Quotes around alias_maps on RHEL6/postfix 2.6.6 don't work. Do they on other OSes?

-alias_maps = hash:/etc/aliases
+alias_maps = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"

Postfix error in /var/log/maillog:

Feb  4 16:26:07 ncc16405 postfix/smtpd[9529]: fatal: unsupported dictionary type: "hash
Feb  4 16:26:08 ncc16405 postfix/master[9523]: warning: process /usr/libexec/postfix/smtpd pid 9529 exit status 1
Feb  4 16:26:08 ncc16405 postfix/master[9523]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

This would really be fantastically easy to use if it was available on the Puppet Forge. Then people could just list it as a dependency in their Modulefiles.

Hi,

Is there any plans of making the postcreen postfix option manageable by this module?
It needs changes in main.cf, but also in master.cf.
(http://www.postfix.org/POSTSCREEN_README.html)

Thanks,

Installing bsd-mailx probably makes the most sense.

Error: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install mailx' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
Package mailx is a virtual package provided by:
  mailutils 1:2.1+dfsg1-4ubuntu1
  heirloom-mailx 12.4-1.1
  bsd-mailx 8.1.2-0.20090911cvs-2ubuntu1
You should explicitly select one to install.
E: Package mailx has no installation candidate
Error: /Stage[main]/Postfix::Packages/Package[mailx]/ensure: change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install mailx' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
Package mailx is a virtual package provided by:
  mailutils 1:2.1+dfsg1-4ubuntu1
  heirloom-mailx 12.4-1.1
  bsd-mailx 8.1.2-0.20090911cvs-2ubuntu1
You should explicitly select one to install.
E: Package mailx has no installation candidate

The selector wants to match against lsbdistcodename, not lsbdistrelease. Please see commit 0bf96e1 in https://github.com/hakamadare/puppet-postfix for a fix.

thanks,
-steve

When acting as an mta (by setting mta to true), relayhost must be set to 'direct' for postfix to actually run as an independent mta, and not just relaying email to a smarthost. This is noted in the comments in the mta manifest, but that might be hard to find. Please add it to README.md as well.

I haven't delved deeply into the puppet code itself, but I find that the $mynetworks parameter to the main class at https://github.com/camptocamp/puppet-postfix/blob/master/manifests/init.pp#L85 is ignored. I ended up having to specify the 'mynetworks' parameter as a postfix::config item instead. Anyone else having this problem?

I had this snippet in hiera:

postfix::myorigin: '$mydomain'
postfix::mynetworks: '10.90.0.0/16, 10.91.0.0/16, 127.0.0.0/8, 10.96.0.0/16'

The 'mynetworks' parameter was not being created yet the 'myorigin' parameter was.

puppet 2.7.11, ubuntu 12.04 LTS
I try to install postfix with a specific configuration:

class { 'postfix':
     smtp_listen     => 'all',
}
postfix::config { "mynetworks": value => "192.168.0.0/24, 127.0.0.1" }
postfix::config { "relay_domains": value => "localhost" }
postfix::config { "myhostname": value => "mail.cloud.local"}
postfix::config { "queue_directory": value => "/data/mail"}
postfix::config { "mydestination": value => "mail.cloud.local, localhost"}

Mount point and directory are configured previously. After reboot and puppet run postfix is running but not usable:

Jul 15 13:28:06 mail postfix/master[13347]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable

Maybe postfix was started with standard configuration and later it was not possible to reach the lock file. A workaround described in eumel8@c202406 but it's not really the solution.

Hi all,
actually we use this postfix configuration for generic server in hiera (configures an relayhost only):

resources:
postfix::config:         
  'relayhost':           
    value: 'my.relay.host'

which works fine.
Now I want to configure, that all emails from e.g. root get forwarded to a common cron-postbox.
Current /etc/aliases looks like this:

# HEADER: This file was autogenerated at 2016-01-22 13:54:47 +0000
# HEADER: by puppet.  While it can still be managed manually, it
# HEADER: is definitely not recommended.
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: nobody

Question: Can I change the line "root: nobody" to "root: [email protected]" within this manifest?
I saw this module uses the augtool, but it looks like this manifest can not handle e.g. "/files/etc/aliases/13/".
May this only a error in reasoning by myself - any suggestion?

