Fix mail-related certificate handling.

2016-04-01 08:10:00 +02:00 · 2016-04-01 08:10:00 +02:00 · 157577dfcb
parent 4b22d48931
commit 157577dfcb
6 changed files with 42 additions and 11 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -8,6 +8,7 @@ ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
 ldap_bindpw: svcpwd

 mail_domain: binary-kitchen.de
+mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de

 nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@ -100,10 +100,40 @@
  notify: Run postmap
  tags: mail

+- name: Ensure postfix certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
+  notify: Restart postfix
+  tags: mail
+
+- name: Ensure correct postfix certificate permissions
+  file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=root mode=0400
+  notify: Restart postfix
+  tags: mail
+
+- name: Ensure dovecot certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt
+  notify: Restart dovecot
+  tags: mail
+
+- name: Ensure correct dovecot certificate permissions
+  file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=root mode=0400
+  notify: Restart dovecot
+  tags: mail
+
 - name: Configure certificate manager
  template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}_mail.conf
  tags: mail

+- name: Ensure mailman certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt
+  notify: Restart nginx
+  tags: mail
+
+- name: Ensure correct mailman certificate permissions
+  file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
+  notify: Restart nginx
+  tags: mail
+
 - name: Configure certificate manager for mailman
  template: src=mailman/certs.j2 dest=/etc/acme/domains.d/{{ mailman_domain }}_mailman.conf
  tags: mail
--- a/roles/mail/templates/certs.j2
+++ b/roles/mail/templates/certs.j2
@ -1,25 +1,25 @@
 ---

-{{ ansible_fqdn }}:
- path: /etc/postfix/ssl/{{ ansible_fqdn }}.crt
+{{ mail_server }}:
+- path: /etc/postfix/ssl/{{ mail_server }}.crt
  user: postfix
  group: postfix
  perm: '400'
  format: crt
  notify: 'service postfix reload'
- path: /etc/postfix/ssl/{{ ansible_fqdn }}.key
+- path: /etc/postfix/ssl/{{ mail_server }}.key
  user: postfix
  group: postfix
  perm: '400'
  format: key
  notify: 'service postfix reload'
- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.crt
+- path: /etc/dovecot/ssl/{{ mail_server }}.crt
  user: dovecot
  group: dovecot
  perm: '400'
  format: crt
  notify: 'service dovecot reload'
- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.key
+- path: /etc/dovecot/ssl/{{ mail_server }}.key
  user: dovecot
  group: dovecot
  perm: '400'
--- a/roles/mail/templates/dovecot/local.conf.j2
+++ b/roles/mail/templates/dovecot/local.conf.j2
@ -16,8 +16,8 @@ mail_uid = vmail
 mail_gid = vmail

 ssl = yes
-ssl_cert = </etc/dovecot/ssl/{{ ansible_fqdn }}.crt
-ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
+ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
+ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
 #ssl_ca = TODO
 ssl_protocols = !SSLv2 !SSLv3
 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
--- a/roles/mail/templates/postfix/main.cf.j2
+++ b/roles/mail/templates/postfix/main.cf.j2
@ -30,8 +30,8 @@ relayhost =
 smtp_use_tls = yes
 smtp_tls_loglevel = 2

-smtpd_tls_cert_file=/etc/postfix/ssl/{{ ansible_fqdn }}.crt
-smtpd_tls_key_file=/etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
+smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
 #smtpd_tls_CAfile=TODO
 smtpd_use_tls=yes

--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -13,12 +13,12 @@
  tags: nginx

 - name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn}}.key -out /etc/nginx/ssl/{{ ansible_fqdn}}.crt -days 730 -subj "/CN={{ ansible_fqdn}}" creates=/etc/nginx/ssl/{{ ansible_fqdn}}.crt
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
  notify: Restart nginx
  tags: nginx

 - name: Ensure correct certificate permissions
-  file: path=/etc/nginx/ssl/{{ ansible_fqdn}}.key owner=root mode=0400
+  file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0400
  notify: Restart nginx
  tags: nginx