From c515d0adea0ce6408dfaa5719a3bbf3340da7d92 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 10 Jul 2014 03:32:23 +0200
Subject: Ensure have a TLS policy for each of our host we want to relay to.

---
 roles/common/templates/etc/postfix/tls_policy.j2 | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

(limited to 'roles/common/templates/etc')

diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2
index b4fc453..d53b0a0 100644
--- a/roles/common/templates/etc/postfix/tls_policy.j2
+++ b/roles/common/templates/etc/postfix/tls_policy.j2
@@ -1,6 +1,25 @@
 # {{ ansible_managed }}
+# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256!
 
+{% if 'out' not in group_names %}
 [outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2
-{% for x in tls_policy.results %}
-   match={{ x.stdout }}
+{% for h in groups.out | sort %}
+    match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }}
 {% endfor %}
+{% endif %}
+
+{% if 'MX' in group_names %}
+{% if 'IMAP' not in group_names %}
+[mda.fripost.org]:{{ postfix_instance.IMAP.port }} fingerprint ciphers=high protocols=TLSv1.2
+{% for h in groups.IMAP | sort %}
+    match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }}
+{% endfor %}
+{% endif %}
+
+{% if 'lists' not in group_names %}
+[antilop.fripost.org]:{{ postfix_instance.lists.port }} fingerprint ciphers=high
+{% for h in groups.lists | sort %}
+   match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }}
+{% endfor %}
+{% endif %}
+{% endif %}
-- 
cgit v1.2.3