Migrate all services to use implicit TLS for SMTP Submission

56865f8c · Kristian Klausen · 32e53cac · 56865f8c · 56865f8c · 56865f8c
Commit 56865f8c authored Dec 20, 2020 by Kristian Klausen 🎉
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -48,11 +48,11 @@
        gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = 'mail.archlinux.org'
-        gitlab_rails['smtp_port'] = 587
+        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_user_name'] = 'gitlab'
        gitlab_rails['smtp_password'] = "{{ vault_gitlab_root_password }}"
        gitlab_rails['smtp_domain'] = 'gitlab.archlinux.org'
-        gitlab_rails['smtp_enable_starttls_auto'] = true
+        gitlab_rails['smtp_tls'] = true
        gitlab_rails['gitlab_email_enabled'] = true
        gitlab_rails['gitlab_email_from'] = 'gitlab@archlinux.org'
        gitlab_rails['gitlab_email_display_name'] = 'GitLab'

--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -139,7 +139,8 @@ smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please
 {% if postfix_relayhost %}
 # relay all outbound mail via {{postfix_relayhost}}
 # the square brackets prevents postfix from trying to lookup mx records
-relayhost = [{{postfix_relayhost}}]:587
+relayhost = [{{postfix_relayhost}}]:465
+smtp_tls_wrappermode = yes
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = ${indexed}/relay_passwords
 # allow plaintext authentication only over tls secured connections

--- a/roles/prometheus/templates/alertmanager.yml.j2
+++ b/roles/prometheus/templates/alertmanager.yml.j2
 global:
  resolve_timeout: 5m
-  smtp_smarthost: 'mail.archlinux.org:587'
+  smtp_smarthost: 'mail.archlinux.org:465'
  smtp_from: 'alertmanager@archlinux.org'
-  smtp_require_tls: true
+  smtp_require_tls: false
  smtp_auth_username: alertmanager
  smtp_auth_password: {{ vault_monitoring_alertmanager_smtp_pass }}


--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -76,10 +76,10 @@ resource "keycloak_realm" "archlinux" {
  smtp_server {
    host              = "mail.archlinux.org"
    from              = "accounts@archlinux.org"
-    port              = "587"
+    port              = "465"
    from_display_name = "Arch Linux Accounts"
-    ssl               = false
-    starttls          = true
+    ssl               = true
+    starttls          = false

    auth {
      username = data.external.vault_keycloak.result.vault_keycloak_smtp_user