Prepare mail role for real ssl certs.

2016-02-15 23:31:05 +01:00 · 2016-02-15 23:31:05 +01:00 · 5f42f9e70c
commit 5f42f9e70c
parent 68cdb42b77
3 changed files with 15 additions and 6 deletions
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@ -42,12 +42,21 @@
  notify: Restart dovecot
  tags: mail
 - name: Create dovecot ssl directory
  file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
  tags: mail
 - name: Create postfix ssl directory
  file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
  tags: mail
 - name: Configure policyd
  copy: src={{ item }} dest=/etc/postfix-policyd-spf-python/{{ item }}
  with_items:
  - policyd-spf.conf
  tags: mail
 # TODO run postmap
 - name: Configure postfix
  template: src={{ item }}.j2 dest=/etc/{{ item }}
  with_items:
--- a/roles/mail/templates/dovecot/local.conf.j2
+++ b/roles/mail/templates/dovecot/local.conf.j2
@ -15,9 +15,9 @@ mail_uid = vmail
 mail_gid = vmail
 ssl = yes
-ssl_cert = </etc/ssl/certs/mail.binary-kitchen.com.pem
+ssl_cert = </etc/dovecot/ssl/{{ ansible_fqdn }}.crt
-ssl_key = </etc/ssl/private/mail.binary-kitchen.com.key
+ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
-#ssl_ca = </etc/ssl/binary-kitchen/cacert_ca.crt
+#ssl_ca = TODO
 ssl_protocols = !SSLv2 !SSLv3
 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
--- a/roles/mail/templates/postfix/main.cf.j2
+++ b/roles/mail/templates/postfix/main.cf.j2
@ -3,7 +3,6 @@
 # Debian specific:  Specifying a file name will cause the first
 # line of that file to be used as the name.  The Debian default
 # is /etc/mailname.
 #myorigin = /etc/mailname
 smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
 biff = no
@ -35,8 +34,9 @@ relayhost =
 smtp_use_tls = yes
 smtp_tls_loglevel = 2
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_cert_file=/etc/postfix/ssl/{{ ansible_fqdn }}.crt
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_key_file=/etc/postfix/ssl/{{ ansible_fqdn }}.key
 #smtpd_tls_CAfile=TODO
 smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache