authorGuilhem Moulin <guilhem@fripost.org>2016-07-10 05:13:33 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-07-10 05:14:29 +0200
commitbf960a066466d7719ada8fe7bc3dec99d237b88a (patch)
tree5a66a7bbdc5dcf30efdfc50215e86d05cf112e46
parentd6ff0c078e6d70e50c888e016a8a8b9b0d8d7782 (diff)
Route all internal SMTP traffic through IPsec.
-rw-r--r--certs/postfix/antilop.fripost.org.pem32
-rw-r--r--certs/postfix/benjamin.skangas.se.pem32
-rw-r--r--certs/postfix/civett.friprogramvarusyndikatet.se.pem33
-rw-r--r--certs/postfix/elefant.fripost.org.pem31
-rw-r--r--certs/postfix/giraff.fripost.org.pem32
-rw-r--r--certs/postfix/mistral.fripost.org.pem31
-rw-r--r--certs/postfix/smtp.fripost.org.pem31
-rw-r--r--roles/IMAP/tasks/mda.yml15
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j224
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j220
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j220
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport.j213
-rw-r--r--roles/common/tasks/mail.yml50
-rw-r--r--roles/common/templates/etc/iptables/services.j217
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j227
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j23
-rw-r--r--roles/lists/tasks/mail.yml15
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j224
-rw-r--r--roles/out/tasks/main.yml15
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j217
20 files changed, 22 insertions, 460 deletions
diff --git a/certs/postfix/antilop.fripost.org.pem b/certs/postfix/antilop.fripost.org.pem
deleted file mode 100644
index bf51a71..0000000
--- a/certs/postfix/antilop.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFijCCA3KgAwIBAgIJAJ7uWvUKTBNYMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4
-MRwwGgYDVQQDDBNhbnRpbG9wLmZyaXBvc3Qub3JnMB4XDTE1MTIwMzIxNDY1MFoX
-DTI1MTEzMDIxNDY1MFowVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM
-Y2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxHDAaBgNVBAMME2FudGlsb3AuZnJpcG9z
-dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDywIWldXJuXlb5
-wox0v9z8EAubIzCJzFHJ2THS08UrbddoqrK+ZzoTvXGqPnKGrDBu5fO7X4jtwxxc
-r2ordUbRGL7V8RyHKNTv3fiQTyG2TGPjfRWFM3132V2/UfGcgKJ7mGAU66tRw0pn
-S7MVcR4ydbH9RmxBZHixYRnp3GXVvyfQzpMs8/rGAc5gUYzTP+rQ8CinPTi5m+6B
-84Hk0iSIc6q8CrZphzB0wu5hP5CVO2p1MCewbBTbxwZWETZWG9Lvi1qqEBSfZg0Q
-eO9KtJ4nhPaRVE3bwE7WMU01/PrlyB4mxvTDRx4vev3BwJGprMSCCAFDsY1Z6f2d
-vVdCzw9kclZ2HjS8jtQrsbfkD7MG+3yH03kkDGvkVtNERGdXJZLult+HlG6ct86x
-kdnucQLyCWLzYwJLG3niuRqx6TkvlWes4Ki5LqWfuo5i/pVbMgIVCsvtTOomg8oX
-DFFiJr5nLTmyM9+Ed2irxgfZQvqA5F+hH9de0IbrWoA93LI+c4UibtM8mzxO92Xq
-FEbEOzKSHd3xmE00SJMyuXfi68YS8tMuL36gZrI0A+TOOqmgvFl7HIiTCTZm6kXe
-trJryZ2jzDgVO/fT9153g7x3cUVwYo22SaY4uCaqc2itznFxYmusFbQTnbVcKSld
-3zBBZSixoRglUsT6Dzw8MvsgL5MDWwIDAQABo10wWzAcBgNVHREEFTATgRFhZG1p
-bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNV
-HQ4EFgQUSxJXkZW0jiUsORgOclClxQr5FAcwDQYJKoZIhvcNAQENBQADggIBADja
-PwJDx/YYrzf8KTPDo3FfThVYJ4CviTK6EX9FCe4mV7bPRqvQEl0S3QJ1HYAw630H
-9nD7cBxXb1DwKEZ7s5zJ8fDRhwcOlFTCeGnzdlutPcmCKbHIfP7af5or0aluesyT
-qfeP5TqAsUfa15EuiGxqrANA6IOah6EDlZdGBlo/EkCM1hqMrWJkABy8KuedOGqA
-fXgzzdzVsMfOWOmXTnhsUw/9976hgTUvGBbGXcZ5qCi46HRs0ju7XGOYe0p8ODRO
-0LOCD/eSyyZapZFeDWKFuirq9xYsWAfxJXp8qBqK+emTqnknGGKer6oPW5bHDlLx
-JAtWDZXYsdA3CqrMI3yNgZ59MrxCkAcSVdG1fRG7xzD0uubyjnTC6d0TxBbOHkOo
-73Xm6y54b9a69ysl6qWexUYY8nfPrBEzorUmYg6jTz8bGrjuq4pTjhsdthO9mfNH
-uAuGuVEfh077OBCbH8aZzkObnd6bwJ3203rFqEDZgFoTFtR2Yc226RaoN4YvgwXi
-sqEXE7on7WpTUozLGkpwlIkx8HnassUWxzDbvr76vc14sM6haQ67SK8ca/i4qELd
-u12/7NVb8V107sqTPEtWLBQkr/9P4owPRgiu9G8cZ9+bhChpUMk+YrAycu60lBI+
-M+Bh888MoRPfA5vClWejauawJXKhkaTRkPeTZNex
------END CERTIFICATE-----
diff --git a/certs/postfix/benjamin.skangas.se.pem b/certs/postfix/benjamin.skangas.se.pem
deleted file mode 100644
index fe52149..0000000
--- a/certs/postfix/benjamin.skangas.se.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFijCCA3KgAwIBAgIJAKbGm+B95GSyMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4
-MRwwGgYDVQQDDBNiZW5qYW1pbi5za2FuZ2FzLnNlMB4XDTE1MTIwMzIxMzMyM1oX
-DTI1MTEzMDIxMzMyM1owVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM
-Y2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxHDAaBgNVBAMME2JlbmphbWluLnNrYW5n
-YXMuc2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDMQjaGYOUBYNy2
-lRyNXGUu6R95HD7GWS4drfqvzNmGoCguIgCI3G4HdRwiqDmaBBVpRBJkGBqInOgm
-uIMEWvVagIDw4hndh8BNj3GQY0qLrkOOcX5kv3faWKj6EYyVuNr0o1YOWq80K3il
-FpYELCvpywgTnT7J/j2QE83cILaOTxVHGlsnetpIQKCm8eqc/LWS1oqcyFauuw8V
-IqVgYPkCXM29mnpc7ZpJC3mCfYc+TOOp1W0CVmpi1XQRnzGvdM9LDp0XJSMoRJlh
-260AvyOXusG/f96qIEniL4MqiVZm/YbAPIzGXnouzB1c4m9D/BADfX9WB5sjhXVw
-Ir2X5nKts9oCziD7nc14UXf6YRpZS9dkJ1vgKSe9r32hYdPC/Y3855iAhdCPSk9x
-Efb8PUUrVuyzT6tg0z10gLSuUQnJfzklHKJc3EFnbAf9oMTZXr8xfmKPu6BKAz0Z
-kYppcUGE2DGuDFWKegduRzDT+GSAaOt/GWQ/yxgXPkah+bw1P4poFMa1AvGulBi3
-gAkqXMfN6lV6r7HY1Z/is1G0w4Z88x5Q6Vm4DYsnNdThFGxGENqxKqv9e4et8OrC
-dj/adKilR3d6sDnx11HaC0Z4BwnQtWM6BxMpu0BtGNWQpF/HcVLGPq0foNgbTde9
-/jwIEaEEX1DDyQeSHIZ9h4jB6ZlvIQIDAQABo10wWzAcBgNVHREEFTATgRFhZG1p
-bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNV
-HQ4EFgQU2Cyd45hFuVYkzWL11zNAV2X3pzcwDQYJKoZIhvcNAQENBQADggIBAC1x
-Uwa5zH/abkkirRfzr/6KTRcr3aoSKdHaF6oBq32wNiZ3WmHBMCDzhk/1SSDkqhB8
-i8hnwoYDXUeIqCH4l/GGFHUe6cWjabJFcZQ8wYr5QK1YEH8asV3V8XruIMUDBbZ1
-rR915VHaoWynX7FeXa722LraCodCuLJoLPbEok1HGkAP+dd80qZb8oqEDgnMHGHp
-cLjgP66bBiTSSP/rh8ODM8Dzt8sYY3NFl0bze9H5rWD4jAiRCAzJLtzgpmEiClLS
-Scb6s5NbUWV7XgmIt7Zan8SzsTKTQiOt87GW1s3bVzq8e4EYKCJmifEzqcdt5an/
-NSgkNLPMvdb3DUAuh0h0UCUiTngSkGAZqw//CtcbGfRVm0MS/n48iR0Rg1DARK54
-+iINKtIgE6aIIB14s65ZgDG7xwtn8gmToya++x7f458dNh4HtjB1ZXUlZs7oiZTh
-24aMhP6im92rAgnpBaeTZkXJAi9ryWCJ7QIVP41fUECCBeN7XBZVMzdvsjKjYghl
-0i5ukvjnatwH7d9Wd+UMEKsXr6N87Tezzj8w0yssf3TiBFT75fUbpW8x6hsllMaW
-LFaue/LwXPWpGpKnHh1S7y9/nluAS0gml0zlXBpu1gR/l4rdRnrq8bcR89pMbBA8
-jcMWl+sS6U7XWVCLK0JWr1kZie0ZDRbGKac8tULy
------END CERTIFICATE-----
diff --git a/certs/postfix/civett.friprogramvarusyndikatet.se.pem b/certs/postfix/civett.friprogramvarusyndikatet.se.pem
deleted file mode 100644
index 6c86277..0000000
--- a/certs/postfix/civett.friprogramvarusyndikatet.se.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFqDCCA5CgAwIBAgIJAJcIUkIy3L+wMA0GCSqGSIb3DQEBDQUAMGQxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4
-MSswKQYDVQQDDCJjaXZldHQuZnJpcHJvZ3JhbXZhcnVzeW5kaWthdGV0LnNlMB4X
-DTE1MTIwMzIxNDgwMVoXDTI1MTEzMDIxNDgwMVowZDEQMA4GA1UECgwHRnJpcG9z
-dDERMA8GA1UECwwIU1NMY2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxKzApBgNVBAMM
-ImNpdmV0dC5mcmlwcm9ncmFtdmFydXN5bmRpa2F0ZXQuc2UwggIiMA0GCSqGSIb3
-DQEBAQUAA4ICDwAwggIKAoICAQC5fYriUyE8wrqD2HAhkQ90j2XZKjDi5t0g0esr
-3FjrHgQ1tQwrN3NKFEBrRSyTLKEhd4FYuvOVeE0HTfrCY9nft1fU+duMbcmtQwYt
-L/cfyZVuw/nNMvOZVzdvJJs8FMndkB+YSsPlN/SgAHH2iVMUAU/KK6MMXaXxF+Oo
-fnTztQwSAMbbJ7sW8t36BPn6Jtua22AZLdrIkUnHxTNbCD3RLkjHXaEPNDA5oHGe
-pNCD3mNS2mTvjC1vlDLwY68mTS9EmfFadDmYSf6atLuhytBNyBMIoelD6w0eZqgM
-4qhhfNCN0imfqeZzTdA7AM5ZkZE5GqtvzQUCnQEVFtu5oZyM2xmPhWkDxTmNTniF
-F973VWbt96xpJi552kttW5+X8gfkgQ64DVV9ooMjaKej3tRVWJREb0jYnCTLdB30
-ondKFbEiKakXmRPG7LAcsQMeLlgsYlEFgUqSlI+vzYR2HNIG64VikmOr7Jtkr1+B
-NrnCiCb20U9MB3JjXTfdnmxiBDnmRP7GjYM8p6LNLFPl84E7Suld+EyZ6f/uawis
-CIvw4eRM+GLAJjNQoiRUUS56UKXUP3kqkN+5xg7tPmmAR71QI7lDL8HqJrpIUJm8
-zpadVBv4FbuXx2vRPv+2KtmrFg4r28YZ0C7PMdiJXUyWVDE76rBmqmD2/IWE8ide
-EmeN3QIDAQABo10wWzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNV
-HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQU0VVpnljlfH41+FiB
-bIfB22bUg6owDQYJKoZIhvcNAQENBQADggIBAE2e5g2rwD2/hBKntDvXhkybxzu5
-pTO55An1wiX+PcpcaeMX8EU7QNKIN5iOtDCRI8cB9SorSVlwzKrekaMpxk3PsGNk
-J+N5eLX1pkY7vzU0nuesqLp+laDb05NwcnKNOAl6/LBwvdq9EcgyM2cTs8RvpkBp
-/xUzF9tsoZoLI3kCg+Q1MODjWxoV3eUIFHaprzqyLegklwZ5hzuzlRnBvNqkfRy0
-YeAdEzbxYc1Kei5eKdm+2kdc1nfvQwBxr32C40Fh3Hmc5UZYIsXU92FOryDiHCjG
-3Oa4oGXCdeYSMb8M6BIZhN5bksmvD4rNa5e8yaI+fGGdJY2khiLwl2SqUH5weqn+
-ndk9AIQAEsn/8W1nvsgZ4ev1Ykq4+c+Ky45waD2++q7aLwThw8jw8m/uO/w4BXZH
-Pl1Y8hUMm0MGAgK7DPduq3tNicRpJDGNwUkK+uirUaePtjlpqN59ovZkW5XP1KyQ
-G0/DBeIdSgKy4fCA4CZJsAK77BlmmZc7uzw+kGVa2gwlz66I0NwCdKm2PnokTx0S
-VZEj2niblViL/XrJLaoUwi1VPBwHvOJPNTuwin9lYqBiERPuKDRyltMIkz5qTGoM
-NUZFv2z3WhjMugqqb8NZ006KqapFSPS4Jl/d9Jp4GRLoik58E7PR93OWoGFcSTJb
-fW795CHmBVQJ2Kgk
------END CERTIFICATE-----
diff --git a/certs/postfix/elefant.fripost.org.pem b/certs/postfix/elefant.fripost.org.pem
deleted file mode 100644
index 9ca9fc9..0000000
--- a/certs/postfix/elefant.fripost.org.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIJAL8cqL9fsGGzMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV
-BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMRAwDgYDVQQLEwdQb3N0Zml4
-MRwwGgYDVQQDExNlbGVmYW50LmZyaXBvc3Qub3JnMB4XDTE0MDcwNzIyMDAzM1oX
-DTI0MDcwNDIyMDAzM1owVTEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NM
-Y2VydHMxEDAOBgNVBAsTB1Bvc3RmaXgxHDAaBgNVBAMTE2VsZWZhbnQuZnJpcG9z
-dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXOCnwAAucpozu
-RkAp1BMHE/BwbmycuKUCazUl4bGViQUpUuklFyCbAAgg7CUz08BrcSO/1GZlKFyZ
-o6MzoYClwKjxG27zx+203oQOYd7NuY7vP4GNHlEsYlYWjq0QpYXsIAU6yZewQP82
-jB6GQqKuQphOrGpuXgMZXFA1fMD3q1UI5ep4RsU7O+rsjvLbiHUfN8A6V8ebAU0X
-Ua+1muTra6SyiBsH9FwxQ9qWCQNgx7xAfw0ZH8BuFYtbf0/sUqtX+rLiVeo/JW9T
-YLVK9ELFAXJ+DAQQZw3Lmaxbt9XXNOV7297csIJTqomDjuBIRknRBZUYRMMllkuo
-ESAi5O3c16M2Y6ho/04TYLimncK56OsRDCCzH7mAOrKVBXPzEBJDCBlDDR3L3lR8
-6mr6nusf86j8vnsk8EiTpfw/5/8fdHXZH2Skrl3Lu0+h74VuszdsY8Xkxocmx+1f
-3ImqA1kYe6owYO0O+CweVFuOY6ReFfdeCzcYGzua0dbdx4MsD9i7XImxDv+o5bI0
-KIFK9JdBz7gDIKOGw7bW+TIMGSguU3/aMvGFnf2Z/ARJMeTzvkflThj206175CJY
-rham1ENlAEk9fDGR08CFCuLQh5ZZxdZ2JnXPAc/P6vQoEHNvYzunDN281hBXAhs8
-eL1MveoN9742D23RQrYmFu6z9V7s0QIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1p
-bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkq
-hkiG9w0BAQ0FAAOCAgEANh6DvVHUaqxkdKOQHITF7243W17YB+VslfscRuJi8b8C
-Z0pQGgqb39VDOIDJv3fykFNOBT1BMow63jq8yrrD9fc++G+InRN/xGouVypGzQ4s
-ogHHiMnPuX2lWVpwLYKtJA1XrejVQpWZg+N1goLk85Y78bMKg64zh+9cMsR71QBp
-PBA9OSgHtPzUiuBhLvH1Nxkyw2/Rnqq3qp2MZyTTRajoGvhfXFxkgTah6YGulDdC
-1j0ASXM1scD7Kuv7hrJZaPRvFBxnwe0UvzL9qSkwoF17IGcpx66TPiBKruVlTrv+
-l2EVWEvat9wYZR6h30glWYKsv9ugq2sM8arx4pRJGemrRucswG3LAlB7fHhtzWe2
-CobCpOyayZ7b3oUT0a2bH1JTFTPNOIDaXZBFlxzgRaK/tPpZi8HzR2JxK8jbGLQa
-7o7h10EQFSpNkcnQcxrMAy3hvUxtwRZGbMP0Q5khSpLnDbca5D9ppg2SVHBIBoFC
-2k1L0Z0N6CrzxaUSL9exevayF2HRNCBtqqmBtfpdFCyrsJex4UbnuBYpxOgWSv2k
-U9ORmi0zG8MTHVdZtFrvvHuk4h0kA996AiG00FIyVnMg6IPTstfSssi+RIkNvDFn
-U5CrCnafSHxed31p10V7HrTr82FKJhN1yZRCZqiq3ipPBSQ2ynb8VNxXEAsmG6w=
------END CERTIFICATE-----
diff --git a/certs/postfix/giraff.fripost.org.pem b/certs/postfix/giraff.fripost.org.pem
deleted file mode 100644
index b9471c5..0000000
--- a/certs/postfix/giraff.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFiDCCA3CgAwIBAgIJAPGdPDU2DXs8MA0GCSqGSIb3DQEBDQUAMFQxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4
-MRswGQYDVQQDDBJnaXJhZmYuZnJpcG9zdC5vcmcwHhcNMTUxMjAzMjE0ODM5WhcN
-MjUxMTMwMjE0ODM5WjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhTU0xj
-ZXJ0czEQMA4GA1UECwwHUG9zdGZpeDEbMBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qu
-b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoMa2XxQ2M79SfMAj
-M+pPF8RIXPmiS86vf6nw1GoIKbOAVpQqWw29j0FHlqiilii6DB+DmjvmSnAfmXN8
-ulpBCqTarlYBejzhYj9s0h3JlzmwuteuDUY8heAbXZzYmqRfDB8cwN5cWfzLqLPP
-4XXPmL+KWx61mfgf0/PtDGSf+P2ylBdGx4LoO2Xs7iDsNAb/fdhK8Vr8axTfYx5z
-gy4hf5RQr9sYHdWveo9z7YVr51eKARaaHsWgXtg8IQnLOoJq2ePcsrs/DTgleGvj
-DnO+hICzWdq0XOOVEY21SCZXF878DJdA2d2MFncn9hIyvazvUFPgEKfUtqvnSduj
-qFOGZgtO2bxM24w32pMiT/R03zQaQL+DFuCNKkBDtpHYeY8jC+/zYTbb8TLjOvj+
-rUghUAEV+YnQCVsXJ9rFVRNzYY7vZp1lvfXO4MBiD0NA7vC7VVVaxeiiH8BDpbFi
-jAHAHPw/fWQYSo14GwEwXPqj+uvAmiZAqETGMxpSdLH6X5eg+IcuBR0g0CtRbmM8
-APjJacf7rncYIzc+t2n0Y0F/5n+JiIMisHnDwE+81mMv7EU4kvoOyn3oHIXMIyot
-+JiDpSOACbfqtyhvi2Mjx1aXNgMC842wOmJfsLs2o9skEy6DeJeNvqijJb2wrSBx
-m4txm2ZwI7FdA7sgJX01ANlC1mUCAwEAAaNdMFswHAYDVR0RBBUwE4ERYWRtaW5A
-ZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAqQwHQYDVR0O
-BBYEFHVU0ktdfSXuZsHcHBYzDXburCRHMA0GCSqGSIb3DQEBDQUAA4ICAQCKidoO
-Z5nCg24DTFBsG5fs8fTRXpuvS6n6LFeF3EFBcviw/UQ33IzTcXKmuG+jSWNZvD1m
-KPYVpaGGkjVyygHrhIruJM4UTNyKveeqGUJzehh3uafdcj6UYmVKgZOw4WfrFQEs
-+dLq4PUww3x+6eHgHbpyLuLU1mJgzaCOYWNhqnnKBIivkUitsi2CnX1bspw9LPo5
-xx2s0/x/OLB7gPDzGwLypILUNfB15K8YBQ5nI7d7NNQRZ+VY//feAqJF4PUeaHG5
-ac97aWO/eJtsFdhzpMXgpsdCG0nIFfAgxP6RaOfaaOwSOW2XSHXw1ULiSG6xUvy8
-rYDdaM5ru92ZjIkCFaJ2RXnHMPRfFEbJi4Ukmz4KJG6DPqTnb/mRgQUWIFOUBPPp
-Y7uwH8FXmCUsWu7bBDf1YmSF2XrTdhrY6lX4b+ybFuCmHnvRcD4DWyUFwgP91nf+
-2o9MpQwJuVnHWuDF+WOwrqW7bq4M8GyUkeFZna7Sld+tQJUOlmYTURtbXH2lLue2
-h3xS3jBF4IfichrcMsMPE6rrH06PO7+es2q7vV7BjH3g8gF0uBo+LQdJol8KFCNt
-kn057HZjHs+c+npdxyoYc5BdUcyERONOEzZI1j2W0Q1JiQsnAnSKd3+eb0Ddivrf
-vrUWE8sMZpPaVwUv3yaniORcv6K2sgv253WyuQ==
------END CERTIFICATE-----
diff --git a/certs/postfix/mistral.fripost.org.pem b/certs/postfix/mistral.fripost.org.pem
deleted file mode 100644
index 4c3dd97..0000000
--- a/certs/postfix/mistral.fripost.org.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIJAKKDwe2yT1pHMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV
-BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMRAwDgYDVQQLEwdQb3N0Zml4
-MRwwGgYDVQQDExNtaXN0cmFsLmZyaXBvc3Qub3JnMB4XDTE0MDcwNzIyMDIxMloX
-DTI0MDcwNDIyMDIxMlowVTEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NM
-Y2VydHMxEDAOBgNVBAsTB1Bvc3RmaXgxHDAaBgNVBAMTE21pc3RyYWwuZnJpcG9z
-dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDFONsB9ygKq7Hl
-hk15jjab0UQGibEMSfypX+qsaCjPjPQ3HAlmKLD7jsRe6dppIO36syyAfOBi5GM8
-LpA67FPZzVrpUHsIaqA7oRLu6QSr7xjWwwJYslT1IodEhMH8ozaH98ksAHyigatH
-BhyyfOm569Kb/kopaKCsaOepSedWvxU1Nl0XMokZzvDAQDhdSbXpdBWtw+jnxKBe
-M5zBhLzo+OgkPyLO+FhFL7OZbvFq3UeucChBabCj/tlQHroBKCkWLJBC5GeRfKKy
-gH/VQGuZT7jZ85Mn48uj62IvqCp2ej2bBKV5zKXecMnt1YkyNtmF3UQKkXS55Q+m
-YzLKBvbIMTgrinGnF3jMTHlNfOkYkZbBIjKKpOGHmQPJWpoAPM9T+tGjgH151nEg
-p7TT/oiQifgbJ6Y7IrapjeZX0mVrVNl/kHmgNx63BG3XuVLgbYh4Goz/7Vi1DbA4
-C5Kxi9Cae73HRMTc+VPrmALYdDN3YkU7RlP3kqkUgcbDCd9Y1IZHWITfix11/RjL
-7Hmq7Fwysd5G8d6RBGjWk1SLi8qzyQnfyzOeMWyNcgQs94lGybFRG4rSK3LsILLO
-bYg5hRtealnUvmLmb88LH5P/D6zOUpH0S90U2+QC2NrzbmBeaDR5BkhiSTkN4EN8
-3japdWoYc9Bvrb7VVIpTha5EQYDDkwIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1p
-bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkq
-hkiG9w0BAQ0FAAOCAgEAC/IUsyBPyLmLj89nYLWS/rQLWSVjKsPrFS75Amztd67M
-hcyBo1Ed2t3zjEviBod96in4oPX+NE5pzbh19YSstaIb+ZPPtF8GtJvYSPCDJjus
-DyzoEWvaoCdzeH+em1xaYSAfxomwqjcO04iwE4AMPQM4P52416csGhmmftMblE2Q
-tkT6lh2v0gE4a1mtovDTLeZV5L3SHziXWabi50D+Bpl4pScNjavswZ/ZZTXIw0y2
-ABq77SkEFqefQkWgWwVER4D0vX7+SdqYRewXal7HdTxJx2DUG0khndmgTuVrEY3g
-oKf6T4CnXWgJ+IOfbIZ48ZTDsOvwvwq7l7Wo4tadju3o/xZgFOLId083L3forgf6
-7bU3rcEF6oDu8vsnWGYN0SgDxA12RoOwaO2PaObk4XhQrgIrYjBPREjMXfSyN3zU
-1wziqVhgSNtmxOHYbAhMLruMM+6LMNv1+FbG6gxb2LtwwvMPLCB1J0imKko12WMG
-/pj4B7LU4dkzJodtUpIQ9LgShJvXC8Juiz5tWXjymWC9I/LpgLk4Ky6i7bcYBpjh
-SlN30WGfECh9JzGNMhKi6ZErF0W4cvI+iSUB2eQtJd+8Py6Z+ICTUFpfPNqXrU2m
-9qnsueDS6DZgFfxioq3jvIOOwOo7W1/78o+qVDaRGyMLqJWifPVTQgpHFqKScpk=
------END CERTIFICATE-----
diff --git a/certs/postfix/smtp.fripost.org.pem b/certs/postfix/smtp.fripost.org.pem
deleted file mode 100644
index 2f97708..0000000
--- a/certs/postfix/smtp.fripost.org.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFUjCCAzoCCQCy2XbMAN1DeTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJT
-RTEQMA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210
-cC5mcmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcw
-HhcNMTQwNDA3MjMyMzMwWhcNMjQwNDA0MjMyMzMwWjBrMQswCQYDVQQGEwJTRTEQ
-MA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210cC5m
-cmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/TboO8u6v8rVtrkI8kDZ4mdxM
-5uyIPR2HODYIdMSj2YHmLohzITyysFNLpAVHOATnRkqLxhmX2zZ+Eu3uCE/kOfdR
-fVNEvnSksFSCFXjqx666k7ABtyNHOVqali2HO62JDs837EPEOnF5oVapIUExse29
-POfBDGf18ArDGgd2Tl2DLDiojZYHh1pOsFhKcsks3OOdE109BG6C9S9ZlFBz0PW/
-s9ESEicP9KsqTpIRyd8OU3x8S0p+MDudu5NJjRG+Vlk6uJ2ApC68EowuIx/h7zbp
-GEBG71GWb3OjlahOsf/EfKf/vHgkK8+CUWW1FGlvznoeS8R/fgUxRTh6+NXiSJGU
-5Eq/wez/hYnotQWBExb42tUBcZbFh6FtD1FU7QNYwALHjV0aSx6leIgkGGWeUgJc
-7o8OtDUX5QiY0Xe0s3g6qLFMGgXsfUA4IWjmOknFUA5CtJhDT5uMQLO/jF0tvugi
-wTaBxpIjYDATfA1JeEB7+cfh9Jw5Q5XmydLUoLdT7Nut8e2NjYyN9izguPBf+Rzk
-gUJZFeB+CEV62lMNWWENqgunjVXicolQ4WdWETYQWzUvVyFvR1RWVkOVw+1Wt6zU
-Vbb3t1b2avnzvp4j92pTImJUgTLLRI5QE3bzD9MMDQSH6s7/dBltGIJeepDHB07H
-yleUc/j6IdbfH5dfNwIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAFcW7ZYxsSuv3u
-EbCa8NQ+HjecVHD8Spz4ofBZ9R0uON2VI++dz1mBdZE3udoxBt/Nj3U/YnlVToal
-W/dYGusuKQFIATiB9MFXUDl1gfKaqcyrCZUxGpi1OXOa27WPbiRiQMnBYNkD1p3D
-cz28XGQ78DswRER4eFn+76pOjqFxkxEe0Ww1oPvu+in23OWgTVTWP/6Opp6Y/epN
-XkbHKiH9OXe2StYnlXD7P89w07fXaBNfDT5vLC9PDgYJk7wN76AaqwK/ZKFithSx
-oT60db1n+fhaMC2U1R64L2clLpSrZ3lvXRplcsdII/06d+ysJn7hLV9IUca9AMoP
-Px2KIyHgp5U6VtFF6UOLBl9+BUd0zzArSh9CJnXG88+CplGN51Fv2dPqzdno1XSg
-ShbJ1onYonLbDaPG4i0LD3KyIX6ep5eU+KZZtcHwTbzKAQ/ySu5nqx2DAJbalJmj
-9qz/zfOuZMJGDuN+iHCnqyxGoC/hB20IreGHfGS4XmJDkZ3zzqjJjBV32XeZ3Sx6
-odMnwO4mLjyb1Az/C/rwCrVG3nrZQhmD/H+juJVI/cinocJtQoPPq3zPx+GxQUxe
-smR7bY7EMaTt+9EelIGmp65jEGrr+OVhZ3NudwWQyC242SMiOq+JpVRuefp+mtAN
-UGGTaC4MdXJIwWZTakrnhkgTp4uqrA==
------END CERTIFICATE-----
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 6dec897..ced15cc 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -25,21 +25,6 @@
- recipient_canonical.pcre
- transport
-- name: Copy the Postfix relay clientcerts map
- template: src=etc/postfix/relay_clientcerts.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
-- name: Compile the Postfix relay clientcerts map
- postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 6c0b024..faf17de 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -17,7 +17,10 @@ myhostname = mda{{ imapno | default('') }}.$mydomain
mydomain = fripost.org
append_dot_mydomain = no
-mynetworks_style = host
+mynetworks = 127.0.0.0/8, [::1]/128
+{%- if groups.all | length > 1 -%}
+ , {{ ipsec_subnet }}
+{% endif %}
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
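Review bot: `permit_mynetworks` now trusts every source address in `{{ ipsec_subnet }}`, so the peer authentication that `permit_tls_clientcerts` used to provide rests entirely on the IPsec policy and on the firewall refusing cleartext packets that merely claim an address in that subnet, and nothing in the template records that assumption. I would put above the new `mynetworks` line `# hosts in $ipsec_subnet are trusted: the listener binds to the IPsec address (master.cf) and the IPsec policy is expected to require ESP for that subnet; do not widen this list without checking the policy`. The `groups.all | length > 1` guard silently leaves a single-host inventory with loopback only, which is worth a word in the same comment. The same addition appears in roles/lists/templates/etc/postfix/main.cf.j2.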
@@ -56,21 +59,8 @@ recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
# Don't rewrite remote headers
local_header_rewrite_clients =
-
-relay_clientcerts = cdb:$config_directory/relay_clientcerts
-smtpd_tls_security_level = may
-smtpd_tls_ciphers = high
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
-smtpd_tls_session_cache_database=
-smtpd_tls_received_header = yes
-smtpd_tls_ask_ccert = yes
-smtpd_tls_session_cache_timeout = 3600s
-smtpd_tls_fingerprint_digest = sha256
-
+smtp_tls_security_level = none
+smtpd_tls_security_level = none
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
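Review bot: `smtpd_tls_security_level = none` turns STARTTLS off for this instance's listener, so confidentiality and peer authentication on the MX → MDA hop now depend solely on the IPsec tunnel, and a later reader could "fix" the missing TLS or move the listener off the IPsec address without realising what they are undoing. Suggest a comment above the two new lines, `# No TLS on purpose: this instance only talks to peers over IPsec (see mynetworks and master.cf)`. The same replacement is made in roles/lists/templates/etc/postfix/main.cf.j2, roles/common/templates/etc/postfix/main.cf.j2 and roles/out/templates/etc/postfix/main.cf.j2.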
@@ -78,7 +68,6 @@ disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
- permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
@@ -93,7 +82,6 @@ smtpd_sender_restrictions =
smtpd_relay_restrictions =
reject_non_fqdn_recipient
permit_mynetworks
- permit_tls_clientcerts
reject
smtpd_data_restrictions =
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 838135a..3c040b0 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -36,11 +36,7 @@ message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal outgoing proxy
-{% if 'out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
+relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
relay_domains =
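Review bot: `postfix_instance.out.addr | ipaddr` renders as `False` instead of failing when the value is not a valid address (Ansible's ipaddr filter returns False for non-address input), so a typo in the inventory yields `relayhost = [False]:<port>`, a file that templates cleanly but never delivers. Either drop the filter, since a missing key already raises an undefined-variable error, or validate the `addr` values once with an `assert` task (`that: postfix_instance.out.addr | ipaddr`) before the templates are rendered. The same expression is used in roles/MX/templates/etc/postfix/main.cf.j2, roles/MX/templates/etc/postfix/virtual/transport.j2 and roles/common/templates/etc/postfix/main.cf.j2.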
@@ -57,21 +53,7 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre
# TLS
-{% if 'out' in group_names %}
smtp_tls_security_level = none
-smtp_bind_address = 127.0.0.1
-{% else %}
-smtp_tls_security_level = encrypt
-smtp_tls_ciphers = high
-smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
-smtp_tls_fingerprint_digest = sha256
-{% endif %}
-
smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index a5caf46..718be00 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -36,11 +36,7 @@ message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal outgoing proxy
-{% if 'out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
+relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
relay_domains =
@@ -73,21 +69,7 @@ reserved-alias_destination_recipient_limit = 1
smtp_data_done_timeout = 1200s
-{% if 'out' in group_names %}
smtp_tls_security_level = none
-smtp_bind_address = 127.0.0.1
-{% else %}
-smtp_tls_security_level = encrypt
-smtp_tls_ciphers = high
-smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
-smtp_tls_fingerprint_digest = sha256
-{% endif %}
-
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
index 49f3696..126cb72 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -17,14 +17,5 @@
reserved.fripost.org reserved-alias:
discard.fripost.org discard:
-{% if 'LDA' in group_names %}
-mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }}
-{% else %}
-mda.fripost.org smtp:[mda.fripost.org]:{{ postfix_instance.IMAP.port }}
-{% endif %}
-
-{% if 'lists' in group_names %}
-sympa.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }}
-{% else %}
-sympa.fripost.org smtp:[lists.fripost.org]:{{ postfix_instance.lists.port }}
-{% endif %}
+mda.fripost.org smtp:[{{ postfix_instance.IMAP.addr | ipaddr }}]:{{ postfix_instance.IMAP.port }}
+sympa.fripost.org smtp:[{{ postfix_instance.lists.addr | ipaddr }}]:{{ postfix_instance.lists.port }}
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index 092334f..6f690e6 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -36,37 +36,6 @@
notify:
- Reload Postfix
-- name: Create directory /etc/postfix/ssl
- file: path=/etc/postfix/ssl
- state=directory
- owner=root group=root
- mode=0755
- tags:
- - genkey
-
-- name: Generate a private key and a X.509 certificate for Postfix
- command: genkeypair.sh x509
- --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
- --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key
- --ou=Postfix --cn={{ ansible_fqdn }}
- -t rsa -b 4096 -h sha512
- register: r3
- changed_when: r3.rc == 0
- failed_when: r3.rc > 1
- notify:
- - Restart Postfix
- tags:
- - genkey
-
-- name: Fetch Postfix's X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
- dest=certs/postfix/{{ ansible_fqdn }}.pem
- tags:
- - genkey
-
- name: Add a 'root' alias
lineinfile: dest=/etc/aliases create=yes
regexp="^root{{':'}} "
@@ -81,25 +50,8 @@
- name: Delete /etc/aliases.db
file: path=/etc/aliases.db state=absent
-- name: Copy the Postfix TLS policy map
- template: src=etc/postfix/tls_policy.j2
- dest=/etc/postfix/tls_policy
- owner=root group=root
- mode=0644
- when: "'out' not in group_names or 'MX' in group_names"
- tags:
- - tls_policy
-
-- name: Compile the Postfix TLS policy map
- postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb
- owner=root group=root
- mode=0644
- when: "'out' not in group_names or 'MX' in group_names"
- tags:
- - tls_policy
-
- name: Start Postfix
service: name=postfix state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
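Review bot: Dropping the tls_policy tasks leaves the previously deployed `/etc/postfix/tls_policy` (and presumably its compiled `.cdb`) and the per-host key pair under `/etc/postfix/ssl` in place on existing machines, and the templates `etc/postfix/tls_policy.j2` and `etc/postfix/relay_clientcerts.j2` are not removed by this commit (the diffstat lists no template deletions), so the repository keeps dead configuration that still looks authoritative. I would add a cleanup task here, as below, and delete the two templates. Separately, the key-generation task removed in the previous hunk was the only visible producer of `/etc/postfix/ssl/{{ ansible_fqdn }}.pem` and `.key`; if the MSA or MX `smtpd_tls_cert_file` (outside these hunks) still points there, freshly provisioned hosts will start Postfix without a certificate, which is worth confirming before merging.
```yaml
- name: Remove the obsolete Postfix TLS policy map
  file: path={{ item }} state=absent
  with_items:
    - /etc/postfix/tls_policy
    - /etc/postfix/tls_policy.cdb
# … unchanged: Start Postfix task …
```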
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 247f98a..2def27f 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -26,31 +26,14 @@ out tcp 636 # LDAPS
{% endif %}
{% if 'MX' in group_names %}
in tcp 25 # SMTP
-{% if 'MDA' not in group_names %}
-out tcp {{ postfix_instance.IMAP.port }}
-{% endif %}
-{% if 'lists' not in group_names %}
-out tcp {{ postfix_instance.lists.port }}
-{% endif %}
{% endif %}
{% if 'out' in group_names %}
-{% if groups.all | difference([inventory_hostname]) %}
-in tcp {{ postfix_instance.out.port }}
-{% endif %}
out tcp 25 # SMTP
-{% else %}
-out tcp {{ postfix_instance.out.port }}
{% endif %}
{% if 'IMAP' in group_names %}
in tcp 993 # IMAPS
in tcp 4190 # MANAGESIEVE
{% endif %}
-{% if 'MDA' in group_names and 'MX' not in group_names %}
-in tcp {{ postfix_instance.IMAP.port }}
-{% endif %}
-{% if 'lists' in group_names and 'MX' not in group_names %}
-in tcp {{ postfix_instance.lists.port }}
-{% endif %}
{% if 'MSA' in group_names %}
in tcp 587 # SMTP-AUTH
{% endif %}
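Review bot: The `in tcp {{ postfix_instance.*.port }}` rules are removed without a replacement, so the inter-instance SMTP ports must now be admitted by IPsec-aware rules elsewhere that this diff does not show; if the general filter merely allows ESP plus any traffic from the IPsec subnet, a cleartext packet with a spoofed internal source would reach the listeners that no longer offer TLS. The safe shape is to accept those ports only for packets that were decapsulated by IPsec (iptables `-m policy --dir in --pol ipsec`), and a comment in this template pointing at where that happens would make the dependency visible, e.g. `# SMTP between Postfix instances is reachable only through IPsec; see the IPsec rule set`. The `groups.all | difference([inventory_hostname])` guard that previously kept a single-host deployment from opening the out port disappears with the rule, which is fine only if the IPsec rules have an equivalent.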
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 3f36418..8caaa82 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -30,32 +30,11 @@ virtual_alias_maps = cdb:/etc/aliases
alias_database = $virtual_alias_maps
# Forward everything to our internal outgoing proxy
-{% if 'out' in group_names %}
-relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
+relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
relay_domains =
-{% if 'out' in group_names %}
-smtp_tls_security_level = none
-smtp_bind_address = 127.0.0.1
-{% else %}
-smtp_tls_security_level = encrypt
-smtp_tls_ciphers = high
-smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtp_tls_cert_file = $config_directory/ssl/{{ ansible_fqdn }}.pem
-smtp_tls_key_file = $config_directory/ssl/{{ ansible_fqdn }}.key
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_policy_maps = cdb:$config_directory/tls_policy
-smtp_tls_fingerprint_digest = sha256
-{% endif %}
-smtpd_tls_security_level = none
-
-# Turn off all TCP/IP listener ports except that dedicated to
-# samhain(8), which sadly cannot use pickup through the sendmail binary.
-master_service_disable = !127.0.0.1:16132.inet inet
+smtp_tls_security_level = none
+smtpd_tls_security_level = none
{% set multi_instance = False %}
{%- for g in postfix_instance.keys() | sort -%}
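Review bot: Removing `master_service_disable = !127.0.0.1:16132.inet inet` re-enables every `inet` entry that master.cf declares for the default instance, not only the samhain listener the deleted comment described; the listener change in roles/common/templates/etc/postfix/master.cf.j2 only touches the per-role instances, so whether the default instance now exposes an `smtp inet` service depends on the rest of that template, which is outside this diff. If the default instance is meant to stay reachable through sendmail(1) only, keep the setting, or replace it with `inet_interfaces = loopback-only` and say why, e.g. `# the default instance has no network-facing listener`.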
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 9a07dfd..c2ee395 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -23,8 +23,7 @@ cleanup_nochroot unix n - n - 0 cleanup
{{ postfix_instance.MSA.port }} inet n - - - - smtpd
-o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% elif inst in ['IMAP', 'out', 'lists'] %}
-{{ postfix_instance[inst].port }} inet n - - - - smtpd
- -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd
{% endif %}
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
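Review bot: `[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }}` uses the raw `addr` value while every main.cf template in this commit passes it through `| ipaddr`; keeping the two consistent avoids a listener line that could differ from the `relayhost` and transport targets that point at it. Binding the listener to the IPsec address is what makes `smtpd_tls_security_level = none` acceptable, so that deserves a comment on this line, e.g. `# bind to the IPsec address only: peers are authenticated by the tunnel, not by TLS`. Dropping the `-o tls_high_cipherlist` override is consistent with TLS being disabled.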
diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml
index 6678c52..a7c8bd6 100644
--- a/roles/lists/tasks/mail.yml
+++ b/roles/lists/tasks/mail.yml
@@ -22,21 +22,6 @@
mode=0644
# no need to reload upon change, as cleanup(8) is short-running
-- name: Copy the Postfix relay clientcerts map
- template: src=etc/postfix/relay_clientcerts.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
-- name: Compile the Postfix relay clientcerts map
- postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 397f759..933d540 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -17,7 +17,10 @@ myhostname = lists.$mydomain
mydomain = fripost.org
append_dot_mydomain = no
-mynetworks_style = host
+mynetworks = 127.0.0.0/8, [::1]/128
+{%- if groups.all | length > 1 -%}
+ , {{ ipsec_subnet }}
+{% endif %}
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
@@ -48,21 +51,8 @@ sympa_destination_recipient_limit = 1
# Don't rewrite remote headers
local_header_rewrite_clients =
-
-relay_clientcerts = cdb:$config_directory/relay_clientcerts
-smtpd_tls_security_level = may
-smtpd_tls_ciphers = high
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
-smtpd_tls_session_cache_database=
-smtpd_tls_received_header = yes
-smtpd_tls_ask_ccert = yes
-smtpd_tls_session_cache_timeout = 3600s
-smtpd_tls_fingerprint_digest = sha256
-
+smtp_tls_security_level = none
+smtpd_tls_security_level = none
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
@@ -70,7 +60,6 @@ disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
- permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
@@ -85,7 +74,6 @@ smtpd_sender_restrictions =
smtpd_relay_restrictions =
reject_non_fqdn_recipient
permit_mynetworks
- permit_tls_clientcerts
reject
smtpd_data_restrictions =
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 0b68c83..96a557d 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -12,21 +12,6 @@
notify:
- Reload Postfix
-- name: Copy the Postfix relay clientcerts map
- template: src=etc/postfix/relay_clientcerts.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
-- name: Compile the Postfix relay clientcerts map
- postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
- meta: flush_handlers
- name: Start Postfix
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 98c0185..235b866 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -51,20 +51,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-relay_clientcerts = cdb:$config_directory/relay_clientcerts
-smtpd_tls_security_level = may
-smtpd_tls_ciphers = high
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
-smtpd_tls_session_cache_database=
-smtpd_tls_received_header = yes
-smtpd_tls_ask_ccert = yes
-smtpd_tls_session_cache_timeout = 3600s
-smtpd_tls_fingerprint_digest = sha256
-
+smtpd_tls_security_level = none
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
@@ -77,7 +64,6 @@ unverified_recipient_reject_code = 550
smtpd_client_restrictions =
permit_mynetworks
- permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
@@ -94,7 +80,6 @@ smtpd_relay_restrictions =
reject_unknown_recipient_domain
reject_unverified_recipient
permit_mynetworks
- permit_tls_clientcerts
reject
smtpd_data_restrictions =