diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-18 17:55:40 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-18 17:55:44 +0200 |
| commit | cda53ea254de51eb46cb0f53f7d33b9a0f794bfc (patch) | |
| tree | e23452acbeb0f233a323ebac0abdc9c8d3dd9d1d /roles/MSA | |
| parent | 5425ed1ffa2953abdfdc819841665260dd38701d (diff) | |
Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.
Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
But we postpone that for now until we are reasonably certain that older
client won't be left out.
Diffstat (limited to 'roles/MSA')
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 6c2a9bd..ae64b22 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -62,41 +62,41 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre # TLS {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = encrypt smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key -smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem +smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes |