From 20708ade1f56a1ef84b22ecdca42af9f9bd45c69 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 15 Feb 2024 14:21:02 +0100
Subject: Postfix: Use relay-smtps as relayhost transport.

---
 files/etc/postfix/master.cf      | 44 ++++++++++++++++++++++++++++++++++++++++
 files/etc/postfix/tls_policy     |  2 +-
 tasks/mail.yml                   | 10 ++++++++-
 templates/etc/postfix/main.cf.j2 |  5 ++---
 4 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 files/etc/postfix/master.cf

diff --git a/files/etc/postfix/master.cf b/files/etc/postfix/master.cf
new file mode 100644
index 0000000..3c60f31
--- /dev/null
+++ b/files/etc/postfix/master.cf
@@ -0,0 +1,44 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+        -o smtp_tls_security_level=fingerprint
+relay-smtps unix -      -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+        -o smtp_tls_wrappermode=yes
+        -o smtp_tls_security_level=fingerprint
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
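Review bot: The `relay-smtps` entry pins the peer with `smtp_tls_security_level=fingerprint`, but the fingerprint itself is not in this file — it lives in files/etc/postfix/tls_policy under the key `[smtp.guilhem.org]:465`, so the pin only takes effect if main.cf's `smtp_tls_policy_maps` references that table, which is outside the main.cf.j2 hunk and should be confirmed. A reader of master.cf cannot see that dependency; a line such as `# TLS-wrapped (465/tcp) relay; peer certificate pinned via tls_policy (smtp_tls_policy_maps)` above `relay-smtps` would document it. Note also that the `relay` service keeps the same fingerprint override but is no longer the `default_transport` after this commit, so it is presumably retained only as a fallback; if so, a one-line comment saying that would stop someone from pruning or "fixing" it.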
diff --git a/files/etc/postfix/tls_policy b/files/etc/postfix/tls_policy
index 2af19c5..c5641d3 100644
--- a/files/etc/postfix/tls_policy
+++ b/files/etc/postfix/tls_policy
@@ -1,3 +1,3 @@
 # WARN: smtp_tls_fingerprint_digest MUST be sha256!
-[smtp.guilhem.org]:587 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2
+[smtp.guilhem.org]:465 fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!TLSv1.2
     match=B2:37:09:EC:B9:54:DC:51:FA:77:A1:31:0D:30:06:84:7E:10:81:5B:9B:30:B0:31:6E:9A:7B:53:13:C8:37:62
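Review bot: The lookup key `[smtp.guilhem.org]:465` has to match the `relayhost` string in templates/etc/postfix/main.cf.j2 byte for byte, port included; this commit keeps the two in step, but nothing in either file says so, and a future port change in one place would silently stop the policy entry from matching. A comment next to the existing WARN line, e.g. `# key must equal relayhost in templates/etc/postfix/main.cf.j2 (port included)`, would make the coupling visible. The `match=` line itself is unchanged context here.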
diff --git a/tasks/mail.yml b/tasks/mail.yml
index 89d8530..8f58c8a 100644
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@@ -13,7 +13,7 @@
   notify:
     - Run newaliases
 
-- name: Configure Postfix
+- name: Configure Postfix (main.cf)
   template: src=etc/postfix/main.cf.j2
             dest=/etc/postfix/main.cf
             owner=root group=root
@@ -21,6 +21,14 @@
   notify:
     - Reload Postfix
 
+- name: Configure Postfix (master.cf)
+  copy: src=etc/postfix/master.cf
+        dest=/etc/postfix/master.cf
+        owner=root group=root
+        mode=0644
+  notify:
+    - Restart Postfix
+
 - name: Start Postfix
   service: name=postfix.service enabled=true state=started
 
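Review bot: The new master.cf task notifies `Restart Postfix` while the sibling main.cf task just above notifies `Reload Postfix`; the deployed master.cf's own header says `postfix reload` is what is needed after editing it, so the restart looks heavier than necessary and inconsistent with the neighbouring task. Unless a full restart is wanted for another reason, `- Reload Postfix` would match the existing handler usage. The `Restart Postfix` handler is presumably defined in the role's handlers, which are not part of this patch — worth confirming it exists.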
diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2
index 9557cc4..35a6790 100644
--- a/templates/etc/postfix/main.cf.j2
+++ b/templates/etc/postfix/main.cf.j2
@@ -29,10 +29,9 @@ alias_database     = $virtual_alias_maps
 mailbox_size_limit = 0
 
 # Forward everything to our internal outgoing proxy
-# TODO: User relay-smtps on 465/tcp once Hetzner opens it
 relay_domains     =
-relayhost         = [smtp.guilhem.org]:587
-default_transport = relay
+relayhost         = [smtp.guilhem.org]:465
+default_transport = relay-smtps
 
 smtpd_tls_security_level        = none
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
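Review bot: `default_transport = relay-smtps` now names a transport that only exists in the newly added files/etc/postfix/master.cf, so this template is no longer self-contained and mail would be deferred with an unknown-transport error on a host where main.cf is rendered without that master.cf. The removed TODO line could usefully be replaced by a comment stating the dependency, e.g. `# relay-smtps: implicit-TLS (465/tcp) smtp(8) transport defined in master.cf; peer pinned via tls_policy`. The `smtp_tls_policy_maps` setting that makes the pin effective is not in this hunk, so I cannot confirm it points at files/etc/postfix/tls_policy.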
-- 
cgit v1.2.3