generate relay_clientcerts whitelist from host_vars
authorRalf Jung <post@ralfj.de>
Sun, 20 May 2018 19:46:04 +0000 (21:46 +0200)
committerRalf Jung <post@ralfj.de>
Sun, 20 May 2018 19:46:04 +0000 (21:46 +0200)
host_vars/template.yml
roles/email/tasks/postfix.yml
roles/email/templates/main.cf
roles/email/templates/relay_clientcerts [new file with mode: 0644]

index abe746c..99d2b4b 100644 (file)
@@ -46,9 +46,10 @@ postfix:
     quota:
       general: 1G
       trash: +10M
-  # optional: File in /etc/postfix that configures client certificates that may use
-  # this server for relaying arbitrary mail.
-  relay_client_cert_whitelist: relay_clientcerts
+  # optional: Hostnames and SHA1 certificate hashes that are allowed to relay email via this host.
+  relay_client_cert_whitelist:
+    - hostname: other.example.org
+      cert: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
   # optional: Configure a host to relay all outgoing email to.
   # Incompatible with smtp_outgoing.
   relay_host: mx.example.org
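Review bot: The example `cert` value on the new list entry is an unquoted colon-separated scalar; Ansible parses host_vars with a YAML 1.1 loader, where a fingerprint whose bytes all happen to be decimal digits would be read as a sexagesimal integer instead of a string, so the example should be quoted, `cert: "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"`, so that copies of the template stay strings. The new comment also calls the values "SHA1 certificate hashes" without saying where that comes from: the fingerprint format has to match `smtpd_tls_fingerprint_digest` in the role's main.cf template, which this commit leaves at sha1 even though Postfix supports stronger digests such as sha256 there. I would reword it as `# optional: Hostnames and certificate fingerprints (digest per smtpd_tls_fingerprint_digest in main.cf) that are allowed to relay email via this host.` so the two settings are kept in step when the digest is changed.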
index 2602fb0..f9f8856 100644 (file)
   when: sender_transport_map.changed
   command: postmap /etc/postfix/sender_transport_map
   notify: postfix
-- name: create empty relay_clientcerts
+- name: create relay_clientcerts
   when: postfix.relay_client_cert_whitelist is defined
   register: relay_clientcerts
-  copy:
+  template:
     dest: /etc/postfix/relay_clientcerts
-    content: ""
-    force: no
+    src: templates/relay_clientcerts
 - name: postmap relay_clientcerts
   when: relay_clientcerts.changed
   command: postmap /etc/postfix/relay_clientcerts
index 1049ed2..97f07bd 100644 (file)
@@ -76,7 +76,7 @@ smtpd_sasl_path = private/auth
 # allow relay for some TLS-authenticated clients
 smtpd_tls_ask_ccert = yes
 smtpd_tls_fingerprint_digest = sha1
-relay_clientcerts = hash:$config_directory/{{ postfix.relay_client_cert_whitelist }}
+relay_clientcerts = hash:$config_directory/relay_clientcerts
 {% endif %}
 
 {% if postfix.virtual_mailbox_domains is defined %}
diff --git a/roles/email/templates/relay_clientcerts b/roles/email/templates/relay_clientcerts
new file mode 100644 (file)
index 0000000..e1ed3ea
--- /dev/null
@@ -0,0 +1,4 @@
+# Whitelist for client certificates that may relay
+{% for item in postfix.relay_client_cert_whitelist %}
+{{item.cert}}          {{item.hostname}}
+{% endfor %}
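Review bot: The Jinja expressions on the third line are written without inner spacing, `{{item.cert}}` and `{{item.hostname}}`, while the role's main.cf template writes `{{ postfix.relay_client_cert_whitelist }}`; for consistency the line should read `{{ item.cert }}          {{ item.hostname }}`. The header comment could also state the expected key format, since postmap accepts any key string and a fingerprint in the wrong digest or case would silently never match: `# Whitelist for client certificates that may relay: <fingerprint, digest per smtpd_tls_fingerprint_digest in main.cf> <hostname>`.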