5.6.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 5.5.1
- Removed EL6 support
- Tue Dec 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 5.5.0-0
- Add EL8 support
- Wed Sep 11 2019 Trevor Vaughan tvaughan@onyxpoint.com - 5.4.0-0
- Add support for simp-simplib 4
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 5.4.0-0
- Drop Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Add puppetlabs-concat 6 support
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 5.3.0-0
- Add v2 compliance_markup data
- Tue Mar 05 2019 Chris Tessmer chris.tessmer@onypoint.com - 5.2.1-0
- Fixed "unrecognized escape `\''" error in /root/.muttrc
- Fix DOS formatting of CHANGELOG
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 5.2.1-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated a URL in the README.md
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 5.2.0-0
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Update badges and contribution guide URL in README.md
- Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 5.2.0-0
- Update Hiera 4 to Hiera 5
- Mon Jul 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 5.2.0-0
- Ensure that only IPv4 is used if IPv6 is disabled on the system
- Add support for OEL and Puppet 5
- Tue Jun 19 2018 Nick Miller nick.miller@onyxpoint.com - 5.1.0-0
- Avoid changing the permissions from the vendored RPM
- /etc/postfix/* perms from 0640 to 0644
- /usr/libexec/postfix management is no longer recursive
- /var/spool/mail perms from 0755 to 0775
- Cleanup unneeded fixtures and update CI assets
- Thu May 17 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 5.1.0-0
- Added main_cf_hash parameter so a list of additional settings for main.cf file can be added without the need for entering a resource for each one.
- Added the smtpd_client_restrict entry to main.cf per the STIG.
- Updated simpcat to concat.
- Rearranged code into sub-classes to make it easier to follow.
- Tue Mar 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.3-0
- Ensure that only IPv4 is used if IPv6 is disabled on the system
- Fri May 19 2017 Nick Miller nick.miller@onyxpoint.com - 5.0.2-0
- Removed audit metaparameter
- Implemented package_ensure catalyst
- Cleaned up some code formatting
- Update puppet requirement and remove OBE pe requirement in metadata.json
- Tue Jan 10 2017 Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0
- Updated the pki scheme
- Application certs now managed in /etc/pki/simp_apps/postfix/x509
- Wed Jan 04 2017 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0
- Strong type module
- Use simp_options catalyst lookups and parameter names
- Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Minor cleanup
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Thu Nov 10 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Eliminated use of deprecated Puppet.newtype
- Updated to compliance_markup version 2
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.4-0
- Fix Forge haveged dependency name
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0
- Migration to semantic versioning and fix of the build system
- Added basic acceptance tests
- Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.2-0
- Use_haveged is now a global catalyst.
- Mon Jun 27 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.1-0
- Pupmod-haveged included by default to assist with entropy generation.
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-7
- Added compliance function support
- Mon Feb 15 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-6
- Removed common dependency (simplib takes care of it)
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-5
- Migration to simplib and simpcat (lib/ only)
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Changed puppet-server requirement to puppet
- Tue Jun 24 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-2
- Changed all checksums to sha256 instead of md5 in an effort to enable FIPS.
- Tue Mar 18 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Added rspec tests.
- Removed the postfix::conf::main_cf::set define and replaced it with the postfix_main_cf native type.
- Updated all classes to be Puppet3 and Hiera compatible.
- Fleshed out the postfix::server class in such a way that it now provides a fully functioning server when called.
- Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-0
- Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
- Fri Jul 26 2013 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.1-5
- Updated to use simp_file_line instead of file_line from stdlib.
- Tue Jan 15 2013 Maintenance 2.0.1-4
- Created a Cucumber test which installs and configures a postfix server and checks to make sure a user is created and the postfix service is running.
- Mon Aug 20 2012 Maintenance 2.0.1-3
- Ensure that /etc/postfix is world readable.
- Wed Apr 11 2012 Maintenance 2.0.1-2
- Now use the Puppet Labs stdlib function 'file_line' instead of 'functions::append_if_no_such_line'
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 2.0.1-1
- Improved test stubs.
- Wed Feb 22 2012 Maintenance 2.0.1-0
- Postfix now no longer attempts to copy the content of any file into place except those that you piece together with the aliases commands. It was simply too restrictive for successful mail server usage. was getting copied into /etc/postfix.
- Loosened up some of the permissions to allow people to do crazy things in their /etc/postfix directory manually if they so choose.
- Mon Dec 26 2011 Maintenance 2.0.0-4
- Updated the spec file to not require a separate file list.
- Mon Dec 05 2011 Maintenance 2.0.0-3
- Removed the conflicting 'tidy' statement from init.pp and replaced it with a 'purge' in the associated file statement.
- Mon Oct 10 2011 Maintenance 2.0.0-2
- Modified all multi-line exec statements to act as defined on a single line to address bugs in puppet 2.7.5
- Mon Apr 18 2011 Maintenance - 2.0.0-1
- Changed puppet://$puppet_server/ to puppet:///
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Updated to use concat_build and concat_fragment types
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-1
- Converting all spec files to check for directories prior to copy.
- Mon May 24 2010 Maintenance 1.0-0
- Doc update and code refactor.
- Thu Jan 28 2010 Maintenance 0.1-11
- Root's .muttrc now properly points to /var/spool/mail/root for newly delivered mail and pulls it into a Maildir in ~root/Maildir.
- Wed Dec 16 2009 Maintenance 0.1-10
- Added a conf::main_cf::set define that calls the postconf application to set any value in main.cf that you like.
- Fri Dec 04 2009 Maintenance 0.1-9
- Removed dependence on rsync.
- Added templates for files that should be templated.
- Moved static files into 'files' section of the module.
Dependencies
- puppetlabs/concat (>= 6.4.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
pupmod-simp-postfix - A Puppet Module for managing Postfix -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.