forked from infra/ansible
Prepare mail role for real ssl certs.
This commit is contained in:
parent
68cdb42b77
commit
5f42f9e70c
@ -42,12 +42,21 @@
|
||||
notify: Restart dovecot
|
||||
tags: mail
|
||||
|
||||
- name: Create dovecot ssl directory
|
||||
file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
|
||||
tags: mail
|
||||
|
||||
- name: Create postfix ssl directory
|
||||
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
|
||||
tags: mail
|
||||
|
||||
- name: Configure policyd
|
||||
copy: src={{ item }} dest=/etc/postfix-policyd-spf-python/{{ item }}
|
||||
with_items:
|
||||
- policyd-spf.conf
|
||||
tags: mail
|
||||
|
||||
# TODO run postmap
|
||||
- name: Configure postfix
|
||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||
with_items:
|
||||
|
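Review bot: The two new directory tasks give the service accounts ownership of the certificate directories (`owner=dovecot group=dovecot`, `owner=postfix group=postfix`), which means a compromised daemon could replace the certificate or key placed there, and any key file created inside with default permissions would be readable by that account, even though, as far as I know, both Dovecot and Postfix open their key file with root privileges before dropping them. I would keep root as owner and grant the group only traverse/read if the service actually needs it, e.g. `file: path=/etc/dovecot/ssl state=directory mode=0750 owner=root group=root`, and make sure the task that eventually installs the key (not in this hunk) sets `mode=0600`. Stylistically, the Ansible convention is block-form module arguments with the octal mode quoted (`mode: "0750"`) rather than the `key=value` strings used here. The `# TODO run postmap` comment and the trailing `with_items:` belong to a task that continues past the end of the hunk.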
@ -15,9 +15,9 @@ mail_uid = vmail
|
||||
mail_gid = vmail
|
||||
|
||||
ssl = yes
|
||||
ssl_cert = </etc/ssl/certs/mail.binary-kitchen.com.pem
|
||||
ssl_key = </etc/ssl/private/mail.binary-kitchen.com.key
|
||||
#ssl_ca = </etc/ssl/binary-kitchen/cacert_ca.crt
|
||||
ssl_cert = </etc/dovecot/ssl/{{ ansible_fqdn }}.crt
|
||||
ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
|
||||
#ssl_ca = TODO
|
||||
ssl_protocols = !SSLv2 !SSLv3
|
||||
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
||||
|
||||
|
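Review bot: The new `#ssl_ca = TODO` placeholder points the follow-up at the wrong setting: in Dovecot, `ssl_ca` lists the CAs used to verify client certificates, while the intermediate chain a public CA issues must be appended to the file named by `ssl_cert`, otherwise clients that do not already have the intermediate will fail validation once the real certificate is installed. I would replace the placeholder with a comment such as `# ssl_cert file must contain the server cert followed by the intermediate chain; ssl_ca is only for client-cert verification`. Since this is a Jinja template, `{{ ansible_fqdn }}` is resolved at deploy time, so the rendered paths have to match what the directory tasks and the not-yet-present certificate-install task produce. The context line `ssl = yes` still lets clients connect without TLS; `ssl = required` would be worth considering alongside the real certificate, though that is outside this hunk.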
@ -3,7 +3,6 @@
|
||||
# Debian specific: Specifying a file name will cause the first
|
||||
# line of that file to be used as the name. The Debian default
|
||||
# is /etc/mailname.
|
||||
#myorigin = /etc/mailname
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
||||
biff = no
|
||||
@ -35,8 +34,9 @@ relayhost =
|
||||
smtp_use_tls = yes
|
||||
smtp_tls_loglevel = 2
|
||||
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_tls_cert_file=/etc/postfix/ssl/{{ ansible_fqdn }}.crt
|
||||
smtpd_tls_key_file=/etc/postfix/ssl/{{ ansible_fqdn }}.key
|
||||
#smtpd_tls_CAfile=TODO
|
||||
smtpd_use_tls=yes
|
||||
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
|
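Review bot: The same chain concern applies to the new `#smtpd_tls_CAfile=TODO` line: Postfix uses `smtpd_tls_CAfile` for verifying peer certificates, and a public CA's intermediates belong in the file named by `smtpd_tls_cert_file`, which should hold the leaf certificate followed by the chain. I would turn the placeholder into `# smtpd_tls_cert_file must hold leaf + intermediate chain; smtpd_tls_CAfile is only needed for client-cert verification`. The key file referenced by the new `smtpd_tls_key_file` line should be readable by root only (Postfix's TLS documentation, as far as I recall, requires this), which the `owner=postfix` directory task in this commit does not guarantee. The context line `smtpd_use_tls=yes` is the legacy form superseded by `smtpd_tls_security_level = may`, but that is outside the hunk.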