generate relay_clientcerts whitelist from host_vars
authorRalf Jung <post@ralfj.de>
Sun, 20 May 2018 19:46:04 +0000 (21:46 +0200)
committerRalf Jung <post@ralfj.de>
Sun, 20 May 2018 19:46:04 +0000 (21:46 +0200)
host_vars/template.yml
roles/email/tasks/postfix.yml
roles/email/templates/main.cf
roles/email/templates/relay_clientcerts [new file with mode: 0644]

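--- a/host_vars/template.yml
+++ b/host_vars/template.yml
@@ -46,9 +46,10 @@ postfix:
     quota:
       general: 1G
       trash: +10M
-  # optional: File in /etc/postfix that configures client certificates that may use
-  # this server for relaying arbitrary mail.
-  relay_client_cert_whitelist: relay_clientcerts
+  # optional: Hostnames and SHA1 certificate hashes that are allowed to relay email via this host.
+  relay_client_cert_whitelist:
+    - hostname: other.example.org
+      cert: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
  # optional: Configure a host to relay all outgoing email to.
  # Incompatible with smtp_outgoing.
  relay_host: mx.example.org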
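Review bot: The example `cert:` value on the added line is an unquoted colon-separated scalar; quote it, `cert: "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"`, so that a real fingerprint whose groups happen to be all-decimal is not read as a YAML 1.1 sexagesimal integer by Ansible's parser and silently never matches anything. The new comment should also say what the value actually is and what it grants, since an entry here is effectively a relay credential: `# optional: Clients that may relay arbitrary mail through this host, identified by the SHA1 fingerprint of their TLS client certificate (colon-separated hex as printed by 'openssl x509 -noout -fingerprint -sha1'); the digest must match smtpd_tls_fingerprint_digest in main.cf.` As far as I can tell from the template that consumes this list, `hostname` only becomes the value column of the lookup table, so it is a label, not a second factor — worth stating so nobody assumes the hostname is checked.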
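--- a/roles/email/tasks/postfix.yml
+++ b/roles/email/tasks/postfix.yml
   when: sender_transport_map.changed
   command: postmap /etc/postfix/sender_transport_map
   notify: postfix
-- name: create empty relay_clientcerts
+- name: create relay_clientcerts
   when: postfix.relay_client_cert_whitelist is defined
   register: relay_clientcerts
-  copy:
+  template:
     dest: /etc/postfix/relay_clientcerts
-    content: ""
-    force: no
+    src: templates/relay_clientcerts
 - name: postmap relay_clientcerts
   when: relay_clientcerts.changed
   command: postmap /etc/postfix/relay_clientcerts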
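Review bot: The new `template:` task sets no `owner`, `group` or `mode`, so the file that decides who may relay through this host is created with whatever the remote umask gives; now that the task replaces `copy` anyway, pin them: `owner: root`, `group: root`, `mode: "0644"`. A smaller point of style: `src: templates/relay_clientcerts` can be `src: relay_clientcerts`, since the template module searches the role's `templates/` directory first. The `postmap` step stays correctly gated on `relay_clientcerts.changed` (a skipped task registers `changed: false`), but if `relay_client_cert_whitelist` is later removed from a host's vars the old table and its `.db` stay on disk; main.cf appears to stop referencing it, so it is inert, but a cleanup task (`file: state=absent` when the variable is undefined) would avoid a stale relay list lingering in /etc/postfix.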
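--- a/roles/email/templates/main.cf
+++ b/roles/email/templates/main.cf
@@ -76,7 +76,7 @@ smtpd_sasl_path = private/auth
 # allow relay for some TLS-authenticated clients
 smtpd_tls_ask_ccert = yes
 smtpd_tls_fingerprint_digest = sha1
-relay_clientcerts = hash:$config_directory/{{ postfix.relay_client_cert_whitelist }}
+relay_clientcerts = hash:$config_directory/relay_clientcerts
 {% endif %}
 
 {% if postfix.virtual_mailbox_domains is defined %}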
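Review bot: The table on the new line is keyed by the digest chosen two lines above, `smtpd_tls_fingerprint_digest = sha1`, and the commit now bakes "SHA1 certificate hashes" into the host_vars documentation; since the fingerprints are being regenerated into host_vars anyway, this is the moment to move to `smtpd_tls_fingerprint_digest = sha256` (supported since Postfix 2.5 as far as I recall, and the upstream default from 3.6). A second preimage of a listed SHA-1 fingerprint is still out of reach, but SHA-1 collisions are practical, so a party who gets one of a colliding certificate pair whitelisted could relay with the other; sha256 removes that concern for a one-line change plus re-running `openssl x509 -fingerprint -sha256` on the client certs. Note the `{% if %}` that opens this block starts before the hunk, and `relay_clientcerts` only takes effect where `permit_tls_clientcerts` appears in the smtpd restriction lists, which are not visible here.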
diff --git a/roles/email/templates/relay_clientcerts b/roles/email/templates/relay_clientcerts
new file mode 100644 (file)
index 0000000..e1ed3ea
--- /dev/null
@@ -0,0 +1,4 @@
+# Whitelist for client certificates that may relay
+{% for item in postfix.relay_client_cert_whitelist %}
+{{item.cert}}          {{item.hostname}}
+{% endfor %}
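Review bot: `{{item.cert}}` is written into the table verbatim; Postfix renders fingerprints as uppercase colon-separated hex and, to my recollection, a `hash:` lookup is an exact string match, so a lowercase fingerprint pasted from another tool would never match and the client is refused with nothing in the table to explain why — normalising with `{{ item.cert | upper }}          {{ item.hostname }}` costs nothing and is harmless if the lookup turns out to be case-insensitive. An empty `cert` (`cert: ""`) renders a line with only the hostname, which postmap may accept as a table entry with a bogus key, so the template should fail closed: at minimum `{{ item.cert | mandatory }}`, better an `assert` task before the template that checks each entry against `^([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$` for the SHA-1 case. The header comment could also record what the columns mean, e.g. `# relay_clientcerts: <TLS client cert fingerprint as produced by smtpd_tls_fingerprint_digest>  <label>`, so the fingerprint/digest coupling with main.cf is visible where the table is generated.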