Postfix conf add certs and other security related modifications

host_vars/mail.auro.re.yml

@@ -5,6 +5,11 @@ certbot:
     - smtp.auro.re
   mail: tech.aurore@lists.crans.org
   certname: auro.re
+  cert_path_prefix = "/etc/letsencrypt/live/{{ certbot.certname }}"
+  cert_path_cert = "{{ cerbot.cert_path_prefix }}/cert.pem"
+  cert_path_chain = "{{ cerbot.cert_path_prefix }}/chain.pem"
+  cert_path_fullchain = "{{ cerbot.cert_path_prefix }}/fullchain.pem"
+  cert_path_privkey = "{{ cerbot.cert_path_prefix }}/privkey.pem"
 
 nfs:
   src: "10.128.0.6:/data_mail"  # caradoc

roles/postfix/templates/main.cf.j2

@@ -33,3 +33,34 @@ relay_domains =
 
 # Allow plus delimiter
 recipient_delimiter = +
+
+# Re2o Generated files
+alias_database = hash:/var/local/re2o-services/mail-server/generated/aliases
+alias_maps = $alias_database
+local_recipient_maps = $alias_maps unix:passwd.byname
+virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
+relay_recipient_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
+
+# Tell Postfix to deliver emails to Dovecot through LMTP
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+# TLS for reception
+smtpd_use_tls = yes
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = {{ certbot.cert_path_fullchain }} 
+smtpd_tls_key_file = {{ certbot.cert_path_privkey }} 
+smtpd_tls_loglevel = 0
+smtpd_tls_received_header = yes
+
+# TLS for sending
+smtp_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1 
+smtp_tls_cert_file =
+smtp_tls_key_file =
+smtp_tls_CApath = /etc/ssl/certs/
+
+# Caching TLS sessions
+smtpd_tls_session_cache_database=btree:/var/lib/postfix/smtpd_tls_session_cache
+smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache
+