Thx and Greets
Simon

It seems that changes to Class[postfix::files] will trigger a refresh of Class[postfix::service] which ends up triggering both a postfix restart and a postfix reload.

Is this intentional?

Example:

Info: Postfix::Config[myorigin]: Scheduling refresh of Class[Postfix::Service]
Info: Class[Postfix::Files]: Scheduling refresh of Class[Postfix::Service]
...
Info: Class[Postfix::Service]: Scheduling refresh of Service[postfix]
Info: Class[Postfix::Service]: Scheduling refresh of Exec[restart postfix after packages install]
Debug: Exec[restart postfix after packages install](provider=posix): Executing '/etc/init.d/postfix restart'
Debug: Executing '/etc/init.d/postfix restart'
Notice: /Stage[main]/Postfix::Service/Exec[restart postfix after packages install]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Postfix::Service/Exec[restart postfix after packages install]: The container Class[Postfix::Service] will propagate my refresh event
Debug: Executing '/sbin/service postfix status'
Debug: Executing '/sbin/chkconfig postfix'
Debug: Executing '/sbin/service postfix status'
Debug: Executing '/etc/init.d/postfix reload'
Notice: /Stage[main]/Postfix::Service/Service[postfix]: Triggered 'refresh' from 1 events

Please see #131. I can't overwrite the virtual_alias_maps setting via hiera, because it is already declared in mta.pp in line 52. Meaning, the workaround in the mentioned issue does not work.

What I want to do (some.yaml):
postfix::config:
'virtual_alias_maps':
value: 'hash:PATH'

Some for transport file.

Looking at mta.pp and init.pp, a fix would be to add $virtual_alias_maps and $transport_maps to the postfix class in init.pp and change mta.pp accordingly. (see $mydestination in postfix::mta class)

The postfix::config defined type should allow arrays for values.

This...

postfix::config { 'mydestination':
    ensure => present ,
    value => [ $::fqdn , "smtp.${::domain}" , 'localhost' , 'localhost.localdomain' , "localhost.${::domain}" ]
}

should be the same as:

postfix::config { 'mydestination':
    ensure => present ,
    value => "$::fqdn smtp.${::domain} localhost localhost.localdomain localhost.${::domain}"
}

But the first one is easier to maintain, especially when pulling values from Hiera.

include postfix postfix::config { 'master_smtp': value => 'smtp inet n - n - - smtpd', }
does not take effect in the master.cf... as the 127.0.0.1:smtp value still persists... thoughts?

The file resource that generates master.cf is missing a template() invocation. Please see commit c4b9ad6 of http://github.com/hakamadare/puppet-postfix for a fix.

The regex check used to validate the mynetworks setting does not currently allow for multiple values. For instance, I'd like to end up with:

mynetworks = 10.12.0.0/16 10.22.0.0/16 127.0.0.0/8

Easy fix would be changing the regex_check in manifests/mta.pp to allow for multiple values.

Hi,

We use pcre_table(5) format for sender_canonical_maps which doesn't require postmap execution and has a slightly different format (which the existing lens does not support).

Would it be possible to:

1. Modify the hash command to support a type and action (defaulting to hash, postmap execution) but supporting null/noop for the action
2. Modify the postfix_canonical lens, or supply an additional one to support pcre_table format?
   And use that lens as appropriate?

At present we are managing this as a separate file so this is a 'nice to have'

Using:

class { '::postfix':
    inet_interfaces => $inet_interfaces,
    mynetworks      => join($mynetworks, ','),
    smtp_listen     => 'all',
    mta             => true,
    relayhost       => 'direct'
}

With $inet_interfaces = all.

