From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
 roles/postfix_server/vars/main.yml | 64 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 roles/postfix_server/vars/main.yml
(limited to 'roles/postfix_server/vars/main.yml')
diff --git a/roles/postfix_server/vars/main.yml b/roles/postfix_server/vars/main.yml
new file mode 100644
index 0000000..050c880
--- /dev/null
+++ b/roles/postfix_server/vars/main.yml
@@ -0,0 +1,64 @@
+postfix_packages:
+ - postfix
+ - postfix-ldap
+ - cyrus-sasl
+ - cyrus-sasl-gssapi
+ - cyrus-sasl-plain
+ - s-nail
+
+postfix_certificate_path: /etc/pki/tls/certs/postfix2.pem
+postfix_certificate_key_path: /etc/pki/tls/private/postfix2.key
+postfix_dhparams_path: /etc/pki/tls/misc/dhparams-postfix.pem
+
+postfix_hbac_service: smtp
+postfix_hbac_hostgroup: mail_servers
+
+postfix_smtp_ca_file: /etc/pki/tls/certs/ca-bundle.crt
+postfix_cipherlist: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+postfix_keytab: /var/lib/gssproxy/clients/postfix.keytab
+
+postfix_selinux_policy_te: |
+ require {
+ type postfix_exec_t;
+ type postfix_smtpd_exec_t;
+ type postfix_cleanup_t;
+ type postfix_cleanup_exec_t;
+ type postfix_master_t;
+ type postfix_cleanup_t;
+ type postfix_smtpd_t;
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ class file getattr;
+ class dir search;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class process noatsecure;
+ class key { read view write };
+ }
+
+ #============= postfix_smtpd_t ==============
+ allow postfix_smtpd_t gssproxy_t:unix_stream_socket connectto;
+ allow postfix_smtpd_t gssproxy_var_lib_t:dir search;
+ allow postfix_smtpd_t gssproxy_var_lib_t:sock_file write;
+ allow postfix_smtpd_t postfix_master_t:key { read view write };
+
+ #============= postfix_master_t ==============
+ allow postfix_master_t postfix_smtpd_t:process noatsecure;
+ allow postfix_master_t postfix_smtpd_t:key { read write };
+ allow postfix_master_t postfix_cleanup_t:process noatsecure;
+ allow postfix_master_t gssproxy_t:unix_stream_socket connectto;
+ allow postfix_master_t gssproxy_var_lib_t:dir search;
+ allow postfix_master_t gssproxy_var_lib_t:sock_file write;
+
+ #============= postfix_cleanup_t ==============
+ allow postfix_cleanup_t gssproxy_var_lib_t:dir search;
+ allow postfix_cleanup_t gssproxy_var_lib_t:sock_file write;
+ allow postfix_cleanup_t gssproxy_t:unix_stream_socket connectto;
+ allow postfix_cleanup_t postfix_master_t:key read;
+ allow postfix_cleanup_t postfix_smtpd_t:key read;
+
+ #============= gssproxy_t ==============
+ allow gssproxy_t postfix_cleanup_exec_t:file getattr;
+ allow gssproxy_t postfix_smtpd_exec_t:file getattr;
+ allow gssproxy_t postfix_exec_t:file getattr;
-- cgit
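Review bot: The `allow postfix_master_t postfix_smtpd_t:process noatsecure;` rule and its `postfix_cleanup_t` twin in `postfix_selinux_policy_te` are the only part of this module that relaxes a default protection rather than granting access, and they carry no explanation: `noatsecure` keeps the kernel from setting AT_SECURE on the domain transition, so the child process inherits its environment unscrubbed instead of having loader-sensitive variables dropped. Presumably this is so the gssproxy-related environment set for master survives into smtpd/cleanup — confirm against the role's tasks — and it deserves a line in the block such as `# noatsecure: keep master's environment across the smtpd/cleanup transition for gssproxy; do not widen to other domains`. Two smaller points: `type postfix_cleanup_t;` is declared twice in the `require` block, and site-specific values such as `postfix_hbac_hostgroup: mail_servers`, the certificate paths and `postfix_keytab` sit in `vars/` (high precedence) rather than `defaults/`, so inventory and group vars cannot override them. `postfix_cipherlist` governs TLS 1.2 and earlier only, since OpenSSL configures TLS 1.3 suites separately, which is fine but worth a one-line comment beside the variable.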