authorDan Fandrich <danf@mageia.org>2024-02-09 00:53:52 -0800
committerDan Fandrich <danf@mageia.org>2024-02-09 00:59:17 -0800
commitef8883f73a36ead4c26a42b413baa913c008cfa6 (patch)
treef53151ebc91045e5caff1999cd0e8f4d3e60cd4c
parentb9c41d8557238553e4e075245539e49aea91fe43 (diff)
Create a self-signed certificate for incoming mail (mga#29514)
This still needs to be enabled once it's checked.
-rw-r--r--modules/postfix/manifests/init.pp11
-rw-r--r--modules/postfix/templates/main.cf9
2 files changed, 15 insertions, 5 deletions
diff --git a/modules/postfix/manifests/init.pp b/modules/postfix/manifests/init.pp
index 7a6f6389..8a4394df 100644
--- a/modules/postfix/manifests/init.pp
+++ b/modules/postfix/manifests/init.pp
@@ -10,4 +10,15 @@ class postfix {
content => '',
notify => Service['postfix'],
}
+
+ file { '/etc/ssl/postfix/':
+ ensure => directory,
+ }
+
+ openssl::self_signed_splitted_cert { "${::hostname}.${::domain}":
+ filename => 'postfix',
+ directory => '/etc/ssl/postfix/',
+ owner => 'postfix',
+ group => 'postfix'
+ }
}
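Review bot: The `file { '/etc/ssl/postfix/': }` resource sets only `ensure => directory`, so the directory that will hold the TLS private key gets whatever owner and mode the agent defaults to; I would pin them, e.g. `owner => 'root', group => 'postfix', mode => '0750',`. The key itself is handed to `postfix:postfix`, while Postfix's TLS documentation recommends a key owned by root and readable only by root. The mode the define applies is not visible in this hunk, so it is worth confirming the key does not end up world-readable. It is also unclear from here whether `openssl::self_signed_splitted_cert` orders itself after the directory; if it does not, an explicit `require => File['/etc/ssl/postfix/']` avoids a first-run failure.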
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index 40e5d352..2322cb71 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
@@ -103,12 +103,11 @@ smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
-# disabled for the time being, as the certificate do not exist
-# FIXME create the cert in puppet
+# disabled for the time being
smtpd_use_tls = no
-#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
-#smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
-#smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_cert_file = /etc/ssl/postfix/postfix.crt
+smtpd_tls_key_file = /etc/ssl/postfix/postfix.key
+smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# enable opportunistic TLS when sending
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
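Review bot: The rewritten comment `# disabled for the time being` drops the reason TLS is off; something like `# disabled until the self-signed cert in /etc/ssl/postfix/ has been checked (mga#29514)` tells the next reader what is pending. When it is switched on, `smtpd_tls_security_level = may` is the current form of this setting and mirrors the `smtp_tls_security_level = may` line below, whereas `smtpd_use_tls` is the legacy parameter. The `.crt`/`.key` file names assume the define's output naming, which is not visible in this diff. `smtpd_tls_CAfile` also adds little for a self-signed server certificate unless client certificates are going to be requested.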