summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/templates/etc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-01 23:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:13 +0200
commitde4859456f1de54540c96ad97f62858dd089a980 (patch)
tree4b4904258ae3daf6a6b4f852cbc9821acdfa8cc4 /roles/IMAP/templates/etc
parent170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (diff)
Replace IPSec tunnels by app-level ephemeral TLS sessions.
For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
Diffstat (limited to 'roles/IMAP/templates/etc')
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j249
l---------roles/IMAP/templates/etc/postfix/relay_clientcerts.j21
2 files changed, 45 insertions, 5 deletions
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 46f64aa..40c8d32 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -28,11 +28,8 @@ multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
-inet_interfaces = 172.16.0.1
-{% if 'MX' in group_names %}
- 127.0.0.1
-{% endif %}
-inet_protocols = ipv4
+inet_interfaces = all
+
# No local delivery
mydestination =
@@ -64,3 +61,45 @@ recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
local_header_rewrite_clients =
# Tolerate occasional high latency
smtpd_timeout = 1200s
+
+
+relay_clientcerts = cdb:$config_directory/relay_clientcerts
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_fingerprint_digest = sha256
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+smtpd_client_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ # We are the only ones using this proxy, but if things go wrong we
+ # want to know why
+ defer
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ permit_tls_clientcerts
+ reject
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining
diff --git a/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2 b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
new file mode 120000
index 0000000..b375aa0
--- /dev/null
+++ b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/relay_clientcerts.j2 \ No newline at end of file