
ansible-playbooks/forward.yml: enabled TLS for SMTPD using self-signed cert

Fabian Peter Hammerle 5 سال پیش
والد
کامیت
d07c2786df
1فایلهای تغییر یافته به همراه37 افزوده شده و 4 حذف شده
  1. 37 4
      ansible-playbooks/forward.yml

+ 37 - 4
ansible-playbooks/forward.yml

@@ -1,10 +1,13 @@
-- hosts: [forward.example.com]
+- hosts: [forward]
   become: true
   vars:
+    hostname: forward.example.com
     virtual_alias_domains:
     - example.co
     - example.com
     - example.info
+    # docs recommend against whitelist
+    tls_protocols: ['!SSLv2', '!SSLv3', '!TLSv1', '!TLSv1.1']
   tasks:
   - docker_network:
       name: mail
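Review bot: The new `tls_protocols` list is applied to both `smtpd_tls_protocols` (inbound, opportunistic `smtpd_tls_security_level = may`, second hunk) and `smtp_tls_mandatory_protocols` (outbound, mandatory, third hunk), but Postfix's documentation treats the two cases differently: under opportunistic TLS a peer that cannot negotiate an allowed protocol, or an allowed cipher once `smtpd_tls_ciphers = high` is set, is expected to fall back to cleartext rather than fail, so the shared exclusion list may turn weak inbound encryption into none. Whether that trade-off is acceptable depends on which senders this host receives from, which the playbook does not show. If the strict list is deliberate for the inbound side, a comment on the variable would make that explicit, e.g. `# applied to both smtpd (opportunistic) and smtp (mandatory) TLS`. The existing `# docs recommend against whitelist` comment could also say what it refers to, e.g. `# postconf(5): exclude protocols with '!' rather than listing allowed ones`.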
@@ -30,9 +33,38 @@
       # postmap: fatal: open /etc/postfix/virtual.db: Permission denied
       owner: '{{ config_volume_stat.stat.uid }}'
     register: virtual_alias_map
+  - openssl_privatekey:
+      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
+      type: RSA
+      size: 4096
+      owner: '{{ config_volume_stat.stat.uid }}'
+      mode: o=r,g=,o=
+  - openssl_csr:
+      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem'
+      privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
+      common_name: '{{ hostname }}'
+      subject_alt_name: ['DNS:{{ hostname }}']
+      country_name: AT
+      basic_constraints: ['CA:FALSE']
+      basic_constraints_critical: yes
+      digest: sha256
+      mode: a=r
+  - openssl_certificate:
+      backup: yes
+      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem'
+      csr_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem'
+      privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
+      provider: selfsigned
+      mode: a=r
   - name: create config
     copy:
       content: |
+        smtpd_tls_security_level = may
+        smtpd_tls_cert_file=/smtpd-cert.pem
+        smtpd_tls_key_file=/smtpd-key.pem
+        smtpd_tls_protocols = {{ tls_protocols | join(', ') }}
+        smtpd_tls_ciphers = high
+        smtpd_tls_session_cache_database = btree:${data_directory}/smtpd-tls-session-cache
         # $myhostname prefix is a RFC requirement
         smtpd_banner = $myhostname ESMTP $mail_name quid agis?
 
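Review bot: The private key's `mode: o=r,g=,o=` in the `openssl_privatekey` task looks like a typo for `u=r,g=,o=`: symbolic clauses apply left to right, so the first `o=r` is undone by the final `o=` and the user bits are never set, leaving the owner's permission at whatever the module created the file with. The CSR and certificate use `mode: a=r`, so `mode: u=r,g=,o=` (or `"0400"`) is presumably what was intended for the key; it is also worth confirming that the uid the container's Postfix runs as matches `config_volume_stat.stat.uid`, since nothing else can read the key once group and other bits are cleared. Separately, `backup: yes` and `basic_constraints_critical: yes` would be clearer as `true`/`false` booleans, matching `become: true` at the top of the play.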
@@ -51,8 +83,7 @@
         delay_warning_time = 1h
 
         smtp_tls_security_level = encrypt
-        # docs recommend against whitelist
-        smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        smtp_tls_mandatory_protocols = {{ tls_protocols | join(', ') }}
         smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
 
         # http://www.postfix.org/MAILLOG_README.html
@@ -69,11 +100,13 @@
       name: postfix
       # 1.0.1-postfix3.4.5r0-amd64
       image: fphammerle/postfix@sha256:b2d214d66f1760bdcbfa3156efa7cb08cef5d80e5f6607e181f79fdde409b82d
-      hostname: forward.example.com
+      hostname: '{{ hostname }}'
       volumes:
       - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro'
       - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual:/etc/postfix/virtual:ro'
       - '{{ queue_volume.ansible_facts.docker_volume.Mountpoint }}:/var/spool/postfix:rw'
+      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem:/smtpd-key.pem:ro'
+      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem:/smtpd-cert.pem:ro'
       networks: [name: mail]
       purge_networks: yes
       published_ports: ['25:25']