From de4859456f1de54540c96ad97f62858dd089a980 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 1 Jul 2014 23:02:45 +0200 Subject: Replace IPSec tunnels by app-level ephemeral TLS sessions. For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. --- roles/MX/templates/etc/postfix/main.cf.j2 | 22 +++++++++++++--------- .../MX/templates/etc/postfix/virtual/transport.j2 | 4 ++-- 2 files changed, 15 insertions(+), 11 deletions(-) (limited to 'roles/MX') diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 34e38a0..4d8e53e 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -41,7 +41,7 @@ local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + -# Forward everything to our internal mailhub +# Forward everything to our internal outgoing proxy {% if 'out' in group_names %} relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} {% else %} @@ -49,6 +49,7 @@ relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} {% endif %} relay_domains = + # Virtual transport # We use a dedicated "virtual" domain to decongestion potential # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in @@ -67,6 +68,7 @@ virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre virtual_mailbox_maps = transport_maps = cdb:$config_directory/virtual/transport + # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter 
@@ -77,15 +79,20 @@ reserved-alias_recipient_limit = 1 # Tolerate occasional high latency smtp_data_done_timeout = 1200s -# Tunnel everything through IPSec -smtp_tls_security_level = none + {% if 'out' in group_names %} -smtp_bind_address = 127.0.0.1 +smtp_tls_security_level = none +smtp_bind_address = 127.0.0.1 {% else %} -smtp_bind_address = 172.16.0.1 +smtp_tls_security_level = encrypt +smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem +smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key +smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache +smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy +smtp_tls_fingerprint_digest = sha256 {% endif %} +smtpd_tls_security_level = none -# TLS smtpd_tls_security_level = may smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key @@ -93,9 +100,6 @@ smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes -smtpd_tls_fingerprint_digest = sha1 -smtpd_tls_eecdh_grade = strong -tls_random_source = dev:/dev/urandom # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix diff --git a/roles/MX/templates/etc/postfix/virtual/transport.j2 b/roles/MX/templates/etc/postfix/virtual/transport.j2 index 2250a71..a34dcad 100644 --- a/roles/MX/templates/etc/postfix/virtual/transport.j2 +++ b/roles/MX/templates/etc/postfix/virtual/transport.j2 
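Review bot: The unconditional `smtpd_tls_security_level = none` added right after `{% endif %}` is overridden by the existing `smtpd_tls_security_level = may` that follows it — Postfix takes the last assignment in main.cf and logs an "overriding earlier entry" warning — so the new line is either dead or, if the intent was to switch server-side TLS off on these hosts, does not do so; keep only one of the two. With `smtp_tls_security_level = encrypt` the client encrypts but does not authenticate peers unless the entries in `cdb:/etc/postfix/tls_policy` raise the level (the `sha256` fingerprint digest suggests `fingerprint` entries, but the map is not in this commit), so the IPSec replacement authenticates only what that map covers. In the next hunk, dropping `smtpd_tls_fingerprint_digest = sha1` while keeping `smtpd_tls_ask_ccert = yes` reverts the server-side digest to the Postfix default (md5 on releases of that time), which no longer matches the sha256 chosen for the client side; any client-certificate fingerprint table would have to change too, and `smtpd_tls_fingerprint_digest = sha256` would keep both ends consistent. A minor style point: `cdb:/etc/postfix/tls_policy` is hard-coded where the other maps in this file use `$config_directory/...`. The smtpd settings continue past the end of this hunk.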
@@ -3,11 +3,11 @@ reserved.locahost.localdomain reserved-alias: {% if 'LDA' in group_names %} mda.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.IMAP.port }} {% else %} -mda.fripost.org smtps:[mda.fripost.org]:{{ postfix_instance.IMAP.port }} +mda.fripost.org smtp:[mda.fripost.org]:{{ postfix_instance.IMAP.port }} {% endif %} {% if 'lists' in group_names %} lists.fripost.org smtpl:[127.0.0.1]:{{ postfix_instance.lists.port }} {% else %} -lists.fripost.org smtps:[lists.fripost.org]:{{ postfix_instance.lists.port }} +lists.fripost.org smtp:[lists.fripost.org]:{{ postfix_instance.lists.port }} {% endif %} -- cgit v1.2.3
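Review bot: Switching `mda.fripost.org` and `lists.fripost.org` from `smtps:` to `smtp:` makes these deliveries take the generic smtp transport's TLS settings from main.cf, and in the same commit those are `smtp_tls_security_level = none` plus `smtp_bind_address = 127.0.0.1` for hosts in the `out` group; a host that is in `out` but not in `LDA` (or `lists`) would therefore reach mda/lists without TLS, or fail to bind at all, unless that combination never occurs in the inventory. If the previous `smtps` transport carried its own `-o smtp_tls_security_level=...` overrides in master.cf (not part of this diff), that protection is lost here. A dedicated transport with `-o smtp_tls_security_level=encrypt`, or a `{% if %}` guard mirroring the one in main.cf, would make the requirement explicit rather than depending on group membership.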