summaryrefslogtreecommitdiffstats
path: root/roles/out
diff options
context:
space:
mode:
Diffstat (limited to 'roles/out')
-rw-r--r--roles/out/tasks/main.yml13
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j25
-rw-r--r--roles/out/templates/etc/postfix/smtp_tls_policy.j212
3 files changed, 29 insertions, 1 deletions
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 48c162a..7a297f1 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -28,6 +28,19 @@
owner=root group=root
mode=0644
+- name: Copy the SMTP TLS policy maps
+ template: src=etc/postfix/smtp_tls_policy.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy
+ owner=root group=root
+ mode=0644
+
+- name: Compile the SMTP TLS policy maps
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/smtp_tls_policy db=lmdb
+ owner=root group=root
+ mode=0644
+ notify:
+ - Reload Postfix
+
- meta: flush_handlers
- name: Start Postfix
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index c05d9a5..f8aa55a 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -56,7 +56,10 @@ smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_tls_session_cache
-smtpd_tls_security_level = none
+smtp_tls_fingerprint_digest = sha256
+smtp_tls_policy_maps = lmdb:$config_directory/smtp_tls_policy
+
+smtpd_tls_security_level = none
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
diff --git a/roles/out/templates/etc/postfix/smtp_tls_policy.j2 b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
new file mode 100644
index 0000000..7722dc8
--- /dev/null
+++ b/roles/out/templates/etc/postfix/smtp_tls_policy.j2
@@ -0,0 +1,12 @@
+# Lookup table matching next-hop destinations to TLS security policies;
+# this allows pining the key material for chosen recipient domains.
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+{% for nexthop in ['fripost.org','.fripost.org'] %}
+
+{{ nexthop }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+{% for h in groups.MX | sort %}
+ match={{ lookup('pipe', 'openssl pkey -pubin -outform DER <"certs/public/mx'+(hostvars[h].mxno | default('') | string)+'.fripost.org.pub" | openssl dgst -sha256 -c | sed "s/[^=]*=\s*//"') }}
+{% endfor %}
+{% endfor %}