summaryrefslogtreecommitdiffstats
path: root/roles/common/templates/etc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2015-10-27 18:21:45 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-10-27 18:21:45 +0100
commit3ee71788fc14b245f46d85c14d7f9917227434bb (patch)
treeb38c0f72174460f20eb51f306c9fb74855407048 /roles/common/templates/etc
parent6cb5b8fdc6e2cd4cbb47f45be01b05de2c8269d9 (diff)
Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only.
Diffstat (limited to 'roles/common/templates/etc')
-rw-r--r--roles/common/templates/etc/postfix/tls_policy.j26
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2
index 5ff7d26..352ef3e 100644
--- a/roles/common/templates/etc/postfix/tls_policy.j2
+++ b/roles/common/templates/etc/postfix/tls_policy.j2
@@ -2,7 +2,7 @@
# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256!
{% if 'out' not in group_names %}
-[outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2
+[outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
{% for h in groups.out | sort %}
match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }}
{% endfor %}
@@ -10,14 +10,14 @@
{% if 'MX' in group_names %}
{% if 'IMAP' not in group_names %}
-[mda.fripost.org]:{{ postfix_instance.IMAP.port }} fingerprint ciphers=high protocols=TLSv1.2
+[mda.fripost.org]:{{ postfix_instance.IMAP.port }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
{% for h in groups.IMAP | sort %}
match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }}
{% endfor %}
{% endif %}
{% if 'lists' not in group_names %}
-[lists.fripost.org]:{{ postfix_instance.lists.port }} fingerprint ciphers=high protocols=TLSv1.2
+[lists.fripost.org]:{{ postfix_instance.lists.port }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
{% for h in groups.lists | sort %}
match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }}
{% endfor %}