From 5bb64c9704fa1bc4373a338e582a56d70d0866a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Fri, 24 May 2024 15:48:09 +0000
Subject: [PATCH] Email settings - permit TLSv1.2 only, mail utility
---
cesnet-central/playbooks/k8s.yaml | 43 +++++++++++++------
.../playbooks/templates/etc/mailutils.conf | 3 ++
.../playbooks/templates/etc/mailutils.conf | 1 +
demo/playbooks/templates/etc/mailutils.conf | 1 +
4 files changed, 36 insertions(+), 12 deletions(-)
create mode 100644 cesnet-central/playbooks/templates/etc/mailutils.conf
create mode 120000 cesnet-mcc/playbooks/templates/etc/mailutils.conf
create mode 120000 demo/playbooks/templates/etc/mailutils.conf
diff --git a/cesnet-central/playbooks/k8s.yaml b/cesnet-central/playbooks/k8s.yaml
index ee87d59..9de8222 100644
--- a/cesnet-central/playbooks/k8s.yaml
+++ b/cesnet-central/playbooks/k8s.yaml
@@ -47,19 +47,38 @@
dest: /etc/cron-apt/action.d/9-upgrade
content: -q -q dist-upgrade
mode: 0644
- - name: Site setup postfix
+ - name: Mails settings
vars:
- main:
- myhostname: "{{ lookup('dig', groups['fip'][0] + '/PTR') | regex_replace('\\.$', '') }}"
- relayhost: relay.muni.cz
- inet_protocols: ipv4
- lineinfile:
- regexp: '^{{ item.key }}\s*=\s*.*'
- line: "{{ item.key }} = {{ item.value }}"
- path: /etc/postfix/main.cf
- loop: "{{ main | dict2items }}"
- notify: Reload postfix
- when: site_name == "cesnet" or site_name == "cesnet-mcc"
+ main_global:
+ # disable everything except TLSv1.2
+ smtpd_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+ smtpd_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+ smtp_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+ smtp_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+ fromdomain: "{{ lookup('dig', groups['fip'][0] + '/PTR') | regex_replace('\\.$', '') }}"
+ block:
+ - name: Site-specific postfix settings
+ set_fact:
+ main_cesnet:
+ myhostname: "{{ fromdomain }}"
+ relayhost: relay.muni.cz
+ inet_protocols: ipv4
+ when: site_name == "cesnet" or site_name == "cesnet-mcc"
+ - name: Setup postfix
+ vars:
+ main: "{{ main_global | combine(main_cesnet | default({})) }}"
+ lineinfile:
+ regexp: '^{{ item.key }}\s*=\s*.*'
+ line: "{{ item.key }} = {{ item.value }}"
+ path: /etc/postfix/main.cf
+ loop: "{{ main | dict2items }}"
+ notify: Reload postfix
+ - name: Setup mailutils
+ template:
+ src: templates/etc/mailutils.conf
+ dest: /etc/mailutils.conf
+ mode: 0644
+ when: site_name == "cesnet" or site_name == "cesnet-mcc"
- name: Site touch
file:
path: "/EOSC-{{ site_name | upper }}"
diff --git a/cesnet-central/playbooks/templates/etc/mailutils.conf b/cesnet-central/playbooks/templates/etc/mailutils.conf
new file mode 100644
index 0000000..9e38faa
--- /dev/null
+++ b/cesnet-central/playbooks/templates/etc/mailutils.conf
@@ -0,0 +1,3 @@
+address {
+ email-domain {{ fromdomain }};
+};
diff --git a/cesnet-mcc/playbooks/templates/etc/mailutils.conf b/cesnet-mcc/playbooks/templates/etc/mailutils.conf
new file mode 120000
index 0000000..c67eb7d
--- /dev/null
+++ b/cesnet-mcc/playbooks/templates/etc/mailutils.conf
@@ -0,0 +1 @@
+../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
diff --git a/demo/playbooks/templates/etc/mailutils.conf b/demo/playbooks/templates/etc/mailutils.conf
new file mode 120000
index 0000000..c67eb7d
--- /dev/null
+++ b/demo/playbooks/templates/etc/mailutils.conf
@@ -0,0 +1 @@
+../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
--
GitLab