diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-10 03:32:23 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:57 +0200 |
| commit | c515d0adea0ce6408dfaa5719a3bbf3340da7d92 (patch) | |
| tree | 44b154d1b60fda8a263c987ed2161d08e4d627aa /roles/common | |
| parent | 520ca74cdac5bc15b0d28f7a313730655c95d9c8 (diff) | |
Ensure have a TLS policy for each of our host we want to relay to.
Diffstat (limited to 'roles/common')
| -rw-r--r-- | roles/common/tasks/mail.yml | 15 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/tls_policy.j2 | 23 |
2 files changed, 23 insertions, 15 deletions
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index e51dfef..56a012e 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml @@ -85,23 +85,12 @@ - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent -- name: Build the Postfix TLS policy map - sudo: False - # smtp_tls_fingerprint_digest MUST be sha256! - local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | cut -d= -f2 - with_items: groups.out | sort - register: tls_policy - changed_when: False - when: "'out' not in group_names" - tags: - - tls_policy - - name: Copy the Postfix TLS policy map template: src=etc/postfix/tls_policy.j2 dest=/etc/postfix/tls_policy owner=root group=root mode=0644 - when: "'out' not in group_names" + when: "'out' not in group_names or 'MX' in group_names" tags: - tls_policy @@ -109,7 +98,7 @@ postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb owner=root group=root mode=0644 - when: "'out' not in group_names" + when: "'out' not in group_names or 'MX' in group_names" tags: - tls_policy diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2 index b4fc453..d53b0a0 100644 --- a/roles/common/templates/etc/postfix/tls_policy.j2 +++ b/roles/common/templates/etc/postfix/tls_policy.j2 @@ -1,6 +1,25 @@ # {{ ansible_managed }} +# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256! +{% if 'out' not in group_names %} [outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2 -{% for x in tls_policy.results %} - match={{ x.stdout }} +{% for h in groups.out | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {% endfor %} +{% endif %} + +{% if 'MX' in group_names %} +{% if 'IMAP' not in group_names %} +[mda.fripost.org]:{{ postfix_instance.IMAP.port }} fingerprint ciphers=high protocols=TLSv1.2 +{% for h in groups.IMAP | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} +{% endfor %} +{% endif %} + +{% if 'lists' not in group_names %} +[antilop.fripost.org]:{{ postfix_instance.lists.port }} fingerprint ciphers=high +{% for h in groups.lists | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} +{% endfor %} +{% endif %} +{% endif %} |