authorGuilhem Moulin <guilhem@fripost.org>2016-05-18 19:25:20 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-18 21:13:46 +0200
commit8fc53ecddfe875be30501a89fd24f226de7575d9 (patch)
tree7412dfd08ec407fbd57bfb15f9fef16244cd100f /roles/common
parent00ef4cf0b280b6c9acefeae9065bec99540411aa (diff)
postfix: Update to recommended TLS settings.
Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/files/etc/postfix/master.cf4
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j22
2 files changed, 6 insertions, 0 deletions
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 9b81c70..b816223 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -1,67 +1,71 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtpd pass - - n - - smtpd
-o cleanup_service_name=cleanup_nochroot
smtp inet n - n - 1 postscreen
tlsproxy unix - - n - 0 tlsproxy
dnsblog unix - - n - 0 dnsblog
submission inet n - - - - smtpd
+ -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
cleanup_nochroot unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
smtpl unix - - - - - smtp
-o smtp_bind_address=127.0.0.1
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
127.0.0.1:16132 inet n - - - - smtpd
2525 inet n - - - - smtpd
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
2526 inet n - - - - smtpd
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
2527 inet n - - - - smtpd
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
reserved-alias unix - n n - - pipe
flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
sympa unix - n n - - pipe
flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
# Client part (lmtp) - amavis
amavisfeed unix - - n - 5 lmtp
-o lmtp_destination_recipient_limit=1000
-o lmtp_send_xforward_command=yes
-o lmtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
# Server part (smtpd) - amavis (if the MDA and outgoing proxy are on the
# same machine, we need to create another entry, on another port.)
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
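Review bot: The `tls_high_cipherlist` overrides added for submission and for the 2525, 2526 and 2527 listeners are only consulted when the cipher grade in effect is "high", and nothing in this hunk raises `smtpd_tls_ciphers` or `smtpd_tls_mandatory_ciphers` above Postfix's default of medium for those services, while main.cf.j2 in the same commit sets `smtpd_tls_security_level = none`; unless the grade and security level are set elsewhere (presumably the per-instance main.cf files the template's multi-instance block hints at), the new lines do not change the ciphers actually negotiated. The client side of the commit does this explicitly with `smtp_tls_ciphers = high`, so the server-side services should be made symmetric, e.g. `-o smtpd_tls_mandatory_ciphers=high` next to each new override. The identical cipher string is repeated verbatim on all three numbered listeners; defining it once in main.cf and referencing it as `-o tls_high_cipherlist=$internal_tls_high_cipherlist` would keep them from drifting apart. A one-line comment above the 2525 entry naming which peers these listeners serve, and why an ECDHE+AES-GCM-only list is acceptable for them, would document the hardening for the next maintainer. The service table may continue past the end of this hunk.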
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 39952c2..3f36418 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -25,40 +25,42 @@ alias_maps =
local_recipient_maps =
# All aliases are virtual
default_database_type = cdb
virtual_alias_maps = cdb:/etc/aliases
alias_database = $virtual_alias_maps
# Forward everything to our internal outgoing proxy
{% if 'out' in group_names %}
relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
+smtp_tls_ciphers = high
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtp_tls_cert_file = $config_directory/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = $config_directory/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:$config_directory/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = none
# Turn off all TCP/IP listener ports except that dedicated to
# samhain(8), which sadly cannot use pickup through the sendmail binary.
master_service_disable = !127.0.0.1:16132.inet inet
{% set multi_instance = False %}
{%- for g in postfix_instance.keys() | sort -%}
{%- if g in group_names -%}
{%- if not multi_instance -%}
{%- set multi_instance = True -%}
## Other postfix instances
multi_instance_wrapper = $command_directory/postmulti -p --