From de4859456f1de54540c96ad97f62858dd089a980 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 1 Jul 2014 23:02:45 +0200
Subject: Replace IPSec tunnels by app-level ephemeral TLS sessions.

For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
---
 roles/out/tasks/main.yml                           | 24 +++++++++++-
 roles/out/templates/etc/postfix/main.cf.j2         | 43 +++++++++++++++-------
 .../out/templates/etc/postfix/relay_clientcerts.j2 |  5 +++
 3 files changed, 57 insertions(+), 15 deletions(-)
 create mode 100644 roles/out/templates/etc/postfix/relay_clientcerts.j2

(limited to 'roles/out')

diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 4bf4363..8bd8bbb 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -10,8 +10,30 @@
   notify:
     - Restart Postfix
 
+- name: Build the Postfix relay clientcerts map
+  sudo: False
+  # smtpd_tls_fingerprint_digest MUST be sha256!
+  local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | sed -nr 's/^.*=(.*)/\1 {{ item }}/p'
+  with_items: groups.all | difference([inventory_hostname]) | sort
+  register: relay_clientcerts
+  changed_when: False
+
+- name: Copy the Postfix relay clientcerts map
+  template: src=etc/postfix/relay_clientcerts.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+            owner=root group=root
+            mode=0644
+
+- name: Compile the Postfix relay clientcerts map
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+           owner=root group=root
+           mode=0644
+  register: r2
+  notify:
+    - Restart Postfix
+
 - name: Start Postfix
   service: name=postfix state=started
-  when: not r.changed
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 1a7985f..11bcc10 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -1,5 +1,5 @@
 ########################################################################
-# Outgoing MTA configuration
+# Outgoing MTA (outgoing SMTP proxy) configuration
 #
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
@@ -19,7 +19,7 @@ append_dot_mydomain = no
 
 # Turn off all TCP/IP listener ports except that necessary for the
 # outgoing SMTP proxy.
-master_service_disable = !2525.inet inet
+master_service_disable = !{{ postfix_instance.out.port }}.inet inet
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
@@ -27,10 +27,8 @@ multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
-# Accept everything coming through IPSec.
-# TODO: this should our virtual private subnetwork
-mynetworks      = 0.0.0.0/0
-inet_interfaces = 172.16.0.1, 127.0.0.1
+mynetworks_style = host
+inet_interfaces  = all
 
 # No local delivery
 mydestination        =
@@ -42,8 +40,8 @@ local_recipient_maps =
 message_size_limit  = 67108864
 recipient_delimiter = +
 
-relay_domains           =
-relay_transport         = error:5.3.2 Relay Transport unavailable
+relay_domains       =
+relay_transport     = error:5.3.2 Relay Transport unavailable
 
 # All header rewriting happens upstream
 local_header_rewrite_clients =
@@ -51,13 +49,29 @@ local_header_rewrite_clients =
 
 smtp_tls_security_level         = may
 smtp_tls_note_starttls_offer    = yes
-smtp_tls_cert_file              = /etc/postfix-out/ssl/smtp.fripost.org.pem
-smtp_tls_key_file               = /etc/postfix-out/ssl/smtp.fripost.org.key
-smtp_tls_CApath                 = /etc/ssl/certs/
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_fingerprint_digest     = sha1
-tls_random_source               = dev:/dev/urandom
 
+relay_clientcerts               = cdb:$config_directory/relay_clientcerts
+smtpd_tls_security_level        = may
+smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header       = yes
+smtpd_tls_ask_ccert             = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_fingerprint_digest    = sha256
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject      = yes
+disable_vrfy_command    = yes
+
+smtpd_client_restrictions =
+    permit_mynetworks
+    permit_tls_clientcerts
+    # We are the only ones using this proxy, but if things go wrong we
+    # want to know why
+    defer
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
@@ -72,7 +86,8 @@ smtpd_recipient_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
     permit_mynetworks
-    reject_unauth_destination
+    permit_tls_clientcerts
+    reject
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
diff --git a/roles/out/templates/etc/postfix/relay_clientcerts.j2 b/roles/out/templates/etc/postfix/relay_clientcerts.j2
new file mode 100644
index 0000000..3f724ea
--- /dev/null
+++ b/roles/out/templates/etc/postfix/relay_clientcerts.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for x in relay_clientcerts.results %}
+{{ x.stdout }}
+{% endfor %}
-- 
cgit v1.2.3