diff --git a/pillar.example b/pillar.example
index 0a25889..a053198 100644
--- a/pillar.example
+++ b/pillar.example
@@ -45,74 +45,39 @@ postfix:
 smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
 smtpd_use_tls: 'yes'
- # SMTP server certificate and key (already installed)
- smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
- smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
- # SMTP server certificate and key (from pillar data)
- smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt
- smtpd_tls_key_file: /etc/ssl/private/postfix-server.key
+ smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
+ smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
 # SMTP client
 smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
 smtp_use_tls: 'yes'
- smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt
- smtp_tls_key_file: /etc/ssl/private/postfix-client.key
+ smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
+ smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
- ssl_certs:
- server: |
+ certificates:
+ server-cert:
+ public_cert: |
 -----BEGIN CERTIFICATE-----
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ (Your primary SSL certificate: smtp.example.com.crt)
 -----END CERTIFICATE-----
-
- client: |
 -----BEGIN CERTIFICATE-----
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ (Your intermediate certificate: example-ca.crt)
 -----END CERTIFICATE-----
-
- ssl_keys:
- server: |
+ -----BEGIN CERTIFICATE-----
+ (Your root certificate: trusted-root.crt)
+ -----END CERTIFICATE-----
+ private_key: |
 -----BEGIN RSA PRIVATE KEY-----
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ (Your Private key)
 -----END RSA PRIVATE KEY-----
- client: |
+ example.com-relay-client-cert:
+ public_cert: |
+ -----BEGIN CERTIFICATE-----
+ (Your primary SSL certificate: smtp.example.com.crt)
+ -----END CERTIFICATE-----
+ private_key: |
 -----BEGIN RSA PRIVATE KEY-----
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ (Your Private key)
 -----END RSA PRIVATE KEY-----
diff --git a/postfix/config.sls b/postfix/config.sls
index 18ae795..2dd21b4 100644
--- a/postfix/config.sls
+++ b/postfix/config.sls
@@ -34,37 +34,23 @@ include:
 - template: jinja
 {% endif %}
-{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%}
-{% for name in ssl_certs %}
-/etc/ssl/private/postfix-{{ name }}.crt:
+{%- for domain in salt['pillar.get']('postfix:certificates', {}).keys() %}
+
+postfix_{{ domain }}_ssl_certificate:
 file.managed:
- - contents: |
- {{ ssl_certs[name] | indent(8) }}
- - user: nobody
- - group: nobody
- - mode: 444
- - backup: minion
+ - name: /etc/postfix/ssl/{{ domain }}.crt
+ - makedirs: True
+ - contents_pillar: postfix:certificates:{{ domain }}:public_cert
 - watch_in:
- - service: postfix
- - require:
- - pkg: postfix
-{% endfor %}
+ - service: postfix
-
-{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%}
-{% for name in ssl_keys %}
-/etc/ssl/private/postfix-{{ name }}.key:
+postfix_{{ domain }}_ssl_key:
 file.managed:
- - contents: |
- {{ ssl_keys[name] | indent(8) }}
- - user: nobody
- - group: nobody
- - mode: 400
- - backup: minion
+ - name: /etc/postfix/ssl/{{ domain }}.key
+ - mode: 600
+ - makedirs: True
+ - contents_pillar: postfix:certificates:{{ domain }}:private_key
 - watch_in:
- - service: postfix
- - require:
- - pkg: postfix
+ - service: postfix
+
 {% endfor %}
-
-
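Review bot: The new `postfix_{{ domain }}_ssl_key` state delivers a private key through `contents_pillar` with `show_changes` left at its default, so any later change to that file (key rotation, drift repair) makes `file.managed` include a unified diff of the old and new key in the state result and job return; add `- show_changes: False` next to `- contents_pillar: postfix:certificates:{{ domain }}:private_key`. The key state also drops the old `user`/`group` and relies on whichever account runs the minion (normally root) owning the `0600` file, which is what Postfix wants for `smtpd_tls_key_file`, but `- user: root` and `- group: root` would make that requirement explicit rather than implicit. The cert state sets no `mode` at all, so a freshly created file takes its permissions from the minion's umask; a `- mode: '0644'` pins it, and quoting both modes (`'0600'`, `'0644'`) avoids the YAML octal trap if a leading zero is ever added. The loop also passes the pillar key straight into the path `/etc/postfix/ssl/{{ domain }}.crt`; pillar is master-controlled so this is low risk, but a comment such as `# pillar key doubles as the file basename under /etc/postfix/ssl` would make the coupling visible to whoever edits the pillar.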