The reload issued by puppet-postfix is not enough to make postfix listen on 0.0.0.0:

[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                  ::1:25                   :::*     
tcp    LISTEN     0      100            127.0.0.1:25                    *:*     
[vagrant@relay-2008 ~]$ service postfix reload
[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                  ::1:25                   :::*     
tcp    LISTEN     0      100            127.0.0.1:25                    *:*     
[vagrant@relay-2008 ~]$ sudo service postfix reload 
Reloading postfix:                                         [  OK  ]
[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                  ::1:25                   :::*     
tcp    LISTEN     0      100            127.0.0.1:25                    *:*     
[vagrant@relay-2008 ~]$ sudo postfix reload
postfix/postfix-script: refreshing the Postfix mail system
[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                  ::1:25                   :::*     
tcp    LISTEN     0      100            127.0.0.1:25                    *:*     
[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                  ::1:25                   :::*     
tcp    LISTEN     0      100            127.0.0.1:25                    *:*     
[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                  ::1:25                   :::*     
tcp    LISTEN     0      100            127.0.0.1:25                    *:*

Restart works:

[vagrant@relay-2008 ~]$ sudo service postfix restart
Shutting down postfix:                                     [  OK  ] 
Starting postfix:                                          [  OK  ]
[vagrant@relay-2008 ~]$ ss -tulpn | grep :25
tcp    LISTEN     0      100                   :::25                   :::*     
tcp    LISTEN     0      100                    *:25                    *:*     
[vagrant@relay-2008 ~]$ 

Suggestion: change "/etc/init.d/postfix reload" to "service postfix restart" in service.pp.

I'm running Puppet 2.7 and want to use this module to manage Postfix on Debian Wheezy.

After retrieving this module and declaring a postfix::satellite, I got this error on my puppet agent

Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type augeas::lens

I found that I need to install camptocamp/augeas module.

I installed it and got this new error

You must declare the augeas class before using augeas::lens at /etc/puppet/modules/augeas/manifests/lens.pp:33

So I added include augeas before using postfix::satellite, but I got this third error

Unknown function validate_re at /etc/puppet/modules/augeas/manifests/lens.pp:38

Maybe you can help on how I can solve this specific problem.
Second thought: maybe the documentation (installation and usage) could be more precise.

Thanks.

Hi,

I see that using regexp in hash files like virtual, transport and canonical is not suported due the augeas len. I don't know enough about augeas to implement it. Is there any plan to implement that in the augeas or any alternative to achive this?

Thanks.

https://travis-ci.org/camptocamp/puppet-postfix/jobs/42101525 fails because the empty string is true in the future parser.

This needs to be fixed in the default values of postfix::transport (https://github.com/camptocamp/puppet-postfix/blob/master/manifests/transport.pp)

RHEL 7.2:

Notice: /Stage[main]/Postfix::Mta/Postfix::Hash[/etc/postfix/virtual]/File[/etc/postfix/virtual.db]/ensure: created
Notice: /Stage[main]/Postfix::Mta/Postfix::Hash[/etc/postfix/transport]/File[/etc/postfix/transport.db]/ensure: created

-rw-r--r--. 1 root root  13K Jan 26  2014 transport
-rw-------. 1 root root    0 Apr 28 14:25 transport.db
-rw-r--r--. 1 root root  13K Jan 26  2014 virtual
-rw-------. 1 root root    0 Apr 28 14:25 virtual.db

Currently, lines 63-64 of templates/master.cf.redhat.erb:

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

However, user vmail does not exist for default installation of Postfix in RHEL6. Suggest using making use of the $postfix_mail_user parameter.

Example scenario:

inet_interfaces needs to be set first. However, it isn't, so the Exec['newaliases'] resource fails. Perhaps the Exec['newaliases'] ought to occur after main.cf options are managed?

As per title, this module requires elements from stdlib, but the module does not declare a dependency on that module.

I'd like to use postfix::hash to manage a file called /etc/postfix/relayhost_credentials. The problem is this file will contain passwords should not be world readable.

Could you parameterise mode in the postfix::hash define?
Much appreciated.

