Allow certs and keys to be specified in the pillar

pillar.example

@@ -27,20 +27,9 @@ postfix:
   config:
     smtpd_banner: $myhostname ESMTP $mail_name
     biff: 'no'
-
     append_dot_mydomain: 'no'
-
     readme_directory: 'no'
-
-    smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
-    smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
-    smtpd_use_tls: 'yes'
-    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
-    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
-
     myhostname: localhost
-    alias_maps: hash:/etc/aliases
-    alias_database: hash:/etc/aliases
     mydestination: localhost, localhost.localdomain
     relayhost: 
     mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
@@ -48,3 +37,82 @@ postfix:
     recipient_delimiter: +
     inet_interfaces: all
 
+    # Alias
+    alias_maps: hash:/etc/aliases
+    alias_database: hash:/etc/aliases
+
+    # SMTP server
+    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
+    smtpd_use_tls: 'yes'
+
+    # SMTP server certificate and key (already installed)
+    smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
+    smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+
+    # SMTP server certificate and key (from pillar data)
+    smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt
+    smtpd_tls_key_file: /etc/ssl/private/postfix-server.key
+
+    # SMTP client
+    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+    smtp_use_tls: 'yes'
+    smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt
+    smtp_tls_key_file: /etc/ssl/private/postfix-client.key
+
+  ssl_certs:
+    server: |
+        -----BEGIN CERTIFICATE-----
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        -----END CERTIFICATE-----
+
+    client: |
+        -----BEGIN CERTIFICATE-----
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        -----END CERTIFICATE-----
+
+  ssl_keys:
+    server: |
+        -----BEGIN RSA PRIVATE KEY-----
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        -----END RSA PRIVATE KEY-----
+
+    client: |
+        -----BEGIN RSA PRIVATE KEY-----
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        -----END RSA PRIVATE KEY-----

postfix/config.sls

@@ -33,3 +33,38 @@ include:
       - service: postfix
     - template: jinja
 {% endif %}
+
+{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%}
+{% for name in ssl_certs %}
+/etc/ssl/private/postfix-{{ name }}.crt:
+  file.managed:
+    - contents: |
+        {{ ssl_certs[name] | indent(8) }}
+    - user: nobody
+    - group: nobody
+    - mode: 444
+    - backup: minion
+    - watch_in:
+      - service: postfix
+    - require:
+      - pkg: postfix
+{% endfor %}
+
+
+{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%}
+{% for name in ssl_keys %}
+/etc/ssl/private/postfix-{{ name }}.key:
+  file.managed:
+    - contents: |
+        {{ ssl_keys[name] | indent(8) }}
+    - user: nobody
+    - group: nobody
+    - mode: 400
+    - backup: minion
+    - watch_in:
+      - service: postfix
+    - require:
+      - pkg: postfix
+{% endfor %}
+
+