authorGuilhem Moulin <guilhem@fripost.org>2014-07-01 23:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:13 +0200
commitde4859456f1de54540c96ad97f62858dd089a980 (patch)
tree4b4904258ae3daf6a6b4f852cbc9821acdfa8cc4 /roles/IMAP
parent170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (diff)
Replace IPSec tunnels by app-level ephemeral TLS sessions.
For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
Diffstat (limited to 'roles/IMAP')
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-master.conf5
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf12
-rw-r--r--roles/IMAP/tasks/imap.yml8
-rw-r--r--roles/IMAP/tasks/mda.yml26
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j249
l---------roles/IMAP/templates/etc/postfix/relay_clientcerts.j21
6 files changed, 77 insertions, 24 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
index d477d01..30a6f8b 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
@@ -15,11 +15,6 @@ default_login_user = dovenull
default_internal_user = dovecot
service imap-login {
- inet_listener imap {
- address = 172.16.0.1
- port = 143
- ssl = no
- }
inet_listener imaps {
port = 993
ssl = yes
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index c5e61d7..526da9c 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -5,18 +5,6 @@
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
-# No need for SSL if the packets are protected by IPSec.
-local 172.16.0.1 {
- protocol imap {
- disable_plaintext_auth = no
- ssl = no
- }
- protocol sieve {
- disable_plaintext_auth = no
- ssl = no
- }
-}
-
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 5424485..3e93c53 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -62,6 +62,12 @@
owner=vmail group=vmail
mode=0700
+- name: Create directory /etc/dovecot/ssl
+ file: path=/etc/dovecot/ssl
+ state=directory
+ owner=root group=root
+ mode=0755
+
- name: Generate a private key and a X.509 certificate for Dovecot
command: genkeypair.sh x509
--pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
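Review bot: The new `/etc/dovecot/ssl` directory is created `mode=0755` and the very next task generates a private key into it, but nothing in the hunk pins the key file's own mode; whether it ends up root-only depends entirely on what `genkeypair.sh` does, which is not visible here, while the 10-ssl.conf comment in this same commit says the key must stay unreadable by anyone but root. A world-readable directory is fine as long as the key is not, so either add a comment on the directory task stating that invariant (`# 0755 is fine: the private key below must itself be 0600`) or, more robustly, follow the generate task with a `file:` task such as `file: path=<dovecot key path> owner=root group=root mode=0600` so the permission does not rely on the script. Note that the `Generate a private key …` task continues past the end of this hunk, so the key path and any mode handling it already has are outside what I can see.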
@@ -73,6 +79,8 @@
failed_when: r1.rc > 1
notify:
- Restart Dovecot
+ tags:
+ - genkey
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 0358f12..4a74ed3 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -9,7 +9,7 @@
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
- register: r
+ register: r1
notify:
- Restart Postfix
@@ -35,8 +35,30 @@
owner=root group=root
mode=0644
+- name: Build the Postfix relay clientcerts map
+ sudo: False
+ # smtpd_tls_fingerprint_digest MUST be sha256!
+ local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p'
+ with_items: groups.MX | difference([inventory_hostname]) | sort
+ register: relay_clientcerts
+ changed_when: False
+
+- name: Copy the Postfix relay clientcerts map
+ template: src=etc/postfix/relay_clientcerts.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+ owner=root group=root
+ mode=0644
+
+- name: Compile the Postfix relay clientcerts map
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart Postfix
+
- name: Start Postfix
service: name=postfix state=started
- when: not r.changed
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
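Review bot: The `Build the Postfix relay clientcerts map` task can silently produce an empty entry: `openssl x509 … | sed …` runs under `/bin/sh` without pipefail, so if `certs/postfix/{{ item }}.pem` is missing or unreadable on the controller, openssl's failure is masked by sed's exit status, `changed_when: False` keeps the task green, and the affected MX simply disappears from `relay_clientcerts` and gets `defer`red by `permit_tls_clientcerts` with no hint why. Run it under bash with pipefail, e.g. `local_action: shell executable=/bin/bash set -o pipefail; openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p'`, or alternatively fail when an item's stdout is empty. Separately, `-fingerprint` hashes the certificate rather than its public key, so any re-issue of an MX's certificate changes the fingerprint and this host's map must be rebuilt before relaying works again; that coupling deserves a comment next to the existing `# smtpd_tls_fingerprint_digest MUST be sha256!` note (a public-key fingerprint, which Postfix's relay_clientcerts also accepts, would survive a re-issue with the same key).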
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 46f64aa..40c8d32 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -28,11 +28,8 @@ multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
-inet_interfaces = 172.16.0.1
-{% if 'MX' in group_names %}
- 127.0.0.1
-{% endif %}
-inet_protocols = ipv4
+inet_interfaces = all
+
# No local delivery
mydestination =
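Review bot: Replacing the 172.16.0.1 binding with `inet_interfaces = all` widens the listening surface from the tunnel address to every address on the host, and dropping `inet_protocols = ipv4` at the same time means the setting falls back to Postfix's compiled default, which is `all` (IPv4 and IPv6) on Postfix 2.9 and later; with `mynetworks_style = host`, `permit_mynetworks` in the new restriction lists then also covers the host's IPv6 addresses. That may well be intended now that relaying is gated by client certificates, but the template should say so, e.g. above the line: `# Listen on all addresses: relaying is gated by permit_tls_clientcerts below, and inet_protocols is left at its default (all, i.e. IPv6 too, on Postfix >= 2.9).` If IPv6 was not meant to be exposed, keep an explicit `inet_protocols = ipv4`.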
@@ -64,3 +61,45 @@ recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
local_header_rewrite_clients =
# Tolerate occasional high latency
smtpd_timeout = 1200s
+
+
+relay_clientcerts = cdb:$config_directory/relay_clientcerts
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_fingerprint_digest = sha256
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+smtpd_client_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ # We are the only ones using this proxy, but if things go wrong we
+ # want to know why
+ defer
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ permit_tls_clientcerts
+ reject
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining
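Review bot: The new smtpd TLS stanza sets `smtpd_tls_security_level = may` but leaves `smtpd_tls_protocols` and `smtpd_tls_ciphers` at their defaults, so the peers that authenticate here by certificate fingerprint can negotiate whatever the distribution's Postfix default permits — on releases of this era that still includes SSLv3 and weak cipher grades unless the packager hardened it. Since every legitimate client is under the same control, pin them, e.g. `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtpd_tls_ciphers = high`, and add `smtpd_tls_loglevel = 1` so the presented client certificate and its fingerprint are logged when a relay attempt ends in `defer` (otherwise a fingerprint mismatch is indistinguishable from a missing cert in the logs). `smtpd_tls_security_level = encrypt` would refuse plaintext sessions up front instead of letting them fall through to `defer`, but check first that nothing covered by `permit_mynetworks` submits without STARTTLS. Minor style: `smtpd_tls_session_cache_database= btree:` is missing the space before `=` that every other line in the stanza has.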
diff --git a/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2 b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
new file mode 120000
index 0000000..b375aa0
--- /dev/null
+++ b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/relay_clientcerts.j2 \ No newline at end of file