6 files changed, 77 insertions, 24 deletions

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
index d477d01..30a6f8b 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
@@ -1,42 +1,37 @@
 #default_process_limit = 100
 #default_client_limit = 1000
 
 # Default VSZ (virtual memory size) limit for service processes. This is mainly
 # intended to catch and kill processes that leak memory before they eat up
 # everything.
 #default_vsz_limit = 256M
 
 # Login user is internally used by login processes. This is the most untrusted
 # user in Dovecot system. It shouldn't have access to anything at all.
 default_login_user = dovenull
 
 # Internal user is used by unprivileged processes. It should be separate from
 # login user, so that login processes can't disturb other processes.
 default_internal_user = dovecot
 
 service imap-login {
-  inet_listener imap {
-    address = 172.16.0.1
-    port = 143
-    ssl = no
-  }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
 
   # Number of connections to handle before starting a new process. Typically
   # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
   # is faster. <doc/wiki/LoginProcess.txt>
   service_count = 1
 
   # Number of processes to always keep waiting for more connections.
   #process_min_avail = 0
 
   # If you set service_count=0, you probably need to grow this.
   #vsz_limit = $default_vsz_limit
 }
 
 service pop3-login {
   inet_listener pop3 {
     #port = 110
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index c5e61d7..526da9c 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -1,39 +1,27 @@
 ##
 ## SSL settings
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
 ssl = required
 
-# No need for SSL if the packets are protected by IPSec.
-local 172.16.0.1 {
-    protocol imap {
-        disable_plaintext_auth = no
-        ssl = no
-    }
-    protocol sieve {
-        disable_plaintext_auth = no
-        ssl = no
-    }
-}
-
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
 ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =
 
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca = 
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 5424485..3e93c53 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -45,51 +45,59 @@
 
 - name: Create virtual mailboxes
   copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual
         dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual
         owner=root group=root
         mode=0644
   with_items:
     - all
     - flagged
     - recent
     - unseen
 
 - name: Create directory /home/mail/spamspool
   # There is no possibility for a name clash, since 'spamspool' isn't a
   # valid domain
   file: path=/home/mail/spamspool
         state=directory
         owner=vmail group=vmail
         mode=0700
 
+- name: Create directory /etc/dovecot/ssl
+  file: path=/etc/dovecot/ssl
+        state=directory
+        owner=root group=root
+        mode=0755
+
 - name: Generate a private key and a X.509 certificate for Dovecot
   command: genkeypair.sh x509
                          --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
                          --privkey=/etc/dovecot/ssl/imap.fripost.org.key
                          --dns=imap.fripost.org
                          -t rsa -b 4096 -h sha512
   register: r1
   changed_when: r1.rc == 0
   failed_when: r1.rc > 1
   notify:
     - Restart Dovecot
+  tags:
+    - genkey
 
 - name: Configure Dovecot
   copy: src=etc/dovecot/{{ item }}
         dest=/etc/dovecot/{{ item }}
         owner=root group=root
         mode=0644
   register: r2
   with_items:
     - conf.d/10-auth.conf
     - conf.d/10-logging.conf
     - conf.d/10-mail.conf
     - conf.d/10-master.conf
     - conf.d/10-ssl.conf
     - conf.d/15-mailboxes.conf
     - conf.d/20-imap.conf
     - conf.d/20-lmtp.conf
     - conf.d/90-plugin.conf
     - conf.d/90-sieve.conf
     - conf.d/auth-ldap.conf.ext
     - dovecot-ldap.conf.ext
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 0358f12..4a74ed3 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -1,42 +1,64 @@
 - name: Install Postfix
   apt: pkg={{ item }}
   with_items:
     - postfix
     - postfix-ldap
 
 - name: Configure Postfix
   template: src=etc/postfix/main.cf.j2
             dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
             owner=root group=root
             mode=0644
-  register: r
+  register: r1
   notify:
     - Restart Postfix
 
 - name: Create directory /etc/postfix-.../virtual
   file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Copy lookup tables
   copy: src=etc/postfix/virtual/{{ item }}
         dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
         owner=root group=root
         mode=0644
   with_items:
     - mailbox_domains.cf
     - mailbox.cf
     - transport_content_filter.cf
 
 - name: Copy recipient canonical
   copy: src=etc/postfix/recipient_canonical.pcre
         dest=/etc/postfix-{{ postfix_instance[inst].name }}/recipient_canonical.pcre
         owner=root group=root
         mode=0644
 
+- name: Build the Postfix relay clientcerts map
+  sudo: False
+  # smtpd_tls_fingerprint_digest MUST be sha256!
+  local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p'
+  with_items: groups.MX | difference([inventory_hostname]) | sort
+  register: relay_clientcerts
+  changed_when: False
+
+- name: Copy the Postfix relay clientcerts map
+  template: src=etc/postfix/relay_clientcerts.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+            owner=root group=root
+            mode=0644
+
+- name: Compile the Postfix relay clientcerts map
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+           owner=root group=root
+           mode=0644
+  register: r2
+  notify:
+    - Restart Postfix
+
 - name: Start Postfix
   service: name=postfix state=started
-  when: not r.changed
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 46f64aa..40c8d32 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -11,56 +11,95 @@ mail_owner       = postfix
 
 delay_warning_time     = 4h
 maximal_queue_lifetime = 5d
 
 myorigin            = /etc/mailname
 myhostname          = mda{{ imapno | default('') }}.$mydomain
 mydomain            = fripost.org
 append_dot_mydomain = no
 
 # Turn off all TCP/IP listener ports except that necessary for the MDA.
 master_service_disable = !2526.inet inet
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
 multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
 # This server is a Mail Delivery Agent
 mynetworks_style = host
-inet_interfaces  = 172.16.0.1
-{% if 'MX' in group_names %}
-                   127.0.0.1
-{% endif %}
-inet_protocols   = ipv4
+inet_interfaces  = all
+
 
 # No local delivery
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
 message_size_limit  = 67108864
 recipient_delimiter = +
 
 # No relay: this server is inbound-only
 relay_transport   = error:5.1.1 Relay unavailable
 default_transport = error:5.1.1 Transport unavailable
 
 # Virtual transport (the alias resolution is already done by the MX:es)
 virtual_transport       = lmtp:unix:private/dovecot-lmtpd
 lmtp_bind_address       = 127.0.0.1
 virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
 virtual_mailbox_maps    = ldap:$config_directory/virtual/mailbox.cf
 transport_maps          = ldap:$config_directory/virtual/transport_content_filter.cf
 
 # Restore the original envelope recipient
 relay_domains               = $myhostname
 recipient_canonical_classes = envelope_recipient
 recipient_canonical_maps    = pcre:$config_directory/recipient_canonical.pcre
 
 # Don't rewrite remote headers
 local_header_rewrite_clients =
 # Tolerate occasional high latency
 smtpd_timeout                = 1200s
+
+
+relay_clientcerts               = cdb:$config_directory/relay_clientcerts
+smtpd_tls_security_level        = may
+smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header       = yes
+smtpd_tls_ask_ccert             = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_fingerprint_digest    = sha256
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject      = yes
+disable_vrfy_command    = yes
+
+smtpd_client_restrictions =
+    permit_mynetworks
+    permit_tls_clientcerts
+    # We are the only ones using this proxy, but if things go wrong we
+    # want to know why
+    defer
+
+smtpd_helo_required     = yes
+smtpd_helo_restrictions =
+    reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+    reject_non_fqdn_sender
+    reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+    # RFC requirements
+    reject_non_fqdn_recipient
+    reject_unknown_recipient_domain
+    permit_mynetworks
+    permit_tls_clientcerts
+    reject
+
+smtpd_data_restrictions =
+    reject_unauth_pipelining
diff --git a/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2 b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
new file mode 120000
index 0000000..b375aa0
--- /dev/null
+++ b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/relay_clientcerts.j2
\ No newline at end of file