From de4859456f1de54540c96ad97f62858dd089a980 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 1 Jul 2014 23:02:45 +0200
Subject: Replace IPSec tunnels by app-level ephemeral TLS sessions.

For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
---
 roles/MX/templates/etc/postfix/main.cf.j2 | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

(limited to 'roles/MX/templates/etc/postfix/main.cf.j2')

diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 34e38a0..4d8e53e 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -41,7 +41,7 @@ local_recipient_maps =
 message_size_limit  = 67108864
 recipient_delimiter = +
 
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
 {% if 'out' in group_names %}
 relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
@@ -49,6 +49,7 @@ relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
+
 # Virtual transport
 # We use a dedicated "virtual" domain to decongestion potential
 # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
@@ -67,6 +68,7 @@ virtual_alias_maps      = pcre:$config_directory/virtual/reserved_alias.pcre
 virtual_mailbox_maps    =
 transport_maps          = cdb:$config_directory/virtual/transport
 
+
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Pass the client information along to the content filter
@@ -77,15 +79,20 @@ reserved-alias_recipient_limit   = 1
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
-# Tunnel everything through IPSec
-smtp_tls_security_level = none
+
 {% if 'out' in group_names %}
-smtp_bind_address       = 127.0.0.1
+smtp_tls_security_level         = none
+smtp_bind_address               = 127.0.0.1
 {% else %}
-smtp_bind_address       = 172.16.0.1
+smtp_tls_security_level         = encrypt
+smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
+smtp_tls_fingerprint_digest     = sha256
 {% endif %}
+smtpd_tls_security_level        = none
 
-# TLS
 smtpd_tls_security_level        = may
 smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
@@ -93,9 +100,6 @@ smtpd_tls_CApath                = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
-smtpd_tls_fingerprint_digest    = sha1
-smtpd_tls_eecdh_grade           = strong
-tls_random_source               = dev:/dev/urandom
 
 
 # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
-- 
cgit v1.2.3