diff options
Diffstat (limited to 'roles/out/templates/etc')
-rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 43 | ||||
-rw-r--r-- | roles/out/templates/etc/postfix/relay_clientcerts.j2 | 5 |
2 files changed, 34 insertions, 14 deletions
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 1a7985f..11bcc10 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 @@ -1,5 +1,5 @@ ######################################################################## -# Outgoing MTA configuration +# Outgoing MTA (outgoing SMTP proxy) configuration # # {{ ansible_managed }} # Do NOT edit this file directly! @@ -19,7 +19,7 @@ append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the # outgoing SMTP proxy. -master_service_disable = !2525.inet inet +master_service_disable = !{{ postfix_instance.out.port }}.inet inet queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} @@ -27,10 +27,8 @@ multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes -# Accept everything coming through IPSec. -# TODO: this should our virtual private subnetwork -mynetworks = 0.0.0.0/0 -inet_interfaces = 172.16.0.1, 127.0.0.1 +mynetworks_style = host +inet_interfaces = all # No local delivery mydestination = @@ -42,8 +40,8 @@ local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + -relay_domains = -relay_transport = error:5.3.2 Relay Transport unavailable +relay_domains = +relay_transport = error:5.3.2 Relay Transport unavailable # All header rewriting happens upstream local_header_rewrite_clients = @@ -51,13 +49,29 @@ local_header_rewrite_clients = smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes -smtp_tls_cert_file = /etc/postfix-out/ssl/smtp.fripost.org.pem -smtp_tls_key_file = /etc/postfix-out/ssl/smtp.fripost.org.key -smtp_tls_CApath = /etc/ssl/certs/ smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_fingerprint_digest = sha1 -tls_random_source = dev:/dev/urandom +relay_clientcerts = cdb:$config_directory/relay_clientcerts +smtpd_tls_security_level = may +smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem +smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key +smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_received_header = yes +smtpd_tls_ask_ccert = yes +smtpd_tls_session_cache_timeout = 3600s +smtpd_tls_fingerprint_digest = sha256 + + +strict_rfc821_envelopes = yes +smtpd_delay_reject = yes +disable_vrfy_command = yes + +smtpd_client_restrictions = + permit_mynetworks + permit_tls_clientcerts + # We are the only ones using this proxy, but if things go wrong we + # want to know why + defer smtpd_helo_required = yes smtpd_helo_restrictions = @@ -72,7 +86,8 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks - reject_unauth_destination + permit_tls_clientcerts + reject smtpd_data_restrictions = reject_unauth_pipelining diff --git a/roles/out/templates/etc/postfix/relay_clientcerts.j2 b/roles/out/templates/etc/postfix/relay_clientcerts.j2 new file mode 100644 index 0000000..3f724ea --- /dev/null +++ b/roles/out/templates/etc/postfix/relay_clientcerts.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +{% for x in relay_clientcerts.results %} +{{ x.stdout }} +{% endfor %} |