-rw-r--r-- | roles/MSA/tasks/main.yml | 13 | ||||
l--------- | roles/MSA/templates/etc/postfix/smtp_tls_policy.j2 | 1 | ||||
-rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 2 | ||||
-rw-r--r-- | roles/out/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 5 | ||||
-rw-r--r-- | roles/out/templates/etc/postfix/smtp_tls_policy.j2 | 12 |
6 files changed, 45 insertions, 1 deletions
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 4b38974..bf17702 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -40,6 +40,19 @@
 notify:
 - systemctl daemon-reload
+- name: Copy the SMTP TLS policy maps
+ template: src=etc/postfix/smtp_tls_policy.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy
+ owner=root group=root
+ mode=0644
+
+- name: Compile the SMTP TLS policy maps
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy db=lmdb
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
+
 - meta: flush_handlers
 - name: Enable Postfix sender login socketmap
diff --git a/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2 b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
new file mode 120000
index 0000000..b40876f
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/smtp_tls_policy.j2
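Review bot: The two tasks added here ("Copy the SMTP TLS policy maps" and "Compile the SMTP TLS policy maps") are repeated verbatim in roles/out/tasks/main.yml in the same commit, and the MSA template is only a symlink to the out role's template, so the map deployment now has to be kept in sync in two places. Consider moving both tasks into a shared task file that each role includes, since the only role-specific part is the instance name already taken from `postfix_instance[inst].name`. Hanging `notify: - Reload Postfix` on the `postmap` task alone is reasonable, as a rebuilt table is exactly the condition under which a reload is needed. The enclosing task list continues outside the hunk.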
\ No newline at end of file
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index f199ed0..3954085 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -57,6 +57,8 @@ smtp_verify unix - - y - - smtp
 -o smtp_tls_protocols=!SSLv2,!SSLv3
 -o smtp_tls_note_starttls_offer=yes
 -o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache
+ -o smtp_tls_fingerprint_digest=sha256
+ -o smtp_tls_policy_maps=lmdb:$config_directory/smtp_tls_policy
 {% endif %}
 relay unix - - y - - smtp
 showq unix n - y - - showq
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 48c162a..7a297f1 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -28,6 +28,19 @@
 owner=root group=root
 mode=0644
+- name: Copy the SMTP TLS policy maps
+ template: src=etc/postfix/smtp_tls_policy.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy
+ owner=root group=root
+ mode=0644
+
+- name: Compile the SMTP TLS policy maps
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy db=lmdb
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
+
 - meta: flush_handlers
 - name: Start Postfix
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index c05d9a5..f8aa55a 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -56,7 +56,10 @@ smtp_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_note_starttls_offer = yes
 smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache
-smtpd_tls_security_level = none
+smtp_tls_fingerprint_digest = sha256
+smtp_tls_policy_maps = lmdb:$config_directory/smtp_tls_policy
+
+smtpd_tls_security_level = none
 strict_rfc821_envelopes = yes
 smtpd_delay_reject = yes
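Review bot: The added `-o smtp_tls_policy_maps=lmdb:$config_directory/smtp_tls_policy` on the shared `smtp_verify` service makes the compiled table mandatory for every instance that renders this block, but the commit only templates and compiles `smtp_tls_policy` in the MSA and out roles; if the surrounding `{% if %}` (which opens outside the hunk) is true for any other instance, that instance's `smtp_verify` transport would fail to open the missing table. Worth confirming the condition is limited to those two instances, or guarding the two new `-o` lines with the same instance test. A short template comment above them, e.g. `{# smtp_tls_policy is deployed by roles/MSA and roles/out only #}`, would make the coupling visible to whoever next touches this file.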
diff --git a/roles/out/templates/etc/postfix/smtp_tls_policy.j2 b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
new file mode 100644
index 0000000..7722dc8
--- /dev/null
+++ b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1,12 @@
+# Lookup table matching next-hop destinations to TLS security policies;
+# this allows pining the key material for chosen recipient domains.
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+{% for nexthop in ['fripost.org','.fripost.org'] %}
+
+{{ nexthop }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+{% for h in groups.MX | sort %}
+ match={{ lookup('pipe', 'openssl pkey -pubin -outform DER <"certs/public/mx'+(hostvars[h].mxno | default('') | string)+'.fripost.org.pub" | openssl dgst -sha256 -c | sed "s/[^=]*=\s*//"') }}
+{% endfor %}
+{% endfor %} |
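Review bot: In the `match=` line, `hostvars[h].mxno` comes from inventory and is concatenated into a shell command that `lookup('pipe', ...)` runs on the control node, relying only on the surrounding double quotes; a value containing a shell metacharacter would be interpreted rather than treated as part of the filename. Either validate it before use, e.g. wrap the line in `{% if hostvars[h].mxno | default('') | string is match('^[0-9]*$') %}`, or build the path in a `{% set %}` and pass it through the `quote` filter in place of the hand-written double quotes. The header comment should also state that the map pins the MX public keys, so an MX key rotation requires regenerating and deploying this table on every sending instance before the new key goes live, otherwise mail to the pinned domains is deferred; while there, `pining` should read `pinning`. Note that a missing `certs/public/mx*.fripost.org.pub` file makes the pipe lookup error out and the whole template task fail, which is the right fail-closed behaviour but deserves a one-line comment above the loop.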