1 files changed, 24 insertions, 2 deletions

diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 0358f12..4a74ed3 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -1,42 +1,64 @@
 - name: Install Postfix
   apt: pkg={{ item }}
   with_items:
     - postfix
     - postfix-ldap
 
 - name: Configure Postfix
   template: src=etc/postfix/main.cf.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
             owner=root group=root
             mode=0644
-  register: r
+  register: r1
   notify:
     - Restart Postfix
 
 - name: Create directory /etc/postfix-.../virtual
   file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Copy lookup tables
   copy: src=etc/postfix/virtual/{{ item }}
         dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
         owner=root group=root
         mode=0644
   with_items:
     - mailbox_domains.cf
     - mailbox.cf
     - transport_content_filter.cf
 
 - name: Copy recipient canonical
   copy: src=etc/postfix/recipient_canonical.pcre
         dest=/etc/postfix-{{ postfix_instance[inst].name }}/recipient_canonical.pcre
         owner=root group=root
         mode=0644
 
+- name: Build the Postfix relay clientcerts map
+  sudo: False
+  # smtpd_tls_fingerprint_digest MUST be sha256!
+  local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p'
+  with_items: groups.MX | difference([inventory_hostname]) | sort
+  register: relay_clientcerts
+  changed_when: False
+
+- name: Copy the Postfix relay clientcerts map
+  template: src=etc/postfix/relay_clientcerts.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+            owner=root group=root
+            mode=0644
+
+- name: Compile the Postfix relay clientcerts map
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+           owner=root group=root
+           mode=0644
+  register: r2
+  notify:
+    - Restart Postfix
+
 - name: Start Postfix
   service: name=postfix state=started
-  when: not r.changed
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers