fripost-ansible/roles/out/tasks, branch master

Postfix: pin key material to our MX:es for fripost.org and its subdomains.

2021-01-26T12:35:40+00:00

This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing.  With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:

    postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

This applies to the smarthost as well as for verification probes on the
Mail Submission Agent.  Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.

This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain.  Other domains, even those using mx[12].fripost.org as MX, are
not covered.  A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461].  Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration.  It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.

Postfix: Install -lmdb in all roles using db=lmdb.

2020-05-21T01:42:54+00:00

And drop -ldap from all roles other than MX.  -lmdb is included in
roles/common but it can be helpful to have it individual roles as well
as they can be run individually.

Outgoing SMTP: masquerade internal hostnames.

2018-12-12T12:46:44+00:00

Use admin@fripost.org instead.  We were sending out (to the admin team)
system messages with non-existing or invalid envelope sender addresses,
such as  or .

Route all internal SMTP traffic through IPsec.

2016-07-10T03:14:29+00:00

Postfix: don't share the master.cf between the instances.

2016-07-10T02:53:37+00:00

Configure munin nodes & master.

2015-06-10T16:37:19+00:00

Interhost communications are protected by stunnel4.  The graphs are only
visible on the master itself, and content is generated by Fast CGI.

Hash certs using a lookup in the template instead of add a new task.

2015-06-07T00:52:58+00:00

Add a tag 'tls_policy' to facilitate rekeying.

2015-06-07T00:52:43+00:00

First generate all certs (-t genkey), then build the TLS policy maps (
-t tls_policy).

Reload Postfix upon configuration change, but don't restart it.

2015-06-07T00:52:24+00:00

(Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, require a full restart,
but most of the time it's overkill.

Don't restart/reload Postifx upon change of a file based database.

2015-06-07T00:52:23+00:00

And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect .