summaryrefslogtreecommitdiffstats
path: root/roles/MX
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-01 23:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:13 +0200
commitde4859456f1de54540c96ad97f62858dd089a980 (patch)
tree4b4904258ae3daf6a6b4f852cbc9821acdfa8cc4 /roles/MX
parent170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (diff)
Replace IPSec tunnels by app-level ephemeral TLS sessions.
For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
Diffstat (limited to 'roles/MX')
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j222
-rw-r--r--roles/MX/templates/etc/postfix/virtual/transport.j24
2 files changed, 15 insertions, 11 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 34e38a0..4d8e53e 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -41,7 +41,7 @@ local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
{% if 'out' in group_names %}
relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
@@ -49,6 +49,7 @@ relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
+
# Virtual transport
# We use a dedicated "virtual" domain to decongestion potential
# bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
@@ -67,6 +68,7 @@ virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
virtual_mailbox_maps =
transport_maps = cdb:$config_directory/virtual/transport
+
# Don't rewrite remote headers
local_header_rewrite_clients =
# Pass the client information along to the content filter
@@ -77,15 +79,20 @@ reserved-alias_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
-# Tunnel everything through IPSec
-smtp_tls_security_level = none
+
{% if 'out' in group_names %}
-smtp_bind_address = 127.0.0.1
+smtp_tls_security_level = none
+smtp_bind_address = 127.0.0.1
{% else %}
-smtp_bind_address = 172.16.0.1
+smtp_tls_security_level = encrypt
+smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
+smtp_tls_fingerprint_digest = sha256
{% endif %}
+smtpd_tls_security_level = none
-# TLS
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
@@ -93,9 +100,6 @@ smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
-smtpd_tls_fingerprint_digest = sha1
-smtpd_tls_eecdh_grade = strong
-tls_random_source = dev:/dev/urandom
# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2
index 2250a71..a34dcad 100644
--- a/roles/MX/templates/etc/postfix/virtual/transport.j2
+++ b/roles/MX/templates/etc/postfix/virtual/transport.j2
@@ -3,11 +3,11 @@ reserved.locahost.localdomain reserved-alias:
{% if 'LDA' in group_names %}
mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }}
{% else %}
-mda.fripost.org smtps:[mda.fripost.org]:{{ postfix_instance.IMAP.port }}
+mda.fripost.org smtp:[mda.fripost.org]:{{ postfix_instance.IMAP.port }}
{% endif %}
{% if 'lists' in group_names %}
lists.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }}
{% else %}
-lists.fripost.org smtps:[lists.fripost.org]:{{ postfix_instance.lists.port }}
+lists.fripost.org smtp:[lists.fripost.org]:{{ postfix_instance.lists.port }}
{% endif %}