From: Ralf Jung
Date: Sun, 20 May 2018 19:46:04 +0000 (+0200)
Subject: generate relay_clientcerts whitelist from host_vars
X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/e103cc2f91aa9efc164969bdc146ff87f8cff276?ds=inline;hp=b820d6d92e4c558f45c2288d99428b7bbd915312

generate relay_clientcerts whitelist from host_vars
---

diff --git a/host_vars/template.yml b/host_vars/template.yml
index abe746c..99d2b4b 100644
--- a/host_vars/template.yml
+++ b/host_vars/template.yml
@@ -46,9 +46,10 @@ postfix:
   quota:
     general: 1G
     trash: +10M
-  # optional: File in /etc/postfix that configures client certificates that may use
-  # this server for relaying arbitrary mail.
-  relay_client_cert_whitelist: relay_clientcerts
+  # optional: Hostnames and SHA1 certificate hashes that are allowed to relay email via this host.
+  relay_client_cert_whitelist:
+    - hostname: other.example.org
+      cert: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
   # optional: Configure a host to relay all outgoing email to.
   # Incompatible with smtp_outgoing.
   relay_host: mx.example.org
diff --git a/roles/email/tasks/postfix.yml b/roles/email/tasks/postfix.yml
index 2602fb0..f9f8856 100644
--- a/roles/email/tasks/postfix.yml
+++ b/roles/email/tasks/postfix.yml
@@ -60,13 +60,12 @@
   when: sender_transport_map.changed
   command: postmap /etc/postfix/sender_transport_map
   notify: postfix
-- name: create empty relay_clientcerts
+- name: create relay_clientcerts
   when: postfix.relay_client_cert_whitelist is defined
   register: relay_clientcerts
-  copy:
+  template:
     dest: /etc/postfix/relay_clientcerts
-    content: ""
-    force: no
+    src: templates/relay_clientcerts
 - name: postmap relay_clientcerts
   when: relay_clientcerts.changed
   command: postmap /etc/postfix/relay_clientcerts
diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf
index 1049ed2..97f07bd 100644
--- a/roles/email/templates/main.cf
+++ b/roles/email/templates/main.cf
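Review bot: The example `cert:` value in the new `relay_client_cert_whitelist` entry is a plain scalar of colon-separated pairs, and a fingerprint whose pairs all happen to be decimal digits in the 00–59 range would be typed by PyYAML (which Ansible uses, with YAML 1.1 rules) as a sexagesimal integer rather than a string, so the rendered table line would silently be a number. Rare, but the template file is what operators copy from, so show the safe form: `cert: "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"`. The comment would also be more useful if it said that the hash must be the client certificate's fingerprint computed with the digest named by `smtpd_tls_fingerprint_digest` in the role's main.cf (currently sha1), since an entry made with another digest never matches and the failure is invisible.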
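Review bot: The new `template:` task writes /etc/postfix/relay_clientcerts without an explicit `mode`, so the file's permissions follow the remote umask, and a restrictive umask leaves a file that the unprivileged smtpd process cannot read once postmap has carried the source's group/other read bits over to the .db it builds. Pin it with `mode: "0644"` under `dest:` (quoted so the octal is not re-typed); the table holds only fingerprints and names, so world-readable is appropriate. As a point of style, `src: templates/relay_clientcerts` carries a redundant prefix because the template module already searches the role's templates/ directory; `src: relay_clientcerts` is the conventional form if the other template tasks in this file use it.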
@@ -76,7 +76,7 @@ smtpd_sasl_path = private/auth
 # allow relay for some TLS-authenticated clients
 smtpd_tls_ask_ccert = yes
 smtpd_tls_fingerprint_digest = sha1
-relay_clientcerts = hash:$config_directory/{{ postfix.relay_client_cert_whitelist }}
+relay_clientcerts = hash:$config_directory/relay_clientcerts
 {% endif %}
 
 {% if postfix.virtual_mailbox_domains is defined %}
diff --git a/roles/email/templates/relay_clientcerts b/roles/email/templates/relay_clientcerts
new file mode 100644
index 0000000..e1ed3ea
--- /dev/null
+++ b/roles/email/templates/relay_clientcerts
@@ -0,0 +1,4 @@
+# Whitelist for client certificates that may relay
+{% for item in postfix.relay_client_cert_whitelist %}
+{{item.cert}} {{item.hostname}}
+{% endfor %}
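Review bot: The table path is now fixed, but the coupling between the context line `smtpd_tls_fingerprint_digest = sha1` and the hashes operators type into host_vars stays implicit; nothing in main.cf says that every entry in relay_clientcerts must be computed with this digest, so changing the digest here without regenerating the table would quietly stop all client-cert relaying. A comment above that line, `# fingerprints in relay_clientcerts must be computed with this digest (see relay_client_cert_whitelist in host_vars)`, records the dependency. Given that newer Postfix releases default this parameter to sha256 and SHA-1 is no longer the recommended fingerprint digest, it may be worth making the digest a host_vars setting referenced from both this template and the host_vars comment, rather than a literal. The enclosing `{% if %}` block opens before the hunk.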
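Review bot: The new template's header comment does not say what the two columns mean, and the `hostname` column in particular reads as if Postfix checked it, whereas as far as I can tell Postfix matches only on the fingerprint key and treats the second column as free text, so the name adds no assurance about who presents the certificate. Replace the header with `# fingerprint (computed with smtpd_tls_fingerprint_digest) followed by a free-text client name that Postfix does not verify` so readers are not misled. As a point of style, the delimiters `{{item.cert}} {{item.hostname}}` should be spaced like the rest of the role's templates (`{{ item.cert }} {{ item.hostname }}`), matching the `{{ postfix.relay_client_cert_whitelist }}` form removed from main.cf in this same commit.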