quota:
general: 1G
trash: +10M
- # optional: File in /etc/postfix that configures client certificates that may use
- # this server for relaying arbitrary mail.
- relay_client_cert_whitelist: relay_clientcerts
+ # optional: Hostnames and SHA1 certificate hashes that are allowed to relay email via this host.
+ relay_client_cert_whitelist:
+ - hostname: other.example.org
+ cert: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
# optional: Configure a host to relay all outgoing email to.
# Incompatible with smtp_outgoing.
relay_host: mx.example.org
when: sender_transport_map.changed
command: postmap /etc/postfix/sender_transport_map
notify: postfix
-- name: create empty relay_clientcerts
+- name: create relay_clientcerts
when: postfix.relay_client_cert_whitelist is defined
register: relay_clientcerts
- copy:
+ template:
dest: /etc/postfix/relay_clientcerts
- content: ""
- force: no
+ src: templates/relay_clientcerts
- name: postmap relay_clientcerts
when: relay_clientcerts.changed
command: postmap /etc/postfix/relay_clientcerts
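Review bot: The lookup table is rebuilt only when `relay_clientcerts.changed` is true in the same run, and that now matters because the templated file carries the real relay allow-list rather than an empty placeholder. If a run stops after the `template` task but before the following `postmap relay_clientcerts` task (unchanged context), the next run reports no change and the `.db` stays stale, so a fingerprint removed from the inventory could keep its relay permission. Consider making the rebuild independent of the registered result, for example by running `postmap` on every run with `changed_when: false`. It would also help to set `owner: root`, `group: root` and `mode: "0644"` on the `template` task so the file's permissions do not depend on the umask.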
# allow relay for some TLS-authenticated clients
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha1
-relay_clientcerts = hash:$config_directory/{{ postfix.relay_client_cert_whitelist }}
+relay_clientcerts = hash:$config_directory/relay_clientcerts
{% endif %}
{% if postfix.virtual_mailbox_domains is defined %}
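Review bot: The allow-list stays keyed on SHA-1 fingerprints (`smtpd_tls_fingerprint_digest = sha1`, unchanged context), and the new example comment now documents "SHA1 certificate hashes" as the format operators should supply. Postfix's own documentation deprecates md5 and sha1 for fingerprint matching in favour of sha256. Since every deployment has to rewrite its entries for the new list format anyway, this is a cheap moment to switch to `smtpd_tls_fingerprint_digest = sha256` and document SHA-256 fingerprints; the digest setting and the inventory values must change together or no client will match. The enclosing `{% if %}` starts outside this hunk, so I cannot confirm from here which condition guards these lines.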
--- /dev/null
+# Whitelist for client certificates that may relay
+{% for item in postfix.relay_client_cert_whitelist %}
+{{item.cert}} {{item.hostname}}
+{% endfor %}
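Review bot: `{{item.cert}} {{item.hostname}}` is written into the relay map with no check or normalisation, so a malformed inventory value changes who may relay without raising an error. A fingerprint with stray whitespace or an embedded newline produces a different key or an extra table line. As far as I know, Postfix also looks the fingerprint up as upper-case colon-separated hex, so a lower-case entry would silently never match. Consider `{{ item.cert | upper | trim }} {{ item.hostname }}` plus an `assert` task that checks each `cert` against a pattern for 20 colon-separated hex bytes before the template is rendered. Inventories that still carry the old string value (`relay_clientcerts`) would be iterated character by character here, so the format change deserves an upgrade note.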