From cce2b27ae751af0aa97c711feeba142c37c9c023 Mon Sep 17 00:00:00 2001
From: missytake
Date: Wed, 11 Feb 2026 16:11:50 +0100
Subject: [PATCH] postfix: accept self-signed certificates for IP-only relays
---
 cmdeploy/src/cmdeploy/postfix/deployer.py | 14 +
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 2 +-
 .../src/cmdeploy/postfix/smtp_tls_policy_map | 257 ++++++++++++++++++
 3 files changed, 272 insertions(+), 1 deletion(-)
 create mode 100644 cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
diff --git a/cmdeploy/src/cmdeploy/postfix/deployer.py b/cmdeploy/src/cmdeploy/postfix/deployer.py
index 34cbffa4..96197bd7 100644
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -61,6 +61,20 @@ class PostfixDeployer(Deployer):
 )
 need_restart |= lmtp_header_cleanup.changed
+ tls_policy_map = files.put(
+ name="Upload SMTP TLS Policy that accepts self-signed certificates for IP-only hosts",
+ src=get_resource("postfix/smtp_tls_policy_map"),
+ dest="/etc/postfix/smtp_tls_policy_map",
+ user="root",
+ group="root",
+ mode="644",
+ )
+ need_restart |= tls_policy_map.changed
+ if tls_policy_map.changed:
+ server.shell(
+ commands=["postmap /etc/postfix/smtp_tls_policy_map"],
+ )
+
 # Login map that 1:1 maps email address to login.
 login_map = files.put(
 src=get_resource("postfix/login_map"),
diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index bc537783..74a6593a 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -25,7 +25,7 @@ smtp_tls_security_level=verify
 # smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = inline:{nauta.cu=may}
+smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy_map
 smtp_tls_protocols = >=TLSv1.2
 smtp_tls_mandatory_protocols = >=TLSv1.2
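Review bot: The `postmap` call in the deployer.py hunk is gated on `if tls_policy_map.changed:`, so the compiled `/etc/postfix/smtp_tls_policy_map.db` is rebuilt only when the uploaded source file changes; nothing checks that the `.db` exists or is current. The main.cf.j2 hunk makes Postfix depend on that compiled table through `hash:/etc/postfix/smtp_tls_policy_map`, so if an earlier run uploaded the file but stopped before `postmap` finished, later runs would see no change and never build it, and I would expect policy lookups against a missing table to defer outbound mail rather than fall back to `verify`. Since `postmap` is cheap and idempotent, I would drop the `if` and run `server.shell(name="Compile SMTP TLS policy map", commands=["postmap /etc/postfix/smtp_tls_policy_map"])` on every deploy. The enclosing method starts and ends outside the hunk, so I cannot see whether the restart that consumes `need_restart` is ordered after this step; that is worth confirming as well.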
diff --git a/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map b/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
new file mode 100644
index 00000000..abecb3ce
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
@@ -0,0 +1,257 @@
+nauta.cu may
+.0 encrypt
+.1 encrypt
+.2 encrypt
+.3 encrypt
+.4 encrypt
+.5 encrypt
+.6 encrypt
+.7 encrypt
+.8 encrypt
+.9 encrypt
+.10 encrypt
+.11 encrypt
+.12 encrypt
+.13 encrypt
+.14 encrypt
+.15 encrypt
+.16 encrypt
+.17 encrypt
+.18 encrypt
+.19 encrypt
+.20 encrypt
+.21 encrypt
+.22 encrypt
+.23 encrypt
+.24 encrypt
+.25 encrypt
+.26 encrypt
+.27 encrypt
+.28 encrypt
+.29 encrypt
+.30 encrypt
+.31 encrypt
+.32 encrypt
+.33 encrypt
+.34 encrypt
+.35 encrypt
+.36 encrypt
+.37 encrypt
+.38 encrypt
+.39 encrypt
+.40 encrypt
+.41 encrypt
+.42 encrypt
+.43 encrypt
+.44 encrypt
+.45 encrypt
+.46 encrypt
+.47 encrypt
+.48 encrypt
+.49 encrypt
+.50 encrypt
+.51 encrypt
+.52 encrypt
+.53 encrypt
+.54 encrypt
+.55 encrypt
+.56 encrypt
+.57 encrypt
+.58 encrypt
+.59 encrypt
+.60 encrypt
+.61 encrypt
+.62 encrypt
+.63 encrypt
+.64 encrypt
+.65 encrypt
+.66 encrypt
+.67 encrypt
+.68 encrypt
+.69 encrypt
+.70 encrypt
+.71 encrypt
+.72 encrypt
+.73 encrypt
+.74 encrypt
+.75 encrypt
+.76 encrypt
+.77 encrypt
+.78 encrypt
+.79 encrypt
+.80 encrypt
+.81 encrypt
+.82 encrypt
+.83 encrypt
+.84 encrypt
+.85 encrypt
+.86 encrypt
+.87 encrypt
+.88 encrypt
+.89 encrypt
+.90 encrypt
+.91 encrypt
+.92 encrypt
+.93 encrypt
+.94 encrypt
+.95 encrypt
+.96 encrypt
+.97 encrypt
+.98 encrypt
+.99 encrypt
+.100 encrypt
+.101 encrypt
+.102 encrypt
+.103 encrypt
+.104 encrypt
+.105 encrypt
+.106 encrypt
+.107 encrypt
+.108 encrypt
+.109 encrypt
+.110 encrypt
+.111 encrypt
+.112 encrypt
+.113 encrypt
+.114 encrypt
+.115 encrypt
+.116 encrypt
+.117 encrypt
+.118 encrypt
+.119 encrypt
+.120 encrypt
+.121 encrypt
+.122 encrypt
+.123 encrypt
+.124 encrypt
+.125 encrypt
+.126 encrypt
+.127 encrypt
+.128 encrypt
+.129 encrypt
+.130 encrypt
+.131 encrypt
+.132 encrypt
+.133 encrypt
+.134 encrypt
+.135 encrypt
+.136 encrypt
+.137 encrypt
+.138 encrypt
+.139 encrypt
+.140 encrypt
+.141 encrypt
+.142 encrypt
+.143 encrypt
+.144 encrypt
+.145 encrypt
+.146 encrypt
+.147 encrypt
+.148 encrypt
+.149 encrypt
+.150 encrypt
+.151 encrypt
+.152 encrypt
+.153 encrypt
+.154 encrypt
+.155 encrypt
+.156 encrypt
+.157 encrypt
+.158 encrypt
+.159 encrypt
+.160 encrypt
+.161 encrypt
+.162 encrypt
+.163 encrypt
+.164 encrypt
+.165 encrypt
+.166 encrypt
+.167 encrypt
+.168 encrypt
+.169 encrypt
+.170 encrypt
+.171 encrypt
+.172 encrypt
+.173 encrypt
+.174 encrypt
+.175 encrypt
+.176 encrypt
+.177 encrypt
+.178 encrypt
+.179 encrypt
+.180 encrypt
+.181 encrypt
+.182 encrypt
+.183 encrypt
+.184 encrypt
+.185 encrypt
+.186 encrypt
+.187 encrypt
+.188 encrypt
+.189 encrypt
+.190 encrypt
+.191 encrypt
+.192 encrypt
+.193 encrypt
+.194 encrypt
+.195 encrypt
+.196 encrypt
+.197 encrypt
+.198 encrypt
+.199 encrypt
+.200 encrypt
+.201 encrypt
+.202 encrypt
+.203 encrypt
+.204 encrypt
+.205 encrypt
+.206 encrypt
+.207 encrypt
+.208 encrypt
+.209 encrypt
+.210 encrypt
+.211 encrypt
+.212 encrypt
+.213 encrypt
+.214 encrypt
+.215 encrypt
+.216 encrypt
+.217 encrypt
+.218 encrypt
+.219 encrypt
+.220 encrypt
+.221 encrypt
+.222 encrypt
+.223 encrypt
+.224 encrypt
+.225 encrypt
+.226 encrypt
+.227 encrypt
+.228 encrypt
+.229 encrypt
+.230 encrypt
+.231 encrypt
+.232 encrypt
+.233 encrypt
+.234 encrypt
+.235 encrypt
+.236 encrypt
+.237 encrypt
+.238 encrypt
+.239 encrypt
+.240 encrypt
+.241 encrypt
+.242 encrypt
+.243 encrypt
+.244 encrypt
+.245 encrypt
+.246 encrypt
+.247 encrypt
+.248 encrypt
+.249 encrypt
+.250 encrypt
+.251 encrypt
+.252 encrypt
+.253 encrypt
+.254 encrypt
+.255 encrypt
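Review bot: The new map carries no comment saying that `encrypt` switches off certificate verification for every next-hop matching `.0` through `.255`, while main.cf keeps `smtp_tls_security_level=verify` for all other destinations; for these relays an on-path party can present any certificate and the session is still accepted. Postfix lookup tables accept `#` comment lines, so I would open the file with something like `# Next-hops whose last label is 0-255 are IPv4-only relays that cannot present a CA-verifiable certificate: require TLS, skip verification.` so the downgrade is visible to whoever edits this file next. The `.N` entries are parent-domain keys, which as far as I know Postfix consults only for next-hops without enclosing brackets or a port suffix, and they match on the last label alone rather than on a full dotted quad. It is worth confirming with a test delivery that the next-hop form used for IP-only relays (for example a constructed `192.0.2.1` versus `[192.0.2.1]`) actually hits these entries, and stating in the same comment that IPv6 literals are not covered.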