From 58bba600b6b652c44ed368636d3acc41e788ad79 Mon Sep 17 00:00:00 2001
From: "Manuel Amador (Rudd-O)"
Date: Sun, 21 Feb 2016 13:25:00 +0000
Subject: [PATCH] alter the way that SSL certificates are chosen for mail servers, and add a TLS secrets readme
---
.../mailserver/files/mailserver/etc/dovecot/local.conf | 4 ++--
.../mailserver/files/mailserver/etc/postfix/main.cf | 4 ++--
.../sampleplaybooks/mailserver/files/secrets/tls/README.md | 2 ++
examples/sampleplaybooks/mailserver/vars/mail.yml | 6 +++---
4 files changed, 9 insertions(+), 7 deletions(-)
create mode 100644 examples/sampleplaybooks/mailserver/files/secrets/tls/README.md
diff --git a/examples/sampleplaybooks/mailserver/files/mailserver/etc/dovecot/local.conf b/examples/sampleplaybooks/mailserver/files/mailserver/etc/dovecot/local.conf
index cce4b55..91c79a3 100644
--- a/examples/sampleplaybooks/mailserver/files/mailserver/etc/dovecot/local.conf
+++ b/examples/sampleplaybooks/mailserver/files/mailserver/etc/dovecot/local.conf
@@ -53,8 +53,8 @@ plugin {
}
disable_plaintext_auth = yes
ssl = required
-ssl_cert = <{{ ssl[mail.ssl]["assembled"] }}
-ssl_key = <{{ ssl[mail.ssl]["key"] }}
+ssl_cert = <{{ ssl[mail.hostname]["assembled"] }}
+ssl_key = <{{ ssl[mail.hostname]["key"] }}
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = EECDH+AESGCM:AES256+EECDH:AES128+EECDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
diff --git a/examples/sampleplaybooks/mailserver/files/mailserver/etc/postfix/main.cf b/examples/sampleplaybooks/mailserver/files/mailserver/etc/postfix/main.cf
index 5ee5c70..df8ba4d 100644
--- a/examples/sampleplaybooks/mailserver/files/mailserver/etc/postfix/main.cf
+++ b/examples/sampleplaybooks/mailserver/files/mailserver/etc/postfix/main.cf
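Review bot: `ssl_protocols = !SSLv2 !SSLv3` on the new side of the dovecot hunk still leaves TLSv1 and TLSv1.1 enabled for IMAP/POP, while the Postfix hunk in this same commit rejects both (`!TLSv1,!TLSv1.1`), so the two daemons now share one certificate but not one protocol floor. Since the certificate lookup is being reworked anyway, this is the moment to align them: `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` (on Dovecot 2.3 and later the equivalent knob is `ssl_min_protocol = TLSv1.2`; I cannot see from the hunk which version the playbook targets). The new `ssl_cert`/`ssl_key` lines also hide a hard coupling to the vars file, so a comment above them such as `# certificate is chosen by mail.hostname; it must be a key of the ssl dict in vars/mail.yml` would make the failure mode obvious when the lookup does not resolve. The `plugin { ... }` block this hunk closes starts outside the hunk.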
@@ -711,8 +711,8 @@ smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
-smtpd_tls_cert_file = {{ ssl[mail.ssl]["assembled"] }}
-smtpd_tls_key_file = {{ ssl[mail.ssl]["key"] }}
+smtpd_tls_cert_file = {{ ssl[mail.hostname]["assembled"] }}
+smtpd_tls_key_file = {{ ssl[mail.hostname]["key"] }}
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
diff --git a/examples/sampleplaybooks/mailserver/files/secrets/tls/README.md b/examples/sampleplaybooks/mailserver/files/secrets/tls/README.md
new file mode 100644
index 0000000..9a2024b
--- /dev/null
+++ b/examples/sampleplaybooks/mailserver/files/secrets/tls/README.md
@@ -0,0 +1,2 @@
+Here you deploy your SSL keys. See the file `vars/mail.yml` relative
+to the great-grandparent directory.
diff --git a/examples/sampleplaybooks/mailserver/vars/mail.yml b/examples/sampleplaybooks/mailserver/vars/mail.yml
index 003b49b..4a4d489 100644
--- a/examples/sampleplaybooks/mailserver/vars/mail.yml
+++ b/examples/sampleplaybooks/mailserver/vars/mail.yml
@@ -29,14 +29,14 @@ mail:
- mailserver.domain.com
- domain.com
- bond.name
- ssl: mailserver.domain.com
ssl:
# Deploy your key files locally in the Ansible master node
# within folder files/secrets/tls, relative to the
# ../role-mailserver.yml file. Edit these variables
# to fit the file names of your keys.
- # This dictionary is also referred by name above, so if
- # you alter the name of the dictonary, alter it there too.
+ # The followig key mailserver.domain.com must match the
+ # `mail.hostname` variable defined in this file. If you
+ # alter it here, alter it there too.
mailserver.domain.com:
key: /etc/pki/tls/private/mailserver.domain.com.key
intermediates:
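Review bot: `smtpd_tls_key_file` now resolves to whatever path `ssl[mail.hostname]["key"]` names, but nothing in this commit (the new README included) says what ownership and mode that file needs on the target; per Postfix's TLS documentation the private key is read as root before privileges are dropped and should be root-owned, mode 0600, and not readable by the `postfix` user. A comment above the line, `# key must be root:root 0600 on the target; Postfix reads it as root before dropping privileges`, would put that requirement next to the setting that depends on it. Separately but visible in the same hunk, `smtp_tls_security_level = may` keeps outbound delivery opportunistic, which is the usual MTA-to-MTA choice but means a peer that offers no TLS is accepted silently; if `smtp_tls_loglevel` is not set outside this hunk, `smtp_tls_loglevel = 1` would at least make those plaintext deliveries visible in the logs. The surrounding TLS section of main.cf starts before this hunk.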
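Review bot: the added comment asks the operator to keep the `mailserver.domain.com` key of `ssl` in sync with `mail.hostname` by hand, but nothing enforces it now that `mail.ssl` is gone and the templates index `ssl[mail.hostname]` directly, so a mismatch surfaces only as a Jinja lookup error part-way through a run. An early assertion in the playbook, `- assert: { that: mail.hostname in ssl, fail_msg: "ssl dict has no entry for mail.hostname" }`, would fail with a readable message before any file is written (I am inferring `mail.hostname` exists from the comment; its definition is outside this hunk). The same comment directs private keys into `files/secrets/tls` inside the playbook tree, and the commit adds a README there but no ignore rule, so a `.gitignore` for that directory (or ansible-vault for the key material) would keep a key from being committed by accident. Also `followig` should read `following`. The `mailserver.domain.com` dictionary continues past the end of the hunk.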