summaryrefslogtreecommitdiffstats
path: root/roles/IMAP
diff options
context:
space:
mode:
Diffstat (limited to 'roles/IMAP')
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-master.conf5
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf12
-rw-r--r--roles/IMAP/tasks/imap.yml8
-rw-r--r--roles/IMAP/tasks/mda.yml26
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j249
l---------roles/IMAP/templates/etc/postfix/relay_clientcerts.j21
6 files changed, 77 insertions, 24 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
index d477d01..30a6f8b 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
@@ -15,11 +15,6 @@ default_login_user = dovenull
default_internal_user = dovecot
service imap-login {
- inet_listener imap {
- address = 172.16.0.1
- port = 143
- ssl = no
- }
inet_listener imaps {
port = 993
ssl = yes
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index c5e61d7..526da9c 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -5,18 +5,6 @@
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
-# No need for SSL if the packets are protected by IPSec.
-local 172.16.0.1 {
- protocol imap {
- disable_plaintext_auth = no
- ssl = no
- }
- protocol sieve {
- disable_plaintext_auth = no
- ssl = no
- }
-}
-
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 5424485..3e93c53 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -62,6 +62,12 @@
owner=vmail group=vmail
mode=0700
+- name: Create directory /etc/dovecot/ssl
+ file: path=/etc/dovecot/ssl
+ state=directory
+ owner=root group=root
+ mode=0755
+
- name: Generate a private key and a X.509 certificate for Dovecot
command: genkeypair.sh x509
--pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
@@ -73,6 +79,8 @@
failed_when: r1.rc > 1
notify:
- Restart Dovecot
+ tags:
+ - genkey
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 0358f12..4a74ed3 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -9,7 +9,7 @@
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
- register: r
+ register: r1
notify:
- Restart Postfix
@@ -35,8 +35,30 @@
owner=root group=root
mode=0644
+- name: Build the Postfix relay clientcerts map
+ sudo: False
+ # smtpd_tls_fingerprint_digest MUST be sha256!
+ local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p'
+ with_items: groups.MX | difference([inventory_hostname]) | sort
+ register: relay_clientcerts
+ changed_when: False
+
+- name: Copy the Postfix relay clientcerts map
+ template: src=etc/postfix/relay_clientcerts.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+ owner=root group=root
+ mode=0644
+
+- name: Compile the Postfix relay clientcerts map
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart Postfix
+
- name: Start Postfix
service: name=postfix state=started
- when: not r.changed
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 46f64aa..40c8d32 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -28,11 +28,8 @@ multi_instance_enable = yes
# This server is a Mail Delivery Agent
mynetworks_style = host
-inet_interfaces = 172.16.0.1
-{% if 'MX' in group_names %}
- 127.0.0.1
-{% endif %}
-inet_protocols = ipv4
+inet_interfaces = all
+
# No local delivery
mydestination =
@@ -64,3 +61,45 @@ recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
local_header_rewrite_clients =
# Tolerate occasional high latency
smtpd_timeout = 1200s
+
+
+relay_clientcerts = cdb:$config_directory/relay_clientcerts
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_fingerprint_digest = sha256
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+smtpd_client_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ # We are the only ones using this proxy, but if things go wrong we
+ # want to know why
+ defer
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ permit_tls_clientcerts
+ reject
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining
diff --git a/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2 b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
new file mode 120000
index 0000000..b375aa0
--- /dev/null
+++ b/roles/IMAP/templates/etc/postfix/relay_clientcerts.j2
@@ -0,0 +1 @@
+../../../../out/templates/etc/postfix/relay_clientcerts.j2 \ No newline at end of file