Update for EL8

Adrien Reslinger 2021-03-18 23:30:15 +01:00
parent d7ce4b38c4
commit 7fa0a362a3
Signed by: adrien
GPG key ID: DA7B27055C66D6DE


@ -748,13 +748,21 @@ readme_directory = /usr/share/doc/postfix/README_FILES
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
{% if postfix_mydestination is defined %}
smtpd_tls_cert_file = /etc/lego/certificates/{{ postfix_myhostname }}.crt
{% else %}
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
{% endif %}
# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
{% if postfix_mydestination is defined %}
smtpd_tls_key_file = /etc/lego/certificates/{{ postfix_myhostname }}.key
{% else %}
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
{% endif %}
# Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound).
@ -770,7 +778,11 @@ smtp_tls_CApath = /etc/pki/tls/certs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
{% if postfix_mydestination is defined %}
smtp_tls_CAfile = /etc/lego/certificates/{{ postfix_myhostname }}.issuer.crt
{% else %}
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
{% endif %}
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
@ -780,6 +792,7 @@ meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
{% else %}
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
{% endif %}
{% if postfix_mydestination is defined %}
# Taille mail
@ -807,10 +820,12 @@ tls_random_source = dev:/dev/urandom
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
#tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
{% if ansible_os_family == "RedHat" and ansible_distribution_major_version < '8' %}
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/lego/certificates/{{ postfix_myhostname }}.key
smtpd_tls_cert_file = /etc/lego/certificates/{{ postfix_myhostname }}.crt
smtpd_tls_CAfile = /etc/lego/certificates/{{ postfix_myhostname }}.issuer.crt
{% endif %}
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
@ -878,4 +893,3 @@ smtpd_recipient_restrictions =
# reject_rbl_client bl.spamcop.net,
permit
{% endif %}
{% endif %}
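Review bot: In the `smtp_tls_CAfile` section, the `postfix_mydestination` branch points the outbound trust store at `/etc/lego/certificates/{{ postfix_myhostname }}.issuer.crt`, which is the issuer of this host's own certificate rather than a set of CAs for validating remote servers. `smtp_tls_CAfile` is what the Postfix SMTP client uses to verify the servers it delivers to, so with only that issuer in the file, verification rests on whatever `smtp_tls_CApath` supplies; most peers would log as untrusted, and a destination placed under a `verify` or `secure` policy would presumably fail unless its chain shares that issuer. The issuer file fits the server side (`smtpd_tls_CAfile`, as the pre-8 block further down uses it), so I would keep `smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt` in both branches. Separately, `ansible_distribution_major_version < '8'` compares strings, so a major version of 10 would take the pre-8 branch; `ansible_distribution_major_version | int < 8` avoids that.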