Replace IPSec tunnels by app-level ephemeral TLS sessions.

For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.

3 files changed, 25 insertions, 11 deletions

diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 923aa35..3e31f04 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -4,9 +4,6 @@
 # direction              protocol     destination port            source port
 # (in|out|inout)[46]?    (tcp|udp|..) (port|port:port|port,port)  (port|port:port|port,port)
 
-inout   udp     500      500                            # ISAKMP
-#inout   udp     4500    4500    # IPSec NAT Traversal
-
 out     tcp     80,443                                  # HTTP/HTTPS
 out     udp     53                                      # DNS
 out     udp     67                                      # DHCP
@@ -20,15 +17,23 @@ in      tcp     {{ ansible_ssh_port|default('22') }}    # SSH
 in      tcp     25                                      # SMTP
 {% endif %}
 {% if 'out' in group_names %}
-#out     tcp     25                                     # SMTP
+in      tcp     {{ postfix_instance.out.port }}
+out     tcp     25                                      # SMTP
+{% else %}
+out     tcp     {{ postfix_instance.out.port }}
 {% endif %}
 {% if 'IMAP' in group_names %}
 in      tcp     993                                     # IMAPS
 in      tcp     4190                                    # ManageSieve
 {% endif %}
+{% if 'MDA' in group_names %}
+in      tcp     {{ postfix_instance.mda.port }}
+{% endif %}
 {% if 'MSA' in group_names %}
 in      tcp     587                                     # SMTP-AUTH
 {% endif %}
 {% if 'webmail' in group_names %}
 in     tcp      80,443                                  # HTTP/HTTPS
+out    tcp      993                                     # IMAP # TODO imapc
+out    tcp      4190
 {% endif %}
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 70d4b98..1abce71 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -17,7 +17,6 @@ append_dot_mydomain = no
 # This server is for internal use only
 mynetworks_style = host
 inet_interfaces  = loopback-only
-inet_protocols   = ipv4
 
 # No local delivery
 mydestination        =
@@ -30,7 +29,7 @@ default_database_type = cdb
 virtual_alias_maps    = cdb:/etc/aliases
 alias_database        = $virtual_alias_maps
 
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
 {% if 'out' in group_names %}
 relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
@@ -38,14 +37,18 @@ relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
-# Tunnel everything through IPSec
-smtp_tls_security_level  = none
 {% if 'out' in group_names %}
-smtp_bind_address        = 127.0.0.1
+smtp_tls_security_level         = none
+smtp_bind_address               = 127.0.0.1
 {% else %}
-smtp_bind_address        = 172.16.0.1
+smtp_tls_security_level         = encrypt
+smtp_tls_cert_file              = $config_directory/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file               = $config_directory/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps            = cdb:$config_directory/tls_policy
+smtp_tls_fingerprint_digest     = sha256
 {% endif %}
-smtpd_tls_security_level = none
+smtpd_tls_security_level        = none
 
 # Turn off all TCP/IP listener ports except that dedicated to
 # samhain(8), which sadly cannot use pickup through the sendmail binary.
diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2
new file mode 100644
index 0000000..b4fc453
--- /dev/null
+++ b/roles/common/templates/etc/postfix/tls_policy.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+[outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2
+{% for x in tls_policy.results %}
+   match={{ x.stdout }}
+{% endfor %}