alter the way that SSL certificates are chosen for mail servers, and add a TLS secrets readme

2025-03-01 14:22:33 +01:00 · 2016-02-21 13:25:00 +00:00 · 2016-02-21 13:25:00 +00:00 · 58bba600b6
commit 58bba600b6
parent a8da17099e
4 changed files with 9 additions and 7 deletions
--- a/examples/sampleplaybooks/mailserver/files/mailserver/etc/dovecot/local.conf
+++ b/examples/sampleplaybooks/mailserver/files/mailserver/etc/dovecot/local.conf
@ -53,8 +53,8 @@ plugin {
 }
 disable_plaintext_auth = yes
 ssl = required
-ssl_cert = <{{ ssl[mail.ssl]["assembled"] }}
-ssl_key = <{{ ssl[mail.ssl]["key"] }}
+ssl_cert = <{{ ssl[mail.hostname]["assembled"] }}
+ssl_key = <{{ ssl[mail.hostname]["key"] }}
 ssl_protocols = !SSLv2 !SSLv3
 ssl_cipher_list = EECDH+AESGCM:AES256+EECDH:AES128+EECDH
 ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
--- a/examples/sampleplaybooks/mailserver/files/mailserver/etc/postfix/main.cf
+++ b/examples/sampleplaybooks/mailserver/files/mailserver/etc/postfix/main.cf
@ -711,8 +711,8 @@ smtpd_use_tls = yes
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_auth_only = yes
-smtpd_tls_cert_file = {{ ssl[mail.ssl]["assembled"] }}
-smtpd_tls_key_file = {{ ssl[mail.ssl]["key"] }}
+smtpd_tls_cert_file = {{ ssl[mail.hostname]["assembled"] }}
+smtpd_tls_key_file = {{ ssl[mail.hostname]["key"] }}
 smtp_tls_security_level = may
 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
--- a/examples/sampleplaybooks/mailserver/files/secrets/tls/README.md
+++ b/examples/sampleplaybooks/mailserver/files/secrets/tls/README.md
@ -0,0 +1,2 @@
+Here you deploy your SSL keys.  See the file `vars/mail.yml` relative
+to the great-grandparent directory.
--- a/examples/sampleplaybooks/mailserver/vars/mail.yml
+++ b/examples/sampleplaybooks/mailserver/vars/mail.yml
@ -29,14 +29,14 @@ mail:
  - mailserver.domain.com
  - domain.com
  - bond.name
-  ssl: mailserver.domain.com
 ssl:
  # Deploy your key files locally in the Ansible master node
  # within folder files/secrets/tls, relative to the
  # ../role-mailserver.yml file.  Edit these variables
  # to fit the file names of your keys.
-  # This dictionary is also referred by name above, so if
-  # you alter the name of the dictonary, alter it there too.
+  # The followig key mailserver.domain.com must match the
+  # `mail.hostname` variable defined in this file.  If you
+  # alter it here, alter it there too.
  mailserver.domain.com:
    key:           /etc/pki/tls/private/mailserver.domain.com.key
    intermediates: