From c515d0adea0ce6408dfaa5719a3bbf3340da7d92 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 Jul 2014 03:32:23 +0200 Subject: Ensure have a TLS policy for each of our host we want to relay to. --- roles/common/templates/etc/postfix/tls_policy.j2 | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'roles/common/templates') diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2 index b4fc453..d53b0a0 100644 --- a/roles/common/templates/etc/postfix/tls_policy.j2 +++ b/roles/common/templates/etc/postfix/tls_policy.j2 @@ -1,6 +1,25 @@ # {{ ansible_managed }} +# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256! +{% if 'out' not in group_names %} [outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2 -{% for x in tls_policy.results %} - match={{ x.stdout }} +{% for h in groups.out | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {% endfor %} +{% endif %} + +{% if 'MX' in group_names %} +{% if 'IMAP' not in group_names %} +[mda.fripost.org]:{{ postfix_instance.IMAP.port }} fingerprint ciphers=high protocols=TLSv1.2 +{% for h in groups.IMAP | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} +{% endfor %} +{% endif %} + +{% if 'lists' not in group_names %} +[antilop.fripost.org]:{{ postfix_instance.lists.port }} fingerprint ciphers=high +{% for h in groups.lists | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} +{% endfor %} +{% endif %} +{% endif %} -- cgit v1.2.3