From 157577dfcbcaefa2bf7902e2ea47d464a68ee168 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Fri, 1 Apr 2016 08:10:00 +0200
Subject: [PATCH] Fix mail-related certificate handling.

---
 group_vars/all | 1 +
 roles/mail/tasks/main.yml | 30 ++++++++++++++++++++++
 roles/mail/templates/certs.j2 | 10 ++++----
 roles/mail/templates/dovecot/local.conf.j2 | 4 +--
 roles/mail/templates/postfix/main.cf.j2 | 4 +--
 roles/nginx/tasks/main.yml | 4 +--
 6 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/group_vars/all b/group_vars/all
index 16376c7..db52d50 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -8,6 +8,7 @@
 ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
 ldap_bindpw: svcpwd
 mail_domain: binary-kitchen.de
+mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 
 nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 686e4ea..2e2cbd1 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -100,10 +100,40 @@
   notify: Run postmap
   tags: mail
 
+- name: Ensure postfix certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
+  notify: Restart postfix
+  tags: mail
+
+- name: Ensure correct postfix certificate permissions
+  file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=root mode=0400
+  notify: Restart postfix
+  tags: mail
+
+- name: Ensure dovecot certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt
+  notify: Restart dovecot
+  tags: mail
+
+- name: Ensure correct dovecot certificate permissions
+  file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=root mode=0400
+  notify: Restart dovecot
+  tags: mail
+
 - name: Configure certificate manager
   template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}_mail.conf
   tags: mail
 
+- name: Ensure mailman certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt
+  notify: Restart nginx
+  tags: mail
+
+- name: Ensure correct mailman certificate permissions
+  file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
+  notify: Restart nginx
+  tags: mail
+
 - name: Configure certificate manager for mailman
   template: src=mailman/certs.j2 dest=/etc/acme/domains.d/{{ mailman_domain }}_mailman.conf
   tags: mail
diff --git a/roles/mail/templates/certs.j2 b/roles/mail/templates/certs.j2
index ab9b7bd..f0156ad 100644
--- a/roles/mail/templates/certs.j2
+++ b/roles/mail/templates/certs.j2
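Review bot: The new "Ensure correct ... certificate permissions" tasks pin each private key to `owner=root`, while certs.j2 in this same commit hands the identical paths to the ACME deployer as `user: postfix` / `user: dovecot` with perm '400'; once a real certificate has been deployed, every subsequent play run presumably flips the key back to root and fires the Restart handler again, so ownership depends on whichever tool ran last. Aligning the bootstrap tasks with what certs.j2 deploys removes the flapping: `file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix group=postfix mode=0400` and `owner=dovecot group=dovecot` for the dovecot key; mailman/certs.j2 is not in this diff, so the matching owner for the nginx key has to be checked there. Separately, `creates=` in the three openssl tasks tests only the .crt, so a missing or truncated .key beside an existing .crt is never regenerated and the daemon is left without a usable key; since one openssl invocation writes both files, guarding on the key, `creates=/etc/postfix/ssl/{{ mail_server }}.key`, is the safer check.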
@@ -1,25 +1,25 @@
 ---
-{{ ansible_fqdn }}:
-- path: /etc/postfix/ssl/{{ ansible_fqdn }}.crt
+{{ mail_server }}:
+- path: /etc/postfix/ssl/{{ mail_server }}.crt
   user: postfix
   group: postfix
   perm: '400'
   format: crt
   notify: 'service postfix reload'
-- path: /etc/postfix/ssl/{{ ansible_fqdn }}.key
+- path: /etc/postfix/ssl/{{ mail_server }}.key
   user: postfix
   group: postfix
   perm: '400'
   format: key
   notify: 'service postfix reload'
-- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.crt
+- path: /etc/dovecot/ssl/{{ mail_server }}.crt
   user: dovecot
   group: dovecot
   perm: '400'
   format: crt
   notify: 'service dovecot reload'
-- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.key
+- path: /etc/dovecot/ssl/{{ mail_server }}.key
   user: dovecot
   group: dovecot
   perm: '400'
diff --git a/roles/mail/templates/dovecot/local.conf.j2 b/roles/mail/templates/dovecot/local.conf.j2
index 91d8f23..0460c79 100644
--- a/roles/mail/templates/dovecot/local.conf.j2
+++ b/roles/mail/templates/dovecot/local.conf.j2
@@ -16,8 +16,8 @@
 mail_uid = vmail
 mail_gid = vmail
 ssl = yes
-ssl_cert =