From 159c9e81acda19c091d02e325d2cb83dcca70e4e Mon Sep 17 00:00:00 2001
From: Gilles Dartiguelongue
Date: Sun, 30 Aug 2015 19:30:08 +0200
Subject: [PATCH] Switch to SSL management method used in nginx.ng formula

Also change path to certificates since previous ones are distribution specific. They look like Debian path, Gentoo uses different ones. New path uses same logic as nginx's formula, use known to exist folder which server most likely has permission to read too since it is its configuration folder.
---
 pillar.example | 77 +++++++++++++---------------------------------
 postfix/config.sls | 42 +++++++++---------------
 2 files changed, 35 insertions(+), 84 deletions(-)

diff --git a/pillar.example b/pillar.example
index 0a25889..a053198 100644
--- a/pillar.example
+++ b/pillar.example
@@ -45,74 +45,39 @@ postfix: smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache smtpd_use_tls: 'yes' - # SMTP server certificate and key (already installed) - smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem - smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key - # SMTP server certificate and key (from pillar data) - smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt - smtpd_tls_key_file: /etc/ssl/private/postfix-server.key + smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt + smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key # SMTP client smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache smtp_use_tls: 'yes' - smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt - smtp_tls_key_file: /etc/ssl/private/postfix-client.key + smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt + smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key - ssl_certs: - server: | + certificates: + server-cert: + public_cert: | -----BEGIN CERTIFICATE----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your primary SSL certificate: smtp.example.com.crt) -----END CERTIFICATE----- - - client: | -----BEGIN CERTIFICATE----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your intermediate certificate: example-ca.crt) -----END CERTIFICATE----- - - ssl_keys: - server: | + -----BEGIN CERTIFICATE----- + (Your root certificate: trusted-root.crt) + -----END CERTIFICATE----- + private_key: | -----BEGIN RSA PRIVATE KEY----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your Private key) -----END RSA PRIVATE KEY----- - client: | + example.com-relay-client-cert: + public_cert: | + -----BEGIN CERTIFICATE----- + (Your primary SSL certificate: smtp.example.com.crt) + -----END CERTIFICATE----- + private_key: | -----BEGIN RSA PRIVATE KEY----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your Private key) -----END RSA PRIVATE KEY----- diff --git a/postfix/config.sls b/postfix/config.sls index 18ae795..2dd21b4 100644 --- a/postfix/config.sls +++ b/postfix/config.sls @@ -34,37 +34,23 @@ include: - template: jinja {% endif %} -{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%} -{% for name in ssl_certs %} -/etc/ssl/private/postfix-{{ name }}.crt: +{%- for domain in salt['pillar.get']('postfix:certificates', {}).keys() %} + +postfix_{{ domain }}_ssl_certificate: file.managed: - - contents: | - {{ ssl_certs[name] | indent(8) }} - - user: nobody - - group: nobody - - mode: 444 - - backup: minion + - name: /etc/postfix/ssl/{{ domain }}.crt + - makedirs: True + - contents_pillar: postfix:certificates:{{ domain }}:public_cert - watch_in: - - service: postfix - - require: - - pkg: postfix -{% endfor %} + - service: postfix - -{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%} -{% for name in ssl_keys %} -/etc/ssl/private/postfix-{{ name }}.key: +postfix_{{ domain }}_ssl_key: file.managed: - - contents: | - {{ ssl_keys[name] | indent(8) }} - - user: nobody - - group: nobody - - mode: 400 - - backup: minion + - name: /etc/postfix/ssl/{{ domain }}.key + - mode: 600 + - makedirs: True + - contents_pillar: postfix:certificates:{{ domain }}:private_key - watch_in: - - service: postfix - - require: - - pkg: postfix + - service: postfix + {% endfor %} - -
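Review bot: The `example.com-relay-client-cert` entry reuses the server placeholder `(Your primary SSL certificate: smtp.example.com.crt)` for its `public_cert`, so anyone filling in the example is steered into presenting the smtpd server certificate as the relay client identity; it should read `(Your client certificate: example.com-relay-client.crt)` and, like the server entry, carry whatever intermediate the relay's CA needs to build the chain. The server `public_cert` also ends with `(Your root certificate: trusted-root.crt)`; a peer that does not already trust that root gains nothing from receiving it and one that does gains only handshake bytes, so the example reads cleaner as leaf plus intermediate only. Since `private_key` now travels as pillar data, a one-line comment above `certificates:` reminding that this pillar must be targeted to the mail host alone (pillar is compiled per minion, but a broad top-file match hands the key to every matching minion) would be worth adding.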
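Review bot: `postfix_{{ domain }}_ssl_key` sets `mode: 600` but leaves `show_changes` at its default, so the first run and every key rotation print a unified diff of the PEM private key to the console and store it in the master's job cache; add `- show_changes: False` (`show_diff: False` on older Salt releases) to that state. It also names no owner, so the key belongs to whichever user the minion runs as; pinning `- user: root` and `- group: root` makes the intent explicit, and smtpd, which appears to load the key before dropping privileges, still reads it. Both states drop the former `require: - pkg: postfix`; with `makedirs: True` the files can now be laid down before the package is installed, which is probably harmless but worth confirming on distributions whose package install resets `/etc/postfix` ownership or permissions.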