3 files changed, 16 insertions, 33 deletions

diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index b314d95..2be1b41 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -1,97 +1,85 @@
 ########################################################################
 # Sympa configuration
 #
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 
-smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
-biff             = no
-readme_directory = no
-mail_owner       = postfix
+smtpd_banner        = $myhostname ESMTP $mail_name (Debian/GNU)
+biff                = no
+readme_directory    = no
+compatibility_level = 2
+smtputf8_enable     = no
 
 delay_warning_time     = 4h
 maximal_queue_lifetime = 5d
 
 myorigin            = /etc/mailname
 myhostname          = lists.$mydomain
 mydomain            = fripost.org
 append_dot_mydomain = no
 
-# Turn off all TCP/IP listener ports except that necessary for Sympa
-master_service_disable = !2527.inet inet
+mynetworks = 127.0.0.0/8, [::1]/128
+{%- if groups.all | length > 1 -%}
+{%- for mx in groups.MX | sort -%}
+           , {{ ipsec[ hostvars[mx].inventory_hostname_short ] | ansible.utils.ipaddr }}
+{%- endfor %}
+{% endif %}
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
 multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
-# This server is a Mail Delivery Agent
-mynetworks_style = host
-inet_interfaces  = all
-
 
 # No local delivery
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
-message_size_limit  = 67108864
+message_size_limit  = 0
 recipient_delimiter = +
 
 # No relay: this server is inbound-only
 relay_transport   = error:5.1.1 Relay unavailable
 default_transport = error:5.1.1 Transport unavailable
 
 
 relay_domains                     = sympa.$mydomain
-transport_maps                    = cdb:$config_directory/transport
+transport_maps                    = lmdb:$config_directory/transport
 sympa_destination_recipient_limit = 1
 
 # Don't rewrite remote headers
 local_header_rewrite_clients =
 
-
-relay_clientcerts               = cdb:$config_directory/relay_clientcerts
-smtpd_tls_security_level        = may
-smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
-smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
-smtpd_tls_received_header       = yes
-smtpd_tls_ask_ccert             = yes
-smtpd_tls_session_cache_timeout = 3600s
-smtpd_tls_fingerprint_digest    = sha256
-
+smtp_tls_security_level  = none
+smtpd_tls_security_level = none
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 smtpd_client_restrictions =
     permit_mynetworks
-    permit_tls_clientcerts
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why
     defer
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     permit_mynetworks
-    permit_tls_clientcerts
     reject
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
 # vim: set filetype=pfmain :
diff --git a/roles/lists/templates/etc/postfix/master.cf.j2 b/roles/lists/templates/etc/postfix/master.cf.j2
new file mode 120000
index 0000000..011f8e0
--- /dev/null
+++ b/roles/lists/templates/etc/postfix/master.cf.j2
@@ -0,0 +1 @@
+../../../../common/templates/etc/postfix/master.cf.j2
\ No newline at end of file
diff --git a/roles/lists/templates/etc/postfix/relay_clientcerts.j2 b/roles/lists/templates/etc/postfix/relay_clientcerts.j2
deleted file mode 100644
index 42a83b5..0000000
--- a/roles/lists/templates/etc/postfix/relay_clientcerts.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-# {{ ansible_managed }}
-# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256!
-
-{% for h in groups.MX | difference([inventory_hostname]) | sort %}
-{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {{ h }}
-{% endfor %}