1 files changed, 14 insertions, 11 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index e3014aa..036a887 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -23,77 +23,80 @@ master_service_disable = !submission.inet inet
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
 multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
 # This server is a Mail Submission Agent
 mynetworks_style = host
 inet_interfaces  = all
 
 # No local delivery
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
 message_size_limit  = 67108864
 recipient_delimiter = +
 
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
 {% if 'out' in group_names %}
 relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
 relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
+
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks  = pcre:$config_directory/anonymize_sender.pcre
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 
-# Tunnel everything through IPSec
-smtp_tls_security_level = none
+
+# TLS
 {% if 'out' in group_names %}
-smtp_bind_address       = 127.0.0.1
+smtp_tls_security_level         = none
+smtp_bind_address               = 127.0.0.1
 {% else %}
-smtp_bind_address       = 172.16.0.1
+smtp_tls_security_level         = encrypt
+smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
+smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
-# TLS
 smtpd_tls_security_level        = encrypt
-smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
+smtpd_tls_key_file              = /etc/postfix/ssl/private/smtp.fripost.org.key
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
-smtpd_tls_fingerprint_digest    = sha1
-smtpd_tls_eecdh_grade           = strong
-tls_random_source               = dev:/dev/urandom
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
 unknown_client_reject_code = 554