Using simple "Satellite" configuration:

inet_interfaces: loopback-only
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin: $mydomain
relayhost: smtp.cervedgroup.com
satellite: true

I get this error:

Error: /Stage[main]/Postfix::Satellite/Postfix::Virtual[@$mydomain]/Augeas[Postfix virtual - @$mydomain]: Could not evaluate: Saving failed, see debug

Using:

satellite: false
mta: true

I get no errors.

Distribution is Red Hat 7.2.

Hello,
it seems like that due to the fact that Centos 7 is natively using systemd the restart mechanism defined in manifests/service.pp is not working:

class postfix::service {
  service { 'postfix':
    ensure    => running,
    enable    => true,
    hasstatus => true,
    restart   => '/etc/init.d/postfix reload',
  }
}

Is there a way to work around this or should I send a PR to have a case statement based on the fact operatingsystem and operatingsystemmajrelease to change the restart mechanism to systemctl reload postfix for Centos 7?

Hi,

the satellite.pp enforces the creation of a host-specific resource in line 42: "@${postfix::myorigin}"
Please make this optional. There are valid reasons for not configuring a catchall-address on a satellite.
In the meantime I have workaround that by creating a custom virtual.db-file. Meaning, the original will still be in the filesystem, unused. That's ok but I like it clean ... :)

Regards

I am using a satellite simple setup with following definition, but there is an issue with the transport.db database. When I am running the command postmap /etc/postfix/transport manually, it will work.

  class { '::postfix':
    satellite       => true,
    relayhost       => '[relayhost.example.com]',
    inet_interfaces => 'loopback-only',
    mynetworks      => 'localhost',
    root_mail_recipient => '[email protected]'
  }

/var/log/mailllog shows following entries.

Sep  1 17:20:59 localhost postfix/pickup[5616]: 8230420F9048: uid=0 from=<root>
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: error: open database /etc/postfix/transport.db: Invalid argument
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: hash:/etc/postfix/transport is unavailable. open database /etc/postfix/transport.db: Invalid argument
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: hash:/etc/postfix/transport lookup error for "*"
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: hash:/etc/postfix/transport is unavailable. open database /etc/postfix/transport.db: Invalid argument
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: hash:/etc/postfix/transport lookup error for "*"
Sep  1 17:20:59 localhost postfix/cleanup[5959]: 8230420F9048: message-id=<[email protected]>
Sep  1 17:20:59 localhost postfix/qmgr[5617]: 8230420F9048: from=<[email protected]>, size=493, nrcpt=1 (queue active)
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: hash:/etc/postfix/transport is unavailable. open database /etc/postfix/transport.db: Invalid argument
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: hash:/etc/postfix/transport lookup error for "[email protected]"
Sep  1 17:20:59 localhost postfix/trivial-rewrite[5960]: warning: transport_maps lookup failure
Sep  1 17:20:59 localhost postfix/qmgr[5617]: warning: connect to transport private/retry: Connection refused
Sep  1 17:20:59 localhost postfix/qmgr[5617]: 8230420F9048: to=<[email protected]>, relay=none, delay=0.08, delays=0.07/0.01/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)

Hello have been trying to pass in an Array of options to the postfix::config class like below for the 'virtual_alias_maps' entry in the configuration to manage postfix, as shown or any other value that may take an array like 'smtpd_recipient_restrictions'

postfix::config {"virtual_alias_maps":
    ensure => present,
    value  => [
    'proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf',
    'proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf',
    'proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf',
  ],
}

Is this feature in your module because haven't seen it on the docs and thought it must be present ... or do I have to come up with a workaround

because this is the error it throws in the image

Your say is much appreciated regards Gideon Maina.

Currently we use a regex map with this regex: /.+@.+/

This allows all of our dev machines to send email to a single address and not email customers during dev or testing.

We got the config from here: http://serverfault.com/questions/144325/how-to-redirect-all-postfix-emails-to-one-external-email-address

This works perfect if we configure by hand, but I want every machine in puppet and the lens in this project doesn't support regex map files. I've edited the lens and made it work, but only if I remove the test files. I have no idea why the test is failing and would love some help. I can submit the lens changes if you like.

