From 379340b45672689e41c8c7df1e45053948a6099e Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 27 Sep 2016 03:00:03 +0000 Subject: [PATCH] and put in the items kevin asked for. --- ...et-on-for-size-to-get-tls-working-wi.patch | 98 +++++++++++++++++++ 0002-lets-try-another-go-at-patching.patch | 93 ++++++++++++++++++ roles/base/files/postfix/tls_policy | 0 roles/base/tasks/postfix.yml | 15 ++- 4 files changed, 201 insertions(+), 5 deletions(-) create mode 100644 0001-try-this-patch-set-on-for-size-to-get-tls-working-wi.patch create mode 100644 0002-lets-try-another-go-at-patching.patch create mode 100644 roles/base/files/postfix/tls_policy diff --git a/0001-try-this-patch-set-on-for-size-to-get-tls-working-wi.patch b/0001-try-this-patch-set-on-for-size-to-get-tls-working-wi.patch new file mode 100644 index 0000000000..6b2bd6a233 --- /dev/null +++ b/0001-try-this-patch-set-on-for-size-to-get-tls-working-wi.patch 
@@ -0,0 +1,98 @@ +From d2764137e5f3b3786e7cffa15c4902dfc3ef0bf5 Mon Sep 17 00:00:00 2001 +From: Stephen Smoogen +Date: Tue, 27 Sep 2016 01:10:46 +0000 +Subject: [PATCH 1/2] try this patch set on for size to get tls working with + smtp + +--- + roles/base/files/postfix/main.cf/main.cf.gateway | 39 ++++++++++++++++++++++++ + roles/base/tasks/postfix.yml | 29 ++++++++++++++++++ + 2 files changed, 68 insertions(+) + +diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway +index 37b6a87..7a8832a 100644 +--- a/roles/base/files/postfix/main.cf/main.cf.gateway ++++ b/roles/base/files/postfix/main.cf/main.cf.gateway +@@ -703,3 +703,42 @@ local_header_rewrite_clients = static:all + + + message_size_limit = 20971520 ++ ++ ++## TLS ++# enable opportunistic TLS support in the SMTP server ++smtpd_use_tls = yes ++smtpd_tls_security_level = may ++smtpd_tls_auth_only = yes ++smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 ++smtpd_tls_mandatory_ciphers = high ++smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4 ++smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 ++tls_ssl_options = no_ticket, no_compression ++ ++smtpd_tls_loglevel = 1 ++smtpd_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr ++smtpd_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key ++smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt ++smtpd_tls_session_cache_timeout = 3600s ++smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache ++smtpd_tls_received_header = yes ++smtpd_tls_ask_ccert = yes ++smtpd_tls_received_header = yes ++tls_random_source = dev:/dev/urandom ++smtpd_tls_eecdh_grade = ultra ++tls_eecdh_strong_curve = prime256v1 ++tls_eecdh_ultra_curve = secp384r1 ++# TLS end ++#TLS Client ++smtp_tls_fingerprint_digest=sha1 ++smtp_tls_note_starttls_offer = yes ++smtp_tls_policy_maps = hash:/etc/postfix/tls_policy ++smtp_tls_security_level = may ++smtp_tls_mandatory_protocols = !SSLv2,!SSLv3 
++smtp_tls_mandatory_ciphers = high ++smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4 ++smtp_tls_loglevel = 1 ++smtp_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr ++smtp_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key ++smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt +diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml +index 8ffdde1..9db1fa7 100644 +--- a/roles/base/tasks/postfix.yml ++++ b/roles/base/tasks/postfix.yml +@@ -48,3 +48,32 @@ + - config + + ++- name: install /etc/pki/tls/certs/{{name}}.csr ++ copy: > ++ src={{item}} ++ dest=/etc/pki/tls/certs/{{item | basename}} ++ owner=root ++ group=root ++ mode=0644 ++ with_first_found: ++ - "{{private}}/files/httpd/{{cert}}.cert" ++ - "{{private}}/files/httpd/{{name}}.cert" ++ notify: ++ - restart postfix ++ tags: ++ - postfix ++ ++- name: Copy {{name}}.key ++ copy: > ++ src={{item}} ++ dest=/etc/pki/tls/private/{{item | basename}} ++ owner=root ++ group=root ++ mode=0600 ++ with_first_found: ++ - "{{private}}/files/httpd/{{key}}.key" ++ - "{{private}}/files/httpd/{{name}}.key" ++ notify: ++ - restart postfix ++ tags: ++ - postfix +-- +1.8.3.1 + diff --git a/0002-lets-try-another-go-at-patching.patch b/0002-lets-try-another-go-at-patching.patch new file mode 100644 index 0000000000..8a30541282 --- /dev/null +++ b/0002-lets-try-another-go-at-patching.patch 
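Review bot: This file is raw `git format-patch` output checked into the repository root, and its content duplicates history rather than configuring anything: the embedded main.cf.gateway and postfix.yml changes are already present in the tree (the real postfix.yml hunk later in this commit starts from index 4b09963, which is the post-image of the companion 0002 patch). Stray working files like this should be dropped from the commit (`git rm 0001-try-this-patch-set-on-for-size-to-get-tls-working-wi.patch`) so reviewers are not misled into thinking the TLS settings live here. If it is kept for any reason, note that the embedded config sets `smtpd_tls_mandatory_protocols` and `smtpd_tls_received_header` twice and points `smtpd_tls_cert_file`/`smtp_tls_cert_file` at a `.csr` path while the tasks install `{{cert}}.cert`, so the file does not even document a working state.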
@@ -0,0 +1,93 @@ +From 6780736eb30bedd3feb17479ea0a712a38e120b4 Mon Sep 17 00:00:00 2001 +From: Stephen Smoogen +Date: Tue, 27 Sep 2016 01:46:38 +0000 +Subject: [PATCH 2/2] lets try another go at patching + +--- + roles/base/files/postfix/main.cf/main.cf.gateway | 13 ++++++------- + roles/base/tasks/postfix.yml | 24 ++++++++++-------------- + 2 files changed, 16 insertions(+), 21 deletions(-) + +diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway +index 7a8832a..1ef8dc9 100644 +--- a/roles/base/files/postfix/main.cf/main.cf.gateway ++++ b/roles/base/files/postfix/main.cf/main.cf.gateway +@@ -710,16 +710,15 @@ message_size_limit = 20971520 + smtpd_use_tls = yes + smtpd_tls_security_level = may + smtpd_tls_auth_only = yes +-smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 ++smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + smtpd_tls_mandatory_ciphers = high + smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4 +-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + tls_ssl_options = no_ticket, no_compression + + smtpd_tls_loglevel = 1 +-smtpd_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr +-smtpd_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key +-smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt ++smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.csr ++smtpd_tls_key_file = /etc/pki/tls/private/gateway.key ++smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt + smtpd_tls_session_cache_timeout = 3600s + smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache + smtpd_tls_received_header = yes +@@ -739,6 +738,6 @@ smtp_tls_mandatory_protocols = !SSLv2,!SSLv3 + smtp_tls_mandatory_ciphers = high + smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4 + smtp_tls_loglevel = 1 +-smtp_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr +-smtp_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key ++smtp_tls_cert_file = /etc/pki/tls/certs/gateway.csr 
++smtp_tls_key_file = /etc/pki/tls/private/gateway.key + smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt +diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml +index 9db1fa7..4b09963 100644 +--- a/roles/base/tasks/postfix.yml ++++ b/roles/base/tasks/postfix.yml +@@ -48,31 +48,27 @@ + - config + + +-- name: install /etc/pki/tls/certs/{{name}}.csr +- copy: > +- src={{item}} +- dest=/etc/pki/tls/certs/{{item | basename}} ++- name: install /etc/pki/tls/certs/gateway.csr ++ when: inventory_hostname.startswith(('bastion')) ++ copy: ++ src="{{private}}/files/smtpd/gateway.crt" ++ dest=/etc/pki/tls/certs/ + owner=root + group=root + mode=0644 +- with_first_found: +- - "{{private}}/files/httpd/{{cert}}.cert" +- - "{{private}}/files/httpd/{{name}}.cert" + notify: + - restart postfix + tags: + - postfix + +-- name: Copy {{name}}.key +- copy: > +- src={{item}} +- dest=/etc/pki/tls/private/{{item | basename}} ++- name: Copy gateway.key ++ when: inventory_hostname.startswith(('bastion')) ++ copy: ++ src="{{private}}/files/smtpd/gateway.key" ++ dest=/etc/pki/tls/private/ + owner=root + group=root + mode=0600 +- with_first_found: +- - "{{private}}/files/httpd/{{key}}.key" +- - "{{private}}/files/httpd/{{name}}.key" + notify: + - restart postfix + tags: +-- +1.8.3.1 + diff --git a/roles/base/files/postfix/tls_policy b/roles/base/files/postfix/tls_policy new file mode 100644 index 0000000000..e69de29bb2 diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml index 4b09963959..07a4a9474e 100644 --- a/roles/base/tasks/postfix.yml +++ b/roles/base/tasks/postfix.yml 
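Review bot: The embedded change points Postfix at a certificate that is never installed: `smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.csr` and `smtp_tls_cert_file = /etc/pki/tls/certs/gateway.csr`, while the task copies `{{private}}/files/smtpd/gateway.crt` into `/etc/pki/tls/certs/`, so the file on disk is `gateway.crt` (and a `.csr` would be a signing request, not a certificate). With `smtpd_tls_security_level = may` / `smtp_tls_security_level = may` Postfix will presumably log that it cannot load the certificate and carry on without TLS instead of failing, so the mismatch would go unnoticed while mail falls back to cleartext. The two lines should read `smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.crt` and `smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt`, and the task name `install /etc/pki/tls/certs/gateway.csr` should say `gateway.crt`. Like the 0001 file, this is a committed `format-patch` artifact whose post-image (index 4b09963) is already the base of the real postfix.yml diff in this commit, so it should be removed rather than fixed in place.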
@@ -47,28 +47,33 @@ - base - config - -- name: install /etc/pki/tls/certs/gateway.csr +- name: create /etc/postfix/tls_policy + copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy when: inventory_hostname.startswith(('bastion')) + tags: + - postfix + +- name: install /etc/pki/tls/certs/gateway.csr copy: src="{{private}}/files/smtpd/gateway.crt" dest=/etc/pki/tls/certs/ owner=root group=root mode=0644 + when: inventory_hostname.startswith(('bastion')) notify: - restart postfix tags: - postfix - name: Copy gateway.key - when: inventory_hostname.startswith(('bastion')) copy: src="{{private}}/files/smtpd/gateway.key" dest=/etc/pki/tls/private/ owner=root - group=root - mode=0600 + group=postfix + mode=0640 + when: inventory_hostname.startswith(('bastion')) notify: - restart postfix tags:
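Review bot: The `Copy gateway.key` task now installs the private key as `group=postfix` / `mode=0640`, which widens read access to the whole postfix group; postconf(5) recommends the key file be readable by root only, and as far as I recall the Postfix daemons load it during pre-jail initialisation before dropping privileges, so the previous `group=root` / `mode=0600` should be restored unless something on the host demonstrably reads the key as the postfix user (nothing in this hunk does). The new `create /etc/postfix/tls_policy` task only copies the source file, but main.cf references it as `hash:/etc/postfix/tls_policy`, which needs `postmap /etc/postfix/tls_policy` to produce `tls_policy.db` before Postfix can open it; add a `command: postmap /etc/postfix/tls_policy` step that runs when the copy reports changed (or switch the table to a type that does not need compiling), and give the task `owner=root group=root mode=0644` plus `notify: - restart postfix` like its neighbours. The `when: inventory_hostname.startswith(('bastion'))` condition is shared by all three tasks and could move to a block, but that is cosmetic.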