From d0196c8c00530f24f06953633d0d8c31a30b638b Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Thu, 4 Feb 2021 23:18:23 +0100
Subject: [PATCH] Postfix conf add certs and other security related modifications
---
 host_vars/mail.auro.re.yml | 5 +++++
 roles/postfix/templates/main.cf.j2 | 31 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml
index cc3ff9f..64da62b 100644
--- a/host_vars/mail.auro.re.yml
+++ b/host_vars/mail.auro.re.yml
@@ -5,6 +5,11 @@ certbot:
 - smtp.auro.re
 mail: tech.aurore@lists.crans.org
 certname: auro.re
+ cert_path_prefix = "/etc/letsencrypt/live/{{ certbot.certname }}"
+ cert_path_cert = "{{ cerbot.cert_path_prefix }}/cert.pem"
+ cert_path_chain = "{{ cerbot.cert_path_prefix }}/chain.pem"
+ cert_path_fullchain = "{{ cerbot.cert_path_prefix }}/fullchain.pem"
+ cert_path_privkey = "{{ cerbot.cert_path_prefix }}/privkey.pem"
 nfs:
 src: "10.128.0.6:/data_mail" # caradoc
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index 97412c2..e312caa 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
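Review bot: The five added lines under `certbot:` use `=` instead of `:` (`cert_path_prefix = "..."`), which is not valid YAML mapping syntax, and four of them reference `cerbot.cert_path_prefix`, a misspelling of `certbot`, so the host_vars file will fail to load and, even with the syntax fixed, `{{ certbot.cert_path_fullchain }}` and `{{ certbot.cert_path_privkey }}` in the main.cf.j2 hunk would resolve to an undefined variable. The lines should read `cert_path_prefix: "/etc/letsencrypt/live/{{ certbot.certname }}"` and `cert_path_fullchain: "{{ certbot.cert_path_prefix }}/fullchain.pem"`, with the same pattern for cert, chain and privkey. Self-references inside the same `certbot` dict may also be rejected by Ansible as recursive templating depending on the version; if that happens, writing the expanded `/etc/letsencrypt/live/{{ certbot.certname }}/...` path in each entry is the safer form. Since the Postfix template cannot render until this file loads, a YAML syntax check of host_vars before the play runs would catch this early.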
@@ -33,3 +33,34 @@ relay_domains =
 # Allow plus delimiter
 recipient_delimiter = +
+
+# Re2o Generated files
+alias_database = hash:/var/local/re2o-services/mail-server/generated/aliases
+alias_maps = $alias_database
+local_recipient_maps = $alias_maps unix:passwd.byname
+virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
+relay_recipient_maps = hash:/var/local/re2o-services/mail-server/generated/virtual
+
+# Tell Postfix to deliver emails to Dovecot through LMTP
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+# TLS for reception
+smtpd_use_tls = yes
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = {{ certbot.cert_path_fullchain }}
+smtpd_tls_key_file = {{ certbot.cert_path_privkey }}
+smtpd_tls_loglevel = 0
+smtpd_tls_received_header = yes
+
+# TLS for sending
+smtp_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+smtp_tls_cert_file =
+smtp_tls_key_file =
+smtp_tls_CApath = /etc/ssl/certs/
+
+# Caching TLS sessions
+smtpd_tls_session_cache_database=btree:/var/lib/postfix/smtpd_tls_session_cache
+smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache
+
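Review bot: `smtpd_tls_loglevel = 0` on the inbound side means the mail log carries no record of which inbound sessions negotiated TLS or failed the handshake, while the outbound side logs at level 1; setting `smtpd_tls_loglevel = 1` gives the same one-line summary per session and is what you need to confirm the new certificate is actually served and to spot handshake failures after a renewal. `smtpd_use_tls = yes` and `smtp_use_tls = yes` are the obsolete form and are overridden by the `*_tls_security_level` lines right after them, so they can be dropped to avoid two settings describing the same thing. No `smtpd_tls_protocols` / `smtp_tls_protocols` line is set, so the accepted protocol versions are whatever this Postfix release defaults to; older releases still permit SSLv2/SSLv3 unless excluded, so pinning `smtpd_tls_protocols = !SSLv2, !SSLv3` (and the `smtp_` counterpart) is worth doing if the package version is not fixed by the role. `smtpd_tls_received_header = yes` is a good addition since it records the protocol and cipher in the Received header for later forensics.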