From de4859456f1de54540c96ad97f62858dd089a980 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 1 Jul 2014 23:02:45 +0200 Subject: Replace IPSec tunnels by app-level ephemeral TLS sessions. For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. --- roles/out/tasks/main.yml | 24 +++++++++++- roles/out/templates/etc/postfix/main.cf.j2 | 43 +++++++++++++++------- .../out/templates/etc/postfix/relay_clientcerts.j2 | 5 +++ 3 files changed, 57 insertions(+), 15 deletions(-) create mode 100644 roles/out/templates/etc/postfix/relay_clientcerts.j2 (limited to 'roles/out') diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml index 4bf4363..8bd8bbb 100644 --- a/roles/out/tasks/main.yml +++ b/roles/out/tasks/main.yml @@ -10,8 +10,30 @@ notify: - Restart Postfix +- name: Build the Postfix relay clientcerts map + sudo: False + # smtpd_tls_fingerprint_digest MUST be sha256! + local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p' + with_items: groups.all | difference([inventory_hostname]) | sort + register: relay_clientcerts + changed_when: False + +- name: Copy the Postfix relay clientcerts map + template: src=etc/postfix/relay_clientcerts.j2 + dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts + owner=root group=root + mode=0644 + +- name: Compile the Postfix relay clientcerts map + postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart Postfix + - name: Start Postfix service: name=postfix state=started - when: not r.changed + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 1a7985f..11bcc10 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 @@ -1,5 +1,5 @@ ######################################################################## -# Outgoing MTA configuration +# Outgoing MTA (outgoing SMTP proxy) configuration # # {{ ansible_managed }} # Do NOT edit this file directly! @@ -19,7 +19,7 @@ append_dot_mydomain = no # Turn off all TCP/IP listener ports except that necessary for the # outgoing SMTP proxy. -master_service_disable = !2525.inet inet +master_service_disable = !{{ postfix_instance.out.port }}.inet inet queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} @@ -27,10 +27,8 @@ multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes -# Accept everything coming through IPSec. -# TODO: this should our virtual private subnetwork -mynetworks = 0.0.0.0/0 -inet_interfaces = 172.16.0.1, 127.0.0.1 +mynetworks_style = host +inet_interfaces = all # No local delivery mydestination = @@ -42,8 +40,8 @@ local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + -relay_domains = -relay_transport = error:5.3.2 Relay Transport unavailable +relay_domains = +relay_transport = error:5.3.2 Relay Transport unavailable # All header rewriting happens upstream local_header_rewrite_clients = @@ -51,13 +49,29 @@ local_header_rewrite_clients = smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes -smtp_tls_cert_file = /etc/postfix-out/ssl/smtp.fripost.org.pem -smtp_tls_key_file = /etc/postfix-out/ssl/smtp.fripost.org.key -smtp_tls_CApath = /etc/ssl/certs/ smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache -smtp_tls_fingerprint_digest = sha1 -tls_random_source = dev:/dev/urandom +relay_clientcerts = cdb:$config_directory/relay_clientcerts +smtpd_tls_security_level = may +smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem +smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key +smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_received_header = yes +smtpd_tls_ask_ccert = yes +smtpd_tls_session_cache_timeout = 3600s +smtpd_tls_fingerprint_digest = sha256 + + +strict_rfc821_envelopes = yes +smtpd_delay_reject = yes +disable_vrfy_command = yes + +smtpd_client_restrictions = + permit_mynetworks + permit_tls_clientcerts + # We are the only ones using this proxy, but if things go wrong we + # want to know why + defer smtpd_helo_required = yes smtpd_helo_restrictions = @@ -72,7 +86,8 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks - reject_unauth_destination + permit_tls_clientcerts + reject smtpd_data_restrictions = reject_unauth_pipelining diff --git a/roles/out/templates/etc/postfix/relay_clientcerts.j2 b/roles/out/templates/etc/postfix/relay_clientcerts.j2 new file mode 100644 index 0000000..3f724ea --- /dev/null +++ b/roles/out/templates/etc/postfix/relay_clientcerts.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +{% for x in relay_clientcerts.results %} +{{ x.stdout }} +{% endfor %} -- cgit v1.2.3