Prepare mail role for real ssl certs.

Markus 2016-02-15 23:31:05 +01:00
parent 68cdb42b77
commit 5f42f9e70c
3 changed files with 15 additions and 6 deletions


@ -42,12 +42,21 @@
notify: Restart dovecot
tags: mail
- name: Create dovecot ssl directory
file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
tags: mail
- name: Create postfix ssl directory
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
tags: mail
- name: Configure policyd
copy: src={{ item }} dest=/etc/postfix-policyd-spf-python/{{ item }}
with_items:
- policyd-spf.conf
tags: mail
# TODO run postmap
- name: Configure postfix
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
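Review bot: The two new directory tasks give ownership of /etc/dovecot/ssl and /etc/postfix/ssl to the unprivileged service accounts, which lets a compromised dovecot or postfix process replace the key and certificate it will later present; both daemons open the key file as root during startup, so the directories do not need to be writable by those users, e.g. `file: path=/etc/dovecot/ssl state=directory mode=0750 owner=root group=dovecot` and the same shape with `group=postfix` for the postfix task (0700 root-only would do if no file there needs group access). The hunk creates the directories but nothing places `{{ ansible_fqdn }}.crt`/`.key` in them, while the templates in this commit now point at those paths; a comment such as `# TODO: deploy {{ ansible_fqdn }}.crt/.key here (key root-owned, mode 0600)` next to the tasks would make that gap explicit until the copy task exists. The `Configure postfix` task's `with_items` list continues outside the hunk.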


@ -15,9 +15,9 @@ mail_uid = vmail
mail_gid = vmail
ssl = yes
ssl_cert = </etc/ssl/certs/mail.binary-kitchen.com.pem
ssl_key = </etc/ssl/private/mail.binary-kitchen.com.key
#ssl_ca = </etc/ssl/binary-kitchen/cacert_ca.crt
ssl_cert = </etc/dovecot/ssl/{{ ansible_fqdn }}.crt
ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
#ssl_ca = TODO
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
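Review bot: `ssl_cert` now references a single `{{ ansible_fqdn }}.crt` and the `#ssl_ca = TODO` line suggests the CA chain is meant to be wired in there later; in Dovecot `ssl_ca` is the trust store for verifying client certificates, so the intermediate certificates a public CA issues have to be concatenated after the leaf in the `.crt` file, otherwise IMAP clients see an incomplete chain. A comment on the `ssl_cert` line, `# file must hold the server cert followed by the intermediate chain; ssl_ca is only for client-cert verification`, would keep that from being "fixed" by pointing `ssl_ca` at the CA bundle. With `ssl = yes` Dovecot refuses to start when the referenced files are missing, so this template should not roll out ahead of the certificate deployment. The certificate also needs to cover the hostnames clients actually connect to, which may differ from `ansible_fqdn` — worth confirming before the old `mail.binary-kitchen.com` paths are dropped from the host.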


@ -3,7 +3,6 @@
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
@ -35,8 +34,9 @@ relayhost =
smtp_use_tls = yes
smtp_tls_loglevel = 2
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/etc/postfix/ssl/{{ ansible_fqdn }}.crt
smtpd_tls_key_file=/etc/postfix/ssl/{{ ansible_fqdn }}.key
#smtpd_tls_CAfile=TODO
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
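Review bot: In the second hunk, `smtpd_tls_cert_file` must contain the intermediate chain after the server certificate, and `#smtpd_tls_CAfile=TODO` is misleading as a placeholder for it: `smtpd_tls_CAfile` holds CA certificates used to verify remote client certificates, not the chain the server presents. Replacing the TODO with `# intermediate CA certs belong in smtpd_tls_cert_file after the leaf; CAfile is only for client-cert verification` would save a later misconfiguration. Swapping the always-present snakeoil pair for files that this commit does not yet deploy also means that, as far as I can tell, Postfix will log a certificate load failure and keep accepting mail without offering STARTTLS until the real files exist — a silent loss of opportunistic TLS rather than a hard failure, so the log should be checked after the first rollout. The `#myorigin` removal in the first hunk needs no comment.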