From 9a33043197b7ad284193e6cc47806fb80a23f212 Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@holzmarkt.com>
Date: Wed, 29 Jan 2025 17:23:04 +0100
Subject: [PATCH] Separate tls key/cert options for imap, submission and smtp

---
 defaults/main.yml                 | 8 ++++++--
 templates/dovecot/dovecot.conf.j2 | 4 ++--
 templates/postfix/main.cf.j2      | 8 ++++----
 templates/postfix/master.cf.j2    | 2 ++
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 12c4796..2e2c306 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,10 @@
 mailserver:
-  tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
-  tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
+  smtp_tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
+  smtp_tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
+  submission_tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
+  submission_tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
+  imap_tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
+  imap_tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
   domains: [] # All mail domains
   postfix:
     metrics_address: "127.0.0.1:9154"
diff --git a/templates/dovecot/dovecot.conf.j2 b/templates/dovecot/dovecot.conf.j2
index 1cf89a0..b016226 100644
--- a/templates/dovecot/dovecot.conf.j2
+++ b/templates/dovecot/dovecot.conf.j2
@@ -3,8 +3,8 @@ protocols = imap sieve
 mail_plugins = $mail_plugins quota
 
 ssl = required
-ssl_cert = <{{ mailserver.tls_cert }}
-ssl_key = <{{ mailserver.tls_key }}
+ssl_cert = <{{ mailserver.imap_tls_cert }}
+ssl_key = <{{ mailserver.imap_tls_key }}
 ssl_dh = </etc/ssl/dh-4096.pem
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2
index d05092d..76147dc 100644
--- a/templates/postfix/main.cf.j2
+++ b/templates/postfix/main.cf.j2
@@ -2,10 +2,8 @@ compatibility_level = 3.7
 
 # Sane defaults
 biff = no
-# TODO: v why? v
 append_dot_mydomain = no
 local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated
-# TODO: v why? v
 readme_directory = no
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
@@ -62,8 +60,10 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost
 
 # TLS parameters
-smtpd_tls_cert_file = {{ mailserver.tls_cert }}
-smtpd_tls_key_file = {{ mailserver.tls_key }}
+smtpd_tls_cert_file = {{ mailserver.smtp_tls_cert }}
+smtpd_tls_key_file = {{ mailserver.smtp_tls_key }}
+mua_tls_cert_file = {{ mailserver.submission_tls_cert }}
+mua_tls_key_file = {{ mailserver.submission_tls_key }}
 smtpd_use_tls = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
index e4e34e6..4046367 100644
--- a/templates/postfix/master.cf.j2
+++ b/templates/postfix/master.cf.j2
@@ -17,6 +17,8 @@ smtp      inet  n       -       y       -       -       smtpd
 submission inet n       -       y       -       -       smtpd
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_cert_file=$mua_tls_cert_file
+  -o smtpd_tls_key_file=$mua_tls_key_file
   -o syslog_name=postfix/submission
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no