senselab/ansible-role-postfix
4
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
101 commits 1 branch 0 tags 332 KiB
Jinja 99.4%
Shell 0.6%
Go to file
phil 45c7bf0c50 Enable dual use of RSA and ECDSA certificates 
for submission und smtp port
2024-06-27 18:52:09 +02:00
defaults Add missing variables 2023-11-08 09:03:26 +01:00
files Configure restart behaviour 2023-11-19 19:26:40 +01:00
handlers Restart postfix service via systemd 2023-11-03 21:37:22 +01:00
meta Initial commit 2023-03-20 20:01:04 +01:00
tasks Use Ansible defaults to insert comments 2024-03-27 17:39:16 +01:00
templates Enable dual use of RSA and ECDSA certificates 2024-06-27 18:52:09 +02:00
.gitignore Add gitignore file 2023-06-11 09:38:41 +02:00
README.md Add section about dual use of RSA and ECDSA certificates 2024-06-27 00:29:01 +02:00

README.md

Postfix

Use this role to setup a Postfix mail server. It comes with the following additions:

General type of mail server configuration

You can select via the variable postfix_type a pre-defined set of configuraion options that best meets your needs.

  • internet: Mail is send received directly using SMTP. TLS is enabled.
  • internal: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.

Dual use of RSA and ECDSA certificates

Newer versions of Let's Encrypt clients (as of Certbot 2.0.0 or Dehydrated ) defaults to ECDSA certificates. This could be a problem with older mail servers which only support RSA ciphers. Postfix can use both RSA and ECDSA certificates at the same time.

If you use Dehydrated follow these steps:

  • Add your domain to /etc/dehydrated/domains.txt: 
    mx.example.org
  • Add another entry to /etc/dehydrated/domains.txt for the RSA certificate and use the alias to force a different directory name: 
    mx.example.org
mx.example.org > mx.example.org_rsa
  • Create the certificate's directory: 
    mkdir /var/lib/dehydrated/certs/mx.example.org_rsa
chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa
  • Create a config /var/lib/dehydrated/certs/mx.example.org_rsa/config with the following setting: 
    KEY_ALGO="rsa"
  • Obtain the certificate: 
    dehydrated --cron
  • Add all certificates to Postfix' main.cf: 
    smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem
smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem
smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem

Variables

Required

Variable Value Default Note
postfix_type str internet Determines how to setup Postfix. Choose internet or internal

Scope: misc

Variable Value Default Note
unbound_install bool True if you whish to install unbound
postfix_onionmx bool True to setup OnionMX delivery
postfix_tls_herlp bool True to setup Mail-TLS-Helper
postfix_mydestination List List with hostnames
postfix_mynetworks List List with network addresses

Scope: submission

Variable Value Default Note
postfix_submission bool Set True to configure submission port settings
postfix_submission_smtpd_tls_cert_file string Path to TLS cert file
postfix_submission_smtpd_tls_key_file string Path to TLS key file
postfix_submission_non_tls_port int Port number for an additional (internal) submission port without TLS

Scope: SASL Auth

Variable Value Default Note
postfix_smtpd_sasl_type string
postfix_smtpd_sasl_path string
postfix_smtp_sasl_auth_enabled bool no
postfix_smtp_sasl_auth_relay string Relay server which provides SASL-Auth
postfix_smtp_sasl_auth_user string Username for SASL authentication
postfix_smtp_sasl_auth_password string Password for SASL authenticatio