Changeset - 2285dcdda345
[Not reviewed]
Branko Majic (branko) - 11 years ago 2015-04-27 00:23:42
branko@majic.rs
MAR-11: Force use of TLS when forwarding mails to mail relay, including proper server certificate verification. Updated testsite and docs as well.
4 files changed with 12 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -765,12 +765,14 @@ The role implements the following:
 
* Installs SWAKS (utility for testing SMTP servers).
 

	
 
Postfix is configured as follows:
 

	
 
* Local destinations are set-up.
 
* A relay host is set.
 
* TLS is enforced for relaying mails, with configurable truststore for server
 
  certificate verification.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**local_mail_aliases** (dictionary, mandatory)
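Review bot: the new bullet "TLS is enforced for relaying mails, with configurable truststore for server certificate verification" should also state the failure behaviour, because that is the operationally visible consequence of `smtp_tls_security_level=verify` in main.cf.j2: when the relay does not offer STARTTLS, or its certificate does not validate against the truststore, Postfix keeps the message in the deferred queue rather than falling back to cleartext. Operators reading the role reference would otherwise find this out only from the mail log. Suggested wording: "TLS with server certificate verification is mandatory when relaying; messages to a relay that cannot be verified are deferred, not sent in the clear." Minor: "Local destinations are set-up." uses the noun form; as a verb it should be "set up".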
 
@@ -780,12 +782,16 @@ Parameters
 
  recipients/aliases, while the value provided should be a space-separated list
 
  of mail addresses (or local users) where the mails should be forwarded.
 

	
 
**smtp_relay_host** (string, mandatory)
 
  SMTP server via which the mails are sent out for non-local recipients.
 

	
 
**smtp_relay_truststore** (string, mandatory)
 
  Path to the file containing full X.509 CA certificate chain used for
 
  validating the server certificate presented by the relay server.
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up the mail forwarder:
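Review bot: the `smtp_relay_truststore` description documents a path on the managed host, but nothing in this changeset deploys that file (the four touched files are the docs, the main.cf template and two testsite group_vars files), so the parameter reference should say that the operator must provision the file before the role runs and that it must be PEM-encoded, which is what Postfix's smtp_tls_CAfile reads. Suggested wording: "Path (on the managed host) to a PEM file containing the full X.509 CA certificate chain used for validating the server certificate presented by the relay server. The role does not deploy this file; it must be provisioned separately." It would also help to note under `smtp_relay_host` that the relay's certificate must be issued by a CA in that chain and carry the relay's host name, since both conditions are checked.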
 

	
 
@@ -797,6 +803,7 @@ Here is an example configuration for setting-up the mail forwarder:
 
  # well.
 
  local_mail_aliases:
 
    root: "root john.doe@example.com"
 

	
 
  smtp_relay_host: mail.example.com
 

	
 
  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
roles/mail_forwarder/templates/main.cf.j2
 
@@ -20,12 +20,14 @@ readme_directory = no
 
# TLS parameters
 
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
smtp_tls_security_level=verify
 
smtp_tls_CAfile={{ smtp_relay_truststore }}
 

	
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 
# information on enabling SSL in the smtp client.
 

	
 
myhostname = ansible
 
alias_maps = hash:/etc/aliases
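Review bot: `smtp_tls_security_level=verify` leaves the certificate name check at its default, `smtp_tls_verify_cert_match = hostname`, and unless the relay host is written in `[...]` form the relay is resolved via MX lookup, so the name Postfix matches is whatever hostname that DNS answer returned. A forged MX/A response can therefore steer delivery to a host holding a certificate validly issued by the same CA for a different name, and the check still passes. For a fixed relay configured by the operator (the role's `smtp_relay_host`), the `secure` level is the better fit: its default match is `nexthop, dot-nexthop`, the relay name as configured, which takes DNS out of the trust path. Suggest `smtp_tls_security_level=secure` (or keep `verify` and add `smtp_tls_verify_cert_match = nexthop`). Two smaller points: the comment "See /usr/share/doc/postfix/TLS_README.gz ... information on enabling SSL in the smtp client" is now stale since the client is configured directly above it, and `smtp_tls_loglevel = 1` would make verification failures visible in the mail log without further debugging.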
testsite/group_vars/ldap.yml
 
---
 

	
 
local_mail_aliases:
 
  root: "root john.doe@example.com"
 

	
 
smtp_relay_host: mail.example.com
 
smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: dc=example,dc=com
 
  - comment: Set the default URI
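Review bot: the testsite sets `smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem` and `smtp_relay_host: mail.example.com`, but nothing in this changeset places that CA chain on the test hosts or provides a relay with a matching certificate, so with mandatory verification every non-local message the test hosts generate will sit in the deferred queue. If the testsite is meant to exercise the verification path, the chain should be shipped with the inventory (the xmpp group already keeps its TLS material under `{{ inventory_dir }}/tls/`, which would be the natural place) and the relay made reachable; if these are placeholders only, a comment saying so would save the next person a debugging session.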
testsite/group_vars/xmpp.yml
 
@@ -16,12 +16,14 @@ ldap_client_config:
 

	
 
local_mail_aliases:
 
  root: "root john.doe@example.com"
 

	
 
smtp_relay_host: mail.example.com
 

	
 
smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 
prosody_administrators:
 
  - john.doe@example.com
 

	
 
prosody_tls_key: "{{ inventory_dir }}/tls/xmpp.example.com_xmpp.key"
 

	
 
prosody_tls_certificate: "{{ inventory_dir }}/tls/xmpp.example.com_xmpp.pem"
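Review bot: the same three mail variables (`local_mail_aliases`, `smtp_relay_host`, `smtp_relay_truststore`) are now duplicated verbatim between ldap.yml and xmpp.yml. If every testsite group forwards through the same relay with the same CA chain, they belong in a shared group_vars file (all.yml) so the two copies cannot drift apart; if the groups are intended to differ, the values should differ. Also note the inconsistency within this file: `prosody_tls_key` and `prosody_tls_certificate` reference files under `{{ inventory_dir }}/tls/` that the inventory carries, while `smtp_relay_truststore` is an absolute path the host is simply expected to have.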