diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-18 17:59:23 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-18 17:59:23 +0200 |
| commit | 00ef4cf0b280b6c9acefeae9065bec99540411aa (patch) | |
| tree | f73f9335b2ed5b762f2698566f595af582ea7477 | |
| parent | cda53ea254de51eb46cb0f53f7d33b9a0f794bfc (diff) | |
postfix: unset 'smtpd_tls_session_cache_database'.
Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11
http://article.gmane.org/gmane.mail.postfix.user/251935
| -rw-r--r-- | roles/IMAP/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/lists/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 2 |
5 files changed, 5 insertions, 5 deletions
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index 42afd2c..c6acd02 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 @@ -51,41 +51,41 @@ virtual_transport = lmtp:unix:private/dovecot-lmtpd lmtp_bind_address = 127.0.0.1 virtual_mailbox_domains = static:all virtual_mailbox_maps = static:all #transport_maps = cdb:$config_directory/transport # Restore the original envelope recipient relay_domains = recipient_canonical_classes = envelope_recipient recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre # Don't rewrite remote headers local_header_rewrite_clients = relay_clientcerts = cdb:$config_directory/relay_clientcerts smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_session_cache_database= smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_fingerprint_digest = sha256 strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index ae64b22..fe65830 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -63,41 +63,41 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre # TLS {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = encrypt smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_session_cache_database= smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes address_verify_sender = $double_bounce_sender@$mydomain diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index caaaf3f..27214a1 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -81,41 +81,41 @@ smtp_data_done_timeout = 1200s {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.pem smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs/ -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_session_cache_database= smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 unknown_address_reject_code = 554 unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unknown_local_recipient_reject_code = 554 diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2 index 75c5a59..f3ece49 100644 --- a/roles/lists/templates/etc/postfix/main.cf.j2 +++ b/roles/lists/templates/etc/postfix/main.cf.j2 @@ -43,41 +43,41 @@ recipient_delimiter = + # No relay: this server is inbound-only relay_transport = error:5.1.1 Relay unavailable default_transport = error:5.1.1 Transport unavailable relay_domains = sympa.$mydomain transport_maps = cdb:$config_directory/transport sympa_destination_recipient_limit = 1 # Don't rewrite remote headers local_header_rewrite_clients = relay_clientcerts = cdb:$config_directory/relay_clientcerts smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_session_cache_database= smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_fingerprint_digest = sha256 strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes smtpd_client_restrictions = permit_mynetworks permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 7a18e25..8c03f67 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 @@ -40,41 +40,41 @@ local_recipient_maps = message_size_limit = 0 recipient_delimiter = + relay_domains = relay_transport = error:5.3.2 Relay Transport unavailable # All header rewriting happens upstream local_header_rewrite_clients = smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache relay_clientcerts = cdb:$config_directory/relay_clientcerts smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem -smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache +smtpd_tls_session_cache_database= smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_fingerprint_digest = sha256 strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes address_verify_sender = $double_bounce_sender@$mydomain unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_mynetworks permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer |