diff --git a/postfix-relay/defaults/main.yml b/postfix-relay/defaults/main.yml
index fc5782ad..eceb23bb 100644
--- a/postfix-relay/defaults/main.yml
+++ b/postfix-relay/defaults/main.yml
@@ -7,6 +7,7 @@
 postfix_biff: "no"
 postfix_append_dot_mydomain: "no"
 postfix_use_relay_host: True
+postfix_use_letsencrypt: False
 # Accepted values: none, may, encrypt
 postfix_smtpd_tls_security_level: encrypt
 # Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
diff --git a/postfix-relay/tasks/main.yml b/postfix-relay/tasks/main.yml
index 2f2fd7fe..3887806e 100644
--- a/postfix-relay/tasks/main.yml
+++ b/postfix-relay/tasks/main.yml
@@ -6,3 +6,6 @@
     - postfix_relay_client
 - import_tasks: postfix-relay-server.yml
   when: postfix_relay_server
+- import_tasks: postfix-letsencrypt-hook.yml
+  when: postfix_use_letsencrypt
+
diff --git a/postfix-relay/tasks/postfix-letsencrypt-hook.yml b/postfix-relay/tasks/postfix-letsencrypt-hook.yml
new file mode 100644
index 00000000..d391d0be
--- /dev/null
+++ b/postfix-relay/tasks/postfix-letsencrypt-hook.yml
@@ -0,0 +1,4 @@
+---
+- name: Install a hook for letsencrypt
+  template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555
+  tags: [ 'postfix', 'postfix-relay' ]
diff --git a/postfix-relay/templates/main.cf.j2 b/postfix-relay/templates/main.cf.j2
index da98616f..60fef877 100644
--- a/postfix-relay/templates/main.cf.j2
+++ b/postfix-relay/templates/main.cf.j2
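Review bot: `postfix_use_letsencrypt: False` is added without a comment, although the neighbouring TLS settings document their accepted values, and the switch only takes effect when the letsencrypt role's `letsencrypt_acme_install` is also set — a coupling a reader of this defaults file cannot see. Add above it: `# Use the certificate managed by the letsencrypt role (needs letsencrypt_acme_install); otherwise the snakeoil cert is used`. The capitalised `False` follows the file's existing `True`, but lowercase `false` is the YAML 1.2 spelling yamllint expects, so consider normalising both when this file is next touched.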
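Review bot: The new import is gated on `postfix_use_letsencrypt` alone, whereas the main.cf template only switches to the Let's Encrypt certificate when `letsencrypt_acme_install` is also true, so a host with the flag set but without the acme role gets the hook dropped into `/usr/lib/acme/hooks` anyway — and since the `template` module does not create missing parent directories, that task would presumably just fail there. Gate the import the same way the template does: `when: postfix_use_letsencrypt and (letsencrypt_acme_install | default(false))`. The hunk also leaves a trailing blank line at the end of the file.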
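Review bot: `mode=4555` puts the setuid bit on a shell script installed under `/usr/lib/acme/hooks`. The Linux kernel ignores setuid on interpreter scripts, so the bit buys nothing for a hook the ACME client presumably runs as root already, but it is a red flag for any audit and would be an escalation path on a system that honoured it; `0755` is what this file wants. The task also packs the module arguments into a `key=value` string; block YAML is the Ansible convention and lets the mode be quoted so it is never parsed as an octal integer.
```yaml
- name: Install a hook for letsencrypt
  template:
    src: postfix-letsencrypt-hook
    dest: /usr/lib/acme/hooks/postfix
    owner: root
    group: root
    mode: "0755"
  tags: [ 'postfix', 'postfix-relay' ]
```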
@@ -16,8 +16,18 @@
 readme_directory = no
 # TLS parameters
 # Server
+{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
+{% if postfix_use_letsencrypt %}
+smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
+smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey
+{% else %}
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+{% else %}
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+{% endif %}
+{% endif %}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 {% if postfix_relay_server %}
 smtpd_tls_security_level = encrypt
diff --git a/postfix-relay/templates/postfix-letsencrypt-hook b/postfix-relay/templates/postfix-letsencrypt-hook
new file mode 100644
index 00000000..22416392
--- /dev/null
+++ b/postfix-relay/templates/postfix-letsencrypt-hook
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_LOG_DIR=/var/log/letsencrypt
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/postfix.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+  . /etc/default/letsencrypt
+else
+  echo "No letsencrypt default file" >> $LE_LOG_DIR/postfix.log
+fi
+
+echo "Reload the postfix service" >> $LE_LOG_DIR/postfix.log
+if [ -x /bin/systemctl ] ; then
+  systemctl reload postfix >> $LE_LOG_DIR/postfix.log 2>&1
+else
+  service postfix reload >> $LE_LOG_DIR/postfix.log 2>&1
+fi
+
+echo "Done." >> $LE_LOG_DIR/postfix.log
+
+exit 0
\ No newline at end of file
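Review bot: `smtpd_tls_cert_file` is pointed at the leaf certificate only (`{{ letsencrypt_acme_certs_dir }}/cert`); Postfix expects the server certificate file to also carry the intermediate chain, otherwise verifying clients (peers using `smtp_tls_security_level = verify`/`secure`, DANE) cannot build a path to the Let's Encrypt leaf. If the acme role also writes a full-chain file next to `cert`, use it: `smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/fullchain` — please confirm the file name that role produces. The nested `{% if %}` repeats the snakeoil fallback in two branches; a single `{% if postfix_use_letsencrypt and (letsencrypt_acme_install | default(false)) %}` with one `{% else %}` says the same thing and cannot drift. Note that the silent fallback to the snakeoil certificate also means a misconfigured host keeps answering with `smtpd_tls_security_level = encrypt` on a self-signed cert, so an operator may not notice the Let's Encrypt path is inactive.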
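Review bot: The hook ends with an unconditional `exit 0`, so when `systemctl reload postfix` fails (for example because the renewed key and certificate do not match) the ACME client records success and Postfix keeps serving the old certificate until it expires; the reload's exit status should be propagated instead. The log directory is created with a bare `mkdir` and every `$LE_LOG_DIR` use is unquoted — harmless for this fixed path, but `mkdir -p` and quoting cost nothing. `LE_SERVICES_SCRIPT_DIR` is assigned and never used. Sourcing `/etc/default/letsencrypt` executes that file as root, which is acceptable only as long as it stays root-owned and not group- or world-writable; worth a comment.
```bash
# … unchanged: logging setup and sourcing of /etc/default/letsencrypt …
echo "Reload the postfix service" >> "$LE_LOG_DIR/postfix.log"
if [ -x /bin/systemctl ] ; then
  systemctl reload postfix >> "$LE_LOG_DIR/postfix.log" 2>&1
else
  service postfix reload >> "$LE_LOG_DIR/postfix.log" 2>&1
fi
# $? after fi is the status of whichever reload command ran
status=$?

echo "Done (reload exit status $status)." >> "$LE_LOG_DIR/postfix.log"

exit "$status"
```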