Adding exim::tls
authorSilvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 01:04:48 +0000 (23:04 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 01:04:48 +0000 (23:04 -0200)
files/195_exim4_config_tls_verify [new file with mode: 0644]
files/30_exim4-config_remote_smtp_tls_verify [new file with mode: 0644]
manifests/init.pp

diff --git a/files/195_exim4_config_tls_verify b/files/195_exim4_config_tls_verify
new file mode 100644 (file)
index 0000000..9935b46
--- /dev/null
@@ -0,0 +1,17 @@
+# For domains that we do not relay for, and need to verify certs.
+# Since we most probably can't have broken MX records pointing to
+# site local or link local IP addresses fixed, we ignore target
+# hosts pointing to these addresses.
+
+dnslookup_tls_verify:
+  debug_print = "R: dnslookup_tls_verify for $local_part@$domain"
+  driver = dnslookup
+  #  Do we need to verify and force TLS for this domain ?
+  domains = ! +local_domains : +tls_verify_relay_to_domains
+  transport = remote_smtp_tls_verify 
+  same_domain_copy_routing = yes
+  # ignore private rfc1918 and APIPA addresses
+  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+                       255.255.255.255
+  no_more
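Review bot: The comment above the `domains` line should say what the list actually selects, because Exim's negated-item semantics are easy to misread: `! +local_domains : +tls_verify_relay_to_domains` matches only domains that are non-local and listed in `tls_verify_relay_to_domains` (a local domain fails on the negated item, and an unlisted non-local domain falls off the end of a list whose last item is positive, so it is not matched). The router also depends on a `tls_verify_relay_to_domains` domainlist being declared in the main configuration, which this file does not do; a line such as `# requires: domainlist tls_verify_relay_to_domains = ... declared in conf.d/main` would spare the next reader a failed `exim4 -bV`. The `no_more` at the end is the security-relevant part of this router and deserves its own comment, e.g. `# no_more: if routing fails for a listed domain, do NOT fall through to the plaintext dnslookup router; defer/bounce rather than downgrade`. The trailing whitespace after `remote_smtp_tls_verify` on the transport line is harmless to Exim but worth trimming.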
diff --git a/files/30_exim4-config_remote_smtp_tls_verify b/files/30_exim4-config_remote_smtp_tls_verify
new file mode 100644 (file)
index 0000000..c5675d6
--- /dev/null
@@ -0,0 +1,15 @@
+# This transport is used for delivering messages over SMTP connections.
+# and forcing/verifying tls
+
+remote_smtp_tls_verify:
+  debug_print = "T: remote_smtp_tls_verify for $local_part@$domain"
+  driver = smtp
+  # Force TLS for all hosts on this transport
+  hosts_require_tls = *
+  #  Next 2 lines send our key in case server requests it
+  #  Not needed in this example
+  #  tls_certificate = /etc/exim4/exim.crt
+  #  tls_privatekey = /etc/exim4/exim.key
+  tls_verify_certificates =  ${if exists{/etc/ssl/certs/ca-certificates.crt}\
+                                    {/etc/ssl/certs/ca-certificates.crt}\
+                                    {/dev/null}}
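Review bot: The `/dev/null` fallback in `tls_verify_certificates` undermines the purpose of this transport: when `/etc/ssl/certs/ca-certificates.crt` is absent the server certificate is checked against an empty trust store, so either every delivery to the listed domains is deferred, or, depending on how the installed Exim release treats client-side verification failures, the certificate is accepted unverified and the "verify" in the transport name becomes a misnomer. A transport whose job is to force and verify TLS should fail at configuration time instead: use `tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt` and make the Puppet class depend on the `ca-certificates` package. The header comment should also state the limits of what is verified: on releases that have `tls_verify_hosts`/`tls_try_verify_hosts` (4.80 and later, to be confirmed against the target version) an explicit `tls_verify_hosts = *` is the unambiguous way to make failures fatal, and chain validation against the CA bundle does not by itself check that the certificate names the MX host. The comment `Not needed in this example` on the client-certificate lines reads as copied from a tutorial and should say why a client certificate is not needed here.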
index 5a41e4df1590396a0194e826c08307ea18584a69..d5c9d69baf0931c068bb8d81dfb15233f4ed339b 100644 (file)
@@ -75,3 +75,23 @@ class exim::disabled inherits exim {
     ensure  => stopped,
   }
 }
+
+class exim::tls inherits exim {
+  file { "/etc/exim4/conf.d/router/195_exim4_config_tls_verify":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => "puppet:///modules/exim/195_exim4_config_tls_verify",
+    notify => Service["exim4"],
+  }
+
+  file { "/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_tls_verify":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => "puppet:///modules/exim/30_exim4-config_remote_smtp_tls_verify",
+    notify => Service["exim4"],
+  }
+}
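Review bot: The router this class installs references the named list `+tls_verify_relay_to_domains`, but nothing in `exim::tls` declares or ships that domainlist; unless the parent `exim` class already defines it, the regenerated configuration is rejected on the restart triggered by `notify => Service["exim4"]`, and mail delivery stops. The class should either install a `conf.d/main` snippet declaring `domainlist tls_verify_relay_to_domains = ...`, ideally fed from a class parameter so the list is not hard-coded in a module file, or at minimum carry a header comment stating the requirement. Since the transport's verification depends on `/etc/ssl/certs/ca-certificates.crt` existing, a `require => Package["ca-certificates"]` on the transport resource would make that dependency explicit. Minor: `mode => 0644` as a bare octal literal is accepted by Puppet of this era, but newer releases require a quoted string (`mode => '0644'`).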