Changeset - 2285dcdda345
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-04-27 00:23:42
branko@majic.rs
MAR-11: Force use of TLS when forwarding mails to mail relay, including proper server certificate verification. Updated testsite and docs as well.
4 files changed with 12 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -768,6 +768,8 @@ Postfix is configured as follows:
 

	
 
* Local destinations are set-up.
 
* A relay host is set.
 
* TLS is enforced for relaying mails, with configurable truststore for server
 
  certificate verification.
 

	
 

	
 
Parameters
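Review bot: the new bullet says TLS is enforced with a configurable truststore, but it does not say what "enforced" means for delivery. With `smtp_tls_security_level=verify` (the value this changeset puts into main.cf.j2), Postfix does not fall back to plaintext when the relay's certificate cannot be verified; the connection is refused and the mail is deferred. One sentence here would tell operators that an expired or mismatched relay certificate stops outbound mail rather than silently downgrading it. Minor style point: "set-up" is the noun form; as a verb the line should read "Local destinations are set up."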
 
@@ -783,6 +785,10 @@ Parameters
 
**smtp_relay_host** (string, mandatory)
 
  SMTP server via which the mails are sent out for non-local recipients.
 

	
 
**smtp_relay_truststore** (string, mandatory)
 
  Path to the file containing full X.509 CA certificate chain used for
 
  validating the server certificate presented by the relay server.
 

	
 

	
 
Examples
 
~~~~~~~~
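Review bot: `smtp_relay_truststore` is documented as mandatory and main.cf.j2 in this changeset points `smtp_tls_CAfile` at it, but nothing in the changeset deploys that file. The description should state that the CA chain file must already exist on the mail forwarder host (or be deployed by something else) and that the path is interpreted on that host. It would also help to say what belongs in it: the CA certificate(s) that issued the relay's certificate, not the relay's own leaf certificate, so that a routine certificate renewal on the relay does not break verification.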
 
@@ -800,3 +806,4 @@ Here is an example configuration for setting-up the mail forwarder:
 

	
 
  smtp_relay_host: mail.example.com
 

	
 
  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
roles/mail_forwarder/templates/main.cf.j2
 
@@ -23,6 +23,8 @@ smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
smtp_tls_security_level=verify
 
smtp_tls_CAfile={{ smtp_relay_truststore }}
 

	
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 
# information on enabling SSL in the smtp client.
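Review bot: `smtp_tls_security_level=verify` checks the chain against `smtp_tls_CAfile` and also matches the certificate against the relay's hostname, so `smtp_relay_host` has to be a DNS name that appears in the relay's certificate; an IP address or a name the certificate does not cover fails verification and defers all outbound mail. Consider stating that constraint in a comment next to these two lines, or making the expected name explicit with `smtp_tls_verify_cert_match`, so the dependency on the `smtp_relay_host` value is not implicit. Unrelated to this change but visible in the context above: `smtpd_tls_key_file` still points at the snakeoil key, so the inbound side remains self-signed; worth a follow-up.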
testsite/group_vars/ldap.yml
 
@@ -4,6 +4,7 @@ local_mail_aliases:
 
  root: "root john.doe@example.com"
 

	
 
smtp_relay_host: mail.example.com
 
smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
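Review bot: the testsite now requires /etc/ssl/certs/example_ca_chain.pem on the ldap hosts, and nothing in this changeset creates it. If the test environment does not provision that file together with a relay certificate for mail.example.com that chains to it, Postfix on the test hosts will fail verification and defer every outbound message, so the testsite should either ship the file or document that prerequisite next to these variables.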
testsite/group_vars/xmpp.yml
 
@@ -19,6 +19,8 @@ local_mail_aliases:
 

	
 
smtp_relay_host: mail.example.com
 

	
 
smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 
prosody_administrators:
 
  - john.doe@example.com
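Review bot: `smtp_relay_host` and `smtp_relay_truststore` are now copied verbatim into both ldap.yml and xmpp.yml. Since both groups use the same relay and the same CA chain, a single definition in a group shared by both hosts would keep the two copies from drifting; a mismatch in the truststore path would have one group verifying the relay against a different CA file. Small layout point: ldap.yml keeps the two variables together while this file separates them with a blank line; it would be easier to compare the two if they matched.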
 

	