From 06ae3b5315b9ed5939c31346f161d2774ce5bf16 Mon Sep 17 00:00:00 2001
From: Imran Haider
Date: Sat, 20 Jun 2015 16:49:09 -0400
Subject: [PATCH] Allow certs and keys to be specified in the pillar
---
 pillar.example | 90 ++++++++++++++++++++++++++++++++++++++++------
 postfix/config.sls | 35 ++++++++++++++++++
 2 files changed, 114 insertions(+), 11 deletions(-)
diff --git a/pillar.example b/pillar.example
index ec2f913..0a25889 100644
--- a/pillar.example
+++ b/pillar.example
@@ -27,20 +27,9 @@ postfix:
 config:
 smtpd_banner: $myhostname ESMTP $mail_name
 biff: 'no'
- append_dot_mydomain: 'no'
- readme_directory: 'no'
-
- smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
- smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
- smtpd_use_tls: 'yes'
- smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
- smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
- myhostname: localhost
- alias_maps: hash:/etc/aliases
- alias_database: hash:/etc/aliases
 mydestination: localhost, localhost.localdomain
 relayhost:
 mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
@@ -48,3 +37,82 @@ postfix:
 recipient_delimiter:
+ inet_interfaces: all
+ # Alias
+ alias_maps: hash:/etc/aliases
+ alias_database: hash:/etc/aliases
+
+ # SMTP server
+ smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
+ smtpd_use_tls: 'yes'
+
+ # SMTP server certificate and key (already installed)
+ smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # SMTP server certificate and key (from pillar data)
+ smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt
+ smtpd_tls_key_file: /etc/ssl/private/postfix-server.key
+
+ # SMTP client
+ smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+ smtp_use_tls: 'yes'
+ smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt
+ smtp_tls_key_file: /etc/ssl/private/postfix-client.key
+
+ ssl_certs:
+ server: |
+ -----BEGIN CERTIFICATE-----
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ -----END CERTIFICATE-----
+
+ client: |
+ -----BEGIN CERTIFICATE-----
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ -----END CERTIFICATE-----
+
+ ssl_keys:
+ server: |
+ -----BEGIN RSA PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ -----END RSA PRIVATE KEY-----
+
+ client: |
+ -----BEGIN RSA PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ -----END RSA PRIVATE KEY-----
diff --git a/postfix/config.sls b/postfix/config.sls
index ef4e9ec..18ae795 100644
--- a/postfix/config.sls
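Review bot: `smtpd_tls_cert_file` and `smtpd_tls_key_file` are now listed twice inside the same `config:` mapping (the "already installed" snakeoil pair and the "from pillar data" pair), which makes the example a duplicate-key YAML document; plain PyYAML silently keeps whichever pair comes last, and Salt's own YAML loader, as I recall, rejects conflicting keys outright, so the example either hides the snakeoil option or fails to render. Commenting one pair out makes them read as alternatives, e.g. `# smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem` and `# smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key`. Because `ssl_keys` carries private-key material, a one-line comment above it saying that real values belong in an encrypted pillar source rather than a plaintext file on the master would help anyone who copies this file. The `config:` mapping these lines belong to starts in the previous hunk.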
+++ b/postfix/config.sls
@@ -33,3 +33,38 @@ include:
 - service: postfix
 - template: jinja
 {% endif %}
+
+{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%}
+{% for name in ssl_certs %}
+/etc/ssl/private/postfix-{{ name }}.crt:
+ file.managed:
+ - contents: |
+ {{ ssl_certs[name] | indent(8) }}
+ - user: nobody
+ - group: nobody
+ - mode: 444
+ - backup: minion
+ - watch_in:
+ - service: postfix
+ - require:
+ - pkg: postfix
+{% endfor %}
+
+
+{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%}
+{% for name in ssl_keys %}
+/etc/ssl/private/postfix-{{ name }}.key:
+ file.managed:
+ - contents: |
+ {{ ssl_keys[name] | indent(8) }}
+ - user: nobody
+ - group: nobody
+ - mode: 400
+ - backup: minion
+ - watch_in:
+ - service: postfix
+ - require:
+ - pkg: postfix
+{% endfor %}
+
+
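Review bot: The `.key` state at the end of the hunk hands the private key to `- user: nobody` / `- group: nobody`, so even with `- mode: 400` the file is readable by every process that runs as the shared `nobody` account rather than by Postfix alone; as I recall Postfix loads its TLS key during root-privileged startup, so `- user: root` and `- group: root` are the usual owners here, and the `.crt` loop earlier in the hunk should use the same owner for consistency. `name` is interpolated straight from the pillar key into `/etc/ssl/private/postfix-{{ name }}.crt` and `.key`; pillar is master-controlled so this is low risk, but a comment such as `# each key under postfix:ssl_certs / postfix:ssl_keys (e.g. server, client) names one file` would document the contract with pillar.example. `- backup: minion` also keeps a copy of each replaced key in the minion's file backup directory, which is worth confirming preserves the same restrictive mode.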