authorGuilhem Moulin <guilhem@fripost.org>2015-06-04 20:26:53 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:54:26 +0200
commit2c925ea17fcb6f71826e5c0f30f99c5daba10e14 (patch)
tree90f0cbed686e3f5704b4440ab6239046412d91d6 /roles/webmail/templates/etc/stunnel/postfix.conf.j2
parentf3d93ac759ee2ac08ecc7308d3019796e2285797 (diff)
Make the webmail connect directly to the outgoing SMTP proxy.
(Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes.
Diffstat (limited to 'roles/webmail/templates/etc/stunnel/postfix.conf.j2')
-rw-r--r--roles/webmail/templates/etc/stunnel/postfix.conf.j255
1 files changed, 55 insertions, 0 deletions
diff --git a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 b/roles/webmail/templates/etc/stunnel/postfix.conf.j2
new file mode 100644
index 0000000..78922c8
--- /dev/null
+++ b/roles/webmail/templates/etc/stunnel/postfix.conf.j2
@@ -0,0 +1,55 @@
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/postfix.pid
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+key = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+[smtp]
+accept = localhost:2525
+connect = outgoing.fripost.org:{{ postfix_instance.out.port }}
+CAfile = /etc/stunnel/certs/postfix.pem
+protocol = smtp
+
+; vim:ft=dosini
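Review bot: The comment above `pid` says the PID file is created inside the chroot jail, but no `chroot` option is set anywhere in this new file, so the daemon is only de-privileged through `setuid`/`setgid` and is not confined; either add a `chroot` setting or reword the comment to `; PID file location (no chroot is configured)`. `verify = 4` makes stunnel ignore the CA chain and accept only the peer certificate stored in the `CAfile` of `[smtp]`, so `; Prevent MITM attacks` would be more useful as `; Pin the peer certificate (see CAfile in [smtp]); refresh the pin before the server certificate is rotated`. With `client = yes`, a client `cert`/`key` and `accept = localhost:2525`, any local process that can reach the loopback port is presumably relayed to the outgoing proxy under this host's certificate, so a comment in `[smtp]` stating that local users are trusted to submit mail (or pointing to the firewall rule that restricts the port) would document the assumption. In the `ciphers` line, `!SSLv3` and `!TLSv1` are OpenSSL cipher-suite classes rather than protocol switches, and `TLSv1.1` may not be a recognised class at all, so it is worth noting in the comment that protocol versions are actually disabled by the `options = NO_*` lines.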