Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 6 | ||||
-rw-r--r-- | roles/common/tasks/mail.yml | 59 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 3 |
3 files changed, 63 insertions, 5 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index 51d717f..36807d2 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -1,42 +1,46 @@ - name: Install strongSwan apt: pkg=strongswan-ikev2 - name: Generate a private key and a X.509 certificate for IPSec command: genkeypair.sh x509 --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key --dns={{ inventory_hostname }} -t ecdsa -b secp521r1 -h sha512 register: r1 changed_when: r1.rc == 0 failed_when: r1.rc > 1 notify: - Restart IPSec + tags: + - genkey - name: Fetch the public part of IPSec's host key - sudo: False # Ensure we don't fetch private data + sudo: False fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem dest=certs/ipsec/ fail_on_missing=yes flat=yes + tags: + - genkey # Don't copy our pubkey due to a possible race condition. Only the # remote machine has authority regarding its key. - name: Copy IPSec host pubkeys (except ours) copy: src=certs/ipsec/{{ item }}.pem dest=/etc/ipsec.d/certs/{{ item }}.pem owner=root group=root mode=0644 with_items: groups.all | difference([inventory_hostname]) register: r2 notify: - Restart IPSec - name: Configure IPSec's secrets template: src=etc/ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600 register: r3 notify: diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index 8572784..74919c8 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml 
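Review bot: The `sudo: False` line of 'Fetch the public part of IPSec's host key' loses its comment `# Ensure we don't fetch private data`, while the new Fetch task this same commit adds to mail.yml keeps exactly that comment on the line above its own `sudo: False`. That comment is what tells a later maintainer the unprivileged fetch is deliberate — the task runs as the plain remote user and so cannot copy out anything only root may read, such as the private key kept beside the certificate — and without it the line reads as an oversight that someone will "fix" by re-enabling sudo. Restore it in the mail.yml style: `# Ensure we don't fetch private data` on its own line directly above `sudo: False`. The tail of the hunk (the notify list of the secrets task) appears cut off in this rendering, so the remainder of the file was not reviewed.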
@@ -27,34 +27,89 @@ notify: - Restart Postfix - name: Configure Postfix (1) copy: src=etc/postfix/master.cf dest=/etc/postfix/master.cf owner=root group=root mode=0644 notify: - Reload Postfix - name: Configure Postfix (2) template: src=etc/postfix/main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644 register: r3 notify: - Restart Postfix -- name: Update the static local Postfix database +- name: Create directory /etc/postfix/ssl + file: path=/etc/postfix/ssl + state=directory + owner=root group=root + mode=0755 + tags: + - genkey + +- name: Generate a private key and a X.509 certificate for Postfix + command: genkeypair.sh x509 + --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem + --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key + --dns={{ ansible_fqdn }} + -t ecdsa -b secp384r1 -h sha512 + register: r4 + changed_when: r4.rc == 0 + failed_when: r4.rc > 1 + tags: + - genkey + +- name: Fetch Postfix's X.509 certificate + # Ensure we don't fetch private data + sudo: False + fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem + dest=certs/postfix/ + fail_on_missing=yes + flat=yes + tags: + - genkey + +- name: Compile the static local Postfix database postmap: cmd=postalias src=/etc/aliases db=cdb owner=root group=root mode=0644 # We're using CDB - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent +- name: Build the Postfix TLS policy map + sudo: False + # smtp_tls_fingerprint_digest MUST be sha256! 
+ local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | cut -d= -f2 + with_items: groups.out | sort + register: tls_policy + changed_when: False + when: "'out' not in group_names" + +- name: Copy the Postfix TLS policy map + template: src=etc/postfix/tls_policy.j2 + dest=/etc/postfix/tls_policy + owner=root group=root + mode=0644 + when: "'out' not in group_names" + +- name: Compile the Postfix TLS policy map + postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb + owner=root group=root + mode=0644 + when: "'out' not in group_names" + register: r5 + notify: + - Restart Postfix + - name: Start Postfix service: name=postfix state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed or r3.changed or r5.changed) - meta: flush_handlers diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 0048443..464abd0 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,38 +1,37 @@ --- - include: sysctl.yml tags=sysctl - include: hosts.yml - include: apt.yml tags=apt - include: firewall.yml tags=firewall,iptables - include: samhain.yml tags=samhain - include: rkhunter.yml tags=rkhunter - include: clamav.yml tags=clamav - include: fail2ban.yml tags=fail2ban - include: smart.yml tags=smartmontools,smart - include: haveged.yml tags=haveged,entropy - name: Copy genkeypair.sh copy: src=usr/local/bin/genkeypair.sh dest=/usr/local/bin/genkeypair.sh owner=root group=root mode=0755 tags: - - genkeypair -- include: ipsec.yml tags=strongswan,ipsec + - genkey - include: logging.yml tags=logging - include: ntp.yml tags=ntp - include: mail.yml tags=mail,postfix - name: Install common packages apt: pkg={{ item }} with_items: - ca-certificates - daemontools - etckeeper - ethtool - git - harden-clients - harden-servers - htop - molly-guard - rsync - screen - telnet-ssl |
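Review bot: 'Generate a private key and a X.509 certificate for Postfix' registers r4 but, unlike its IPSec counterpart, notifies no handler, and r4 is also absent from the `when:` of 'Start Postfix', so a regenerated key and certificate (presumably the point of the new genkey tag) leave a running Postfix serving the old certificate until something else restarts it. Add `notify:` / `- Restart Postfix` to that task and widen the guard to `when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)`. The 0755 mode on /etc/postfix/ssl is fine for the certificate, but the mode of the .key file is left entirely to genkeypair.sh, which is not in this diff; a comment on the task stating what permissions the script is expected to set (e.g. `# genkeypair.sh is expected to create the .key with mode 0600`) would make the assumption checkable. 'Build the Postfix TLS policy map' interpolates inventory hostnames unquoted into a `shell:` pipeline, which is only safe while groups.out holds plain hostnames; quoting the path, `-in 'certs/postfix/{{ item }}.pem'`, costs nothing.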
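Review bot: `- include: ipsec.yml tags=strongswan,ipsec` is removed and nothing in this hunk replaces it, so as far as this diff (limited to roles/common/tasks) shows, ipsec.yml — which the same commit still edits and tags genkey — is no longer reached from this role, and neither is the 'Restart IPSec' handler it notifies. If the include moved to another role elsewhere in the commit this is fine, but then the tasks left in roles/common/tasks/ipsec.yml are dead code and should move with it; otherwise hosts silently stop getting strongSwan installed and configured on the next run. A one-line note in the commit message saying where the include went would settle which case applies. The rename of the tag to genkey does line up with the tags added in ipsec.yml and mail.yml, so `--tags genkey` copies the script before the tasks that run it.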