From af33fff61b767b8cbcd36b80a8a4e773df89fd33 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Mon, 11 Mar 2024 14:23:42 +0100
Subject: [PATCH 1/3] Some Apache docs updates.
---
 docs/roles/debian/apache.md | 8 +++++---
 roles/debian/apache/README.md | 8 +++++---
 roles/debian/apache/defaults/main.yml | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/docs/roles/debian/apache.md b/docs/roles/debian/apache.md
index 1cf82d612..c39087ef8 100644
--- a/docs/roles/debian/apache.md
+++ b/docs/roles/debian/apache.md
@@ -55,16 +55,18 @@ apache:
 handling: selfsigned
 # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing:
 # handling: letsencrypt
- # http_01_port: 5000
+ # http_01_port: 80
 # autorenew: true
 # email: sysadm@codeenigma.com
- # services: []
+ # services:
+ # - apache2
 # web_server: standalone
 # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n"
 # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew"
 # reload_command: restart
 # reload:
- # - apache
+ # - apache2
+ # on_calendar: "Mon *-*-* 04:00:00"
 is_default: true
 basic_auth:
 auth_enabled: false
diff --git a/roles/debian/apache/README.md b/roles/debian/apache/README.md
index 1cf82d612..c39087ef8 100644
--- a/roles/debian/apache/README.md
+++ b/roles/debian/apache/README.md
@@ -55,16 +55,18 @@ apache:
 handling: selfsigned
 # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing:
 # handling: letsencrypt
- # http_01_port: 5000
+ # http_01_port: 80
 # autorenew: true
 # email: sysadm@codeenigma.com
- # services: []
+ # services:
+ # - apache2
 # web_server: standalone
 # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n"
 # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew"
 # reload_command: restart
 # reload:
- # - apache
+ # - apache2
+ # on_calendar: "Mon *-*-* 04:00:00"
 is_default: true
 basic_auth:
 auth_enabled: false
diff --git a/roles/debian/apache/defaults/main.yml b/roles/debian/apache/defaults/main.yml
index e08cb15b4..0b187f183 100644
--- a/roles/debian/apache/defaults/main.yml
+++ b/roles/debian/apache/defaults/main.yml
@@ -45,16 +45,18 @@ apache:
 handling: selfsigned
 # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing:
 # handling: letsencrypt
- # http_01_port: 5000
+ # http_01_port: 80
 # autorenew: true
 # email: sysadm@codeenigma.com
- # services: []
+ # services:
+ # - apache2
 # web_server: standalone
 # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n"
 # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew"
 # reload_command: restart
 # reload:
- # - apache
+ # - apache2
+ # on_calendar: "Mon *-*-* 04:00:00"
 is_default: true
 basic_auth:
 auth_enabled: false
From 598dfc8caf089be11dade9b21e70e010c7cd5568 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Mon, 11 Mar 2024 14:24:00 +0100
Subject: [PATCH 2/3] Sorting TLS for SMTP in Postfix config.
---
 docs/roles/debian/postfix.md | 11 ++++++++++-
 roles/debian/postfix/README.md | 11 ++++++++++-
 roles/debian/postfix/defaults/main.yml | 7 +++++++
 roles/debian/postfix/templates/main.cf.j2 | 13 ++++++++++++-
 4 files changed, 39 insertions(+), 3 deletions(-)
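Review bot: The sample now pairs `http_01_port: 80` with `web_server: standalone` and `services: - apache2`, but nothing in the comment block says why those three belong together; presumably the letsencrypt role stops the listed services so standalone certbot can bind port 80 for the HTTP-01 challenge, and a reader who copies the sample but drops `services` will get a port-bind failure on the first renewal while Apache is still listening. I would add a line above `services:` such as `# services to stop while standalone certbot owns http_01_port (80) for the challenge`. The new `on_calendar: "Mon *-*-* 04:00:00"` also sits next to a `certbot_renew_command` that uses `--force-renew`, so if the timer runs that command on every tick a fresh certificate is issued weekly regardless of expiry; worth a one-line comment, or confirming the timer only re-issues when the certificate is close to expiry.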
diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index 0abe2aa0b..5b9b0e70d 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -1,5 +1,7 @@ # Postfix -Installs and configures Postfix for sending mail. Mail sending is disabled by default. +Installs and configures Postfix for sending mail. Mail sending is disabled by default using transport maps. + +Full TLS SMTP support is optional by enabling SSL. @@ -36,6 +38,13 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/redmine-app1.codeenigma.net/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt ``` diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index 0abe2aa0b..5b9b0e70d 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -1,5 +1,7 @@ # Postfix -Installs and configures Postfix for sending mail. Mail sending is disabled by default. +Installs and configures Postfix for sending mail. Mail sending is disabled by default using transport maps. + +Full TLS SMTP support is optional by enabling SSL. @@ -36,6 +38,13 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/redmine-app1.codeenigma.net/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt ``` 
diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml
index e0f09c009..f10931632 100644
--- a/roles/debian/postfix/defaults/main.yml
+++ b/roles/debian/postfix/defaults/main.yml
@@ -27,3 +27,10 @@ postfix:
 aliases: []
 #- user: root
 # alias: admin@example.com
+ # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere
+ ssl:
+ enabled: false
+ smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem
+ smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/redmine-app1.codeenigma.net/privkey.pem
+ smtp_tls_CApath: /etc/ssl/certs
+ smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt
diff --git a/roles/debian/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2
index d4dfa9853..4021d5b45 100644
--- a/roles/debian/postfix/templates/main.cf.j2
+++ b/roles/debian/postfix/templates/main.cf.j2
@@ -37,9 +37,20 @@ non_smtpd_milters = inet:localhost:8891
 smtp_sasl_auth_enable = yes
 smtp_sasl_security_options = noanonymous
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+{% endif %}
+{% if postfix.use_ses or postfix.ssl.enabled %}
 smtp_use_tls = yes
 smtp_tls_note_starttls_offer = yes
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_CApath = {{ postix.ssl.smtp_tls_CApath }}
+smtp_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }}
+{% endif %}
+{% if postfix.ssl.enabled %}
+smtp_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }}
+smtp_tls_key_file = {{ postix.ssl.smtp_tls_key_file }}
+smtpd_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }}
+smtpd_tls_key_file = {{ postix.ssl.smtp_tls_key_file }}
+smtpd_tls_CApath = {{ postix.ssl.smtp_tls_CApath }}
+smtpd_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }}
 {% endif %}
 {% if (is_local is defined) and is_local %}
 # Force all mail to ce-dev user.
From ad3be7fb499cdc72fe75590ae2eb7fb912ea0732 Mon Sep 17 00:00:00 2001
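Review bot: `smtp_tls_cert_file: ""` and `smtp_tls_key_file: ""` are substituted into main.cf verbatim by the template in this same commit, so an inventory that sets `enabled: true` but forgets the paths renders empty `smtp_tls_cert_file =` / `smtpd_tls_key_file =` entries, and Postfix will, as far as I recall, log a warning and carry on without the certificate rather than refuse to start. I'd say so in the comment — `# both paths are required when enabled: true; the key must stay root-only (0600)` — and have the role's tasks (not in this hunk) assert both are non-empty before templating. Note also that the Apache README in this same series warns that `include_role` does not merge defaults, so a consumer that supplies its own `postfix:` dict without the new `ssl` key will hit an undefined `postfix.ssl` in the template; either document `ssl` as mandatory or guard the template with `postfix.ssl is defined`.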
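Review bot: Every new substitution in the hunk spells the variable `postix.ssl...` instead of `postfix.ssl...`, so with Ansible's default undefined-variable handling the template fails to render as soon as `use_ses` or `ssl.enabled` is true, and under a lenient `error_on_undefined_vars` setting it would silently emit empty `smtp_tls_CApath =` / `smtp_tls_CAfile =` values. Beyond the typo, the TLS posture is weaker than the README's "Full TLS SMTP support" suggests: `smtp_use_tls = yes` is a legacy alias that Postfix treats as `smtp_tls_security_level = may`, i.e. opportunistic, unverified STARTTLS, so the CAfile/CApath are never used to reject a relay with a bad chain, and no `smtpd_tls_security_level` is set, so the inbound `smtpd_tls_*` lines configure a certificate for a listener that never offers STARTTLS. I would fix the spelling, replace `smtp_use_tls` with an explicit `smtp_tls_security_level` (keeping `may` for SES parity, with a comment pointing at `secure`/`verify` for a fixed relay), and add `smtpd_tls_security_level = may` alongside the smtpd certificate lines. The `{% if (is_local is defined) and is_local %}` block at the tail continues past the hunk.
```jinja
{% if postfix.use_ses or postfix.ssl.enabled %}
# smtp_use_tls is a legacy alias for level "may": opportunistic, unverified STARTTLS.
# Use "secure" or "verify" for a fixed relay whose chain is trusted via the CA settings below.
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_CApath = {{ postfix.ssl.smtp_tls_CApath }}
smtp_tls_CAfile = {{ postfix.ssl.smtp_tls_CAfile }}
{% endif %}
{% if postfix.ssl.enabled %}
smtp_tls_cert_file = {{ postfix.ssl.smtp_tls_cert_file }}
smtp_tls_key_file = {{ postfix.ssl.smtp_tls_key_file }}
# Without a security level smtpd never offers STARTTLS and the cert/key below go unused.
smtpd_tls_security_level = may
smtpd_tls_cert_file = {{ postfix.ssl.smtp_tls_cert_file }}
smtpd_tls_key_file = {{ postfix.ssl.smtp_tls_key_file }}
smtpd_tls_CApath = {{ postfix.ssl.smtp_tls_CApath }}
smtpd_tls_CAfile = {{ postfix.ssl.smtp_tls_CAfile }}
{% endif %}
```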
From: gregharvey Date: Mon, 11 Mar 2024 14:31:53 +0100 Subject: [PATCH 3/3] Left bad domain in example cert paths. --- docs/roles/debian/postfix.md | 2 +- roles/debian/postfix/README.md | 2 +- roles/debian/postfix/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index 5b9b0e70d..e63f3b70a 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -42,7 +42,7 @@ postfix: ssl: enabled: false smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem - smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/redmine-app1.codeenigma.net/privkey.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem smtp_tls_CApath: /etc/ssl/certs smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index 5b9b0e70d..e63f3b70a 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -42,7 +42,7 @@ postfix: ssl: enabled: false smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem - smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/redmine-app1.codeenigma.net/privkey.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem smtp_tls_CApath: /etc/ssl/certs smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml index f10931632..10e373b83 100644 --- a/roles/debian/postfix/defaults/main.yml +++ b/roles/debian/postfix/defaults/main.yml 
@@ -31,6 +31,6 @@ postfix:
 ssl:
 enabled: false
 smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem
- smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/redmine-app1.codeenigma.net/privkey.pem
+ smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem
 smtp_tls_CApath: /etc/ssl/certs
 smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt