diff options
| author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
|---|---|---|
| committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
| commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
| tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/postfix_server/vars | |
| download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip | |
initial commit
Diffstat (limited to 'roles/postfix_server/vars')
| -rw-r--r-- | roles/postfix_server/vars/main.yml | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/roles/postfix_server/vars/main.yml b/roles/postfix_server/vars/main.yml new file mode 100644 index 0000000..050c880 --- /dev/null +++ b/roles/postfix_server/vars/main.yml @@ -0,0 +1,64 @@ +postfix_packages: + - postfix + - postfix-ldap + - cyrus-sasl + - cyrus-sasl-gssapi + - cyrus-sasl-plain + - s-nail + +postfix_certificate_path: /etc/pki/tls/certs/postfix2.pem +postfix_certificate_key_path: /etc/pki/tls/private/postfix2.key +postfix_dhparams_path: /etc/pki/tls/misc/dhparams-postfix.pem + +postfix_hbac_service: smtp +postfix_hbac_hostgroup: mail_servers + +postfix_smtp_ca_file: /etc/pki/tls/certs/ca-bundle.crt +postfix_cipherlist: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + +postfix_keytab: /var/lib/gssproxy/clients/postfix.keytab + +postfix_selinux_policy_te: | + require { + type postfix_exec_t; + type postfix_smtpd_exec_t; + type postfix_cleanup_t; + type postfix_cleanup_exec_t; + type postfix_master_t; + type postfix_cleanup_t; + type postfix_smtpd_t; + type gssproxy_t; + type gssproxy_var_lib_t; + class file getattr; + class dir search; + class sock_file write; + class unix_stream_socket connectto; + class process noatsecure; + class key { read view write }; + } + + #============= postfix_smtpd_t ============== + allow postfix_smtpd_t gssproxy_t:unix_stream_socket connectto; + allow postfix_smtpd_t gssproxy_var_lib_t:dir search; + allow postfix_smtpd_t gssproxy_var_lib_t:sock_file write; + allow postfix_smtpd_t postfix_master_t:key { read view write }; + + #============= postfix_master_t ============== + allow postfix_master_t postfix_smtpd_t:process noatsecure; + allow postfix_master_t postfix_smtpd_t:key { read write }; + allow postfix_master_t postfix_cleanup_t:process noatsecure; + allow postfix_master_t gssproxy_t:unix_stream_socket connectto; + allow postfix_master_t gssproxy_var_lib_t:dir search; + allow postfix_master_t gssproxy_var_lib_t:sock_file write; + + #============= postfix_cleanup_t ============== + allow postfix_cleanup_t gssproxy_var_lib_t:dir search; + allow postfix_cleanup_t gssproxy_var_lib_t:sock_file write; + allow postfix_cleanup_t gssproxy_t:unix_stream_socket connectto; + allow postfix_cleanup_t postfix_master_t:key read; + allow postfix_cleanup_t postfix_smtpd_t:key read; + + #============= gssproxy_t ============== + allow gssproxy_t postfix_cleanup_exec_t:file getattr; + allow gssproxy_t postfix_smtpd_exec_t:file getattr; + allow gssproxy_t postfix_exec_t:file getattr; |