author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-09 23:46:21 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-10 01:07:39 +0200 |
commit | b441dd4a7c3ce72008968d324a12e5c342d164a3 (patch) | |
tree | 8375a25dfb8a91d3d16cf426851cd1049bb508b3 /group_vars | |
parent | 418b3303f17776e64341f990d13e98ce6f662bf5 (diff) |
Route SMTP traffic from the webmail through IPsec.
Diffstat (limited to 'group_vars')
-rw-r--r-- | group_vars/all.yml | 38 |
1 files changed, 27 insertions, 11 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index a9bfda9..96f723b 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,15 +1,4 @@
 ---
-postfix_instance:
- # The keys are the group names associated with a Postfix role, and the
- # values are the name and group (optional) of the instance dedicated
- # to that role.
- IMAP: { name: mda, port: 2526 }
- MX: { name: mx, group: mta }
- out: { name: out, group: mta, port: 2525 }
- MSA: { name: msa }
- lists: { name: lists, port: 2527 }
-
-
 # Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
 # in the absence of xfrm lookup (i.e., when there is no matching IPsec
 # Security Association) to avoid data leaks.
@@ -23,3 +12,30 @@ ipsec:
 elefant: 172.16.0.4
 giraff: 172.16.0.5
 mistral: 172.16.0.6
+
+
+postfix_instance:
+ # The keys are the group names associated with a Postfix role, and the
+ # values are the name and group (optional) of the instance dedicated
+ # to that role.
+ # For internal services, we also specify its (non-routable) IP address
+ # and port.
+ # XXX it's unfortunate that we can only specify a single address, and
+ # therefore have to limit the number of outgoing SMTP proxy and
+ # IMAP server to one. Since hosts(5) files cannot map and IP
+ # address to multiple hostnames, a workaround would be to use
+ # round-robin DNS, but we can't rely on DNS as long as our zone is
+ # unsigned.
+ IMAP: { name: mda
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2526 }
+ MX: { name: mx, group: mta }
+ out: { name: out, group: mta
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2525 }
+ MSA: { name: msa }
+ lists: { name: lists
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2527 }
+
+imapsvr_addr: "{{ postfix_instance.IMAP.addr | ipaddr }}" |
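Review bot: The `'127.0.0.1'` fallback in the three new `addr` values does not shield the single-host case the way the condition suggests, because Jinja evaluates both arguments of `ternary` before the filter runs: `ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ]` (and the `out` and `lists` counterparts) is always evaluated, so an empty role group or a host absent from the `ipsec` map fails the whole variable even when `groups.all | length` is 1. A conditional expression short-circuits and keeps the same result, e.g. `addr: "{{ ipsec[hostvars[groups.IMAP[0]].inventory_hostname_short] if groups.all | length > 1 else '127.0.0.1' }}"`, applied likewise to `out` and `lists`. Since the three expressions differ only in the group name, the invariant they rely on is worth stating once above `postfix_instance:`, e.g. `# addr must be an ipsec[] address (nullrouted without a matching SA) or loopback, never a routable IP, so that inter-instance SMTP cannot leave the IPsec tunnel.` The comment line `cannot map and IP` reads as a typo for `cannot map an IP`.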