| author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 04:34:00 +0200 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 04:34:17 +0200 | 
| commit | 61ba2a2fe12ffd5578429dfe1d354a1c5d16517a (patch) | |
| tree | f6e37d60a9069672b2bc99a591dc34689f881346 /roles/common | |
| parent | b1808ed6a25beb9b2a746a1d1bed3dd9a459a619 (diff) | |
AEAD ciphers: Add EECDH+CHACHA20 macro.
This adds the following two ciphers:
  ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH  Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH  Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
Diffstat (limited to 'roles/common')
| -rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 4 | 
1 files changed, 2 insertions, 2 deletions
| diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 2c00250..65ca2b6 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 
@@ -2,44 +2,44 @@  # Postfix master process configuration file.  For details on the format  # of the file, see the master(5) manual page (command: "man 5 master").  #  # {{ ansible_managed }}  # Do NOT edit this file directly!  #  # ==========================================================================  # service type  private unpriv  chroot  wakeup  maxproc command + args  #               (yes)   (yes)   (yes)   (never) (100)  # ==========================================================================  {% if inst is not defined %}  [127.0.0.1]:16132 inet n -      y       -       -       smtpd  {% elif inst == 'MX' %}  smtpd     pass  -       -       y       -       -       smtpd  smtp      inet  n       -       y       -       1       postscreen  tlsproxy  unix  -       -       y       -       0       tlsproxy  dnsblog   unix  -       -       y       -       0       dnsblog  {% elif inst == 'MSA' %}  submission inet n       -       y       -       -       smtpd -  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +  -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL  submissions inet n      -       y       -       -       smtpd    -o smtpd_tls_wrappermode=yes -  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +  -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL  {% if groups.webmail | difference([inventory_hostname]) | length > 0 %}  [{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       y       -       -       smtpd    -o broken_sasl_auth_clients=no    -o smtpd_tls_security_level=none    -o smtpd_sasl_security_options=noanonymous    -o smtpd_sasl_exceptions_networks=    -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}    -o smtpd_peername_lookup=no  {% endif %}  {% elif inst in ['IMAP', 'out', 'lists'] %}  [{{ postfix_instance[inst].addr }}]:{{ 
postfix_instance[inst].port }} inet n       -       y       -       -       smtpd    -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}    -o smtpd_peername_lookup=no  {% endif %}  pickup    unix  n       -       y       60      1       pickup  cleanup   unix  n       -       y       -       0       cleanup  qmgr      unix  n       -       n       300     1       qmgr  tlsmgr    unix  -       -       y       1000?   1       tlsmgr  rewrite   unix  -       -       y       -       -       trivial-rewrite  bounce    unix  -       -       y       -       0       bounce | 
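Review bot: In both added `tls_high_cipherlist` lines (the `submission` and `submissions` services), the ":" separators present in the removed lines are missing: the new value reads `EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL`, with no ":" after `EECDH+CHACHA20` or between the `!` exclusions. The commit message describes only adding two ChaCha20-Poly1305 ciphers, so the exclusion terms should keep the form they had before; suggest `-o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL` on both lines. It is worth expanding the final string with `openssl ciphers -v` and checking that the output contains the existing EECDH+AESGCM suites plus the two listed in the commit message and nothing else. Since the same value now appears twice, a single template variable would keep the two services from drifting apart.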
