From de4859456f1de54540c96ad97f62858dd089a980 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 1 Jul 2014 23:02:45 +0200
Subject: Replace IPSec tunnels by app-level ephemeral TLS sessions.

For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
---
 roles/lists/templates/etc/postfix/main.cf.j2 | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'roles/lists')

diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 083fa2b..b7a82fe 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -66,11 +66,24 @@ smtp_destination_recipient_limit = 1000
 smtp_data_done_timeout       = 1200s
 smtpd_timeout                = 1200s
 
-# Tunnel everything through IPSec
-smtp_tls_security_level  = none
+
+# Forward everything to our internal outgoing proxy
+{% if 'out' in group_names %}
+relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
+{% else %}
+relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
+{% endif %}
+relay_domains =
+
 {% if 'out' in group_names %}
-smtp_bind_address        = 127.0.0.1
+smtp_tls_security_level         = none
+smtp_bind_address               = 127.0.0.1
 {% else %}
-smtp_bind_address        = 172.16.0.1
+smtp_tls_security_level         = encrypt
+smtp_tls_cert_file              = $config_directory/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file               = $config_directory/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps            = cdb:$config_directory/tls_policy
+smtp_tls_fingerprint_digest     = sha256
 {% endif %}
-smtpd_tls_security_level = none
+smtpd_tls_security_level        = none
-- 
cgit v1.2.3