Postfix MX/MSA instances: put certs in the the instance's $config_directory.

author: Guilhem Moulin <guilhem@fripost.org> 2016-07-10 05:05:46 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-07-10 05:05:46 +0200
commit: d6ff0c078e6d70e50c888e016a8a8b9b0d8d7782 (patch)
tree: 03dc91145b2ccf5db868ca397e3029365fdbc50a /roles/MSA
parent: 37464e75e1863a89d757077400543dea7b9317ac (diff)
2 files changed, 11 insertions, 3 deletions
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 1c34720..3068e1b 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -5,51 +5,59 @@
     - postfix-pcre
 
 - name: Configure Postfix
   template: src=etc/postfix/{{ item }}.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
             owner=root group=root
             mode=0644
   with_items:
     - main.cf
     - master.cf
   notify:
     - Reload Postfix
 
 - name: Copy the Regex to anonymize senders
   # no need to reload upon change, as cleanup(8) is short-running
   copy: src=etc/postfix/anonymize_sender.pcre
         dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre
         owner=root group=root
         mode=0644
 
+- name: Create directory /etc/postfix/ssl
+  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
+        state=directory
+        owner=root group=root
+        mode=0755
+  tags:
+    - genkey
+
 - meta: flush_handlers
 
 - name: Start Postfix
   service: name=postfix state=started
 
 - name: Fetch Postfix's X.509 certificate
   # Ensure we don't fetch private data
   become: False
   # `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
   fetch_cmd: cmd="openssl x509 -noout -pubkey"
-             stdin=/etc/postfix/ssl/smtp.fripost.org.pem
+             stdin=/etc/postfix-{{ postfix_instance[inst].name }}/ssl/smtp.fripost.org.pem
              dest=certs/public/smtp.fripost.org.pub
   tags:
     - genkey
 
 
 - name: Install 'postfix_mailqueue_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
         dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
         owner=root group=root
         state=link force=yes
   tags:
     - munin
     - munin-node
   notify:
     - Restart munin-node
 
 - name: Install 'postfix_stats_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_stats_
         dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
         owner=root group=root
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index e998f39..838135a 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -59,42 +59,42 @@ header_checks  = pcre:$config_directory/anonymize_sender.pcre
 # TLS
 {% if 'out' in group_names %}
 smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
 smtp_tls_ciphers                = high
 smtp_tls_protocols              = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
 smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = encrypt
 smtpd_tls_ciphers               = high
 smtpd_tls_protocols             = !SSLv2, !SSLv3
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
-smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
+smtpd_tls_cert_file             = $config_directory/ssl/smtp.fripost.org.pem
+smtpd_tls_key_file              = $config_directory/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database=
 smtpd_tls_received_header       = yes
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
author	Guilhem Moulin <guilhem@fripost.org>	2016-07-10 05:05:46 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2016-07-10 05:05:46 +0200
commit	d6ff0c078e6d70e50c888e016a8a8b9b0d8d7782 (patch)
tree	03dc91145b2ccf5db868ca397e3029365fdbc50a /roles/MSA
parent	37464e75e1863a89d757077400543dea7b9317ac (diff)