diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 087e4aa5f5ad31389d14e252de07c5f66dabc036..fcdf6782d348ededf8470b90b28c7ed57830c7a6 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -1102,7 +1102,7 @@ Parameters LDAP URL that should be used for connecting to the LDAP server for doing domain/user look-ups. -**mail_ldap_tls_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``) +**mail_ldap_tls_truststore** (string, mandatory) X.509 certificate chain used for issuing certificate for the LDAP service. The file will be stored in locations ``/etc/ssl/certs/mail_ldap_tls_truststore.pem`` and ``/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem``. @@ -1147,11 +1147,11 @@ Parameters value can be considered rather low, since two devices (computer and phone) will easily reach it. -**imap_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}``) +**imap_tls_certificate** (string, mandatory) X.509 certificate used for TLS for IMAP service. The file will be stored in directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_imap.pem``. -**imap_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}``) +**imap_tls_key** (string, mandatory) Private key used for TLS for IMAP service. The file will be stored in directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_imap.key``. 
@@ -1162,11 +1162,11 @@ Parameters recipients/aliases, while the value provided should be a space-separated list of mail addresses (or local users) where the mails should be forwarded. -**smtp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}``) +**smtp_tls_certificate** (string, mandatory) X.509 certificate used for TLS for SMTP service. The file will be stored in directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_smtp.pem``. -**smtp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}``) +**smtp_tls_key** (string, mandatory) Private key used for TLS for SMTP service. The file will be stored in directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_smtp.key``. diff --git a/docs/usage.rst b/docs/usage.rst index 32da358eb2dd5a3450606d8b5e38c34b10e3f6ee..0de5e5e7795f57e633faa711978272c7f25f559d 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -776,6 +776,18 @@ role. mail_user_uid: 5000 mail_user_gid: 5000 + # Set private keys and certificates to use for the IMAP service. + imap_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_imap.pem') }}" + imap_tls_key: "{{ lookup('file', 'tls/comms.example.com_imap.key') }}" + + # Set private keys and certificates to use for the SMTP service. + smtp_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_smtp.pem') }}" + smtp_tls_key: "{{ lookup('file', 'tls/comms.example.com_smtp.key') }}" + + # Set the X.509 certificate truststore to use for validating the + # LDAP server certificate. + mail_ldap_tls_truststore: "{{ lookup('file', 'tls/truststore.pem') }}" + 3. There are two distinct mail services that need to access the LDAP directory - *Postfix* (serving as an SMTP server), and *Dovecot* (serving as an IMAP server). These two need their own dedicated LDAP entries on the LDAP server in 
diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml index 06eef0d80344e5ec3f2bbbf5a6b9f1648d473757..7c198d9772e9a5944bef9987fd449670b8580633 100644 --- a/roles/mail_server/defaults/main.yml +++ b/roles/mail_server/defaults/main.yml @@ -1,12 +1,7 @@ --- enable_backup: false -mail_ldap_tls_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}" mail_user: vmail -imap_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_imap.pem') }}" -imap_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_imap.key') }}" -smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_smtp.pem') }}" -smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_smtp.key') }}" imap_folder_separator: "/" smtp_rbl: [] mail_postmaster: "postmaster@{{ ansible_domain }}" diff --git a/roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml b/roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml index b30c3385ee206b75a0ff6a07178a589a2d799273..e23f203b4c07ffbc316f8d9ffd2607fdb87a1e11 100644 --- a/roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml +++ b/roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml 
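Review bot: Dropping the five defaults (`mail_ldap_tls_truststore`, `imap_tls_certificate`, `imap_tls_key`, `smtp_tls_certificate`, `smtp_tls_key`) turns them into mandatory parameters, but nothing in this diff validates that a caller actually set them, so a missing value now surfaces as an undefined-variable error at whatever task first renders it (possibly after earlier tasks have already changed the host) rather than at role entry. Unless the role already asserts its mandatory parameters elsewhere (not visible here), add an early task in the role's task list along the lines of `- assert: { that: [mail_ldap_tls_truststore is defined, imap_tls_certificate is defined, imap_tls_key is defined, smtp_tls_certificate is defined, smtp_tls_key is defined] }` with a `fail_msg` naming the parameters. That keeps the fail-fast behaviour the old `lookup('file', ...)` defaults gave implicitly when the file was absent, and it documents the contract in code next to the `mandatory` wording added to rolereference.rst.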
@@ -2,12 +2,15 @@ mail_ldap_base_dn: dc=local mail_ldap_url: ldap://ldap-server/ +mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/truststore.pem') }}" mail_ldap_postfix_password: postfixpassword mail_ldap_dovecot_password: dovecotpassword -# Common parameters (general, not role). -tls_certificate_dir: tests/data/x509/ -tls_private_key_dir: tests/data/x509/ +imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.cert.pem') }}" +imap_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.key.pem') }}" + +smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.cert.pem') }}" +smtp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.key.pem') }}" # common ca_certificates: diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml index b8cd407acf19330f09793f7fd28dfa6433b63849..ae316e74ad990e756e4b91acb0457b840cd7f0aa 100644 --- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml +++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml @@ -2,7 +2,7 @@ mail_ldap_base_dn: dc=local mail_ldap_url: ldap://ldap-server/ -mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}" +mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/truststore.pem') }}" mail_ldap_postfix_password: postfixpassword mail_ldap_dovecot_password: dovecotpassword mail_server_tls_protocols: diff --git a/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.pem b/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.cert.pem similarity index 100% rename from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.pem rename to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.cert.pem 
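Review bot: The four new lookup terms in parameters-mandatory.yml nest a `{{ inventory_hostname }}` moustache inside a string that is itself the argument of an outer `{{ lookup('file', ...) }}` expression. Ansible does template lookup terms recursively, so this probably resolves in the molecule run, but nested moustaches are non-idiomatic, easy to break on quoting, and differ from the concatenation form the removed defaults used; write them as plain Jinja expressions instead, e.g. `imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/' + inventory_hostname + '_imap.cert.pem') }}"`, and the same for `imap_tls_key`, `smtp_tls_certificate` and `smtp_tls_key`. The `mail_ldap_tls_truststore` line has no nested template and is fine as written.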
diff --git a/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key b/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key.pem similarity index 100% rename from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key rename to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key.pem diff --git a/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.pem b/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.cert.pem similarity index 100% rename from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.pem rename to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.cert.pem diff --git a/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key b/roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key.pem similarity index 100% rename from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key rename to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key.pem diff --git a/roles/mail_server/molecule/default/tests/test_mandatory.py b/roles/mail_server/molecule/default/tests/test_mandatory.py index f1997002a7036bd1f93a41df09db4a5b3bf59468..1e532da4601775a12bc79b94d12b5f2c4d395756 100644 --- a/roles/mail_server/molecule/default/tests/test_mandatory.py +++ b/roles/mail_server/molecule/default/tests/test_mandatory.py 
@@ -21,28 +21,28 @@ def test_smtp_tls_files(host): assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 - assert tls_file.content_string == open("tests/data/x509/%s_smtp.key" % hostname, "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_smtp.key.pem" % hostname, "r").read().rstrip() tls_file = host.file('/etc/ssl/certs/%s_smtp.pem' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 - assert tls_file.content_string == open("tests/data/x509/%s_smtp.pem" % hostname, "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_smtp.cert.pem" % hostname, "r").read().rstrip() tls_file = host.file('/etc/ssl/private/%s_imap.key' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 - assert tls_file.content_string == open("tests/data/x509/%s_imap.key" % hostname, "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_imap.key.pem" % hostname, "r").read().rstrip() tls_file = host.file('/etc/ssl/certs/%s_imap.pem' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 - assert tls_file.content_string == open("tests/data/x509/%s_imap.pem" % hostname, "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_imap.cert.pem" % hostname, "r").read().rstrip() def test_certificate_validity_check_configuration(host):
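Review bot: Each of the four rewritten assertions still builds the expected value with a bare `open(...).read().rstrip()` that relies on garbage collection to close the fixture file; since these lines are being touched anyway, open the fixture with a context manager, e.g. `with open("tests/data/x509/%s_smtp.key.pem" % hostname, "r") as f:` / `expected = f.read().rstrip()` followed by `assert tls_file.content_string == expected`, and likewise for the `_smtp.cert.pem`, `_imap.key.pem` and `_imap.cert.pem` checks. The four blocks differ only in path, mode and fixture suffix, so a small module-level helper taking the fixture name would also remove the repetition, though that belongs outside this hunk. `test_smtp_tls_files` starts before the hunk, so the assignment of `hostname` and the first `tls_file` are not visible here.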