Hi, i'm using this class in katello (Foreman) , I apply the top-level class postfix to some hosts where I defined an override value for the parameter relayhost. When puppet agent runs in the hosts, relayhost keeps unchanged although other parameters like myorigin, or my destination work without errors.

If i use postfix::mta instead postfix top level class, they work ok, but also change other things.
Can you help me on this?
Regards

Hi,

When attempting to use postfix::canonical this fails and I get:
Could not find dependency Augeas::Lens[postfix_canonical] for Augeas[Postfix canonical - <some_name>]

Looking in mainfests/augeas.pp I can see that the actual reference to the provided lenses is not there.

Thanks,

Brett

Currently the postfix service is hardcoded to running/enabled. Can we have a service_ensure and service_enable?

I'd like to request support for canonical and generic maps. In our organisation we do not use virtual maps, just canonical maps. I tried using postfix::virtual to do what I needed, but it did not work.

postfix::hash { "/etc/postfix/canonical":
  ensure => present,
}

postfix::config { "canonical_maps":
  value => "hash:/etc/postfix/canonical"
}

postfix::virtual { "[email protected]":
  ensure      => present,
  file        => '/etc/postfix/canonical',
  destination => "root",
}

Running the above code gives this:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid relationship: Augeas[Postfix virtual - [email protected]] { notify => Exec[generate /etc/postfix/virtual.db] }, because Exec[generate /etc/postfix/virtual.db] doesn't seem to be in the catalog

Centos file uses systemd so there's no initfile: /etc/init.d/postfix.

Suggestion:

Substitude "/etc/init.d/postfix reload" for LSB's "service postfix reload" in service.pp (or even "service postfix restart" see #81.

I have set up a couple of Ubuntu 14.04 machines with Postfix, simply by including this module without further parameters. The following Puppet run is succesful, but the postfix service is not running afterwards. There is an error message in /var/log/mail.err:

Apr 14 10:10:24 wsntbk13 postfix/master[22826]: fatal: bind 127.0.0.1 port 25: Address already in use

After the second Puppet run, everything works as expected.

How do you define multiple LDAP options?

bind = yes
bind_dn = cn=something,dc=example,dc=com
bind_pw = somepass
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))

Hello.
I've just started looking at this module.
I'm getting an error when applying this simple manifest.

class { 'postfix':
  satellite   => true,
  smtp_listen => '127.0.0.1',
  relayhost   => '[mailout.example.com]',
}

Error: Evaluation Error: Error while evaluating a Function Call, You must declare the augeas class before using augeas::lens at /tmp/modules/augeas/manifests/lens.pp:34:5

Is the correct fix as simple as including ::augeas at the top of postfix::augeas?

Versions used:
camptocamp-augeas (v1.2.3)
camptocamp-postfix (v1.2.1)

Thanks,
Alex

I've run into this frustrating problem with this module that I don't know how to solve, I'd be interested to hear if you have any good ideas for ways to fix this.

The problem is when you deploy this module, there may be configuration values that were previously set that aren't modified in the module deployment that can break things. For example, if you install postfix on a machine the installation might result in various postfix values being set (either by the package manager, or otherwise), and then when you deploy this module some of those values may be modified, and some not resulting in a non-deterministic postfix configuration which can be quite broken.

To ensure a clean configuration in the way that you intend it, the main.cf and master.cf that exist before the module is deployed should be removed or the values somehow unset. If the main.cf/master.cf already exist on the system, the contents of those files will have the values from this module set, but the others not touched. It would be good if all those could be cleared from the beginning.

I want to be able to remove configuration options that are not managed by puppet... is there some mechanism in augeas to purge unmanaged configurations or similar?

The only ways I can think of solving this are ugly, such as making an exec that removes the main.cf/master.cf and then touches some file to indicate that it has been purged and then the onlyif parameter is passed to check if that file exists.... another option would be to change completely from the postifx::config augeas methods to using templates, but this is also not a great solution either.

thanks for any ideas you might have!

