Diffstat (limited to 'roles/common')
| -rw-r--r-- | roles/common/files/etc/postfix/master.cf | 5 | ||||
| -rw-r--r-- | roles/common/tasks/ipsec.yml | 6 | ||||
| -rw-r--r-- | roles/common/tasks/mail.yml | 59 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 3 | ||||
| -rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 13 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/main.cf.j2 | 17 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/tls_policy.j2 | 6 | 
7 files changed, 88 insertions, 21 deletions
| diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index e845371..70f7f4e 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -25,8 +25,6 @@ proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       -       -       -       smtp
 smtpl     unix  -       -       -       -       -       smtp
   -o smtp_bind_address=127.0.0.1
-smtps     unix  -       -       -       -       -       smtp
-  -o smtp_bind_address=172.16.0.1
 relay     unix  -       -       -       -       -       smtp
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       -       -       -       showq
@@ -42,10 +40,7 @@ scache    unix  -       -       -       -       1       scache
 2525      inet  n       -       -       -       -       smtpd
 2526      inet  n       -       -       -       -       smtpd
 2527      inet  n       -       -       -       -       smtpd
-  -o mynetworks=0.0.0.0/0
 127.0.0.1:2580 inet n   -       -       -       -       smtpd
-127.0.0.1:smtp inet n   -       -       -       -       smtpd
-  -o inet_interfaces=127.0.0.1
 reserved-alias unix  -  n       n       -       -       pipe
   flags=Rhu user=nobody argv=/usr/local/sbin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
 mlmmj     unix  -       n       n       -       -       pipe
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 51d717f..36807d2 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -12,14 +12,18 @@
   failed_when: r1.rc > 1
   notify:
     - Restart IPSec
+  tags:
+    - genkey
 - name: Fetch the public part of IPSec's host key
-  sudo: False    # Ensure we don't fetch private data
+  sudo: False
+  fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
          dest=certs/ipsec/
          fail_on_missing=yes
          flat=yes
+  tags:
+    - genkey
 # Don't copy our pubkey due to a possible race condition.  Only the
 # remote machine has authority regarding its key.
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index 8572784..74919c8 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -44,7 +44,37 @@
   notify:
     - Restart Postfix
-- name: Update the static local Postfix database
+- name: Create directory /etc/postfix/ssl
+  file: path=/etc/postfix/ssl
+        state=directory
+        owner=root group=root
+        mode=0755
+  tags:
+    - genkey
+
+- name: Generate a private key and a X.509 certificate for Postfix
+  command: genkeypair.sh x509
+                         --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
+                         --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key
+                         --dns={{ ansible_fqdn }}
+                         -t ecdsa -b secp384r1 -h sha512
+  register: r4
+  changed_when: r4.rc == 0
+  failed_when: r4.rc > 1
+  tags:
+    - genkey
+
+- name: Fetch Postfix's X.509 certificate
+  # Ensure we don't fetch private data
+  sudo: False
+  fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
+         dest=certs/postfix/
+         fail_on_missing=yes
+         flat=yes
+  tags:
+    - genkey
+
+- name: Compile the static local Postfix database
   postmap: cmd=postalias src=/etc/aliases db=cdb
            owner=root group=root
            mode=0644
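Review bot: The `Generate a private key and a X.509 certificate for Postfix` task writes /etc/postfix/ssl/{{ ansible_fqdn }}.key, but nothing in this hunk pins that file's owner or mode, so the confidentiality of the key rests entirely on what genkeypair.sh does (not part of this diff) and on the 0755 directory created just above it. Postfix reads smtp_tls_key_file while still privileged, so the key only needs to be readable by root; an explicit task would make that invariant survive a change to the helper, e.g. `- name: Restrict the Postfix private key` / `  file: path=/etc/postfix/ssl/{{ ansible_fqdn }}.key owner=root group=root mode=0600`. Note also that this task keys the files on `ansible_fqdn` whereas the IPSec fetch task in the same diff uses `inventory_hostname`; if the two ever differ the `certs/postfix/{{ item }}.pem` lookup built from `groups.out` will not find the fetched file.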
@@ -53,8 +83,33 @@
 - name: Delete /etc/aliases.db
   file: path=/etc/aliases.db state=absent
+- name: Build the Postfix TLS policy map
+  sudo: False
+  # smtp_tls_fingerprint_digest MUST be sha256!
+  local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | cut -d= -f2
+  with_items: groups.out | sort
+  register: tls_policy
+  changed_when: False
+  when: "'out' not in group_names"
+
+- name: Copy the Postfix TLS policy map
+  template: src=etc/postfix/tls_policy.j2
+            dest=/etc/postfix/tls_policy
+            owner=root group=root
+            mode=0644
+  when: "'out' not in group_names"
+
+- name: Compile the Postfix TLS policy map
+  postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb
+           owner=root group=root
+           mode=0644
+  when: "'out' not in group_names"
+  register: r5
+  notify:
+    - Restart Postfix
+
 - name: Start Postfix
   service: name=postfix state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed or r3.changed or r5.changed)
 - meta: flush_handlers
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 0048443..464abd0 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,8 +15,7 @@
         owner=root group=root
         mode=0755
   tags:
-    - genkeypair
-- include: ipsec.yml    tags=strongswan,ipsec
+    - genkey
 - include: logging.yml  tags=logging
 - include: ntp.yml      tags=ntp
 - include: mail.yml     tags=mail,postfix
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 923aa35..3e31f04 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
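Review bot: In `Build the Postfix TLS policy map` the pipeline `openssl x509 ... | cut -d= -f2` reports the exit status of `cut`, so a missing or unreadable certs/postfix/{{ item }}.pem does not fail the task; `x.stdout` is then empty and the template emits a bare `match=` line, which pins nothing and leaves the relay unreachable with no error at play time. Since the registered per-item result is what `failed_when` sees in a loop, adding `failed_when: tls_policy.rc != 0 or not tls_policy.stdout` to this task turns that into a hard failure; alternatively drop the pipe by using `command: openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256` and strip the `SHA256 Fingerprint=` prefix in the template. The `# smtp_tls_fingerprint_digest MUST be sha256!` comment is the right reminder, but it would be more useful next to the `smtp_tls_fingerprint_digest` line in main.cf.j2, which is what actually has to agree with this digest.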
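Review bot: The `- include: ipsec.yml` line is dropped here, yet the same commit still edits roles/common/tasks/ipsec.yml (adding `genkey` tags) and the ISAKMP firewall rules are removed in services.j2, so ipsec.yml becomes an orphaned task file that is maintained but never run. If the IPSec transport is really being replaced by the TLS fingerprint pinning introduced in this commit, removing ipsec.yml (and its certs/ipsec/ fetch target) in the same change keeps the role coherent; otherwise a comment such as `# ipsec.yml is intentionally not included: mail is now tunnelled over TLS, see mail.yml` would document the decision. The `genkeypair` → `genkey` tag rename also changes the tag users pass on the command line; any runbook or script invoking `--tags genkeypair` needs updating.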
@@ -4,9 +4,6 @@
 # direction              protocol     destination port            source port
 # (in|out|inout)[46]?    (tcp|udp|..) (port|port:port|port,port)  (port|port:port|port,port)
-inout   udp     500      500                            # ISAKMP
-#inout   udp     4500    4500    # IPSec NAT Traversal
-
 out     tcp     80,443                                  # HTTP/HTTPS
 out     udp     53                                      # DNS
 out     udp     67                                      # DHCP
@@ -20,15 +17,23 @@ in      tcp     {{ ansible_ssh_port|default('22') }}    # SSH
 in      tcp     25                                      # SMTP
 {% endif %}
 {% if 'out' in group_names %}
-#out     tcp     25                                     # SMTP
+in      tcp     {{ postfix_instance.out.port }}
+out     tcp     25                                      # SMTP
+{% else %}
+out     tcp     {{ postfix_instance.out.port }}
 {% endif %}
 {% if 'IMAP' in group_names %}
 in      tcp     993                                     # IMAPS
 in      tcp     4190                                    # ManageSieve
 {% endif %}
+{% if 'MDA' in group_names %}
+in      tcp     {{ postfix_instance.mda.port }}
+{% endif %}
 {% if 'MSA' in group_names %}
 in      tcp     587                                     # SMTP-AUTH
 {% endif %}
 {% if 'webmail' in group_names %}
 in     tcp      80,443                                  # HTTP/HTTPS
+out    tcp      993                                     # IMAP # TODO imapc
+out    tcp      4190
 {% endif %}
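Review bot: The new `in tcp {{ postfix_instance.out.port }}` and `in tcp {{ postfix_instance.mda.port }}` rules open those ports to any source, because the rule format documented at the top of this file carries no source-address field; with the IPSec rules removed in the first hunk, the only thing protecting the outgoing proxy port is whatever client restriction the `out` instance's smtpd applies (not part of this diff, and the common main.cf sets `smtpd_tls_security_level = none`). A comment stating that assumption on the rule would help the next reader, e.g. `in      tcp     {{ postfix_instance.out.port }}       # outgoing proxy (clients authenticated by the 'out' instance)`. Every other rule in this table ends with a `# service` comment; the new `in`/`out` proxy rules and `out tcp 4190` (`# ManageSieve # TODO imapc`) should follow that convention.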
@@ -17,7 +17,6 @@ append_dot_mydomain = no
 # This server is for internal use only
 mynetworks_style = host
 inet_interfaces  = loopback-only
-inet_protocols   = ipv4
 # No local delivery
 mydestination        =
@@ -30,7 +29,7 @@ default_database_type = cdb
 virtual_alias_maps    = cdb:/etc/aliases
 alias_database        = $virtual_alias_maps
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
 {% if 'out' in group_names %}
 relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
@@ -38,14 +37,18 @@ relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
-# Tunnel everything through IPSec
-smtp_tls_security_level  = none
 {% if 'out' in group_names %}
-smtp_bind_address        = 127.0.0.1
+smtp_tls_security_level         = none
+smtp_bind_address               = 127.0.0.1
 {% else %}
-smtp_bind_address        = 172.16.0.1
+smtp_tls_security_level         = encrypt
+smtp_tls_cert_file              = $config_directory/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file               = $config_directory/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps            = cdb:$config_directory/tls_policy
+smtp_tls_fingerprint_digest     = sha256
 {% endif %}
-smtpd_tls_security_level = none
+smtpd_tls_security_level        = none
 # Turn off all TCP/IP listener ports except that dedicated to
 # samhain(8), which sadly cannot use pickup through the sendmail binary.
diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2
new file mode 100644
index 0000000..b4fc453
--- /dev/null
+++ b/roles/common/templates/etc/postfix/tls_policy.j2
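Review bot: `smtp_tls_security_level = encrypt` is only the fallback for next-hops that miss in `smtp_tls_policy_maps`; the fingerprint pinning of the relay lives entirely in the cdb policy table, so if the table is absent, stale, or its key no longer matches the `relayhost` spelling exactly (`[outgoing.fripost.org]:port`), delivery silently degrades to unauthenticated mandatory TLS rather than failing. That is acceptable for a host whose only next-hop is the relay, but it is worth stating in the file, e.g. `# Mandatory TLS to the relayhost; the relay's certificate is additionally pinned by fingerprint in $smtp_tls_policy_maps (see tls_policy.j2)`. Dropping `inet_protocols = ipv4` reverts Postfix to its default (`all`), so the SMTP client may now reach the relay over IPv6; that should be intended and matched by the firewall rules, which this diff does not show. The comment on the old `# Tunnel everything through IPSec` line is removed, so nothing explains why the `out` branch keeps `smtp_tls_security_level = none` — a note that the relay is reached over loopback there would help.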
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+[outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2
+{% for x in tls_policy.results %}
+   match={{ x.stdout }}
+{% endfor %} |
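Review bot: The indented `match=` lines depend on Postfix's lookup-table rule that a line starting with whitespace continues the previous logical line; nothing in the template says so, and a future edit that outdents them would turn each fingerprint into a separate, meaningless table key. A header comment such as `# Lines starting with whitespace continue the previous entry: each match= is one accepted SHA-256 fingerprint (must agree with smtp_tls_fingerprint_digest)` would make that explicit. Two failure modes also deserve a note: when `tls_policy.results` is empty the entry has level `fingerprint` with no `match=`, so every connection to the relay is refused (fail-closed, but with no warning at play time), and an empty `x.stdout` from a failed openssl run produces a bare `match=` with the same effect. Because the list is rebuilt from the certificates fetched into certs/postfix/, regenerating an `out` host's key requires re-running this role on every client before the old certificate is retired, which is worth documenting next to the entry.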
