
playbooks/null-client: require TLS >v1.1

Fabian Peter Hammerle 3 years ago
parent
commit
10a7cf6948
3 changed files with 54 additions and 1 deletions
  1. 2 0
      Dockerfile
  2. 13 1
      ansible-playbooks/null-client.yml
  3. 39 0
      smtp-tls-trusted-ca.pem

+ 2 - 0
Dockerfile

@@ -7,6 +7,8 @@ RUN postconf -F | grep -E '^postlog/unix-dgram/service = postlog$' \
     && postconf -evv maillog_file=/dev/stdout \
     && postfix check
 
+# VOLUME /var/spool/postfix ?
+
 EXPOSE 25/tcp
 COPY postfix.sh /
 CMD ["/postfix.sh"]

+ 13 - 1
ansible-playbooks/null-client.yml

@@ -6,6 +6,11 @@
   - docker_volume:
       volume_name: postfix_config
     register: config_volume
+  - name: copy trusted CA certs
+    copy:
+      src: ../smtp-tls-trusted-ca.pem
+      dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/smtp-tls-trusted-ca.pem'
+    register: smtp_trusted_ca_certs
   - name: create config
     copy:
       content: |
@@ -24,6 +29,12 @@
         smtpd_sasl_authenticated_header = yes
 
         relayhost = relay.example.com:submission
+        smtp_tls_security_level = secure
+        smtp_tls_secure_cert_match = nexthop
+        smtp_tls_CAfile = /etc/postfix/smtp-tls-trusted-ca.pem
+        # docs recommend against whitelist
+        smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
 
         # http://www.postfix.org/MAILLOG_README.html
         maillog_file = /dev/stdout
@@ -40,8 +51,9 @@
       hostname: postfix-test
       volumes:
       - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro'
+      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/smtp-tls-trusted-ca.pem:/etc/postfix/smtp-tls-trusted-ca.pem:ro'
       networks: [name: mail]
       purge_networks: yes
       published_ports: ['localhost:25:25']
       restart_policy: unless-stopped
-      restart: '{{ config.changed }}'
+      restart: '{{ config.changed or smtp_trusted_ca_certs.changed }}'
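Review bot: The comment `# docs recommend against whitelist` above `smtp_tls_mandatory_protocols` in the second hunk does not say what is recommended or why, and a later reader is likely to "simplify" the line to an allow-list and silently lock out future protocol versions; I would reword it to `# exclusion list rather than an allow-list, as Postfix TLS_README recommends, so newer TLS versions stay enabled`. Since `smtp_tls_security_level = secure` defers every delivery to the relay when verification fails, a one-line comment above `smtp_tls_secure_cert_match = nexthop` stating that the relay's certificate must chain to `smtp_tls_CAfile` and carry the `relayhost` name `relay.example.com` would help an operator diagnose a failed rollout. `smtp_tls_mandatory_ciphers` is left at its default here; that may be deliberate, but the comment block is the place to say so. The `content: |` block scalar holding main.cf starts and ends outside this hunk.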

+ 39 - 0
smtp-tls-trusted-ca.pem

@@ -0,0 +1,39 @@
+Subject: C=AT, CN=Fabian Peter Hammerle
+Validity
+    Not Before: May  8 18:31:41 2017 GMT
+    Not After : Jan  1 00:00:00 2027 GMT
+X509v3 Subject Key Identifier:
+    C2:E0:4B:00:B3:F0:87:DB:14:3B:4B:B6:41:18:13:BA:22:0E:D4:BA
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
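Review bot: The CA added here expires on Jan 1 2027 (the `Not After` line), and because the playbook pins it via `smtp_tls_CAfile` under `smtp_tls_security_level = secure`, relay deliveries will start being deferred on that date with no earlier warning. I would add a line to the human-readable header, e.g. `Renewal due before 2027-01-01: replace this file and re-run the playbook (the copy task triggers the container restart)`. The header text above `-----BEGIN CERTIFICATE-----` is presumably skipped by the PEM loader, as the existing `openssl -text` style preamble already relies on; worth confirming with `postfix tls` or a test delivery after editing.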