Switch to SSL management method used in nginx.ng formula
Also change the path to the certificates, since the previous ones were distribution specific: they look like Debian paths, and Gentoo uses different ones. The new path follows the same logic as the nginx formula: use a folder known to exist, which the server most likely also has permission to read since it is its own configuration folder.
This commit is contained in:
parent
06ae3b5315
commit
159c9e81ac
2 changed files with 35 additions and 84 deletions
|
@ -45,74 +45,39 @@ postfix:
|
|||
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
|
||||
smtpd_use_tls: 'yes'
|
||||
|
||||
# SMTP server certificate and key (already installed)
|
||||
smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
|
||||
# SMTP server certificate and key (from pillar data)
|
||||
smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt
|
||||
smtpd_tls_key_file: /etc/ssl/private/postfix-server.key
|
||||
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
|
||||
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
|
||||
|
||||
# SMTP client
|
||||
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
|
||||
smtp_use_tls: 'yes'
|
||||
smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt
|
||||
smtp_tls_key_file: /etc/ssl/private/postfix-client.key
|
||||
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
|
||||
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
|
||||
|
||||
ssl_certs:
|
||||
server: |
|
||||
certificates:
|
||||
server-cert:
|
||||
public_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
(Your primary SSL certificate: smtp.example.com.crt)
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
client: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
(Your intermediate certificate: example-ca.crt)
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
ssl_keys:
|
||||
server: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
(Your root certificate: trusted-root.crt)
|
||||
-----END CERTIFICATE-----
|
||||
private_key: |
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
(Your Private key)
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
client: |
|
||||
example.com-relay-client-cert:
|
||||
public_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
(Your primary SSL certificate: smtp.example.com.crt)
|
||||
-----END CERTIFICATE-----
|
||||
private_key: |
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
(Your Private key)
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
|
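Review bot: The new `server-cert` entry's `public_cert` placeholder names only "(Your primary SSL certificate: smtp.example.com.crt)", while the intermediate certificate that the removed `ssl_certs` example carried has no place in the new `certificates:` layout; Postfix reads the whole chain from `smtpd_tls_cert_file`, so a `public_cert` holding only the leaf yields an incomplete chain for peers. A comment above `certificates:` should state the expected content, e.g. `# public_cert: server certificate followed by any intermediate CA certs (in order); private_key: the matching unencrypted PEM key`. The rendered page does not preserve which example lines are old and which are new, so which placeholders survive on the new side is inferred from print order and the hunk counts.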
@ -34,37 +34,23 @@ include:
|
|||
- template: jinja
|
||||
{% endif %}
|
||||
|
||||
{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%}
|
||||
{% for name in ssl_certs %}
|
||||
/etc/ssl/private/postfix-{{ name }}.crt:
|
||||
{%- for domain in salt['pillar.get']('postfix:certificates', {}).keys() %}
|
||||
|
||||
postfix_{{ domain }}_ssl_certificate:
|
||||
file.managed:
|
||||
- contents: |
|
||||
{{ ssl_certs[name] | indent(8) }}
|
||||
- user: nobody
|
||||
- group: nobody
|
||||
- mode: 444
|
||||
- backup: minion
|
||||
- name: /etc/postfix/ssl/{{ domain }}.crt
|
||||
- makedirs: True
|
||||
- contents_pillar: postfix:certificates:{{ domain }}:public_cert
|
||||
- watch_in:
|
||||
- service: postfix
|
||||
- require:
|
||||
- pkg: postfix
|
||||
{% endfor %}
|
||||
- service: postfix
|
||||
|
||||
|
||||
{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%}
|
||||
{% for name in ssl_keys %}
|
||||
/etc/ssl/private/postfix-{{ name }}.key:
|
||||
postfix_{{ domain }}_ssl_key:
|
||||
file.managed:
|
||||
- contents: |
|
||||
{{ ssl_keys[name] | indent(8) }}
|
||||
- user: nobody
|
||||
- group: nobody
|
||||
- mode: 400
|
||||
- backup: minion
|
||||
- name: /etc/postfix/ssl/{{ domain }}.key
|
||||
- mode: 600
|
||||
- makedirs: True
|
||||
- contents_pillar: postfix:certificates:{{ domain }}:private_key
|
||||
- watch_in:
|
||||
- service: postfix
|
||||
- require:
|
||||
- pkg: postfix
|
||||
- service: postfix
|
||||
|
||||
{% endfor %}
|
||||
|
||||
|
||||
|
|
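Review bot: `postfix_{{ domain }}_ssl_key` manages the private key with `file.managed` but without `show_changes: False`, so on every key rotation the unified diff of the old and new PEM key is returned in the state output and retained in the master's job cache; add `- show_changes: False` next to `- mode: 600`. The `.crt` state sets no `mode` at all and relies on the default, which is acceptable for a public certificate but should be explicit, `- mode: 644`, and both modes read better quoted (`- mode: '0600'`), the form Salt's file.managed documentation recommends to avoid octal/integer confusion. The `include:`/`{% if %}` block that the leading `- template: jinja` and `{% endif %}` context lines belong to starts outside the hunk.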