majic-ansible-roles Changeset

Changeset - a822861bea4e

Parent rev.

Child rev.

[Not reviewed]

0 8 0

Branko Majic (branko) - 20 days ago 2024-08-30 15:00:34
branko@majic.rs

MAR-239: Dropped support for Debian 11 Bullseye from the mail_server role.

8 files changed with 89 insertions and 291 deletions:

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

roles/mail_server/molecule/default/host_vars/ldap-server.yml

roles/mail_server/molecule/default/molecule.yml

roles/mail_server/molecule/default/prepare.yml

roles/mail_server/molecule/default/tests/test_default.py

128

roles/mail_server/molecule/default/tests/test_mandatory.py

roles/mail_server/molecule/default/tests/test_optional.py

roles/mail_server/templates/main.cf.j2

0 comments (0 inline, 0 general)

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

@@ @@ -31,13 +31,12 @@ mail_message_size_limit: 20480001 @@
 mail_server_smtp_additional_configuration: |
   mail_name = MySMTP
   smtp_skip_5xx_greeting = no
 # Variables dependant on distribution release.
 release_based_smtp_allow_relay_from:
   bullseye: "192.168.56.41"
   bookworm: "192.168.56.21"
 # common
 ca_certificates:
   testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

roles/mail_server/molecule/default/host_vars/ldap-server.yml

➞

Show inline comments

@@ @@ -40,13 +40,9 @@ ldap_client_config: @@
 backup_host_ssh_private_keys:
   rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
   ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
   ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 backup_clients:
   - server: param-optional-bullseye
     ip: 192.168.56.52
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
   - server: param-optional-bookworm
     ip: 192.168.56.32
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

roles/mail_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -47,80 +47,12 @@ platforms: @@
       - auto_config: true
         ip: 192.168.56.12
         network_name: private_network
         type: static
   # Debian 11 Bullseye
   # ================
   - name: client1-bullseye
     groups:
       - client
       - client-relay-allowed
       - bullseye
       - smtp-server-requiring-tls
     box: debian/bullseye64
     memory: 256
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.41
         network_name: private_network
         type: static
   - name: client2-bullseye
     groups:
       - client
       - client-relay-forbidden
       - bullseye
       - smtp-server-refusing-tls
     box: debian/bullseye64
     memory: 256
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.42
         network_name: private_network
         type: static
   - name: parameters-mandatory-bullseye
     groups:
       - parameters-mandatory
       - bullseye
     box: debian/bullseye64
     memory: 2048
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.51
         network_name: private_network
         type: static
   - name: parameters-optional-bullseye
     groups:
       - parameters-optional
       - bullseye
     box: debian/bullseye64
     memory: 2048
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.52
         network_name: private_network
         type: static
   # Debian 11 Bookworm
   # ==================
   - name: client1-bookworm
     groups:
       - client

roles/mail_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -26,21 +26,12 @@ @@
       with_items:
         - name: clamav-database_https
           fqdn: database.clamav.net
         - name: ldap-server_ldap
           fqdn: ldap-server
         - name: parameters-mandatory-bullseye_imap
           fqdn: parameters-mandatory-bullseye
         - name: parameters-mandatory-bullseye_smtp
           fqdn: parameters-mandatory-bullseye
         - name: parameters-optional-bullseye_imap
           fqdn: parameters-optional-bullseye
         - name: parameters-optional-bullseye_smtp
           fqdn: parameters-optional-bullseye
         - name: parameters-mandatory-bookworm_imap
           fqdn: parameters-mandatory-bookworm
         - name: parameters-mandatory-bookworm_smtp
           fqdn: parameters-mandatory-bookworm
         - name: parameters-optional-bookworm_imap
           fqdn: parameters-optional-bookworm
@@ @@ -179,34 +170,12 @@ @@
     - name: Restart nginx
       service:
         name: nginx
         state: restarted
 - hosts: bullseye
   become: true
   tasks:
     - name: Set-up the hosts file
       lineinfile:
         path: /etc/hosts
         regexp: "^{{ item.key }}"
         line: "{{ item.key }} {{ item.value }}"
         owner: root
         group: root
         mode: 0644
         state: present
       with_dict:
         # Force mail servers to use local ClamAV database mirror.
 .168.56.11: "db.local.clamav.net database.clamav.net"
 .168.56.12: "ldap-server backup-server"
 .168.56.41: "client1 smtp-server-requiring-tls"
 .168.56.42: "client2 smtp-server-refusing-tls"
 .168.56.51: "parameters-mandatory parameters-mandatory-bullseye"
 .168.56.52: "parameters-optional parameters-optional-bullseye"
 - hosts: bookworm
   become: true
   tasks:
     - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
       blockinfile:

roles/mail_server/molecule/default/tests/test_default.py

➞

Show inline comments

@@ @@ -629,140 +629,74 @@ def test_certificate_validity_check_configuration(host): @@
 def test_smtp_default_port_tls_version_and_ciphers(host):
     """
     Tests TLS configuration for SMTP default port (needs to be less
     restrictive for interoperability purposes).
     """
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
         expected_tls_ciphers = [
             'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
             'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_DHE_RSA_WITH_AES_128_CCM',
             'TLS_DHE_RSA_WITH_AES_128_CCM_8',
             'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
             'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
             'TLS_DHE_RSA_WITH_AES_256_CCM',
             'TLS_DHE_RSA_WITH_AES_256_CCM_8',
             'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
             'TLS_DH_anon_WITH_AES_128_CBC_SHA',
             'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
             'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
             'TLS_DH_anon_WITH_AES_256_CBC_SHA',
             'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
             'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
             'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_DH_anon_WITH_SEED_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
             'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
             'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
             'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
             'TLS_RSA_WITH_AES_128_CBC_SHA',
             'TLS_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_RSA_WITH_AES_128_CCM',
             'TLS_RSA_WITH_AES_128_CCM_8',
             'TLS_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_RSA_WITH_AES_256_CBC_SHA',
             'TLS_RSA_WITH_AES_256_CBC_SHA256',
             'TLS_RSA_WITH_AES_256_CCM',
             'TLS_RSA_WITH_AES_256_CCM_8',
             'TLS_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_RSA_WITH_SEED_CBC_SHA',
+        ]
     else:
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             'TLS_AKE_WITH_AES_128_GCM_SHA256',
             'TLS_AKE_WITH_AES_256_GCM_SHA384',
             'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
             'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_DHE_RSA_WITH_AES_128_CCM',
             'TLS_DHE_RSA_WITH_AES_128_CCM_8',
             'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
             'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
             'TLS_DHE_RSA_WITH_AES_256_CCM',
             'TLS_DHE_RSA_WITH_AES_256_CCM_8',
             'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_DH_anon_WITH_AES_128_CBC_SHA',
             'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
             'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
             'TLS_DH_anon_WITH_AES_256_CBC_SHA',
             'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
             'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
             'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
             'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
             'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
             'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
             'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
             'TLS_RSA_WITH_AES_128_CBC_SHA',
             'TLS_RSA_WITH_AES_128_CBC_SHA256',
             'TLS_RSA_WITH_AES_128_CCM',
             'TLS_RSA_WITH_AES_128_CCM_8',
             'TLS_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_RSA_WITH_AES_256_CBC_SHA',
             'TLS_RSA_WITH_AES_256_CBC_SHA256',
             'TLS_RSA_WITH_AES_256_CCM',
             'TLS_RSA_WITH_AES_256_CCM_8',
             'TLS_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
             'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
             'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
             'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
             'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
             'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
+        ]
     expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
     expected_tls_ciphers = [
         'TLS_AKE_WITH_AES_128_GCM_SHA256',
         'TLS_AKE_WITH_AES_256_GCM_SHA384',
         'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',
         'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
         'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
         'TLS_DHE_RSA_WITH_AES_128_CCM',
         'TLS_DHE_RSA_WITH_AES_128_CCM_8',
         'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
         'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
         'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
         'TLS_DHE_RSA_WITH_AES_256_CCM',
         'TLS_DHE_RSA_WITH_AES_256_CCM_8',
         'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
         'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
         'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
         'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
         'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
         'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
         'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
         'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
         'TLS_DH_anon_WITH_AES_128_CBC_SHA',
         'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
         'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
         'TLS_DH_anon_WITH_AES_256_CBC_SHA',
         'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
         'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
         'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
         'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
         'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
         'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
         'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
         'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
         'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
         'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
         'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
         'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
         'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
         'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
         'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
         'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
         'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
         'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
         'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
         'TLS_RSA_WITH_AES_128_CBC_SHA',
         'TLS_RSA_WITH_AES_128_CBC_SHA256',
         'TLS_RSA_WITH_AES_128_CCM',
         'TLS_RSA_WITH_AES_128_CCM_8',
         'TLS_RSA_WITH_AES_128_GCM_SHA256',
         'TLS_RSA_WITH_AES_256_CBC_SHA',
         'TLS_RSA_WITH_AES_256_CBC_SHA256',
         'TLS_RSA_WITH_AES_256_CCM',
         'TLS_RSA_WITH_AES_256_CCM_8',
         'TLS_RSA_WITH_AES_256_GCM_SHA384',
         'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
         'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
         'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
         'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
         'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
         'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string

roles/mail_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

@@ @@ -95,38 +95,24 @@ def test_mail_owner(host): @@
 def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     IMAP and SMTP submission.
     """
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     else:
         expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             "TLS_AKE_WITH_AES_128_GCM_SHA256",
             "TLS_AKE_WITH_AES_256_GCM_SHA384",
             "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
     expected_tls_ciphers = [
         "TLS_AKE_WITH_AES_128_GCM_SHA256",
         "TLS_AKE_WITH_AES_256_GCM_SHA384",
         "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string

roles/mail_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -120,43 +120,27 @@ def test_mail_owner(host): @@
 def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     IMAP and SMTP submission.
     """
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     else:
         expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             "TLS_AKE_WITH_AES_128_GCM_SHA256",
             "TLS_AKE_WITH_AES_256_GCM_SHA384",
             "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
     expected_tls_ciphers = [
         "TLS_AKE_WITH_AES_128_GCM_SHA256",
         "TLS_AKE_WITH_AES_256_GCM_SHA384",
         "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string

roles/mail_server/templates/main.cf.j2

➞

Show inline comments

@@ @@ -33,17 +33,15 @@ notify_classes = resource, software, 2bounce @@
 # Explicitly set maximum allowed mail size that should be accepted.
 message_size_limit = {{ mail_message_size_limit }}
 # Disable output of Postfix README file paths when invoking postconf.
 readme_directory = no
 {% if ansible_distribution_release != 'bullseye' %}
 # Use whitelist/blacklist instead of allowlist/denylist in log
 # entries.
 respectful_logging = no
 {% endif %}
 # Compatibility level for default values. For more details, see:
 #     https://www.postfix.org/COMPATIBILITY_README.html
 compatibility_level = 3.6

0 comments (0 inline, 0 general)