Diffstat (limited to 'roles/out')
-rw-r--r--roles/out/tasks/main.yml41
-rw-r--r--roles/out/templates/etc/postfix/canonical.j210
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j250
l---------roles/out/templates/etc/postfix/master.cf.j21
-rw-r--r--roles/out/templates/etc/postfix/relay_clientcerts.j26
-rw-r--r--roles/out/templates/etc/postfix/smtp_tls_policy.j212
6 files changed, 72 insertions, 48 deletions
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 10429b1..7a297f1 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -1,45 +1,62 @@
- name: Install Postfix
- apt: pkg=postfix
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - postfix
+ - postfix-lmdb
- name: Configure Postfix
- template: src=etc/postfix/main.cf.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+ template: src=etc/postfix/{{ item }}.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
owner=root group=root
mode=0644
+ with_items:
+ - main.cf
+ - master.cf
notify:
- Reload Postfix
-- name: Copy the Postfix relay clientcerts map
- template: src=etc/postfix/relay_clientcerts.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+- name: Copy the canonical maps
+ template: src=etc/postfix/canonical.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/canonical
owner=root group=root
mode=0644
- tags:
- - tls_policy
-- name: Compile the Postfix relay clientcerts map
- postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+- name: Compile the canonical maps
+ # no need to reload upon change, as cleanup(8) is short-running
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/canonical db=lmdb
owner=root group=root
mode=0644
- tags:
- - tls_policy
+
+- name: Copy the SMTP TLS policy maps
+ template: src=etc/postfix/smtp_tls_policy.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy
+ owner=root group=root
+ mode=0644
+
+- name: Compile the SMTP TLS policy maps
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy db=lmdb
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Install 'postfix_mailqueue_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
- name: Install 'postfix_stats_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_stats_
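Review bot: With the two relay_clientcerts tasks dropped, nothing in this hunk removes the already-deployed `/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts` and its compiled `.cdb` from hosts that ran the old role, so the stale fingerprint map stays on disk unless cleanup happens elsewhere. The new main.cf.j2 no longer references it, so it is inert, but a short cleanup task such as `file: path=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }} state=absent` with `with_items: [relay_clientcerts, relay_clientcerts.cdb]` would keep the instance directory in line with the role. The task list continues past the end of the hunk.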
diff --git a/roles/out/templates/etc/postfix/canonical.j2 b/roles/out/templates/etc/postfix/canonical.j2
new file mode 100644
index 0000000..ed8bb4d
--- /dev/null
+++ b/roles/out/templates/etc/postfix/canonical.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Addresses under $myhostname are typically not valid as envelope
+# recipients (eg, logcheck@, root@, etc.). This breaks the sender
+# address verification, so we use the admin team's address in the
+# envelope.
+{% for host in groups.all | sort %}
+@{{ hostvars[host].inventory_hostname }} admin@fripost.org
+{% endfor %}
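Review bot: The comment speaks of addresses under $myhostname, but the loop keys each entry on `hostvars[host].inventory_hostname`, so the rewrite only matches if the inventory names are exactly the domain part that local daemons put in their envelope addresses; this file does not show whether that holds. A line stating the assumption would help, e.g. `# assumes each inventory hostname equals that machine's $myhostname (FQDN)`. `hostvars[host].inventory_hostname` is also just `host`, so `@{{ host }} admin@fripost.org` says the same thing with less indirection.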
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 8766984..f8aa55a 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -1,102 +1,92 @@
########################################################################
# Outgoing MTA (outgoing SMTP proxy) configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-readme_directory = no
-mail_owner = postfix
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+compatibility_level = 2
+smtputf8_enable = no
delay_warning_time = 1d
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = outgoing{{ outgoingno | default('') }}.$mydomain
mydomain = fripost.org
append_dot_mydomain = no
-# Turn off all TCP/IP listener ports except that necessary for the
-# outgoing SMTP proxy.
-master_service_disable = !{{ postfix_instance.out.port }}.inet !127.0.0.1:10025.inet inet
+mynetworks = 127.0.0.0/8, [::1]/128
+{%- if groups.all | length > 1 -%}
+ , {{ ipsec_subnet }}
+{% endif %}
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
-mynetworks_style = host
-inet_interfaces = all
-
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
-message_size_limit = 67108864
+message_size_limit = 0
recipient_delimiter = +
relay_domains =
relay_transport = error:5.3.2 Relay Transport unavailable
+# Replace internal system addresses under $myhostname with a valid address
+canonical_maps = lmdb:$config_directory/canonical
+canonical_classes = envelope_sender, envelope_recipient
+
# All header rewriting happens upstream
local_header_rewrite_clients =
smtp_tls_security_level = may
+smtp_tls_ciphers = medium
+smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache
-relay_clientcerts = cdb:$config_directory/relay_clientcerts
-smtpd_tls_security_level = may
-smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
-smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
-smtpd_tls_received_header = yes
-smtpd_tls_ask_ccert = yes
-smtpd_tls_session_cache_timeout = 3600s
-smtpd_tls_fingerprint_digest = sha256
+smtp_tls_fingerprint_digest = sha256
+smtp_tls_policy_maps = lmdb:$config_directory/smtp_tls_policy
+smtpd_tls_security_level = none
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
-address_verify_sender = $double_bounce_sender@$mydomain
-unverified_recipient_defer_code = 250
-unverified_recipient_reject_code = 550
-
smtpd_client_restrictions =
permit_mynetworks
- permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
smtpd_helo_required = yes
smtpd_helo_restrictions =
reject_invalid_helo_hostname
smtpd_sender_restrictions =
reject_non_fqdn_sender
smtpd_relay_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
- reject_unverified_recipient
permit_mynetworks
- permit_tls_clientcerts
reject
smtpd_data_restrictions =
reject_unauth_pipelining
content_filter = amavisfeed:[127.0.0.1]:10040
# vim: set filetype=pfmain :
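Review bot: Relay access now rests on source address alone: `permit_tls_clientcerts` is gone from both restriction lists, `smtpd_tls_security_level = none` turns off server-side TLS, and `mynetworks` gains `{{ ipsec_subnet }}`, so any host able to send from that subnet can relay through this instance. That is sound only if the subnet is reachable solely over the IPsec tunnel and the listener binding in master.cf (not shown in this hunk) does not expose the port elsewhere. A comment above `mynetworks` such as `# Clients are authenticated by source address only; ipsec_subnet must be reachable only via IPsec` would record that dependency. Separately, `message_size_limit = 0` appears to remove the size cap on this instance, which seems worth a comment naming where the limit is enforced instead.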
diff --git a/roles/out/templates/etc/postfix/master.cf.j2 b/roles/out/templates/etc/postfix/master.cf.j2
new file mode 120000
index 0000000..011f8e0
--- /dev/null
+++ b/roles/out/templates/etc/postfix/master.cf.j2
@@ -0,0 +1 @@
+../../../../common/templates/etc/postfix/master.cf.j2 \ No newline at end of file
diff --git a/roles/out/templates/etc/postfix/relay_clientcerts.j2 b/roles/out/templates/etc/postfix/relay_clientcerts.j2
deleted file mode 100644
index d70432e..0000000
--- a/roles/out/templates/etc/postfix/relay_clientcerts.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-# {{ ansible_managed }}
-# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256!
-
-{% for h in groups.all | difference([inventory_hostname]) | sort %}
-{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {{ h }}
-{% endfor %}
diff --git a/roles/out/templates/etc/postfix/smtp_tls_policy.j2 b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
new file mode 100644
index 0000000..7722dc8
--- /dev/null
+++ b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1,12 @@
+# Lookup table matching next-hop destinations to TLS security policies;
+# this allows pining the key material for chosen recipient domains.
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+{% for nexthop in ['fripost.org','.fripost.org'] %}
+
+{{ nexthop }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+{% for h in groups.MX | sort %}
+ match={{ lookup('pipe', 'openssl pkey -pubin -outform DER <"certs/public/mx'+(hostvars[h].mxno | default('') | string)+'.fripost.org.pub" | openssl dgst -sha256 -c | sed "s/[^=]*=\s*//"') }}
+{% endfor %}
+{% endfor %}
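Review bot: The `match=` lookup is a shell pipeline whose exit status is that of the final `sed`, so a missing or unreadable `certs/public/mx….fripost.org.pub` would most likely not fail the template; it would render the SHA-256 of empty input as a pinned fingerprint. Delivery to fripost.org would then be deferred rather than sent unverified, but the breakage only shows at runtime; checking that each key file exists before rendering (for example with an `assert` task ahead of the template task) would catch it at deploy time. The hard-coded `-sha256` also depends on `smtp_tls_fingerprint_digest = sha256` in main.cf.j2, and the deleted relay_clientcerts.j2 carried a warning to that effect; a header line like `# smtp_tls_fingerprint_digest MUST be sha256` would keep that coupling visible. The header comment's "pining" should read "pinning".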