Ubuntu 16.04 comes with postfix 3.1.0 which.
Postfix 3.0 has changed the default for chroot:

Chroot (default: Postfix >= 3.0: n, Postfix <3.0: y)

For an easy fix, we should simply be explicit as to which daemons should be chrooted, while following the advise on the same page:

          Chroot should not be used with the local(8), pipe(8),  spawn(8),
          and virtual(8) daemons.  Although the proxymap(8) server can run
          chrooted, doing so defeats most of the purpose  of  having  that
          service in the first place.

postfix::config does not escape / sanitize the values being provided to the augeas resource.

A real-world example:

include postfix
postfix::config { 'smtpd_banner':
    ensure => present ,
    value => '$myhostname go away and don\'t bother me' ,
}

This tries to set the smtpd_banner to $myhostname go away and don't bother me, but what it actually gets set to is shown here:

Notice: Augeas[manage postfix 'smtpd_banner'](provider=augeas):
--- /etc/postfix/main.cf        2014-02-20 11:04:19.000000000 +0000
+++ /etc/postfix/main.cf.augnew 2015-10-28 22:06:08.329105570 +0000
@@ -674,3 +674,4 @@
 # readme_directory: The location of the Postfix README files.
 #
 readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
+smtpd_banner = $myhostname go away and don

On RHEL 7, /etc/mailname selinux type isn't postfix_etc_t, but is a regular /etc etc_t.

Ideally this module shouldn't be changing selinux types from the distribution default.

on the has class why are the source/content params validated as strings?
this limits the possibility to use arrays to let puppet choose the content from an array of options and fallback to default. example:

     '/etc/postfix/virtual':
       source => [ "puppet:///path/to/my/repo/${hostname}/virtual",
                          "puppet:///path/to/my/repo/default/virtual" ]```

this option is given in the puppet file resource type, why remove it?

suggest: 
  remove:
    validate_string($source) and validate_string($content) for hash manifest lines 34-35 hash.pp
  add:
    if ! is_string($source) and ! is_array($source) { fail(value for source should be either String Type or Array type go "${source}") }
    if ! is_string($content) and ! is_array($content) { fail(value for source should be either String Type or Array type go "${content}") }

Hi,

When trying to define a virtual map I get the following error:

 err: /Stage[main]/Profile::Postfix_factory/Postfix::Virtual[[email protected]]/Augeas[Postfix virtual - '[email protected]']: Could not evaluate: Save failed with return code false

The parameter values are being fed from hiera:

 postfix::hash:
   /etc/postfix/virtual: {
     ensure: 'present'
   }
 postfix::config:
   virtual_alias_maps: {
     value: 'hash:/etc/postfix/virtual'
   }
 postfix::virtual:
   "[email protected]": {
     destination: 'baz'
   }

I'm using inline_template to view the hash in pe-httpd/error_log and the hashes look correct to me:

 {"virtual_alias_maps"=>{"value"=>"hash:/etc/postfix/virtual"}}
 {"/etc/postfix/virtual"=>{"ensure"=>"present"}}
 {"[email protected]"=>{"destination"=>"baz"}}

I also tried transport with no avail:

 err: /Stage[main]/Profile::Postfix_factory/Postfix::Transport[mailman.foo.com]/Augeas[Postfix transport - mailman.foo.com]: Could not evaluate: Save failed with return code false,

augeas is included.

Thanks

Error: Execution of '/usr/bin/yum -d 0 -e 0 -y list postfix-ldap' returned 1: Error: No matching Packages to list
Error: /Stage[main]/Postfix::Ldap/Package[postfix-ldap]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y list postfix-ldap' returned 1: Error: No matching Packages to list

It would be nice to be able to manage the inet_protocols parameter.

warning: dict_ldap_open: URL scheme ldaps requires protocol version 3

The whitelist for characters in e-mail addresses in postfix_canonical.aug is sadly lacking. In my particular case, it didn't include "+", but https://tools.ietf.org/html/rfc2822 also specifies that quite a number of other non-alpha-numeric characters are also valid (section 3.2.4). I can confirm that adding + to the regex works, so the rest are probably ok too.

you should mention this somewhere. thanks