-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j21
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/common-web/files/etc/nginx/ssl/config1
-rwxr-xr-xroles/common/files/usr/local/bin/gendhparam.sh13
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh4
-rw-r--r--roles/common/tasks/main.yml12
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j22
10 files changed, 35 insertions, 6 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 90843b2..e801639 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -26,33 +26,33 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+ssl_dh_parameters_length = 2048
# SSL protocols to use
ssl_protocols = !SSLv2
# SSL ciphers to use
ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
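Review bot: The new `ssl_dh_parameters_length = 2048` only tells Dovecot's own ssl-params process how large a group to generate; to my understanding the parameters cached from an earlier run are kept until the next scheduled regeneration, so existing hosts may keep serving the old 1024-bit group after this deploys unless the cache file is removed once, which deserves a comment since this file (unlike the Postfix and nginx ones in this commit) cannot point at the shared /etc/ssl/private/dhparams.pem. While hardening this block, `ssl_protocols = !SSLv2` still leaves SSLv3 enabled and `ssl_prefer_server_ciphers` is left at its default `no`, so the ordered `ssl_cipher_list` is merely a suggestion to the client. `ssl_protocols = !SSLv2 !SSLv3` and `ssl_prefer_server_ciphers = yes` would bring this in line with the nginx config in the same commit, which does set `ssl_prefer_server_ciphers on`.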
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index ef2f0d6..4cc07a6 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -47,42 +47,44 @@ default_transport = error:5.1.1 Transport unavailable
# Virtual transport (the alias resolution and address validation is
# performed on the MX:es only)
virtual_transport = lmtp:unix:private/dovecot-lmtpd
lmtp_bind_address = 127.0.0.1
virtual_mailbox_domains = static:all
virtual_mailbox_maps = static:all
#transport_maps = cdb:$config_directory/transport
# Restore the original envelope recipient
relay_domains =
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
# Don't rewrite remote headers
local_header_rewrite_clients =
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha256
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
smtpd_helo_required = yes
smtpd_helo_restrictions =
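Review bot: `smtpd_tls_exclude_ciphers` applies at every security level and this listener is opportunistic (`smtpd_tls_security_level = may`), so a peer whose suites are all excluded does not get a weaker cipher: its STARTTLS handshake fails and, depending on the peer, it may retry in cleartext, which is the warning Postfix's own documentation attaches to this parameter. Here the only clients that pass `smtpd_client_restrictions` are `permit_mynetworks` and `permit_tls_clientcerts`, so the practical failure mode is an internal relay losing its client-cert path and being deferred; a comment above the new line would make the trade-off explicit: `# Strict on purpose: only our own relays (mynetworks / client-cert authenticated) reach this listener.` Also, the parameter name `smtpd_tls_dh1024_param_file` is historical and Postfix accepts the 2048-bit group gendhparam.sh produces by default; a comment saying so saves the next reader a lookup.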
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 8ebefde..800dda8 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -60,40 +60,41 @@ smtp_data_done_timeout = 1200s
header_checks = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# TLS
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem
smtpd_tls_key_file = /etc/postfix/ssl/private/smtp.fripost.org.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = unix:private/dovecot-auth
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
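Review bot: This is the only smtpd listener in the commit that receives the DH file without the matching `smtpd_tls_exclude_ciphers` line, yet it is the submission service with `smtpd_tls_security_level = encrypt` and plaintext SASL mechanisms allowed once TLS is up (`smtpd_sasl_tls_security_options = noanonymous`), i.e. the place where cipher quality matters most. Because TLS is mandatory here, the knobs that actually constrain the negotiation are `smtpd_tls_mandatory_ciphers`, `smtpd_tls_mandatory_exclude_ciphers` and `smtpd_tls_mandatory_protocols`, whose Postfix defaults are permissive (`medium`, empty, and on older releases only `!SSLv2`); something like `smtpd_tls_mandatory_ciphers = high`, `smtpd_tls_mandatory_exclude_ciphers = aNULL, RC4, MD5` and `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` next to the new line would close that gap. Note also that with mandatory TLS a client that cannot handle a 2048-bit DH group (older Java-based mail clients are the usual example) loses submission outright rather than falling back, which is probably acceptable but worth a comment beside the new line.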
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 181066a..09a5ce7 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -76,42 +76,44 @@ smtp_send_xforward_command = yes
smtp_destination_recipient_limit = 1000
reserved-alias_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = none
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
# http://www.howtoforge.com/block_spam_at_mta_level_postfix
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# UCE control
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
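Review bot: On the public MX the exclusion list is applied to an opportunistic listener (`smtpd_tls_security_level = may`) that presents the snakeoil certificate, and Postfix's TLS guide advises against excluding `aNULL` in exactly this situation: remote senders never verify that certificate, so anonymous DH is no weaker to them than RSA-authenticated DH, whereas a sender whose suites are all excluded fails STARTTLS and typically retries in cleartext, which is worse than any cipher on the list. Consider dropping `aNULL` (and possibly `MEDIUM`) from the MX variant, or at least documenting the interoperability trade-off in a comment above the line. Separately, the two consecutive `smtpd_tls_security_level` lines just above the new cipher line set the value to `none` and then `may`; Postfix takes the last one, but the dead `smtpd_tls_security_level = none` line is misleading next to fresh TLS tuning and should be deleted.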
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
index 7deef29..26a64f4 100644
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ b/roles/common-web/files/etc/nginx/ssl/config
@@ -1,19 +1,20 @@
ssl on;
# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
keepalive_timeout 75 75;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
# in favor of RC4, but that's not satisfactory either since RC4 has
# other weaknesses.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_dhparam /etc/ssl/private/dhparams.pem;
ssl_prefer_server_ciphers on;
# Strict Transport Security header for enhanced security. See
# http://www.chromium.org/sts.
add_header Strict-Transport-Security "max-age=15552000";
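Review bot: The new `ssl_dhparam` line is the right fix (nginx of this era otherwise falls back to a built-in 1024-bit group) but it carries no comment tying it to the generator and the access requirement: the file lives in /etc/ssl/private with `og-rwx` (see gendhparam.sh in this commit), so it is only loadable because nginx parses its configuration in the root master process, and a host where the `genkey`-tagged task was skipped will fail `nginx -t` on this line. Suggested comment above it: `# 2048-bit DH group generated by /usr/local/bin/gendhparam.sh (common role); read by the root master at config load, hence the og-rwx mode is fine.` If the `common-web` role does not already depend on `common`, that dependency is what guarantees the file exists before this config is tested.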
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh
new file mode 100755
index 0000000..074986b
--- /dev/null
+++ b/roles/common/files/usr/local/bin/gendhparam.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -ue
+PATH=/usr/bin:/bin
+
+privkey="$1"
+bits="${2:-2048}"
+rand=
+
+mv -f "$(mktemp)" "$privkey"
+chmod og-rwx "$privkey"
+
+openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey"
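Review bot: `mv -f "$(mktemp)" "$privkey"` creates the destination empty before openssl runs, so an interrupted or failed generation (a 2048-bit run can take minutes on a small VM and may be killed mid-provisioning) leaves an empty dhparams.pem that the `creates=` guard in roles/common/tasks/main.yml treats as done and that Postfix and nginx then fail to load; generating into a temporary file in the target directory and renaming only on success avoids that. `rand=` is assigned but nothing can set it, so `${rand:-/dev/urandom}` always yields /dev/urandom and the indirection can go. A one-line usage check also gives a clearer message than the `set -u` error on a missing argument.
```shell
# Usage: gendhparam.sh OUTFILE [BITS]
# Generates Diffie-Hellman parameters into OUTFILE (mode 0600), 2048 bits by default.
[ $# -ge 1 ] || { echo "Usage: $0 OUTFILE [BITS]" >&2; exit 2; }
privkey="$1"
bits="${2:-2048}"

# Write to a temporary file beside the target and rename on success, so a
# failed or interrupted run never leaves an empty OUTFILE behind.
tmp="$(mktemp "$privkey.XXXXXX")"
trap 'rm -f "$tmp"' EXIT
chmod og-rwx "$tmp"
openssl dhparam -rand /dev/urandom "$bits" >"$tmp"
mv -f "$tmp" "$privkey"
```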
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index d6539e2..982c1d9 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -20,40 +20,41 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -ue
PATH=/usr/bin:/bin
# Default values
type=rsa
bits=
hash=
force=0
config=
pubkey=pubkey.pem
privkey=privkey.pem
dns=
ou=
cn=
usage=
chmod=
chown=
+rand=
usage() {
cat >&2 <<- EOF
Usage: $0 command [OPTIONS]
Command:
x509: generate a self-signed X.509 server certificate
csr: generate a Certificate Signing Request
dkim: generate a private key (to use for DKIM signing)
Options:
-t type: key type (default: rsa)
-b bits: key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA)
-h digest: digest algorithm
--ou: organizational Unit Name; can be repeated
--cn: common Name (default: \$(hostname --fqdn)
--dns: hostname for AltName; can be repeated
-f: force; can be repeated (0: don't overwrite, default;
1: reuse private key if it exists;
2: overwrite both keys if they exist)
@@ -106,41 +107,40 @@ while [ $# -gt 0 ]; do
--cn=?*) cn="${1#--cn=}";;
--ou=?*) ou="${ou:+$ou\n}$nou.organizationalUnitName = ${1#--ou=}"
nou=$(( 1 + $nou ));;
-f) force=$(( 1 + $force ));;
--pubkey=?*) pubkey="${1#--pubkey=}";;
--privkey=?*) privkey="${1#--privkey=}";;
--usage=?*) usage="${usage:+$usage,}${1#--usage=}";;
--config=?*) dns="${1#--config=}";;
--chmod=?*) chmod="${1#--chmod=}";;
--chown=?*) chown="${1#--chown=}";;
--help) usage; exit;;
*) echo "Unrecognized argument: $1" >&2; exit 2
esac
shift;
done
-rand=/dev/urandom
case "$type" in
# XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
# genpkey can also create explicit EC parameters, but not named.
rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";;
dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";;
# See 'openssl ecparam -list_curves' for the list of supported
# curves. StrongSwan doesn't support explicit curve parameters
# (however explicit parameters might be required to make exotic
# curves work with some clients.)
ecdsa) genkey=ecparam
genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";;
*) echo "Unrecognized key type: $type" >&2; exit 2
esac
if [ "$cmd" = x509 -o "$cmd" = csr ]; then
case "$hash" in
md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;;
*) echo "Invalid digest algorithm: $hash" >&2; exit 2;
esac
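Review bot: Removing the fixed `rand=/dev/urandom` only makes sense if something can set `rand`, but the option parser in this hunk has no `--rand=` case, so the variable introduced at the top of the script is dead and the later `${rand:-/dev/urandom}` always falls through; either add `--rand=?*) rand="${1#--rand=}";;` to the `case` (with a matching line in the usage text) or drop the variable. While in this parser: `--config=?*) dns="${1#--config=}";;` assigns to `dns` rather than `config`, which looks like a typo — as written `--config=FILE` never suppresses the generated config and the path ends up appended to `subjectAltName`; `--config=?*) config="${1#--config=}";;` is the intended line.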
@@ -167,33 +167,33 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
$(echo "$ou")
commonName = $cn
[ v3_req ]
subjectAltName = email:admin@fripost.org${dns:+, $dns}
basicConstraints = critical, CA:FALSE
# https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign}
EOF
fi
if [ -s "$privkey" -a $force -eq 0 ]; then
echo "Error: private key exists: $privkey" >&2
[ "$cmd" = dkim ] && dkiminfo
exit 1
elif [ ! -s "$privkey" -o $force -ge 2 ]; then
# Ensure "$privkey" is created with umask 0077
mv -f "$(mktemp)" "$privkey" || exit 2
chmod "${chmod:-og-rwx}" "$privkey" || exit 2
[ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
- openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+ openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2
[ "$cmd" = dkim ] && { dkiminfo; exit; }
fi
if [ "$cmd" = x509 -o "$cmd" = csr ]; then
if [ -s "$pubkey" -a $force -eq 0 ]; then
echo "Error: public key exists: $pubkey" >&2
exit 1
else
[ "$cmd" = x509 ] && x509=-x509 || x509=
openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
fi
fi
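Review bot: `-rand "${rand:-/dev/urandom}"` is behaviourally identical to the removed literal because nothing in the visible script assigns `rand`, and OpenSSL seeds from the system RNG on its own, so the flag is harmless either way; if the indirection stays, a comment such as `# rand: optional entropy file passed to openssl -rand; empty means /dev/urandom` would explain why it exists. Separately, the generated config above defaults `keyUsage` to `digitalSignature, keyEncipherment, keyCertSign` for a certificate that carries `basicConstraints = critical, CA:FALSE`; asserting `keyCertSign` on an end-entity certificate is inconsistent with RFC 5280 and may be rejected by strict validators, so unless `--usage` is always passed the default should be `digitalSignature, keyEncipherment`.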
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b3c0a5..4e85d0a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,39 +1,45 @@
---
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
tags: intel
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: auditd.yml tags=auditd
- include: rkhunter.yml tags=rkhunter
- include: clamav.yml tags=clamav
- include: fail2ban.yml tags=fail2ban
- include: smart.yml tags=smartmontools,smart
when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
- include: haveged.yml tags=haveged,entropy
-- name: Copy genkeypair.sh
- copy: src=usr/local/bin/genkeypair.sh
- dest=/usr/local/bin/genkeypair.sh
+- name: Copy genkeypair.sh and gendhparam.sh
+ copy: src=usr/local/bin/{{ item }}
+ dest=/usr/local/bin/{{ item }}
owner=root group=root
mode=0755
tags: genkey
+ with_items:
+ - genkeypair.sh
+ - gendhparam.sh
+- name: Generate DH parameters
+ command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
+ tags: genkey
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- etckeeper
- ethtool
- git
- htop
- molly-guard
- rsync
- screen
- telnet-ssl
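Review bot: `command: gendhparam.sh …` relies on /usr/local/bin being in the PATH of the remote shell Ansible spawns; use the absolute path the preceding copy task installs to, `command: /usr/local/bin/gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem`. The `creates=` guard checks existence only, so an empty or truncated file left by an interrupted run is never regenerated and silently breaks every TLS listener configured in this commit; either have the script write-then-rename or add a `stat`-based check on the file size. Both tasks are tagged `genkey` only, so a run restricted with `--tags` to the mail or web roles templates configs that point at a file which may not yet exist — a comment on the task, or a shared tag with the consuming roles, would make that dependency visible.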
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index e55eb9e..d286f27 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -39,42 +39,44 @@ alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# No relay: this server is inbound-only
relay_transport = error:5.1.1 Relay unavailable
default_transport = error:5.1.1 Transport unavailable
relay_domains = sympa.$mydomain
transport_maps = cdb:$config_directory/transport
sympa_destination_recipient_limit = 1
# Don't rewrite remote headers
local_header_rewrite_clients =
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha256
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
smtpd_helo_required = yes
smtpd_helo_restrictions =
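Review bot: The exclusion list pasted into the mail roles is undocumented, and `MEDIUM` is the entry that will surprise the next reader: in OpenSSL 1.0.x's classification it covers the 128-bit legacy suites (RC4, SEED), not AES-128, which OpenSSL places in `HIGH`, so AES128 suites remain negotiable. A comment above the line prevents someone from either "fixing" it or assuming 128-bit AES is gone: `# Drop export/weak and 128-bit legacy (RC4/SEED) suites; AES128 stays since OpenSSL classes it HIGH.` Since the same eight-item list now lives in four templates, a single group variable referenced as `smtpd_tls_exclude_ciphers = {{ postfix_tls_exclude_ciphers }}` would keep them from drifting.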
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index da8ed48..eab3c0b 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -36,42 +36,44 @@ local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
relay_domains =
relay_transport = error:5.3.2 Relay Transport unavailable
# All header rewriting happens upstream
local_header_rewrite_clients =
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha256
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
defer
smtpd_helo_required = yes
smtpd_helo_restrictions =
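Review bot: The `out` relay is the one host whose outbound client side is configured in this same file (`smtp_tls_security_level = may`, `smtp_tls_note_starttls_offer`, the smtp session cache), and it gets no `smtp_tls_exclude_ciphers`, so mail leaving the platform may still negotiate RC4/MD5/export suites with remote MXs while the inbound listener no longer will. Adding `smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, eNULL, DES, RC4, MD5` beside the other `smtp_tls_*` lines closes that gap; `aNULL` is deliberately left out of that suggestion because Postfix's documentation notes that an opportunistic client, which does not verify the server certificate, gains nothing from excluding anonymous suites and only loses interoperability. As on the server side, a comment should record that a handshake failure at the `may` level is retried in plaintext, so the list trades cipher strength against encryption at all.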