]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/exim/recipes/default.rb
Limit mail connections from smarthosts by address
[chef.git] / cookbooks / exim / recipes / default.rb
index 30617cc8e3da18a4877fba292dae0353ef52dd19..789c4e253a1802b82d68e5e504480a914472b91b 100644 (file)
@@ -85,7 +85,7 @@ end
 relay_from_hosts = node[:exim][:relay_from_hosts]
 
 if node[:exim][:smarthost_name]
-  search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host|
+  search(:node, "exim_smarthost_via:*?").each do |host|
     relay_from_hosts |= host.ipaddresses(:role => :external)
   end
 
@@ -240,10 +240,29 @@ if node[:exim][:smarthost_name]
     end
   end
 else
+  smarthosts_inet = []
+  smarthosts_inet6 = []
+
+  search(:node, "exim_smarthost_name:*?").each do |host|
+    smarthosts_inet |= host.ipaddresses(:role => :external, :family => :inet)
+    smarthosts_inet6 |= host.ipaddresses(:role => :external, :family => :inet6)
+  end
+
   node[:exim][:daemon_smtp_ports].each do |port|
     firewall_rule "accept-inbound-smtp-#{port}" do
       action :accept
-      source "bm:mail.openstreetmap.org"
+      family :inet
+      source "net:#{smarthosts_inet.sort.join(',')}"
+      dest "fw"
+      proto "tcp:syn"
+      dest_ports port
+      source_ports "1024:"
+    end
+
+    firewall_rule "accept-inbound-smtp-#{port}" do
+      action :accept
+      family :inet6
+      source "net:#{smarthosts_inet6.sort.join(',')}"
       dest "fw"
       proto "tcp:syn"
       dest_ports port