20 files changed, 22 insertions, 460 deletions
diff --git a/certs/postfix/antilop.fripost.org.pem b/certs/postfix/antilop.fripost.org.pem
deleted file mode 100644
index bf51a71..0000000
--- a/certs/postfix/antilop.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFijCCA3KgAwIBAgIJAJ7uWvUKTBNYMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MRwwGgYDVQQDDBNhbnRpbG9wLmZyaXBvc3Qub3JnMB4XDTE1MTIwMzIxNDY1MFoX -DTI1MTEzMDIxNDY1MFowVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM -Y2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxHDAaBgNVBAMME2FudGlsb3AuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDywIWldXJuXlb5 -wox0v9z8EAubIzCJzFHJ2THS08UrbddoqrK+ZzoTvXGqPnKGrDBu5fO7X4jtwxxc -r2ordUbRGL7V8RyHKNTv3fiQTyG2TGPjfRWFM3132V2/UfGcgKJ7mGAU66tRw0pn -S7MVcR4ydbH9RmxBZHixYRnp3GXVvyfQzpMs8/rGAc5gUYzTP+rQ8CinPTi5m+6B -84Hk0iSIc6q8CrZphzB0wu5hP5CVO2p1MCewbBTbxwZWETZWG9Lvi1qqEBSfZg0Q -eO9KtJ4nhPaRVE3bwE7WMU01/PrlyB4mxvTDRx4vev3BwJGprMSCCAFDsY1Z6f2d -vVdCzw9kclZ2HjS8jtQrsbfkD7MG+3yH03kkDGvkVtNERGdXJZLult+HlG6ct86x -kdnucQLyCWLzYwJLG3niuRqx6TkvlWes4Ki5LqWfuo5i/pVbMgIVCsvtTOomg8oX -DFFiJr5nLTmyM9+Ed2irxgfZQvqA5F+hH9de0IbrWoA93LI+c4UibtM8mzxO92Xq -FEbEOzKSHd3xmE00SJMyuXfi68YS8tMuL36gZrI0A+TOOqmgvFl7HIiTCTZm6kXe -trJryZ2jzDgVO/fT9153g7x3cUVwYo22SaY4uCaqc2itznFxYmusFbQTnbVcKSld -3zBBZSixoRglUsT6Dzw8MvsgL5MDWwIDAQABo10wWzAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNV -HQ4EFgQUSxJXkZW0jiUsORgOclClxQr5FAcwDQYJKoZIhvcNAQENBQADggIBADja -PwJDx/YYrzf8KTPDo3FfThVYJ4CviTK6EX9FCe4mV7bPRqvQEl0S3QJ1HYAw630H -9nD7cBxXb1DwKEZ7s5zJ8fDRhwcOlFTCeGnzdlutPcmCKbHIfP7af5or0aluesyT -qfeP5TqAsUfa15EuiGxqrANA6IOah6EDlZdGBlo/EkCM1hqMrWJkABy8KuedOGqA -fXgzzdzVsMfOWOmXTnhsUw/9976hgTUvGBbGXcZ5qCi46HRs0ju7XGOYe0p8ODRO -0LOCD/eSyyZapZFeDWKFuirq9xYsWAfxJXp8qBqK+emTqnknGGKer6oPW5bHDlLx -JAtWDZXYsdA3CqrMI3yNgZ59MrxCkAcSVdG1fRG7xzD0uubyjnTC6d0TxBbOHkOo -73Xm6y54b9a69ysl6qWexUYY8nfPrBEzorUmYg6jTz8bGrjuq4pTjhsdthO9mfNH -uAuGuVEfh077OBCbH8aZzkObnd6bwJ3203rFqEDZgFoTFtR2Yc226RaoN4YvgwXi -sqEXE7on7WpTUozLGkpwlIkx8HnassUWxzDbvr76vc14sM6haQ67SK8ca/i4qELd -u12/7NVb8V107sqTPEtWLBQkr/9P4owPRgiu9G8cZ9+bhChpUMk+YrAycu60lBI+ 
-M+Bh888MoRPfA5vClWejauawJXKhkaTRkPeTZNex ------END CERTIFICATE----- diff --git a/certs/postfix/benjamin.skangas.se.pem b/certs/postfix/benjamin.skangas.se.pem deleted file mode 100644 index fe52149..0000000 --- a/certs/postfix/benjamin.skangas.se.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFijCCA3KgAwIBAgIJAKbGm+B95GSyMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MRwwGgYDVQQDDBNiZW5qYW1pbi5za2FuZ2FzLnNlMB4XDTE1MTIwMzIxMzMyM1oX -DTI1MTEzMDIxMzMyM1owVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM -Y2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxHDAaBgNVBAMME2JlbmphbWluLnNrYW5n -YXMuc2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDMQjaGYOUBYNy2 -lRyNXGUu6R95HD7GWS4drfqvzNmGoCguIgCI3G4HdRwiqDmaBBVpRBJkGBqInOgm -uIMEWvVagIDw4hndh8BNj3GQY0qLrkOOcX5kv3faWKj6EYyVuNr0o1YOWq80K3il -FpYELCvpywgTnT7J/j2QE83cILaOTxVHGlsnetpIQKCm8eqc/LWS1oqcyFauuw8V -IqVgYPkCXM29mnpc7ZpJC3mCfYc+TOOp1W0CVmpi1XQRnzGvdM9LDp0XJSMoRJlh -260AvyOXusG/f96qIEniL4MqiVZm/YbAPIzGXnouzB1c4m9D/BADfX9WB5sjhXVw -Ir2X5nKts9oCziD7nc14UXf6YRpZS9dkJ1vgKSe9r32hYdPC/Y3855iAhdCPSk9x -Efb8PUUrVuyzT6tg0z10gLSuUQnJfzklHKJc3EFnbAf9oMTZXr8xfmKPu6BKAz0Z -kYppcUGE2DGuDFWKegduRzDT+GSAaOt/GWQ/yxgXPkah+bw1P4poFMa1AvGulBi3 -gAkqXMfN6lV6r7HY1Z/is1G0w4Z88x5Q6Vm4DYsnNdThFGxGENqxKqv9e4et8OrC -dj/adKilR3d6sDnx11HaC0Z4BwnQtWM6BxMpu0BtGNWQpF/HcVLGPq0foNgbTde9 -/jwIEaEEX1DDyQeSHIZ9h4jB6ZlvIQIDAQABo10wWzAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNV -HQ4EFgQU2Cyd45hFuVYkzWL11zNAV2X3pzcwDQYJKoZIhvcNAQENBQADggIBAC1x -Uwa5zH/abkkirRfzr/6KTRcr3aoSKdHaF6oBq32wNiZ3WmHBMCDzhk/1SSDkqhB8 -i8hnwoYDXUeIqCH4l/GGFHUe6cWjabJFcZQ8wYr5QK1YEH8asV3V8XruIMUDBbZ1 -rR915VHaoWynX7FeXa722LraCodCuLJoLPbEok1HGkAP+dd80qZb8oqEDgnMHGHp -cLjgP66bBiTSSP/rh8ODM8Dzt8sYY3NFl0bze9H5rWD4jAiRCAzJLtzgpmEiClLS -Scb6s5NbUWV7XgmIt7Zan8SzsTKTQiOt87GW1s3bVzq8e4EYKCJmifEzqcdt5an/ -NSgkNLPMvdb3DUAuh0h0UCUiTngSkGAZqw//CtcbGfRVm0MS/n48iR0Rg1DARK54 -+iINKtIgE6aIIB14s65ZgDG7xwtn8gmToya++x7f458dNh4HtjB1ZXUlZs7oiZTh -24aMhP6im92rAgnpBaeTZkXJAi9ryWCJ7QIVP41fUECCBeN7XBZVMzdvsjKjYghl -0i5ukvjnatwH7d9Wd+UMEKsXr6N87Tezzj8w0yssf3TiBFT75fUbpW8x6hsllMaW -LFaue/LwXPWpGpKnHh1S7y9/nluAS0gml0zlXBpu1gR/l4rdRnrq8bcR89pMbBA8 
-jcMWl+sS6U7XWVCLK0JWr1kZie0ZDRbGKac8tULy ------END CERTIFICATE----- diff --git a/certs/postfix/civett.friprogramvarusyndikatet.se.pem b/certs/postfix/civett.friprogramvarusyndikatet.se.pem deleted file mode 100644 index 6c86277..0000000 --- a/certs/postfix/civett.friprogramvarusyndikatet.se.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFqDCCA5CgAwIBAgIJAJcIUkIy3L+wMA0GCSqGSIb3DQEBDQUAMGQxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MSswKQYDVQQDDCJjaXZldHQuZnJpcHJvZ3JhbXZhcnVzeW5kaWthdGV0LnNlMB4X -DTE1MTIwMzIxNDgwMVoXDTI1MTEzMDIxNDgwMVowZDEQMA4GA1UECgwHRnJpcG9z -dDERMA8GA1UECwwIU1NMY2VydHMxEDAOBgNVBAsMB1Bvc3RmaXgxKzApBgNVBAMM -ImNpdmV0dC5mcmlwcm9ncmFtdmFydXN5bmRpa2F0ZXQuc2UwggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQC5fYriUyE8wrqD2HAhkQ90j2XZKjDi5t0g0esr -3FjrHgQ1tQwrN3NKFEBrRSyTLKEhd4FYuvOVeE0HTfrCY9nft1fU+duMbcmtQwYt -L/cfyZVuw/nNMvOZVzdvJJs8FMndkB+YSsPlN/SgAHH2iVMUAU/KK6MMXaXxF+Oo -fnTztQwSAMbbJ7sW8t36BPn6Jtua22AZLdrIkUnHxTNbCD3RLkjHXaEPNDA5oHGe -pNCD3mNS2mTvjC1vlDLwY68mTS9EmfFadDmYSf6atLuhytBNyBMIoelD6w0eZqgM -4qhhfNCN0imfqeZzTdA7AM5ZkZE5GqtvzQUCnQEVFtu5oZyM2xmPhWkDxTmNTniF -F973VWbt96xpJi552kttW5+X8gfkgQ64DVV9ooMjaKej3tRVWJREb0jYnCTLdB30 -ondKFbEiKakXmRPG7LAcsQMeLlgsYlEFgUqSlI+vzYR2HNIG64VikmOr7Jtkr1+B -NrnCiCb20U9MB3JjXTfdnmxiBDnmRP7GjYM8p6LNLFPl84E7Suld+EyZ6f/uawis -CIvw4eRM+GLAJjNQoiRUUS56UKXUP3kqkN+5xg7tPmmAR71QI7lDL8HqJrpIUJm8 -zpadVBv4FbuXx2vRPv+2KtmrFg4r28YZ0C7PMdiJXUyWVDE76rBmqmD2/IWE8ide -EmeN3QIDAQABo10wWzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNV -HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQU0VVpnljlfH41+FiB -bIfB22bUg6owDQYJKoZIhvcNAQENBQADggIBAE2e5g2rwD2/hBKntDvXhkybxzu5 -pTO55An1wiX+PcpcaeMX8EU7QNKIN5iOtDCRI8cB9SorSVlwzKrekaMpxk3PsGNk -J+N5eLX1pkY7vzU0nuesqLp+laDb05NwcnKNOAl6/LBwvdq9EcgyM2cTs8RvpkBp -/xUzF9tsoZoLI3kCg+Q1MODjWxoV3eUIFHaprzqyLegklwZ5hzuzlRnBvNqkfRy0 -YeAdEzbxYc1Kei5eKdm+2kdc1nfvQwBxr32C40Fh3Hmc5UZYIsXU92FOryDiHCjG -3Oa4oGXCdeYSMb8M6BIZhN5bksmvD4rNa5e8yaI+fGGdJY2khiLwl2SqUH5weqn+ -ndk9AIQAEsn/8W1nvsgZ4ev1Ykq4+c+Ky45waD2++q7aLwThw8jw8m/uO/w4BXZH -Pl1Y8hUMm0MGAgK7DPduq3tNicRpJDGNwUkK+uirUaePtjlpqN59ovZkW5XP1KyQ -G0/DBeIdSgKy4fCA4CZJsAK77BlmmZc7uzw+kGVa2gwlz66I0NwCdKm2PnokTx0S -VZEj2niblViL/XrJLaoUwi1VPBwHvOJPNTuwin9lYqBiERPuKDRyltMIkz5qTGoM 
-NUZFv2z3WhjMugqqb8NZ006KqapFSPS4Jl/d9Jp4GRLoik58E7PR93OWoGFcSTJb -fW795CHmBVQJ2Kgk ------END CERTIFICATE----- diff --git a/certs/postfix/elefant.fripost.org.pem b/certs/postfix/elefant.fripost.org.pem deleted file mode 100644 index 9ca9fc9..0000000 --- a/certs/postfix/elefant.fripost.org.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIJAL8cqL9fsGGzMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMRAwDgYDVQQLEwdQb3N0Zml4 -MRwwGgYDVQQDExNlbGVmYW50LmZyaXBvc3Qub3JnMB4XDTE0MDcwNzIyMDAzM1oX -DTI0MDcwNDIyMDAzM1owVTEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NM -Y2VydHMxEDAOBgNVBAsTB1Bvc3RmaXgxHDAaBgNVBAMTE2VsZWZhbnQuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXOCnwAAucpozu -RkAp1BMHE/BwbmycuKUCazUl4bGViQUpUuklFyCbAAgg7CUz08BrcSO/1GZlKFyZ -o6MzoYClwKjxG27zx+203oQOYd7NuY7vP4GNHlEsYlYWjq0QpYXsIAU6yZewQP82 -jB6GQqKuQphOrGpuXgMZXFA1fMD3q1UI5ep4RsU7O+rsjvLbiHUfN8A6V8ebAU0X -Ua+1muTra6SyiBsH9FwxQ9qWCQNgx7xAfw0ZH8BuFYtbf0/sUqtX+rLiVeo/JW9T -YLVK9ELFAXJ+DAQQZw3Lmaxbt9XXNOV7297csIJTqomDjuBIRknRBZUYRMMllkuo -ESAi5O3c16M2Y6ho/04TYLimncK56OsRDCCzH7mAOrKVBXPzEBJDCBlDDR3L3lR8 -6mr6nusf86j8vnsk8EiTpfw/5/8fdHXZH2Skrl3Lu0+h74VuszdsY8Xkxocmx+1f -3ImqA1kYe6owYO0O+CweVFuOY6ReFfdeCzcYGzua0dbdx4MsD9i7XImxDv+o5bI0 -KIFK9JdBz7gDIKOGw7bW+TIMGSguU3/aMvGFnf2Z/ARJMeTzvkflThj206175CJY -rham1ENlAEk9fDGR08CFCuLQh5ZZxdZ2JnXPAc/P6vQoEHNvYzunDN281hBXAhs8 -eL1MveoN9742D23RQrYmFu6z9V7s0QIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkq -hkiG9w0BAQ0FAAOCAgEANh6DvVHUaqxkdKOQHITF7243W17YB+VslfscRuJi8b8C -Z0pQGgqb39VDOIDJv3fykFNOBT1BMow63jq8yrrD9fc++G+InRN/xGouVypGzQ4s -ogHHiMnPuX2lWVpwLYKtJA1XrejVQpWZg+N1goLk85Y78bMKg64zh+9cMsR71QBp -PBA9OSgHtPzUiuBhLvH1Nxkyw2/Rnqq3qp2MZyTTRajoGvhfXFxkgTah6YGulDdC -1j0ASXM1scD7Kuv7hrJZaPRvFBxnwe0UvzL9qSkwoF17IGcpx66TPiBKruVlTrv+ -l2EVWEvat9wYZR6h30glWYKsv9ugq2sM8arx4pRJGemrRucswG3LAlB7fHhtzWe2 -CobCpOyayZ7b3oUT0a2bH1JTFTPNOIDaXZBFlxzgRaK/tPpZi8HzR2JxK8jbGLQa -7o7h10EQFSpNkcnQcxrMAy3hvUxtwRZGbMP0Q5khSpLnDbca5D9ppg2SVHBIBoFC -2k1L0Z0N6CrzxaUSL9exevayF2HRNCBtqqmBtfpdFCyrsJex4UbnuBYpxOgWSv2k -U9ORmi0zG8MTHVdZtFrvvHuk4h0kA996AiG00FIyVnMg6IPTstfSssi+RIkNvDFn -U5CrCnafSHxed31p10V7HrTr82FKJhN1yZRCZqiq3ipPBSQ2ynb8VNxXEAsmG6w= ------END CERTIFICATE----- 
diff --git a/certs/postfix/giraff.fripost.org.pem b/certs/postfix/giraff.fripost.org.pem
deleted file mode 100644
index b9471c5..0000000
--- a/certs/postfix/giraff.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFiDCCA3CgAwIBAgIJAPGdPDU2DXs8MA0GCSqGSIb3DQEBDQUAMFQxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRAwDgYDVQQLDAdQb3N0Zml4 -MRswGQYDVQQDDBJnaXJhZmYuZnJpcG9zdC5vcmcwHhcNMTUxMjAzMjE0ODM5WhcN -MjUxMTMwMjE0ODM5WjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhTU0xj -ZXJ0czEQMA4GA1UECwwHUG9zdGZpeDEbMBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qu -b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoMa2XxQ2M79SfMAj -M+pPF8RIXPmiS86vf6nw1GoIKbOAVpQqWw29j0FHlqiilii6DB+DmjvmSnAfmXN8 -ulpBCqTarlYBejzhYj9s0h3JlzmwuteuDUY8heAbXZzYmqRfDB8cwN5cWfzLqLPP -4XXPmL+KWx61mfgf0/PtDGSf+P2ylBdGx4LoO2Xs7iDsNAb/fdhK8Vr8axTfYx5z -gy4hf5RQr9sYHdWveo9z7YVr51eKARaaHsWgXtg8IQnLOoJq2ePcsrs/DTgleGvj -DnO+hICzWdq0XOOVEY21SCZXF878DJdA2d2MFncn9hIyvazvUFPgEKfUtqvnSduj -qFOGZgtO2bxM24w32pMiT/R03zQaQL+DFuCNKkBDtpHYeY8jC+/zYTbb8TLjOvj+ -rUghUAEV+YnQCVsXJ9rFVRNzYY7vZp1lvfXO4MBiD0NA7vC7VVVaxeiiH8BDpbFi -jAHAHPw/fWQYSo14GwEwXPqj+uvAmiZAqETGMxpSdLH6X5eg+IcuBR0g0CtRbmM8 -APjJacf7rncYIzc+t2n0Y0F/5n+JiIMisHnDwE+81mMv7EU4kvoOyn3oHIXMIyot -+JiDpSOACbfqtyhvi2Mjx1aXNgMC842wOmJfsLs2o9skEy6DeJeNvqijJb2wrSBx -m4txm2ZwI7FdA7sgJX01ANlC1mUCAwEAAaNdMFswHAYDVR0RBBUwE4ERYWRtaW5A -ZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAqQwHQYDVR0O -BBYEFHVU0ktdfSXuZsHcHBYzDXburCRHMA0GCSqGSIb3DQEBDQUAA4ICAQCKidoO -Z5nCg24DTFBsG5fs8fTRXpuvS6n6LFeF3EFBcviw/UQ33IzTcXKmuG+jSWNZvD1m -KPYVpaGGkjVyygHrhIruJM4UTNyKveeqGUJzehh3uafdcj6UYmVKgZOw4WfrFQEs -+dLq4PUww3x+6eHgHbpyLuLU1mJgzaCOYWNhqnnKBIivkUitsi2CnX1bspw9LPo5 -xx2s0/x/OLB7gPDzGwLypILUNfB15K8YBQ5nI7d7NNQRZ+VY//feAqJF4PUeaHG5 -ac97aWO/eJtsFdhzpMXgpsdCG0nIFfAgxP6RaOfaaOwSOW2XSHXw1ULiSG6xUvy8 -rYDdaM5ru92ZjIkCFaJ2RXnHMPRfFEbJi4Ukmz4KJG6DPqTnb/mRgQUWIFOUBPPp -Y7uwH8FXmCUsWu7bBDf1YmSF2XrTdhrY6lX4b+ybFuCmHnvRcD4DWyUFwgP91nf+ -2o9MpQwJuVnHWuDF+WOwrqW7bq4M8GyUkeFZna7Sld+tQJUOlmYTURtbXH2lLue2 -h3xS3jBF4IfichrcMsMPE6rrH06PO7+es2q7vV7BjH3g8gF0uBo+LQdJol8KFCNt -kn057HZjHs+c+npdxyoYc5BdUcyERONOEzZI1j2W0Q1JiQsnAnSKd3+eb0Ddivrf 
-vrUWE8sMZpPaVwUv3yaniORcv6K2sgv253WyuQ== ------END CERTIFICATE----- diff --git a/certs/postfix/mistral.fripost.org.pem b/certs/postfix/mistral.fripost.org.pem deleted file mode 100644 index 4c3dd97..0000000 --- a/certs/postfix/mistral.fripost.org.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIJAKKDwe2yT1pHMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMRAwDgYDVQQLEwdQb3N0Zml4 -MRwwGgYDVQQDExNtaXN0cmFsLmZyaXBvc3Qub3JnMB4XDTE0MDcwNzIyMDIxMloX -DTI0MDcwNDIyMDIxMlowVTEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NM -Y2VydHMxEDAOBgNVBAsTB1Bvc3RmaXgxHDAaBgNVBAMTE21pc3RyYWwuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDFONsB9ygKq7Hl -hk15jjab0UQGibEMSfypX+qsaCjPjPQ3HAlmKLD7jsRe6dppIO36syyAfOBi5GM8 -LpA67FPZzVrpUHsIaqA7oRLu6QSr7xjWwwJYslT1IodEhMH8ozaH98ksAHyigatH -BhyyfOm569Kb/kopaKCsaOepSedWvxU1Nl0XMokZzvDAQDhdSbXpdBWtw+jnxKBe -M5zBhLzo+OgkPyLO+FhFL7OZbvFq3UeucChBabCj/tlQHroBKCkWLJBC5GeRfKKy -gH/VQGuZT7jZ85Mn48uj62IvqCp2ej2bBKV5zKXecMnt1YkyNtmF3UQKkXS55Q+m -YzLKBvbIMTgrinGnF3jMTHlNfOkYkZbBIjKKpOGHmQPJWpoAPM9T+tGjgH151nEg -p7TT/oiQifgbJ6Y7IrapjeZX0mVrVNl/kHmgNx63BG3XuVLgbYh4Goz/7Vi1DbA4 -C5Kxi9Cae73HRMTc+VPrmALYdDN3YkU7RlP3kqkUgcbDCd9Y1IZHWITfix11/RjL -7Hmq7Fwysd5G8d6RBGjWk1SLi8qzyQnfyzOeMWyNcgQs94lGybFRG4rSK3LsILLO -bYg5hRtealnUvmLmb88LH5P/D6zOUpH0S90U2+QC2NrzbmBeaDR5BkhiSTkN4EN8 -3japdWoYc9Bvrb7VVIpTha5EQYDDkwIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1p -bkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkq -hkiG9w0BAQ0FAAOCAgEAC/IUsyBPyLmLj89nYLWS/rQLWSVjKsPrFS75Amztd67M -hcyBo1Ed2t3zjEviBod96in4oPX+NE5pzbh19YSstaIb+ZPPtF8GtJvYSPCDJjus -DyzoEWvaoCdzeH+em1xaYSAfxomwqjcO04iwE4AMPQM4P52416csGhmmftMblE2Q -tkT6lh2v0gE4a1mtovDTLeZV5L3SHziXWabi50D+Bpl4pScNjavswZ/ZZTXIw0y2 -ABq77SkEFqefQkWgWwVER4D0vX7+SdqYRewXal7HdTxJx2DUG0khndmgTuVrEY3g -oKf6T4CnXWgJ+IOfbIZ48ZTDsOvwvwq7l7Wo4tadju3o/xZgFOLId083L3forgf6 -7bU3rcEF6oDu8vsnWGYN0SgDxA12RoOwaO2PaObk4XhQrgIrYjBPREjMXfSyN3zU -1wziqVhgSNtmxOHYbAhMLruMM+6LMNv1+FbG6gxb2LtwwvMPLCB1J0imKko12WMG -/pj4B7LU4dkzJodtUpIQ9LgShJvXC8Juiz5tWXjymWC9I/LpgLk4Ky6i7bcYBpjh -SlN30WGfECh9JzGNMhKi6ZErF0W4cvI+iSUB2eQtJd+8Py6Z+ICTUFpfPNqXrU2m -9qnsueDS6DZgFfxioq3jvIOOwOo7W1/78o+qVDaRGyMLqJWifPVTQgpHFqKScpk= ------END CERTIFICATE----- 
diff --git a/certs/postfix/smtp.fripost.org.pem b/certs/postfix/smtp.fripost.org.pem
deleted file mode 100644
index 2f97708..0000000
--- a/certs/postfix/smtp.fripost.org.pem
+++ /dev/null
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFUjCCAzoCCQCy2XbMAN1DeTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJT -RTEQMA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210 -cC5mcmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcw -HhcNMTQwNDA3MjMyMzMwWhcNMjQwNDA0MjMyMzMwWjBrMQswCQYDVQQGEwJTRTEQ -MA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210cC5m -cmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwggIi -MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/TboO8u6v8rVtrkI8kDZ4mdxM -5uyIPR2HODYIdMSj2YHmLohzITyysFNLpAVHOATnRkqLxhmX2zZ+Eu3uCE/kOfdR -fVNEvnSksFSCFXjqx666k7ABtyNHOVqali2HO62JDs837EPEOnF5oVapIUExse29 -POfBDGf18ArDGgd2Tl2DLDiojZYHh1pOsFhKcsks3OOdE109BG6C9S9ZlFBz0PW/ -s9ESEicP9KsqTpIRyd8OU3x8S0p+MDudu5NJjRG+Vlk6uJ2ApC68EowuIx/h7zbp -GEBG71GWb3OjlahOsf/EfKf/vHgkK8+CUWW1FGlvznoeS8R/fgUxRTh6+NXiSJGU -5Eq/wez/hYnotQWBExb42tUBcZbFh6FtD1FU7QNYwALHjV0aSx6leIgkGGWeUgJc -7o8OtDUX5QiY0Xe0s3g6qLFMGgXsfUA4IWjmOknFUA5CtJhDT5uMQLO/jF0tvugi -wTaBxpIjYDATfA1JeEB7+cfh9Jw5Q5XmydLUoLdT7Nut8e2NjYyN9izguPBf+Rzk -gUJZFeB+CEV62lMNWWENqgunjVXicolQ4WdWETYQWzUvVyFvR1RWVkOVw+1Wt6zU -Vbb3t1b2avnzvp4j92pTImJUgTLLRI5QE3bzD9MMDQSH6s7/dBltGIJeepDHB07H -yleUc/j6IdbfH5dfNwIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAFcW7ZYxsSuv3u -EbCa8NQ+HjecVHD8Spz4ofBZ9R0uON2VI++dz1mBdZE3udoxBt/Nj3U/YnlVToal -W/dYGusuKQFIATiB9MFXUDl1gfKaqcyrCZUxGpi1OXOa27WPbiRiQMnBYNkD1p3D -cz28XGQ78DswRER4eFn+76pOjqFxkxEe0Ww1oPvu+in23OWgTVTWP/6Opp6Y/epN -XkbHKiH9OXe2StYnlXD7P89w07fXaBNfDT5vLC9PDgYJk7wN76AaqwK/ZKFithSx -oT60db1n+fhaMC2U1R64L2clLpSrZ3lvXRplcsdII/06d+ysJn7hLV9IUca9AMoP -Px2KIyHgp5U6VtFF6UOLBl9+BUd0zzArSh9CJnXG88+CplGN51Fv2dPqzdno1XSg -ShbJ1onYonLbDaPG4i0LD3KyIX6ep5eU+KZZtcHwTbzKAQ/ySu5nqx2DAJbalJmj -9qz/zfOuZMJGDuN+iHCnqyxGoC/hB20IreGHfGS4XmJDkZ3zzqjJjBV32XeZ3Sx6 -odMnwO4mLjyb1Az/C/rwCrVG3nrZQhmD/H+juJVI/cinocJtQoPPq3zPx+GxQUxe -smR7bY7EMaTt+9EelIGmp65jEGrr+OVhZ3NudwWQyC242SMiOq+JpVRuefp+mtAN -UGGTaC4MdXJIwWZTakrnhkgTp4uqrA== ------END CERTIFICATE----- 
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml index 6dec897..ced15cc 100644 --- a/roles/IMAP/tasks/mda.yml +++ b/roles/IMAP/tasks/mda.yml @@ -8,55 +8,40 @@ template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix - name: Copy the transport and recipient canonical maps copy: src=etc/postfix/{{ item }} dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: # no need to reload upon change, as cleanup(8) is short-running - recipient_canonical.pcre - transport -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb owner=root group=root mode=0644 notify: - Reload Postfix - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index 6c0b024..faf17de 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 
@@ -1,102 +1,90 @@ ######################################################################## # Mail Delivery Agent (MDA) configuration # # {{ ansible_managed }} # Do NOT edit this file directly! smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no readme_directory = no mail_owner = postfix delay_warning_time = 4h maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = mda{{ imapno | default('') }}.$mydomain mydomain = fripost.org append_dot_mydomain = no -mynetworks_style = host +mynetworks = 127.0.0.0/8, [::1]/128 +{%- if groups.all | length > 1 -%} + , {{ ipsec_subnet }} +{% endif %} queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 0 recipient_delimiter = + # No relay: this server is inbound-only relay_transport = error:5.1.1 Relay unavailable default_transport = error:5.1.1 Transport unavailable # Virtual transport (the alias resolution and address validation is # performed on the MX:es only) virtual_transport = lmtp:unix:private/dovecot-lmtpd lmtp_bind_address = 127.0.0.1 virtual_mailbox_domains = static:all virtual_mailbox_maps = static:all #transport_maps = cdb:$config_directory/transport # Restore the original envelope recipient relay_domains = recipient_canonical_classes = envelope_recipient recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre # Don't rewrite remote headers local_header_rewrite_clients = - -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_exclude_ciphers = 
EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 - +smtp_tls_security_level = none +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = reject_unauth_pipelining # vim: set filetype=pfmain : diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 838135a..3c040b0 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 
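Review bot: Trusting `{{ ipsec_subnet }}` in `mynetworks` widens the MDA's trust boundary from the few hosts whose certificate fingerprints were listed in relay_clientcerts to every address on the IPsec network, and because this instance has `virtual_mailbox_maps = static:all` and leaves validation to the MX, any host on that subnet can now deliver straight into mailboxes. If only the MX hosts are meant to reach this instance, list their tunnel addresses here instead of the whole subnet. The plaintext listener (`smtpd_tls_security_level = none`) also rests on the assumption that a packet sourced from `ipsec_subnet` can only have arrived through the tunnel, which this template cannot enforce; I would record that above the `mynetworks` line: `# Client-cert auth replaced by IPsec: the firewall must drop non-IPsec traffic with a source in $ipsec_subnet`. Note too that the `groups.all | length > 1` guard trusts only loopback on a single-host inventory, whereas the MX transport map now always connects to `postfix_instance.IMAP.addr` — if that is not a loopback address, the MX's own deliveries would presumably be rejected by `smtpd_relay_restrictions`.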
@@ -19,76 +19,58 @@ append_dot_mydomain = no mynetworks_style = host queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = # Don't rewrite remote headers local_header_rewrite_clients = # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre #content_filter = amavisfeed:unix:public/amavisfeed-antivirus # TLS -{% if 'out' in group_names %} smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_ciphers = high -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} - smtpd_tls_security_level = encrypt smtpd_tls_ciphers = 
high smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = $config_directory/ssl/smtp.fripost.org.pem smtpd_tls_key_file = $config_directory/ssl/smtp.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem smtpd_tls_session_cache_database= smtpd_tls_received_header = yes # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index a5caf46..718be00 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 
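Review bot: `relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}` will not fail the play when `addr` is not an IP literal: Ansible's `ipaddr` filter returns `False` for a hostname, an empty string or a typo, so the rendered file reads `relayhost = [False]:port` and the Reload handler presumably puts a broken relay into service with no error at deploy time. Guard the value before templating, e.g. `- assert:` / `that: postfix_instance.out.addr | ipaddr`, or drop the filter so that a hostname at least still resolves. Since the client side is now `smtp_tls_security_level = none`, mail from authenticated users leaves this host in the clear towards `out`; that is only acceptable if `postfix_instance.out.addr` is the tunnel-side address, which the hunk does not show — a comment stating so next to `relayhost` would help the next reader.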
@@ -19,92 +19,74 @@ append_dot_mydomain = no mynetworks_style = host queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = # Virtual transport # We use a dedicated "virtual" domain to decongestion potential # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in # tranport_maps. virtual_transport = error:5.1.1 Virtual transport unavailable virtual_alias_domains = !cdb:$config_directory/virtual/transport ldap:$config_directory/virtual/domains.cf virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre # unless there is a matching user/alias/list... 
ldap:$config_directory/virtual/mailbox.cf ldap:$config_directory/virtual/alias.cf ldap:$config_directory/virtual/list.cf # ...we resolve alias domains and catch alls ldap:$config_directory/virtual/alias_domains.cf ldap:$config_directory/virtual/catchall.cf transport_maps = cdb:$config_directory/virtual/transport # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter smtp_send_xforward_command = yes # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 reserved-alias_destination_recipient_limit = 1 # Tolerate occasional high latency smtp_data_done_timeout = 1200s -{% if 'out' in group_names %} smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_ciphers = high -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} - smtpd_tls_security_level = may smtpd_tls_ciphers = medium smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_cert_file = $config_directory/ssl/mx.fripost.org.pem smtpd_tls_key_file = $config_directory/ssl/mx.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= smtpd_tls_received_header = yes # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control invalid_hostname_reject_code = 554 
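Review bot: Removing `smtp_bind_address = 127.0.0.1` together with the `encrypt` branch leaves the MX's outbound client with `smtp_tls_security_level = none` and no pinned source address, so whether the hops to mda, sympa and out actually traverse the IPsec tunnel now depends solely on the kernel's route to those addresses. If the host has more than one path to a `postfix_instance.*.addr`, a routing change would put these sessions — which also carry the original client identity via `smtp_send_xforward_command = yes` — on the wire in plaintext and unauthenticated. I would pin `smtp_bind_address` to the host's tunnel-side address (whichever variable holds it in this inventory) and add `# No TLS: every next hop (mda, sympa, out) is reached over IPsec only` above `smtp_tls_security_level = none` so the dependency is explicit.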
diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2 index 49f3696..126cb72 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport.j2 +++ b/roles/MX/templates/etc/postfix/virtual/transport.j2 @@ -1,30 +1,21 @@ # Each valid address user@example.org is aliased (on the MX) into some # example.org/user@xxx.fripost.org, and non-defaults next-hop:port are # chosen here in that table, depending on 'xxx'. The reason for such # indirection is that there is only one qmgr(8) daemon, which delegate # the routing strategy to the trivial-rewrite(8), which in turns queries # transport_maps. Hence high latency maps such as LDAP or SQL would # congestion the queue manager. On the other hand, virtual aliasing is # performed by cleanup(8), multiples instances of which can run in # parallel. See http://www.postfix.org/ADDRESS_REWRITING_README.html . # # /!\ WARNING: xxx.fripost.org should NOT be in the list of valid # domains ($virtual_alias_domains)! Otherwise at the next iteration of # the alias resolution loop the domain will be validated but not the # address, and the MTA will reply with "Recipient address rejected: User # unknown in virtual alias table". reserved.fripost.org reserved-alias: discard.fripost.org discard: -{% if 'LDA' in group_names %} -mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }} -{% else %} -mda.fripost.org smtp:[mda.fripost.org]:{{ postfix_instance.IMAP.port }} -{% endif %} - -{% if 'lists' in group_names %} -sympa.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }} -{% else %} -sympa.fripost.org smtp:[lists.fripost.org]:{{ postfix_instance.lists.port }} -{% endif %} +mda.fripost.org smtp:[{{ postfix_instance.IMAP.addr | ipaddr }}]:{{ postfix_instance.IMAP.port }} +sympa.fripost.org smtp:[{{ postfix_instance.lists.addr | ipaddr }}]:{{ postfix_instance.lists.port }} 
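Review bot: The long comment above still explains only the aliasing indirection; now that both next hops are always `smtp:[addr]:port`, it should also say that these deliveries are plaintext and authenticated purely by the peer's `mynetworks` check on the tunnel address, e.g. `# Next hops are reached over IPsec in the clear (smtp_tls_security_level = none); the receiving instance trusts our tunnel address.` The change also drops the `smtpl` transport for the co-located case, so if master.cf.j2 (not visible in this chunk) still defines `smtpl`, it is now dead configuration that should go with it.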
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index 092334f..6f690e6 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -19,87 +19,39 @@ file: src=../postfix/dynamicmaps.cf dest=/etc/postfix-{{ postfix_instance[item].name }}/dynamicmaps.cf owner=root group=root state=link force=yes register: r2 with_items: "{{ postfix_instance.keys() | intersect(group_names) | list }}" notify: - Restart Postfix - name: Configure Postfix template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix -- name: Create directory /etc/postfix/ssl - file: path=/etc/postfix/ssl - state=directory - owner=root group=root - mode=0755 - tags: - - genkey - -- name: Generate a private key and a X.509 certificate for Postfix - command: genkeypair.sh x509 - --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem - --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key - --ou=Postfix --cn={{ ansible_fqdn }} - -t rsa -b 4096 -h sha512 - register: r3 - changed_when: r3.rc == 0 - failed_when: r3.rc > 1 - notify: - - Restart Postfix - tags: - - genkey - -- name: Fetch Postfix's X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/postfix/ssl/{{ ansible_fqdn }}.pem - dest=certs/postfix/{{ ansible_fqdn }}.pem - tags: - - genkey - - name: Add a 'root' alias lineinfile: dest=/etc/aliases create=yes regexp="^root{{':'}} " line="root{{':'}} root@fripost.org" - name: Compile the static local Postfix database postmap: cmd=postalias src=/etc/aliases db=cdb owner=root group=root mode=0644 # We're using CDB - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent -- name: Copy the Postfix TLS policy map - template: src=etc/postfix/tls_policy.j2 - dest=/etc/postfix/tls_policy - owner=root group=root - mode=0644 - when: "'out' not in group_names or 'MX' in group_names" - tags: - - tls_policy - -- name: Compile the Postfix TLS policy map - postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb - owner=root group=root - mode=0644 - when: "'out' not in group_names or 
'MX' in group_names" - tags: - - tls_policy - - name: Start Postfix service: name=postfix state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 247f98a..2def27f 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 
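Review bot: Dropping the `Generate a private key` and `tls_policy` tasks stops creating the material but leaves it in place on already-provisioned hosts: `/etc/postfix/ssl/<fqdn>.key`, `/etc/postfix/tls_policy{,.cdb}` and the per-instance `relay_clientcerts{,.cdb}` maps stay on disk, unreferenced by any config yet still readable as root-owned secrets. Unless another role still reads `/etc/postfix/ssl` (the MSA and MX instances use their own `$config_directory/ssl`, so it looks unused), add a cleanup step such as `- name: Remove the obsolete Postfix X.509 material` / `file: path=/etc/postfix/ssl state=absent`, and the equivalent for the two stale maps, so the retired keys cannot be picked up again later.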
@@ -9,59 +9,42 @@ inout4 udp 500 500 # ISAKMP {% if groups.NATed | length > 0 %} inout4 udp 4500 4500 # IPsec NAT Traversal {% endif %} {% endif %} out tcp 80,443 # HTTP/HTTPS out tcp 9418 # GIT out udp 53 # DNS out udp 67 # DHCP out tcp 22 # SSH out udp 123 123 # NTP in tcp {{ ansible_port|default('22') }} # SSH {% if 'LDAP-provider' in group_names %} in tcp 636 # LDAPS {% elif 'MX' in group_names or 'lists' in group_names %} out tcp 636 # LDAPS {% endif %} {% if 'MX' in group_names %} in tcp 25 # SMTP -{% if 'MDA' not in group_names %} -out tcp {{ postfix_instance.IMAP.port }} -{% endif %} -{% if 'lists' not in group_names %} -out tcp {{ postfix_instance.lists.port }} -{% endif %} {% endif %} {% if 'out' in group_names %} -{% if groups.all | difference([inventory_hostname]) %} -in tcp {{ postfix_instance.out.port }} -{% endif %} out tcp 25 # SMTP -{% else %} -out tcp {{ postfix_instance.out.port }} {% endif %} {% if 'IMAP' in group_names %} in tcp 993 # IMAPS in tcp 4190 # MANAGESIEVE {% endif %} -{% if 'MDA' in group_names and 'MX' not in group_names %} -in tcp {{ postfix_instance.IMAP.port }} -{% endif %} -{% if 'lists' in group_names and 'MX' not in group_names %} -in tcp {{ postfix_instance.lists.port }} -{% endif %} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} {% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names %} in tcp 80,443 # HTTP/HTTPS {% endif %} {% if 'webmail' in group_names and 'IMAP' not in group_names %} out tcp 993 # IMAP out tcp 4190 # MANAGESIEVE {% endif %} {% if 'LDAP-provider' in group_names %} out tcp 11371 # HKP out tcp 43 # WHOIS {% endif %} diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 3f36418..8caaa82 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 
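Review bot: After this hunk nothing in the template opens `postfix_instance.IMAP.port`, `postfix_instance.lists.port` or `postfix_instance.out.port` any more, so the MX→MDA/lists and *→out sessions can presumably only be accepted by an IPsec-specific input rule that lives outside this file. That rule should still be per-port: if it admits all decapsulated traffic from the tunnel, the per-service restriction these removed lines provided is gone and a host on the IPsec network reaches every listener on its peers. A one-line comment in the `{% if 'MX' in group_names %}` section such as `# Inter-instance SMTP ports are not opened here: they are reachable over IPsec only (see the IPsec input rules)` would spare the next reader the search.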
@@ -13,61 +13,40 @@ myorigin = /etc/mailname myhostname = {{ ansible_fqdn }} mydomain = {{ ansible_domain }} append_dot_mydomain = no # This server is for internal use only mynetworks_style = host inet_interfaces = loopback-only # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = local_recipient_maps = # All aliases are virtual default_database_type = cdb virtual_alias_maps = cdb:/etc/aliases alias_database = $virtual_alias_maps # Forward everything to our internal outgoing proxy -{% if 'out' in group_names %} -relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} -{% else %} -relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} -{% endif %} +relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = -{% if 'out' in group_names %} -smtp_tls_security_level = none -smtp_bind_address = 127.0.0.1 -{% else %} -smtp_tls_security_level = encrypt -smtp_tls_ciphers = high -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtp_tls_cert_file = $config_directory/ssl/{{ ansible_fqdn }}.pem -smtp_tls_key_file = $config_directory/ssl/{{ ansible_fqdn }}.key -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_policy_maps = cdb:$config_directory/tls_policy -smtp_tls_fingerprint_digest = sha256 -{% endif %} -smtpd_tls_security_level = none - -# Turn off all TCP/IP listener ports except that dedicated to -# samhain(8), which sadly cannot use pickup through the sendmail binary. 
-master_service_disable = !127.0.0.1:16132.inet inet +smtp_tls_security_level = none +smtpd_tls_security_level = none {% set multi_instance = False %} {%- for g in postfix_instance.keys() | sort -%} {%- if g in group_names -%} {%- if not multi_instance -%} {%- set multi_instance = True -%} ## Other postfix instances multi_instance_wrapper = $command_directory/postmulti -p -- multi_instance_enable = yes multi_instance_directories = {%- endif %} /etc/postfix-{{ postfix_instance[g].name }} {%- endif %} {% endfor %} # vim: set filetype=pfmain : diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 9a07dfd..c2ee395 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 
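Review bot: `ipaddr` with no argument returns `False` for any value that is not an IP address, so if `postfix_instance.out.addr` is ever a hostname or left unset the new `relayhost` line renders as `[False]:<port>` and Postfix defers all mail at delivery time instead of the play failing at template time; master.cf.j2 in the same commit uses `postfix_instance[inst].addr` unfiltered, so the two templates also disagree on what `addr` is allowed to be. Either drop the filter here (Postfix accepts `[hostname]:port`) or validate `addr` in a preceding `assert` task so a bad value stops the play. The hop to the out instance also goes from `smtp_tls_security_level = encrypt` plus `smtp_tls_policy_maps` and `sha256` fingerprint pinning to `none`; if that hop is now protected by IPsec, as `ipsec_subnet` in lists/main.cf.j2 suggests, record the new trust assumption on the `relayhost` line: `# plaintext on purpose: the hop to the out instance is protected by IPsec, not TLS`.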
@@ -6,42 +6,41 @@ # Do NOT edit this file directly! # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== {% if inst is not defined %} [127.0.0.1]:16132 inet n - - - - smtpd {% elif inst == 'MX' %} smtpd pass - - n - - smtpd -o cleanup_service_name=cleanup_nochroot smtp inet n - n - 1 postscreen tlsproxy unix - - n - 0 tlsproxy dnsblog unix - - n - 0 dnsblog cleanup_nochroot unix n - n - 0 cleanup {% elif inst == 'MSA' %} {{ postfix_instance.MSA.port }} inet n - - - - smtpd -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL {% elif inst in ['IMAP', 'out', 'lists'] %} -{{ postfix_instance[inst].port }} inet n - - - - smtpd - -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH +[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd {% endif %} pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml index 6678c52..a7c8bd6 100644 --- a/roles/lists/tasks/mail.yml +++ b/roles/lists/tasks/mail.yml 
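Review bot: The new listener line renders `postfix_instance[inst].addr` as-is while main.cf.j2 in this commit passes `postfix_instance.out.addr` through `| ipaddr`; the two templates should agree on whether `addr` is a validated IP or an arbitrary host string, otherwise a hostname works here and silently yields `[False]` in the relayhost there. Dropping `-o tls_high_cipherlist=…` together with `smtpd_tls_security_level = none` in the role main.cf templates means peers now reach this smtpd in the clear, so the only things deciding who may talk to it are the bind address and `permit_mynetworks`. If, as `ipsec_subnet` in lists/main.cf.j2 suggests, `addr` is the IPsec-internal address, say so on the line: `# bound to the IPsec-internal address; access control is by source address (mynetworks), not TLS`.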
@@ -5,55 +5,40 @@ - postfix-ldap - name: Configure Postfix template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix - name: Copy the transport maps copy: src=etc/postfix/transport dest=/etc/postfix-{{ postfix_instance[inst].name }}/transport owner=root group=root mode=0644 # no need to reload upon change, as cleanup(8) is short-running -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - name: Compile the Postfix transport maps # trivial-rewrite(8) is a long-running process, so it's safer to reload postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb owner=root group=root mode=0644 notify: - Reload Postfix - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Copy the 'sympa-queue' wrapper copy: src=usr/local/bin/sympa-queue dest=/usr/local/bin/sympa-queue owner=root group=root mode=0755 diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2 index 397f759..933d540 100644 --- a/roles/lists/templates/etc/postfix/main.cf.j2 +++ b/roles/lists/templates/etc/postfix/main.cf.j2 
@@ -1,94 +1,82 @@ ######################################################################## # Sympa configuration # # {{ ansible_managed }} # Do NOT edit this file directly! smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no readme_directory = no mail_owner = postfix delay_warning_time = 4h maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = lists.$mydomain mydomain = fripost.org append_dot_mydomain = no -mynetworks_style = host +mynetworks = 127.0.0.0/8, [::1]/128 +{%- if groups.all | length > 1 -%} + , {{ ipsec_subnet }} +{% endif %} queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 0 recipient_delimiter = + # No relay: this server is inbound-only relay_transport = error:5.1.1 Relay unavailable default_transport = error:5.1.1 Transport unavailable relay_domains = sympa.$mydomain transport_maps = cdb:$config_directory/transport sympa_destination_recipient_limit = 1 # Don't rewrite remote headers local_header_rewrite_clients = - -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 - 
+smtp_tls_security_level = none +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = reject_non_fqdn_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = reject_unauth_pipelining # vim: set filetype=pfmain : diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml index 0b68c83..96a557d 100644 --- a/roles/out/tasks/main.yml +++ b/roles/out/tasks/main.yml 
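Review bot: The whitespace control around the new `mynetworks` block is fragile: `{%- if` strips the newline after `[::1]/128`, and the Ansible template module trims the newline after `{% endif %}` by default (trim_blocks), so on a single-host inventory where the branch is skipped the next directive can end up glued onto the `mynetworks` line unless a blank line separates them, which cannot be told from this diff. Writing it on one line removes the question: `mynetworks = 127.0.0.0/8, [::1]/128{% if groups.all | length > 1 %}, {{ ipsec_subnet }}{% endif %}`. Separately, replacing `permit_tls_clientcerts` with `permit_mynetworks` over `ipsec_subnet` turns a per-peer cryptographic identity into trust in a source prefix, so the IPsec policy is now what stops a spoofed address in that subnet from relaying; a comment above `mynetworks` such as `# hosts in ipsec_subnet are authenticated by IPsec, not by Postfix; keep in sync with the IPsec policy` would record that.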
@@ -1,49 +1,34 @@ - name: Install Postfix apt: pkg=postfix - name: Configure Postfix template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} owner=root group=root mode=0644 with_items: - main.cf - master.cf notify: - Reload Postfix -- name: Copy the Postfix relay clientcerts map - template: src=etc/postfix/relay_clientcerts.j2 - dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts - owner=root group=root - mode=0644 - tags: - - tls_policy - -- name: Compile the Postfix relay clientcerts map - postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb - owner=root group=root - mode=0644 - tags: - - tls_policy - - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: - munin - munin-node notify: - Restart munin-node - name: Install 'postfix_stats_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_stats_ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }} diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 98c0185..235b866 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 
@@ -34,72 +34,57 @@ local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 0 recipient_delimiter = + relay_domains = relay_transport = error:5.3.2 Relay Transport unavailable # All header rewriting happens upstream local_header_rewrite_clients = smtp_tls_security_level = may smtp_tls_ciphers = medium smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 - +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes address_verify_sender = $double_bounce_sender@$mydomain address_verify_sender_ttl = 24h unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unverified_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = reject_unauth_pipelining content_filter = amavisfeed:[127.0.0.1]:10040 # vim: set filetype=pfmain : |
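Review bot: With `permit_tls_clientcerts` removed, `smtpd_relay_restrictions` permits only `permit_mynetworks` before `reject`, but unlike lists/main.cf.j2 this hunk does not widen `mynetworks` to include `{{ ipsec_subnet }}`; `mynetworks` is defined above line 34 and is not visible here, so if it is still `mynetworks_style = host` every MX/IMAP/lists instance relaying through this proxy is now rejected. Please confirm it was changed the same way as `mynetworks = 127.0.0.0/8, [::1]/128, {{ ipsec_subnet }}` in lists/main.cf.j2, or make that change in this commit. The new `smtpd_tls_security_level = none` also drops the `relay_clientcerts` map and `sha256` fingerprint check that previously authenticated clients, so a comment next to it, `# clients are authenticated by IPsec source address (mynetworks), not TLS client certs`, would keep the reason visible.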