diff options
Diffstat (limited to 'roles/out/templates')
| -rw-r--r-- | roles/out/templates/etc/postfix/canonical.j2 | 10 | ||||
| -rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 50 | ||||
| l--------- | roles/out/templates/etc/postfix/master.cf.j2 | 1 | ||||
| -rw-r--r-- | roles/out/templates/etc/postfix/relay_clientcerts.j2 | 6 | ||||
| -rw-r--r-- | roles/out/templates/etc/postfix/smtp_tls_policy.j2 | 12 |
5 files changed, 43 insertions, 36 deletions
diff --git a/roles/out/templates/etc/postfix/canonical.j2 b/roles/out/templates/etc/postfix/canonical.j2 new file mode 100644 index 0000000..ed8bb4d --- /dev/null +++ b/roles/out/templates/etc/postfix/canonical.j2 @@ -0,0 +1,10 @@ +# {{ ansible_managed }} +# Do NOT edit this file directly! + +# Addresses under $myhostname are typically not valid as envelope +# recipients (eg, logcheck@, root@, etc.). This breaks the sender +# address verification, so we use the admin team's address in the +# envelope. +{% for host in groups.all | sort %} +@{{ hostvars[host].inventory_hostname }} admin@fripost.org +{% endfor %} diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 8766984..f8aa55a 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 @@ -1,102 +1,92 @@ ######################################################################## # Outgoing MTA (outgoing SMTP proxy) configuration # # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no -mail_owner = postfix +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +compatibility_level = 2 +smtputf8_enable = no delay_warning_time = 1d maximal_queue_lifetime = 5d myorigin = /etc/mailname myhostname = outgoing{{ outgoingno | default('') }}.$mydomain mydomain = fripost.org append_dot_mydomain = no -# Turn off all TCP/IP listener ports except that necessary for the -# outgoing SMTP proxy. -master_service_disable = !{{ postfix_instance.out.port }}.inet !127.0.0.1:10025.inet inet +mynetworks = 127.0.0.0/8, [::1]/128 +{%- if groups.all | length > 1 -%} + , {{ ipsec_subnet }} +{% endif %} queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes -mynetworks_style = host -inet_interfaces = all - # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = -message_size_limit = 67108864 +message_size_limit = 0 recipient_delimiter = + relay_domains = relay_transport = error:5.3.2 Relay Transport unavailable +# Replace internal system addresses under $myhostname with a valid address +canonical_maps = lmdb:$config_directory/canonical +canonical_classes = envelope_sender, envelope_recipient + # All header rewriting happens upstream local_header_rewrite_clients = smtp_tls_security_level = may +smtp_tls_ciphers = medium +smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_note_starttls_offer = yes -smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache +smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache -relay_clientcerts = cdb:$config_directory/relay_clientcerts -smtpd_tls_security_level = may -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key -smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache -smtpd_tls_received_header = yes -smtpd_tls_ask_ccert = yes -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_fingerprint_digest = sha256 +smtp_tls_fingerprint_digest = sha256 +smtp_tls_policy_maps = lmdb:$config_directory/smtp_tls_policy +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes -address_verify_sender = $double_bounce_sender@$mydomain -unverified_recipient_defer_code = 250 -unverified_recipient_reject_code = 550 - smtpd_client_restrictions = permit_mynetworks - permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain - reject_unverified_recipient permit_mynetworks - permit_tls_clientcerts reject smtpd_data_restrictions = reject_unauth_pipelining content_filter = amavisfeed:[127.0.0.1]:10040 # vim: set filetype=pfmain : diff --git a/roles/out/templates/etc/postfix/master.cf.j2 b/roles/out/templates/etc/postfix/master.cf.j2 new file mode 120000 index 0000000..011f8e0 --- /dev/null +++ b/roles/out/templates/etc/postfix/master.cf.j2 @@ -0,0 +1 @@ +../../../../common/templates/etc/postfix/master.cf.j2
\ No newline at end of file diff --git a/roles/out/templates/etc/postfix/relay_clientcerts.j2 b/roles/out/templates/etc/postfix/relay_clientcerts.j2 deleted file mode 100644 index d70432e..0000000 --- a/roles/out/templates/etc/postfix/relay_clientcerts.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# {{ ansible_managed }} -# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256! - -{% for h in groups.all | difference([inventory_hostname]) | sort %} -{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {{ h }} -{% endfor %} diff --git a/roles/out/templates/etc/postfix/smtp_tls_policy.j2 b/roles/out/templates/etc/postfix/smtp_tls_policy.j2 new file mode 100644 index 0000000..7722dc8 --- /dev/null +++ b/roles/out/templates/etc/postfix/smtp_tls_policy.j2 @@ -0,0 +1,12 @@ +# Lookup table matching next-hop destinations to TLS security policies; +# this allows pining the key material for chosen recipient domains. +# +# {{ ansible_managed }} +# Do NOT edit this file directly! +{% for nexthop in ['fripost.org','.fripost.org'] %} + +{{ nexthop }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +{% for h in groups.MX | sort %} + match={{ lookup('pipe', 'openssl pkey -pubin -outform DER <"certs/public/mx'+(hostvars[h].mxno | default('') | string)+'.fripost.org.pub" | openssl dgst -sha256 -c | sed "s/[^=]*=\s*//"') }} +{% endfor %} +{% endfor %} |