Email settings - permit TLSv1.2 only, mail utility

cesnet-central/playbooks/k8s.yaml

@@ -47,19 +47,38 @@
         dest: /etc/cron-apt/action.d/9-upgrade
         content: -q -q dist-upgrade
         mode: 0644
-    - name: Site setup postfix
+    - name: Mails settings
       vars:
-        main:
-          myhostname: "{{ lookup('dig', groups['fip'][0] + '/PTR') | regex_replace('\\.$', '') }}"
-          relayhost: relay.muni.cz
-          inet_protocols: ipv4
-      lineinfile:
-        regexp: '^{{ item.key }}\s*=\s*.*'
-        line: "{{ item.key }} = {{ item.value }}"
-        path: /etc/postfix/main.cf
-      loop: "{{ main | dict2items }}"
-      notify: Reload postfix
-      when: site_name == "cesnet" or site_name == "cesnet-mcc"
+        main_global:
+          # disable everything except TLSv1.2
+          smtpd_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+          smtpd_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+          smtp_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+          smtp_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+        fromdomain: "{{ lookup('dig', groups['fip'][0] + '/PTR') | regex_replace('\\.$', '') }}"
+      block:
+        - name: Site-specific postfix settings
+          set_fact:
+            main_cesnet:
+              myhostname: "{{ fromdomain }}"
+              relayhost: relay.muni.cz
+              inet_protocols: ipv4
+          when: site_name == "cesnet" or site_name == "cesnet-mcc"
+        - name: Setup postfix
+          vars:
+            main: "{{ main_global | combine(main_cesnet | default({})) }}"
+          lineinfile:
+            regexp: '^{{ item.key }}\s*=\s*.*'
+            line: "{{ item.key }} = {{ item.value }}"
+            path: /etc/postfix/main.cf
+          loop: "{{ main | dict2items }}"
+          notify: Reload postfix
+        - name: Setup mailutils
+          template:
+            src: templates/etc/mailutils.conf
+            dest: /etc/mailutils.conf
+            mode: 0644
+          when: site_name == "cesnet" or site_name == "cesnet-mcc"
     - name: Site touch
       file:
         path: "/EOSC-{{ site_name | upper }}"

cesnet-central/playbooks/templates/etc/mailutils.conf

+address {
+  email-domain {{ fromdomain }};
+};

cesnet-mcc/playbooks/templates/etc/mailutils.conf

+../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file

demo/playbooks/templates/etc/mailutils.conf

+../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file