push the tls change out to the smtp-mm boxes

2016-09-27 17:37:21 +00:00 · 2016-09-27 17:37:21 +00:00 · e13358ccd8
commit e13358ccd8
parent 41cee6c129
2 changed files with 40 additions and 3 deletions
--- a/roles/base/files/postfix/main.cf/main.cf.smtp-mm
+++ b/roles/base/files/postfix/main.cf/main.cf.smtp-mm
@ -699,3 +699,40 @@ inet_protocols = all
 transport_maps = hash:/etc/postfix/transport

 message_size_limit = 20971520
+
+## TLS
+# enable opportunistic TLS support in the SMTP server
+smtpd_use_tls = yes
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
+#tls_ssl_options = no_ticket, no_compression
+
+smtpd_tls_loglevel = 1
+smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.crt
+smtpd_tls_key_file =  /etc/pki/tls/private/gateway.key
+smtpd_tls_CAfile  =   /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_session_cache_database        = btree:${queue_directory}/smtpd_scache
+smtpd_tls_received_header               = yes
+smtpd_tls_ask_ccert                     = yes
+smtpd_tls_received_header = yes
+tls_random_source                       = dev:/dev/urandom
+smtpd_tls_eecdh_grade = ultra
+tls_eecdh_strong_curve = prime256v1
+tls_eecdh_ultra_curve = secp384r1
+# TLS end
+#TLS Client
+smtp_tls_fingerprint_digest=sha1
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtp_tls_mandatory_ciphers = high
+smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
+smtp_tls_loglevel = 1
+smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
+smtp_tls_key_file = /etc/pki/tls/private/gateway.key
+smtp_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@ -49,7 +49,7 @@

 - name: create /etc/postfix/tls_policy
  copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy
-  when: inventory_hostname.startswith(('bastion'))
+  when: inventory_hostname.startswith(('bastion','smtp-mm'))
  notify:
  - rebuild postfix tls_policy
  - restart postfix
@ -63,7 +63,7 @@
    owner=root
    group=root
    mode=0644
-  when: inventory_hostname.startswith(('bastion'))
+  when: inventory_hostname.startswith(('bastion','smtp-mm'))
  notify:
  - restart postfix
  tags:
@ -76,7 +76,7 @@
    owner=root
    group=postfix
    mode=0640
-  when: inventory_hostname.startswith(('bastion'))
+  when: inventory_hostname.startswith(('bastion','smtp-mm'))
  notify:
  - restart postfix
  tags: