Diffstat (limited to 'roles/out/templates')
| -rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 5 | ||||
| -rw-r--r-- | roles/out/templates/etc/postfix/smtp_tls_policy.j2 | 12 | 
2 files changed, 16 insertions, 1 deletions
| diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index c05d9a5..f8aa55a 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -39,41 +39,44 @@ local_recipient_maps =
 message_size_limit  = 0
 recipient_delimiter = +
 relay_domains       =
 relay_transport     = error:5.3.2 Relay Transport unavailable
 # Replace internal system addresses under $myhostname with a valid address
 canonical_maps    = lmdb:$config_directory/canonical
 canonical_classes = envelope_sender, envelope_recipient
 # All header rewriting happens upstream
 local_header_rewrite_clients =
 smtp_tls_security_level         = may
 smtp_tls_ciphers                = medium
 smtp_tls_protocols              = !SSLv2, !SSLv3
 smtp_tls_note_starttls_offer    = yes
 smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache
-smtpd_tls_security_level        = none
+smtp_tls_fingerprint_digest = sha256
+smtp_tls_policy_maps        = lmdb:$config_directory/smtp_tls_policy
+
+smtpd_tls_security_level = none
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 smtpd_client_restrictions =
     permit_mynetworks
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why
     defer
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
diff --git a/roles/out/templates/etc/postfix/smtp_tls_policy.j2 b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
new file mode 100644
index 0000000..7722dc8
--- /dev/null
+++ b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
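Review bot: `smtp_tls_policy_maps = lmdb:$config_directory/smtp_tls_policy` ties outbound delivery to a compiled lmdb table that nothing in this diff (limited to roles/out/templates) shows being rebuilt after the template is rendered, and the `fingerprint` entries written into that table make delivery to the listed domains fail when no pinned key matches. The `sha256` value on the preceding line also has to stay in step with the `-sha256` used to generate the table, which lives in the other file. I would add a comment above the two new lines, e.g. `# Per-destination TLS policy (public-key pinning); the digest must match smtp_tls_policy.j2, and the lmdb table must be regenerated with postmap whenever an MX key is rotated or this template is re-rendered`. The unchanged `smtp_tls_security_level = may` stays the floor for every destination not listed in the table, which is worth stating in that same comment.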
@@ -0,0 +1,12 @@
+# Lookup table matching next-hop destinations to TLS security policies;
+# this allows pining the key material for chosen recipient domains.
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+{% for nexthop in ['fripost.org','.fripost.org'] %}
+
+{{ nexthop }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+{% for h in groups.MX | sort %}
+  match={{ lookup('pipe', 'openssl pkey -pubin -outform DER <"certs/public/mx'+(hostvars[h].mxno | default('') | string)+'.fripost.org.pub" | openssl dgst -sha256 -c | sed "s/[^=]*=\s*//"') }}
+{% endfor %}
+{% endfor %} |
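Review bot: The `match=` value comes from a three-stage shell pipeline whose exit status is that of the final `sed`, so if the `certs/public/mx<N>.fripost.org.pub` file is missing or unreadable the `openssl pkey` failure is masked and the template renders an empty `match=` instead of the pipe lookup aborting the play; under a `fingerprint` policy that presumably leaves Postfix with nothing to match and defers all mail to these domains. Capturing the lookup in a `{% set %}` variable and failing the render when it is empty, or guarding with `{% if hostvars[h].mxno is defined %}` instead of `default('')`, would turn a packaging mistake into a visible error. As written, a host in `groups.MX` without `mxno` silently points at `mx.fripost.org.pub`. The comment on the second line has a typo: `pining` should be `pinning`.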
