author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-10 05:13:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-10 05:14:29 +0200 |
commit | bf960a066466d7719ada8fe7bc3dec99d237b88a (patch) | |
tree | 5a66a7bbdc5dcf30efdfc50215e86d05cf112e46 | |
parent | d6ff0c078e6d70e50c888e016a8a8b9b0d8d7782 (diff) |
Route all internal SMTP traffic through IPsec.
20 files changed, 22 insertions, 460 deletions
diff --git a/certs/postfix/antilop.fripost.org.pem b/certs/postfix/antilop.fripost.org.pem deleted file mode 100644 index bf51a71..0000000 --- a/certs/postfix/antilop.fripost.org.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFijCCA3KgAwIBAgIJAJ7uWvUKTBNYMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MRwwGgYDVQQDDBNhbnRpbG9wLmZyaXBvc3Qub3JnMB4XDTE1MTIwMzIxNDY1MFoX -DTI1MTEzMDIxNDY1MFowVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM -Y2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxHDAaBgNVBAMME2FudGlsb3AuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDywIWldXJuXlb5 -wox0v9z8EAubIzCJzFHJ2THS08UrbddoqrK+ZzoTvXGqPnKGrDBu5fO7X4jtwxxc -r2ordUbRGL7V8RyHKNTv3fiQTyG2TGPjfRWFM3132V2/UfGcgKJ7mGAU66tRw0pn -S7MVcR4ydbH9RmxBZHixYRnp3GXVvyfQzpMs8/rGAc5gUYzTP+rQ8CinPTi5m+6B -84Hk0iSIc6q8CrZphzB0wu5hP5CVO2p1MCewbBTbxwZWETZWG9Lvi1qqEBSfZg0Q -eO9KtJ4nhPaRVE3bwE7WMU01/PrlyB4mxvTDRx4vev3BwJGprMSCCAFDsY1Z6f2d -vVdCzw9kclZ2HjS8jtQrsbfkD7MG+3yH03kkDGvkVtNERGdXJZLult+HlG6ct86x -kdnucQLyCWLzYwJLG3niuRqx6TkvlWes4Ki5LqWfuo5i/pVbMgIVCsvtTOomg8oX -DFFiJr5nLTmyM9+Ed2irxgfZQvqA5F+hH9de0IbrWoA93LI+c4UibtM8mzxO92Xq -FEbEOzKSHd3xmE00SJMyuXfi68YS8tMuL36gZrI0A+TOOqmgvFl7HIiTCTZm6kXe -trJryZ2jzDgVO/fT9153g7x3cUVwYo22SaY4uCaqc2itznFxYmusFbQTnbVcKSld -3zBBZSixoRglUsT6Dzw8MvsgL5MDWwIDAQABo10wWzAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNV -HQ4EFgQUSxJXkZW0jiUsORgOclClxQr5FAcwDQYJKoZIhvcNAQENBQADggIBADja -PwJDx/YYrzf8KTPDo3FfThVYJ4CviTK6EX9FCe4mV7bPRqvQEl0S3QJ1HYAw630H -9nD7cBxXb1DwKEZ7s5zJ8fDRhwcOlFTCeGnzdlutPcmCKbHIfP7af5or0aluesyT -qfeP5TqAsUfa15EuiGxqrANA6IOah6EDlZdGBlo/EkCM1hqMrWJkABy8KuedOGqA -fXgzzdzVsMfOWOmXTnhsUw/9976hgTUvGBbGXcZ5qCi46HRs0ju7XGOYe0p8ODRO -0LOCD/eSyyZapZFeDWKFuirq9xYsWAfxJXp8qBqK+emTqnknGGKer6oPW5bHDlLx -JAtWDZXYsdA3CqrMI3yNgZ59MrxCkAcSVdG1fRG7xzD0uubyjnTC6d0TxBbOHkOo -73Xm6y54b9a69ysl6qWexUYY8nfPrBEzorUmYg6jTz8bGrjuq4pTjhsdthO9mfNH -uAuGuVEfh077OBCbH8aZzkObnd6bwJ3203rFqEDZgFoTFtR2Yc226RaoN4YvgwXi -sqEXE7on7WpTUozLGkpwlIkx8HnassUWxzDbvr76vc14sM6haQ67SK8ca/i4qELd -u12/7NVb8V107sqTPEtWLBQkr/9P4owPRgiu9G8cZ9+bhChpUMk+YrAycu60lBI+ 
-M+Bh888MoRPfA5vClWejauawJXKhkaTRkPeTZNex ------END CERTIFICATE----- diff --git a/certs/postfix/benjamin.skangas.se.pem b/certs/postfix/benjamin.skangas.se.pem deleted file mode 100644 index fe52149..0000000 --- a/certs/postfix/benjamin.skangas.se.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFijCCA3KgAwIBAgIJAKbGm+B95GSyMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MRwwGgYDVQQDDBNiZW5qYW1pbi5za2FuZ2FzLnNlMB4XDTE1MTIwMzIxMzMyM1oX -DTI1MTEzMDIxMzMyM1owVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM -Y2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxHDAaBgNVBAMME2JlbmphbWluLnNrYW5n -YXMuc2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDMQjaGYOUBYNy2 -lRyNXGUu6R95HD7GWS4drfqvzNmGoCguIgCI3G4HdRwiqDmaBBVpRBJkGBqInOgm -uIMEWvVagIDw4hndh8BNj3GQY0qLrkOOcX5kv3faWKj6EYyVuNr0o1YOWq80K3il -FpYELCvpywgTnT7J/j2QE83cILaOTxVHGlsnetpIQKCm8eqc/LWS1oqcyFauuw8V -IqVgYPkCXM29mnpc7ZpJC3mCfYc+TOOp1W0CVmpi1XQRnzGvdM9LDp0XJSMoRJlh -260AvyOXusG/f96qIEniL4MqiVZm/YbAPIzGXnouzB1c4m9D/BADfX9WB5sjhXVw -Ir2X5nKts9oCziD7nc14UXf6YRpZS9dkJ1vgKSe9r32hYdPC/Y3855iAhdCPSk9x -Efb8PUUrVuyzT6tg0z10gLSuUQnJfzklHKJc3EFnbAf9oMTZXr8xfmKPu6BKAz0Z -kYppcUGE2DGuDFWKegduRzDT+GSAaOt/GWQ/yxgXPkah+bw1P4poFMa1AvGulBi3 -gAkqXMfN6lV6r7HY1Z/is1G0w4Z88x5Q6Vm4DYsnNdThFGxGENqxKqv9e4et8OrC -dj/adKilR3d6sDnx11HaC0Z4BwnQtWM6BxMpu0BtGNWQpF/HcVLGPq0foNgbTde9 -/jwIEaEEX1DDyQeSHIZ9h4jB6ZlvIQIDAQABo10wWzAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNV -HQ4EFgQU2Cyd45hFuVYkzWL11zNAV2X3pzcwDQYJKoZIhvcNAQENBQADggIBAC1x -Uwa5zH/abkkirRfzr/6KTRcr3aoSKdHaF6oBq32wNiZ3WmHBMCDzhk/1SSDkqhB8 -i8hnwoYDXUeIqCH4l/GGFHUe6cWjabJFcZQ8wYr5QK1YEH8asV3V8XruIMUDBbZ1 -rR915VHaoWynX7FeXa722LraCodCuLJoLPbEok1HGkAP+dd80qZb8oqEDgnMHGHp -cLjgP66bBiTSSP/rh8ODM8Dzt8sYY3NFl0bze9H5rWD4jAiRCAzJLtzgpmEiClLS -Scb6s5NbUWV7XgmIt7Zan8SzsTKTQiOt87GW1s3bVzq8e4EYKCJmifEzqcdt5an/ -NSgkNLPMvdb3DUAuh0h0UCUiTngSkGAZqw//CtcbGfRVm0MS/n48iR0Rg1DARK54 -+iINKtIgE6aIIB14s65ZgDG7xwtn8gmToya++x7f458dNh4HtjB1ZXUlZs7oiZTh -24aMhP6im92rAgnpBaeTZkXJAi9ryWCJ7QIVP41fUECCBeN7XBZVMzdvsjKjYghl -0i5ukvjnatwH7d9Wd+UMEKsXr6N87Tezzj8w0yssf3TiBFT75fUbpW8x6hsllMaW -LFaue/LwXPWpGpKnHh1S7y9/nluAS0gml0zlXBpu1gR/l4rdRnrq8bcR89pMbBA8 
-jcMWl+sS6U7XWVCLK0JWr1kZie0ZDRbGKac8tULy ------END CERTIFICATE----- diff --git a/certs/postfix/civett.friprogramvarusyndikatet.se.pem b/certs/postfix/civett.friprogramvarusyndikatet.se.pem deleted file mode 100644 index 6c86277..0000000 --- a/certs/postfix/civett.friprogramvarusyndikatet.se.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFqDCCA5CgAwIBAgIJAJcIUkIy3L+wMA0GCSqGSIb3DQEBDQUAMGQxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MSswKQYDVQQDDCJjaXZldHQuZnJpcHJvZ3JhbXZhcnVzeW5kaWthdGV0LnNlMB4X -DTE1MTIwMzIxNDgwMVoXDTI1MTEzMDIxNDgwMVowZDEQMA4GA1UECgwHRnJpcG9z -dDERMA8GA1UECwwIU1NMY2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxKzApBgNVBAMM -ImNpdmV0dC5mcmlwcm9ncmFtdmFydXN5bmRpa2F0ZXQuc2UwggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQC5fYriUyE8wrqD2HAhkQ90j2XZKjDi5t0g0esr -3FjrHgQ1tQwrN3NKFEBrRSyTLKEhd4FYuvOVeE0HTfrCY9nft1fU+duMbcmtQwYt -L/cfyZVuw/nNMvOZVzdvJJs8FMndkB+YSsPlN/SgAHH2iVMUAU/KK6MMXaXxF+Oo -fnTztQwSAMbbJ7sW8t36BPn6Jtua22AZLdrIkUnHxTNbCD3RLkjHXaEPNDA5oHGe -pNCD3mNS2mTvjC1vlDLwY68mTS9EmfFadDmYSf6atLuhytBNyBMIoelD6w0eZqgM -4qhhfNCN0imfqeZzTdA7AM5ZkZE5GqtvzQUCnQEVFtu5oZyM2xmPhWkDxTmNTniF -F973VWbt96xpJi552kttW5+X8gfkgQ64DVV9ooMjaKej3tRVWJREb0jYnCTLdB30 -ondKFbEiKakXmRPG7LAcsQMeLlgsYlEFgUqSlI+vzYR2HNIG64VikmOr7Jtkr1+B -NrnCiCb20U9MB3JjXTfdnmxiBDnmRP7GjYM8p6LNLFPl84E7Suld+EyZ6f/uawis -CIvw4eRM+GLAJjNQoiRUUS56UKXUP3kqkN+5xg7tPmmAR71QI7lDL8HqJrpIUJm8 -zpadVBv4FbuXx2vRPv+2KtmrFg4r28YZ0C7PMdiJXUyWVDE76rBmqmD2/IWE8ide -EmeN3QIDAQABo10wWzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNV -HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQU0VVpnljlfH41+FiB -bIfB22bUg6owDQYJKoZIhvcNAQENBQADggIBAE2e5g2rwD2/hBKntDvXhkybxzu5 -pTO55An1wiX+PcpcaeMX8EU7QNKIN5iOtDCRI8cB9SorSVlwzKrekaMpxk3PsGNk -J+N5eLX1pkY7vzU0nuesqLp+laDb05NwcnKNOAl6/LBwvdq9EcgyM2cTs8RvpkBp -/xUzF9tsoZoLI3kCg+Q1MODjWxoV3eUIFHaprzqyLegklwZ5hzuzlRnBvNqkfRy0 -YeAdEzbxYc1Kei5eKdm+2kdc1nfvQwBxr32C40Fh3Hmc5UZYIsXU92FOryDiHCjG -3Oa4oGXCdeYSMb8M6BIZhN5bksmvD4rNa5e8yaI+fGGdJY2khiLwl2SqUH5weqn+ -ndk9AIQAEsn/8W1nvsgZ4ev1Ykq4+c+Ky45waD2++q7aLwThw8jw8m/uO/w4BXZH -Pl1Y8hUMm0MGAgK7DPduq3tNicRpJDGNwUkK+uirUaePtjlpqN59ovZkW5XP1KyQ -G0/DBeIdSgKy4fCA4CZJsAK77BlmmZc7uzw+kGVa2gwlz66I0NwCdKm2PnokTx0S -VZEj2niblViL/XrJLaoUwi1VPBwHvOJPNTuwin9lYqBiERPuKDRyltMIkz5qTGoM 
-NUZFv2z3WhjMugqqb8NZ006KqapFSPS4Jl/d9Jp4GRLoik58E7PR93OWoGFcSTJb -fW795CHmBVQJ2Kgk ------END CERTIFICATE----- diff --git a/certs/postfix/elefant.fripost.org.pem b/certs/postfix/elefant.fripost.org.pem deleted file mode 100644 index 9ca9fc9..0000000 --- a/certs/postfix/elefant.fripost.org.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIJAL8cqL9fsGGzMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMRAwDgYDVQQLEwdQb3N0Zml4 -MRwwGgYDVQQDExNlbGVmYW50LmZyaXBvc3Qub3JnMB4XDTE0MDcwNzIyMDAzM1oX -DTI0MDcwNDIyMDAzM1owVTEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NM -Y2VydHMxEDAOBgNVBAsTB1Bvc3RmaXgxHDAaBgNVBAMTE2VsZWZhbnQuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXOCnwAAucpozu -RkAp1BMHE/BwbmycuKUCazUl4bGViQUpUuklFyCbAAgg7CUz08BrcSO/1GZlKFyZ -o6MzoYClwKjxG27zx+203oQOYd7NuY7vP4GNHlEsYlYWjq0QpYXsIAU6yZewQP82 -jB6GQqKuQphOrGpuXgMZXFA1fMD3q1UI5ep4RsU7O+rsjvLbiHUfN8A6V8ebAU0X -Ua+1muTra6SyiBsH9FwxQ9qWCQNgx7xAfw0ZH8BuFYtbf0/sUqtX+rLiVeo/JW9T -YLVK9ELFAXJ+DAQQZw3Lmaxbt9XXNOV7297csIJTqomDjuBIRknRBZUYRMMllkuo -ESAi5O3c16M2Y6ho/04TYLimncK56OsRDCCzH7mAOrKVBXPzEBJDCBlDDR3L3lR8 -6mr6nusf86j8vnsk8EiTpfw/5/8fdHXZH2Skrl3Lu0+h74VuszdsY8Xkxocmx+1f -3ImqA1kYe6owYO0O+CweVFuOY6ReFfdeCzcYGzua0dbdx4MsD9i7XImxDv+o5bI0 -KIFK9JdBz7gDIKOGw7bW+TIMGSguU3/aMvGFnf2Z/ARJMeTzvkflThj206175CJY -rham1ENlAEk9fDGR08CFCuLQh5ZZxdZ2JnXPAc/P6vQoEHNvYzunDN281hBXAhs8 -eL1MveoN9742D23RQrYmFu6z9V7s0QIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkq -hkiG9w0BAQ0FAAOCAgEANh6DvVHUaqxkdKOQHITF7243W17YB+VslfscRuJi8b8C -Z0pQGgqb39VDOIDJv3fykFNOBT1BMow63jq8yrrD9fc++G+InRN/xGouVypGzQ4s -ogHHiMnPuX2lWVpwLYKtJA1XrejVQpWZg+N1goLk85Y78bMKg64zh+9cMsR71QBp -PBA9OSgHtPzUiuBhLvH1Nxkyw2/Rnqq3qp2MZyTTRajoGvhfXFxkgTah6YGulDdC -1j0ASXM1scD7Kuv7hrJZaPRvFBxnwe0UvzL9qSkwoF17IGcpx66TPiBKruVlTrv+ -l2EVWEvat9wYZR6h30glWYKsv9ugq2sM8arx4pRJGemrRucswG3LAlB7fHhtzWe2 -CobCpOyayZ7b3oUT0a2bH1JTFTPNOIDaXZBFlxzgRaK/tPpZi8HzR2JxK8jbGLQa -7o7h10EQFSpNkcnQcxrMAy3hvUxtwRZGbMP0Q5khSpLnDbca5D9ppg2SVHBIBoFC -2k1L0Z0N6CrzxaUSL9exevayF2HRNCBtqqmBtfpdFCyrsJex4UbnuBYpxOgWSv2k -U9ORmi0zG8MTHVdZtFrvvHuk4h0kA996AiG00FIyVnMg6IPTstfSssi+RIkNvDFn -U5CrCnafSHxed31p10V7HrTr82FKJhN1yZRCZqiq3ipPBSQ2ynb8VNxXEAsmG6w= ------END CERTIFICATE----- 
diff --git a/certs/postfix/giraff.fripost.org.pem b/certs/postfix/giraff.fripost.org.pem deleted file mode 100644 index b9471c5..0000000 --- a/certs/postfix/giraff.fripost.org.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFiDCCA3CgAwIBAgIJAPGdPDU2DXs8MA0GCSqGSIb3DQEBDQUAMFQxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MRswGQYDVQQDDBJnaXJhZmYuZnJpcG9zdC5vcmcwHhcNMTUxMjAzMjE0ODM5WhcN -MjUxMTMwMjE0ODM5WjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhTU0xj -ZXJ0czEQMA4GA1UECwwHUG9zdGZpeDEbMBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qu -b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoMa2XxQ2M79SfMAj -M+pPF8RIXPmiS86vf6nw1GoIKbOAVpQqWw29j0FHlqiilii6DB+DmjvmSnAfmXN8 -ulpBCqTarlYBejzhYj9s0h3JlzmwuteuDUY8heAbXZzYmqRfDB8cwN5cWfzLqLPP -4XXPmL+KWx61mfgf0/PtDGSf+P2ylBdGx4LoO2Xs7iDsNAb/fdhK8Vr8axTfYx5z -gy4hf5RQr9sYHdWveo9z7YVr51eKARaaHsWgXtg8IQnLOoJq2ePcsrs/DTgleGvj -DnO+hICzWdq0XOOVEY21SCZXF878DJdA2d2MFncn9hIyvazvUFPgEKfUtqvnSduj -qFOGZgtO2bxM24w32pMiT/R03zQaQL+DFuCNKkBDtpHYeY8jC+/zYTbb8TLjOvj+ -rUghUAEV+YnQCVsXJ9rFVRNzYY7vZp1lvfXO4MBiD0NA7vC7VVVaxeiiH8BDpbFi -jAHAHPw/fWQYSo14GwEwXPqj+uvAmiZAqETGMxpSdLH6X5eg+IcuBR0g0CtRbmM8 -APjJacf7rncYIzc+t2n0Y0F/5n+JiIMisHnDwE+81mMv7EU4kvoOyn3oHIXMIyot -+JiDpSOACbfqtyhvi2Mjx1aXNgMC842wOmJfsLs2o9skEy6DeJeNvqijJb2wrSBx -m4txm2ZwI7FdA7sgJX01ANlC1mUCAwEAAaNdMFswHAYDVR0RBBUwE4ERYWRtaW5A -ZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAqQwHQYDVR0O -BBYEFHVU0ktdfSXuZsHcHBYzDXburCRHMA0GCSqGSIb3DQEBDQUAA4ICAQCKidoO -Z5nCg24DTFBsG5fs8fTRXpuvS6n6LFeF3EFBcviw/UQ33IzTcXKmuG+jSWNZvD1m -KPYVpaGGkjVyygHrhIruJM4UTNyKveeqGUJzehh3uafdcj6UYmVKgZOw4WfrFQEs -+dLq4PUww3x+6eHgHbpyLuLU1mJgzaCOYWNhqnnKBIivkUitsi2CnX1bspw9LPo5 -xx2s0/x/OLB7gPDzGwLypILUNfB15K8YBQ5nI7d7NNQRZ+VY//feAqJF4PUeaHG5 -ac97aWO/eJtsFdhzpMXgpsdCG0nIFfAgxP6RaOfaaOwSOW2XSHXw1ULiSG6xUvy8 -rYDdaM5ru92ZjIkCFaJ2RXnHMPRfFEbJi4Ukmz4KJG6DPqTnb/mRgQUWIFOUBPPp -Y7uwH8FXmCUsWu7bBDf1YmSF2XrTdhrY6lX4b+ybFuCmHnvRcD4DWyUFwgP91nf+ -2o9MpQwJuVnHWuDF+WOwrqW7bq4M8GyUkeFZna7Sld+tQJUOlmYTURtbXH2lLue2 -h3xS3jBF4IfichrcMsMPE6rrH06PO7+es2q7vV7BjH3g8gF0uBo+LQdJol8KFCNt -kn057HZjHs+c+npdxyoYc5BdUcyERONOEzZI1j2W0Q1JiQsnAnSKd3+eb0Ddivrf 
-vrUWE8sMZpPaVwUv3yaniORcv6K2sgv253WyuQ== ------END CERTIFICATE----- diff --git a/certs/postfix/mistral.fripost.org.pem b/certs/postfix/mistral.fripost.org.pem deleted file mode 100644 index 4c3dd97..0000000 --- a/certs/postfix/mistral.fripost.org.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIJAKKDwe2yT1pHMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMRAwDgYDVQQLEwdQb3N0Zml4 -MRwwGgYDVQQDExNtaXN0cmFsLmZyaXBvc3Qub3JnMB4XDTE0MDcwNzIyMDIxMloX -DTI0MDcwNDIyMDIxMlowVTEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NM -Y2VydHMxEDAOBgNVBAsTB1Bvc3RmaXgxHDAaBgNVBAMTE21pc3RyYWwuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDFONsB9ygKq7Hl -hk15jjab0UQGibEMSfypX+qsaCjPjPQ3HAlmKLD7jsRe6dppIO36syyAfOBi5GM8 -LpA67FPZzVrpUHsIaqA7oRLu6QSr7xjWwwJYslT1IodEhMH8ozaH98ksAHyigatH -BhyyfOm569Kb/kopaKCsaOepSedWvxU1Nl0XMokZzvDAQDhdSbXpdBWtw+jnxKBe -M5zBhLzo+OgkPyLO+FhFL7OZbvFq3UeucChBabCj/tlQHroBKCkWLJBC5GeRfKKy -gH/VQGuZT7jZ85Mn48uj62IvqCp2ej2bBKV5zKXecMnt1YkyNtmF3UQKkXS55Q+m -YzLKBvbIMTgrinGnF3jMTHlNfOkYkZbBIjKKpOGHmQPJWpoAPM9T+tGjgH151nEg -p7TT/oiQifgbJ6Y7IrapjeZX0mVrVNl/kHmgNx63BG3XuVLgbYh4Goz/7Vi1DbA4 -C5Kxi9Cae73HRMTc+VPrmALYdDN3YkU7RlP3kqkUgcbDCd9Y1IZHWITfix11/RjL -7Hmq7Fwysd5G8d6RBGjWk1SLi8qzyQnfyzOeMWyNcgQs94lGybFRG4rSK3LsILLO -bYg5hRtealnUvmLmb88LH5P/D6zOUpH0S90U2+QC2NrzbmBeaDR5BkhiSTkN4EN8 -3japdWoYc9Bvrb7VVIpTha5EQYDDkwIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkq -hkiG9w0BAQ0FAAOCAgEAC/IUsyBPyLmLj89nYLWS/rQLWSVjKsPrFS75Amztd67M -hcyBo1Ed2t3zjEviBod96in4oPX+NE5pzbh19YSstaIb+ZPPtF8GtJvYSPCDJjus -DyzoEWvaoCdzeH+em1xaYSAfxomwqjcO04iwE4AMPQM4P52416csGhmmftMblE2Q -tkT6lh2v0gE4a1mtovDTLeZV5L3SHziXWabi50D+Bpl4pScNjavswZ/ZZTXIw0y2 -ABq77SkEFqefQkWgWwVER4D0vX7+SdqYRewXal7HdTxJx2DUG0khndmgTuVrEY3g -oKf6T4CnXWgJ+IOfbIZ48ZTDsOvwvwq7l7Wo4tadju3o/xZgFOLId083L3forgf6 -7bU3rcEF6oDu8vsnWGYN0SgDxA12RoOwaO2PaObk4XhQrgIrYjBPREjMXfSyN3zU -1wziqVhgSNtmxOHYbAhMLruMM+6LMNv1+FbG6gxb2LtwwvMPLCB1J0imKko12WMG -/pj4B7LU4dkzJodtUpIQ9LgShJvXC8Juiz5tWXjymWC9I/LpgLk4Ky6i7bcYBpjh -SlN30WGfECh9JzGNMhKi6ZErF0W4cvI+iSUB2eQtJd+8Py6Z+ICTUFpfPNqXrU2m -9qnsueDS6DZgFfxioq3jvIOOwOo7W1/78o+qVDaRGyMLqJWifPVTQgpHFqKScpk= ------END CERTIFICATE----- 
diff --git a/certs/postfix/smtp.fripost.org.pem b/certs/postfix/smtp.fripost.org.pem deleted file mode 100644 index 2f97708..0000000 --- a/certs/postfix/smtp.fripost.org.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFUjCCAzoCCQCy2XbMAN1DeTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJT -RTEQMA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210 -cC5mcmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcw -HhcNMTQwNDA3MjMyMzMwWhcNMjQwNDA0MjMyMzMwWjBrMQswCQYDVQQGEwJTRTEQ -MA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210cC5m -cmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwggIi -MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/TboO8u6v8rVtrkI8kDZ4mdxM -5uyIPR2HODYIdMSj2YHmLohzITyysFNLpAVHOATnRkqLxhmX2zZ+Eu3uCE/kOfdR -fVNEvnSksFSCFXjqx666k7ABtyNHOVqali2HO62JDs837EPEOnF5oVapIUExse29 -POfBDGf18ArDGgd2Tl2DLDiojZYHh1pOsFhKcsks3OOdE109BG6C9S9ZlFBz0PW/ -s9ESEicP9KsqTpIRyd8OU3x8S0p+MDudu5NJjRG+Vlk6uJ2ApC68EowuIx/h7zbp -GEBG71GWb3OjlahOsf/EfKf/vHgkK8+CUWW1FGlvznoeS8R/fgUxRTh6+NXiSJGU -5Eq/wez/hYnotQWBExb42tUBcZbFh6FtD1FU7QNYwALHjV0aSx6leIgkGGWeUgJc -7o8OtDUX5QiY0Xe0s3g6qLFMGgXsfUA4IWjmOknFUA5CtJhDT5uMQLO/jF0tvugi -wTaBxpIjYDATfA1JeEB7+cfh9Jw5Q5XmydLUoLdT7Nut8e2NjYyN9izguPBf+Rzk -gUJZFeB+CEV62lMNWWENqgunjVXicolQ4WdWETYQWzUvVyFvR1RWVkOVw+1Wt6zU -Vbb3t1b2avnzvp4j92pTImJUgTLLRI5QE3bzD9MMDQSH6s7/dBltGIJeepDHB07H -yleUc/j6IdbfH5dfNwIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAFcW7ZYxsSuv3u -EbCa8NQ+HjecVHD8Spz4ofBZ9R0uON2VI++dz1mBdZE3udoxBt/Nj3U/YnlVToal -W/dYGusuKQFIATiB9MFXUDl1gfKaqcyrCZUxGpi1OXOa27WPbiRiQMnBYNkD1p3D -cz28XGQ78DswRER4eFn+76pOjqFxkxEe0Ww1oPvu+in23OWgTVTWP/6Opp6Y/epN -XkbHKiH9OXe2StYnlXD7P89w07fXaBNfDT5vLC9PDgYJk7wN76AaqwK/ZKFithSx -oT60db1n+fhaMC2U1R64L2clLpSrZ3lvXRplcsdII/06d+ysJn7hLV9IUca9AMoP -Px2KIyHgp5U6VtFF6UOLBl9+BUd0zzArSh9CJnXG88+CplGN51Fv2dPqzdno1XSg -ShbJ1onYonLbDaPG4i0LD3KyIX6ep5eU+KZZtcHwTbzKAQ/ySu5nqx2DAJbalJmj -9qz/zfOuZMJGDuN+iHCnqyxGoC/hB20IreGHfGS4XmJDkZ3zzqjJjBV32XeZ3Sx6 -odMnwO4mLjyb1Az/C/rwCrVG3nrZQhmD/H+juJVI/cinocJtQoPPq3zPx+GxQUxe -smR7bY7EMaTt+9EelIGmp65jEGrr+OVhZ3NudwWQyC242SMiOq+JpVRuefp+mtAN -UGGTaC4MdXJIwWZTakrnhkgTp4uqrA== ------END CERTIFICATE----- 
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml index 6dec897..ced15cc 100644 --- a/roles/IMAP/tasks/mda.yml +++ b/roles/IMAP/tasks/mda.yml @@ -25,21 +25,6 @@ - recipient_canonical.pcre - transport -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index 6c0b024..faf17de 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 @@ -17,7 +17,10 @@ myhostname = mda{{ imapno | default('') }}.$mydomain mydomain = fripost.org append_dot_mydomain = no -mynetworks_style = host +mynetworks = 127.0.0.0/8, [::1]/128 +{%- if groups.all | length > 1 -%} + , {{ ipsec_subnet }} +{% endif %} queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} 
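Review bot: With `+ , {{ ipsec_subnet }}` appended to `mynetworks`, every `permit_mynetworks` in this instance now trusts a whole subnet on the strength of the packet's source address alone, so the instance is only as safe as the guarantee that a packet claiming an address in `ipsec_subnet` cannot arrive outside an IPsec SA. That guarantee has to be provided elsewhere (a `require`-level SPD entry and/or a firewall rule keyed on `-m policy --dir in --pol ipsec`, not on source subnet), and nothing in this hunk records the dependency. The `groups.all | length > 1` test is also a proxy for "IPsec is deployed on this host", which is an inventory property rather than a host property, so a host added to the inventory before its IPsec configuration lands would trust the subnet prematurely. I would put the assumption next to the setting: `# ipsec_subnet is trusted only because the SPD/firewall reject cleartext traffic with that source`.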
@@ -56,21 +59,8 @@ recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre # Don't rewrite remote headers local_header_rewrite_clients = - -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 - +smtp_tls_security_level = none +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes @@ -78,7 +68,6 @@ disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer @@ -93,7 +82,6 @@ smtpd_sender_restrictions = smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 838135a..3c040b0 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -36,11 +36,7 @@ message_size_limit = 67108864 recipient_delimiter = + # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = 
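Review bot: `relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:…` does not fail the deploy when `addr` is malformed: as far as I can tell the `ipaddr` filter returns `False` rather than raising for an invalid value, so a typo renders `relayhost = [False]:port` and the error only surfaces as deferred mail at queue time. Since the whole commit now keys internal routing on this one value, a loud check is cheap, e.g. a task in the role with `- assert: { that: postfix_instance.out.addr | ipaddr }` before the template is rendered. Moving from `[outgoing.fripost.org]` to a literal address is itself a good change, because it takes DNS out of the trust path for the relay hop.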
@@ -57,21 +53,7 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre # TLS -{% if 'out' in group_names %} smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_ciphers = high -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} - smtpd_tls_security_level = encrypt smtpd_tls_ciphers = high smtpd_tls_protocols = !SSLv2, !SSLv3 diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index a5caf46..718be00 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -36,11 +36,7 @@ message_size_limit = 67108864 recipient_delimiter = + # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = 
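Review bot: Making `smtp_tls_security_level = none` unconditional (the `encrypt` branch with the fingerprint `tls_policy` map is removed) is only equivalent to the old behaviour if the kernel SPD entry for `postfix_instance.out.addr` is a `require` policy; with a `use` policy, or while the policy is absent, the submission hop carries the authenticated user's message to `out` in cleartext and Postfix has no way to notice, whereas the old `encrypt` setting failed closed. Dropping `smtp_bind_address` also means the source address is now chosen by routing; if a host has both a public and an IPsec address, the SPD selector has to match whichever the kernel picks, or the session falls outside the tunnel. I would state the requirement in the template: `# No TLS on this hop: out.addr must be reachable only over IPsec (SPD 'require', never 'use')`. The `smtpd_tls_*` settings that follow are context and are unchanged by this hunk.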
@@ -73,21 +69,7 @@ reserved-alias_destination_recipient_limit = 1 smtp_data_done_timeout = 1200s -{% if 'out' in group_names %} smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_ciphers = high -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} - smtpd_tls_security_level = may smtpd_tls_ciphers = medium smtpd_tls_protocols = !SSLv2, !SSLv3 diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2 index 49f3696..126cb72 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport.j2 +++ b/roles/MX/templates/etc/postfix/virtual/transport.j2 @@ -17,14 +17,5 @@ reserved.fripost.org reserved-alias: discard.fripost.org discard: -{% if 'LDA' in group_names %} -mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }} -{% else %} -mda.fripost.org smtp:[mda.fripost.org]:{{ postfix_instance.IMAP.port }} -{% endif %} - -{% if 'lists' in group_names %} -sympa.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }} -{% else %} -sympa.fripost.org smtp:[lists.fripost.org]:{{ postfix_instance.lists.port }} -{% endif %} +mda.fripost.org smtp:[{{ postfix_instance.IMAP.addr | ipaddr }}]:{{ postfix_instance.IMAP.port }} +sympa.fripost.org smtp:[{{ postfix_instance.lists.addr | ipaddr }}]:{{ postfix_instance.lists.port }} diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index 092334f..6f690e6 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml 
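Review bot: Both internal routes in the transport map now use the generic `smtp:` transport to a raw address, but the map gives no hint why the name-based `[mda.fripost.org]` target and the `smtpl` loopback variant went away, which invites a future "fix" back to hostnames or TLS. A one-line comment above the two entries would anchor the design: `# Internal hops go to the IPsec address; transport security is IPsec, not TLS (smtp_tls_security_level = none)`. If the `smtpl` service is still declared in master.cf it is presumably unused after this change and can be retired, though that file is not in this diff.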
@@ -36,37 +36,6 @@ notify: - Reload Postfix -- name: Create directory /etc/postfix/ssl - file: path=/etc/postfix/ssl - state=directory - owner=root group=root - mode=0755 - tags: - - genkey - -- name: Generate a private key and a X.509 certificate for Postfix - command: genkeypair.sh x509 - --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem - --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key - --ou=Postfix --cn={{ ansible_fqdn }} - -t rsa -b 4096 -h sha512 - register: r3 - changed_when: r3.rc == 0 - failed_when: r3.rc > 1 - notify: - - Restart Postfix - tags: - - genkey - -- name: Fetch Postfix's X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/postfix/ssl/{{ ansible_fqdn }}.pem - dest=certs/postfix/{{ ansible_fqdn }}.pem - tags: - - genkey - - name: Add a 'root' alias lineinfile: dest=/etc/aliases create=yes regexp="^root{{':'}} " @@ -81,25 +50,8 @@ - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent -- name: Copy the Postfix TLS policy map - template: src=etc/postfix/tls_policy.j2 - dest=/etc/postfix/tls_policy - owner=root group=root - mode=0644 - when: "'out' not in group_names or 'MX' in group_names" - tags: - - tls_policy - -- name: Compile the Postfix TLS policy map - postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb - owner=root group=root - mode=0644 - when: "'out' not in group_names or 'MX' in group_names" - tags: - - tls_policy - - name: Start Postfix service: name=postfix state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 247f98a..2def27f 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 
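Review bot: The tasks that generated `/etc/postfix/ssl/{{ ansible_fqdn }}.key` and compiled `/etc/postfix/tls_policy` are deleted, but nothing removes the artefacts already on the hosts, so each one keeps an unreferenced 4096-bit RSA private key in `/etc/postfix/ssl/` plus stale `tls_policy` and per-instance `relay_clientcerts` maps that no configuration reads any more. Orphaned private keys are exactly what backups and later audits turn up as findings. A cleanup task fits here, e.g. `- name: Remove obsolete Postfix TLS material` with `file: path=/etc/postfix/ssl state=absent`, and the same for `/etc/postfix/tls_policy{,.cdb}`. The `when: not (r1.changed or r2.changed)` adjustment looks right since `r3` no longer exists.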
@@ -26,31 +26,14 @@ out tcp 636 # LDAPS {% endif %} {% if 'MX' in group_names %} in tcp 25 # SMTP -{% if 'MDA' not in group_names %} -out tcp {{ postfix_instance.IMAP.port }} -{% endif %} -{% if 'lists' not in group_names %} -out tcp {{ postfix_instance.lists.port }} -{% endif %} {% endif %} {% if 'out' in group_names %} -{% if groups.all | difference([inventory_hostname]) %} -in tcp {{ postfix_instance.out.port }} -{% endif %} out tcp 25 # SMTP -{% else %} -out tcp {{ postfix_instance.out.port }} {% endif %} {% if 'IMAP' in group_names %} in tcp 993 # IMAPS in tcp 4190 # MANAGESIEVE {% endif %} -{% if 'MDA' in group_names and 'MX' not in group_names %} -in tcp {{ postfix_instance.IMAP.port }} -{% endif %} -{% if 'lists' in group_names and 'MX' not in group_names %} -in tcp {{ postfix_instance.lists.port }} -{% endif %} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 3f36418..8caaa82 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 
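Review bot: The inbound rules for `postfix_instance.out.port`, `.IMAP.port` and `.lists.port` are removed here, so whatever admits that traffic now must live in a template this diff does not show, and how that rule is written matters: a rule keyed on the `ipsec_subnet` source alone is spoofable from the public interface, whereas one keyed on `-m policy --dir in --pol ipsec` (or on the IPsec interface) only admits decrypted ESP payload. Because `mynetworks` now grants relaying to that subnet, this file should at least say where the IPsec-side rules are, e.g. `{# internal Postfix ports are opened for IPsec-policy traffic only; see the IPsec rules #}` at the top of the section. The `groups.all | difference([inventory_hostname])` guard is gone with the rule, which is fine as long as the replacement rule has an equivalent single-host case.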
@@ -30,32 +30,11 @@ virtual_alias_maps = cdb:/etc/aliases alias_database = $virtual_alias_maps # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = -{% if 'out' in group_names %} -smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_ciphers = high -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtp_tls_cert_file = $config_directory/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = $config_directory/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:$config_directory/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} -smtpd_tls_security_level = none - -# Turn off all TCP/IP listener ports except that dedicated to -# samhain(8), which sadly cannot use pickup through the sendmail binary. -master_service_disable = !127.0.0.1:16132.inet inet +smtp_tls_security_level = none +smtpd_tls_security_level = none {% set multi_instance = False %} {%- for g in postfix_instance.keys() | sort -%} diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 9a07dfd..c2ee395 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 
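Review bot: Removing `master_service_disable = !127.0.0.1:16132.inet inet` changes what the default instance listens on, not just its TLS settings: previously every `inet` entry in master.cf except the samhain one was disabled by default, and now any `inet` service the default-instance branch of master.cf.j2 still declares (the stock `smtp inet` line, if present) comes up on all addresses. That branch is not in this diff, so I cannot tell whether this is intended; the commit message says nothing about listeners or samhain. If the explicit `[addr]:port` bindings in master.cf.j2 are meant to be the only listeners, say so here, e.g. `# no master_service_disable: master.cf.j2 declares only address-bound listeners`, and otherwise restore the setting.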
@@ -23,8 +23,7 @@ cleanup_nochroot unix n - n - 0 cleanup {{ postfix_instance.MSA.port }} inet n - - - - smtpd -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL {% elif inst in ['IMAP', 'out', 'lists'] %} -{{ postfix_instance[inst].port }} inet n - - - - smtpd - -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH +[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd {% endif %} pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml index 6678c52..a7c8bd6 100644 --- a/roles/lists/tasks/mail.yml +++ b/roles/lists/tasks/mail.yml @@ -22,21 +22,6 @@ mode=0644 # no need to reload upon change, as cleanup(8) is short-running -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2 index 397f759..933d540 100644 --- a/roles/lists/templates/etc/postfix/main.cf.j2 +++ b/roles/lists/templates/etc/postfix/main.cf.j2 
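Review bot: `[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet` interpolates `addr` raw, while every other template in this commit passes it through `| ipaddr`; for consistency and the same validation use `[{{ postfix_instance[inst].addr | ipaddr }}]:{{ postfix_instance[inst].port }} inet`. This binding is also what actually keeps the now cleartext smtpd off the public interface, so the `-o tls_high_cipherlist` line being dropped is safe only as long as the bind stays on the IPsec address; worth a comment on the line above it: `# bound to the IPsec address only; TLS is off for these instances`.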
@@ -17,7 +17,10 @@ myhostname = lists.$mydomain mydomain = fripost.org append_dot_mydomain = no -mynetworks_style = host +mynetworks = 127.0.0.0/8, [::1]/128 +{%- if groups.all | length > 1 -%} + , {{ ipsec_subnet }} +{% endif %} queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} @@ -48,21 +51,8 @@ sympa_destination_recipient_limit = 1 # Don't rewrite remote headers local_header_rewrite_clients = - -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 - +smtp_tls_security_level = none +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes @@ -70,7 +60,6 @@ disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer @@ -85,7 +74,6 @@ smtpd_sender_restrictions = smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml index 0b68c83..96a557d 100644 --- a/roles/out/tasks/main.yml +++ b/roles/out/tasks/main.yml 
@@ -12,21 +12,6 @@ notify: - Reload Postfix -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - meta: flush_handlers - name: Start Postfix diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 98c0185..235b866 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 @@ -51,20 +51,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 - +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes @@ -77,7 +64,6 @@ unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer 
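Review bot: `smtpd_tls_security_level = none` on the `out` instance is acceptable only because master.cf binds this instance to `postfix_instance.out.addr`, yet the two settings live in different files and nothing here ties them together, so a later change of the bind address would expose a cleartext relay whose first restriction is `permit_mynetworks`. The `smtp_tls_*` lines kept above it are for external delivery and are unaffected. I would add, directly above the new line, `# cleartext listener: relies on master.cf binding this instance to the IPsec address`.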
@@ -94,7 +80,6 @@ smtpd_relay_restrictions = reject_unknown_recipient_domain reject_unverified_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = |