Fix mail-related certificate handling.
This commit is contained in:
parent
4b22d48931
commit
157577dfcb
@ -8,6 +8,7 @@ ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
|
|||||||
ldap_bindpw: svcpwd
|
ldap_bindpw: svcpwd
|
||||||
|
|
||||||
mail_domain: binary-kitchen.de
|
mail_domain: binary-kitchen.de
|
||||||
|
mail_server: mail.binary-kitchen.de
|
||||||
mailman_domain: lists.binary-kitchen.de
|
mailman_domain: lists.binary-kitchen.de
|
||||||
|
|
||||||
nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
|
nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
|
||||||
|
@ -100,10 +100,40 @@
|
|||||||
notify: Run postmap
|
notify: Run postmap
|
||||||
tags: mail
|
tags: mail
|
||||||
|
|
||||||
|
- name: Ensure postfix certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
|
notify: Restart postfix
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Ensure correct postfix certificate permissions
|
||||||
|
file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=root mode=0400
|
||||||
|
notify: Restart postfix
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Ensure dovecot certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt
|
||||||
|
notify: Restart dovecot
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Ensure correct dovecot certificate permissions
|
||||||
|
file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=root mode=0400
|
||||||
|
notify: Restart dovecot
|
||||||
|
tags: mail
|
||||||
|
|
||||||
- name: Configure certificate manager
|
- name: Configure certificate manager
|
||||||
template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}_mail.conf
|
template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}_mail.conf
|
||||||
tags: mail
|
tags: mail
|
||||||
|
|
||||||
|
- name: Ensure mailman certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Ensure correct mailman certificate permissions
|
||||||
|
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
|
||||||
|
notify: Restart nginx
|
||||||
|
tags: mail
|
||||||
|
|
||||||
- name: Configure certificate manager for mailman
|
- name: Configure certificate manager for mailman
|
||||||
template: src=mailman/certs.j2 dest=/etc/acme/domains.d/{{ mailman_domain }}_mailman.conf
|
template: src=mailman/certs.j2 dest=/etc/acme/domains.d/{{ mailman_domain }}_mailman.conf
|
||||||
tags: mail
|
tags: mail
|
||||||
|
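Review bot: The new "Ensure correct … certificate permissions" tasks set `owner=root mode=0400` on the keys, while the `certs.j2` entries in the @ -1,25 +1,25 hunk install the same paths with `user: postfix` / `user: dovecot` and `perm: '400'`, so once the certificate manager has replaced the bootstrap key, every Ansible run flips ownership back to root and fires the restart handler; the two managers need to agree on one owner, e.g. `file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix group=postfix mode=0400` (and likewise for dovecot), or `certs.j2` changed to root. Whether the daemons can read a root:0400 key as the bootstrap tasks leave it depends on how each loads its key, which is not visible here. The bootstrap `openssl req` tasks also generate a CN-only subject with no subjectAltName and a 730-day lifetime guarded by `creates=`, so if the certificate manager never takes over the self-signed cert silently expires and is never regenerated, and on older OpenSSL the default signature digest may be SHA-1 unless `-sha256` is passed; a comment such as `# bootstrap self-signed cert; replaced by the acme manager configured below` would make the intended lifecycle explicit.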
@ -1,25 +1,25 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
{{ ansible_fqdn }}:
|
{{ mail_server }}:
|
||||||
- path: /etc/postfix/ssl/{{ ansible_fqdn }}.crt
|
- path: /etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
user: postfix
|
user: postfix
|
||||||
group: postfix
|
group: postfix
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: crt
|
format: crt
|
||||||
notify: 'service postfix reload'
|
notify: 'service postfix reload'
|
||||||
- path: /etc/postfix/ssl/{{ ansible_fqdn }}.key
|
- path: /etc/postfix/ssl/{{ mail_server }}.key
|
||||||
user: postfix
|
user: postfix
|
||||||
group: postfix
|
group: postfix
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: key
|
format: key
|
||||||
notify: 'service postfix reload'
|
notify: 'service postfix reload'
|
||||||
- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.crt
|
- path: /etc/dovecot/ssl/{{ mail_server }}.crt
|
||||||
user: dovecot
|
user: dovecot
|
||||||
group: dovecot
|
group: dovecot
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: crt
|
format: crt
|
||||||
notify: 'service dovecot reload'
|
notify: 'service dovecot reload'
|
||||||
- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.key
|
- path: /etc/dovecot/ssl/{{ mail_server }}.key
|
||||||
user: dovecot
|
user: dovecot
|
||||||
group: dovecot
|
group: dovecot
|
||||||
perm: '400'
|
perm: '400'
|
||||||
|
@ -16,8 +16,8 @@ mail_uid = vmail
|
|||||||
mail_gid = vmail
|
mail_gid = vmail
|
||||||
|
|
||||||
ssl = yes
|
ssl = yes
|
||||||
ssl_cert = </etc/dovecot/ssl/{{ ansible_fqdn }}.crt
|
ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
|
||||||
ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
|
ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
|
||||||
#ssl_ca = TODO
|
#ssl_ca = TODO
|
||||||
ssl_protocols = !SSLv2 !SSLv3
|
ssl_protocols = !SSLv2 !SSLv3
|
||||||
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
||||||
|
@ -30,8 +30,8 @@ relayhost =
|
|||||||
smtp_use_tls = yes
|
smtp_use_tls = yes
|
||||||
smtp_tls_loglevel = 2
|
smtp_tls_loglevel = 2
|
||||||
|
|
||||||
smtpd_tls_cert_file=/etc/postfix/ssl/{{ ansible_fqdn }}.crt
|
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
smtpd_tls_key_file=/etc/postfix/ssl/{{ ansible_fqdn }}.key
|
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
|
||||||
#smtpd_tls_CAfile=TODO
|
#smtpd_tls_CAfile=TODO
|
||||||
smtpd_use_tls=yes
|
smtpd_use_tls=yes
|
||||||
|
|
||||||
|
@ -13,12 +13,12 @@
|
|||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
- name: Ensure certificates are available
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn}}.key -out /etc/nginx/ssl/{{ ansible_fqdn}}.crt -days 730 -subj "/CN={{ ansible_fqdn}}" creates=/etc/nginx/ssl/{{ ansible_fqdn}}.crt
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Ensure correct certificate permissions
|
- name: Ensure correct certificate permissions
|
||||||
file: path=/etc/nginx/ssl/{{ ansible_fqdn}}.key owner=root mode=0400
|
file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0400
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
|