From 06ae3b5315b9ed5939c31346f161d2774ce5bf16 Mon Sep 17 00:00:00 2001 From: Imran Haider Date: Sat, 20 Jun 2015 16:49:09 -0400 Subject: [PATCH 1/2] Allow certs and keys to be specified in the pillar --- pillar.example | 90 ++++++++++++++++++++++++++++++++++++++++------ postfix/config.sls | 35 ++++++++++++++++++ 2 files changed, 114 insertions(+), 11 deletions(-) diff --git a/pillar.example b/pillar.example index ec2f913..0a25889 100644 --- a/pillar.example +++ b/pillar.example @@ -27,20 +27,9 @@ postfix: config: smtpd_banner: $myhostname ESMTP $mail_name biff: 'no' - append_dot_mydomain: 'no' - readme_directory: 'no' - - smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem - smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key - smtpd_use_tls: 'yes' - smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache - smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache - myhostname: localhost - alias_maps: hash:/etc/aliases - alias_database: hash:/etc/aliases mydestination: localhost, localhost.localdomain relayhost: mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
@@ -48,3 +37,82 @@ postfix: recipient_delimiter: + inet_interfaces: all + # Alias + alias_maps: hash:/etc/aliases + alias_database: hash:/etc/aliases + + # SMTP server + smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache + smtpd_use_tls: 'yes' + + # SMTP server certificate and key (already installed) + smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem + smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key + + # SMTP server certificate and key (from pillar data) + smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt + smtpd_tls_key_file: /etc/ssl/private/postfix-server.key + + # SMTP client + smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache + smtp_use_tls: 'yes' + smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt + smtp_tls_key_file: /etc/ssl/private/postfix-client.key + + ssl_certs: + server: | + -----BEGIN CERTIFICATE----- + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + -----END CERTIFICATE----- + + client: | + -----BEGIN CERTIFICATE----- + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + -----END CERTIFICATE----- + + ssl_keys: + server: | + -----BEGIN RSA PRIVATE KEY----- + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + -----END RSA PRIVATE KEY----- + + client: | + -----BEGIN RSA PRIVATE KEY----- + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + -----END RSA PRIVATE KEY----- diff --git a/postfix/config.sls b/postfix/config.sls index ef4e9ec..18ae795 100644 --- a/postfix/config.sls 
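Review bot: The new `config:` mapping carries `smtpd_tls_cert_file` and `smtpd_tls_key_file` twice, once under "already installed" and once under "from pillar data"; a YAML mapping cannot hold both, so a loader either rejects the file or silently keeps whichever pair comes last, and anyone copying the example gets an ambiguous result. One pair should be commented out, e.g. `# smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem`, with a comment that the pillar-managed pair below replaces it. The second patch in this series drops the snakeoil pair, which resolves this.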
+++ b/postfix/config.sls @@ -33,3 +33,38 @@ include: - service: postfix - template: jinja {% endif %} + +{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%} +{% for name in ssl_certs %} +/etc/ssl/private/postfix-{{ name }}.crt: + file.managed: + - contents: | + {{ ssl_certs[name] | indent(8) }} + - user: nobody + - group: nobody + - mode: 444 + - backup: minion + - watch_in: + - service: postfix + - require: + - pkg: postfix +{% endfor %} + + +{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%} +{% for name in ssl_keys %} +/etc/ssl/private/postfix-{{ name }}.key: + file.managed: + - contents: | + {{ ssl_keys[name] | indent(8) }} + - user: nobody + - group: nobody + - mode: 400 + - backup: minion + - watch_in: + - service: postfix + - require: + - pkg: postfix +{% endfor %} + + From 159c9e81acda19c091d02e325d2cb83dcca70e4e Mon Sep 17 00:00:00 2001 From: Gilles Dartiguelongue Date: Sun, 30 Aug 2015 19:30:08 +0200 Subject: [PATCH 2/2] Switch to SSL management method used in nginx.ng formula Also change path to certificates since previous ones are distribution specific. They look like Debian path, Gentoo uses different ones. New path uses same logic as nginx's formula, use known to exist folder which server most likely has permission to read too since it is its configuration folder. --- pillar.example | 77 +++++++++++++--------------------------------- postfix/config.sls | 42 +++++++++---------------- 2 files changed, 35 insertions(+), 84 deletions(-) diff --git a/pillar.example b/pillar.example index 0a25889..a053198 100644 --- a/pillar.example +++ b/pillar.example 
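Review bot: The private key written by the `ssl_keys` loop is owned by `nobody:nobody`; `nobody` is a shared account for unprivileged daemons, so with mode 400 every process running as nobody can read the key, and as far as I recall Postfix loads the key as root before dropping privileges, so that ownership buys nothing. Leaving `user`/`group` at the minion's default (root) and setting `- mode: 600` is the usual choice. `- backup: minion` on the same state also keeps superseded keys in the minion's file-backup cache, where they outlive a rotation; it is better omitted for key material. The second patch in this series makes both of these changes.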
@@ -45,74 +45,39 @@ postfix: smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache smtpd_use_tls: 'yes' - # SMTP server certificate and key (already installed) - smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem - smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key - # SMTP server certificate and key (from pillar data) - smtpd_tls_cert_file: /etc/ssl/private/postfix-server.crt - smtpd_tls_key_file: /etc/ssl/private/postfix-server.key + smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt + smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key # SMTP client smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache smtp_use_tls: 'yes' - smtp_tls_cert_file: /etc/ssl/private/postfix-client.crt - smtp_tls_key_file: /etc/ssl/private/postfix-client.key + smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt + smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key - ssl_certs: - server: | + certificates: + server-cert: + public_cert: | -----BEGIN CERTIFICATE----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your primary SSL certificate: smtp.example.com.crt) -----END CERTIFICATE----- - - client: | -----BEGIN CERTIFICATE----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your intermediate certificate: example-ca.crt) -----END CERTIFICATE----- - - ssl_keys: - server: | + -----BEGIN CERTIFICATE----- + (Your root certificate: trusted-root.crt) + -----END CERTIFICATE----- + private_key: | -----BEGIN RSA PRIVATE KEY----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your Private key) -----END RSA PRIVATE KEY----- - client: | + example.com-relay-client-cert: + public_cert: | + -----BEGIN CERTIFICATE----- + (Your primary SSL certificate: smtp.example.com.crt) + -----END CERTIFICATE----- + private_key: | -----BEGIN RSA PRIVATE KEY----- - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + (Your Private key) -----END RSA PRIVATE KEY----- diff --git a/postfix/config.sls b/postfix/config.sls index 18ae795..2dd21b4 100644 --- a/postfix/config.sls +++ b/postfix/config.sls @@ -34,37 +34,23 @@ include: - template: jinja {% endif %} -{% set ssl_certs = salt['pillar.get']('postfix:ssl_certs', {}) -%} -{% for name in ssl_certs %} -/etc/ssl/private/postfix-{{ name }}.crt: +{%- for domain in salt['pillar.get']('postfix:certificates', {}).keys() %} + +postfix_{{ domain }}_ssl_certificate: file.managed: - - contents: | - {{ ssl_certs[name] | indent(8) }} - - user: nobody - - group: nobody - - mode: 444 - - backup: minion + - name: /etc/postfix/ssl/{{ domain }}.crt + - makedirs: True + - contents_pillar: postfix:certificates:{{ domain }}:public_cert - watch_in: - - service: postfix - - require: - - pkg: postfix -{% endfor %} + - service: postfix - -{% set ssl_keys = salt['pillar.get']('postfix:ssl_keys', {}) -%} -{% for name in ssl_keys %} -/etc/ssl/private/postfix-{{ name }}.key: +postfix_{{ domain }}_ssl_key: file.managed: - - contents: | - {{ ssl_keys[name] | indent(8) }} - - user: nobody - - group: nobody - - mode: 400 - - backup: minion + - name: /etc/postfix/ssl/{{ domain }}.key + - mode: 600 + - makedirs: True + - contents_pillar: postfix:certificates:{{ domain }}:private_key - watch_in: - - service: postfix - - require: - - pkg: postfix + - service: postfix + {% endfor %} - -
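Review bot: The `example.com-relay-client-cert` entry reuses the `(Your primary SSL certificate: smtp.example.com.crt)` placeholder from the server entry, which reads as if the relay client presents the server's certificate; name a client certificate instead, e.g. `(Your client certificate: example.com-relay-client.crt)`. The server entry's `public_cert` shows the leaf, intermediate and root concatenated; a one-line comment that the chain must start with the server's own certificate would spare readers a common mistake.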
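Review bot: The `postfix_{{ domain }}_ssl_key` state writes the private key with `contents_pillar` but leaves diff output at its default, so the first run and every rotation emit the key material into the state return, the minion log and the master's job cache; add `- show_changes: False` to that state (`show_diff` is the older spelling of the same option). Both states also lost the `require: - pkg: postfix` the previous patch had, so nothing orders them after the package install apart from `watch_in` on the service; `makedirs: True` masks this, but the dependency is worth restoring. Minor: `.keys()` on the `pillar.get` result is redundant, iterating the mapping directly is enough, and a `certificates:` key left empty may yield `None`, where `.keys()` raises.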