cd_postfix | Release Notes


Postfix is a powerful Mail Transfer Agent ( MTA) on Linux and Unix platforms. It can also be used as fully fledged email storage in combination with Dovecot, Cyril or Roundcube etc. YOu can choose between plain MTA functionality or ful email store configuration via parameter.

Our cd_postfix puppet module is fully parameterized and allows to install and configure Postfix for either use case. It is designed in particular to work with Foreman as ENC.


**__!!! Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previuos configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production!!! __**




  • install required packages Configuration
  • manage service user
  • manage required directories (file system permissions, selinux context)
  • manage firewall (optional, requires cd_firewall or puppetlabs-firewall module)
  • manage configuation files (optional, requires $px_manage_config set to true)
  • manage access rules (the regular 'access' file is split into sender access and recipient access)
    • sender_access
    • recipient_access
  • manage maps
    • canonical
    • generic
    • virtual
    • virtual domains
    • network table
    • relay recipients
    • relocated
    • transport
  • manage checks
    • header checks
    • mime header checks
    • nested header checks
    • body_checks
  • auto-map changes in configuation files via postmap Maintenance
  • manage service


You can use this puppet module to configure your email server for the following modes:

  • headless MTA: Run Postfix as regular MTA with default settings (typical for regular servers to send on notifications to a central mail server)
  • managed mail server:
    • email store: regular email endpoint for email users
    • relay server
    • backup MX server
    • multiple postfix MTAs for scalability

Repo Structure

Repostructure has been moved to


All dependencies must be included in the catalogue.

Note that cd_firewall, cd_concat and cd_stdlib are forked from older versions from puppetlabs, as the original modules broke backwards compatibility at some stage. You can also try to include the originals, but in our tests this did not work correctly.


native Puppet deployment

via site.pp or nodes.pp

node '' {
  include cd_puppetdb

through Foreman:

In order to apply parameters through Foreman, cd_postfix::params must be added to the host or hostgroup in question.

See more details about class deployment on


The following parameters are editable via params.pp or can be overriden through ENC (recommended). Values changed will take immediate effect at next puppet run. Services will be restarted where necessary.

Mandatory Parameters

  • px_manage_config : Whether or not to install a fully fledged email server or just a Mail Transfer Agent (MTA) fowarding emails. Set to true for full email server.

See the full list of all available parameters


All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

Known Problems

  • Foreman and parameter inheritance with nested host groups: Foreman does not inherit declared parameters, they must be declared directly to the server or hostgroup in question. Since Postfix usually runs on all servers, but with different configurations, overriding parameters based for nested hostgroups does not work. You will need to override parameters through FQDN, or directly in the hostgroup / parameters section, not through the class/smart-parameters.


  • OS: CentOS 6, 7
  • Puppet: 3.x


  • Puppet Lint
    • excluded tests:
    • --no-class_inherits_from_params_class-check:relavant only to non-supported outdated puppet versions
    • --no-variable_scope-check: not applicable as we are inheriting parameters from params class. the lint check does not distinguish between facts and inherited parameters.
    • --no-80chars-check: it is not always possible to stay within 80 characters, although typically only occurring on the parameter vault params.pp.
    • --no-arrow_alignment-check: this check leads to actually not having am easily readable arrow alignment, as this checks per block, not per class.
  • Puppet Parser
  • ERB Template Parser

Contact Us

Click here to contact us


ConfDroid as entity is entirely independent from Puppet. We provide custom configuration modules, written for specific purposes and specific environments. The modules are tested and supported only as documented, and require testing in designated environments (i.e. lab or development environments) for parameter tuning etc. before deploying into production environments.

Leave a Reply